TrueCrypt licensing concern

Tom "spot" Callaway tcallawa at redhat.com
Thu Oct 9 10:36:08 PDT 2008 

On Wed, 2008-10-08 at 09:03 +1100, Ben Finney wrote:
> Which seems to come to a contradictory conclusion
> <URL:http://lists.debian.org/debian-legal/2006/07/msg00009.html>; i.e.
> that the license *is* free under the DFSG. (On a quick reading, I
> incline more toward the “non-free” side, but that's not something to
> be discussed at length here.)
> 
> I'd very much like to see Tom Calloway's reference for *why* the
> license terms are such a serious risk; preferably, placed in (or
> linked from) the Fedora wiki page where the work is forbidden.

Sorry for the delay, I just needed to clear it with counsel for me to
share our analysis.

These remarks are against v2.5 of the TrueCrypt license:

Section III:

1. d. :  This provision requires distribution of source code if you
distribute "Your Product".  However, it says

  To meet this condition, it is sufficient that You merely include the
  source code with every copy of Your Product that You make and
  distribute . . . *provided that You make the copies available to the
  general public free of charge*; it is also sufficient that You merely
  include information . . . about where the source code can be freely
  obtained . . . with every copy of Your Product that You make
  and distribute . . . *provided that You make the copies available to
  the general public free of charge*. 

This is ambiguous, but the best reading of "the copies" seems to refer
to "every copy of Your Product that You make and distribute".  That
therefore means that if you distribute modified versions of TrueCrypt,
you cannot charge for copies.  That is non-free.

We suggested that the first paragraph of 1d be changed to:

  If you distribute Your Product in a form other than source code, the
  complete source code of Your Product must be freely and publicly
  available (for exceptions, see Section III.2) at least until You
  cease to distribute Your Product. To meet this condition, it is
  sufficient that You merely include the source code with every copy of
  Your Product that You make and distribute (see also below in this
  Subsection III.1.d for conditions that licenses governing the source
  code must meet) provided that you make the source code available to
  the general public free of charge; it is also sufficient that You
  merely include information (valid and correct at least until You cease
  to distribute Your Product) about where the source code can be freely
  obtained (e.g. an Internet address, etc.) with every copy of Your
  Product  that You make and distribute (see also below in this
  Subsection III.1.d for conditions that licenses governing the source
  code must meet) provided that You make the source code available to
  the general public free of charge.

In addition, because there is no counterpart in III to II.2, there is
some doubt about whether "Your Product" can be used commercially.
Therefore, the following clause should be added to section III:

  Provided that You comply with all applicable terms and conditions of
  this License, You may use Your Product freely on any number of
  computers/systems for non-commercial and/or commercial purposes.

Alternatively, II.2 could be generalized to "Your Product" as well as
"This Product". 

Section VI, Paragraph 2:

The license says:

  NOTHING IN THIS LICENSE SHALL IMPLY OR BE CONSTRUED AS A PROMISE, 
  OBLIGATION, OR COVENANT NOT TO SUE FOR COPYRIGHT OR TRADEMARK 
  INFRINGEMENT.

We proposed that it be replaced with:

  NOTHING IN THIS LICENSE SHALL IMPLY OR BE CONSTRUED AS A PROMISE,
  OBLIGATION, OR COVENANT NOT TO SUE FOR TRADEMARK INFRINGEMENT.

While Fedora certainly has no intent to commit copyright infringement,
our
counsel advises that licenses are promises not to sue. If Fedora
complies with all of the conditions and/or obligations imposed by this
license, we would not be protected from a lawsuit from TrueCrypt. If we
cannot rely on this license granting us copyright permissions, counsel
advises us that this license is non-free.

The TrueCrypt license term in question declares that nothing in the
license constitutes a promise not to sue for copyright infringement. Our
counsel advises that a plain reading of this indicates that if Fedora
complies with all the requirements of the TrueCrypt license, we would
nonetheless have no assurance that TrueCrypt will not sue me for my acts
of copying, distribution, creation of derivative works, and so forth. 

Normally, a free software license can be considered as a promise
not to sue for actions that are allowed under the license. Our counsel
noted that it is a promise not to sue for actions that are
allowed under the license *even if those actions would otherwise
constitute copyright infringement*. The statement in the TrueCrypt
license casts doubt on whether the fully compliant licensee is shielded
from the possibility of a copyright infringement suit from TrueCrypt (to
which no defense of license would be effective).

To be blunt, our counsel advised that what the TrueCrypt license
explicitly 
says is that no matter how faithfully we comply with those conditions
or 
obligations, we still have no expectation that such compliance gives
rise 
to any obligation or undertaking on TrueCrypt's part not to sue us for 
copyright infringement.

TrueCrypt seems to be reserving the right to sue any licensee for
copyright infringement, no matter whether they comply with the
conditions of the license or not. Based on this, our counsel advised
that above and beyond being non-free, software under this license is not
safe to use.

Section VI, Paragraph 3:

The license says:

  3. This license does not constitute or imply a waiver of any
intellectual
  property rights. This license does not transfer, assign, or convey any
  intellectual property rights (e.g., it does not transfer ownership of
  copyrights or trademarks).

We proposed that it be replaced with:

  This License does not constitute or imply a waiver of any
  intellectual property rights, other than as specifically stated in
  this License.  This License does not transfer, assign, or convey any
  intellectual property rights (e.g., it does not transfer ownership of
  copyrights or trademarks).

The rational provided by our counsel is as follows:

In effect TrueCrypt ought to be waiving certain of its rights for this
to be operative as a license. Free software licenses do involve waivers
of rights. 

Our counsel advised us that this license has the appearance of being
full of clever traps, which make the license appear to be a sham (and
non-free).

There were other minor issues that might also make the license non-free,
but given TrueCrypts unwillingness to address any of these more serious
issues, I have omitted them.

Hope that helps,

~tom

More information about the Distributions mailing list