<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks for letting us know, I appreciate it.</p>
<p>Pam</p>
Chair, License Committee<br>
Open Source Initiative<br>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">n 12/14/20 12:53 PM, Wayne Thornton
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:176626268f8.113ef1d7e75533.2240558286267506114@viratrace.us">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div style="font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10pt;">
<div>ViraTrace hereby withdraws the the proposed VPSL from
license review. We will resubmit for reconsideration once
legal review and changes have been drafted.<br>
</div>
<div><br>
</div>
<div>Thank you for your insight and suggestions.</div>
<br>
<div data-zbluepencil-ignore="true" id="Zm-_Id_-Sgn">
<div><span class="highlight" style="background-color:rgb(255,
255, 255)"><span class="colour" style="color:rgb(0, 0, 0)"><span
class="font" style="font-family:Verdana, Arial,
Helvetica, sans-serif"><span class="size"
style="font-size: 13.333333px; font-style: normal;
font-weight: normal; letter-spacing: normal;
text-indent: 0px; text-transform: none; white-space:
normal; word-spacing: 0px; text-decoration: none;
float: none;">Regards,</span></span></span></span><br>
</div>
<div><br>
</div>
<p style="margin: 0px; font-style: normal; font-weight:
normal; letter-spacing: normal; text-indent: 0px;
text-transform: none; white-space: normal; word-spacing:
0px; text-decoration: none" class=""><span class="colour"
style="color:rgb(0, 0, 0)"><span class="font"
style="font-family:Calibri, sans-serif"><span
class="size" style="font-size: 11pt; margin: 0px;
font-style: normal; font-weight: normal;
letter-spacing: normal; text-indent: 0px;
text-transform: none; white-space: normal;
word-spacing: 0px; text-decoration: none;"><span
class="colour" style="color:black"><span
class="font" style="font-family:verdana,
sans-serif"><span class="size"
style="font-size:13.333333px">Wayne M. Thornton,
B.S., CPDT<br>
Co-Founder & Project Manager<br>
VIRATRACE©<br>
720-766-0254 – Direct</span></span></span></span></span></span></p>
<p style="margin: 0px; font-style: normal; font-weight:
normal; letter-spacing: normal; text-indent: 0px;
text-transform: none; white-space: normal; word-spacing:
0px; text-decoration: none" class=""><span class="colour"
style="color:rgb(0, 0, 0)"><span class="font"
style="font-family:Calibri, sans-serif"><span
class="size" style="font-size: 11pt; margin: 0px;
font-style: normal; font-weight: normal;
letter-spacing: normal; text-indent: 0px;
text-transform: none; white-space: normal;
word-spacing: 0px; text-decoration: none;"><span
class="colour" style="color:black"><span
class="colour" style="color:rgb(5, 99, 193)"><span
class="font" style="font-family:verdana,
sans-serif"><span class="size"
style="font-size:13.333333px"><a style="color:
rgb(89, 143, 222); cursor: pointer"
href="https://www.viratrace.org/"
target="_blank" moz-do-not-send="true">https://www.viratrace.o</a>rg</span></span></span></span><br>
</span></span></span></p>
<div style="color: rgb(0, 0, 0); font-family: Verdana, Arial,
Helvetica, sans-serif; font-size: 13.333333px; font-style:
normal; font-weight: normal; letter-spacing: normal;
text-indent: 0px; text-transform: none; white-space: normal;
word-spacing: 0px; text-decoration: none"><span
class="colour" style="color:black"><span class="colour"
style="color:rgb(5, 99, 193)"><span class="font"
style="font-family:verdana, sans-serif"><span
class="size" style="font-size:13.333333px"></span></span></span><span
class="font" style="font-family:verdana, sans-serif"><span
class="size" style="font-size:13.333333px"><br>
Be sure to join our </span></span><a style="color:
rgb(89, 143, 222); cursor: pointer"
href="https://teams.microsoft.com/join/lw83179ktnqf"
target="_blank" moz-do-not-send="true"><span
class="colour" style="color:rgb(5, 99, 193)"><span
class="font" style="font-family:verdana, sans-serif"><span
class="size" style="font-size:13.333333px">Microsoft
Teams</span></span></span></a><span class="font"
style="font-family:verdana, sans-serif"><span
class="size" style="font-size:13.333333px"> channel
for updates and to contribute!<br>
<br>
This message is intended only for the individual or
entity to which it is addressed. It may contain
privileged, confidential information which is exempt
from disclosure under applicable laws. If you are not
the intended recipient, please note that you are
strictly prohibited from disseminating or distributing
this information (other than to the intended
recipient) or copying this information. If you have
received this communication in error, please notify us
immediately by e-mail. Thank you.</span></span></span></div>
</div>
<br>
<div style="border-top-width: 1px; border-top-style: solid;
border-top-color: rgb(204, 204, 204); height: 0px; margin-top:
10px; margin-bottom: 10px; line-height: 0px;"
class="zmail_extra_hr"><br>
</div>
<div style="" data-zbluepencil-ignore="true" class="zmail_extra"><br>
<div id="Zm-_Id_-Sgn1">---- On Sat, 12 Dec 2020 14:39:05 -0700
<b> <a class="moz-txt-link-rfc2396E" href="mailto:license-review-request@lists.opensource.org"><license-review-request@lists.opensource.org></a></b>
wrote ----<br>
</div>
<br>
<blockquote style="margin: 0px;">
<div>Send License-review mailing list submissions to <br>
<a href="mailto:license-review@lists.opensource.org"
target="_blank" moz-do-not-send="true">license-review@lists.opensource.org</a>
<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit
<br>
<a
href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org"
target="_blank" moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
<br>
<br>
or, via email, send a message with subject or body 'help'
to <br>
<a
href="mailto:license-review-request@lists.opensource.org"
target="_blank" moz-do-not-send="true">license-review-request@lists.opensource.org</a>
<br>
<br>
You can reach the person managing the list at <br>
<a
href="mailto:license-review-owner@lists.opensource.org"
target="_blank" moz-do-not-send="true">license-review-owner@lists.opensource.org</a>
<br>
<br>
When replying, please edit your Subject line so it is more
specific <br>
than "Re: Contents of License-review digest..." <br>
<br>
<br>
Today's Topics: <br>
<br>
1. Re: GDPR compliance through software license terms?
(Re: <br>
Approval Request - ViraTrace Public Source License 1.0) <br>
(Roland Turner) <br>
<br>
<br>
---------------------------------------------------------------------- <br>
<br>
Message: 1 <br>
Date: Sat, 12 Dec 2020 16:10:43 +0800 <br>
From: Roland Turner <<a
href="mailto:roland@rolandturner.com" target="_blank"
moz-do-not-send="true">roland@rolandturner.com</a>> <br>
To: Wayne Thornton <<a href="mailto:wayne@viratrace.us"
target="_blank" moz-do-not-send="true">wayne@viratrace.us</a>>
<br>
Cc: License submissions for OSI review <br>
<<a
href="mailto:license-review@lists.opensource.org"
target="_blank" moz-do-not-send="true">license-review@lists.opensource.org</a>>
<br>
Subject: Re: [License-review] GDPR compliance through
software license <br>
terms? (Re: Approval Request - ViraTrace Public Source
License 1.0) <br>
Message-ID: <d174bbba<a
href="mailto:-0fac-0f3d-a00d-82f636c0e99a@rolandturner.com"
target="_blank" moz-do-not-send="true">-0fac-0f3d-a00d-82f636c0e99a@rolandturner.com</a>>
<br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
<br>
<br>
Hi Wayne, <br>
<br>
Thanks for your reply. <br>
<br>
In fact I only asked one question and ? although you
referred to it in <br>
your reply ? you don't appear to have addressed it. In
particular, GDPR <br>
creates non-delegable obligations for several classes of
actors <br>
(controllers, processors, authorities, DPOs, EDPB, ...),
none of which <br>
you appear to have addressed. So far as I've been able to
determine <br>
you've also not published elsewhere an analysis of the
compliance basis <br>
that you're claiming. You have asserted without evidence a
compliance <br>
determination of your software by the "Information
Commissioner?s Office <br>
for the EU" (which doesn't exist; presumably you mean the
UK?). I can <br>
find no evidence of such a determination, nor of any legal
basis for the <br>
ICO to make such a determination outside of a formal
investigation into <br>
a suspected infringement, and even then only into
compliance by a <br>
controller or processor, not by a piece of software. Have
you been the <br>
subject of a formal investigation? Is documentary evidence
of the <br>
determination public? Is it possible that you are instead
referring to <br>
simply registering a data processing operation with the
ICO, an <br>
operation which does not imply any GDPR compliance finding
on the ICO's <br>
part, whether of the registering organisation or a piece
of software? <br>
<br>
You are quite properly concerned about the protection of
individuals in <br>
the face of poorly-designed tracing support systems (or
straight-out <br>
tracking systems), even in places where health authorities
really should <br>
know better[1], let alone places lacking technical,
ethical, and legal <br>
expertise in personal data protection. Unfortunately your
approach <br>
amounts to an unaccountable private sector actor seeking
to insert <br>
itself into a position of control ? over national health
authorities no <br>
less ? while not taking on the obligations of a data
controller, an <br>
approach that is not at all compatible with GDPR. Even the
FSF refers to <br>
variants of the arrangement that you have in mind as
instruments of <br>
unjust power. Quite what government would be willing to
operate under <br>
these conditions is not clear. More likely they'll (a)
write their own, <br>
(b) approach you for a more appropriate license, or in
some cases (c) <br>
ignore your license. <br>
<br>
I'd suggest therefore that, even if borderline
ODS-compatibility were <br>
established, there isn't some enormous potential benefit
to individual <br>
or developer freedoms to weigh against a general
unwillingness to <br>
stretch the definition. Per the rest of the discussion,
however, the <br>
incompatibility with OSD appears extensive and likely
insurmountable <br>
anyway. I'd hazard a guess that part of the problem is
that no matter <br>
how well-intentioned your approach, it stems from basic <br>
misunderstandings about what OSI is about; in particular
your repeated <br>
reference to a "spirit of open source", rather than to OSD
and the <br>
freedoms that it seeks to sustain, etc. I'd guess that
what you're after <br>
is closer to various non-open-source "source-available"
schemes (e.g. <br>
Microsoft's Shared Source Initiative) in which source is
made available <br>
publicly with an automatic (non-negotiated,
non-registered) license <br>
grant, but under a license which keeps control very much
in its <br>
developer's hands. These are perfectly reasonable schemes
of course, but <br>
are not at all compatible with OSI's objectives and the
associated <br>
licenses are not candidates for OSI approval. <br>
<br>
Although I don't agree with it, your approach is an
interesting one and <br>
far less objectionable than the approaches that I
critiqued in my OSI <br>
SOTS talk[2] earlier this year. Thank you again for your
reply. <br>
<br>
- Roland <br>
<br>
<br>
1: Norway <br>
<<a
href="https://edpb.europa.eu/news/national-news/2020/temporary-suspension-norwegian-covid-19-contact-tracing-app_en"
target="_blank" moz-do-not-send="true">https://edpb.europa.eu/news/national-news/2020/temporary-suspension-norwegian-covid-19-contact-tracing-app_en</a>>
<br>
springs to mind. <br>
<br>
2: The critical importance of use-neutrality in F/OSS
licensing <br>
<<a href="https://rolandturner.com/sots/"
target="_blank" moz-do-not-send="true">https://rolandturner.com/sots/</a>>
<br>
<br>
------------------------------------------------------------------------
<br>
<br>
On 12/12/20 1:04 am, Wayne Thornton wrote: <br>
> <br>
> Hello Roland, <br>
> <br>
> <br>
> You raise an interesting set of questions and I will
admit that when <br>
> it comes to the ?ins-and-outs? of GDPR and HIPPA
compliance, I am <br>
> probably not as well versed as yourself or our
attorneys. That being <br>
> said, we at ViraTrace have from the very beginning
sought to ensure <br>
> that the products we develop for automated contact
tracing are the <br>
> most secure and privacy-protective on the market. <br>
> <br>
> <br>
> As you may be aware from your work with
TraceTogether, there is a <br>
> large percentage of the populations across the globe
who object to the <br>
> concept of automated contact tracing. These
objections are generally <br>
> centered around privacy. Here in the United States,
everyone is <br>
> concerned with government eavesdropping and
monitoring ? they think <br>
> that by using an automated contact tracing
application they are <br>
> providing the government with a means to track their
day-to-day <br>
> activities and to glean nefarious insights into that
data. This is of <br>
> course an oversimplification of the issues, but I
believe it is <br>
> nonetheless a powerful one. <br>
> <br>
> <br>
> My co-founders are citizens of former Eastern Bloc
countries and these <br>
> concerns are just as real for them as they are for
everyone else, if <br>
> not more so. Their countries are seeking to release
automated contact <br>
> tracing applications which have little to no privacy
protections for <br>
> users and then to make these applications mandatory,
and this has led <br>
> to backlash from the population. Although some of
this is a result of <br>
> rampant political corruption, a large portion of it
is the result of a <br>
> lack of knowledge on how to release something that is
more secure and <br>
> privacy-centric. This provided an opening for
ViraTrace to engage in <br>
> ongoing negotiations with these governments to
develop and maintain an <br>
> automated contact tracing solution. <br>
> <br>
> <br>
> The solutions and frameworks we have developed are
designed from the <br>
> ground-up to ensure end-users that their data is safe
and that <br>
> automated contact tracing is confidential, private
and secure from <br>
> governmental intrusion. <br>
> <br>
> <br>
> Thus far, we have developed: <br>
> <br>
> <br>
> 1)A cross-platform mobile application. <br>
> <br>
> 2)A cross-platform BLE/GPS/WiFi-baseddevice-to-device
communications <br>
> protocol for use in third-party automated contact
tracing applications. <br>
> <br>
> 3)A secure, delay tolerant communications protocol
for <br>
> device-to-secure enclave communications. <br>
> <br>
> 4)A second-generation mutli-node propogation
infection model which <br>
> utilizes distributed simulations to determine
infection risk for <br>
> users. This model has been peer reviewed by
professors at Oxford and <br>
> University of Torino and proven to be 85% more
effective than other <br>
> models and has already been deployed to over 150+
million users via <br>
> the Aarogya Setu app. <br>
> <br>
> 5)A secure enclave processing environment which is
designed to strip <br>
> confidential data obtained from the infection model
and our <br>
> communications protocol and output a cleansed and
sanitized data set <br>
> for analysis. <br>
> <br>
> 6)A web dashboard which allows government health
workers to utilize <br>
> the cleansed and sanitized data set and communicate
anonymously with <br>
> end users. <br>
> <br>
> <br>
> We have released (or are planning to release) each
and every one of <br>
> these technologies as open source for implementation
by anyone <br>
> developing contact tracing platforms. Because of the
nature of each <br>
> component being separate and designed to operate
independently, there <br>
> are a number of potential data privacy violations
that could be <br>
> introduced by downstream developers. <br>
> <br>
> <br>
> As the maintainer and inventor of the underlying
technologies, <br>
> ViraTrace believe we are responsible for ensuring
that data privacy <br>
> violations are not introduced and that end users of
automated contact <br>
> tracing applications enjoy aconsistent level of data
security and privacy. <br>
> <br>
> <br>
> This brings me to your specific question regarding
software license <br>
> terms as an element of compliance. <br>
> <br>
> <br>
> Our software is used as a means of processing data
that is protected <br>
> by GDPR and HIPPA. <br>
> <br>
> It is the position of ViraTrace that as a maintainer
and inventor of <br>
> these underlying technologies, the only way we can
ensure a consistent <br>
> level of data security and privacy for end users is
to include <br>
> provisions within our license that provide for
oversight consistent <br>
> with our goals. <br>
> <br>
> <br>
> The software we have, are and will release under the
proposed license <br>
> has undergone stringent legal review for both HIPPA
and GDPR <br>
> compliance in terms of automated contact tracing
applications. It has <br>
> been determined to be fully compliant with both
regulations by the <br>
> Information Commissioner?s Office for the EU and the
Attorney <br>
> General?s Office of the United States. <br>
> <br>
> <br>
> By including the provisions at issue within our
license, we ensure <br>
> that we remain responsible for legal compliance with
data privacy <br>
> regulations and that end users have a central point
of contact for <br>
> questions or concerns regardless of where or how, or
by whom the <br>
> technology is deployed. <br>
> <br>
> <br>
> Our review process as specified for in the proposed
license is used to <br>
> review the modifications and implementation of our
software source <br>
> code and to determine if it meets compliance
standards at every point <br>
> in a developer?s implementation. If it does not, the
license provides <br>
> a process by which the developer must rectify the
deficiencies or <br>
> withdraw the software from the market upon license
termination. <br>
> <br>
> <br>
> Although one could argue that it is the
responsibility of the party <br>
> deploying the automated contact tracing solution to
comply with data <br>
> privacy regulations in the means you describe, we
fully believe that <br>
> it is our responsibility to the end users, as the
maintainer and <br>
> inventor of the underlying technologies used for data
processing, to <br>
> ensure that the software we provide and that is
deployed basedon our <br>
> technologies remains fully compliant with GDPR and
HIPPA. <br>
> <br>
> We would acknowledge that this is not normal practice
within the <br>
> industry, but neither is it precluded. <br>
> <br>
> <br>
> Hopefully that helps answer questions. If not, you
can of course <br>
> respond within this thread or if you have other
questions or comments, <br>
> you may contact me directly at the number/email
within my signature below. <br>
> <br>
> <br>
> Best to you and yours. <br>
> <br>
> <br>
> Regards, <br>
> <br>
> Wayne M. Thornton, B.S., CPDT <br>
> Co-Founder & Project Manager <br>
> VIRATRACE? <br>
> 720-766-0254 ??Direct <br>
> <br>
> <a href="https://www.viratrace.o" target="_blank"
moz-do-not-send="true">https://www.viratrace.o</a> <<a
href="https://www.viratrace.org/" target="_blank"
moz-do-not-send="true">https://www.viratrace.org/</a>>rg
<br>
> <br>
> ? <br>
> Be sure to join our Microsoft Teams <br>
> <<a
href="https://teams.microsoft.com/join/lw83179ktnqf"
target="_blank" moz-do-not-send="true">https://teams.microsoft.com/join/lw83179ktnqf</a>>?channel
for updates <br>
> and to contribute! <br>
> <br>
> This message is intended only for the individual or
entity to which it <br>
> is addressed. It may contain privileged, confidential
information <br>
> which is exempt from disclosure under applicable
laws. If you are not <br>
> the intended recipient, please note that you are
strictly <br>
> prohibited?from disseminating or distributing this
information (other <br>
> than to the intended recipient) or copying this
information. If you <br>
> have received this communication in error, please
notify us <br>
> immediately by e-mail. Thank you. <br>
> <br>
> <br>
> <br>
> ---- On Thu, 10 Dec 2020 20:39:10 -0700 *Roland
Turner <br>
> <<a href="mailto:roland@rolandturner.com"
target="_blank" moz-do-not-send="true">roland@rolandturner.com</a>>*
wrote ---- <br>
> <br>
> Hi Wayne, <br>
> <br>
> First, regarding rationale: Our company is in the
business of <br>
> creating frameworks and software products which
facilitate <br>
> automated contact tracing initiatives across the
globe. These <br>
> frameworks and products must be GDPR- and
HIPPA-compliant and <br>
> have been designed to be such, with strict, ongoing
legal <br>
> review processes undertaken to ensure this. The
frameworks and <br>
> products that we create are designed to be utilized
by <br>
> governmental agencies and private corporations in the
creation <br>
> of applications and platforms which aid in the fight
against <br>
> COVID-19 and future pandemic scenarios. In order for
this to <br>
> be of benefit, the frameworks and software we develop
must be <br>
> open source, so that the governmental agencies and
private <br>
> corporations can be free to utilize them.
Unfortunately, due <br>
> to the legal compliance issues vis-a-vis GDPR and
HIPPA, a <br>
> level of control regarding development must be
maintained. It <br>
> is our position that the GNU and other OSI-approved
licenses <br>
> do not provide this level of control. <br>
> <br>
> Others are addressing the appearance of a profound
incompatibility <br>
> between what you're proposing ("free to utilise" vs.
"level of <br>
> control [by Viratrace]") and the Open Source
Definition. <br>
> <br>
> I'm interested in the concept of software license
terms as an <br>
> element of GDPR compliance. Can you explain how you
see license <br>
> terms being a relevant part of this? It is my
understanding that <br>
> data protection law in most jurisdictions is about
the legal <br>
> obligations of organisations in control of personal
data both with <br>
> respect to that data and to people that it relates to
(and often <br>
> to regulators), and legal/contractual obligations of
other <br>
> organisations processing that data on their behalf;
software <br>
> licensors are not part of the picture. As neither
Viratrace nor <br>
> likely licensees would be looking to establish a <br>
> controller/processor relationship[1] through the
license, the <br>
> relevance is not immediately clear to me. <br>
> <br>
> (For a sense of where I'm coming from: <br>
> <br>
> * Although this is my first ever post to
license-review, I've <br>
> been involved in open-source license advocacy for
rather a <br>
> long time. It was I who initially proposed late last
century <br>
> (!) a multi-license approach for Mozilla. <br>
> * I serve as Chief Privacy Officer for my employer ?
a <br>
> specialist processor of personal data ? and in that
capacity <br>
> have assisted customers with data protection
obligations <br>
> across a dozen jurisdictions on four continents. <br>
> * Although the specific concerns of Free Software are
largely <br>
> out of scope here, I am an advocate of the approach
and have <br>
> spoken in public about the overlapping objectives of
Software <br>
> Freedom and of GDPR data subject rights. <br>
> * I am tangentially involved in Singapore's
TraceTogether <br>
> program as an independent expert, both on the
technology and <br>
> on personal data protection. <br>
> * I am working on a design for a system to extend
TraceTogether <br>
> which coincidentally also uses secure enclaves,
although for a <br>
> much simpler purpose that the one that you appear to
be pursuing.) <br>
> <br>
> <br>
> - Roland <br>
> <br>
> <br>
> 1: nor the analogous relationships in other
jurisdictions <br>
> <br>
> <br>
> <br>
> <br>
<br>
-------------- next part -------------- <br>
An HTML attachment was scrubbed... <br>
URL: <<a
href="http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20201212/6d02272c/attachment.html"
target="_blank" moz-do-not-send="true">http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20201212/6d02272c/attachment.html</a>>
<br>
<br>
------------------------------ <br>
<br>
Subject: Digest Footer <br>
<br>
_______________________________________________ <br>
License-review mailing list <br>
<a href="mailto:License-review@lists.opensource.org"
target="_blank" moz-do-not-send="true">License-review@lists.opensource.org</a>
<br>
<a
href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org"
target="_blank" moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
<br>
<br>
<br>
------------------------------ <br>
<br>
End of License-review Digest, Vol 97, Issue 18 <br>
********************************************** <br>
</div>
</blockquote>
</div>
<div><br>
</div>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
The opinions expressed in this email are those of the sender and not necessarily those of the Open Source Initiative. Communication from the Open Source Initiative will be sent from an opensource.org email address.
License-review mailing list
<a class="moz-txt-link-abbreviated" href="mailto:License-review@lists.opensource.org">License-review@lists.opensource.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Pamela S. Chestek
Chair, License Committee
Open Source Initiative</pre>
</body>
</html>