July 2, 2002

Zimmermann to Network Associates: Sell PGP back to me, or open-source it

Author: JT Smith

- by Bruce Tober -

Philip R. Zimmermann, author of encryption program Pretty Good Privacy, is suggesting current owner Network Associates open-source PGP's code as one alternative to the program dying on the vine at the company. "I would strongly prefer PGP be Open Source compared with the current scenario, because right now it's locked in intellectual property prison and no one can get it," he says. "Open Source would be much better."

Zimmermann says a return to open-code status is one option he could live with. His first choice
for PGP, however, would be to buy it back from Network Associates. He sold PGP in 1997, but last year, the company gave up trying to make PGP
profitable and put it up for sale. But the company hasn't been able to off-load it,
and PGP is now in limbo.

Zimmermann says he can't buy back PGP for one very simple
reason: "I don't have the money to buy it back."

PGP's status as Open Source has sometimes been confused. "It wasn't
actually Open Source," Zimmermann says. "It was published source code, for peer review. Open Source has to do with IP. Publishing source code for peer review has to do with transparency and making sure there are no back doors."

With the source code able to be modified, it might be easy for some people to think of PGP as Open Source. "You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version," Zimmermann explains. "That's the way it's always been, it's not some recent policy, it's right there in the PGP manual, from 10 years ago."

Douglas Hurd, Network Associates' senior product manager for Desktop Firewall and E-Business Server, says PGP products are in "maintenance mode." He adds: "We don't sell more. We look after existing customers until their licenses expire. I was responsible for the desktop crypto stuff as well before we rolled up the PGP business unit."

Hurd says there are "no plans to make it Open Source. I can't say
'never' as far as selling it off. And we still sell PGP in the form of
E-Business Server (the command-line version of PGP). This is a viable
offering that an Open Source policy would kill off."

Zimmermann disputes this. He explains Network Associates could open-source the software developer's kit and the GUI, "thus allowing the desktop product to be free from its prison, and omit the command-line wrapper from the OS.

"So what they could do," Zimmermann continues, "is open-source everything except
the command-line wrapper. So they're selling a product that is a
command-line product. Everybody likes to use the desktop product, which
is the SDK and the GUI. So that's what they should open-source."

This would allow Network Associates to continue to sell and make money from the command-line version, more popular with corporate techies. "End-users don't pay money," Zimmermann says. "It's the businesses with their techies who pay money and they like to have a command-line product to run in a shell script, so that a big Web site,
for example, can encrypt your credit card number. Their command-line
product is for one of those raised-floor machine rooms with a bunch of
servers and nobody around."

But Hurd has more questions: "Also, if we were Open Source, who do you think users would look to to maintain it? And how many of them would be willing to pay?"

Hurd believes "it is possible that there is a viable business model
with regards to PGP desktop encryption technology, but we haven't found
what it is. Our server-based licensing is successful, though, and we
continue to sell, support, develop in this area."

But Zimmermann thinks otherwise. "First of all, I'd like to point out
that they don't have any engineers to maintain the command-line product.
They fired all the employees in February after their attempts to sell it failed. There's no one left to maintain it."

In addition, he says, "nobody's buying it. They haven't found a
corporate buyer. And so, by sitting on it like this, and not open-sourcing it,
it kind of reminds me of the wealthy Japanese tycoons who when they died
were cremated along with their great works of art that they'd
accumulated through their lives. It does them no good to keep it the way
it is. And it does everyone else a great deal of harm."

If Zimmermann is eventually able to buy back PGP, his plan
would be to "create a mechanism whereby there would be some kind of a
dead man's switch on it. That way it could be published source code as
it always was, but not Open Source for as long as the new company continues
developing, commercializing and selling it. But, if something happens
like it goes bankrupt, or gets sold to another company that doesn't
continue to develop it, they would inherit the same responsibilities. As
soon as it becomes discontinued, then it would have to become fully Open Source.
That's what I would do, I would have an IP lawyer craft a license that
would spell out those conditions.

"Now, one would have to do that in a way that would still make it
attractive to investors in order for them to finance the thing to begin
with ... But I'm not seeing investors lining up at
the door here."

The reasons investors aren't beating a path to his door are several, he
says. "One is that the tech sector has been hit pretty hard. The crash
of the Nasdaq in November 2000 certainly had a huge impact on the
Silicon Valley's economy, and it dried up capital. And this was before
September 11. So that, probably more than anything else, has made it
difficult to raise the capital to buy the product back."

