[License-review] Request for approval by license steward: Tidepool Open Access to Health Data Software License
Brian Behlendorf
brian at behlendorf.com
Mon Oct 7 18:09:01 UTC 2013

Great to see a new license here which isn't about forging some new
"compromise" with proprietary models, but instead about asking whether
there are new kinds of rights worthy of protecting with the same kinds of
nuances and range that we've managed with protecting access to source code
and the rights to modify.

I find myself agreeing both with Nigel's description of need for an
exemption for research (unless you think they'll be happy with the GPL)
and Josh's suggestion that you look at this as all personal data, not just
"health" data. To the latter point, all data that is personal is also
arguably about health - from my diet and walking to location and mood. I
know your interests are specific and the examples are compelling, but it'd
be great to avoid a proliferation of licenses with the same terms only
because someone decided their personal data use cases weren't primarily
"health". Same reason we've tried to avoid vendor-specific licenses.

Notwithstanding statute and case law (since we ignore those all the time
here), there is a viewpoint that a mere copyright license is a weak tool
for compelling specific action, in this case making data available to
patients in specific ways. The GPL works well in compelling specific
action because those actions are limited to the two parties involved in
the transaction (licensor/licensee) and because the source code is shared
during the transaction as well (or provided through another means - at the
same time - for a reasonable fee). But, this specific action takes place
outside of the license transaction, and involves a third party - the
patient - which means it may be difficult to enforce, or police, and
difficult to nudge well-meaning but mistaken parties towards correct
behavior.

A better vehicle for this may be trademark. Establish a strong brand -
Tidepool, for instance - which stands unequivocally for patient access to
their own health data. Establish a standard for what that means, such
that for-profit vendors can pay you a fee to audit them against that
standard, in exchange for rights to use the brand. Perhaps you allow it
for use by small non-profits for free, based on self-certification, or
something. Then, patients and doctors will know when they use a
Tidepool-certified product, they can get access to the data. And, you
have a sustainable revenue model.

You could build upon that by offering a personal-health-record service,
under the Tidepool brand, that aggregates data from these different
devices and helps consumers make sense of it all (and at the very least
keep a backup). Because the APIs must be open, data is not trapped in
your silo, but the brand connection gives you an advantage when running
the service.

Finally, I'd say leave the software under the GPL, and offer corporations
allergic to the GPL a private contract to use your code, which is only
valid so long as they meet the certification. Or, they can use it under
the GPL without needing to share patient data, but they can *not* use the
Tidepool brand if they do so.

Thoughts?

Brian