Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-years collection of 46,000 files from June 1996 to June 2008 (~6.7 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of,,, and, and 23,000 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.


21 May 1997: See related Exhibit "A" of PKP-Lemcom License Agreement:

20 May 1997: Add Greg Broiles message.

14 May 1997
Source: E-mail from Vin McLellan <vin[at]>


200 Page Mill Road, Second Floor
Palo Alto, California 94306
Telephone: (415) 325-8666

Attorneys for Plaintiff RSA DATA SECURITY, INC.



[Filed May 6, 1997;  CASE No. 400585]



a Delaware corporation, Plaintiff,


a Delaware corporation,
and DOES 1 through 25, inclusive,


	Plaintiff RSA DATA SECURITY, INC. alleges as follows:


	1. Plaintiff RSA Data Security Inc. ("RSA or Plaintiff") is a
Delaware corporation with its principal place of business in Redwood
City, County of San Mateo, California.  RSA is qualified to do and is
doing business in San Mateo County, California.

	2. Defendant Pretty Good Privacy, Inc. ("PGP or Defendant") is a
Delaware corporation with its principal place of business in the City of
San Mateo, San Mateo County, California.  Plaintiff is informed and
believes and thereupon alleges that PGP is qualified to do and is doing
business within San Mateo County, California.

	3. Plaintiff is ignorant of the true names and capacities of
defendants sued herein as Does 1 through 25, inclusive, and therefore sues
these defendants by such fictitious names.  These defendants, and each of
them, are, and at all times herein mentioned were, in some manner or means
responsible for the acts alleged herein in their capacities as employees,
agents or alter egos of Defendant and are sued herein and joined as
parties defendant in this action.  Plaintiff will amend this Complaint to
reflect the true identities of these defendants as soon as such identities
are known.

	4. RSA is informed and believes, and thereon alleges that all
times following the formation of PGP, each of said defendants participated
in the doing of the acts hereafter alleged, and furthermore, defendants,
and each of them, were the agents, servants, and employees of each of the
other defendants, as well as the agents of all defendants, and at all
times herein mentioned were acting within the course and scope of said
agency and employment.

	5. This action arises out of a license agreement for certain patented
technology originally entered into between Public Key Partners and Lemcom
Systems, Inc. ("Lemcom").  As more fully alleged below, Lemcom has been
merged with and has adopted the name of PGP.  As additionally alleged in
greater detail below, RSA has, by written agreement between the partners
of PKP, been granted the sole and exclusive right to monitor and enforce
the terms of the original Lemcom/PKP Agreement as regarding the patent
described below.


	6. Three Massachusetts Institute of Technology ("MIT") scientists
invented the "Cryptographic Communications System and Method," described
in U.S. Patent No. 4,405,829 (the "MIT Patent").  The technology described
in the MIT Patent was invented as a particular implementation of what is
known as public key cryptography.

	7. Public key cryptography allows parties to exchange confidential
information without ever meeting or exchanging private decoding
information.  It also allows parties to sign documents electronically in a
way that prevents electronic forgery.  Public key cryptography has gained
widespread application with the explosive growth of the Internet.

	8. In 1977, Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman
worked together at MIT.  They spent months creating their invention and
filed their application for a patent with the Patent and Trademark Office
("PTO") on December 14, 1977.  The patent was not issued until almost six
years later, on September 20, 1983.

	9. Once the MIT Patent was issued, the patent was assigned to MIT.
The inventors formed RSA, to exploit the commercial uses of their
invention. In September,1983, MIT granted to RSA an exclusive license to
the Patent.

	10. Since that time, the technology that Rivest, Shamir and Adleman
invented has become widely regarded as the most secure public key
encryption and authentication method commercially available.  In fact, in
its more secure forms, a high-speed computer could take thousands of years
to decipher a single message encrypted with the technology.  Today, public
key cryptography stands at the forefront of a communications revolution.
Rivest, Shamir and Adleman's invention provides the security that allows
this new communications industry to function and has, in fact, become the
industry standard for encryption. The RSA software which incorporates the
MIT-Patented technology is now used by almost every major software
company, including Microsoft, Netscape and Lotus.


	11. In 1991, Philip R. Zimmermann ("Zimmermann") designed software
that he called "PGP" for "Pretty Good Privacy."  The PGP software was
encryption software for the secure transmission of e-mail which used
the MIT-Patented technology.  Zimmermann made the PGP software
available as "freeware" [See footnote 1] on the Internet, permitting
anyone who cared to download the software to use it on a
non-commercial basis, free of charge and pursuant to a license which
permitted such non-commercial use.

	12. Public Key Partners ("PKP") was a general partnership formed
in 1990 for the purposes of licensing a suite of patents that covered
various aspects of public-key cryptography, including the MIT Patent.
RSA was one of the partners and Caro-Kann Corporation, a wholly-owned
subsidiary of Cylink Corporation was the other partner.

	13. Over the course of its existence, Public Key Partners granted
a number of patent licenses.  One of those patent licenses was granted to

	14. Lemcom was a Delaware corporation formed in 1976.  In 1992,
Lemcom's principal place of business was Phoenix, Arizona, and its
President was Leonard E. Mikus.  Lemcom sought to produce a "ViaCrypt"
family of security products that used a "commercial version" of the
freeware PGP, which also incorporated MIT-Patented technology.

	15. On or about November 25, 1992, Public Key Partners and Lemcom
entered into a written license agreement (the "License Agreement").  A
copy of the License Agreement is attached hereto as Exhibit "A" and is
incorporated herein by reference.  Under the terms of the License
Agreement, PKP granted Lemcom a limited license to the MIT Patent, among
other patents, in exchange for Lemcom's agreement to certain specified

	16. Lemcom's avowed purpose in seeking the License was to sell
single copies of commercial PGP software to end users.  The royalty
rate was negotiated based on this use.  In addition, the License
Agreement included certain other restrictions on Lemcom's use of the
MIT-Patented technology, which were consistent with Lemcom's intended
use. Among these restrictions was a limit on Lemcom's ability to
authorize copying of the "Licensed Products," which specifically
included cryptography software products.

	Under Section 3.3.1 of the License Agreement, Lemcom could
only authorize "End Users" to make a single copy of a product for
archival purposes.  "End users" were defined as the party who actually
utilized the Licensed Product for its intended purpose without selling
or otherwise transferring it to a third party. (2.9).

	[Footnote 2: All section numbers refer to provisions of Exhibit A.
ie: The PKP/Lemcom License Agreement.]

	Lemcom could authorize "OEM Customers" to make multiple copies
of the Licensed Products only to the extent that the sole form of
cryptography utilized in the Licensed Product was the Digital
Signature Algorithm. [See footnote 3] (3.2).

	To the extent that the Licensed Product utilized the MIT-Patented
technology, Lemcom could not authorize copying by OEM
Customers. (3.2.1).

	An "OEM Customer" was expressly defined as a party who added
significant functional enhancements to the Licensed Product by
bundling it with the OEM Customer's own products. (2.11).

	17. A further limitation on Lemcom's ability to distribute
Licensed Products to OEM Customers was set forth in Section 3.2.2.
Section 3.2.2 provided that, in the case of software Licensed
Products, Lemcom had no ability to transfer any rights to the source
code for the Licensed Product to an OEM Customer or anyone else.

	18. The License Agreement also contained marking provisions,
in particular the requirement that all products and descriptive
literature bear the applicable patent numbers and other appropriate
legends. (9)

	19. The License Agreement further specified that Lemcom could
not assign the license without PKP's prior written consent.  PKP could
withhold its consent for any reason whatsoever. (12.1).

	20. The License Agreement was explicitly terminable for, among
other things, Lemcom's breach of the no-copying provisions, the source
code transfer restrictions, and the marking provisions referenced in
the preceding paragraphs. (11.1(c)). In addition, the consent to
assignment was a material provision, the breach of which was grounds
for termination.

	21. Finally, the License Agreement provided for the arbitration of
disputes. (13.1). However, the arbitration provision expressly did not
survive termination of the License Agreement. (11.2)


	22. In March 1996, Zimmermann and the other founders incorporated
PGP, Inc. in Delaware.  PGP, Inc.'s principal place of business was in
San Mateo County and its President was Dr. Thomas Steding ("Steding").
At that time, PGP, Inc. could have sought a patent license.  It did
not. Instead, PGP, Inc. decided to acquire Lemcom.

	23. The form of the PGP/Lemcom merger effected with the Delaware
Secretary of State and the substance of the merger were completely
different.  On or about June 17, 1996, PGP, Inc. filed papers with the
Delaware Secretary of State by which PGP, Inc. changed its name to
Pretty Good Privacy, Inc. and changed its corporate structure in order
to issue 40 million shares of common stock and 13 million �shares of
preferred stock.  On or about July 1, 1997, Lemcom and Pretty Good
Privacy, Inc. filed a certificate of merger, indicating that Lemcom
was the surviving corporation of the merger.  However, the principal
place of business of the surviving corporation was given as 1072 Parma
Way, Los Altos, California -- Steding's home address.

	24. At precisely the same time as the merger, Lemcom filed a restated
certificate of incorporation by which it changed its name to Pretty Good
Privacy and changed its corporate structure in order to issue 40 million
shares of common stock and 13 million shares of preferred stock.

	25. Within days, the merged corporation named Steding as its President
and appointed PGP, Inc.'s Board of Directors to be the Directors of the
merged corporation.

	26. A press release issued on July 1, 1996, completely ignored the
technical form of the merger and announced that "PGP Acquires ViaCrypt:"

"Pretty Good Privacy, Inc. (PGP), a provider of encryption products used to
privately exchange digital information, today announced the company has
acquired Lemcom Systems, Inc., Phoenix, Ariz., effective immediately.  The
acquisition includes Lemcom's wholly owned subsidiary, ViaCrypt, which
markets commercial versions of PGP's electronic mail (e-mail) software."

	27.In addition, in an open "Letter to ViaCrypt Customers," Steding
stated that:  "Recently, Pretty Good Privacy, Inc. purchased Lemcom
Systems and its wholly-owned subsidiary, ViaCrypt."  Steding then
added, apparently forgetting that he was supposed to be the President
of a company that had been in existence for twenty years, instead of a
company that had been in existence for six months:  "This acquisition
created a unified source of PGP for the market, and gave our company a
jump-start for launch." Steding then went on to explain how the new
company would continue to support the Lemcom/ViaCrypt product line.

	28. Neither Public Key Partners nor RSA consented to Pretty
Good Privacy Inc.'s acquisition of Lemcom.


	29. Pretty Good Privacy, Inc. ("PGP") currently offers the
following software products, among others:

	(a) E-mail encryption products: PGPmail 4.5, PGPmail 4.0/Business
Edition, PGPmail 2.7.1 for Macintosh;

	(b) Disk drive security products: PGPdisk 1.0;

	(c) Modem/telephone encryption products: PGPfone 2.0

	PGP's sales literature emphasizes how its products use "Strong
Cryptography" because the products utilize "the respected RSA system
for Public Key Cryptography."  None of the product description
literature for these products sets forth the marking information
required under Section 9 of the License Agreement.

	30. PGP has announced its participation in OEM [See footnote
4] transactions. For example, on or about July 15, 1996, PGP announced
that it had entered into a transaction with FTP Software, Inc., by
which PGP licensed its encryption software to FTP for use in FTP's
suite of network applications.  The press release boasted:  "FTP
Software has made significant enhancements to the company's latest
mail technology to provide end users with an easy to use PGP e-mail
encryption implementation."

	31. FTP has not requested a patent license from Public Key
Partners or from RSA.  This despite the facts that:

	(1) the transaction involves authorization from PGP for the OEM to
make copies of licensed products; and

	(2) the transaction does not involve a PGP product that utilizes
DSA as its sole form of cryptography.

	32. In addition, in its sales and marketing literature, PGP openly
solicits other OEM transactions:

	"Pretty Good Privacy is aggressively pursuing OEM relationships
with key partners and other strategic third parties.  If you are
interested in an OEM agreement with Pretty Good Privacy, please
contact Steve Abbott. . . etc."


	33. PKP was dissolved on or about September 5, 1995 and is in
the process of winding up its business.  By an agreement dated
December 31, 1996, the two partners of PKP agreed that RSA would have
the sole authority to enforce PKP's license agreements with regard to
the MIT Patent and confirmed that RSA would have exclusive rights to
license the MIT Patent.

	34. On April 16, 1997, RSA sent formal notice to Lemcom
terminating the Lemcom License Agreement.  A copy of this notice is
attached hereto as Exhibit B and is incorporated herein by reference.

	35. On April 17, 1997, PGP, purporting to claim the rights of
Lemcom under the License, sent RSA an alleged notice to arbitrate.
That notice was defective because, among other things, it did not name
a party-arbitrator.


	36. Plaintiff incorporates by reference the allegations set
forth in paragraphs 1 through 35, above.

	37. An actual controversy has arisen and now exists between
RSA and PGP regarding their respective rights and duties in that
Plaintiff contends and Defendants deny the following:

	a.  The arbitration provisions of the License Agreement (13)
did not survive the April 16, 1997 termination of the License
Agreement, and RSA is not required to respond to the arbitration
demand delivered by PGP subsequent to the termination;

	b.   The royalty, reporting and accounting provisions of the
License Agreement (5 and 6) did survive the termination and contain
valid rights enforceable by RSA.

	38. RSA desires a judicial determination of its rights and duties
and a declaration that the license Agreement arbitration provision did
not survive termination and that the royalty, reporting and accounting
provisions did survive the termination.

	39. A judicial declaration is necessary and appropriate at
this time under the circumstances in order that Plaintiff may
ascertain its rights and duties and the rights and duties of Defendant
under the License Agreement.  A judicial declaration of such rights is
particularly important in that third parties may well be affected by
the results of such declaration.

	WHEREFORE, Plaintiff prays for relief as hereinafter set forth.


	40. Plaintiff incorporates herein by reference the allegations
of paragraphs 1 through 39, above.

	41. Paragraph 6.6 of the License Agreement provides in pertinent
part as follows:

	"LICENSEE further agrees to permit its books and records to be
examined by PKP's auditors as often as PKP deems reasonably necessary,
but not more than once a quarter, to verify the LICENSEE's compliance
with this Agreement."

	Paragraph 6.6 explicitly survived the termination of the License

	42. PKP has never demanded an audit.  On April 16, 1997, RSA
has demanded the opportunity to conduct the audit specifically
authorized by Section 6.6, and Defendants have refused.

	43. If RSA continues to be denied the opportunity to exercise
its audit and accounting rights, it will effectively be denied its
rights to receive the royalty payments to which it is entitled under
the provisions of the License Agreement which survived termination.
Other than the issuance of an injunction compelling PGP to comply with
its contract obligations, RSA does not have an effective remedy at law.

	WHEREFORE, Plaintiff prays for relief as hereinafter set forth.


	1.  For a judgement declaring the following:

	a.  That the arbitration provisions contained in Section 13 of
the License Agreement did not survive the termination of the License
Agreement;  and

	b.  That the royalties, reports, payments and accounting
provisions contained in Sections 5 and 6 of the License Agreement did
survive the termination of the License Agreement.

	2.  For a preliminary and permanent injunction compelling PGP
to comply with the provisions of Sections 5 and 6 of the License

	3. For costs of suit herein incurred;  and

	4.  For such other and further relief as the court deems just
and proper.

	DATED:  May 5, 1997.


	By: 	James R. Busselle
		Attorneys for
		RSA Data Security, Inc.


	I,  D. James Bidzos, declare:

	I am the President of RSA DATA SECURITY, INC., a
corporation organized and existing under the laws of the State of
Delaware, which is the Plaintiff in the above-entitled action, and I
have been authorized to make this verification on its behalf. I have
know the contents thereof.

	I am informed and believe that the matters stated therein are
true and on that ground I allege that the matters stated therein are
true. I declare under penalty of perjury under the laws of the State
of California that the foregoing is true and correct.

	Executed on May 5, 1997, at Redwood City, California.



- Footnotes -

[Footnote 1]: Although this software was distributed "for free" for
non�commercial use, Zimmermann solicited a $50 contribution from customers
who used the product.

[Footnote 2]: All section numbers refer to provisions of Exhibit A.
[ie: PKP/Lemcom License Agreement.]

[Footnote 3]: The Digital Signature Algorithm ("DSA") is a part of the Digital
Signature Standard ("DSS") adopted by the National Institute of Standards
and Technology as the digital authentication standard of the U.S.
Government. DSA is separate and distinct from the MIT-Patented technology.

[Footnote 4]: As used in the software industry, an "OEM" (Original Equipment
Manufacturer) is a company which takes another company's product (in this
case, PGP's encryption software) and integrates or "bundles" this product
into its own software to produce a new product.  By definition, this
process requires copying.

[End text of RSADSI Complaint against Pretty Good Privacy, Inc.]


20 May 1997

Date: Mon, 19 May 1997 21:21:59 -0700
From: Greg Broiles <>
Subject: RSA v PGP lawsuit

I drove down to the courthouse in Redwood City today and took a look 
at the court file for RSA v PGP. The complaint is already online at
<>; there are two exhibits which accompany the
complaint in the file, Exhibit A is a 30-page patent license agreement
(which I didn't bother to have copied at $.75/page), the second is Exhibit
B, a letter from RSA's attorneys to Leonard Mikus of Lemcom Systems dated
4/16/97, which describes the basics of the dispute between RSA and PGP. I
copied the letter and have placed it online at

The lawsuit itself is not for monetary damages, but for declaratory and
injunctive relief - RSA is asking the court to declare that the license
agreement's provision regarding arbitration did not survive the termination
of the license; that the royalty, payment, and accounting provisions of the
license agreement did survive its termination; and for an injunction
ordering PGP to comply with the agreement's terms for paying royalties and
accounting for sales.

What I find interesting is what is not included in the suit - a claim for
patent infringement. (Such a claim can only be filed in federal court, and
this suit was filed - at the plaintiff's choice - in San Mateo County
Superior Court, a California state court.) 

The letter identifies several areas of disagreement between the parties:

1. RSA believes it had the right to approve or reject the PGP/Lemcom merger

2. RSA says that PGP has licensed the patent to OEM customers, in violation
   of the license agreement

3. RSA says that PGP has licensed certain source code to some customers, in
   violation of the license agreement

4. RSA says that Lemcom has not made a royalty payment since the third
quarter of 1996. (But I'm sure I saw something - in the media? - where PGP
says they've been making royalty payments.)

And the letter says that RSA is immediately terminating PGP's license to
use/make software including the RSA public-key algorithm because of those

PGP hadn't filed a response yet - they'll have 30 days to do so from the
date of service, and I think they were served with the suit somewhere
around the 10th of May. (There was a proof of service document in the file,
but I didn't bother having it copied.) 
Greg Broiles                | US crypto export control policy in a nutshell:         | | Export jobs, not crypto.