Baltimore set to exploit formula for success

Almost unnoticed by either the business or technology worlds, last week marked a milestone in the digital security world, a change…

Almost unnoticed by either the business or technology worlds, last week marked a milestone in the digital security world, a change which could radically advance - or crimp - the aspirations of Baltimore Technologies.

On September 6th, the primary component of almost all commercial security products was released into the public domain after being under patent for the US limit of 17 years. This relatively unheralded item was a mathematical formula, or algorithm, enabling computer data to be encoded so it can only be read by the intended recipient.

The patent, owned by the Massachusetts Institute of Technology, had been licensed to the same firm, RSA Security, for that time. Firms using the algorithm for products sold in the US, including Baltimore, have had to pay large licensing fees to RSA.

RSA's custodianship of the algorithm has been controversial. Critics say the firm's tight control on its commercial use has crippled the growth of the computer security industry, as developers have been required to pay tens of thousands of dollars to use the algorithm.

READ SOME MORE

They have also had to pay a royalty to RSA for the units sold of a product using the algorithm. Analysts say this means firms have been penalised for their success, and have ended up owing often significant additional amounts to RSA.

But there is a more weighty criticism from industry experts such as Mr Phil Zimmerman, the programmer who developed the highly regarded Pretty Good Privacy (PGP) encryption program. Costly restrictions on the algorithm's use mean the world has been slow to accept the need for the infrastructure to allow widespread use of security products.

This global system, known as public key infrastructure (PKI), depends on the worldwide use of mathematical keys that can encode and decode information, and the use of special certificates to guarantee that a person using a key is who they say they are.

In a statement, Mr Zimmerman said: "Over the past two decades, the RSA patent and other public key patents did more to suppress the deployment of public key cryptography than the NSA [the US National Security Agency]. As long as this patent was in effect, anyone who used it was a sharecropper on someone else's land."

In the Republic, organisations as diverse as the Chambers of Commerce of Ireland and An Post are ready to issue certificates and be active participants in the rollout of PKI. But the average businessperson still has no idea what a certificate is, why they might need one or even how to encrypt an e-mail.

Baltimore and other security companies believe the situation will change with the patent release.

Indeed, Baltimore, the world's third largest encryption and security product firm, has been the most vocal of affected firms about the patent's release. Its website has detailed explanations about why Baltimore feels the patent expiry is pivotal, and has realigned its product range to take account of the shift.

In an unusual move, the company also has decided to release for free on its website a basic but fully functional version of the software "toolkit" developers use to create security products. Previously, the toolkit elements would have sold for $10,000 to $20,000. Meanwhile, in the lead-up to the patent release, several analysts are sceptical, saying they feel Baltimore is overvalued, which may be true. A particular criticism is that Baltimore does not own any proprietary technologies and is therefore vulnerable to attack from other upstart security companies, which now will not have to negotiate their way through RSA's licensing fees. But such a view fails adequately to take account of the nature of the software world and in particular, of the security software industry.

As the readily-believed rumours of a Microsoft purchase of Baltimore recently demonstrated, security is not an easy area in which new companies or even established monoliths can gain a foothold. Building a product range in this complex area and getting those products to intermesh is a massive undertaking. And a security firm also has to develop something more ephemeral: trust.

The last time I spoke to US industry analysts about Baltimore, several thought the firm would never take more than 5 per cent of the US market - that US customers prized long-term relationships in the security industry and would stick with the proven US companies like Verisign and Entrust. Baltimore proved them wrong, buying up US company CyberTrust last January, which gave them 15-20 per cent of the market, and moving aggressively to take about 30 per cent today.

A small company in the sector is vulnerable. As Baltimore chief executive Mr Fran Rooney has reiterated, Baltimore had to get big fast. Thus it has gone through a succession of mergers and acquisitions, in order to be in the position it is now - dominant enough to believe that releasing a valued product for free will seed the market for security products and further Baltimore's share by encouraging developers to pay for other company products.

Several senior figures within Baltimore say the company has been accelerating towards this point. They joined the company knowing the patent release would make or break Baltimore. If the company were very big, it could help shape where the industry goes next. If it were still relatively small, it would just be acquisition material itself.

Baltimore has been the only company able to take on the established US giants in a decade. It has shown a chutzpah absent in its US rivals, which has enabled it to gain blue-chip partners and clients across the globe. The risks of losing this hard-fought advantage are always present, but it is difficult to see where a significant challenge could come from in the near to medium term.

Thus one can bank on being entertained - or annoyed - by Baltimore's success and special brand of attitude for some time to come. It has everything to play for, and Mr Rooney is a man who enjoys that challenge. Selling out to Microsoft would not have been his style at all - unless he had in mind a reverse takeover.

Karlin Lillington is at klillington@irish-times.ie.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology