TrueCrypt licensing concern

Thu Oct 9 15:21:34 PDT 2008

"Tom \"spot\" Callaway" <tcallawa at redhat.com> writes:

> Sorry for the delay, I just needed to clear it with counsel for me to
> share our analysis.

No problem, thank you for the work to continue with this.

> These remarks are against v2.5 of the TrueCrypt license:
> 
> Section III:
> 
> 1. d. :  This provision requires distribution of source code if you
> distribute "Your Product".  However, it says
> 
>   To meet this condition, it is sufficient that You merely include the
>   source code with every copy of Your Product that You make and
>   distribute . . . *provided that You make the copies available to the
>   general public free of charge*; it is also sufficient that You merely
>   include information . . . about where the source code can be freely
>   obtained . . . with every copy of Your Product that You make
>   and distribute . . . *provided that You make the copies available to
>   the general public free of charge*. 
> 
> This is ambiguous, but the best reading of "the copies" seems to refer
> to "every copy of Your Product that You make and distribute".  That
> therefore means that if you distribute modified versions of TrueCrypt,
> you cannot charge for copies.  That is non-free.

I agree.

> We suggested that the first paragraph of 1d be changed to:
> 
>   If you distribute Your Product in a form other than source code, the
>   complete source code of Your Product must be freely and publicly
>   available (for exceptions, see Section III.2) at least until You
>   cease to distribute Your Product. To meet this condition, it is
>   sufficient that You merely include the source code with every copy of
>   Your Product that You make and distribute (see also below in this
>   Subsection III.1.d for conditions that licenses governing the source
>   code must meet) provided that you make the source code available to
>   the general public free of charge;

I don't see how this proviso is necessary; why, if one is
“includ[ing] the source code with every copy of Your Product that You
make and distribute”, must one *also* “make the source code
available to the general public”? Moreover, what does “make
available” mean here?

I also don't think it's a free restriction to require that one do
something free of charge; it forbids someone who cannot afford
whatever costs may pertain to the action (whatever “make available”
may entail) from doing it at all.

> In addition, because there is no counterpart in III to II.2, there is
> some doubt about whether "Your Product" can be used commercially.
> Therefore, the following clause should be added to section III:
> 
>   Provided that You comply with all applicable terms and conditions of
>   this License, You may use Your Product freely on any number of
>   computers/systems for non-commercial and/or commercial purposes.

Perhaps simplify to “for any purpose”?

> While Fedora certainly has no intent to commit copyright
> infringement, our counsel advises that licenses are promises not to
> sue.

One would certainly hope so. I'm glad to see your counsel agrees :-)

> If Fedora complies with all of the conditions and/or obligations
> imposed by this license, we would not be protected from a lawsuit
> from TrueCrypt. If we cannot rely on this license granting us
> copyright permissions, counsel advises us that this license is
> non-free.

I agree.

> To be blunt, our counsel advised that what the TrueCrypt license
> explicitly says is that no matter how faithfully we comply with
> those conditions or obligations, we still have no expectation that
> such compliance gives rise to any obligation or undertaking on
> TrueCrypt's part not to sue us for copyright infringement.
> 
> TrueCrypt seems to be reserving the right to sue any licensee for
> copyright infringement, no matter whether they comply with the
> conditions of the license or not. Based on this, our counsel advised
> that above and beyond being non-free, software under this license is
> not safe to use.

Thanks for the explanation, I agree that this is indeed unnecessarily
risky as well as non-free.

> Section VI, Paragraph 3:
> 
> The license says:
> 
>   3. This license does not constitute or imply a waiver of any
> intellectual
>   property rights. This license does not transfer, assign, or convey any
>   intellectual property rights (e.g., it does not transfer ownership of
>   copyrights or trademarks).
> 
> We proposed that it be replaced with:
> 
>   This License does not constitute or imply a waiver of any
>   intellectual property rights, other than as specifically stated in
>   this License. This License does not transfer, assign, or convey
>   any intellectual property rights (e.g., it does not transfer
>   ownership of copyrights or trademarks).

I do wish that the license made no mention of the nebulous,
over-reaching, and nigh-meaningless “intellectual property” at all.
It should talk about specific bodies of law; in this case, copyright
and trademark.

Perhaps:

    This License does not constitute or imply a waiver of any rights,
    other than as specifically stated in this License. This License
    does not transfer, assign, or convey any copyright or trademark
    rights.

If other rights are intended to be discussed, they should be explicit
rather than handwaved.

> Our counsel advised us that this license has the appearance of being
> full of clever traps, which make the license appear to be a sham
> (and non-free).

I wonder if your counsel is familiar with the term “lawyerbomb”,
often used to describe such traps :-)

I would suspect incompetence before malice, here; a great many
home-brewed licenses contain such lawyerbombs as the simple result of
trying to do too many things, and lack of wide peer review.

> There were other minor issues that might also make the license
> non-free, but given TrueCrypts unwillingness to address any of these
> more serious issues, I have omitted them.

That's unfortunate. I'm glad and thankful for your perseverence (and
your counsel's), and hope that the above issues can be addressed at
least.

-- 
 \     “The trouble with the world is that the stupid are cocksure and |
  `\             the intelligent are full of doubt.” —Bertrand Russell |
_o__)                                                                  |
Ben Finney