[License-review] For Approval: The Cryptographic Autonomy License
bruce at perens.com
Tue Apr 23 00:58:40 UTC 2019
I suspect that it might not really be time to submit the license yet, and
that it needs further work.
The purpose of the license is to implement a sort of market and to protect
the operation *of the market,* rather than simply *the rights regarding the
program.* This necessarily requires that the terms of the license go
substantially beyond terms regarding the software itself. Thus, we have
the terms regarding user data, which apply to *any data whatsoever* which
the program has touched in some way:
*b) Throughout any period in which You exercise any of the permissions
granted to You under this License, You must also provide to any third party
with which you have an enforceable legal agreement, a no-charge copy,
provided in a commonly used electronic form, of the User Data in your
possession in which that third party has a Lawful Interest;*
And then we define user data this way:
*l) “User Data” means any data that is either a) an input to, or b) an
output from, the Work or a Modified Work, in which a third party other than
the Licensee has a Lawful Interest in the data.*
But we never define *lawful interest.* We refer to GDPR and, I guess,
vaguely wave at the body of law entire.
So, consider that each user processes data about the *entire market,* as is
common in blockchain systems. Each user may thus have an obligation to
disclose data to very many other users who have a legal interest in that
data. The user may also have an obligation to guard data from being
disclosed to the wrong people, because this would endanger the user's
privacy rights or those of other users, or break the market. So, this can
be a very large legal obligation to properly verify requests and distribute
Now, I can guess that Van intended these terms to apply only to a large
operator of a financial network of the sort theorized. But as written they
apply to every user.
The user is very poorly informed regarding user data. When does another
user actually have a *legal interest* in it? And where, since this is
European law? Why are we using a term from real estate law: "quiet
enjoyment", which we can not expect the user to understand regarding
software? Since GDPR is referenced, the user needs to understand that too,
even if it doesn't apply where they live.
If the user data is stored using a one-way hash, and we also have terms
regarding cryptographic hashes, must the specifics of the one-way hash be
revealed, even when they would put the security of other users at risk?
So, it strikes me that overall, this is a license that requires a lawyer
simply to *use* the software, and that a user without legal counsel would
not practically be able to exercise their responsibility regarding the
I am not recommending approval until the actual complexity of the license
as faced by a non-developer user is much better bounded than it is by the
On Mon, Apr 22, 2019 at 11:44 AM VanL <van.lindberg at gmail.com> wrote:
> I'd like to thank everyone who provided feedback on earlier drafts of the
> Cryptographic Autonomy License (CAL). Since we presented the draft license
> in February, we have received hundreds of comments and suggestions, all of
> which have helped us fine-tune the license.
> We now present the CAL 1.0-Beta for approval at the next board meeting:
> Google Docs link:
> PDF Link: https://www.processmechanics.com/static/CAL-1.0-Beta.pdf
> The CAL is still open for revision until it is approved by the Board, and
> the links above will be updated as appropriate.
> I also refer everyone here again to the blog post describing the legal
> foundations of the license (
> as well as the discussion on license-discuss, summarized by Lukas Atkinson