Category : Various Text files
Archive   : PGPLEGAL.ZIP
Filename : ETHICS.PGP

Subject: PGP use Ethical and Legal Questions
Date: Wed, 23 Dec 1992 01:05:44 GMT
From: [email protected] (james.a.parker)
Lines: 139

David Sternlight seems to be on a one man crusade to eliminate the use of PGP.
He has argued that it is both illegal and unethical to do so, on the basis of:

o ITAR restrictions against US import
o Patents held by PKP

Let me address each of these.

IS IT LEGAL?

With respect to the patents held by PKP, it is alleged that PGP infringes upon
the intellectual property rights of PKP. However, this is the case only if
the patents are indeed being infringed. This has not been demonstrated,
however. The claim apparantly made by PKP is that it holds sole ownership
of all implementation of public key cryptosystems. This seems a rather broad
claim, and one which could certainly be attacked on the basis of its being
overly broad and/or an "obvious" act of someone skilled in the appropriate
art (the trick being *how* to do it; RSA being one effective way).

In addition, PKP has apparently not attempted to defend its patent against
PGP (although they know of its existence); this gives some merit to the theory
that PKP *knows* it has no legal standing.

The answer at this point, then, is it is unknown. Unless and until the matter
is adjudicated in a court of law, the legal status is not known.

With respect for ITAR, there is strong evidence that the restriction is not
legally binding. The case can be made on constitutional grounds:

o Violation of the first amendment; prohibiting the transfer of information
from one party to another violates abridges freedom of speech and of
the press.

o Violation of the second amendment; by recognizing cryptographic software
as "arms", prohibiting its import and use infringes on the people's
right to keep and bear arms.

o Violation of the ninth amendment; given that the federal government
is given no explicit power to prohibit the import, export or use of
cryptographic software, the right is retained by the people.

In addition, the presumed goal of limiting the cryptographic capabilities of
the US citizen can be found unconstitutional:

o The third amendment prohibits the quartering of troops in people's
homes. The reason troops were quartered at that time was to limit
private activities of citizens thought to be acting against the
goals of the government.

o The fourth amendment prohibits unreasonable search and seizure. Limiting
the ability of citizens to cloak their speech from searches by the
government limits that protection.

o The fifth amendment protects the right of citizens against self
incrimination. Limiting a persons ability to not incriminate
themselves impairs that right.

I therefore conclude that the ITAR restriction on importing cryptographic
software is clearly unconstitutional, and not binding.

However, the final decision resides not in the words in the constitution, but
in the courtroom. Given the frequent abuses of the US court system, up to
and including the US Supreme Court, it is not clear that they would rule
correctly. So, from a practical standpoint (i.e., will you end up in
prison?), the answer is uncertain.

IS IT ETHICAL?

With respect to intellectual property rights and PKP, for PGP use to be
unethical one would have to believe:

o PGP does indeed infringe on a valid patent held by PKP.
o Patents are themselves an ethical means of protecting intellectual
property rights.
o The owners of PKP are not unethically being coerced into prohibiting
the use of PGP.

The first count is a matter of law, and as stated above, is not clear. If
it is proved false, however, there are no apparent ethical problems with
respect to property rights in using PGP.

The second point is one of some debate. Given that a person who invents
something based on his or her own independent effort has no right to the
fruits of their labor simply because someone else had done something similar
previously seems a weak means of delineating property. Unlike other
protections for intellectual property, such as copyrights, trade secrets,
and nondisclosure agreements, showing that the original work was not derived
from the original is not a valid defense. Thus the question of whether or
not patent law is an ethical protection of intellectual property rights is
certainly not obvious. If it indeed is not an ethical protection, and
indeed PGP was not copied from products released by PKP, there is no ethical
problem with respect to property rights in using PGP.

The third point speaks to whether or not PKP is not freely defending their
property rights, but actually being coerced by an outside force. Here there
is some circumstantial evidence that PKP is indeed being coerced.

If PKP were to lose something of value by permitting the distribution of PGP,
and assuming they have a legal and ethical right to the contents of PGP,
it would make sense for them to prevent its distribution. However, PKP has
both refused to grant license to US users of PGP *and* released a no-cost
encryption package (based on their patents) to the same audience as PGP users
(non-commercial use). If they wished the owners of PKP could offer to
license patent use rights to PGP for non-commercial use at no cost, thus
ensuring they have protected their patent. They have not.

Instead, they have placed themselves in a position where they would have to
fight a legal battle to stop PGP's use. This, of course, would be quite
expensive. Given that PKP is a business presumably to raise revenue, this
seems most counterproductive.

However, if the Federal Government has threatened in some fashion PKP or
its owners, PKP's actions would be consistent. PKP might try both a
carrot (free encryption software) and a stick (threat of a patent violations
suit) to prevent PGP's widespread use in the US.

If indeed this is the case, it is no more unethical to disregard PKP's
claims than it would be to ignore a hostage's request to provide ransom
to her captors. In fact, it might be highly ethical to do so.

CONCLUSION

Although not definite, there is clear evidence that the use of PGP within the
US may indeed be both legal and ethical. Some may try to obsfucate the
issue, or use emotional or scare tactics; but they should not take the place
of careful reasoning.

Should you use PGP? That is for you to decide. If you believe that PGP use
is both ethical and would be found legal, by all means. If you believe it
is ethical but would be found illegal (either by valid law or court error),
you use it at your own risk. It might then be prudent to not use it in a
particularly public manner unless you are willing to be unjustly punished.
If you believe it to be unethical, you will have to live with your conscience,
and suffer any legal consequences without my sympathy.

Just remember, it is you and you alone who must make the final decision.

James A. Parker
[email protected]