I don't practice intellectual property law, but I think y'all should be careful, legally speaking. Without more facts, you don't know if the purported disassembly was lawful.

From: Rich Salz <rsalz@osf.org> Date: Thu, 1 Feb 1996 19:46:50 -0500 Subject: Re: RC2 Source Code - Legal Warning from RSADSI

Once lost, trade secret can never be regained. The person(s) responsible can be sued so they never work again :), but it's unclear if RSA can stop anyone using unpublished trade-secret source.

At any rate, I'll stop my comparison of the distributed RC2 and the licensed RC2 since RSA's done it for us. :) /r$

I think the first and second sentences don't map. It's true that once a trade secret is "lost," it's lost (though I suppose if everyone forgets it and someone rediscovers and protects it it's regained). But you must distinguish between *legally* lost and merely practically disseminated. Trade secrecy is not complete or real secrecy. If I were under NDA to RSA to keep RC2 secret, passed it on to Rich, and RC2 met the legal test for trade secrecy, it is still a trade secret in the law. I don't recall the remedies, but I'm fairly sure that if Rich has the right level of knowledge/notice, he's not immune.

From: "Brian A. LaMacchia" <bal@martigny.ai.mit.edu> Date: Thu, 1 Feb 96 21:06:12 -0500 Subject: Re: RC2 Source Code - Legal Warning from RSADSI

Date: Thu, 1 Feb 1996 18:26:15 -0500 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" From: jrochkin@cs.oberlin.edu (Jonathan Rochkind) Sender: owner-cypherpunks@toad.com Precedence: bulk

Now, copyright might be another matter. But you can't copyright an algorithm, only specific text in fixed form (ie, the source code). So this would mean you couldn't use the particular code posted to sci.crypt, but wouldn't stop anyone from using the algorithm, if they wrote their own code (to be safe, without having seen the RSA-copyrighted code, only having the algorithm described to them by someone else).

If the source code posted to sci.crypt was in fact a copy of an RSADSI copyrighted soure code listing, then making copies of that listing is a copyright violation. However, copyright protection does not extend to the underlying algorithm, so unless RSADSI has a patent on the algorithm the idea is free, and can be reimplemented using a "clean room" or "Chinese wall" approach. If the posted source code was *not* a copy of RSADSI source code but instead produced by disassembling object code RSADSI's claims are tenuous at best. RSADSI could conceivably claim that the disassembled code is a derivative product of their copyrighted object code, but I think they would have a hard time distinguishing themselves from the facts in _Sega v. Accolade_.

I fail to see how the legality of "alleged-RC2" is any different than that of the "alleged-RC4" code which was published last year.

--bal

Trade secrecy is separate from either copyright or patent. It covers both patentable and nonpatentable stuff. Its great advantage is its potential duration -- so long as it's not independently generated or reverse-engineered. Its great drawback is it's hard to maintain. I think Brian is right in what he said, but the critical qualification is how the posted source code was produced. One could have a trade secret in the algorithm; Sega v. Accolade only addresses the copyright issues, if memory serves. The Ninth Circuit found that the dissassembly was infringement, because it involved copying of the protected expression, but excused the infringement based on "fair use." *** Keep in mind that fair use is multifactor, and the Sega decision expressly noted that Accolade was only trying to achieve compatibility, only indirectly harming the market for Sega's videogames. This alone might distinguish disassembly to get RC2 source in order to put RC2 "out there," even from a copyright perspective. What's unclear in the law is RSA's power to control dissassembly by contract. Traditionally, reverse engineering has always been a legitimate means of penetrating trade secrecy. The problem arises, though, if one agrees not to reverse-engineer. If I got an RSA product and agreed not to disassemble and not to disclose anything I might happen to discover, then I have a contractual, not statutory, duty. This is like the shrink-wrap license issue: if I buy Lotus Notes, a shrink-wrap "no dissassembly" provision may well be unenforceable. Such a provision is more likely enforceable in a truly bargained contract. This is all contract law. So if the person who disassembled was under a contractual bar, disassembly could be misappropriation. (I'm not clear on current misappropriation law, which is in a statute in California if I recall.) I'm not really up on all this, and it's very fact-sensitive, but I don't think the legal issues are very simple, and I would counsel some caution. Are those enough qualifications and disclaimers? Lee