Skip to main content
Cybersecurity

Book Review The Business of Secrets: Stunning Best Analysis

Book Review The Business of Secrets: Stunning Best Analysis

“Nobody knew anything.” That line, lifted from a memoir of cryptography’s commercial frontier, is less a lament than a diagnostic: in the 1970s, the market for encryption was a fog of good intentions, poor information and high-stakes politics. Fred Kinch’s recollections of building a cryptographic-hardware business in that era read like a travelogue through confusion — sales calls, hotel rooms, airplane terminals — and through a technical landscape only beginning to reckon with the implications of secrecy as a product and a geopolitical instrument.

Kinch was a founder and sales executive at Datotek, a U.S. company that sold cryptographic gear from 1969 through the early 1980s. His self-published memoir, The Business of Secrets: Adventures in Selling Encryption Around the World, is by turns anecdotal, cranky and illuminating. It does not pretend to be a rigorous history; it is a practitioner’s collection of deals gone right, deals gone wrong, and the bewildering fact that neither sellers nor buyers could reliably assess whether a device actually protected information.

To understand why those uncertainties mattered then — and why the book still matters now — it helps to recall three background facts. First, modern, vetted public-key and strong symmetric cryptography were still being standardized and debated; commercial implementations varied wildly in quality. Second, governments were not neutral buyers: encryption intersected with export controls, national-security concerns, and a desire to retain lawful access. Third, many customers (foreign ministries, airlines, embassies, telecom carriers) lacked the expertise to evaluate products and thus relied on reputations, promises and, often, wishful thinking.

Summarizing Kinch’s account: the commercial market was improvisational. Suppliers sometimes sold devices they could not fully test or whose security assumptions were opaque. Buyers — eager to secure communications or to gain advantage — often bought on the basis of trust, convenience or political alignment rather than cryptographic assurance. Kinch’s stories of endless travel and stringing together contracts illuminate a world where perception often mattered more than provable security.

Why does a memoir about selling hardware decades ago still deserve attention? There are three overlapping reasons: historical, technological and policy-related.

  • Historically: Kinch’s anecdotes document the origin story of a high-stakes industry. They help fill gaps that formal histories omit: how personal relationships, salesmanship and on-the-ground logistics shaped adoption curves for technology that would later underpin global communications.
  • Technically: The book makes vivid the perennial risk that buyers cannot independently verify claims about security. That verification problem is not confined to the 1970s; it reappears today in software supply chains, cloud services and cryptographic libraries.
  • Policy-wise: Kinch’s narrative shows why governments treated cryptography as both commodity and control lever. Export restrictions, restrictions on key lengths, and laws about lawful access all trace to a time when secrecy was perceived as an asymmetric strategic advantage.

Different readers will take different lessons from this material.

  • Technologists will see a recurring theme: the need for auditable designs, independent review, and reproducible testing. The 1970s scramble underscored the value of open standards and peer review — the very mechanisms that later helped build trust in modern cryptographic primitives.
  • Policymakers should note the tension between national-security control and the practical reality of a market that spans borders. Kinch’s accounts suggest that restrictions intended to prevent proliferation often produced perverse incentives — driving customers to opaque vendors or encouraging ad hoc workarounds.
  • Users and organizations can draw a simpler practical lesson: treat vendor claims with caution. Security is not a product stamp but an ongoing assurance problem requiring testing, operational discipline and clear threat modeling.
  • Adversaries — meaning anyone seeking to intercept or manipulate communications — will find in Kinch’s world ample evidence that uncertainty itself is exploitable. When neither side can verify claims, opportunism fills the void.

Critically, the memoir’s limitations are as instructive as its stories. Kinch writes as an insider with a salesman’s eye: colorful vignettes, sharp opinions and occasional blind spots about broader technical debates. He does not systematically analyze cryptographic theory nor does he offer a forensic accounting of every claim. For readers seeking a balanced history of cryptography’s maturation, Kinch’s book is a complementary primary source rather than a definitive chronicle.

Viewed from today, with open standards, formal cryptanalysis and broad community scrutiny, Kinch’s era appears chaotic. Yet that chaos helped catalyze institutions and norms we now take for granted: peer review, reproducible benchmarks and the widespread expectation that cryptographic claims be independently verifiable. The memoir thus documents both the problem and, indirectly, the genesis of its solutions.

There are broader, continuing policy questions that the book prompts. How should governments regulate dual-use technologies without hampering innovation? What mechanisms best ensure that customers — especially in developing states or commercial sectors with limited expertise — receive verifiably secure products? And how should the market balance secrecy for legitimate national-security purposes against the democratic value of transparency and auditability?

In practical terms, the main takeaway is a familiar one: security without verification is a fragile promise. Whether the context is hardware from the 1970s or cloud cryptography today, assurances must be backed by inspection, testing and the capacity to update and remediate. Institutions — vendors, standards bodies, regulators and customers alike — have to play complementary roles if those assurances are to be meaningful.

Fred Kinch’s account is not a technical manual or a policy brief; it is a personal ledger of an industry finding its feet amid geopolitics and commerce. Read it as a human document that explains why, even when technology improves, the social and economic puzzles around trust and verification persist. If the past taught anything, it is that the commercialization of secrets demands not only clever engineering but also institutional courage: willingness to open code to scrutiny, to subject designs to adversarial review, and to accept the short-term discomfort of transparency for the long-term gain of trust.

In the end, Kinch’s stories leave us with a question that still matters: will we learn to design systems whose security can be shown and not merely sold — or will the industry repeat the old pattern of confident claims built on uncertain foundations?

Source: https://www.schneier.com/blog/archives/2025/11/book-review-the-business-of-secrets.html