part 1: a place to put your wallet
Steven K. Sprague, President and CEO, Wave Systems
Interviewed by Lauren Keyson
http://www.theinternetanalyst.com/individual/000727sections/hotlunch.asp
I entered the subdued atmosphere at the 14 Wall Street Restaurant, located in what was once J.P. Morgan's penthouse. The atmosphere was subdued, since it was largely filled with business people. Waiting for me there was Steven Sprague, president and chief executive officer of WAVE SYSTEMS (WAVX), a business with an interesting spin on Internet security. I ordered a baby green salad with sea scallops, while Mr. Sprague ordered the pepper steak, and, between sips of Diet Coke, I began the interview.
[LAUREN KEYSON] To start off, Pacific Growth Equities said in a report that WAVE SYSTEMS is "leading a significant paradigm shift in PC security and electronic commerce with its programmable chip-based platforms." Can you talk to us a little about that?
[STEVEN SPRAGUE] As you look at the Internet today, security is all on the server side. By moving security to the client side, we can begin to establish the relationship between the consumer and the server from a security perspective. We offer a whole range of different capabilities but in the end, it's a programmable hardware device that can support everybody's security paradigm, whether it's control of content, like music and video, or authentication, like who are you when you're logging in. We don't pick the method. We just offer a platform on which everybody's method will work.
A company like INTERTRUST TECHNOLOGIES (ITRU) that builds digital rights management systems can hide its secrets and do some of its secure processing on our chip, independent of the PC's operating system. We're bringing client-side security to the PC. Take your cable set-top box for example. When you want to watch HBO, you just punch in the channel, and if you're a subscriber, HBO comes on. You don't have to log in, you don't have to authenticate yourself, and the server is never busy. It's because your set-top box knows that you're a subscriber. In trying to bring that kind of seamless functionality to the PC, the challenge is there's no one network that's in charge. Each of the services across the Internet picks its own scheme. We're offering a programmable platform that can reprogram itself, automatically, depending on the service or the Web site.
We're moving trust to the edge of the network so that you, as an individual, can have a place to hide your secrets, to put your identities, to hold your wallet. Today, a server can give you a digital certificate that authenticates your signature, but where do you keep it? If you just keep it on your hard disk, then a virus could theoretically steal it, like the ILOVEYOU virus stole passwords. We're creating a secure vault where you can store that certificate, where you can put secret information and where the way that information is processed, so that the consumer is in control.
[LK] So, do you consider yourself an infrastructure play?
[SS] Very much so. From a security perspective, we're providing the platform on which every single e-commerce company's security will run. I can say that with incredible strength because whether WAVE SYSTEMS is successful in a trusted client deployment or not, a trusted client will play a critical role in the network.
[LK] It sounds cutting edge and forward thinking. I wonder if you're a little ahead of your time. Is it possible that the industry isn't ready for you?
[SS] Well, you're really asking two questions. One, where is the technology relative to the marketplace? In many cases we're applying technology through the Internet that's already applied in almost every other network in the world. If you look at every media network, it has a secure set-top box to control what you watch at the edge of the network. If you look at cell phones, they have security built into the cell phone on the network. It's only the Internet that doesn't have security built in, and part of the reason why is that there's no one in charge of the Net. So it's a much more difficult problem to solve. I think we're at the beginning of the market made for security. We read everyday in the newspaper that someone else has got a security problem on the Internet.
A huge advantage for us - and also something of a liability - is that the company has been around for a long time. The company was formed in 1988, went public in 1994 as a venture capital IPO, ran into some difficulties in 1996 and was delisted from Nasdaq in 1998. As a result, any analyst coverage that we had was lost. In 1999, we were relisted and Pacific Growth Equities initiated coverage. The market has been so busy with IPOs over last year that getting coverage without a deal with a specific bank issue has been a real challenge.
That's when you start to look at a company from a performance perspective and say what's the revenue, how is the quarter building - how predictable is a company, because an analyst wants to be correct. The challenge with WAVE is that we're only today getting into a position where we can look ahead three or four quarters and accurately predict what our volumes of deployment and infrastructure are going to be. Up to this point, the company has been about technology, not "What are sales going to look like next quarter?"
[LK] Have you made a profit yet?
[SS] No, we're just at the beginning of the sales cycle on deployment of devices. We've been doing technology development. Our real economic model is driven off of the services that pass through devices once they're shipped. Today we're selling devices and supplying a number of companies - HITACHI (HIT) and COMPAQ COMPUTER (CPQ). Later this year we expect to supply a number of ADVANCED MICRO DEVICE's (AMD) customers. We supply them with chips and those chips become revenue-generating subscribers as the devices get deployed in the market.
We make money off the services side. Our goal is not so much profitability as a company, as it is profitability per unit. What our investors would like us to do is to take as much capital as possible, and invest it in creating volume deployment, so long as we can show that an individual unit is profitable. Imagine that tomorrow morning you're granted access to a new wireless spectrum covering all of the U.S. but you only have access to it for two years. What do you do? You invest like crazy in building towers, so you can enable the network as quickly possible. That's in essence what we're doing. We're investing in that infrastructure so we can generate services revenue from each device.
Steven K. Sprague, President and CEO, Wave Systems
Interviewed by Lauren Keyson
My discussion with Steven Sprague, president and chief executive officer of WAVE SYSTEMS (WAVX), continued at the 14 Wall Street Restaurant, high above the financial district in New York. WAVE SYSTEMS is creating a programmable set-top box that will act as a secure intermediary between the Internet and a computer - or any other device.
[LAUREN KEYSON] You've mentioned "trusted client" a few times. Is that a brand name?
[STEVEN SPRAGUE] Actually it's a name we're not going to brand. We see trusted client as a whole category of devices, of which Embassy is our implementation. A perfect example is what we are building with a company called Cyber-COMM. Cyber-COMM is owned by the nine largest French banks and has FRANCE TELECOM (FTE) and a number of others as customers. We're building a terminal that is designed to go to the consumer's phone. It has the ability to accept a smart card - you type your PIN number into it. One of the most important aspects of the device is that the PIN number that you type in, or the keyboard that you type with, is completely firewalled from the operating system of your home PC. So for the first time, you can enter your network password, and it can be secured in the device and delivered to the server. The operating system never saw it, which means it's impossible to write a virus to capture that password. This is the first time you can log-on to your trading account, your bank or get your e-mail in a manner that guarantees you are the only one who can get in, because you're the only one who knows what the PIN number is.
[LK] What if you forget your password?
[SS] That problem always exists, but you can recover your password. However, when you typed your password using a keyboard, the ILOVEYOU Trojan-horse virus sent that password, if it was stored locally on your PC, to the Philippines. Other viruses could watch for keystrokes and then send the keystrokes elsewhere. They don't have to know your password - they steal it off your computer. What we can do is offer a firewall that sits between the computer and the keyboard, and we're not doing this with a customized device. We're doing this with a programmable device. So Cyber-COMM's application is an applet that runs on our chip and creates this secure PIN-entry system. That same device could be used for a Web server or your e-mail or a variety of other things. Is this capability of having secure password entry an important feature of a PC? We believe so. It belongs on every single PC. If it's not there, your platform is insecure.
[LK] Who are your competitors? Would they include such traditional Internet security providers as privately held SSH Communications Security or INTERNET SECURITY SYSTEMS (ISSX)?
[SS] Those companies generate applets - they have a problem. They're building a whole set of software infrastructure to make it easy to use and sell the service of security. But they can't do that until they have a way to authenticate the end user, which they don't have. They have your password - which you typed in and my virus snooped and sent to someone else. It's as good as the state-of-the-art is today, but clearly, what's coming next is the infrastructure to make it truly secure.
[LK] So, who do you consider your competitors?
[SS] We see competitors in each of the vertical spaces. We're doing access control for new media and there are certainly companies doing subscriber management systems like U.K.-based NDS GROUP (NNDS), General Instrument [now MOTOROLA's (MOT) broadband unit], INTERTRUST TECHNOLOGIES (ITRU) and some others. If we build features and functions in that space, then we compete with those companies. At the same time, we expect those companies to use Embassy as a platform to offer their security.
A good example: Cyber-COMM has a supplier called ACTIVCARD (ACTI) that is building a Cyber-COMM device. If ACTIVCARD used our chipset instead of their own, then their device could also handle transactions for music, video and the like. So while we compete with ACTIVCARD today, we would actually love to have them adopt our chip and abandon their security efforts - because they're really not a security company, they're a smart-card reader company.
[LK] What kinds of trends do you see in the security industry?
[SS} I think we're going to see a trend towards convenience. Right now, we have inconvenient security - the best analogy is the old, brick-sized cell phone. If you remember the old cell phones, every time you would go up the West Side highway your number would get cloned, and you would have to get a new phone. Then you had PIN numbers, so every time you made a phone call you had to type in a PIN number. What a pain in the neck. Now, finally it works. The security has become invisible. You just dial the phone, hit send and it connects.
[LK] So the trend is invisible security.
[SS] The best security is invisible. People don't like to have metal detectors at the airport they have to walk through. By bringing the security to the client, we enable things like anonymous membership in a group. So I know you're an AMERICAN EXPRESS (AXP) member, but I don't know who you are. This is really important because it protects your privacy, but it also gives you the benefit of membership. Membership is a very important concept on the Internet. What we're really talking about is moving away from portals, which track everything you do in order to generate revenue, and moving toward networks. I'm a YAHOO! (YHOO) member, an AMERICA ONLINE (AOL) member, an AMAZON.COM (AMZN) member or a member of all of the above. And because I'm a member I get special perks, but without spreading my identity all over the Web.
[LK] What's the biggest security risk on the Web?
[SS] The most significant thing that's happened in the marketplace today is AMERICAN EXPRESS dropping its support for doing credit card transactions in the adult entertainment industry. It's not about AMERICAN EXPRESS censoring the content. It's because today, it's impossible to use your credit card to buy a virtual good on the Web in a way that protects the merchant against fraud. There are no tools or methods today to detect it. Having AMERICAN EXPRESS drop its support for an entire industry says, well, music is the same thing. Is the company going to drop its support for virtual music sales? Without a technology that solves the problem of authenticated identity and delivery for virtual goods, the whole services and content distribution on the Web will not happen.
We had the same experience at WAVE. For a short period of time, we were selling "levels" of the computer game, Doom. We had a fraud rate of almost 50%. It's impossible to track a person down, because you get a valid credit card number, name, e-mail and shipping address, but because you're not shipping any goods, none of that matters. The entire infrastructure for credit card transactions online is based on a physical address. In virtual goods, you're not shipping anything so you don't care what the physical address is. And, you don't hear back that it was a bad transaction until 20 or 30 days later when you get a caller saying, "I didn't charge that on my credit card." There is no way to track the fraud. That's the biggest problem right now on the Web.
[LK] What piece of technology can't you live without?
[SS] Probably my cell phone. If I had to choose one thing that, if taken away, would leave me feeling naked, it would be my cell phone.
[LK] What kind of cell phone do you have?
[SS] Actually, I just broke my cell phone, so I ran out and bought one of the new MOTOROLA StarTACs. I'm addicted to being able to communicate all the time. I get frustrated when I pick up the phone and can't reach somebody. We have a distributed company where you can pretty much get anyone on the phone, 24-7.
[LK] And if they don't like it?
[SS] Our wives try to find obscure places, where there is no cell phone coverage.
[LK] What about e-mail? Do you rely on that too?
[SS] I certainly rely on it, but less so. I could live without my e-mail and not miss it. But don't take away my cell phone. I'm less concerned with people reaching me than I am with my ability to pick up the phone and reach someone else.
[LK] What's the strangest e-mail you've ever received?
[SS] I don't know if I've got a strangest e-mail, but here's a "different" story. I lost a filling in my tooth while I was in Florida, and I went to a dentist recommended by my father-in-law. I show up at the office and the dentist says, "Steven Sprague, I know you. I'm an investor in your company." And the one question I really want to know when he turned out to be an investor was, when did he buy.
[LK] Was he gentle?
[SS] He was in the money, so it was OK.