[License-review] For Approval: The Cryptographic Autonomy License

Bruce Perens bruce at perens.com
Tue Apr 23 23:27:26 UTC 2019


Please do me the courtesy of assuming that my arguments are not always
misapprehensions, but may be valid objections to your license.

On Tue, Apr 23, 2019 at 3:18 PM VanL <van.lindberg at gmail.com> wrote:

> I don't really understand what you are going for here: Every license was
> designed to fulfill a specific purpose. The GPL was designed to preserve
> software freedom; the ISC license was written to be as short as possible;
> the MPL was written to allow the joint compilation of separate works into
> a single binary.

Yes. But none of GPL, ISC, and MPL are specific to an application. The only
one that really mentions specific technology at all is GPL3, and that does
so specifically regarding license circumvention devices. In contrast, this
is the Cryptographic Autonomy License, the application is right in the
title. The software is for implementing cryptography in a carefully
controlled manner, where the user may be compelled to disclose a
significant amount of the data which is processed. I'm having trouble
understanding what application *other* than blockchain works with both
those conditions.

> In this case, my client identified that it was in their business interest
> to have a strong network copyleft license that was maximally respecting of
> user freedom.

I am not yet convinced that a compulsion to reveal the data processed by
the program is maximally respecting of user freedom. I do note that other
well-known licenses promoted as freedom-respecting have very clearly stated
that you can run the software for any purpose, and that the actual running
of the program is *unencumbered by the license.* CAL clearly encumbers the
act of running the program and the data processed by that running.

It also appears that the license is clothed in the language and law of
protecting people from the effects of others holding their personal data.
This, however, seems a false impression, because the terms require a
potentially very broad compulsion to disclosure that does not respect
individual privacy - anyone with a possessory interest or a chain of
derivation regarding their data potentially has a right to *your* data.

And then we compel disclosure of data even in contexts that do not protect
people. Rather than personal data, the application of the program is
blockchain data used to implement a market. This sort of data is still
encumbered with disclosure compulsion regardless of whether it is actually
personal or not.

Since the user data release obligation is stated so unclearly that counsel
is necessary to determine just what it is, I believe the legal burden
necessary simply to comply with this license could also be unrespecting of
user freedom.

> The User Data is not encumbered. *This is a fundamental point*. There are
> no additional restrictions placed on any User Data that were not there in
> the first place. Users own or have the right to possess their own User Data.

But this seems self-contradictory. If users have the right to compel
disclosure of their user data separately from the license, why does the
license need to have language to compel disclosure of that data at all?

> The CAL just denies a licensee the right to lock up a User's Data and make
> it irretrievable or unreadable.

So, you're saying that it is in violation of the license for me to, for
example, encode passwords with a one-way hash. And that doesn't seem a use
restriction? For example, by making it impossible to properly implement
access control software under the license.

And what *other* purpose than access validation does unreadable or
irretrievable data have, that we must prevent a software user from ever
doing that? I guess that's implementing a blockchain. Doesn't that bring us
back to use restrictions?

> It is exactly analogous to the anti-Tivoization clause in the GPLv3.

I don't think so. The anti-Tivoization clause was designed to protect our
access to hardware upon which we could run Free Software, in the world *beyond*
desktop computers based on the IBM PC architecture, which we are rapidly
entering. In contrast, this requires disclosure of data for... keeping you
from making it unreadable. Even by yourself? I'm not sure that's even
"locking it down".

> Let's say the CAL was applied to something like a photo storage site where
> you store your photos. *The CAL does not apply any licensing requirements
> on your photos*. *It does not encumber them at all*. It only states that
> the photo storage site using the software cannot encrypt *your* photos
> and prevent *you* from retrieving them.

That's not a use restriction?

> If allowing a person to retrieve their own data is an encumbrance, then the
> AGPL provides a similar encumbrance, in that it ensures that a site
> operator also offer users a copy of the source code to which they are
> entitled.

Not so. The AGPL only applies to the program and its language is very
careful not to reach beyond the program. It requires that a person who
modifies the program must offer to distribute a copy of the program,
potentially a modified version, if they perform activities similar to
public performance. In contrast, the CAL *reaches beyond the program* to
apply terms to data which is simply processed by the program. This is *not* an
encumbrance like the AGPL!

> We don't need any such theory. Ownership of intellectual property is
> mediated by the laws of a jurisdiction. For example, a photographer has an
> ownership interest in photos that she takes because of the operation of
> copyright law. I have an "mp3 locker" where I store copies of songs that I
> legally possess - I have non-ownership possessory interest.

So as the operator of a music or photo site, I either have an existing
legal responsibility to give you your data upon request, in which case the
license does not need to compel me to do that, or I don't, and the license
needs to compel me to do that. Which one are you stating is true?

> This invents a hypothetical contrary to the terms of the license under
> discussion. The license doesn't grant the "very broad right" you are afraid
> of, and so the accompanying parade of horribles doesn't apply. If I don't
> have an ownership or possessory interest - both again, normal legal terms -
> then I can't ask for the data.

I am still hearing that you have an interest in law, and that the license
must still go beyond what your interest in law *is,* to compel the site
operator to distribute files to you that are *not* the program under the
license, and that she would not otherwise have to distribute to you.

