Privacy Activists Sour on RSA

After report privacy company gave NSA backdoor access

Technology privacy advocates are withdrawing from RSA’s annual conference after a report claimed the popular security brand took $10 million to give the National Security Agency backdoor access to customers’ personal information.

Angry and disheartened, 11 to date have dropped out of the usually well-attended cybersecurity symposium set for February. They’re staging their own kind of protest as they seek answers from RSA and its parent company, EMC Corp., about a Reuters report last month that RSA let the NSA sneak into its Bsafe privacy software, used by companies for security.

“It seems to me that RSA essentially sold out,” said Jeffrey Carr, CEO of the cybersecurity firm Taia Global, who recently canceled his speech at the conference. “A lot of people profited.”

Speakers have been dropping like flies from the conference’s lineup, which still boasts about 500 presenters, since the damaging accusation. Christopher Soghoian, a leading technologist and senior policy analyst at the American Civil Liberties Union, has canceled his lecture, too. He declared in a Jan. 7 Twitter post that he’s “given up waiting for RSA to fess up to the truth.”

EMC Corp. did not respond to requests for comment from TIME, but the company did “categorically deny” the Reuters report on its website, saying it neither had a secret contract with the NSA nor knowingly allowed the spy agency access to customers’ information. “Our explicit goal has always been to strengthen commercial and government security,” the company, best known for its SecurID key FOB, said in a statement last month.

At issue is software known as Bsafe, which uses an NSA encryption algorithm to generate random numbers to secure computer privacy. At least two dozen companies have long used the NSA algorithm through RSA’s software, according to Carr. After a New York Times report based on documents leaked by former NSA contractor Edward Snowden, a government agency recommended in September that companies stop using the algorithm because of security flaws. RSA then advised customers to switch to other encryption formulas created for the Bsafe software. But Reuters soon reported NSA had previously paid RSA to make the NSA’s insecure algorithm Bsafe’s default option, giving the spy agency backdoor access.

“The companies have to change from the default Bsafe [algorithm],” Carr said. “I don’t recommend any of my other companies spend a penny on [RSA].”

Carr is boycotting RSA products to push the company to either fess up or prove it did not knowingly provide the NSA with direct access to secure information. The flap has yet to impact the bottom line for EMC Corp., in part because RSA accounts for only a small portion of the company’s business.

Evan Greer, the campaign manager of the nonprofit Internet freedom advocacy group Fight for the Future, said RSA set a dangerous precedent if the report is true.

“RSA gave the NSA access to more than they should have,” Greer said, “but they gave anybody else who can exploit this backdoor access.”

1 comments
forgottenlord

1) This is the argument for using PGP.  Yes, it's RSA based but it is a privacy enthusiast who's actually been charged previously by the NSA for undermining their efforts and would undoubtedly not be using the NSA variation

2) It is strongly believed that the NSA is the #1 cause of insecurity in the civilian world.  They are believed to be the ones who decided on 56 bit as industry standard (because there is no other logical explanation for why anyone wouldn't use a full 64 bit - at least in that era, today both are laughably bad) and they are believed to be the ones who made a certain wireless standard so pathetically bad that anyone could hack it in under an hour.  Of course they made an insecure algorithm and of course they put a gun to RSA's head to make it the default.  The NSA isn't about protecting information and never really has been, it's about looting information.