Blackberry and BES Privacy Invasion

I’ve had two people asked me recently about whether or not their employeer has the ability to spy on their phones (in addition to their company email). For example, text messages and their other email accounts. Maybe you’re wondering that right now so let me attempt to clear up any mystery. In short, if you’re strapped to a BES, you have virtually no privacy on that phone and if that threat, however remote it may be, bothers you, get another phone (I recommend a Google Android phone). Though I’ve never administered a BES, I googled the hell out of this and offer it to you with confidence.

If your company Blackberry is on the company’s Blackberry Enterprise Server (which would, unlike IMAP, for example let you change your calendar, the one that Outlook is plugged into, IE synced with each other along with your contacts) the administrator of the BES may be able to log, audit and watch most of that phone’s communication activities if they’re so inclined, and with a few items if they’re also so determined.

Here’s the fair game list which I think has at least 83% accuracy (please chime in if I got anything wrong): In addition to company mail that BES and Exchange handles, outgoing (and possibly incoming) BIS email (email accounts you added through the email setup wizard) by forcing that data to go through the BES and grabbing it or activating an autoBCC address, text messages including the body of each message, your call logs, your GPS coordinates with some phones, web addresses you’ve accessed either by typing them in or clicking links, your bookmarks, tasks, notes, calendar, contacts and all PIN messaging data.

Keep in mind that the company, especially if it’s their phone and in particular if they’re thinking about firing you, may take possession of your phone in which case obviously they’d have access to whatever they didn’t bother to log in the preceding paragraph. Or the admin may trigger a wireless backup of your phone and then restore that data to another phone and flip through the following in case they didn’t have certain logging components enabled before you presented yourself as a troublemaker.

If you want to check your MSN mail or whatever without getting another phone but also without making it too easy for the The Man to read your personal mail, do it through the web browser, making sure you see that S in https when you log in to buy yourself a layer of encryption. Though the admin could find out if you tried to access your mail that way, it’s not exactly very suspicious behavior. Downloading the Gmail client or any other third party client, provided you are certain strong encryption is involved, is another example of something to do if you only care about this a little but not enough to buy and carry around a second phone.

The consensus on third party IMing is that it’s at worst prohibitively difficult for the admin to read and hand off to your boss as more encryption and confounding protocols are involved, however if you’re paranoid that shouldn’t matter as all data of your Blackberry can be forced to fly through the BES and sometimes people figure out how to break encryption.

All that said I would submit that it’s highly unlikely saying the wrong thing in a personal email which you added to your company Blackberry will jam you up and it’s further improbable that going out of their way to spy on you offers a company a good return on its investment. Me, I wouldn’t get a second phone (that is, if I didn’t know Android existed), but maybe you’re not a digital exhibitionist. I figure as long as you’re producing you’ve got nothing to worry about – unless your company itself is naughty in which case the feds might take the seat behind the BES. But if you see the top brass of the company carrying around two phones, that could be a sign they didn’t like what they heard in one of the meetings in regards to their own peace of mind with the phone guys before they issued everyone Blackberries.

Tl;dr? If you’ve got a Blackberry that your company’s IT guy touched, privacy at your company from IT and management is no longer a feature of your phone. Or from the government if you’re based in the Middle East.

Doug Simmons