Canadian police have had BlackBerry's encryption master key for years

Roughly a million BBMs decrypted

BlackBerry is renowned for the security of its devices, but that doesn't mean much when you have something as powerful as the company's global encryption key in your hand.

That's exactly what dual reports from Vice and Motherboard say federal police in Canada had during an investigation into a mafia murder beginning in 2010. The most disconcerting part? They may still be in possession of it.

The investigation centered around a handful of men, but the key would have let the Royal Canadian Mounted Police (RCMP) decrypt any consumer message it wanted to as well.

As one Canadian government prosecutor put it: "So right now, with my device, if I'm not on [BlackBerry's Business Enterprise Server], I'm a dead chicken. That's the reality of it, that's what we don't want the general public to know."

The reports indicate over one million BBMs were intercepted onto a server in Ottawa and decrypted with the key as the RCMP carried out "Operation Clemenza".

What's not known is how the RCMP obtained the key, including whether BlackBerry simply handed it over. Another possibility is that, as in the Apple vs FBI dispute, a third party figured out the key for the Canadian government.

Key findings

According to Vice, the government fought against making this information public for two years, while the police force and BlackBerry both resisted a judge's order to release details on what their working relationship looks like. Neither confirmed nor denied how the key came into the RCMP's possession.

What's even more disconcerting is that it's unknown where the key is now. It could still be in RCMP's possession, which doesn't impact corporate or government accounts as those have their own decryption keys, but might mean that the country's police had easy access to private users' messages while they were none the wiser.

As noted in a technical report inspected by Vice, the RCMP referred to BlackBerry's global encryption key as one that "would unlock the doors of all the houses of the people who use the provider's services, and that, without their knowledge."

Only one key is needed to decrypt all private BlackBerry device messages. So, if the company hasn't changed the key - and a change is unlikely, given it would take a "massive update that likely was on the per-handset level," according to one Motherboard source - and the police held onto the code, they could still decrypt any BBM they wanted.

The BlackBerry revelation comes at a critical time in the encryption debate. Apple and the FBI's well-publicized spat over accessing data on a terrorist's iPhone is, for the most part, wrapped up, though we're already seeing similar disputes between the two heat up.

Whether BlackBerry gave its code to the government or not, it only further elevates the importance of questions about the extent of government power and how far companies are expected - or required - to assist in accessing devices with software that could put innocent parties at risk. These are questions not likely to be resolved any time soon.
