FOSS or not? - source and license auditing project for TrueCrypt disk encryption software

By: Florian Idelberger

TrueCrypt, a major and widely used open source project of a very special nature, since it is used to encrypt data, has so far received relatively little scrutiny compared to other big projects. The "istruecryptauditedyet" project aims to change that.

One of the great advantages of free and open source software is that, because the source code is available, developers from all over the world can review a project's code base, ideally finding bugs and other mistakes that would otherwise go unnoticed or lack the resources for a fix. Whether this happens in practice varies widely, depending on the number of people working on a project and on how many of them are familiar enough with a topic to review a specific part of the project at all.

This is why two security researchers, Kenneth White and Matthew Green, decided that an important piece of free and open source software such as TrueCrypt deserves a proper source-code and security audit. This covers both the source code in general and, especially, the program code and routines responsible for the cryptography itself, as those require special review by developers, cryptographers or mathematicians with the right skills.

The whole situation is, however, made even more complex, but also more interesting and relevant for legal professionals, because the license used by TrueCrypt, the TrueCrypt License 3.0, is a custom one. In the past, lawyers for popular Linux distributions had already reviewed earlier versions of the license, and although certain provisions were changed, it was still decided or recommended that TrueCrypt would not be included in the maintained packages of many distributions. This is, in large part, because while one part of the TrueCrypt license wants to be a Free and Open Source license, another part of it doesn't want to be.

Especially in an open source license, but also in many other licenses and, due to the contractual nature of licenses, in contracts as well, it is important that all parties are clear about the rights and obligations derived from the license or contract, so that they can honor them. This is the basis of a good contract. It might be possible to slip in that one extra clause that seems to afford an advantage, but what good is that if business partners later feel cheated or don't know what was expected of them? Similarly, the TrueCrypt License on the one hand says that, as long as you stick to the terms of the license, you may freely use the source code and the resulting software, while on the other hand it reads much more like a commercial end-user license agreement, trying to indemnify against everything and excluding every possibility of giving away rights.

This not only makes it very hard for users to actually understand the license (many open source licenses try to be shorter and easier to understand) but might actually be counter-productive in some instances. Paragraph 7 of Chapter VI comes to mind, where it says:

“7. IF (IN RELEVANT CONTEXT) ANY PROVISION OF CHAPTER IV OF THIS LICENSE IS UNENFORCEABLE, INVALID, OR PROHIBITED UNDER APPLICABLE LAW IN YOUR JURISDICTION, YOU HAVE NO RIGHTS UNDER THIS LICENSE AND YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) THEREOF.”

Chapter IV covers a disclaimer of liability, a disclaimer of warranty and indemnification in a lot of detail. This could, for example, be a problem in Germany, where such a blanket disclaimer and indemnification is problematic. In addition, according to Chapter VI, paragraph 6, if you are not sure that you understand the license and what you have to do to comply with it, you are not allowed to use the software:

“6. IF YOU ARE NOT SURE WHETHER YOU UNDERSTAND ALL PARTS OF THIS LICENSE OR IF YOU ARE NOT SURE WHETHER YOU CAN COMPLY WITH ALL TERMS AND CONDITIONS OF THIS LICENSE, YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) OF IT. YOU SHOULD CONSULT WITH A LAWYER.”

As a result, in an extreme scenario, most people who use TrueCrypt today could probably be held to be in violation of the license. In practice, this is more of a theoretical problem, because as long as there is no accuser or claimant, there is no problem. However, clauses like these were still seen as problematic enough for some distributions to keep TrueCrypt out of their maintained packages. For this reason, the “istruecryptauditedyet.com” project also aims to conduct a license review. The project has only just started, but we are looking forward to seeing it progress.