What then does the NIST say about patents? At page 8 the Institute states its intellectual property policy:
Innovation and Intellectual Property (IP): While developing its cryptographic standards and guidelines for non-national security systems, NIST has noted a strong preference among its users for solutions that are unencumbered by royalty-bearing patented technologies [it is predicted that, when offered a choice of pay-to-use or free solutions, many will prefer the latter; however it is not clear whether this is because of the cost, the hassle of negotiation or the feeling that non-patented technologies are more secret and secure than those covered by published patent information]. NIST has observed that widespread adoption of cryptographic solutions that it has developed has been facilitated by royalty-free licensing terms. While NIST prefers to select algorithms that are unencumbered by intellectual property claims, it may select algorithms with associated patents if the technical benefits outweigh the potential costs that would be incurred in implementing the patented technologies. NIST will explicitly recognize and respect the value of IP [as a Federal technology agency it presumably has to] and the need to protect IP if it is incorporated into standards or guidelines. Furthermore, NIST believes it is important to balance the rights of IP holders and of those seeking to utilize technologies involving intellectual property rights [this sounds encouraging, but when it comes to balancing the rights of IP holders and users there is no objectively verifiable state of equilibrium. Does 'balancing' involve enforcement and/or fair recompense for the patent owner, the grant of compulsory licences in appropriate situations, or what?].The document goes further. At pages 24-25, under the heading "Policies and Processes for the Life Cycle Management of Cryptographic Standards and Guidelines", item 5 reads:
5. Develop a NIST Federal Information Processing Standard (FIPS) or Special Publication (SP) GuidelineAt this stage there's not much more that anyone can do other than watch this space and see how things develop. Readers' thoughts and comments as to how exploitation of innovation within the sector might evolve are very welcome.
If NIST concludes that it will produce a FIPS or SP, a multi-step process is used. NIST will:
- Announce its intent to develop a FIPS or SP via multiple mechanisms, including the NIST website, newsletters, public presentations, and direct notifications to relevant SDOs and communities of interest.
- Seek information about existing standards, standards in development, guidelines, or other information that could inform and assist NIST in the effort.
- Request information on potentially pertinent patents (in initial solicitations for information as well as in its publication of draft standards). This includes disclosure, where possible, of issued U.S. patents, pending U.S. patent applications, and corresponding foreign patents and applications [In "What we know and what we don't: a review of patents for Cybersecurity", here, Aistemos reviewed the position regarding US cybersecurity businesses relative to non-US players and their patents. Data published there suggests that NIST will be focusing a good deal on the growing quantity of non-indigenous patent information which is generated from China, Russia, Japan and Europe]. In considering an algorithm that is or may be subject to patent protection, NIST may seek assurances from the patent holder that royalty-free or royalty-bearing licenses will be made available on a Reasonable and Non-Discriminatory (RAND) basis [if high-tech cryptography is a new field, FRAND licensing of standard-essential patents is not much older, and it can be expected that litigation will result wherever a FRAND licensor feels badly treated, or a licensee considers itself to be excluded or overcharged for committing to the licence. There is little reason to assume that the conditions of the telecoms and IT sector that have shaped global FRAND licensing for cellphones and other devices that require a high level of interconnectivity will suit the very different conditions in which cybersecurity operates].
- Consider the option of using, adapting or profiling an existing standard or guideline, rather than producing an entirely new standard or guideline. ...