Private messages exchanged using corporate BlackBerry wireless devices might not be quite so private after all as evidenced by a recent lawsuit filed in Toronto, Canada, by the Canadian Imperial Bank of Commerce (CIBC).
The lack of security of such devices, which are increasingly used by employees to access corporate e-mail accounts, has not only raised concerns about the security of the popular BlackBerry wireless e-mail device but also spotlights the larger concern about employee privacy with respect to personal messages that were previously thought to be untraceable.
In the above case, the CIBC is suing Genuity Capital Markets, a new Toronto-based investment management firm established by six former CIBC employees. The lawsuit centers around CIBC’s allegation that these former employees used their BlackBerrys to improperly recruit their colleagues while still working at the bank.
PIN Messages Retrieved
The bank submitted numerous BlackBerry e-mails and PIN messages as evidence that the former executives took confidential information from the company and orchestrated a “calculated scheme” to solicit others while they were still employed by CIBC.
The fact that bank management could retrieve PIN messages (discussed below), which were previously thought to be untraceable, has left many in the business world stunned.
Standard BlackBerry e-mail goes through a company’s computer system, or enterprise server, and can be logged and archived by that system just like any other e-mail message. However, BlackBerrys also come equipped with a personal identification number (PIN). PIN messaging is common in financial circles and workgroups. Common belief has held that messages sent from one BlackBerry to another using these PINs, rather than normal e-mail addresses, bypass a company’s computers, making the communications completely private since the messages are sent directly from one device to the other.
Because these messages are believed to be beyond the reach of monitoring or logging by the BlackBerry enterprise server, many people use the feature to exchange private or sensitive information. In reality, that is not the case: companies can access all communication sent and received through a company-issued BlackBerry.
In fact, there is software available that can capture such PIN-to-PIN communications, and it is being increasingly used by financial services firms and government agencies to log BlackBerry communication. Furthermore, messages relayed in this manner can then be subpoenaed in court, as has happened in the CIBC case.
BlackBerry devices are manufactured by Toronto-based Research in Motion, which currently has more than 2 million users spread out through thousands of companies worldwide.
The case against Genuity was established through CIBC’s probing of the alleged conspirators’ e-mail for evidence, including those of David Kassie, CIBC’s one-time vice chairman and a 25-year veteran employee with the firm who resigned in February of 2004, reportedly due to fallout from an Enron-related banking scandal.
Kassie, Genuity’s CEO, founding partner and its largest shareholder, denies that Genuity improperly recruited staff from CIBC or took confidential information. CIBC argues that the former employees named in the suit, who all went to Genuity after leaving the bank in early 2004, had agreed not to “directly or indirectly solicit” their former colleagues for 21 months; however, their e-mail records indicated that they were recruiting for Genuity during the summer of 2004. These records were culled from the supposedly secure BlackBerry PIN messages.
Experts in the IT industry say that unless a wireless e-mail device like a BlackBerry is disconnected from a company’s server (and switched, for example, to a personal e-mail account offered through a private Internet service provider), every message is likely stored on a corporate computer and can be retrieved later. The only way around this is to disconnect from one’s corporate e-mail entirely; only then can one send and receive e-mail privately over whatever account one chooses.
The issue at hand is that employees using PINs to pass confidential information back and forth might not know that the messages are traceable, and prior to the CIBC incident, many employees thought that using PINs to send e-mails was a private form of communication.
In the CIBC case, the bank is not revealing how it got access to the former employees’ BlackBerry messages, but states in its lawsuit that the executives “seemed to have believed [they] did not create any record of their e-mails on the [bank’s] central computer systems.”
Server in the Middle
This news should come as no surprise to security professionals, states Pete Lindstrom, an analyst at Malvern, Penn.-based Spire Consulting. “Most people think of peer-to-peer communications as a person-to-person thing,” he said. “But somewhere in between, there’s almost always a server.”
CIBC is asking for $10 million in damages, plus costs, any compensation paid while employees were planning Genuity, all of Genuity’s revenue and the right to inspect the IT equipment of ex-employees.
On the legal side, this case is significant in that it marks one of the first times (if not the first time) that an employer has used PIN-forwarded e-mails against former employees in a public court battle.
On the practical side, this lawsuit highlights two important points: first, when using corporate resources to communicate, employees should assume that all communications are monitored and recorded — period. Second, personal privacy when using electronic devices to communicate is an illusion perpetuated by our strong desire to believe that we can keep certain communications private as opposed to a rational belief based on an intelligent examination of the technology being used.