<div dir="ltr"><p></p>
<p>In April, the License-Review mailing list saw extensive debate on the Cryptographic Autonomy License, in particular:</p>
<ul><li>its user data clause, and how it affects user freedom</li><li>obligations placed on the software operator</li><li>API copyright</li><li>strategic concerns for the OSI</li><li>public performance rights for software</li></ul>
<p>The summary can also be read online at <a class="gmail-uri" href="https://opensource.org/LicenseReview042019">https://opensource.org/LicenseReview042019</a></p>
<p>The corresponding License-Discuss summary is online at <a class="gmail-uri" href="https://opensource.org/LicenseDiscuss042019">https://opensource.org/LicenseDiscuss042019</a> and covers discussions about non-commercial licenses, license revocability, and LGPL/Apache compatibility.</p>
<p><b id="gmail-cal">Cryptographic Autonomy License</b></p>
<p>Van Lindberg submits his Cryptographic Autonomy License (CAL) to the
review process. This is a network copyleft license, but with a broader
scope than the AGPL. The CAL is motivated by ensuring user autonomy in
blockchain-based applications. Lindberg has also written an <a href="https://www.processmechanics.com/2019/03/15/the-cryptographic-autonomy-license/">in-depth blog post</a>
that serves as a rationale document. Last month, there had already been
preliminary discussion about the license on the license-discuss list
(see the <a href="https://opensource.org/LicenseDiscuss032019#cal">summary</a>).</p>
<p>Lindberg and Pamela Chestek summarize the core goals of the CAL:</p>
<ul><li>that derivative works are handled in a copyleft manner</li><li>that any software offering the same API is under a compatible license</li><li>that user data is portable</li></ul>
<p>Note: this summary uses the term “operator” to describe a user who
runs the software so that other end users can interact with it.</p>
<p><b id="gmail-cal-opinions">Summary of Opinions</b></p>
<p>While the license presents welcome innovation in the network copyleft licensing space, there is also major criticism:</p>
<ul><li>operators are subject to unacceptable restrictions regarding user data</li><li>it is not in OSI’s interest to approve an API-copyleft license</li><li>the novel use of public performance is unclear, untested, unnecessary, and possibly ineffective</li></ul>
<p>Bruce Perens does not recommend approval. Henrik Ingo thinks that a
“revised, less hazardous version of this license” could eventually get
approved.</p>
<p><b id="gmail-cal-meta">Meta</b></p>
<p>While Perens was eager to get his concerns heard early, Richard
Fontana reminds that no urgency exists: as per the review process, new
licenses get an initial 60 days of discussion before any decision. Simon
Phipps adds that since Fontana’s tenure as license committee director
has ended, any review progress will be stalled until a replacement is
appointed at the next board meeting.</p>
<p><b id="gmail-cal-purpose">License Purpose</b></p>
<p>Bruce Perens is concerned that the CAL goes beyond licensing <em>software</em>, but tries to establish some <em>market</em>. Perens suggests that the license’s business purpose might better be reached through an ordinary contract.</p>
<p>Van Lindberg responds that while the CAL is being drafted because of a
business purpose, its terms are independent of that purpose. The terms
only cover licensing of the software, under some conditions. Ultimately,
every license has some purpose behind it. In the case of the CAL, the
business purpose required a network copyleft license.</p>
<p>Perens argues that while other licenses may have their own purpose,
they are not specific to some application. In contrast, the CAL seems
specific to blockchain applications.</p>
<p><b id="gmail-cal-lawful-interest">Lawful Interest in User Data</b></p>
<p>The CAL requires that operators must provide user data to which an
end user has a lawful interest. For example, a user might have a
ownership interest in the photos they upload to a photo storage service.</p>
<p>Bruce Perens thinks that “lawful interest” is not sufficiently
defined, and would require novel theories of data ownership: “There are
opinions, and little case law.” This could even require disclosure to
third parties if they establish a lawful interest.</p>
<p>Van Lindberg responds that lawful interest is defined using known
legal terms. The CAL does not grant new rights to user data: either the
law recognizes some kind of data ownership or it does not. You can’t end
up with rights that you didn’t already have.</p>
<p>Lindberg clarifies that the CAL references the GDPR not to define
lawful interest, but to clarify how an operator must provide user data.</p>
<p>Perens points out: if the users already have a right to their data,
why does the license need terms to that effect? Lindberg responds: “Just
because I have ownership of data does not mean that you have an
existing legal responsibility to give it to me. This is exactly the
problem addressed by the CAL.”</p>
<p><b id="gmail-cal-freedom-data">User Freedom and Data</b></p>
<p>Van Lindberg explains why he believes provisions about user data to
be necessary. Preserving user freedom is core to Free Software. User
data must be protected for that freedom to be effective:</p>
<blockquote>
<p>The insight is that, increasingly, the data and the code are needed
together to realize the program’s function. Existing open source
licenses, such as the GPLv3 family, recognize this and requires the
provision of cryptographic keys that would prevent the execution of the
code. The CAL recognizes that user freedom also includes the provision
of the user’s data so that the program functions completely and fully in
a context of the user’s choice.</p>
<p>[…] I may <em>own</em> my data. I may be able to get a copy of the
source code. But […] unless I can use the software to process my own
data, I also don’t have effective freedom.</p>
</blockquote>
<p>The CAL does not encumber or restrict user data, it just prevents it
from being locked into a platform – similar to GPLv3’s anti-Tivoization
clause. Such a clause is necessary because hashchain applications offer
new ways to lock down a program.</p>
<p>Bruce Perens is not convinced that end user freedom requires the
disclosure of this user data. And the license must protect freedom not
only for end users but also for operators, so why should it be
acceptable to compel operator actions?</p>
<p>Pamela Chestek and Bruce Perens disagree with the comparison to the
GPL’s anti-Tivoization clause. It applies when a device with embedded
software changes ownership, so that the new owner can install modified
software on their hardware. In contrast, the CAL’s user data provisions
burden the operator of the software to provide access to user data. This
is a fundamentally different kind of obligation.</p>
<p><b id="gmail-cal-operator-obligations">Operator Obligations</b></p>
<p>Bruce Perens is concerned that the operator’s obligations regarding user data are unclear and excessive:</p>
<ul><li><p>The CAL’s requirements trigger on mere use of the software, which
looks like an OSD #6 and #9 violation. How can forbidding or compelling
an action not be a usage restriction?</p></li><li><p>It should be fine to just run software under an OSI-approved
license, without having to read it. The CAL’s user data requirements
break this expectation. Operators have to hire a lawyer to understand
the extent of their obligations. This is an unreasonable burden that
limits their freedom.</p></li><li><p>The CAL affects data that is processed with the software.</p></li></ul>
<p>Van Lindberg counters:</p>
<ul><li><p>The CAL’s user data requirements are about as restrictive as the
AGPL’s source disclosure requirements: “The license compels an action by
the licensee – to make the source code and data available. This is
exactly the same type of action required under every copyleft license.”</p></li><li><p>The CAL does not extend to data: “No rights or obligations are created in any other work.”</p></li><li><p>The CAL does not restrict usage. It only requires user data to be
provided to the extent that it is available. E.g. data may have to be
decrypted for a user with a lawful interest, but the CAL is careful to
not require disclosure of private keys.</p></li><li><p>The CAL only compels actions while the operator provides a service. They are free to stop at any time.</p></li></ul>
<p>Lindberg appreciates the point that users should be able to run the
software without reading the license. But with the CAL, the legal load
for end users is still zero. Extra burdens are only placed on operators
who want to provision the software as a service to others, which is the
same scenario where the AGPL applies extra requirements. And anyway: “if
you are providing services to others, you have already taken upon you
substantial legal liability.”</p>
<p>Lindberg is amazed that Peren’s examples boil down to preserving
operator’s freedom to lock down their user’s data. “That freedom is
definitely granted under some more permissive licenses, but preserving
the rights of users is a core aspect of Free Software, which is the
tradition addressed by the CAL.”</p>
<p>Henrik Ingo points out that open source licenses generally grant rights to users <em>and</em>
shield them from legal risks. For example, restrictions on DRM are “a
great example of protecting user rights”. Peren’s objections seem to be
problematic primarily with P2P software where end users simultaneously
act as operators.</p>
<p><b id="gmail-cal-social">Solving Social Issues</b></p>
<p>Bruce Perens agrees that data being hold hostage is a legitimate problem – but it is a <em>social</em>
problem. OSI has previously rejected licenses that try to address
social issues beyond the software. While OSI-approved licenses sometimes
require disclosure of source code, also requiring disclosure of user
data would be overreach.</p>
<p>Van Lindberg disagrees. The CAL is not in the same bucket of
(non-free) licenses like 996 or JSON “do no evil”. The CAL tries to
address an issue (user autonomy) “in the exact same way the GPL
addresses the social issue of software freedom.”</p>
<p><b id="gmail-cal-api">API Copyright</b></p>
<p>Pamela Chestek summarizes the CAL’s relationship to API copyright:
Any reimplementation of a CAL-covered API must be offered under the CAL
or a compatible license. The CAL does not have a copyleft effect on
software that merely uses/consumes the APIs. Assuming API copyright
(Oracle v. Google) is overturned, the CAL will not be affected since the
CAL is about public performance of APIs and not their reproduction. But
without that precedent, how could other implementations be restricted?</p>
<p>Van Lindberg confirms that Chestek’s analysis is correct, but thinks
the chances of API copyright being overturned are rather slim. Even
then, CAL hooks into patent rights as a secondary means of enforcing
copyleft.</p>
<p>Richard Fontana notes that API reimplementations have to be
open-sourced when their binaries are distributed or their interfaces are
publicly performed. He criticizes the concept of “publicly performing
an interface” as unclear, and thinks the relevant clause is written
ambiguously. This launches a side discussion about the Oxford Comma.</p>
<p>Richard Fontana asks about the legal situation of API copyright in the EU under the 2012 <span class="elide">SAS Institute Inc. v. World Programming Ltd.</span>
decision. Carlo Piana explains that the SAS ruling excludes language
APIs, programming languages, and file formats from copyrightability in
the EU.</p>
<p><b id="gmail-cal-strategy">Strategic Concerns on API Copyright</b></p>
<p>Richard Fontana warns that the CAL would be the first license to
intentionally expand copyleft to APIs. Henrik Ingo is aghast at
Lindberg’s explanations: “this couldn’t possibly be your intention”.
They call some strategic concerns to attention.</p>
<p>Fontana believes that current community consensus is opposed to API
copyleft. He sees “a deep-rooted policy against […] restrictive
application of interface copyright in free software/open source […] that
ought to be read into the OSD and our understanding of software
freedom”. This “is supported by widespread hostility in the [community]
to the result in Oracle v. Google” and the FSF’s policy of opposing API
copyrightability. While a license might acknowledge API
copyrightability, it should only do so under highly permissive terms and
not use it to impose copyleft requirements.</p>
<p>Henrik Ingo hopes the OSI “won’t and can’t approve of” such
copyright-maximalist features. Instead, the open source community has an
interest in promoting the view that interface implementations always or
typically are fair use. Maybe, many years later APIs do become widely
copyrighted. Only then would it be in the interest of the community to
wield this power as well.</p>
<p>Ingo also mentions that right now, OSI approval of a license with API
copyright elements would be highly undesirable as this could be used by
Oracle lawyers as evidence that such views were widely accepted in the
industry and open source community.</p>
<p>Van Lindberg understands the strategic objections, but doesn’t think
“it is an extension to use legal terminology and case law which already
presumptively applies to software.”</p>
<p>Bruce Perens asks whether it is in OSI’s interest to approve licenses that use public performance rights “for purposes <em>other</em> than requiring publication of the source code”.</p>
<p>There is also the matter of precedent. Perens notes the FSF (although
disapproving of software public performance) did something similar with
the AGPL, and the OSI eventually approved it. Pamela Chestek thinks
this leads to “the understandable complaint that the OSI decisionmaking
process can be unpredictable”, especially since no one has claimed that
the CAL’s API/public-performance aspects would violate the OSD.</p>
<p><b id="gmail-cal-public-performance">Public Performance</b></p>
<p>Henrik Ingo cautions that the “use of public performance in a
software license is novel and untested.” This is risky for users. The
license doesn’t even need public performance rights to work but could
use “legal methods that are more boring, but better tested and safer”.
So for what reason should the license rely on public performance, other
than maximizing its copyright power?</p>
<p>Van Lindberg fundamentally disagrees here, and considers public
performance key to the CAL. Practically speaking, the AGPL is the only
available network copyleft license. But Lindberg found its network
copyleft provisions lacking:</p>
<ul><li>they do not trigger for unmodified versions</li><li>they can be gamed by using proxies</li><li>they are unsuitable to ensure user data access</li><li>they are unclear in a corporate context</li></ul>
<p>Lindberg thinks that it’s better to use <em>public performance</em> –
an established right in copyright law – than to define a unique term
like “network interaction”. The use of public performance paired with
some other definitions also clarifies corporate compliance.</p>
<p>Henrik Ingo agrees with Lindberg’s analysis of the AGPL, and welcomes
alternatives. Ingo criticizes the proxy loophole, and its GPL-like
mindset that software will be executed as a single process on a single
computer which accepts network connections.</p>
<p>However, Ingo vehemently disputes that public performance would be a
solution. This is completely uncharted territory, and the CAL fails to
bound its implications. Public performance “only adds uncertainty, but
little practical value.”</p>
<p>The AGPL protects users by giving explicit and unlimited permission
to run the program. Instead of restricting public performance, it uses
an awkward construction that compels features of the software but not
actions by the operator. Other licenses don’t have to use that approach,
but simple and clear legal terms help protect users. Perhaps the AGPL
could be fixed by merely replacing “network interaction” with
“interaction”.</p>
<p>Bruce Perens is confused why, if public performance rights are given,
the AGPL went through the trouble of synthesizing a separate public
performance-like right.</p>
<p>Pamela Chestek wonders how the CAL would work in the EU, where no
equivalent public performance right might exist. Lukas Atkinson points
to “communication to the public”, and suggests that the CAL could
reference the WIPO treaty where it is defined.</p>
<p>Scott Peterson is concerned that the CAL tries to introduce the
notion that software interoperation could be the copyright holder’s
exclusive right. This would attract FUD. Actions that impact the
interpretation of copyright law should be considered for their broader
impact. Bruce Perens refers to Lindberg’s argument that public
performance is an existing right for software because software is a
literary work.</p>
<p>McCoy Smith links to an article that argues that public performance rights do <em>exist</em> for software, but would not generally <em>apply</em> (Lothar Determann (2015): <em>What Happens in the Cloud: Software as a Service and Copyrights.</em> In: 29 Berkeley Tech. L.J. DOI: <a class="gmail-uri" href="https://doi.org/10.15779/Z38DX3N">https://doi.org/10.15779/Z38DX3N</a>).</p>
<p><b id="gmail-cal-other">Other points</b></p>
<p>Pamela Chestek provides a careful analysis of unclear language in the license.</p>
<p>Henrik Ingo is concerned that the anti-DRM provision might not be effective, which leads to some comparisons with the GPLv3.</p>
</div>