[License-discuss] For Public Comment: The Cryptographic Autonomy License

Henrik Ingo henrik.ingo at avoinelama.fi
Sat Mar 16 19:46:25 UTC 2019

Hi Van

Thanks for sharing such an interesting and fresh proposal for our
discussion. I choose this over Finnish Saturday Night Live any time!

*About the main goal of this proposal, User Data:*

It immediately stands out that this license also grants rights to third
parties. This is also novel, isn't it? Potential OSD issues come to mind if
this is seen as analogous to "you must also kill your cat" or "you must
also pay a fee to the MPEG-LA". But after sleeping on it, I do agree that
there will exist third parties who have such GDPR rights to their User
Data, without being users nor Licensees of the licensed work.

The Lawful Interest concept seems like an odd entry point. As an EU citizen
the GDPR grants me rights wrt my User Data, but a US citizen doesn't have
such rights (at least not for data that you have stored in a US based
company). Does this license grant me more rights than a US citizen? Or was
the intent to grant GDPR-like rights globally? I don't read the latter.

If the intent is the former, why is this license needed at all? EU already
ensures I have these rights.

Finally, if the intent is to enforce compliance with the GDPR, is that
against OSD#6? Can an open source license forbid use for illegal acts?

My conclusion: It would be better to write the license such that it grants
GDPR-like rights globally, also in cases where no Lawful Interest exists. I
don't know if that is feasible though. In particular, the license should be
able to stand on its own, and not sound like "you cannot break the law".

The definition of "User Data" could easily be misunderstood too narrowly as
data I have actively input into the system, such as via a form. I'm not so
familiar with the GDPR that I could propose better wording, sorry. But for
example, data Google collected about me, including from news sites, etc, is
surely covered by the GDPR. Also, I expect that GDPR also includes data
about me that the system has developed internally? (E.g. even if I had
never input such a fact into Facebook, and Facebook never output it, some
ML algorithm has probably inferred that I'm married to another FB user
called Sanna Ingo. This is User Data in European law.)

Btw, it's probably an oversight that the Licensee is not themselves a
beneficiary of the User Data rights. I would expect to see similar anti-DRM
measures as in GPLv3 to ensure that I can access both software and data on
a device I bought that has software with this license.

*About Public Performance*


First reaction is like "Convey" in GPLv3: Why can't you use existing
industry terminology instead of inventing new stuff that has no established
precedent? I would much prefer simple language like "if SaaS, you must ...".

If you hadn't introduced this as a network copyleft license, it would not
at all be obvious from the language. More specifically, "interface" can
mean a lot of things: 1) a GUI, 2) a REST APi, 3) a traditional API as in
Oracle vs Google.

1) seems like something for which Public Performance can apply. I can see
the GUI on my screen, much like a movie.
3) it's not at all obvious that you want or don't want this to be covered.
Note especially that such an "interface" may be copyrighted even if it
contains zero code from the licensed work. You'd probably have to spend a
few more words to explain what is affected by this license and how.

Second, about Public Performance:

I don't think this approach will work. You want to create a license with
conditions for SaaS usage. But Public Performance is much broader than
that. In Europe we have these collecting societies, several per country,
who have full time lawyers working to maximize compulsory licensing
revenue. In pursuit of this, they have been able to establish solid case
law, that the following are examples of public performance:
 * The GUI of the work is visible on a screen in the park and seen by a
hundred passers by
 * At a local programming club, I show a demo of my project that includes
the licensed work to 5 participants
 * The display in a Taxi is visible to the passanger, showing a GUI of a
CAL licensed Work
 * Same, but a pizza place and the GUI of the cash register
 * The TV menu in a hotel room

If any of the above "performers" failed to offer a copy of the source code
(and remember the attribution too!) to the passers by, passengers and hotel
guests, I can sue them for copyright infringement.

*Smaller comments:*

I basically fail to understand what you mean by "Compatible Open Source
License". If it's "any OSI approved Open Source license", then why not say
so? If you mean BSD and Apache style licenses, then compatibility is a
property of those, and mentioning this seems redundant? In any case, saying
"Open Source" without "OSI approved" feels undefined to me. A lot of people
claim all kinds of licenses as open source.

You'd better spell out General Data Protection Regulation and also add "of
the European Union".

2.4: Rather than an optional exception, I'd much prefer that you develop 2
or more separate licenses with clearly different names like is the case
with LGPL, GPĹ and AGPL. Now if I see that some software is licensed under
CAL, such as in a github label or search, I won't be able to tell what I
can do with that software.

Didn't read your entire blog post, but since this license clearly arises
out of EU context, at least some EU countries (maybe all?) don't register
copyrights as you can in the US.

Good night :-)

On Fri, Mar 15, 2019 at 6:32 PM VanL <van.lindberg at gmail.com> wrote:

> I have mentioned some time back that I was working on a new strong network
> copyleft license. The result is the Cryptographic Autonomy License, which I
> described at CopyleftConf. I wrote up an explainer laying out the legal
> rationales behind the CAL:
> https://www.processmechanics.com/2019/03/15/the-cryptographic-autonomy-license/
> Specifically of note are a) the use of patent rights to enforce copyleft,
> b) the use of the public performance right as the hook, and c) the
> definition of the "Work" as including interfaces.
> The CAL is a strongly pro-software-freedom license, and so, I would
> particularly welcome criticism by anyone coming from that perspective.
> Thanks,
> Van
> PS: The page at my blog is free software-friendly. There is no proprietary
> Javascript loaded by the page, and I have also included a PDF copy of the
> license for anyone who would prefer not to use the Google Docs link.
> _______________________________________________
> License-discuss mailing list
> License-discuss at lists.opensource.org
> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org

henrik.ingo at avoinelama.fi
+358-40-5697354        skype: henrik.ingo            irc: hingo

My LinkedIn profile: http://fi.linkedin.com/pub/henrik-ingo/3/232/8a7
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-discuss_lists.opensource.org/attachments/20190316/1bc10725/attachment-0001.html>

More information about the License-discuss mailing list