CNET News.com Newsmakers
February 10, 1997, Jim Bidzos
Privacy profit
By Alex Lash
Staff Writer, CNET NEWS.COM

Only the U.S. government stands between Jim Bidzos and a fortune.

The 41-year-old president of RSA Data Security is ready for the big payoff, but there's one small matter: The Federal Bureau of Investigation and the National Security Agency are fighting to keep strong cryptography under the government's thumb.

If indeed the Internet is to become a global commercial highway, confidential information and transactions will need protection. Everyone agrees that encryption--software that uses mathematical codes to keep data and messages away from prying eyes--is the best way to provide that protection. Bidzos's RSA has practically cornered the market on encryption software, with its toolkits built into over 90 million copies of mainstream applications such as Netscape Navigator and Lotus Notes. But such saturation is nothing compared to what the company could reap if the United States and other countries decide (against the advice of security advisers) to deregulate the spread of no-holds-barred encryption.

Now, after butting heads with the intelligence brass for 11 years, Bidzos's rap is as smooth as a rock jutting across a river's current. But his years of resistance and polishing could be coming to an end, as Congress once again prepares legislation to liberalize the export of strong encryption. If Capitol Hill musters enough votes to pass the bill and override an expected Clinton veto, Bidzos is poised to reap international rewards as commerce not only goes global, but digital.

According to the press, Bidzos is a crusader, a brawler, a hero, and a threat to national security. But talking to Bidzos leaves you with the feeling that it all boils down to business. The man with a Belushi-brother face and sense of humor to match is focused on selling encryption, plain and simple.

To do that, you have to package fear. RSA does a great job with a mischievous, hip sense of humor that stands in contrast to the dour, faceless agencies it mocks. One promotional poster shows federal agents eavesdropping on a nuclear family's phone line. The tag line? "Add Uncle Sam to your circle of friends and family!" A similar poster reads "A good marketing organization listens to its customers." Both are signed, "Your National Security Agency."


At the recent RSA-sponsored conference, the company announced a contest to break its own ciphers. The strongest key length allowed out of the country without export restrictions (40 bits) was cracked in less than four hours by a computer science graduate student.

His commitment to the free spread of encryption is unquestioned, but does that make Jim Bidzos an outstanding civil libertarian as his image suggests? Compared to his attacks on Uncle Sam, Bidzos has said very little about the growing power of large corporations and the threat they pose to the privacy of both consumers and employees. His views on privacy in the workplace, for example, are much more measured. After all, he's selling software to corporations, not their employees.

Unlike others in the battle against the abuse of privacy, Bidzos does not cite Watergate or J. Edgar Hoover as a motivation for his crusade. In fact, he says he paid little attention to privacy matters before being asked in 1986 to bring his business savvy to RSA. Sound bites about past political events ("If Nixon had the Clipper chip, he'd still be president") often seem too polished to reveal true, deep-seated belief.

NEWS.COM chatted with Bidzos in San Francisco during the RSA conference, where the veteran of bureaucratic wars talked about his fight against the spooks, personal privacy, and whether the decade-long fight has been worth it.

NEWS.COM: Do you ever feel that you've dug in your heels so deeply that it has made it sort of hard for any sort of public compromise [on encryption policy]?

Bidzos: If there were any kind of compromise on this issue, the government squandered its opportunity to find it with its very unrealistic, unacceptable approaches that were just such in-your-face kinds of proposals. The Clipper chip, for example, just made no sense: "Here's my product, use my product with built-in access for me. Don't worry, I won't abuse it. By the way, the two escrow agents are both in the Executive branch of the government." Hey, if Nixon had the Clipper chip, he'd still be president! Now, there's something to live for.

Jim Bidzos: Stats

Age: 41
Claim to fame: Tweaking the feds over encryption for 11 years
Separated at birth: Jim Belushi
When not working: Tennis, wine collecting, music
Driving pleasure: BMW motorcycle

Encrypt this!

NEWS.COM: As a private citizen, not as the CEO of RSA, how do you feel about the bad guys, to put it simplistically, using encryption to hide their activities?

Bidzos: Well, it is a concern, there's no doubt about it. I'm like a lot of other people: I have people that are important to me (family members, I fly on airplanes) and I'm concerned about terrorism, I'm concerned about criminals. I understand the government's argument. My feeling is that if the government really wanted to help itself, I think they would have been hard-pressed to do a worse job than they've done. And that's not meant in a terribly direct negative way, but I think that the government doesn't understand how to take risks.

Take a company that's in business today: They have to choose a direction based on what they believe the future will look like. I think the government's approach has been "We can tell people what to do. What we do is more important. Who cares what else is going on in the world? We save lives, therefore nothing else matters." But there's always a compromise. The automobile industry makes a product that kills at least 30,000 or 40,000 people every single year. I'm sure that doesn't affect the business or personal views of the people who make them because their buyers buy the product for good reasons. Cryptography is just like that. If you asked the purchaser of a car why they buy it and you ask the purchaser of strong cryptography, you'd get the same answer.

What if the government said "From now on cars made in the United States can only go five miles an hour, no more. Safety first. But by the way, we're not going to restrict import of cars that go faster." What do you think people would say? I think they would say "Wait a minute. The risk of going faster is acceptable. The alternative, going five miles an hour, is unacceptable and if I can't buy that product from a U.S. company I'll buy it from a European or an Asian company." I think cryptography is exactly the same way.

I believe the risks can be acceptable. I think that there could have been things that the government could have done to help itself to at least manage the problem and transition to a world with cryptography better because I believe that's inevitable. And I think throwing things out like the Clipper chip and saying "Here, use this or else we'll get legislation to make you use it" is not a good way to do that.

The U.S. has an intelligence-gathering capability that's second to none. It also has a crime problem that's second to none. And so the interests in controlling encryption are motivated to do more in the U.S. than anywhere else. But there is the argument that inevitably encryption will come. The Internet has no borders. I think eventually people will accept that these principles being adopted by other countries ultimately must be adopted here, which is that encryption is a reality: Learn to deal with it. Maybe we should be focusing more on the fundamental problems: Why is there so much wrong with the world that we need to be gathering intelligence all over the place? I'm not so idealistic that I'm saying we can fix the world's problems in a decade or two, but the fact that we have such a crime problem and we need to threaten everybody's privacy in order to deal with it I think indicates that there is a fundamental problem here.

Certainly the government shouldn't ignore encryption, but they shouldn't be so focused on controlling it that they're willing to do things like put everybody's personal privacy at risk, raise constitutional questions, do things that invite abuse by the government, [do things that] are completely inconsistent with international commerce, [and] inconsistent with international principles. Congress really needs to get involved. I'm glad they are.

NEWS.COM: But the government says it's just maintaining the status quo. Why shouldn't law enforcement be allowed to wiretap digital communications just like it taps phone conversations?

Bidzos: I think that's a very convenient argument for them to make because it sounds logical, it sounds reasonable, and it sounds like they're not asking for very much.

The status quo today is that the government can get a court order that authorizes a wiretap. That court order doesn't guarantee them by any means that that wiretap will be successful. It just says "you can go tap a phone."

I think that that argument ignores the fact that they're asking for something that makes such a profound change in the system. Having a key escrow system invites abuse. [Editor's note: Key escrow requires scramblers to "bank" the keys that open their encrypted messages with a third party.] It creates risks that we can't even imagine in today's system.

The government cannot sit at a computer terminal with a court order and tap somebody's phone from the convenience of that terminal [today]. Under the proposed schemes, such as the digital telephony bill and some of the crypto controls, that is precisely what they would be able to do. And that capability could be passed down to local law enforcement. I think one of the few things that is quite an accurate reflection of society on television is that local law enforcement tends to have powers that are used for other than legitimate reasons.

It just so happens that prior to the digital age, tapping a phone wasn't all that difficult. Now [law enforcement agencies] are finding it a little bit more difficult to tap those phones. Does that mean that we need to retard the technology just to keep them right where they are? I don't think that makes sense.

NEWS.COM: To a certain extent it seems to me that this ongoing fight with the government is in fact perhaps, in some twisted way, good for your business. It certainly scares a lot of people from getting into the security market. Let's just say that they cave in and they said "OK, go ahead, write the export laws as you wish." First of all, how would you write those? Secondly, would you rue the day that you didn't have that fight to join?

Bidzos: Well, I guess it depends on whether you're asking me how I'd feel if that happened today or if that had been the case, say ten years ago. I think it's true that the David-and-Goliath view certainly, in retrospect, hasn't hurt our ability to get some exposure for our cause and for our business. But the flip side of that is we've had to fight a very long and difficult uphill battle.

The government has done far more than just maintain export controls that limit our market. They have excluded RSA from the government standards, even though it's a de facto standard with 100 million products. They have tried to use their standards-making authority in saying that the [government's] escrowed encryption technology and the government's signature techniques are the only acceptable technologies in government. We've had to fight against that, yet we've been successful.

NEWS.COM: You've never had a government contract?

Bidzos: I think some of our end-user products may have been sold to the civilian side of government, but we have never made a penny from a government contract. We have never been paid by the government to do any special kind of work for them. None of that has ever happened. So we've had to fight a pretty difficult battle as a result of having the government against us.

The good news is nobody else wanted to fight it. The bad news is nobody else wanted to fight it. I would revisit this question myself over the years very often and I concluded that it was futile to fight with the government, that I should keep promoting, keep educating, keep visiting the Microsofts and companies like that, get them excited about this technology. And if I'm successful they'll fight the battle for me because it's a good fight. And that's exactly what you're seeing today I think.

Bidzos the man, RSA the company and Disney the nation-state

NEWS.COM: Do you feel that when all this shakes out and when crypto becomes available without any restrictions that you're going to end up being the guy who did the dirty work and that other people will come in and reap the benefits?

Bidzos: I never really think about that. There are a lot of people who are getting into the business and doing things, but in terms of reaping the benefits, I think I've already done that. Certainly the company is doing well financially, which was never the main purpose of doing this, but it's nice to have that benefit.

I came to realize some time around 1987 that an invention--that was probably one of the most important mathematical discoveries of this century (which is public key cryptography and RSA) by people who were absolutely brilliant and a delight to work with--was going to be controlled by the government. They were not only using it, they didn't want anybody else to use it. And they wanted to deny the inventors the credit and economic benefit of their invention. Quite frankly, that pissed me off and that motivated me and I worked extra hard.

So when I look around over the last couple of days at a conference that now draws 2,500 people, we list among our licensees the biggest and best companies in the world, shipping close to 100 million products that contain RSA encryption. By any measure, I think I've achieved as much success as I could have ever hoped for. So if other people want to pick up the ball and do things and take credit for cryptography, that's fine with me.

NEWS.COM: Was there a moment or an incident that really impressed upon you the need for privacy protection, either as an individual or a businessman?

Bidzos: No, I have to confess that I never really thought very much about these issues until I got involved with this company. I think I've been influenced in a great way by the founders of this company. The founders are idealistic academics who have a great view of the future. They're brilliant, clear thinkers, who'd rather enlighten than impress. I get a lot of my strong feelings about this from them. The academics and the civil libertarians are not the only people that I get information from, but I find my thinking to be very, very sympathetic with theirs.

NEWS.COM: How is it that you wound up running RSA?

Bidzos: RSA was founded in 1982 by the three professors who invented the RSA algorithm. (R, S, and A are the initials of their last names.) They weren't very successful in making a business of it. I did a little bit of, call it, consulting work, helping figure out how this technology might get used. Then I met Whitfield Diffie [co-inventor of public-key cryptography] in 1985 and I found him to be a very intriguing person.

I just kind of came out and stayed with the company. Within 60 days of my doing that, it became clear that the company was going broke and needed to do something drastic. Everybody left except me. So, by default I became the CEO. That was about 11 years ago.

NEWS.COM: You said in a Fortune interview that you had a hard time pitching RSA to investors.

Bidzos: Investors would actually say to me "Well let me see if I've got this straight: there's no market for your technology, but you're going to create one by promotion and the government prefers that you didn't exist? But you're just going to beat them at that game. Well gee, I don't think we'll invest today; we need to be somewhere else." So it was hard to raise money, but what I meant by creating a market and promoting it was endless travel: cross-country flights, speaking to anybody who would listen, trying to get myself in front of every trade show, every industry group, in front of people in companies, especially software companies, trying to get them to understand what the potential for the technology was and start using it.

NEWS.COM: And the potential if you didn't use it.

Bidzos: Exactly. The downside. I've always thought the dark side of cryptography is that we use these sophisticated search engines to type in somebody's name and get an immediate picture of everything they do: where their kids go to school, what their bank account looks like. The dark side is no cryptography, so here I am to help you with good cryptography.

NEWS.COM: Your patents are going to expire pretty soon--when is that exactly?

Bidzos: The RSA patent expires in September in the year 2000, about three and a half years from now. But that isn't what we sell. I always use the example of Dolby. I think Dolby has no patents, but it's the leading company in what it does because it's ubiquitous, it's a standard, it offers some real value, and the company keeps innovating. Who would have thought there was life for Dolby after digital audio? And yet there's quite a bit. And I think that RSA is like that too. We really sell trust.

We build a very sophisticated toolkit, of which a very small part is the RSA algorithm. A lot of it consists of the stuff that you need to use encryption: key generators and message formatting. And it's a product of many hundreds of thousands of lines of code, built by a company that was founded by the inventors of the technology and carefully supported by them with a focus on that one thing. And it seems like a safe bet.

We license our source code to all of our customers, so there are no secrets about what we do. People are welcome to look at it and decide for themselves if they like what we've done or don't like what we've done. So I think the patents are sort of overstated in their importance.

NEWS.COM: You'll lose the revenue from the licensing though?

Bidzos: Which is a small single-digit percentage of our revenue. It's a tiny, tiny fraction of our revenue. I don't think that any one of our customers--because anybody can give them a small part of what we do for a little bit less--is going to risk the security of their company or their customers on making that change.

NEWS.COM: Why did you choose to merge RSA with Security Dynamics last year, when many analysts expected RSA to go public? Was it the state of the IPO tech market?

Bidzos: No, I think I was able to keep that all in perspective. In fact I thought that the market was a little overheated for IPOs and a little bit hyped. And so that made me consider the alternatives seriously. If I hadn't believed it was overhyped and it was such a hot IPO market I might have just driven toward an IPO and ignored other possibilities.

I went through a very, very complicated process of analyzing the value of an IPO vs. a merger. There are a lot of things to consider there. There's a direct economic value for example. In an IPO, we would have had to create a large number of new shares to sell to the public, to give to all the new management that I would have to hire. And there was an immediate and significant dilutive impact.

Secondly, as sort of a pure-play crypto IPO, I think we would be vulnerable to wild swings and it would be hard to explain to non-sophisticated investors why it is true that the government is trying to put us out of business, but they shouldn't worry about it. And also I think that security is going to become a very large market and that large companies need to provide more comprehensive solutions. Being able to provide more complete products, better service, more R&D funding, and being able to focus on what I like, working with the cryptographers, marketing, that ongoing promotion which I've not stopped doing, overall would provide the best return to my employees and the shareholders. And the employees were probably the most important factor in that consideration.

NEWS.COM: So you've had some trouble with Pretty Good Privacy, some sparring back and forth. And lo and behold they show up at the conference this year. What does that mean in terms of your relationship with them?

Bidzos: Well I'm not sure I agree with what you said. I've had one person say to me "PGP would be all over the place if it wasn't for you." And I say "Excuse me, I think it's all over the place wherever it is because of me." Now if you're using PGP in the U.S. it's because we granted a free license and actually provided software that runs in it. So I don't know what I've ever done to prevent anybody from using encryption. I've insisted that our intellectual property be respected because I have a corporate responsibility to do that. But they are a customer just like anybody else.

NEWS.COM: You are polite, yet very adamant about your distrust of government, but I also think there's a disturbing trend of corporations becoming nation-states, for example, the state of Disney. What's your position on the private sector using/abusing information, whether it's their employees' information or their marketing information?

Bidzos: There is very little that I can think of that's ever happened in history that creates more of a threat to personal privacy than the Internet. Encryption offers us an opportunity to get a lot of that back if it's used properly. I'm a staunch believer in personal privacy. I think the Internet can be a good tool if we use encryption to get some of that privacy back. The corporations and companies that use that information without any respect for personal privacy, personally I don't think that's a very good thing.

NEWS.COM: Should companies have the right to read their employees' email?

Bidzos: Well that's a difficult question. I guess my feeling is that if somebody takes a job and they understand what the conditions of that job are--for example that the corporation owns their work product, which may be information they produce (including email) and that's well understood and made clear--that's probably acceptable as long as they don't try to reach out into somebody's private life. I think most companies today have a policy that they can break into an office or a desk in an emergency to get information that belongs to the company. I don't think any company has any business opening an envelope that's marked "personal" that happens to arrive at the office.