PGP Commercial Use

All of the licenses for PGP, whether from Zimmermann, MIT, RSA or IDEA, state that the free PGP is for non-commercial use. Unfortunately, none of them actually defines what it means by commercial use. Phil Zimmermann has signed an agreement with Viacrypt for them to handle the commercial use of PGP. However, due to the ITAR regulations, they are allowed to sell only to US citizens or green card holders resident in the USA, or to Canadian citizens (not Permanent Residents of Canada) residing in Canada. What a commercial user who does not fall into these categories should do is unclear from the documentation. This page will attempt to clarify this issue.

The first two primary players are MIT, which distributes the "free" version of PGP, and Phil Zimmermann who holds the copyright to PGP.


MIT

Here follows the text of an email which Hal Abelson of MIT sent to me regarding this "commercial use" question. Note, Hal here is not speaking as an official spokesman for MIT, but is stating his understanding of the situation (This was in late 1995).

As far as the MIT definition of "commercial use", here is the standard
answer I give people when they ask:

    MIT imposes no restrictions on "commercial use" other than what
    derives from the RSAREF license, and from Zimmermann's copyright on
    PGP.  Zimmermann's restrictions, in turn, derive from his agreement
    with Ascom AG (which licenses the IDEA algorithm) and from an
    agreement he signed with Viacrypt, giving them exclusive commercial
    rights to PGP.

    RSADSI's interpretation of "commercial use" is using RSAREF in a
    commercial product.  They specifically permit using RSAREF within a
    commercial facility, so long as you don't sell RSAREF, or use it to
    provide a service for which you charge.

    Ascom's interpretation of "commercial use" includes using PGP (which
    uses IDEA) to provide a service.  E.g., a bank communicating securely
    with its customers would be commercial use under their interpretation.

    Viacrypt has the most extensive definition of commercial use (which is
    understandable, since they are selling PGP).  They may claim that any
    use of PGP in a commercial establishment is commercial use.  It's
    unclear, though, what implications this has, since their agreement is
    with Zimmermann, and does not involve MIT.

    If you are worried about this, I suggest that you simply buy a copy of
    PGP from Viacrypt.  The cost of a few copies of Viacrypt PGP will be
    considerably less than the value of the time that would be spent by
    your lawyer thinking about these issues.


Phil Zimmermann

His position in the documentation is clear regarding commercial use for those who can purchase PGP from Viacrypt. He has entered into an agreement with Viacrypt under which they are the ones who are to handle all commercial use sales. However, under the ITAR regulations, they are not allowed to sell to anyone who is not either a US citizen, a US "Green Card" holder, or a Canadian citizen. It has been reported that his attitude toward other commercial users is that he is willing to let them use PGP without any fee, as long as no one else (Ascom, RSADSI,...) makes money off that use of PGP. His response to IDEA's current position is unknown.

Note that the previous versions of PGP (2.3a being the last) were released by Zimmermann, and by the international consortium who enhanced PGP1.0 to PGP2.3, with the GNU Copyleft copyright restrictions. These do not restrict the use of PGP to non-commercial use. Version 2.3a is not compatible with the MIT versions, due to restrictions placed in the MIT versions at the instance of RSADSI. However, a version of the 2.3a code, 2.6ui, was released in the UK by mathew (http://www.domino.org/~meta). This is compatible with the MIT versions, and is still under the "Copyleft" agreement, which does not restrict commercial use except possibly under the IDEA license. It does not, however, benefit from the work done on the MIT release. mathew advises the use of the International 2.6.3i version and no longer supports 2.6ui nor provides a source for getting it. Tony Lezard has released a version of 2.6ui, called PGP2.62ui, in which he has tried to include the new features of the MIT/Zimmermann 2.6.2 version.

In March, 1996, Zimmermann formed a company, PGP, Inc., to further the commercial development of PGP. After some apparently acrimonious discussions with Viacrypt regarding the commercial status of PGP, PGP, Inc. acquired Lemcom Systems, the owner of Viacrypt. The impact that this will have on the question of commercial use is still to be clarified as of Dec 27, 1996.


Note: The agreement of any person obtaining the "free" PGP, whether from MIT or the international versions is primarily with the above two organisations. Thus your agreement re the definition of "non-commercial use" is the interpretation that you give to the terms in the licenses of MIT and Zimmermann. However, in order to give some guidance I have also tried to determine from the other actors involved in PGP what their interpretation of the term means. Since in each case they have a financial interest in narrowing the definition as much as possible, it may not be surprising that their definitions may diverge.


ViaCrypt

The sole company in the world licensed by Zimmermann to sell a version of PGP for commercial use is ViaCrypt. It obtained the right to grant a commercial use license from RSADSI for RSA used in their products, apparently without the latter realising that it would be used for PGP. It also obtained the right to grant a commercial license for the use of IDEA in their products. However, its version has two disadvantages. It can be sold (because of ITAR) only to US citizens and green card holders resident in the USA, or Canadian citizens resident in Canada. Furthermore, it is sold without source code. Some find this disturbing, as one cannot check the code to ensure that no "backdoors" have been placed into it. However, Zimmermann has apparently OKayed this version. I have been in contact with Viacrypt, and their understanding of the term "non-commercial use" is by far the most restrictive of any of the players. They appear to hold that "non-commercial use" means only personal use. To quote from a letter by Eric Nesson, National Sales Manager for ViaCrypt:

    >What is your definition of "commercial use"?
    Personal use is defined as "private, personal" (ie..sending encrypted
    messages to your Aunt Tilda in Kansas)

    ViaCrypt PGP can be used for Personal as well as commercial. ViaCrypt PGP
    is the FULLY licensed version.  Commercial use includes ALL else;
    consultant, one person business, mom-n-pop store, Fortune 100 company,
    University personnel usage, research, local, state and federal government,
    development.

On further query he claimed that "non-commercial use" was defined in the MIT license and the Viacrypt license. This is true of neither of these licenses. Since the restriction on use of free PGP arises out of Zimmermann's agreement with ViaCrypt, and since I am not privy to that agreement, I cannot tell whose interpretation comes nearest the terms of that agreement. This is a question which will have to be left to Zimmermann to resolve. This question is of course of relevance only to those to whom Viacrypt could sell a copy of their program. Thus it is irrelevant to all non US or non Canadian citizens.

The status of ViaCrypt, and the commercial licensing of PGP are at present somewhat uncertain because, as mentioned above, ViaCrypt has been purchased by PGP, Inc., a company which was set up by Phil Zimmermann in March 1996. This holds promise that the definition of "commercial use" will be clarified in the near future.

Contact for Viacrypt:


IDEA

IDEA was patented by Ascom Tech of Switzerland in the USA, Japan and in Europe. Ascom has recently (Jan 1996) decided that they want a license fee for the commercial use of PGP from those who did not purchase PGP through Viacrypt. Their policy is now (Dec 96) almost as restrictive as ViaCrypt's was reported to be. This is a drastic change from their previous position, in which they claimed to me that "commercial use" meant use in a commercial environment and that University use was "non-commercial". They now say that

    Use other than for commercial purposes is strictly limited to
    non-revenue generating data transfer between individuals. The use by
    government agencies, non-profit organisations, etc. is considered as use
    for commercial purposes but may be subject to special conditions.

See their detailed license conditions at Ascom's Licensing Policy for the IDEA Algorithm page.

The license fee ranges from $15 each for single purchases, to $6 each in lots of greater than 500. This is sufficiently small that it is not worth fighting over. Note that it is not clear what the status is for commercial users who live in countries in which IDEA is not patented, but it would seem that Ascom Systec has no rights to demand a license in those countries. It has been suggested that a future version of PGP might use Triple DES or some other public domain cypher instead of IDEA to get around this problem. That would of course make it incompatible with current versions. The Ascom Systec IDEA licensing information can be read at
http://www.ascom.ch/Web/systec/policy/normal/htmlcontent.html

or by contacting them at


RSA Data Security Inc.

I have tried to contact RSADSI to clarify their position regarding their definition of "non-commercial purposes" in their license for the RSAREF 1.0 subroutines used in PGP 2.6.x. The situation is complicated by the fact that PGP uses RSAREF 1.0 while their current version is 2.0. The license under 2.0 appears to conform with Hal Abelson's statements above. However, in the interpretation of 1.0 that they issued when they released RSAREF 1.0, the terms were more strict. To quote from the preamble to the license originally packaged with RSAREF 1.0:

The license at the end of this note gives legal terms and conditions.
Here's the layman's interpretation, for information only and with no
legal weight:

     1.   You can use RSAREF in personal, non-commercial applications,
          as long as you follow the interface described in the RSAREF
          documentation. You can't use RSAREF in any commercial
          (moneymaking) manner of any type, nor can you use it to
          provide services of any kind to any other party. For
          information on commercial licenses of RSAREF-compatible
          products, please contact RSA Data Security. (Special
          arrangements are available for educational institutions and
          non-profit organizations.)

On the other hand, the license itself simply says:

2.   LIMITATIONS ON LICENSE.

 ...
     b.   The Program and all Application Programs are to be used only
          for non-commercial purposes. However, media costs associated
          with the distribution of the Program or Application Programs
          may be recovered.
 
which can be argued to be not nearly as restrictive as their interpretation. Note that since it is their license, one could argue that any restrictive definition of "non-commercial" should have been incorporated into the license. I am still waiting to find out what their current interpretation of the RSAREF 1.0 license is.

In any case, RSA is patented only in the USA, and for commercial users in the USA, Zimmermann already demands that they purchase the Viacrypt version of PGP. Viacrypt has a license from RSADSI for selling products for commercial and non-commercial use of RSA.

For commercial users outside the USA, RSADSI has copyright to the RSAREF 1.0 code used in the MIT version of PGP. Thus I would advise that such users use the i or International version of PGP, which contains the original code for RSA written by Zimmermann and which is thus independent of RSADSI.

For information regarding licensing of RSA products,