With handheld devices now the top-selling computing platform worldwide, online privacy is increasingly becoming a function of mobile security.
For as long as Research In Motion has made communication devices, security has been a cornerstone of the Waterloo company’s success.
Scott Totzke, RIM’s senior vice-president in charge of BlackBerry security for the past 10 years, doesn't need to name-drop to make the point. Suffice it to say there are reasons why 70 million people, including famous Americans from Brad Pitt to Barack Obama, continue to bypass Apple and Android phones in favour of RIM technology.
The mobile security landscape has evolved considerably since the first BlackBerry pinned our Inboxes to our hips. The subsequent integration of cellphones, cameras, GPS, Bluetooth and countless applications, many of them location-based, has expanded Totzke’s role, to say nothing of BlackBerry's reach into more than 175 countries around the world.
As part of our online privacy series, Communitech asked Totzke to share his thoughts on this evolution, talk about what differentiates BlackBerry and tell us what RIM's security team has been working on lately.
Q – How long have you been working in the security field at RIM?
A – Just over 10 years.
Q – So, obviously a lot of change in those 10 years. Can you give me an idea of how the landscape has evolved in your time at RIM?
A – Well, it’s kind of both changing and not changing. If you think back to when we first introduced the BlackBerry, when we were shopping that concept around, the feedback from early investors and potential customers was really, “It sounds like a really good idea, but if you put my information at risk and my company’s network at risk, I’m not going to invest in your firm and I’m not going to buy your product.”
These were the big financial services guys on Wall Street. And with that kind of feedback, it became a pillar of what we do: How do we protect our customers’ information in all aspects of mobility?
As the industry evolved, it became a lot more complicated. In the beginning we had one device on one network and one killer application; it was really about getting your Inbox to your hip, I think, and a decade ago, that was magic.
Over the last decade, we’ve seen a tremendous change in what you can do with these devices, and a change in expectations from the customer base. I mean, we immediately started doing applications, but we’ve had to deal with new technologies and understand how they impact our customers and how our customers want to manage that.
Two examples would be the use of cameras, and Bluetooth.
Bluetooth has had this security stigma associated with it for a long time, but there are a lot of useful applications for Bluetooth that, if managed properly, can minimize that risk to the customer. You need to be able to enable that functionality for the customer, but do it in a way that doesn’t expose their address book or their e-mail database or something like that.
So, providing our customers with flexible manageability to create policies that meet their individual needs has really been one of the hallmarks of how we’ve evolved over the last 10 years, and we continue to look at pieces of new technology that we need to manage and control.
Q – What has that meant for cameras?
A – I mean, cameras on phones are ubiquitous today, so we have policies for customers to disable the cameras.
We have customers who take that another step further and, using APIs (application programming interfaces) built into the platform, create their own applications to enable location-based policies. So, when you show up to their campus, it’ll disable the camera, but when you leave at night and get outside of a certain radius, the camera gets turned back on.
That speaks to the power of the platform, but also to the need to be flexible in how you apply security.
Today, we want to run all kinds of applications and we want rich web experiences, and we have to recognize that applications present a new risk and a new challenge. It’s all well and good to be binary and say, ‘Yes you can run applications’ or ‘No you can’t run applications,’ but if you take that approach, you kind of get yourself into the position where you don’t really have a platform.
If you think back to 10 years ago, when you mobilized e-mail and that was it, you got lots of return on investment on that and you did a really good job for your company. Today, companies have hundreds of thousands or millions of dollars invested in their mobile infrastructure, and they really need to do business transformation; they need to get their ERP (enterprise resource planning) and CRM (customer relationship management) systems out there, and all kinds of third-party applications if they’re really going to deliver value in their mobility investment.
To do that, you need to deploy applications in a way that allows your internal users flexibility to go and connect to Facebook, Twitter, FourSquare, whatever sort of applications they want to run, and do it in a way that protects my corporate data so that when I launch Facebook, I don’t end up with all of my corporate contacts populated to my Facebook page.
Q – So how big of a challenge has it been for RIM to remain the gold standard in this field?
A – It continues to be a challenge because of the pace of innovation that we see. Probably the biggest challenge is re-educating the customer base as to what they can and can’t do.
If you think back to 2002, we introduced the first BlackBerry smartphone, the first combination e-mail-phone device in a single thing you could carry around, the BlackBerry 5810. And a lot of our customers, the early adopters, really had concerns about the financial impact this would have. They could afford to give everybody a pager and a data plan for a pager, but in 2002, to give those same employees a pager and a cellphone was just not within the cost model that they could support.
So, our response was, let’s give you a policy to turn off the phone. And customers loved that; it let them control their costs; they still got to keep using BlackBerry to get that wireless e-mail and get that investment in productivity out of mobilizing the workforce, and they were able to contain their costs because they were disabling the phone on the device.
If you fast-forward to 2010 and 2011 here, some of those customers still have that policy turned on, and they have tens of thousands of BlackBerries deployed, and they’re under pressure from their employees to deploy other solutions because the employee just wants one device. They want something they can get their e-mail on and make a phone call on.
One of the challenges is how you keep educating the customer base if you’ve got to re-evaluate what the risks are and what the concerns are on a regular basis, whether it’s annually or bi-annually; to look at your internal policies and see if they still make sense.
I’ve sat with high-ranking guys in the military who pull out their BlackBerry and say, ‘Why can’t I run Google Maps and Facebook on this device?’ And I say, ‘You’ve got a policy set that says you can’t install these applications, but if you change your policy, you can safely install these applications so you don’t have to worry about your government or corporate data leaking outside the organization.’
That’s the big challenge, helping educate not only the end user, but also educating our enterprise administrators on the changing policies.
We’ve tended to always increase the kind of granular management that we’ve built into the platform, but at the same time we have to help our customers avoid the tendency to turn all of these knobs to 11 and turn everything off except e-mail, because they’re just not getting their value out of mobility if they’re turning everything off but e-mail.
They’re kind of back in the 2000s, and not in 2011.
Q – It seems that people have never been more concerned about security, yet at the same time, they have never been more willing to surrender their personal data. How do you reconcile those two things?
A – First, I think there’s a pendulum. My study is my two kids, so my sample is maybe not that high for what I see, but it’s common in their peer group.
We went through a period post-9/11 where people were going to give up their personal information and privacy for the security of the country; there was a really strong reaction to extraordinary circumstances, and one that had some merit to it.
In the last couple of years we’ve seen a swing towards wanting to protect our personal information.
So I think we had a generation of folks who were really liberal, and now we’ve got a much more savvy, younger generation of sub-20-year-olds now, who think about privacy and controlling their information in a much more sophisticated manner than the generation before them did, when everything was just open and we were going to share.
Increasingly, I think people are getting more concerned about protecting their own personal information and having control over it. They’re not yet asking all of the right questions. Where is my information backed up? Where is it stored? Who has access to it? But they’re getting to a point where they’re much more savvy about the public disclosure of their information, and I think that’s a change that I’m starting to see in the last couple of years.
At the same time, we’re still willing to give up our name and e-mail address and phone number to get something that’s perceived as free, but really has very little value to us.
Q – Where does BlackBerry fit into that trend? There’s a lot of hype around iPhones and Android phones, but you also hear they are not as secure as RIM’s devices. Do you see RIM benefiting from that?
A – If you look at the profile of some of our users, clearly they are high-profile users who are concerned about their personal privacy; heads of business, a lot of celebrities; people who have a really strong stake in protecting their personal information.
On the platform side, we’ve wanted to strive towards transparency for our users, and explicit authentication.
You can talk to the vendors, and all of us will tell you that we sign applications, and that is an integrity check to allow the application to run unmodified on the platform, which is a good element of security. But for us, if an application wants to access your address book, or wants to access your e-mail database, there’s a prompt for the user that they have to authorize that behaviour, and if they don’t authorize the behaviour, the application won’t be able to access that information.
So we want to make sure that there’s informed consent from the user, where everything is transparent and the user actually has to do something if an application wants to access personal information on the device. And if the user doesn’t authorize that, the application won’t have access to it, which is a little different than how some of the other platforms deal with it.
And then there’s security – how do we protect information on the device? There’s the device password, which is really basic; it’s the lock for the front door. That, for us, provides a fairly strong deterrent for somebody trying to bypass that.
I’ve not seen any bypasses of the device password to access the content on the device, which is again fairly unique to our platform versus some of the competitors.
But also, there’s the ability to embed encryption in there. If you want to protect all of your data stored on the device, you can turn on encryption to protect all of your local databases.
As an administrator, there are lots of controls over setting-of-passwords policies, or requiring smartcards to authenticate to your BlackBerry if you want to get into a really strict security context.
We’re getting to a place where, as an administrator, I can set policies that are going to wipe data if my device is out of coverage for too long, or the user hasn’t unlocked it for a period of time, or even if the battery gets too low, to use the remaining charge in the battery to wipe all the information on the device.
So we can go to the real high end of the paranoid crowd, and provide them with policies that make sense based on the nature of the business and the information that they possess and process.
Think of how much information is on your BlackBerry today that is either yours or your company’s. I have thousands of e-mails and contacts and calendar information; for others it could be pre-release product information, it could be earnings information, it could be information about where I’m going to be and whom I’m going to meet with.
Let’s face it, there’s a high personal attachment to your smartphone, so I take my BlackBerry everywhere; I occasionally drive to work and forget my wallet, but I never drive to work and forget my BlackBerry, and if I did, I would go home and get it before I would go home and get my wallet.
The reality, though, is that devices are going to be left behind somewhere, so do you have the right mechanisms to protect your data? And it starts with a password, and the next level is, can you remotely wipe the device, which is something we’ve been doing for 10 years, and can you confirm that that command has been processed by the device so, as the administrator, I know the information is being erased.
Having that flexibility really lets us have policies to meet every need, from the mom-and-pop shop and the consumer right up to the large-scale government agency that has highly confidential information.
Q – Or the President of the United States.
A – I can’t comment on any specific customer.
Q – Canada is a bit more privacy-aware than some other countries. How much do you think being a Canadian company has informed RIM’s commitment to privacy?
A – Certainly we have a good federal privacy commissioner, and in Ontario, Ann Cavoukian is a very strong privacy commissioner for the province, and both work internationally very well. So I think Canada has had a fairly strong influence on privacy by design within the product, and I know that’s been a mantra of the privacy commissioner here in Ontario.
But, you know, we’ve also been working internationally for six or seven years now, and we find that there are other parts of the world that also take privacy extremely seriously, or maybe even have a stronger view towards privacy.
I was in Germany meeting with a privacy commissioner there, and there’s a strong alignment between Canadian thinking and the thinking in Germany. They actually, I think, take an even stricter view of privacy than we do here in Canada.
Q – How so?
A – They’re looking at what mechanisms can you have in place to protect your identity, even if you have to make an online purchase. This is a fairly difficult problem to solve. They’re actually trying to find ways to go a step further so that the online transaction has the same degree of privacy that a cash transaction at the corner store would have.
But what do vendors need to do to help consumers protect themselves? As technologists, there are limitations to what we can do. We can build all kinds of great technology, but we still have to educate the users.
When an application wants to access your personal information, we want to make sure you’re giving consent to that application to do so. Probably the biggest piece of that would be location information, which has certainly been a hot item here in North America for the last four or five months.
We call that out as a very explicit piece of information that you have to authorize; if an application wants to know where you are, we actually require a separate approval for that.
It’s one of those technologies that we had to evaluate in a very strict manner. We asked, ‘What are we going to do when we have GPS technology in the devices? Where is this line?’ And when we first implemented it, we decided that, unlike everything else on the platform, access to location information would be something that would be governed by the end user of the device, not so much the administrator.
It actually is personal information about the employee or the user of the device, and if companies needed to access that information they could do that through a policy, rather than allowing them to just turn it on and force that.
And I think that type of thinking is really a direct result of sort of the privacy thinking here in Canada; about how we’re protecting individual information and how we’re building privacy by design into the products and services that we offer.
Q – At the same time, we’ve got huge technology companies whose business relies on commercializing people’s private data. Do you think the technology sector is conscientious enough about helping people to protect their privacy?
A – Well, RIM certainly is. We’ve taken this stance for as long as I’ve been with the company, about making sure that we’re protecting our customers’ privacy, and that they are always able to opt in and out of anything.
I don’t know that the technology sector in general is always doing that. I think there are a lot of good intentions, but I think as an industry, there is work that needs to be done to protect people’s privacy and to give them more options.
And we’re seeing that; the great work by the Privacy Commissioner in Canada to call out Facebook; I mean, that is starting to work with the industry to find better ways to give users mechanisms to protect their information, and I think it’s got a few more years of working with large segments of the industry to make sure there is an appropriate level of transparency.
The U.S. inquiries into location-based services really helped people understand what was going on on their smartphone when they were using location-based services; to know whether or not there was a concern there. I think that’s helpful.
Education and awareness for the end user are key in my mind, but also making sure that vendors have a clear understanding as to what they should be doing to protect the privacy of their customers.
Again, it’s been core to our philosophy since Day 1, and continues to be something that we examine every time that we implement a new feature or bring in a new smartphone.
We’re constantly looking at what are both the privacy and security impacts.
Q – What does it feel like to carry the weight of BlackBerry security on your shoulders?
A – You know, it actually feels pretty good, because it’s woven into the philosophy of the company. It’s something that Mike Lazaridis has set as a strategic direction for the R & D community, so the way that we think about privacy and security is something that is really ingrained into the culture.
Some days it’s much easier than you might imagine, because we are well-aligned as a company around making sure that we continue to do the right thing to protect the information of our customers, and to secure the platform.
It’s just part of our thinking, so actually, I can’t think of a better job.
Q – Is there anything new on the horizon that you can tell us about?
A – Last month we had an announcement around NFC (near field communications), and people think about NFC in terms of payments, which I think is sort of the natural tendency right now. You know, ‘I want to use my phone to buy a coffee at Tim Hortons, or fill up my car and just tap and pay to do that.’
But we’ve done some work with some of our partners around building-access, which brings interesting other elements to the platform. You’ll be able to use your smartphone as the key to unlock the door to get in the building.
Most large companies have got their ID badges, and you tap those and you get in, and they’ve got your picture on them. We’re looking at replacing that with your smartphone, and there we get into some security concerns about, ‘How do I make sure, if my employee loses their phone, that those credentials can be appropriately managed so that that phone can’t be used to get into my building?’
So I think NFC starts to change again how we think about privacy and security, because I’m going to start doing wireless payments, and how do I secure that transaction? How do I secure building access?
We had our first announcement recently on building access, which I think is really good, but with NFC, we get into payments, we get into transit, we get into how you interact with movie posters and smart tags and things like that.
It’s interesting technology, which I think is going to bring about a new set of privacy and security concerns, some of which we can already think about and some of which I don’t think we’ve fully envisioned yet, because the technology is relatively new.
Third in an ongoing series.
Part 1: Q + A with Mark McArdle
Part 2: Q + A with Jennifer Stoddart, Canada's Privacy Commissioner