Experts withdraw from Internet security conference

WASHINGTON — At least eight researchers or policy experts have withdrawn from an Internet security conference after the sponsor reportedly used flawed encryption technology deliberately in commercial software to allow the National Security Agency to spy more easily on computer users.

RSA Security, owned by data storage giant EMC Corp. of Hopkinton, Mass., has disputed claims it intentionally introduced the flawed encryption algorithm but otherwise has declined to discuss what a published report last month described as a $10 million government contract.

The revelation supplemented documents leaked by former NSA contractor Edward Snowden showing that the NSA tried to weaken Internet encryption.


The withdrawals from the RSA conference represent early blowback by technology researchers and policy experts who have complained that the government’s surveillance efforts have weakened Internet security for innocent users.

Some US companies that have agreed or been compelled to turn over customer records to the government have complained that their relationships with customers in Europe, Asia, and elsewhere are becoming increasingly arduous.

It was not immediately clear whether any researchers who still intended to make presentations at the conference would discuss the subject. Hugh Thompson, a conference organizer who works for security firm Blue Coat Systems, said the event is “an open venue where people can talk openly about security.”

The researchers and experts include Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, and Adam Langley and Chris Palmer, who work on security practices at Google.

Christopher Soghoian, a researcher with the American Civil Liberties Union, said Tuesday on Twitter that he withdrew from the conference after having “given up waiting for RSA to fess up to the truth” regarding its development of the Dual_EC_DRBG algorithm with the NSA.


RSA issued an advisory to customers last summer urging them not to use the algorithm, following reports of the software’s potential weaknesses. But that wasn’t enough for researchers who want answers about the government’s contract with RSA, which thousands of businesses use to secure their data.

RSA said last month that as a security company, it “never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”

The published report said RSA received the $10 million contract from the NSA to use the agency’s preferred method of number generation. The report said such a flawed algorithm generates random numbers in such a way that it creates “backdoors” into the encryption products.

Organizers said next month’s conference in San Francisco will host 560 speakers.