[License-review] For Approval: Twente License

Lukas Atkinson opensource at lukasatkinson.de
Wed Feb 6 14:10:03 UTC 2019


While any open source license expresses certain values, I do not think
licenses are a good vehicle of ethics. To fulfil the goal of Twente,
the next best available Open Source license would likely be a network
copyleft like the AGPL: that way, end users can at least inspect the
software they are using.

Here, a problem is that the Twente License aims to regulate *use* of
the software, not just the copying and modification of the software.
I.e. it regulates something that is out of scope for copyright, and
takes away rights that users would otherwise have. (Similar problems
have been discussed regarding the SSPL.) This is definitively an
OSD-incompatible restriction in jurisdictions where these privacy
rules wouldn't be mandatory anyway.

I'd like to point out that even the EU is such a jurisdiction, as the
Twente License has a weird intersection with the GDPR: Twente covers a
more narrow area, but in that area is more restrictive.
- Twente covers only collecting PII from users and releasing that data
to third parties. GDPR covers any processing of any personal data, and
has a clear concept of Data Processors that are not third parties.
- Twente only recognizes consent as the basis for collection &
release. GDPR also recognizes legitimate interest, necessity for
fulfilment of a contract, and legal obligations (like a warrant, or
maintaining accounting records).
- Twente does not define critical terms such as user, PII, collect,
consent, release, third party.

In a literal reading of the Twente License, the privacy paragraph
could be circumvented by running the Twente-covered software as a
separate service so that it neither collects nor releases any data
directly. If Twente's restrictions do not apply to the *software* but
to the *operator* of the software, this makes it so much clearer that
this is indeed an OSD #6 violation.

I am also not sure whether Twente-covered software could realistically
be used e.g. for e-commerce solutions due to the high bar that
“unambiguous prior consent” represents, for example when sharing
necessary data with a payment processor or logistics provider.

I think it might be possible to construct a better license by dropping
any usage restrictions and substituting transparency requirements.
E.g. when the software is conveyed in non-source form or publicly
performed so that others can interact with the software, then the
software must provide (a) proper attribution like under the normal MIT
license; and (b) a statement on who acts as a Data Controller in the
sense of the GDPR. Unfortunately, that would make it very difficult to
distribute binaries without taking on responsibilities as a
Controller.


