Axolotl and Proteus

When we decided to implement full end-to-end encryption at Wire we looked around and decided on the Axolotl protocol — with certain custom-developed extensions to allow for full syncing between multiple devices.
 
At the time, we reached out to Moxie Marlinspike to ask if he would like to cooperate in helping us to review our own implementation. He declined, telling us instead to take a “license” for USD 2.5M (binaries only).

Our independent implementation of the Axolotl protocol in Rust commenced in January 2015. It has been arduous, mostly due to a lack of documentation, where the primary references for our implementation have been the Axolotl specification, the paper “How Secure is TextSecure”, as well as a multitude of blog posts from Open Whisper Systems — OWS [1, 2, 3, 4]. Like everyone else in the cryptographic community, our team obviously had access to OWS’ GPL’d Java reference implementation online.

Here’s the conundrum: Moxie et al. have publicly stated that they want wide adoption of the Axolotl protocol — but if you do an independent implementation, using the published reference documentation and background knowledge from having seen their code online, you can be accused of copyright infringement and asked to pay a “license fee.”
 
The risk of being wrongly accused of infringement is of particular concern in this situation because implementing the protocol has certain defined steps that obviously must be the same, irrespective of the programming language used, making it easy to claim infringement based on the resulting similarities — and, like any negative, difficult to disprove. This puts developers in an impossible situation when they independently implement an idea — even though this is precisely what copyright laws are intended to encourage, not prohibit.
 
And so it happened. When we launched Proteus-based end-to-end encryption, Moxie contacted us. He claimed that we had copied his work and demanded that we either recreate it without looking at his code, or take a license from him and add his copyright header to our code. We explained that we have not copied his work. His behavior was concerning and went beyond a reasonable business exchange — he claimed to have recorded a phone call with me without my knowledge or consent, and he threatened to go public with information about alleged vulnerabilities in Wire’s implementation that he refused to identify.
 
This is when we decided to seek clarity from the courts to get legal affirmation that we had not infringed on their rights.
 
When the lawsuit was filed, the attorneys started to talk and the matter was ultimately settled before having to appear in court — which all sides seemed to believe was a far better result than spending months or years fighting in court over rights to software that should be widely available.

To resolve the dispute amicably, we agreed to dismiss our claims in exchange for a release of the claims Moxie had made against us. While we would not agree to Moxie’s request to give OWS copyright attribution, we did provide attribution to the original version of Axolotl in our implementation — which we had already publicly stated and were happy to do. Litigation was something we would rather have avoided, but we felt we had no other choice under the circumstances.

Proteus is published as open-source under GPLv3 and we will continue to work with the community to make it available under less restrictive licensing conditions. We hope that we can work productively with Moxie in the future to promote our shared desire to expand on and improve end-to-end encryption.

Alan Duric, Wire co-founder and CTO
