PKP/RSA comments on PGP legality

Bruce F. Webster pages!bwebster at uunet.UU.NET
Mon Dec 21 11:30:02 PST 1992

(Cross-posted with permission of Eben Moglen):

Newsgroups: sci.crypt,
From: em21 at (Eben Moglen)
Subject:  Re: PKP/RSA comments on PGP legality
Message-ID: <1992Dec17.150409.17696 at>
Date: Thu, 17 Dec 1992 15:04:09 GMT

I have been following with interest, and distress, the conversation
about legal risks in using PGP set off by Carl Ellison's posting of
a document said to reflect the legal position of PKP.  Perhaps a
Columbia Law professor's views on these questions may be helpful.   
I'm going to discuss the realities of the situation, without jargon,
rather than the legal technicalities.  Those who want to discuss the
legal detail should feel free to contact me, but for legal advice I
usually get paid.

PKP says that any user of PGP is "inducing" infringement.  Here's the
reality of the situation.  PKP is the licensee of a presumptively
valid US patent, which it claims PGP 2.1 infringes.  If the patent is
valid, and PGP infringes, every user is not just inducing
infringement--he/she/it is infringing the patent.  This is not a
crime; it's a civil wrong, for which, as the PKP statement says,
damages are available at law.  But this is true every time a
manufacturer sells or distributes an infringing article.  As you may
recall, for example, an inventor recently won an enormous damages
judgment against a major US auto company for infringing his patent  
for intermittent windshield wipers.  Theoretically, under the patent  
law, he could instead have notified all Ford buyers in the past  
decade that they were personally infringing his patent.  But it is  
grossly impracticable to do that, and a suit against the manufacturer
accomplishes exactly the same result, since the total amount of the
damages available is the same either way, while the litigation cost  
is not.  PKP can test the validity of its patent and recover its  
damages, if any, in a suit against the developers and distributors of  
PGP, if it cares to.  Without any knowledge of their thinking, I  
predict the partners won't want to do that.  It would be expensive,  
the damages to be recovered would be slight or none, and they would  
risk having the only patent anywhere in the world protecting their  
technology declared invalid.  But in any event, it is virtually  
unheard-of to sue individual end-use consumers of allegedly  
infringing technology.  If PKP's investors had $100 million or so  
they wanted to waste in litigation anything could happen, but they  
don't, and it won't.

In any event, in such a situation a lawyer certainly might advise her
client to wait for the patent-holder to assert his rights directly. 

When PKP sends you a personal letter claiming that you are infringing
its patent, and asking you to take out a license, you can decide what
you want to do about it.  In the meanwhile, the patent claim against
end users is mostly, probably entirely, just noise.

The Munitions Act bluster contained in the post is not even that
important.  It's just ridiculous.  Others have said some of the most
important things well, so I'll be brief.  First, even if PKP believes
its own arguments interpreting the ITARs, PKP doesn't have squat to  
do with ITAR enforcement.  This is a question addressed to the  
discretion of the Treasury, the Department of Justice, and local  
United States Attorneys.  ITAR enforcement against distributors of  
PGP would require a decision by all those agencies that the  
highest-priority Munitions Act enforcement problem at some future  
moment is the prohibition of IMPORTATION of a CONSUMER SOFTWARE  
challenge PKP, or anyone else, to show any past example of such an  
approach to ITAR enforcement by any Administration.  I cannot myself  
imagine any United States Attorney's office wanting to bring such a  
case, which is of nightmarish complexity, would be politically  
unpopular, and does nothing whatever to stem the global arms trade or  
increase the national security of the US.  I very much doubt that PKP  
really believes that the domestic circulation of PGP violates the  
ITARs, since PKP itself terms as "unfortunate" the application of the  
Munitions Act to cryptographic technology.  But even if that's really  
what PKP or its officers think, so what?  The chances that the United  
States Government will ever agree, and put weight behind agreement,  
are within fuzz of zero.

UseNet serves many social purposes.  One, apparently, is the no-cost
distribution of negative advertising and legal chest-pounding,
intended to frighten people away from experimentation with a piece of
interesting freeware.  Myself, I would just put the PKP temper  
tantrum in the bitbucket.  But since other people have taken it  
seriously (much more seriously than it deserves) I thought a few more  
sober comments might be warranted.

Fiat Justitia,         "Quoi que vous fassiez, ecrasez l'infame,
ruat Coelum.                           et aimez qui vous aime."
Eben Moglen                       voice: 212-854-8382
Professor of Law & Legal History    fax: 212-854-7946          
Columbia Law School, 435 West 116th Street, NYC 10027           
moglen at
