Zimmermann trying to retrieve rights to PGP from ViaCrypt

Crypto rebel who escaped prosecution may be set to start new legal challenge

Mark Voorhees
Information Law Alert

May 17, 1996

Phil Zimmermann, the programmer who wrote Pretty Good Privacy (PGP) and escaped prosecution earlier this year in connection with the export of that software, is in the middle of a new legal challenge: how to secure the commercial rights to his program.

His legal troubles behind him, Zimmermann is now hard at work trying to capitalize on his popular program by forming a company to sell it. There's only one hitch. Zimmermann may have to buy back or invalidate a license he gave to another company to sell PGP.

Zimmermann wrote PGP, which encrypts email messages, in 1991 and distributed it as freeware. It quickly became a brand name among privacy activists and computer hackers, and even developed a small dedicated following in corporate America.

In 1993 he licensed the code to ViaCrypt [ http://www.viacrypt.com/ ], a small Phoenix company, to create a commercial version. At about the same time, the federal government started a three-year investigation into how PGP, which is so powerful that it is a tightly regulated munition in need of export licenses, found its way onto computer sites overseas.

The threat of prosecution did not recede until January when a federal prosecutor told Zimmermann's lawyer that his client would not be indicted. During the three-year investigation, Zimmermann acquired cult status in the online community as a warrior in the fight to protect privacy and to keep the spy community at bay.

Free from his legal hassles, Zimmermann has wasted little time in trying to capitalize on the popularity of his program. Late in April he announced the formation of PGP, Inc., which he said would market PGP and PGPfone [ http://web.mit.edu/network/pgpfone ], a voice encryption product. The company will be based in the San Francisco area, requiring Zimmermann to relocate from Boulder, Colorado. He's lined up partners: Dan Lynch, one of the cofounders of CyberCash and a respected Internet personality; publisher and entrepreneur Jonathan Seybold; and Tom Steding, a former Novell executive who will serve as president, among them. And he's reportedly raised somewhere between $5 million and $10 million.

Road block

ViaCrypt, however, stands in the way. Zimmermann "has given us marketing exclusivity in the United States and Canada for PGP and all future enhancements," says Leonard Mikus, the company's president.

If Mikus is correct, Zimmermann cannot sell PGP without violating the terms of their 1993 agreement, a contention that Zimmermann disputes. Mikus says his company is in discussions with Zimmermann about their disagreement but won't reveal details. "There is a lot going on behind the scenes that I can't talk about," Mikus says.

Zimmermann confirms that the two sides are in discussions but won't elaborate other than to say that PGP, Inc.'s products will contain new code not derived from his original product.

Sell or get sued

People who have spoken recently to those involved with PGP, Inc., say the discussions involve a possible buyout of ViaCrypt's rights to PGP. If those discussions break down, Zimmermann reportedly is prepared to go to court to challenge ViaCrypt's interpretation of the license and its use of the PGP trademark.

Zimmermann has publicly been highly critical of ViaCrypt's creation of a business version of PGP that allows employers to read the messages of their employees at will. This capability violates the spirit and possibly the trademark of PGP, according to Zimmermann. "I have a right to protect against him putting the name 'PGP' on something with a backdoor in it."

Like other public key cryptography systems, PGP relies on two keys that are mathematically related. A user who wants to send a private message uses the recipient's public key to scramble a message, and the recipient uses his or her corresponding private key to unscramble it. The private key cannot be derived from the public key.

ViaCrypt's business version of PGP relies on a corporate access key that allows the company to unscramble all messages its employees are delivering. Mikus says this capability is needed because companies worry about being able to unscramble messages and documents of employees who may have died, moved, or lost their key.

Zimmermann says that while corporations need to have ways to unlock messages when their employees are unavailable, ViaCrypt picked the wrong solution. "Your employer has your key, plain and simple," Zimmermann says. "It's a real bad way of trying to solve the problem."

There is a wide level of disagreement among companies about the level of privacy the email communications of their employees should enjoy. According to a recent article in The New York Times, some companies, like Intel, have policies setting forth that employees' messages can be monitored. Others, like Apple, keep a distance.

Because neither side will reveal the nature of their discussions, it's impossible to know how talks are proceeding. But one reliable theory is that Zimmermann's side has essentially offered a sell-or-be-sued proposition. If ViaCrypt returns the rights to PGP for a fee, the sides will part amicably. Otherwise, Zimmermann will spend the money that he has offered to ViaCrypt on the initiation of a suit.

Bite?

Will Mikus take the bait? The answer probably turns on three points: Mikus's perception of the future of PGP; his confidence in the original 1993 agreement; and his willingness to take on a popular, nearly mythic figure in court.

After two years of slow sales, ViaCrypt is starting to show some success with its sales of PGP. Mikus says sales have tripled over the past year and that they number in the "tens of thousands." Much of the recent success, he says, comes from the business edition despised by Zimmermann.

Mikus says the 1993 agreement gives ViaCrypt wide latitude to conduct its business. ViaCrypt relied on Brown & Bain, a highly regarded firm in the technology area, so presumably the agreement doesn't have any glaring omissions. "We believe we have good exclusivity. The question is how good is good," Mikus said.

Whether ViaCrypt or Zimmermann ends up with control of PGP or control remains split, the real competitor will be RSA Data Security [ http://www.rsa.com/ ], which has become the brand name in cryptographic solutions. RSA recently agreed to be acquired by Security Dynamics Technology in a stock transaction valued at more than $300 million at current market prices.

Zimmermann and Jim Bidzos, RSA's president, were at odds years ago over Zimmermann's use of patented technology in the freeware version of PGP. In the book PGP, author Simson Garfinkel [ http://personal.vineyard.net/simsong/index.html ] quotes Bidzos as saying Zimmermann was an "intellectual property thief."

The patent problem for the freeware, noncommercial version of PGP was eventually resolved through a deal brokered by computer security experts at Massachusetts Institute of Technology, where the freeware version is now available [ http://web.mit.edu/network/pgp.html ].

To this day, however, there is no love lost between Bidzos and Zimmermann.

If there is any brand name capable of competing with RSA, it may be PGP. The freeware program has become an international phenomenon, largely through the volunteer efforts of Zimmermann and other programmers.

"Imagine what it can do with a company behind it," says Zimmermann.

Copyright 1996