The Royal Canadian Mounted Police (RCMP) have had a key to access encrypted BlackBerry messages since 2010, a joint report from Vice News and Motherboard found.
According to the report, the RCMP first obtained the key in 2010 as part of an investigation into a series of violent crimes committed between 2010 and 2012. The investigation, dubbed Project CLEMENZA, resulted in the take down of two Italian-based organized crime cells in June 2014.
Over the course of the investigation, the RCMP said it read more than one million private messages sent by members of the cell using a PIN to PIN interception technique. The RCMP said the investigation was the first time the encryption-breaking technique was used on such a large scale in a major investigation in North America.
Court documents obtained by Vice Canada show the RCMP has a server in Ottawa – called the “Blackberry interception and processing system” – that cracks messages by simulating a mobile device that receives messages as though it were the intended recipient. The documents cite the RCMP’s use of the “correct global key” in decrypting the messages, though the documents do not specify how police obtained the key.
An expert from the University of Toronto’s Citizen Lab told Motherboard that unless BlackBerry has changed the global encryption key since the case – which it said was unlikely – the RCMP likely still have the ability to decipher most BlackBerry PIN-to-PIN communications.
Blackberry declined to comment on the report.
The news comes in the wake of a high profile legal battle in the United States between Apple and the FBI in which the technology company refused to provide software that would help investigators crack an iPhone 5c used by one of the San Bernardino shooters.
Microsoft, too, has recently become entangled in a battle with government officials to gain the right to tell its customers when federal agencies are accessing their emails.
Throughout, however, BlackBerry has taken a more cooperative approach in privacy matters.
“We are indeed in a dark place when companies put their reputations above the greater good,” BlackBerry CEO John Chen wrote in a December blog post. “At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.”
While Chen said BlackBerry rejects the notion that companies should refuse lawful requests for access to combat crime, the company does draw the line in cases where requests for access would lead to abuse of citizen privacy.
In November, BlackBerry threatened to end its operations in Pakistan after the government there demanded the “ability to monitor all BlackBerry Enterprise Service traffic in the country, including every BES email and BES BBM message.” The company stayed in Pakistan after government officials backed down from their request in January.