Bidzos the man, RSA the company and Disney the nation-state Do you feel that when all this shakes out and when crypto becomes
available without any restrictions that you're going to end up being the
guy who did the dirty work and that other people will come in and reap the
benefits?
I never really think about that. There are a lot of people who are
getting into the business and doing things, but in terms of reaping the
benefits, I think I've already done that. Certainly the company is doing
well financially, which was never the main purpose of doing this, but it's
nice to have that benefit.
I came to realize some time around 1987 that an invention--that was
probably one of the most important mathematical discoveries of this century
(which is public key cryptography and RSA) by people who were absolutely
brilliant and a delight to work with--was going to be controlled by the
government. They were not only using it, they didn't want anybody else to
use it. And they wanted to deny the inventors the credit and economic
benefit of their invention. Quite frankly, that pissed me off and that
motivated me and I worked extra hard.
So when I look around over the last couple of days at a conference that
now draws 2,500 people, we list among our licensees the biggest and best
companies in the world, shipping close to 100 million products that contain
RSA encryption. By any measure, I think I've achieved as much success as I
could have ever hoped for. So if other people want to pick up the ball and
do things and take credit for cryptography, that's fine with me.
Was there a moment or an incident that really impressed upon you
the need for privacy protection, either as an individual or a businessman?
No, I have to confess that I never really thought very much about
these issues until I got involved with this company. I think I've been
influenced in a great way by the founders of this company. The founders are
idealistic academics who have a great view of the future. They're
brilliant, clear thinkers, who'd rather enlighten than impress. I get a lot
of my strong feelings about this from them. The academics and the civil
libertarians are not the only people that I get information from, but I
find my thinking to be very, very sympathetic with theirs.
How is it that you wound up running RSA?
RSA was founded in 1982 by the three professors who invented the
RSA algorithm. (R, S, and A are the initials of their last names.) They
weren't very successful in making a business of it. I did a little bit of
call it consulting work, helping figure out how this technology might get
used. Then I met Whitfield
Diffie [co-inventor of public-key cryptography] in 1985 and I
found him to be a very intriguing person.
I just kind of came out and stayed with the company. Within 60 days of my
doing that, it became clear that the company was going broke and needed to
do something drastic. Everybody left except me. So, by default I became the
CEO. That was about 11 years ago.
You said in a Fortune interview, that you had a hard time
pitching RSA to investors.
Investors would actually say to me "Well let me see if I've got
this straight: there's no market for your technology, but you're going to
create one by promotion and the government prefers that you didn't exist?
But you're just going to beat them at that game. Well gee, I don't think
we'll invest today; we need to be somewhere else." So it was hard to raise
money, but what I meant by creating a market and promoting it was endless
travel: cross-country flights, speaking to anybody who would listen, trying
to get myself in front of every trade show, every industry group, in front
of people in companies, especially software companies, trying to get them
to understand what the potential for the technology was and start using it.
And the potential if you didn't use it.
Exactly. The downside. I've always thought the dark side of cryptography is that we use these sophisticated search engines to type in
somebody's name and get an immediate picture of everything they do: where
their kids go to school, what their bank account looks like. The dark side
is no cryptography, so here I am to help you with good
cryptography.
Your patents are going to expire pretty soon--when is that exactly?
The RSA patent expires in September in the year 2000, about three
and a half years from now. But that isn't what we sell. I always use the
example of Dolby. I think Dolby has no patents, but it's the leading
company in what it does because it's ubiquitous, it's a standard, it offers
some real value, and the company keeps innovating. Who would have thought
there was life for Dolby after digital audio? And yet there's quite a bit.
And I think that RSA is like that too. We really sell trust.
We build a very sophisticated toolkit, of which a very small part is the
RSA algorithm. A lot of it consists of the stuff that you need to use
encryption: key generators and message formatting. And it's a product of
many hundreds of thousands of lines of code, built by a company that was
founded by the inventors of the technology and carefully supported by them
with a focus on that one thing. And it seems like a safe bet.
We license our source code to all of our customers, so there are no
secrets about what we do. People are welcome to look at it and decide for
themselves if they like what we've done or don't like what we've done. So I
think the patents are sort of overstated in their importance.
You'll lose the revenue from the licensing though?
Which is a small single-digit percentage of our revenue. It's a
tiny, tiny fraction of our revenue. I don't think that any one of our
customers--because anybody can give them a small part of what we do for a
little bit less--is going to risk the security of their company or their
customers on making that change.
Why did you choose to merge RSA with Security Dynamics last year,
when many analysts expect a RSA to go public? Was it the state of the IPO
tech market?
No, I think I was able to keep that all in perspective. In fact I
thought that the market was a little overheated for IPOs and a little bit
hyped. And so that made me consider the alternatives seriously. If I
hadn't believe it was overhyped and it was such a hot IPO market I might
have just driven toward an IPO and ignored other possibilities.
I went through a very, very complicated process of analyzing the value of
an IPO vs. a merger. There are a lot of things to consider there. There's a
direct economic value for example. In an IPO, we would have had to create a
large number of new shares to sell to the public, to give to all the new
management that I would have to hire. And there was an immediate and
significant dilute of impact.
Secondly, as sort of a pure-play crypto IPO, I think we would be vulnerable
to wild swings and it would be hard to explain to non-sophisticated
investors why it is true that the government is trying to put us out of
business, but they shouldn't worry about it. And also I think that security
is going to become a very large market and that large companies need to
provide more comprehensive solutions. Being able to provide more complete
products, better service, more R&D funding, and being able to focus on what
I like, working with the cryptographers, marketing, that ongoing promotion
which I've not stopped doing, overall would provide the best return to my
employees and the shareholders. And the employees were probably the most
important factor in that consideration.
So you've had some trouble with Pretty Good Privacy, some
sparring back and forth. And lo and behold they show up at the conference
this year. What does that mean in terms of your relationship with them?
Well I'm not sure I agree with what you said. I've had one person
say to me "PGP would be all over the place if it wasn't for you." And I say
"Excuse me, I think it's all over the place wherever it is because
of me." Now if you're using PGP in the U.S. it's because we granted a free
license and actually provided software that runs in it. So I don't know
what I've ever done to prevent anybody from using encryption. I've insisted
that our intellectual property be respected because I have a corporate
responsibility to do that. But they are a customer just like anybody else.
You are polite, yet very adamant about your distrust of
government, but I also think there's a disturbing trend of corporations
becoming nation-states, for example, the state of Disney. What's your
position on the private sector using/abusing information, whether it's
their employees information or its marketing information?
There is very little that I can think of that's ever happened in
history that creates more of a threat to personal privacy than the
Internet. Encryption offers us an opportunity to get a lot of that back if
it's used properly. I'm a staunch believer in personal privacy. I think the
Internet can be a good tool if we use encryption to get some of that
privacy back. The corporations and companies that use that information
without any respect for personal privacy, personally I don't think that's a
very good thing.
Should companies have the right to read their employees' email?
Well that's a difficult question. I guess my feeling is that if
somebody takes a job and they understand what the conditions of that job
are--for example that the corporation owns their work product, which may be
information they produce (including email) and that's well understood and
made clear--that's probably acceptable as long as they don't try to reach
out into somebody's private life. I think most companies today have a
policy that they can break into an office or a desk in an emergency to get
information that belongs to the company. I don't think any company has any
business opening an envelope that's marked "personal" that happens to
arrive at the office.