10 February 1999. Thanks to Anon and Dan Tebbutt.
Source: http://technology.news.com.au/indextech.asp?URL=/techno/features/f90210a.htm

The Australian, 9 February 1999

High security, high drama

RSA's local development office picked its way through an obstacle course to challenge the US's grip on cryptography. Dan Tebbutt reports

Charles Stuckey, chief executive of Nasdaq-listed Security Dynamics, will visit Brisbane to open the Australian arm of his subsidiary, RSA Data Security.

Queensland Premier Peter Beattie will be there smiling for the cameras, largely oblivious to the controversy behind the new RSA facility.

The plan for the office came to fruition following a series of negotiations that offer an eye-opening insight into Silicon Valley horse-trading.

The most contentious aspect of RSA's arrival down under was the groundbreaking grant of export licences by the Department of Defence, which maintains tight control over encryption policy in Australia.

Defence's concessions to a US developer raise questions of credibility and consistency: if one company has received export approval, why not others?

The RSA Australia story began about a year ago. At that point, Tim Hudson and Eric Young were obscure engineers working for a small Silicon Valley outfit called C2Net.

Within the secretive encryption community the two were recognised as gurus because of SSLeay, Young's independent implementation of the Secure Sockets Layer (SSL) protocol used to safeguard Internet commerce.

But most of the IT world remained unaware of their work in Brisbane.

Wider impact was unlikely while they remained with C2Net.

While C2Net president Sameer Parekh became a media darling for his outspoken opposition to US encryption laws, the secure Web software supplier struggled for sales and finance.

And size matters when it comes to security software. Few companies are willing to entrust critical corporate data to a small developer that may disappear like so many IT start-ups.

So C2Net and its Australian development arm were an obvious takeover target when RSA – one of world's largest encryption suppliers – started looking to expand into the SSL tools market last February.

C2Net's appeal was boosted by unique development arrangements under which strong cryptography was cleared for export from Australia via the Internet.

This made the company immune from export restrictions and permitted it to sell its data scrambling software into any market in the world – including areas where RSA was blocked by US laws.

"For 13 years we have wanted to participate in markets outside the US," RSA president Jim Bidzos says.

Dialogue between the two companies began, and US stock-market filings reveal that in June RSA's parent company loaned C2Net $US200,000 ($308,000) to help its development efforts.

A formal acquisition offer was made the following month, according to informed sources.

But in August the deal started to unravel over the critical issue of intellectual property rights.

Because their SSLeay tools were distributed as freeware on the Internet, Hudson and Young had reserved exclusive control of their intellectual output – meaning C2Net had nothing to sell.

Parekh says middle management at RSA had misinterpreted C2Net's position before making the acquisition offer.

"If the people in charge at RSA were fully aware of the situation from the start, I don't think they would have spent as much time negotiating," he says.

John Linton, former director of business development at RSA, said: "In other words, there were no intellectual property rights owned by C2Net that RSA could acquire."

As a result, C2Net was cut out of the picture and RSA negotiated directly with Hudson and Young.

The two resigned from C2Net in August and the company's Australian operations closed soon after.

But Parekh suggested C2Net's pioneering efforts showed RSA how to crack the world markets that it desperately coveted.

"Without having spent a few months talking to us about how we deal with international development, I don't think RSA would have realised that such a strategy was feasible," he wrote via e-mail.

But Linton rejected as "absolutely false" the suggestion that RSA did not know how to penetrate world markets.

Going worldwide with SSL was the key, he says.

ASIC records suggest a deal with Hudson and Young was struck by September 17, when the new RSA subsidiary was registered – although no formal announcement was made until last month.

Then came the hard part.

Because RSA did not want to rely on a tenuous legal loophole that overlooked Internet exports, the company began negotiating an export license for the Australian encryption engine.

Over several months Hudson worked hard to cultivate a smooth relationship with the Defence agencies that administer encryption exports.

He and Young worked with other local cryptographers to prove that their product was developed entirely without US technology.

"We did a lot of [due] diligence to make sure that the software was not touched by any US hands," Bidzos says.

This diplomacy seems to have paid dividends with a generous export permit that is remarkable in several respects.

Firstly, RSA appears to have been granted a general export licence (GEL) that allows its toolkit to be exported to any user worldwide.

Normally, developers must seek prior authorisation from Defence for each end user that wants full-strength encryption products.

This is a time-consuming process. Mike Wynd, managing director of Melbourne firewall specialist Norman Data Defence, says these individual export permits (IEP) can often delay product shipment by several weeks.

Hudson would not disclose RSA's licence arrangements, but he admitted they were "unique".

"We do appear to be the first encryption technology supplier to go through this process with the Defence agencies and get a licence that lets us operate and compete on a world market," he said.

This statement comes with a caveat: Defence does not disclose licence agreements publicly.

"Information about who has export licences is something Defence treats as extremely sensitive information," Hudson says.

But there is considerable evidence RSA obtained a broader licence than its competitors.

Bidzos says the subsidiary has already signed deals worth several million dollars, strongly suggesting the company has a general licence.

This inference was amplified last month when RSA announced an open-ended licencing deal with Swedish e-commerce vendor Celo Communications – a redistribution arrangement that would be virtually impossible with an IEP.

Equally importantly, the RSA product incorporates SSL 3.0 with the ultra-secure Triple DES cipher.

Although companies such as Sydney-based Baltimore Technologies have gained case-by-case approval for Triple DES, Professor Bill Caelli says he believes this is the first time Triple DES has been approved for general export.

"That is a massive change under the general rules in Australia," says Caelli, head of the data communications school at Queensland University of Technology. "In the past there has been hypersensitivity in relation to the way cryptography is used."

Moreover, Caelli says, RSA's arrangements would pose a serious challenge to the Wassenaar Arrangement – the multinational protocol that governs trade in encryption technology.

"The political implications of what has happened are far more interesting than the technology," he said.

The larger question, recently raised in The Australian by Opposition IT spokeswoman Senator Kate Lundy, is whether RSA's groundbreaking deal will be extended to other companies.

If Defence does not grant GEL approval to other developers of strong cryptography, it could be accused of favouritism – to a US company, no less.

Parekh suggests RSA's Australian coup will raise the encryption debate to new levels.

"While RSA's discussions with C2Net didn't make our shareholders rich, they did accomplish another goal: driving the final stake through the heart of the United States cryptography export restrictions," he says.

http://www.aus.rsa.com