The annual RSA conference in San Francisco, founded by the computer security company of the same name, is a marquee event for the security industry and has long been a forum for some of the most vocal opponents of government surveillance to discuss ways to keep personal data safe from prying eyes. But this year, talk of betrayal is in the air. At least eight prominent attendees are pulling out of the conference, which begins next month, and are canceling planned talks and presentations to protest RSA's alleged covert collaboration with the National Security Agency.
At issue is a $10 million deal that RSA reportedly struck with the spy agency to include a deliberately flawed algorithm in one of its security products, which effectively gave the agency a backdoor to spy on RSA's customers.
The alleged deal, which was reported last year by Reuters, shocked many security experts and technologists, who have long seen RSA as a pioneering defender of privacy-enhancing technologies like encryption and a historic adversary of the NSA. The company's products are used by people, companies, and governments around the world to shield their communications and data.
The agency's efforts to weaken an encryption algorithm that RSA eventually adopted in 2006 were confirmed in documents disclosed by Edward Snowden. His leaks have revealed a multifaceted campaign by the NSA to foil encryption and steal unencrypted information from Google and Yahoo. But the Reuters report is the first specific allegation of a company being paid to secretly insert weaknesses into its products in order to help the NSA spy.
"It's astounding," Jeffrey Carr, the CEO of Taia Global, said of RSA's alleged decision to use the NSA's flawed algorithm. "Even if RSA comes forward and says, 'Here's the contract, we had no idea there was a backdoor,' it's still bad judgment. It's maybe not as bad as saying, 'Yes, we took a bribe,' but it's still bad judgment."
Carr had planned to speak on a panel at the conference but pulled out as part of a growing boycott that, as of Wednesday, included two security engineers from Google, which itself has been a high-profile target of NSA's intelligence-gathering apparatus. So far, the protesters are a mix of technologists and activists. No conference sponsors have pulled out, and only one company has said none of its employees will speak.
Mikko Hypponen, a prominent security researcher, was the first conference attendee to pull out, a decision he announced two weeks ago in an open letter to RSA executives criticizing their alleged cooperation with the spy agency.
"I don't want to portray myself as a leader of a boycott," Hypponen wrote on Wednesday in an update to his letter. "I did what I felt I had to do. Others are making their own decisions." Hypponen, the chief research officer for F-Secure, a security company based in Finland that has offices in the United States and around the world, said that no one from his company would speak at the conference.
What's especially galling to the conference boycotters is that RSA's founders were some of the original stalwarts against NSA's efforts to foil encryption. In the 1990s, they helped lead a charge against an NSA project, known as the Clipper Chip, to stop the proliferation of commercial encryption, which the agency feared would allow terrorists and criminals to communicate using codes that it couldn't break.
Ironically, the RSA conference started in response to concerns by privacy advocates and technologists that the government would try to dictate encryption standards, thus giving agencies like the NSA the privileged access for which they allegedly paid the company years later. (RSA was acquired by EMC Corp. in 2006.)
In a statement last year, RSA denied that it entered into a "secret contract" with the spy agency. But it hasn't explicitly said that there is no backdoor in the product that it ultimately sold after consultation with the NSA. "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the statement said. But RSA also distanced itself from the spy agency, saying that back when it decided to use the flawed algorithm, "the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."
Even that assertion may strike some security experts as a stretch, considering that the NSA has never made a secret of its attempts to break codes. (That is, after all, the business it's in.) But the NSA also helps make codes, and has encouraged the adoption of ostensibly strong encryption standards. The flaw in the algorithm RSA adopted was quickly discovered and written about by security researchers at Microsoft and elsewhere at the time. But there was no proof it had been put there by the NSA. Not until the documents released by Snowden showed that the NSA had poisoned the algorithm did RSA encourage people to stop using it.
"Until RSA explains what happened, the available evidence we have points to a betrayal of trust," Carr said.
The RSA conference organizers didn't respond to a request for comment.
Joining the protest with Carr, Hypponen, and two Google engineers, Chris Palmer and Adam Langley, are Christopher Soghoian, the principal technologist for the American Civil Liberties Union; Marcia Hofmann*, a privacy and security expert and attorney formerly with the Electronic Frontier Foundation; Alex Fowler, who leads global privacy and public policy issues for Mozilla; and Josh Thomas, the "chief breaker" at security research firm Atredis Partners.
*Correction (Jan. 9, 2014): An earlier version of this post misspelled Marcia Hofmann's surname.