Just before Christmas 2013 the world found out that RSA, the corporation making millions selling its software to provide security through encryption, had taken millions more in money from the U.S. military’s National Security Agency in order to build a “backdoor” so that the NSA could break any RSA-based encryption to spy on the communications of its users. RSA kept this information secret from its paying customers. Given the news that the NSA has been bypassing search warrants to collect billions of records every day spying on innocent people, that’s a pretty big deal. Encryption was seen as the best protection from NSA intrusion — but that avenue can’t be relied on any longer.
On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim. Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it.
As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.
Aptly enough, the talk I won’t be delivering at RSA 2014 was titled “Governments as Malware Authors”.
I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-Americans? Surveillance operations from the US intelligence agencies are targeted at foreigners. However, I’m a foreigner. And I’m withdrawing my support from your event.
It turns out that Hypponen was wrong about American conference speakers not cancelling. American security expert Josh Thomas has publicly declared his intention to quit the RSA Conference too.
9 of the last 10 tweets to the #RSAC conference hashtag aren’t about the conference itself. They’re about the RSA’s paid collaboration with the NSA, and about decisions to withdraw from RSA’s upcoming conference as a result. The conference hashtag could turn into a bashtag.