The first two primary players are MIT, which distributes the "free" version of PGP, and Phil Zimmermann who holds the copyright to PGP.
Here follows the text of an email which Hal Abelson of MIT sent to me regarding this "commercial use" question. Note, Hal here is not speaking as an official spokesman for MIT, but is stating his understanding of the situation (This was in late 1995).
As far as the MIT definition of "commercial use", here is the standard answer I give people when they ask: MIT imposes no restrictions on "commerical use" other than what derives from the RSAREF license, and from Zimmermann's copyright on PGP. Zimmermann's restrictions, in turn, derive from his agreement with Ascom AG (which licenses the IDEA algorithm) and from an agreement he signed with Viacrypt, giving them exclusive commercial rights to PGP. RSADSI's interpretation of "commercial use" is using RSAREF in a commerical product. They specifically permit using RSAREF within a commerical facility, so long as you don't sell RSAREF, or use it to provide a service for which you charge. Ascom's interpretation of "commerical use" includes using PGP (which uses IDEA) to provide a service. E.g., a bank communicating securely with its customers would be commerical use under their interpretation. Viacrypt has the most extensive definition of commercial use (which is understandable, since they are selling PGP). They may claim that any use of PGP in a commercial establishment is commercial use. It's unclear, though, what implications this has, since their agreement is with Zimmermann, and does not involve MIT. If you are worried about this, I suggest that you simply buy a copy of PGP from Viacrypt. The cost of a few copies of Viacrypt PGP will be considerably less than the value of the time that would be spent by your lawyer thinking about these issues.
His position in the documentation is clear regarding commercial use for those who can purchase PGP from Viacrypt. He has entered into an agreement with Viacrypt under which they are the ones who are to handle all commercial use sales. However, under the ITAR regulations, they are not allowed to sell to anyone who is not either a US citizen, a US "Green Card" holder, or a Canadian citizen. It has been reported that his attitude toward other commercial users is that he is willing to let them use PGP without any fee, as long as noone else (Ascom, RSADSI,...) makes money off that use of PGP. His response to IDEA's current current position is unknown.
Note that the previous versions of PGP (2.3a being the last) were released by Zimmerman, and by the international consortium who enhanced PGP1.0 to PGP2.3, with the GNU Copyleft copyright restrictions. These do not restrict the use of PGP to non-commercial use. Version 2.3a is not compatable with the MIT versions, due to restrictions placed in the MIT versions at the instance of RSADSI. However, a version of the 2.3a code, 2.6ui, was released in the UK by mathewihttp://www.domino.org/~meta. This is compatable with the MIT versions, and is still under the "Copyleft" agreement which does not restrict commercial use except possibly under the IDEA license. It however does not benefit from the work done on the MIT release. mathew advises the use of the International 2.6.3i version and no longer supports 2.6ui nor provides a source for getting it. Tony Lezard has released a version of 2.6ui, called PGP2.62ui, in which he has tried to included the new features of the MIT/Zimmermann 2.6.2 version.
In March, 1996, Zimmermann formed a company PGP, Inc. to further the commercial developement of PGP. After some apparently accrimonious discussions with Viacrypt regarding the commercial status of PGP, PGP, Inc aquired Lemcom Systems the owner of Viacrypt. The impact that this will have on the question of commercial use is still to be clarified as of Dec 27,1996.
>What is your definition of "commercial use"? Personal use is defined as "private, personal" (ie..sending encrypted messages to your Aunt Tilda in Kansas) ViaCrypt PGP can be used for Personal as well as commercial. ViaCrypt PGP is the FULLY licensed version. Commercial use includes ALL else; consultant, one person business, mom-n-pop store, Fortune 100 company, University personnel usage, research, local, state and federal government, development.On further query he claimed that "non-commercial use" was defined in the MIT license and the Viacrypt license. This is true of neither of these licenses. Since the restriction on use of free PGP arises out of Zimmermann's agreement with ViaCrypt, and since I am not privy to that agreement, I cannot tell whose interpretation comes nearest the terms of that agreement. This is a question which will have to be left to Zimmermann to resolve. This question is of course of relevance only to those to whom Viacrypt could sell a copy of their program. Thus it is irrelevant to all non US or non Canadian citizens.
The status of ViaCrypt, and the commercial licensing of PGP are at present somewhat uncertain because, as mentioned above, ViaCrypt has been purchased by PGP, Inc., a company which was set up by Phil Zimmermann in March 1996. This holds promise that the definition of "commercial use" will be clarified in the near future.
Contact for Viacrypt:
IDEA was patented by Ascom Tech of Switzerland in the USA, Japan and in Europe. Ascom has recently (Jan 1996) decided that they want a license fee for the commercial use of PGP from those who did not purchase PGP through Viacrypt. Their policy is now (Dec 96) almost as restrictive as ViaCrypt's was reported to be. This is a drastic change on thier previous postion where they claimes to me that "commercial use" meant use in a commercial environment. University use was "non-commercial". Now say that
Use other than for commercial purposes is strictly limited to non-revenue generating data transfer between individuals. The use by government agencies, non-profil organisations, etc. is considered as use for commercial purposes but may be subject to special conditions.See their detailed license conditions at the Ascom's Licensing Policy for the IDEA Algorithm page
The license fee is ranges from $15 each for single purchases, to $6 each
in lots of greater than 500. This is sufficienly small that it is not worth
fighting over. Note that it is not clear what the status is for commercial
users who live in countries in which IDEA is not patented, but it would seem
that Ascom Systec has no rights to demand a license in those countries. It has been
suggested that a future version of PGP might use Triple DES or some
other public domain cypher instead of IDEA to get around this problem.
That would of course make it incompatible with current versions.
The Ascom Systec IDEA licensing information can be read at
http://www.ascom.ch/Web/systec/policy/normal/htmlcontent.html
or by contacting them at
I have tried to contact RSADSI to clarify their position regarding their definition of "non-commercial purposes" in their license for the RSAREF 1.0 subroutines used in PGP 2.6.x. The situation is complicated by the fact that PGP uses RSAREF 1.0 while their current version is 2.0. The license under 2.0 appears to conform with Hal Abelson's statements above. However, in their interpretation of 1.0 issued when they released RSAREF 1.0, the terms were more strict. To quote from the preamble to the license originally packaged with RSAREF 1.0
The license at the end of this note gives legal terms and conditions. Here's the layman's interpretation, for information only and with no legal weight: 1. You can use RSAREF in personal, non-commercial applications, as long as you follow the interface described in the RSAREF documentation. You can't use RSAREF in any commercial (moneymaking) manner of any type, nor can you use it to provide services of any kind to any other party. For information on commercial licenses of RSAREF-compatible products, please contact RSA Data Security. (Special arrangements are available for educational institutions and non-profit organizations.)On the other hand, the license itself simply says:
2. LIMITATIONS ON LICENSE. ... b. The Program and all Application Programs are to be used only for non-commercial purposes. However, media costs associated with the distribution of the Program or Application Programs may be recovered.which can be argued to be not nearly as restrictive as their interpretation. Note that since it is their license, one could argue that any restrictive definition of "non-commercial" should have been incorporated into the license. I am still waiting to find out what their current interpretation of the RSAREF 1.0 license is.
In any case, RSA is patented only in the USA, and for commercial users in the USA, Zimmermann already demands that they purchase the Viacrypt version of PGP. Viacrypt has a license from RSADSI for selling products for commercial and non-commercial use of RSA.
For commercial users outside the USA, RSADSI has copyright to the RSAREF1.0 code used in the MIT version of PGP. Thus I would advise that such users use the i or International version of PGP, which contains the original code for RSA written by Zimmermann and which is thus independent of RSADSI.
For information regarding licensing of RSA products,