Is It Legal to Use PGP?
by Tim O’Connor
Possession and use of PGP versions 2.6 and higher, as distributed by the Massachusetts Institute of Technology, are now legal in the U.S.
Early PGP versions included the RSA encryption algorithm, which is a product patented by MIT and licensed to a private company, RSA Data Security, Inc. (RSADSI). Because PGP’s author, Phil Zimmermann, included RSA encryption in PGP without RSADSI’s permission, the software was technically illegal to use in the U.S., because it infringed on the RSA patent.
In 1994, MIT arranged for free use of the RSA module in PGP for noncommercial purposes in the U.S. The result is that PGP versions 2.6 and later may be freely used for noncommercial purposes. (The current PGP release is version 2.6.2.) For profit-making organizations, Viacrypt sells a commercial version of PGP. (Viacrypt can be reached by e-mail at email@example.com.)
However, there is another hurdle to using PGP.
Due to strict U.S. export laws, none of these products may be exported from the U.S., because they are legally classified as munitions. Zimmermann himself lived for several years under threat of indictment for having exported PGP from the United States via the Internet. He takes full credit for writing the software, but denies ever having exported it. Indeed, even the official MIT versions typically appear on overseas host computers within hours of their release from the MIT site. The case against Zimmermann was finally dismissed in January 1996, when the Justice Department chose not to indict the programmer.
In addition to the U.S. export ban, some countries have made it illegal to use or possess encryption software — including PGP — unless the user first surrenders a copy of the secret key to the government. At the beginning of 1996, this was the situation in France, Russia, and Belgium.
As of early 1996, PGP ownership and use is still legal in the U.S. However, federal officials have suggested that they may consider pushing for a law that would require users of encryption products like PGP to register their secret keys with a federal agency, so that law-enforcement authorities can gain access to encrypted information in the course of a criminal investigation. Privacy advocates vow to fight any such legislation.
Tim O’Connor home page