[License-review] For Approval: The Cryptographic Autonomy License

Fri Apr 26 15:14:07 UTC 2019

Hello Henrik,

On Fri, Apr 26, 2019 at 9:49 AM Henrik Ingo <henrik.ingo at avoinelama.fi>
wrote:

> I was not very clear about it, but indirectly I was inviting you to
> justify why you think it is *necessary* to use the concept of Public
> Performance in CAL. What problem - other than just maximizing the
> power of copyright law - does it solve for you that wasn't adequately
> solved without it?
>

There are a couple reasons. First, when dealing with a network copyleft,
there aren't a lot of options - only the AGPL. Thus the analysis started
with "would the AGPL work" and proceeded from there. In this case, the AGPL
was not considered a sufficient vehicle because:

1. The network aspect of the AGPL only applies to network interaction with
a modified version. There are issues with this:
   - It doesn't clearly provide attribution or source code for unmodified
versions
   - Network interaction is gameable to avoid providing source (Just put a
proxy in place - I have seen this happen many times)
   - In the context of protecting access to User Data, the AGPL's "network
interaction with a modified version" would only be effective in the cases
where the software was modified - a minority of the time.
2. The AGPL is ambiguous in its application in a corporate context. For
example, if a modified version of an AGPL program is used within a company,
and not provided to any outsider, do employees have rights to the code to
the modified version? I would argue that they do, and that the employer
cannot prevent the spread of trade secret AGPL programs because to do so
would be an additional restriction.

Finally, I personally think that grounding the network interaction in a
clearly articulated existing right, already written into copyright law, is
superior to defining a new term like "network interaction" that is unique.

> > If you take a look at the exact text, the text is very close to the
> GPLv3. There was quite a bit of "borrowing" in exactly the way you suggest.
> >
>

I am not sure how to respond to your question about the evolution of the
GPLv3, maybe Richard can help there. But to be more explicit:

GPLv3, Section 3: No covered work shall be deemed part of an effective
technological measure under any applicable law...

CAL 2.3(a): You may not, by means of cryptographic controls, technological
protection measures, or any other method, limit a third party from
independently Processing User Data in which they have a Lawful Interest

GPLv3, Section 3: When you convey a covered work, you waive any legal power
to forbid circumvention of technological measures to the extent such
circumvention is effected by exercising rights under this License with
respect to the covered work

CAL, 2.3(d): You waive any legal power to forbid circumvention of technical
protection measures that include use of the Work

GPLv3, Section 3: You disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's users,
your or third parties' legal rights to forbid circumvention of
technological measures.

CAL: 2.3(e): You waive any claim that the capabilities of the work were
limited or modified as a means of enforcing the legal rights of third
parties against Recipients

Thanks,
Van
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20190426/e44bf9ca/attachment.html>