Canadian police have the master key to millions of Blackberrys around the world

Canadians have a reputation for good manners and neighbourliness. How do you get a Canadian to apologise? Step on their foot, according to the old joke. But there’s nothing well mannered or neighbourly about Canadian police using Blackberry’s global decryption key to spy on private citizens.

A joint investigation by Vice News and Motherboard has revealed that the Royal Canadian Mounted Police (RCMP) has had the decryption key since 2010 and used it extensively during a two year operation targeting a Montreal crime syndicate. Its lawyers (as well as Blackberry’s) then spent two years fighting to prevent these details from appearing in the public record.

Let’s back up a bit here to consider the seriousness of this news. A police service had, and probably still has, a master key that allows anyone to intercept private text messages between millions of Blackberry users around the world. That’s not just dangerous, it’s reckless.

The RCMP should, at the very most, have compelled Blackberry to decrypt specific messages. They should never have asked for, and certainly never received the global decryption key. This is like the difference between transferring money to your teenager and giving them your credit card. Once the key is out there, all control is lost.

This is exactly why platforms like WhatsApp and Telegram have implemented end-to-end encryption - because it removes the temptation for government agencies to overstep their mandates and demand unfettered access to millions of people’s private conversations.

It’s important to note that this doesn’t affect all of Blackberry’s customers - only those using the standard “consumer” servers. Those using corporate or (ironically) government Blackberry servers are safe because those systems all have their own encryption keys. But that doesn’t detract much from the seriousness of this breach of trust.

Regardless of what the RCMP may say, an encryption key is easily copied and shared. While there’s no hard evidence either way, there’s a definite chance that the key has been leaked. If it has been leaked, there is literally no way to tell. The only way to remedy this is to update every Blackberry device on the planet to use a new key.

But perhaps the worst thing about this flagrant misuse of state power is that the RCMP and Blackberry then expected it to be kept secret. Let’s absorb that, shall we. Canada, one of the world’s most benign democracies, is now spying on its own citizens and trying to keep that spying a secret.

The fact that the RCMP operation was a success and the crime ring was smashed is completely beside the point. The scale of this invasion of privacy can’t be justified by a few arrests. The RCMP acted recklessly and overstepped both its authority and its capabilities.

Democratic governments around the world have begun to see privacy as optional and contingent. Supposedly free countries like England, France, the USA and now Canada are crawling with what amount to secret police.

These agencies have broad powers to listen in on millions of people’s daily lives on the slim chance that they may be, or may be connected to, terrorists or criminals. And, what’s worse, these agencies often lack the technical understanding to realise how dangerous their master keys could be in the wrong hands.

The people of the world need to make ourselves heard: we will not accept mass surveillance. We will use encryption to protect ourselves from governmental overreach. As Alan Moore wrote, people should not be afraid if their governments, governments should be afraid of their people.