RSA Conference speakers boycott over RSA-NSA scandal. But should they?


I’m a big proponent of voting with your dollars. Hate how McDonald’s props up factory farming? Me too, so I don’t eat there. An ethical debate is happening right now in the security community in the wake of allegations that the NSA paid security vendor RSA $10 million to essentially put a backdoor in its encryption products that are used around the world to protect corporate data. A group of speakers and panelists on the schedule for the RSA Conference next month have decided to boycott the event in protest against RSA.

Late last month Josh Thomas, a partner at Atredis Partners, cited a “moral imperative” in bowing out and Mikko Hypponen, chief research officer at F-Secure, sent a letter to the top executives at RSA and parent company EMC saying he was pulling his RSA talk over the matter. Since then at least six others have backed out in protest, including Jeffrey Carr, CEO of Taia Global, ACLU privacy expert Chris Soghoian and Marcia Hofmann, a digital rights lawyer and special counsel to the Electronic Frontier Foundation.

I understand the desire to send a message to companies who have behaved egregiously. But I’m just not convinced that boycotting the RSA Conference will have much impact on the bottom line of RSA the crypto provider. RSA and its conference cousin may share the same name and parent company, but that’s about where the similarities end. RSA Conference is run as a separate entity, with different chairmen, staff and agendas.

The RSA Data Security Conference was started in the early 1990s to educate people about the threats from government restrictions on strong crypto. This was the time of the so-called “Crypto Wars.” Relations between RSA and the government at that time were more than slightly contentious, according to some information unearthed by Carr. At first it seemed that cryptographers and privacy advocates had won the war. The public battles may have subsided but the behind-the-doors pressure and deals apparently continued. If the allegations are correct, this would be a tremendous betrayal of trust for a company whose sole business is selling products designed to protect sensitive corporate information from unwanted eyes.

I respect the decision of the speakers and panelists who have pulled out in protest. But I would argue that the boycott could harm the security community by depriving the industry of a chance to leverage the event as a forum to discuss this and other important topics, like NSA snooping in general. For instance, thousands of attendees now won’t be able to attend Hypponen’s scheduled talk on “Governments as Malware Authors” or hear what Hofmann has to say during the panel titled “The Boundary Between Privacy and Security: The NSA Prism Program.” These are smart people giving important talks and we will miss them.

(Full disclosure: Three Bateman Group clients — Qualys, Netskope and Google Enterprise — are speaking at RSA Conference.)