The Indian government’s demands that telecom providers such as BlackBerry, Google and Skype allow access to their data on national security grounds has brought to the forefront warnings voiced by some experts in recent months that this issue could affect businesses that provide these services, as well as their customers.
While Research in Motion (RIM), the Canada-based maker of BlackBerry, negotiated a two-month reprieve to develop a solution complying with the Indian government’s demands, Indian officials have said companies such as Google and Skype would also be asked to comply with the government’s directives or close their networks.
When asked for a response, a Google spokesperson at their headquarters in California told Business Standard: "We have not received any communication on this issue from the government. If and when we do, we will review and respond." A spokesperson for Skype in the Asia-Pacific region replied with a similar statement: "We have not yet received any notification from the local authorities and are not able to comment."
SECURITY & ACCESS
Experts say the growing ease of use of encryption in products ranging from email to software and advances in encryption technology have led to more businesses making use of encryption, but has also thrown up fresh challenges to governments worldwide. "It’s an interesting confluence created by the increase in high technology applications, global trade and national security," says Sanjay Mullick, a Washington, DC-based attorney with the Pillsbury law firm which recently sent out an advisory to clients on compliance with laws relating to encryption and security in various countries, even before India’s demands on BlackBerry hit the news.
Mullick points out that frequent reports of breach or theft of data have prompted new laws in the US and the European Union, specifically requiring the addition of encryption to any media holding confidential data. "Businesses are being forced to deploy encryption widely to meet government mandates, even as governments are simultaneously trying to restrict the same technology’s reach," according to Mullick.
While RIM has not disclosed how it deals with individual governments, industry experts believe the company has arrangements in place to provide access to certain communications to governments in countries such as the US, the UK, France and Canada. "Most large countries have a natural desire from a security standpoint to intercept certain electronic communications; it’s been going on for years," says Andrew Jaquith, a Senior Analyst for Security and Risk at the Boston-based technology research firm Forrester.
Since RIM uses a centralised model to encrypt traffic to and from consumer devices, these governments have a single point of accountability, from where they could demand access to data under laws such as the United States’ CALEA statute or Communications Assistance for Law Enforcement Act. In the case of enterprise customers, however, companies rather than RIM hold the encryption keys, and similar interception would not be possible.
In the case of Google and Skype, experts believe it’s easier for these companies than for RIM to co-operate with governments solely on technical grounds. But Jaquith dismisses a reported demand from India for Google and Skype to also locate their servers in India as unreasonable. "There are lots of ways to legally access contents of emails or messages exchanged by parties of interest when needed, without requiring servers in India," he says, calling the demand a likely "job preservation requirement".
Even in cases where service providers have the ability to cooperate, this could trigger concerns about the security of data and communications among their customers. An increase in obstacles would also mean less of an incentive to operate in a market, says Jaquith, but adds that the size of a market and its growth potential could prove a big lure for companies who would be willing to put up with the inconvenience. China and Russia, for instance, are known to apply rigorous controls on encryption technology and require prior approvals of specific products. India is widely considered a fast growing and promising market for global telecom providers.
Forrester Research calls BlackBerry the "gold standard" for secure corporate devices, and Jaquith says the recent controversy in India shows how important traffic and content analysis has become for national governments. And, how strong encryption will continue to be an important tool for those who wish to evade these controls.
Advances in technology have also changed the way governments approach controls. Mullick points out that many nations have historically placed export controls on "outbound" encryption technologies produced by their domestic industries, whereas governments are now placing "inbound" controls on encryption. And for companies such as RIM, Jaquith warns that it could lead to "death by a thousand cuts" from every government that wants to intercept BlackBerry traffic.