(Cross-posted with permission of Eben Moglen): Newsgroups: sci.crypt,alt.security.pgp From: em21@cunixf.cc.columbia.edu (Eben Moglen) Subject: Re: PKP/RSA comments on PGP legality Message-ID: <1992Dec17.150409.17696@news.columbia.edu> Date: Thu, 17 Dec 1992 15:04:09 GMT I have been following with interest, and distress, the conversation about legal risks in using PGP set off by Carl Ellison's posting of a document said to reflect the legal position of PKP. Perhaps a Columbia Law professor's views on these questions may be helpful. I'm going to discuss the realities of the situation, without jargon, rather than the legal technicalities. Those who want to discuss the legal detail should feel free to contact me, but for legal advice I usually get paid. PKP says that any user of PGP is "inducing" infringement. Here's the reality of the situation. PKP is the licensee of a presumptively valid US patent, which it claims PGP 2.1 infringes. If the patent is valid, and PGP infringes, every user is not just inducing infringement--he/she/it is infringing the patent. This is not a crime; it's a civil wrong, for which, as the PKP statement says, damages are available at law. But this is true every time a manufacturer sells or distributes an infringing article. As you may recall, for example, an inventor recently won an enormous damages judgment against a major US auto company for infringing his patent for intermittent windshield wipers. Theoretically, under the patent law, he could instead have notified all Ford buyers in the past decade that they were personally infringing his patent. But it is grossly impracticable to do that, and a suit against the manufacturer accomplishes exactly the same result, since the total amount of the damages available is the same either way, while the litigation cost is not. PKP can test the validity of its patent and recover its damages, if any, in a suit against the developers and distributors of PGP, if it cares to. Without any knowledge of their thinking, I predict the partners won't want to do that. It would be expensive, the damages to be recovered would be slight or none, and they would risk having the only patent anywhere in the world protecting their technology declared invalid. But in any event, it is virtually unheard-of to sue individual end-use consumers of allegedly infringing technology. If PKP's investors had $100 million or so they wanted to waste in litigation anything could happen, but they don't, and it won't. In any event, in such a situation a lawyer certainly might advise her client to wait for the patent-holder to assert his rights directly. When PKP sends you a personal letter claiming that you are infringing its patent, and asking you to take out a license, you can decide what you want to do about it. In the meanwhile, the patent claim against end users is mostly, probably entirely, just noise. The Munitions Act bluster contained in the post is not even that important. It's just ridiculous. Others have said some of the most important things well, so I'll be brief. First, even if PKP believes its own arguments interpreting the ITARs, PKP doesn't have squat to do with ITAR enforcement. This is a question addressed to the discretion of the Treasury, the Department of Justice, and local United States Attorneys. ITAR enforcement against distributors of PGP would require a decision by all those agencies that the highest-priority Munitions Act enforcement problem at some future moment is the prohibition of IMPORTATION of a CONSUMER SOFTWARE PRODUCT embodying TECHNICAL INFORMATION IN THE PUBLIC DOMAIN. I challenge PKP, or anyone else, to show any past example of such an approach to ITAR enforcement by any Administration. I cannot myself imagine any United States Attorney's office wanting to bring such a case, which is of nightmarish complexity, would be politically unpopular, and does nothing whatever to stem the global arms trade or increase the national security of the US. I very much doubt that PKP really believes that the domestic circulation of PGP violates the ITARs, since PKP itself terms as "unfortunate" the application of the Munitions Act to cryptographic technology. But even if that's really what PKP or its officers think, so what? The chances that the United States Government will ever agree, and put weight behind agreement, are within fuzz of zero. UseNet serves many social purposes. One, apparently, is the no-cost distribution of negative advertising and legal chest-pounding, intended to frighten people away from experimentation with a piece of interesting freeware. Myself, I would just put the PKP temper tantrum in the bitbucket. But since other people have taken it seriously (much more seriously than it deserves) I thought a few more sober comments might be warranted. _____________________________________________________________________ Fiat Justitia, "Quoi que vous fassiez, ecrasez l'infame, ruat Coelum. et aimez qui vous aime." Eben Moglen voice: 212-854-8382 Professor of Law & Legal History fax: 212-854-7946 Columbia Law School, 435 West 116th Street, NYC 10027 moglen@lawmail.columbia.edu --