From: tcmay@netcom.com (Timothy C. May)
Date: Thu, 29 Apr 93 19:48:03 PDT
To: cypherpunks@toad.com
Subject: Re: No Compromise in Defense of Our Privacy Rights. PGP FIRST!
Message-ID: <9304300247.AA09058@netcom.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Matthew J Miszewski has asked some questions about my posting this morning,
and about my motivations (Wow! It's kind of fun to be the target of such
speculations!).

I'll answer his questions and points with nothing but the truth.

>To all,
> 
>  Tim's statements bother me a great deal.  Granted I have not been around as
>long as some (in this particular environment), but long enough to gain respect
>for certain net personalities.  I wish to hold on to that respect...
> 
>  Ive heard a lot of people talk a lot of sh** about the privacy issues
>concerning us requiring private acts of heroism.  Is that what is involved with
>giving up on an ideal that has helped define the term cypherpunk.  Not long
>ago Tim (and others) posted a rabid defense to the changing of the name of the
>list.  Were those merely words?  I have never questioned the dedication of
>freedom lovers like Tim before this series of postings.  Something has clearly
>taken place.  I hope we find out what.

First of all, no "external event" has happened to cause me to change from
being a freedom-loving "crypto anarchist" to being some kind of "crypto
narc" (if you'll pardon the pun). No phone calls from Dorothy, or from Jim,
or from Bobby Inman (wherever he may be these days). No threats, no
letters, no knocks on the door in the middle of the night.

My posting this morning on "tough choices" was based on my best assessment
of the current situation and my best judgement on what we need to think
about.

> 
>  My problems with Tim's suggestions:
> 
>1.  While those of us lucky enough (or skilled enough) to be independently
>wealthy may think that the price of RSA software is nominal considering what is
>at risk (I personally agree), do we forget about those that *need* this data
>security and cannot pay for it?  (All of these people of course would use PGP
>as an academic resource in order to make its distribution OK).

There are several points here. Is the purpose we're using PGP the saving of
a few bucks? I doubt it. Most of the hobbyist/hacker types now using PGP
are doing so because a kind of "community" has grown up around it, a kind
of "stone soup" collective effort.

I'm not trivializing the value of money. (Ironically, I chose not to go to
the recent CFP Conference because I felt $400 was a bit much for a
conference. A single seat at this conference would buy 3 copies of a
commercial RSA encryption package.) I just don't see much evidence that the
reason PGP is needed is because people can't afford the fee for a legal
version. (BTW, I've acknowledged several times the limitations of MailSafe
and the advantages in several areas of PGP 2.1.)

I've yet to see many people who "need" PGP who cannot pay for it. Perhaps
I'm wrong, but that's how I see it. In any case, while we may have certain
doubts about the patentability of mathematical algorithms, that's the way
the world works. Certain property rights are reasonable. Arguing that
RSADSI has no rights to a patent on public key methods is a different
matter than arguing that someone's need and inability to pay is grounds for
taking software.

(I apologize profusely to my Cypherpunk colleagues if I sound a bit like
David Sternlight here. While I think he comes off as a pompous fool most of
the time, he raises some important points. I like to think I'm raising them
here in a different way, suggesting a compromise in the greater interests
of ultimate privacy rights.)

>2.  From a legal point of view, what RSA is probably doing is asserting its
>*presumed* patent rights.  Left unchallenged they will remain presumed.  So,
>to those whom have repeatedly sounded the call for "individual acts of
>heroism",
>is now the time to run and hide?  The *ultimate* question of the legitimacy of
>algorithmic patents funded with public money *will* default if left
>unchallenged.  So I challenge, with all of my honest respect, those with the
>means to take up the gauntlet thrown down by RSA.

A legal battle with RSADSI at this moment would cost quite a bit and almost
certainly be won by RSADSI. (The courts have upheld "process" and
"algorithm" patents...Caveat: I am not a lawyer.) I happen to agree that
some software patents are prima facie stupid--like the "XOR cursor"
patent--and deserve to be thrown out. And perhaps the several key patents
held by Public Key Partners (MIT, Stanford, RSA Data Security, and Cylink
are the partners, as I recall) should be thrown out. But this will not
happen anytime soon, and will cost an enormous amount to successfully
litigate (the lawyers can correct me if I'm wrong). I see no chance of this
happening before the patents begin to naturally expire around 1998 or so
(and on to 2002 or so).

Meanwhile, others are free to openly distribute PGP and face the court
system. (RSADSI must of course defend itself against all "obvious"
infringements or attempts to infringe, or it risks losing its patent
status. While some of us might like this outcome, it's of course not very
reasonable.) Stanton McLandish, in his admirable zeal, publicly announced
the availability of PGP at his site. When RSADSI sent him a "cease and
desist" letter (isn't e-mail great?...Stanton posts it, and Jim Bidzos, the
Pres. of RSA responds...no lawyers were needed, no lengthy delays.).

Stanton did the wise thing. I haven't seen others step forward to put PGP
in a highly visible position on their systems (and I'm definitely not
recommending it, either).

>3.  There are more ways than one to legitimize strong crypto and allow RSA
>to gain its almighty buck.  Suggestions have already been made.  Allow the
>rights to the RSA patents to be purchased.  RSA does have a choice between that
>and no money at all.
> 
>4.  What about those that went before.  Is the heroism of Phil Zimmerman to go
>for nought?  The chances that several people, including Tim, have taken deserve
>compensation NOT compromise.  RSA wants us to fold now.  Why is a respected
>leader of the community asking a compromise of the Cypherpunk Manifesto?

Because I think the larger issue is the preservation of the rigth to strong
crypto, the right to put locks on your doors without depositing a copy with
the cops, the right to speak in tongues if that's what you want. Fighting
the RSA patents NOW will not help this battle be won.

We're on a stronger foundation, legally and constitutionally, if we're
using "non-illegal" products. (If it came down to defending my freedom with
"illegal guns," for example, I'd certainly choose the guns. This is because
I don't believe the government is right in outlawing guns. If the
government ever outlaws strong crypto, you can be sure I'll be using outlaw
crypto.  The difference with the current situation is that crypto per se
has not yet come under regulation.)
 
>5.  Finally, there have been other ways suggested to deal with the problems.
>A USA-Legal PGP is one.  I know that many of the philosophers, code writers,
>hackers, thinkers, etc. among us can overcome this too.  Why give up when it
>appears to be the night before the big game?

I'm definitely not proposing we "give up." And joining in a crusade against
RSA precisely when we need them as an ally is truly tilting at windmills.

(I've made this point before: the Clipper/Skipjack/Capstone scheme appears
to be an attempted end-run around public key strong crypto. You may not
like one minor aspect of this situation, i.e., that the work of Diffie,
Hellman, Merkle, Rivest, Shamir, and Adleman is now licensed from RSA Data
Security, but that's the way it is. Fortunately, it's a relatively minor
issue.)


>  I am merely a law student with a deep interest in liberty and privacy.  I
>*am* willing to offer my time to the preparation of any eventual *challenge*
>of the RSA patents.  NONE of the above post was meant as a personal afront to
>anyone, but rather a critical look at Tims suggestions (Mainly because I would
>not have expected it from *Tim*).  If there are extenuating circumstances
>involved, let us know.  I have been reading posts from Tim since the days of
>p/hun and before.  I in NO WAY question Tims committment, but rather the
>motivation for the out of character post.


I hope I've addressed the main points raised by Matt in his thoughtful
post. Like I said, it was a tough post to write! I expected some
controversy. But the points needed to be said.

We should all thank Phil Zimmermann for what he did...he energized the
community, made a lot of people aware of strong crypto, and started a
community programming effort rarely seen before. But let's face it--bootleg
crypto (which is what PGP will remain in this country unless and until the
courts overturn the patents or RSA suddenly decides to cave in) is *not*
going to spread the way we want strong crypto to. Already, companies that
want to use PGP (probably because some employees do) are facing the
realization that it's not legal and that they are exposing themselves to
serious liabilities if they use it. This alone will begin to strangle PGP
in its crib, so to speak.

Furthermore, neither Phil nor any other members of the development team are
likely to ever make any money with this (something Phil would
understandably like to do someday). Better that Phil do what other
companies have done: arrange a license with RSADSI. RSAREF source code is
readily available for inspection, lest people fear that trapdoors or
whatnot have been inserted into the code. (There are a lot of issues about
the various versions of the RSA code, including RSAREF, MailSafe, RIPEM,
TIPEM, OCE, etc., which I won't go into here. Others are better qualified
anyway.)

All I'm suggesting is that we not quixotically (speaking of tilting at
windmills) pin our hopes and expectations on a climactic battle between
Phil Zimmermann and the lawyers at RSA. Our freedom to encrypt is more
important than that kind of ego battle. (Asking RSADSI to cave in and give
away their crown jewels is unrealistic. Asking them to incorporate some of
the features of PGP we like into some current or future offering is much
more reasonable. Who knows, perhaps even a full-scale licensing of PGP is
possible.)

I'm hopeful that some kind of accommodation will come about so we can focus
on the real fight, the fight for our right to keep some things secret.

-Tim May
--
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, smashing of governments.
Higher Power: 2^756839 | Public Key: in a state of flux!
Waco Massacre + Big Brother Wiretap Chip = A Nazi Regime