Matthew J Miszewski has asked some questions about my posting this morning, and about my motivations (Wow! It's kind of fun to be the target of such speculations!). I'll answer his questions and points with nothing but the truth.
To all,
Tim's statements bother me a great deal. Granted I have not been around as long as some (in this particular environment), but long enough to gain respect for certain net personalities. I wish to hold on to that respect...
Ive heard a lot of people talk a lot of sh** about the privacy issues concerning us requiring private acts of heroism. Is that what is involved with giving up on an ideal that has helped define the term cypherpunk. Not long ago Tim (and others) posted a rabid defense to the changing of the name of the list. Were those merely words? I have never questioned the dedication of freedom lovers like Tim before this series of postings. Something has clearly taken place. I hope we find out what.
First of all, no "external event" has happened to cause me to change from being a freedom-loving "crypto anarchist" to being some kind of "crypto narc" (if you'll pardon the pun). No phone calls from Dorothy, or from Jim, or from Bobby Inman (wherever he may be these days). No threats, no letters, no knocks on the door in the middle of the night. My posting this morning on "tough choices" was based on my best assessment of the current situation and my best judgement on what we need to think about.
My problems with Tim's suggestions:
1. While those of us lucky enough (or skilled enough) to be independently wealthy may think that the price of RSA software is nominal considering what is at risk (I personally agree), do we forget about those that *need* this data security and cannot pay for it? (All of these people of course would use PGP as an academic resource in order to make its distribution OK).
There are several points here. Is the purpose we're using PGP the saving of a few bucks? I doubt it. Most of the hobbyist/hacker types now using PGP are doing so because a kind of "community" has grown up around it, a kind of "stone soup" collective effort. I'm not trivializing the value of money. (Ironically, I chose not to go to the recent CFP Conference because I felt $400 was a bit much for a conference. A single seat at this conference would buy 3 copies of a commercial RSA encryption package.) I just don't see much evidence that the reason PGP is needed is because people can't afford the fee for a legal version. (BTW, I've acknowledged several times the limitations of MailSafe and the advantages in several areas of PGP 2.1.) I've yet to see many people who "need" PGP who cannot pay for it. Perhaps I'm wrong, but that's how I see it. In any case, while we may have certain doubts about the patentability of mathematical algorithms, that's the way the world works. Certain property rights are reasonable. Arguing that RSADSI has no rights to a patent on public key methods is a different matter than arguing that someone's need and inability to pay is grounds for taking software. (I apologize profusely to my Cypherpunk colleagues if I sound a bit like David Sternlight here. While I think he comes off as a pompous fool most of the time, he raises some important points. I like to think I'm raising them here in a different way, suggesting a compromise in the greater interests of ultimate privacy rights.)
2. From a legal point of view, what RSA is probably doing is asserting its *presumed* patent rights. Left unchallenged they will remain presumed. So, to those whom have repeatedly sounded the call for "individual acts of heroism", is now the time to run and hide? The *ultimate* question of the legitimacy of algorithmic patents funded with public money *will* default if left unchallenged. So I challenge, with all of my honest respect, those with the means to take up the gauntlet thrown down by RSA.
A legal battle with RSADSI at this moment would cost quite a bit and almost certainly be won by RSADSI. (The courts have upheld "process" and "algorithm" patents...Caveat: I am not a lawyer.) I happen to agree that some software patents are prima facie stupid--like the "XOR cursor" patent--and deserve to be thrown out. And perhaps the several key patents held by Public Key Partners (MIT, Stanford, RSA Data Security, and Cylink are the partners, as I recall) should be thrown out. But this will not happen anytime soon, and will cost an enormous amount to successfully litigate (the lawyers can correct me if I'm wrong). I see no chance of this happening before the patents begin to naturally expire around 1998 or so (and on to 2002 or so). Meanwhile, others are free to openly distribute PGP and face the court system. (RSADSI must of course defend itself against all "obvious" infringements or attempts to infringe, or it risks losing its patent status. While some of us might like this outcome, it's of course not very reasonable.) Stanton McLandish, in his admirable zeal, publicly announced the availability of PGP at his site. When RSADSI sent him a "cease and desist" letter (isn't e-mail great?...Stanton posts it, and Jim Bidzos, the Pres. of RSA responds...no lawyers were needed, no lengthy delays.). Stanton did the wise thing. I haven't seen others step forward to put PGP in a highly visible position on their systems (and I'm definitely not recommending it, either).
3. There are more ways than one to legitimize strong crypto and allow RSA to gain its almighty buck. Suggestions have already been made. Allow the rights to the RSA patents to be purchased. RSA does have a choice between that and no money at all.
4. What about those that went before. Is the heroism of Phil Zimmerman to go for nought? The chances that several people, including Tim, have taken deserve compensation NOT compromise. RSA wants us to fold now. Why is a respected leader of the community asking a compromise of the Cypherpunk Manifesto?
Because I think the larger issue is the preservation of the rigth to strong crypto, the right to put locks on your doors without depositing a copy with the cops, the right to speak in tongues if that's what you want. Fighting the RSA patents NOW will not help this battle be won. We're on a stronger foundation, legally and constitutionally, if we're using "non-illegal" products. (If it came down to defending my freedom with "illegal guns," for example, I'd certainly choose the guns. This is because I don't believe the government is right in outlawing guns. If the government ever outlaws strong crypto, you can be sure I'll be using outlaw crypto. The difference with the current situation is that crypto per se has not yet come under regulation.)
5. Finally, there have been other ways suggested to deal with the problems. A USA-Legal PGP is one. I know that many of the philosophers, code writers, hackers, thinkers, etc. among us can overcome this too. Why give up when it appears to be the night before the big game?
I'm definitely not proposing we "give up." And joining in a crusade against RSA precisely when we need them as an ally is truly tilting at windmills. (I've made this point before: the Clipper/Skipjack/Capstone scheme appears to be an attempted end-run around public key strong crypto. You may not like one minor aspect of this situation, i.e., that the work of Diffie, Hellman, Merkle, Rivest, Shamir, and Adleman is now licensed from RSA Data Security, but that's the way it is. Fortunately, it's a relatively minor issue.)
I am merely a law student with a deep interest in liberty and privacy. I *am* willing to offer my time to the preparation of any eventual *challenge* of the RSA patents. NONE of the above post was meant as a personal afront to anyone, but rather a critical look at Tims suggestions (Mainly because I would not have expected it from *Tim*). If there are extenuating circumstances involved, let us know. I have been reading posts from Tim since the days of p/hun and before. I in NO WAY question Tims committment, but rather the motivation for the out of character post.
I hope I've addressed the main points raised by Matt in his thoughtful post. Like I said, it was a tough post to write! I expected some controversy. But the points needed to be said. We should all thank Phil Zimmermann for what he did...he energized the community, made a lot of people aware of strong crypto, and started a community programming effort rarely seen before. But let's face it--bootleg crypto (which is what PGP will remain in this country unless and until the courts overturn the patents or RSA suddenly decides to cave in) is *not* going to spread the way we want strong crypto to. Already, companies that want to use PGP (probably because some employees do) are facing the realization that it's not legal and that they are exposing themselves to serious liabilities if they use it. This alone will begin to strangle PGP in its crib, so to speak. Furthermore, neither Phil nor any other members of the development team are likely to ever make any money with this (something Phil would understandably like to do someday). Better that Phil do what other companies have done: arrange a license with RSADSI. RSAREF source code is readily available for inspection, lest people fear that trapdoors or whatnot have been inserted into the code. (There are a lot of issues about the various versions of the RSA code, including RSAREF, MailSafe, RIPEM, TIPEM, OCE, etc., which I won't go into here. Others are better qualified anyway.) All I'm suggesting is that we not quixotically (speaking of tilting at windmills) pin our hopes and expectations on a climactic battle between Phil Zimmermann and the lawyers at RSA. Our freedom to encrypt is more important than that kind of ego battle. (Asking RSADSI to cave in and give away their crown jewels is unrealistic. Asking them to incorporate some of the features of PGP we like into some current or future offering is much more reasonable. Who knows, perhaps even a full-scale licensing of PGP is possible.) I'm hopeful that some kind of accommodation will come about so we can focus on the real fight, the fight for our right to keep some things secret. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, smashing of governments. Higher Power: 2^756839 | Public Key: in a state of flux! Waco Massacre + Big Brother Wiretap Chip = A Nazi Regime