In article <1e9ka5INNbmt(_at_)roche(_dot_)csl(_dot_)sri(_dot_)com>,
boucher(_at_)csl(_dot_)sri(_dot_)com (Peter K. Boucher) writes:
|> Summary: PGP may appear to be "freeware," but there are two areas
|> of legal risk for those who use it: patent law, and export
|> law.
|>
|> DISCLAIMER: The following information is provided as a public
|> service. It is explicitly NOT a commercial advertisement, and
|> does not in any way represent, express or imply any policy or
|> viewpoint of SRI International.
|>
|> First, it is illegal to "make, use, or sell" a patented device
|> without a license. PGP's disclaimer does not protect anyone making,
|> distributing, or using PGP. PKP owns the patent and sells licenses
|> to companies who want to make and sell products that use RSA and
|> other public-key cryptography. PGP is not licensed. A license to
|> the maker of PGP has always been (and still is) available, but it
|> would not be free (which would be unfair to other licensees, whose
|> licenses were not free).
|>
|> Second, PGP may be illegal with respect to US export law. The
|> author states in the documentation that he "guided" its development
|> overseas. This might be construed as an export of "technical know-how"
|> under the ITAR (International Traffic in Arms Regulations). By
|> distributing or using PGP 2.0, you may be involved directly or
|> indirectly in an illegal act. Ignorance before the law, of course,
|> is no excuse. It's the responsibility of everyone to seek their
|> own legal advice. I strongly urge potential PGP users to have their
|> company's lawyers read the ITAR and read the PGP statement before
|> making a decision. It could be a serious mistake to assume that
|> because this software "appeared" in the US or elsewhere, it and those
|> who use it are not at any risk of violating export law.
|>
|> The risks to those actively promoting PGP, and/or distributing it, are,
|> of course, greater than those for simple users, but even simple users
|> would do well to seek an acceptable alternative, such as RIPEM.
|> RIPEM is built on a piece of software called RSAREF. RSAREF contains
|> an embedded patent license, and is perfectly legal to use for
|> non-commercial purposes. Any software whatsoever can be built on
|> RSAREF, even PGP-like programs, and distributed freely. RSAREF does
|> carry strong restrictions on export. RIPEM source and executables can
|> be found using archie.
|>
|>
|>
|> --
|> Peter K. Boucher
|> --
|> RIPEM public key available upon request.