[License-review] For Approval: The Cryptographic Autonomy License

VanL van.lindberg at gmail.com
Tue Apr 23 22:18:00 UTC 2019

Hello Bruce,

It seems that there are still misapprehensions.

On Mon, Apr 22, 2019 at 7:59 PM Bruce Perens via License-review <
>> license-review at lists.opensource.org> wrote:
>> You are correct that there is a business purpose that we believe will be
>> furthered by this license. But you are fundamentally incorrect in your
>> assertion: the license itself is written to be completely independent of
>> the business purpose. It can be used in many different ways by many
>> different users.
> I suppose it is *possible *for different users to use it for other
> purposes, and your statement would apply to any license, no matter how
> contrived it is to fulfill a particular purpose. But there isn't really any
> getting around the fact that this was designed for a specific purpose of
> your customer.

I don't really understand what you are going for here: Every license was
designed to fulfill a specific purpose. The GPL was designed to preserve
software freedom; the ISC license was written to be as short as possible;
the MPL was written to allow a the joint compilation of separate works into
a single binary.

In this case, my client identified that it was in their business interest
to have a strong network copyleft license that was maximally respecting of
user freedom. Preserving user freedom is at the core of Free Software,
which is highly related to open source. To the extent that this benefits my
client it is because preserving user freedom and autonomy is seen as a
prerequisite for establishing user trust. I refer you to my writeup,
referenced above, for more explanation.

> Again this is incorrect. The license only and exclusively 1) grants
>> permissions to the Work, and 2) places conditions on the use of the Work
> No, we have terms regarding User Data, which is only related to the work
> in that the work has some role in processing it - not necessarily a large
> or significant role, the work nearly has to be involved in some way. A
> transmission through the software which did not alter the data nor derive
> information from it would be sufficient, under the terms. So, I think we
> should consider User Data to be *an entirely separate piece of property
> which is encumbered simply because you make use of this software.*

The User Data is not encumbered. *This is a fundamental point*. There are
no additional restrictions placed on any User Data that were not there in
the first place. Users own or have the right to possess their own User
Data. The CAL just denies a licensee the right to lock up a User's Data and
make it irretrievable or unreadable. It is exactly analogous to the
anti-Tivoization clause in the GPLv3.

Let's say the CAL was applied to something like a photo storage site where
you store your photos. *The CAL does not apply any licensing requirements
on your photos*. *It does not encumber them at all*. It only states that
the photo storage site using the software cannot encrypt *your *photos and
prevent *you* from retrieving them.

If allowing a person to retrieve their own data is an encumbrance, then the
AGPL provides a similar encumbrance, in that it ensures that a site
operator also offer users a copy of the source code to which they are

> “Lawful Interest” means either 1) an ownership interest or 2) a
>> non-ownership property or possessory interest, including but not limited to
>> lawful possession of a particular copy of a work.
> This doesn't really tell us much at all. As far as *ownership *interests
> go, we need a theory regarding ownership of data.

We don't need any such theory. Ownership of intellectual property is
mediated by the laws of a jurisdiction. For example,a photographer has an
ownership interest in photos that she takes because of the operation of
copyright law. I have an "mp3 locker" where I store copies of songs that I
legally possess - I have non-ownership possessory interest.

Generally, if the law grants an ownership interest, it exists. If the law
does not recognize an ownership interest, it does not exist.

Possessory interest is also not applicable to the person *seeking* the
> data, unless the license seeks to grant a *very broad *right regarding
> processed data which is derived *in any way* from data for which someone
> has a possessory interest.

This invents a hypothetical contrary to the terms of the license under
discussion. The license doesn't grant the "very broad right" you are afraid
of, and so the accompanying parade of horribles doesn't apply. If I don't
have an ownership or possessory interest - both again, normal legal terms -
then I can't ask for the data.

> This leaves us with GDPR, which does not actually settle the question of
> data ownership, only of such things as right to access, correct, or to be
> forgotten.

The GDPR has some similar concepts, but is mostly irrelevant to the license
here. The GDPR could go away and it would not matter one bit to the CAL.
The only connection is to say that the "formatting and transmission
requirement" and "number of copies" provided should be interpreted
consistently. I refer you to the extensive discussion on this point in
license-discuss, where this exact point of confusion was raised and

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20190423/605793be/attachment-0001.html>

More information about the License-review mailing list