Free for All by Peter Wayner (great books to read .txt) 📖

getting permission from me. Please respect this restriction. PGP's reputation for cryptographic integrity depends on maintaining strict quality control on PGP's cryptographic algorithms and protocols."

Zimmerman's laissez-faire attitude, however, doesn't mean that the software is available with no restrictions. A holding company named Public Key Partners controlled several fundamental patents, including the ones created by Ron Rivest, Adi Shamir, and Len Adleman. Zimmerman's PGP used this algorithm, and technically anyone using the software was infringing the patent.

While "infringing on a patent" has a certain legal gravitas, its real effects are hard to quantify. The law grants the patent holders the right to stop anyone from doing what is spelled out in the patent, but it only allows them to use a lawsuit to collect damages. In fact, patent holders can collect triple damages if they can prove that the infringers knew about the patent. These lawsuits can be quite a hassle for a big company like Microsoft, because Microsoft is selling a product and making a profit. Finding a number to multiply by three is easy to do. But the effects of the lawsuits on relatively poor, bearded peace activists who aren't making money is harder to judge. What's three times zero? The lawsuits make even less sense against some guy who's using PGP in his basement.

Still, the threat of a lawsuit was enough of a cudgel to worry Zimmerman. The costs, however, put a limit on what PKP could demand. In the end, the two parties agreed that PGP could be distributed for non-commercial use if it relied upon a toolkit known as RSAREF made by PKP's sister company, RSA Data Security. Apparently, this would encourage people to use RSAREF in their commercial products and act like some free advertising for the toolkit.

The patent lawsuit, however, was really a minor threat for Zimmerman. In 1994, the U.S. government started investigating whether Zimmerman had somehow exported encryption software by making it available on the Internet for download. While Zimmerman explicitly denounced violating the laws and took pains to keep the software inside the country, a copy leaked out. Some suggest it was through a posting on the Net that inadvertently got routed throughout the world. Was Zimmerman responsible? A branch of the U.S. Customs launched a criminal investigation in the Northern District of California to find out.

Of course, determining how the source code got out of the country was a nearly impossible exercise. Unless Zimmerman confessed or somehow kept some incriminating evidence around, the prosecutors faced a tough job painting him as a lawbreaker. The software was available for free to anyone inside the country, and that meant that everyone had at least an opportunity to break the law. There were no purchase records or registration records. No one knew who had PGP on their disk. Maybe someone carried it across the border after forgetting that the source code was on a hard disk. Maybe a foreigner deliberately came into the U.S. and carried it out. Who knows? Zimmerman says it blew across the border "like dandelion seeds blowing in the wind."

To make matters worse for the forces in the U.S. government that wanted to curtail PGP, the patent held by RSA wasn't filed abroad due to different regulations. Foreigners could use the software without care, and many did. This was the sort of nightmare that worried the parts of the U.S. intelligence-gathering branch that relied upon wholesale eavesdropping.

Eventually, the criminal investigation amounted to nothing. No indictments were announced. No trials began. Soon after the investigation ended, Zimmerman helped form a company to create commercial versions of PGP. While the free versions continue to be available today and are in widespread use among individuals, companies often turn to PGP for commercial products that come with a license from PKP. When the RSA patent expires in September 2000, the people will be free to use PGP again.[^16]

[16]: The GNU project has already worked around many of these impediments. Their Privacy Guard package (GNU PG) is released under the GNU license.

Zimmerman's experiences show how free source code turned into a real thorn in the side of the U.S. government. Businesses can be bought or at least leaned on. Merchandise needs to flow through stores and stores have to obey the law. Red tape can ruin everything. But free software that floats like dandelion seeds can't be controlled. People can give it to each other and it flows like speech. Suddenly it's not a product that's being regulated, but the free exchange of ideas between people, ideas that just happen to be crystallized as a computer program.

Of course, a bureaucracy has never met something it couldn't regulate, or at least something it couldn't try to regulate. Zimmerman's experience may have proved to some that governments are just speed bumps on the infobahn of the future, but others saw it as a challenge. Until the end of 1999, the U.S. government has tried to tighten up the restrictions on open source versions of encryption technology floating around the world. The problem was that many countries around the globe explicitly exempt open source software from the restrictions, and the United States has lobbied to tighten these loopholes.

The best place to begin this story may be in the trenches where system administrators for the U.S. government try to keep out hackers. Theo de Raadt, the leader of the OpenBSD team, likes to brag that the U.S. government uses OpenBSD on its secure internal network. The system designers probably made that choice because OpenBSD has been thoroughly audited for security holes and bugs by both the OpenBSD team and the world at large. They want the best code, and it's even free.

"They're running Network Flight Recorder," de Raadt says. "It's a super sniffing package and an intrusion detection system. They can tell you if bad traffic happens on your private little network that the firewall should have stopped. They have OpenBSD running NFR on every network. They run an IPSEC vpn back to a main network information center where they look and do traffic analysis."

That is, the departments watch for bad hackers by placing OpenBSD boxes at judicious points to scan the traffic and look for incriminating information. These boxes, of course, must remain secure. If they're compromised, they're worthless. Turning to something like OpenBSD, which has at least been audited, makes sense.

"They catch a lot of system administrators making mistakes. It's very much a proactive result. They can see that a sys admin has misconfigured a firewall," he says.

Normally, this would just be a simple happy story about the government getting a great value from an open source operating system. They paid nothing for it and got the results of a widespread, open review looking for security holes.

De Raadt lives in Canada, not the United States, and he develops OpenBSD there because the laws on the export of encryption software are much more lenient. For a time, Canada did not try to control any mass market software. Recently, it added the requirement that shrinkwrapped software receive a license, but the country seems willing to grant licenses quite liberally. Software that falls into the public domain is not restricted at all. While OpenBSD is not in the public domain, it does fit that definition as set out by the rules. The software is distributed with no restrictions or charge. By the end of 1999, senior officials realized that the stop crypt policy was generating too many ironic moments.

This is just another example of how free source software throws the traditional-instincts regulatory system for a loop. Companies sell products, and products are regulated. Public domain information, on the other hand, is speech and speech is protected, at least by the U.S. Constitution. Relying on Canada for network security of the Internet was too much.

In January 2000, the U.S. government capitulated. After relentless pressure from the computer industry, the government recognized that high-quality encryption software like OpenBSD was common throughout the world. It also recognized that the quality was so good that many within the United States imported it. The government loosened restrictions and practically eliminated them for open source software. While many people are still not happy with the new regulations, open source encryption software can now flow out of the United States. The distributors need only notify the U.S. government about where the software is available. The commercial, proprietary encryption software was not as lucky. The regulations are now substantially easier on the corporations but they still require substantial review before an export license is granted.

The difference in treatment probably did not result from any secret love for Linux or OpenBSD lurking in the hearts of the regulators in the Bureau of Export Affairs at the Department of Commerce. The regulators are probably more afraid of losing a lawsuit brought by Daniel Bernstein. In the latest decision released in May 1999, two out of three judges on an appeals panel concluded that the U.S. government's encryption regulations violated Bernstein's rights of free speech. The government argued that source code is a device not speech. The case is currently being appealed. The new regulations seem targeted to specifically address the problems the court found with the current regulations.

Encryption software is just the beginning of the travails as the government tries to decide what to do about the free exchange of source code on the Net. Taxes may be next. While people joke that they would be glad to pay 10 percent sales tax on the zero dollars they've spent on GNU software, they're missing some of the deeper philosophical issues behind taxation. Many states don't officially tax the sale of an object; they demand the money for the use of it. That means if you buy a stereo in Europe, you're still supposed to pay some "use tax" when you turn it on in a state. The states try to use this as a cudgel to demand sales tax revenue from out-of-state catalog and mail-order shops, but they haven't gotten very far. But this hasn't stopped them from trying.

What tax could be due on a piece of free software? Well, the state could simply look at the software, assign a value to it, and send the user a bill. Many states do just that with automobiles. You might have a rusted clunker, but they use the Blue Book value of a car to determine the tax for the year and each year they send a new bill. This concept proved to be so annoying to citizens of Virginia that Jim Gilmore won the election for governor with a mandate to repeal it. But just because he removed it doesn't mean that others will leave the issue alone.

If governments ever decide to try to tax free software, the community might be able to fight off the request by arguing that the tax is "paid" when the government also uses the free software. If 7 out of 100 Apache servers are located in government offices, then the government must be getting 7 percent returned as tax.

One of the most difficult problems for people is differentiating between wealth and money. The free software movement creates wealth without moving money. The easy flow of digital information makes this possible. Some folks can turn this into money by selling support or assisting others, but most of the time the wealth sits happily in the public domain.

Today, the Internet boom creates a great pool of knowledge and intellectual wealth for the entire society. Some people have managed to convert this into money by creating websites or tools and marketing them successfully, but the vast pool of intellectual wealth remains open and accessible to all. Who does this belong to? Who can tax this? Who controls it? The most forward-thinking countries will resist the urge to tax it, but how many will really be able to keep on resisting?