WHEN LAW ENFORCEMENT OBTAINED AN ENCRYPTION KEY TO PRIVATE COMMUNICATIONS

A recent criminal prosecution revealed that Canadian law enforcement obtained a key to decrypt certain private communications from BlackBerry devices. Was the action lawful? Did it compromise privacy?

The BlackBerry/RCMP Case

The prosecution involved a Montreal crime ring that had allegedly committed a murder in 2011. During the Canadian court proceeding, the suspects discovered that the Royal Canadian Mounted Police (RCMP) had intercepted and deciphered the organization’s encrypted “pin-to-pin” (SMS text) messages. The court almost compelled the Crown prosecutors to disclose how the RCMP performed the decryption, but the defendants terminated the proceeding through a plea bargain.

A few facts were revealed. The RCMP obtained the BlackBerry encryption key in 2010. The key could unlock BlackBerry pin-to-pin messages. And the communication service provider (CSP) was Rogers Communications.

May a CSP Share Encryption Keys with Law Enforcement?

In the U.S. and Canada, no law prohibits a handset vendor or CSP from sharing an encryption key with law enforcement. The Communications Assistance for Law Enforcement Act (CALEA) requires an American CSP, when subject to a court surveillance order, to decipher encrypted communications if it provides the encryption and has the information to perform the decryption. However, CALEA does not require the sharing of encryption keys. If law enforcement wants the encryption key or other decryption assistance, it could ask a court for an all-purpose assistance order called an All Writs Act order. But the validity of such orders remains unresolved.

Even if a CSP can perform the needed decryption, it should still not share the encryption key with law enforcement. A suspect’s communications can be decrypted just as efficiently on the CSP’s premises without incurring the privacy risk of sharing the encryption key with a third party.

Today, text messages and emails are commonly encrypted on a per-user basis each time the user initiates one of these data sessions. Encryption is considered necessary in these scenarios because the signals travel over the public Internet, which is not considered secure. The per-user, per-session approach to encryption ensures privacy protection and makes it highly impractical for industry to share encryption keys with law enforcement.

VoIP communications may or may not be encrypted, depending largely on whether they traverse the public Internet. Traditional telephony is not encrypted because the telephone network has no cost-effective way to perform encryption. Obviously, VoIP operators that do not offer encryption have no encryption keys to share.

Did the Encryption Key Sharing Compromise Privacy?

The RCMP held BlackBerry’s pin-to-pin encryption key from 2010 to 2016. Does this mean the agents could freely monitor all BlackBerry pin-to-pin communications for six years? No. An encryption key is useless without the communications that go with it. As long as a CSP intercepts only communications subject to a valid court order, and delivers only those messages to the law enforcement monitoring point, it need not worry that an excessive volume of communications will be decrypted.

The Encryption Policy Debate

In December of 2015, when a terrorist investigation in San Bernardino, California led the FBI to request encryption assistance from iPhone maker Apple, Apple’s opposition triggered a public debate over encryption policy. The FBI said it wanted only decryption assistance, not the encryption keys themselves. Apple countered that routinely providing such assistance for investigations would enable law enforcement to unlock an unlimited number of iPhones.

The BlackBerry/RCMP case offers lessons for both sides of the encryption debate. It would be more privacy-protective for a CSP to perform any feasible decryption in-house and then deliver the plain text to law enforcement rather than give agents encryption keys or other decryption tools. On the other hand, a CSP can provide encryption tools to law enforcement without violating user privacy, as long as the assistance limits law enforcement to viewing only communications subject to a court order. Also, law enforcement maintains strict protocols to guard the privacy of sensitive information. That probably explains how the RCMP kept its possession of a BlackBerry encryption key a secret for as long as six years.