BlackBerry pioneered mobile messaging software. The world’s trust in BlackBerry’s software solutions and in its security experience and expertise is unequalled. BlackBerry’s commitment to the security and privacy of our customers has always been, and always will be, unwavering.
Reports such as the one on encryption and human rights released by Amnesty International in October are admirable in their intentions. Unfortunately, they are hampered by a lack of information and understanding. We would like to take this opportunity to clarify our practices, policies, and philosophies.
Private Information in the Cloud
In the modern digital world, most of us trust public cloud services to protect the privacy of massive volumes of personal information: photos, videos, messages, status updates, etc. Consumers should be concerned about how that information is protected. If a service provider is hacked, the personal information stored on its cloud servers is at risk.
Over the past year, BlackBerry has transformed itself from a device company to an enterprise software company. BlackBerry does not develop mass-market consumer data storage services, but offers products that enable business users to privately communicate and collaborate. Data flows between users, and their private communications are not archived within BlackBerry’s servers.
Furthermore, BlackBerry believes that users need to be armed with more control over the privacy of their sensitive information, and offers tools that enable this. When security can be tied to the data – instead of just the device – data owners can protect information regardless of how it is shared across untrusted networks. For example, BlackBerry’s enterprise file sharing service enables data owners to control the security of files regardless of which cloud service (e.g. Microsoft Office 365, Dropbox, etc.) is physically storing them.
A hypothetical example of this data-centric approach to privacy in consumer cloud services would be for a social network to offer a “privacy mode.” An account holder’s and her friends’ posts would be encrypted with keys that only they control, and could not be read by anyone else. Consumer advocates who wish to promote a commitment to privacy should take note – these are the kinds of features that should be encouraged and evaluated.
Messaging is but one planet in a universe of information sharing systems.
Another example is email message encryption, where only the intended recipient can decrypt and read private messages. While BlackBerry has been offering this service to business users for more than 20 years, none of the major consumer cloud email services do. Again, attention to email could fill a larger privacy gap than what exists in messaging.
More about BBM Enterprise Security
BBM Enterprise provides end-to-end encryption of messages where the keys are generated by communicating users, and neither BlackBerry nor any other third party can read the messages.
BBM Enterprise’s security design and protocols have been vetted by multiple independent experts, and BlackBerry is a strong believer in the need for independent evaluation and the assurance it provides. In fact, where security certification programs exist, BlackBerry puts its products through them to evaluate security capabilities, including encryption. BlackBerry’s products have more security certifications (80+) than those of any other software vendor.
One example is the ISO 15408 security certification of the BlackBerry Work business productivity suite for iOS and Android. This product has achieved certification at Evaluation Assurance Level 4+ (EAL4+), the highest internationally accepted security level, which requires vulnerability assessment and penetration testing by multiple independent certified security labs. This software “containerizes” enterprise apps and data, assuring user privacy by isolating personal apps and data from the employer or anyone else.
Security and Privacy Evaluation Standards
An overly simplistic evaluation method can cause more harm than good. The security world has many experts involved in the creation of high-quality independent evaluation standards, and there are also standards (e.g. ISO 17025) that ensure the quality of evaluation labs. No such evaluation standard currently exists for messaging apps.
BlackBerry would welcome the opportunity to participate in a multi-stakeholder, open process for creating one, and often volunteers its resources for similar efforts. One example is DTSec. This multi-stakeholder, non-profit, independent security evaluation standard was co-founded by BlackBerry to help protect the safety of patients using connected healthcare devices, such as insulin pumps.
DTSec addresses the lack of trust consumers have in the safety of connected healthcare products, and medical device manufacturers who certify their products through DTSec improve patient confidence. The standard also helps give patients an understanding of the privacy and security risks of connected healthcare – something BlackBerry believes is a basic human right. Privacy advocates should join this fight, and DTSec would welcome their involvement.
BlackBerry recognizes the threats to users’ privacy and is committed to freedom of expression and the use of strong encryption as a tool to help users realize this freedom. We are applying our privacy commitment and expertise to ensure the safety of users throughout the growing Internet of Things, including self-driving connected cars, wireless medical devices, and more.
Unlike many other firms in Silicon Valley, we have never – nor will we ever – monetize or traffic in our customers’ personal information.
BlackBerry applauds groups such as Amnesty International and the Electronic Frontier Foundation for joining in our steadfast commitment to providing better security tools and driving transparency – and for working to better protect the privacy of users. However, we encourage these organizations to develop multi-stakeholder processes in moving this agenda forward with open, trusted standards. We also encourage them to expand their focus beyond messaging to include social networks, photo sharing, email, and other private information services, where oversight, transparency, confidence, and encryption are sorely lacking.