RSA Show Boycott Spreads in Wake of NSA Allegations

At least eight speakers have pulled out of the security conference to protest RSA's relationship with the controversial spying agency.

The decision by several high-profile speakers to pull out of the upcoming RSA security conference in light of allegations that the information security technology company abetted the NSA in its spying efforts is fueling debate in the industry over whether the boycott is warranted or effective.

As many as eight security experts that had been scheduled to speak have said they will not attend the RSA Conference 2014, a major annual security show set this year for Feb. 24-28 in San Francisco. Their decisions stem from a report last month by Reuters that the National Security Agency paid RSA $10 million to put a weak pseudo-random-number generator (PRNG) in its BSafe encryption solution, enabling the spy agency to gain access to protected data.

That Reuters story came after The Guardian reported that the NSA was getting access to private data of users of a range of technology products. The reports were the result of documents and information from former NSA contractor Edward Snowden.

In a statement in December, officials with RSA—a division of storage giant EMC—said the company had worked with the NSA as both a vendor and within the security community with the "explicit goal … [to] strengthen commercial and government security." However, they denied doing anything to weaken the algorithms in their products to give the NSA easy entrance into systems.

"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the statement read.

However, that wasn't enough for some security experts, several of whom said that in light of the allegations and the lingering questions surrounding RSA's role, they could not in good conscience speak at the conference.

In an open letter to EMC CEO Joe Tucci and Art Coviello, executive chairman of RSA, on the F-Secure blog the day after RSA's statement came out, Mikko Hypponen, chief research officer for F-Secure, said he was pulling out of the conference. Hypponen, who had spoken at the RSA event eight other times, noted that RSA's statement never denied the allegation that the company used a PRNG from the NSA as the default in its products in exchange for $10 million.

"I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," he wrote. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway—why would they care about surveillance that's not targeted at them but at non-Americans. Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event."