Xref: sparky sci.crypt:5618 alt.security.pgp:146
Path: sparky!uunet!zaphod.mps.ohio-state.edu!caen!nic.umass.edu!m2c!crackers!transfer.stratus.com!ellisun.sw.stratus.com!cme
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Newsgroups: sci.crypt,alt.security.pgp
Subject: PKP/RSA comments on PGP legality
Message-ID: <1galtnINNhn5@transfer.stratus.com>
Date: 11 Dec 92 18:16:23 GMT
Organization: Stratus Computer, Software Engineering
Lines: 181
NNTP-Posting-Host: ellisun.sw.stratus.com

I went to the horse's mouth and asked some folks at PKP & RSA to comment
on PGP legality. Here's their reply. I have permission to post it.

This was inspired by my original question, to them, whether I could buy
an individual license to permit me to use PGP. [I have since concluded
that I would like to get a copy of the PGP interface spec so that I could
write a program, using RSAREF, which interoperates with PGP. I see PGP
as setting a kind of new standard format -- an alternative to PEM.]

So -- on to the reply from PKP (much from a lawyer there) and RSA:


-----------------------------------------------------

Risks of using pgp

One should be careful about assuming that the documentation in
electronically distributed software is accurate, especially where
law is concerned.

There is much that the documentation for pgp does not tell you about
patent and export law that you should be aware of. Some of the
statements and interpretations of patent and export law are simply
false. This note will attempt to offer some clarification and accurate
information.

pgp seems to be an attempt to mislead netters into joining an
illegal activity that violates patent and export law, letting them
believe that they run no serious risk in doing so.

PATENTS

Patent law prohibits anyone from making, using, or selling a device
that practices methods described in a U.S. patent. pgp admits
practicing methods described in US patent #4,405,829, issued to the
Massachusetts Institute of Technology, and licensed by Public Key
Partners.

Those who send signed or encrypted messages, post the pgp program,
or encourage others to do so are inducing infringement. Under
patent law, there is no distinction between inducement to infringe and
direct infringement. You are just as liable.

Being aware of the RSA patent makes infringement willful and
deliberate. Under patent law, a patent holder is entitled to seek
triple damages and legal fees from deliberate infringers. While the
pgp documentation suggests that you probably won't get sued, it
doesn't tell you what can happen when patent holders assert their
rights against infringement.

Free and legal RSA software is available. RSA Data Security has
released a program, including source code, called RSAREF. This program
is available free to any U.S. person for non-commercial use.
Applications may be built on RSAREF and freely distributed, subject to
export law. An application that provides email privacy, based on
RSAREF, which uses the RSA and DES algorithms, called RIPEM is an
example. For information, send email to rsaref-info@rsa.com or
rsaref-users@rsa.com.

NOTE: The pgp documentation states that PKP acquired the patent rights
to RSA "... which was developed with your tax dollars..." This is very
misleading. U.S. tax dollars only partially funded researchers at MIT
who developed RSA. The U.S. government itself received royalty-free
use in return. This is standard practice whenever the government
provides financial assistance. The patents on public-key are no
different and were handled no differently than any others developed at
universities with partial government funding. In fact, almost every
patent granted to a major university includes government support,
returns royalty-free rights to the government, and is then licensed
commercially by the universities to private parties.

EXPORT LAW

pgp leads users to believe that it has circumvented export controls
when it says "...there are no import restrictions on bringing
cryptographic technology into the USA." You are led to believe that
since you didn't import it, it's legal for you to use it in the US.
The "no import restrictions" claim has been made so many times, many
people probably believe it.

One would be well advised not to accept this legal opinion. While
stated as if it were a well-known fact, the claim that "there are no
import restrictions" is simply false. Section 123.2 of the ITAR
(International Traffic in Arms Regulations) reads:

"123.2 Imports. No defense article may be imported into the United
States unless (a) it was previously exported temporarily under a
license issued by the Office of Munitions Control; or (b) it
constitutes a temporary import/intransit shipment licensed under
Section 123.3; or (c) its import is authorized by the Department of
the Treasury (see 27 CFR parts 47, 178, and 179)."

Was pgp illegally exported? Was pgp illegally imported? Of course.
It didn't export or import itself. pgp 1 was illegally exported from
the U.S., and pgp 2, based on pgp 1, is illegally imported into the
U.S. Is a license required? According to the ITAR, it is. ITAR
Section 125.2, "Exports of unclassified technical data," paragraph (c)
reads:

"(c) Disclosures. Unless otherwise expressly exempted in this
subchapter, a license is required for the oral, visual, or documentary
disclosure of technical data... A license is required regardless of
the manner in which the technical data is transmitted (e.g., in
person, by telephone, correspondence, electronic means, telex, etc.)."

What is "export?" Section 120.10, "Export," begins:

"'Export' means, for purposes of this subchapter: ...(c) Sending or
taking technical data outside of the United States in any manner
except that by mere travel outside of the United States by a person
whose technical knowledge includes technical data; or..."

Is pgp subject to the ITAR? See Part 121, the Munitions List, in
particular Category XIII, of which paragraph (b) reads, in part,
"...privacy devices, cryptographic devices and software (encoding and
decoding), and components specifically designed or modified
therefore,..."

A further definition in 121.8, paragraph (f) reads: "Software
includes but is not limited to the system functional design,
logic flow, algorithms, application programs, ..."

pgp encourages you to post it on computer bulletin boards. Anybody
who considers following this advice is taking quite a risk. When you
make a defense item available on a BBS, you have exported it.

pgp's obvious attempts to downplay any risk of violating export law
won't help you a bit if you're ever charged under the ITAR.

Penalties under the ITARs are quite serious. The ITARs were clearly
designed to put teeth into laws that make exporting munitions illegal.
It's unfortunate that cryptography is on the munitions list. But it
is. pgp is software tainted by serious ITAR violations.

These points on patent and export law are straightforward and can
easily be confirmed with legal advice. However, there are other
statements in the pgp documentation that should not go unchallenged.

In pgp 2.0, the author says, "I did not steal any software from PKP."
(PKP is the patent holder for the RSA patent.) Of course not; PKP
doesn't make any software. However, not mentioned is a software
product by RSA Data Security called MailSafe. This product was first
shipped in July of 1986. Features such as digital signatures on the
program itself for verification, internal self-check for virus
detection, compression of plaintext and ASCII recoding of encrypted
binary files, direct and extended trust of public keys through
certification, including the publisher's public key in the
distribution, display of a message digest, security and password
advice, and many others are in MailSafe and are carefully documented
in the user manual. The authors of pgp have had a copy of MailSafe
and the user manual since 1987.

There may be nothing illegal about using ideas from another product,
but there's something dishonest about misleading people into believing
these ideas were your own in the interest of recruiting "fans."

pgp calls itself "public-key for the masses." Even this isn't
original. The September 12, 1986 issue of the Christian Science
Monitor contains a page one story on cryptography, and discusses
MailSafe. In that story, an RSA spokesman is quoted as saying
"MailSafe is public-key for the masses." Reprints of this story were
widely circulated in RSA press kits, and received by the pgp authors
in 1987.

The documentation to pgp would have readers believe that pgp was the
result of a noble desire to save everyone from an evil government
threatening to deny rights to privacy; that users and distributors of
pgp have little or nothing to fear from the patent holders, who, it is
implied, are probably dishonest anyway; and that one shouldn't be
concerned about export controls because pgp beat the system for
everyone by having been developed overseas and imported legally. The
facts simply don't support these claims.


-----------------------------------------------------

--
-- <<Disclaimer: All opinions expressed are my own, of course.>>
-- Carl Ellison cme@sw.stratus.com
-- Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783
-- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488
-