EDITORIAL

Putting the Genie Back in the Bottle

What had all the earmarks of a major-league food fight sure didn't take long to dry up and blow away. Triggering the flap was an Internet posting of source code that implemented the RC4 algorithm, an act that knocked on all kinds of legal doors--trade secrets, Internet-host liabilities, reverse engineering, shrink-wrap licensing, export control. You name it.

The problem is that RC4, the block-cipher encryption algorithm at the heart of RSA Data Security cryptography, is protected as a trade secret. But some on the net say the online posting let the genie out of the bottle--RC4 was made public and available for anyone to use, RSA's claims notwithstanding. RSA counters that the company used trade-secret law simply to protect its intellectual property, that there's never really been any "secret" about the algorithm. Anyone willing to sign a nondisclosure agreement acknowledging RC4's trade-secret status could have ready access to the reference and source code. Among companies which have licensed RC4-based tools from RSA are Microsoft, Novell, Apple, and Lotus, all of which distribute RC4-based binary files in shrink-wrapped applications.

You can imagine the furor when an unidentified person (or persons) used an anonymous remailer to post worldwide--first to a cryptographer mailing list, then to a newsgroup--source code that was supposedly RC4. Subsequent testing by programmers and cryptographers confirmed that the code was indeed compatible with "real" RSA RC4 code. RSA Data Security responded by calling in everyone from the U.S. Customs Service to the Federal Bureau of Investigation. In a strongly worded warning on the net, RSA said it considered the posting "a violation of law...[and]...a gross abuse of the Internet."
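The "testing" the editorial refers to is, in practice, a compatibility check: run a candidate implementation against inputs whose outputs from the reference are already known and compare byte for byte. The block below is an added example written for this edit, not code from the editorial or from RSA Data Security. It implements the now widely published RC4 key schedule and keystream generator and checks it against three commonly cited RC4 test vectors (key "Key" with plaintext "Plaintext", key "Wiki" with "pedia", and key "Secret" with "Attack at dawn"); the function names are my own.

```python
# Added example: RC4 key schedule and keystream generator, checked against
# published test vectors. This is an interoperability check, the kind of test
# that establishes that an independently obtained implementation matches a
# reference. Not code from the editorial or from RSA Data Security.


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry permutation S from the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be between 1 and 256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Pseudo-random generation: emit n keystream bytes for the given key."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric): XOR data with keystream."""
    keystream = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


# Widely published RC4 test vectors: (key, plaintext, expected ciphertext hex).
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def check_test_vectors() -> bool:
    """Return True only if every vector encrypts and round-trips as expected."""
    for key, plaintext, expected_hex in TEST_VECTORS:
        ciphertext = rc4_crypt(key, plaintext)
        if ciphertext.hex() != expected_hex:
            return False
        # Decrypting with the same key must recover the original bytes.
        if rc4_crypt(key, ciphertext) != plaintext:
            return False
    return True


if __name__ == "__main__":
    print("all RC4 test vectors match" if check_test_vectors() else "MISMATCH")
```

Matching a handful of published vectors is what "compatible" meant in 1995; it says nothing about the strength of the cipher, only that two implementations agree. The same harness, with the vectors swapped, is how a practitioner today confirms that any symmetric primitive was ported correctly before trusting it in a system.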

If the person(s) who posted the source code had in fact signed an RSA nondisclosure agreement, the issue seems pretty clear-cut. They broke the law, not to mention RSA's trust. If, as some claim and RSA disputes, the code was reverse engineered from object files in off-the-shelf software, then the law was probably broken--unless RSA and other vendors decide to test the strength of highly questionable and likely unenforceable shrink-wrap licenses that try to prohibit disassembly/decompilation. Of course, it just might be that some cryptographer derived the algorithm after examining the key, plaintext, and encrypted text. And there's even the chance, albeit unlikely, that a dumpster diver ran across discarded copies of the code in RSA's corporate wastebasket.

Questions concerning the legal status of copyrighted material that's made freely available (illicitly or otherwise) on the Internet also have to be tackled. Can Internet hosts be held accountable for anonymous postings of protected material? And don't forget, RC4 isn't just any software--it's encryption software. Is posting such software online worldwide the same as exporting it? If so, the State Department might have a thing or two to say. The end result is that RC4 code is available on ftp sites worldwide, ready and waiting for you to use it. But if you grab it off the net, can you use it without RSA's permission? For the time being, the answer probably depends on which lawyer you ask.

Speculation aside, the RC4 controversy explains why many developers are protecting their intellectual property with patents instead of copyrights. Gray areas like RC4 would be black and white if RC4 had been patented. But then patenting would also mean that RC4 would have been public in the first place.

The immediate impact may be on RC5, the next-generation version of RC4, which Ron Rivest describes in this issue. In part because of the RC4 controversy, Ron and RSA Data Security are considering patenting RC5, a departure from their original plans. At one point, RC5 code and reference was to be distributed free of charge for noncommercial use. Small businesses could license the material for $500, and large businesses, for $1000. All proceeds were to go to RSA Labs--not RSA's bottom line--to fund further R&D. This could still happen even if RSA patents RC5, but the licensing fees would be higher to offset the patent costs.

Likewise, there could be some repercussions in terms of exporting RC4-based systems. For the past couple of years, vendors have been allowed to export software that uses RC4 short-key encryption. The State Department could change this since RC4 is no longer secret.

As for the multitude of legal questions, nothing concrete will immediately come of the RC4 brouhaha, unless those responsible for posting the code are identified. Existing RC4-based systems weren't compromised and may have benefited, since we can now see that system backdoors don't exist.

What we're left with are more questions, fewer answers, and the suspicion that one of these days a big shoe is going to fall on software and intellectual-property rights--one that won't make anyone completely happy.

Cursor Sine Termino

Gee, could it really have been 20 years ago that the MITS Altair first appeared on the cover of Popular Electronics, ushering in what we like to now call the "personal-computer revolution"? And have 20 years passed since Dennis Allison, Bob Albrecht, and folks at the People's Computer Company put out the first issue of Dr. Dobb's Journal of Computer Calisthenics & Orthodontia: Running Light Without Overbyte? It sure looks like it. If nothing else, the past two decades have proved that time sure flies when you're having fun. (Of course, some in the PC industry have had more fun than others--just ask Bill Gates.)

In any event, it is with this issue that Dr. Dobb's Journal launches into its 20th year of publication, a remarkable accomplishment for any magazine and particularly so for a computer publication. I'd like to say thanks to Dennis, Bob, and the other pioneers who had the vision to see that something truly important was on the horizon and the spirit to do something about it. But more so, I'd like to thank all of you readers who have supported Dr. Dobb's Journal over the years--we wouldn't be here without you.

Coincidentally, Jim Warren, DDJ's first editor, was recently awarded the Hugh M. Hefner First Amendment Award for his work in using computers for online advocacy and network-assisted citizen action. In particular, Jim organized a grass-roots campaign to provide a low-cost, computerized public-information system for the citizens of California.

Join us in celebrating both this 20th anniversary issue and congratulating Jim. Here's to the next 20 years.

Jonathan Erickson

editor-in-chief


Copyright © 1995, Dr. Dobb's Journal