Monday, January 13, 2014

Why I am not boycotting #RSAC

I'm scheduled to speak at the RSA Conference, San Francisco.  Many prominent speakers have decided not to speak in protest.  I've decided to follow through with this speaking engagement.

I'm bothered by the events and actions that have prompted the boycott -- a secret deal between the NSA and RSA to promote a weakened cryptography system.  I share most of the concerns and strong objections that the protesting speakers have expressed.  I have decided that, in this case, the benefits of speaking and engaging with attendees outweigh the value of a protest action.

(Edit: But I will be wearing an Electronic Frontier Foundation t-shirt and will give them a shout-out, so that's something.)

First and foremost, the RSA Conference is a giant meeting ground and marketplace, and isn't a promotion device for a single company and its customers.  Yes, RSA's name and logo are all over the place, but so are those of hundreds of other companies.  In terms of attendees, relatively more business people attend, compared to other conferences that are more purely technical.  It's business people, especially senior business people, who need to change their views and make the policy decisions necessary to change how everyone in the industry engages with the NSA and other government security agencies.  So my view is that, if they are already attending, it would be good to be there to engage with them.

Second, I'm not a marquee speaker.  Other than adding one more name to the "refusenik" list, I don't think my canceling would have any effect on RSA or RSA's corporate owner, EMC.

Third, while I respect the decisions of the other speakers who have cancelled, I don't believe that "mass action" like protests, demonstrations, or boycotts will be very productive in driving change.  And what I care about most is effectively driving change.

Instead, what I want to see and what I'd like to apply my energy to are constructive community actions that materially change the technologies, institutions, power structures, and incentives.  I'm not sure right now exactly what "community actions" might be viable, but now is the time to start thinking about them and maybe to "nudge" some existing community activities and groups in the direction of constructive action.

There are two opportunity areas I can think of off the top of my head.  The first is the committees and working groups that are involved with cryptography standards.  I don't know anything about the technical details of their work, but I imagine that they might be able to modify their working procedures to make it much more difficult for any party, government or not, to weaken or subvert a cryptography standard or algorithm.

The other opportunity area is non-technical -- contracts and contingent payments.  It might work like this: many large customers could collaborate to create a standard contract "rider" that adds terms and conditions requiring the vendor to warrant that their products are not compromised, weakened, "backdoored", or otherwise accessible in any way that is not publicly specified, as verified by a Trusted Third Party.  If someone later discovers that this condition has been violated, the vendor would have to pay a penalty to the customer and also to a trust fund for the benefit of the industry.  This covers a wide variety of situations and conditions, not just backdoors due to government security agencies.  The contingent payment could be set high enough to be materially significant for the vendor.

I'm sure many of you could think of other ideas for constructive action.  Maybe we can talk at the RSA Conference, or, even better, at B-sides San Francisco.  I'd love to see a whole track at B-sides devoted to this.

