As Monty Python famously opined in the Parrot Sketch from Monty Python’s Flying Circus, no amount of jostling, explanations or hopeful wishes will bring back something that is well and truly dead.
The mystery surrounding the demise of TrueCrypt continues, but not without additional drama from those who refuse to let go.
Last week John Leyden, writing for The Register, posted about an attempt at keeping TrueCrypt alive on a site hosted in Switzerland by Thomas Bruderer and Joseph Doekbrijder.
The site is in clear violation of the TrueCrypt license 3.1 as revised with the final 7.2 release of TrueCrypt on the 28th of May. The license states:
"c. Your Product (and any associated materials, e.g., the documentation, the content of the official web site of Your Product, etc.) must not present any Internet address containing the domain name truecrypt (or any domain name that forwards to the domain name truecrypt) in a manner that might suggest that it is where information about Your Product may be obtained or where bugs found in Your Product may be reported or where support for Your Product may be available or otherwise attempt to indicate that the domain name truecrypt is associated with Your Product."
While Thomas and Joseph likely have the best intentions, simply hiding a website in Switzerland doesn’t really change the fact that they are acting against the wishes of the authors and may struggle with legal issues using any code they release.
The letter of the law and the intent of the owner(s) may be two different things, but should you ever intentionally violate their wishes?
Whatever your beliefs on this point, there are bigger questions to be pondered than small print and license concerns.
Earlier this week we surveyed just over 100 IT professionals over on Spiceworks, a community for the people who have to actually get the work we talk about done.
In fact, one of the more interesting results in our survey was that 64% of TrueCrypt business users are thinking more critically about choosing TrueCrypt after learning about the questions that have been raised by its sudden disappearance.
We can only speculate as to why people are less sure than before. Perhaps the message from the developer(s) saying the code is insecure and not to use it is having its intended impact.
Exactly 1/3 of all respondents who use encryption are using TrueCrypt at home, at work or both.
I am sure that popularity is due to the small and medium size of the companies represented in the survey. 87% of respondents worked for organizations of 1,000 or fewer users.
30% said they don’t use encryption at home or at work, 28% said they use encryption at home and at work and 24% only use encryption products at work.
This entire drama has been very interesting and educational. It has allowed me to start a conversation about data protection and hear from a lot of people about their opinions on the topic.
I get the impression that a lot of people were unaware of TrueCrypt’s origins and will likely rethink whether they want to continue to use it with the cloud that is hanging over its status now and in the future.
John Shier had some time last week to interview me for a short podcast on the topic. If you have a few minutes, why not give it a listen?
For those interested in moving away from TrueCrypt or simply interested in data protection, we have put together a page with some helpful information at http://sophos.com/truecrypt.