From: tien@well.sf.ca.us (Lee Tien)
Date: Sat, 3 Feb 1996 11:38:10 +0800
To: cypherpunks@toad.com
Subject: Re:  RC2 Source Code - Legal Warning from RSADSI
Message-ID: <199602030235.SAA08181@well.com>
MIME-Version: 1.0
Content-Type: text/plain


I don't practice intellectual property law, but I think y'all should be
careful, legally speaking.  Without more facts, you don't know if the
purported disassembly was lawful.  


>From: Rich Salz <rsalz@osf.org>
>Date: Thu, 1 Feb 1996 19:46:50 -0500
>Subject: Re:  RC2 Source Code - Legal Warning from RSADSI
>
>Once lost, trade secret can never be regained.  The person(s) responsible
>can be sued so they never work again :), but it's unclear if RSA can
>stop anyone using unpublished trade-secret source.
>
>At any rate, I'll stop my comparison of the distributed RC2 and the 
>licensed RC2 since RSA's done it for us. :)
>        /r$

I think the first and second sentences don't map.  It's true that once a
trade secret is "lost," it's lost (though I suppose if everyone forgets it
and someone rediscovers and protects it it's regained).

But you must distinguish between *legally* lost and merely practically
disseminated.  Trade secrecy is not complete or real secrecy.  If I were
under NDA to RSA to keep RC2 secret, passed it on to Rich, and RC2 met the
legal test for trade secrecy, it is still a trade secret in the law.  I
don't recall the remedies, but I'm fairly sure that if Rich has the right
level of knowledge/notice, he's not immune.

>From: "Brian A. LaMacchia" <bal@martigny.ai.mit.edu>
>Date: Thu, 1 Feb 96 21:06:12 -0500
>Subject: Re: RC2 Source Code - Legal Warning from RSADSI
>
>   Date: Thu, 1 Feb 1996 18:26:15 -0500
>   Mime-Version: 1.0
>   Content-Type: text/plain; charset="us-ascii"
>   From: jrochkin@cs.oberlin.edu (Jonathan Rochkind)
>   Sender: owner-cypherpunks@toad.com
>   Precedence: bulk
>
>   Now, copyright might be another matter.    But you can't copyright an
>   algorithm, only specific text in fixed form (ie, the source code).  So this
>   would mean you couldn't use the particular code posted to sci.crypt, but
>   wouldn't stop anyone from using the algorithm, if they wrote their own code
>   (to be safe, without having seen the RSA-copyrighted code, only having the
>   algorithm described to them by someone else).   
>
>If the source code posted to sci.crypt was in fact a copy of an RSADSI
>copyrighted soure code listing, then making copies of that listing is a
>copyright violation.  However, copyright protection does not extend to
>the underlying algorithm, so unless RSADSI has a patent on the algorithm
>the idea is free, and can be reimplemented using a "clean room" or
>"Chinese wall" approach.  If the posted source code was *not* a copy of
>RSADSI source code but instead produced by disassembling object code
>RSADSI's claims are tenuous at best.  RSADSI could conceivably claim
>that the disassembled code is a derivative product of their copyrighted
>object code, but I think they would have a hard time distinguishing
>themselves from the facts in _Sega v. Accolade_.
>
>I fail to see how the legality of "alleged-RC2" is any different than
>that of the "alleged-RC4" code which was published last year.
>
>                                                --bal

Trade secrecy is separate from either copyright or patent.  It covers both
patentable and nonpatentable stuff.  Its great advantage is its potential
duration -- so long as it's not independently generated or
reverse-engineered.  Its great drawback is it's hard to maintain.  

I think Brian is right in what he said, but the critical qualification is
how the posted source code was produced.  One could have a trade secret in
the algorithm; Sega v. Accolade only addresses the copyright issues, if
memory serves.  The Ninth Circuit found that the dissassembly was
infringement, because it involved copying of the protected expression, but
excused the infringement based on "fair use."  *** Keep in mind that fair
use is multifactor, and the Sega decision expressly noted that Accolade was
only trying to achieve compatibility, only indirectly harming the market
for Sega's videogames.  This alone might distinguish disassembly to get RC2
source in order to put RC2 "out there," even from a copyright perspective.

What's unclear in the law is RSA's power to control dissassembly by
contract.  Traditionally, reverse engineering has always been a legitimate
means of penetrating trade secrecy.  The problem arises, though, if one
agrees not to reverse-engineer.  If I got an RSA product and agreed not to
disassemble and not to disclose anything I might happen to discover, then I
have a contractual, not statutory, duty.  This is like the shrink-wrap
license issue:  if I buy Lotus Notes, a shrink-wrap "no dissassembly"
provision may well be unenforceable.  Such a provision is more likely
enforceable in a truly bargained contract.  This is all contract law.

So if the person who disassembled was under a contractual bar, disassembly
could be misappropriation.  (I'm not clear on current misappropriation law,
which is in a statute in California if I recall.)

I'm not really up on all this, and it's very fact-sensitive, but I don't
think the legal issues are very simple, and I would counsel some caution. 
Are those enough qualifications and disclaimers?  

Lee