[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Pamela Chestek pamela at chesteklegal.com
Tue Dec 10 15:11:14 UTC 2019

On 12/10/2019 9:41 AM, Nigel T wrote:
> The *software is not a safety deposit box* because of the requirement
> that you must also return /"data has been generated by, for, or has
> been assigned to the Recipient"./ Safety deposit boxes don't generate
> new content for users. Software often does.
> Even ignoring generated data that you'd have to go through each and every
> UI screen and make sure all inputs provided by user are correctly
> mapped to an export field...and you have to do this every time you
> update from upstream.
> *If the original software cannot export all of the data required to
> meet the requirements of 4.2 then all subsequent users of the software
> are in breach of the license.* *This is a point that you continue to
> dance around.* You are handwaving significant legal and technical
> burden you are placing on users of CAL licensed software because you
> want to extend licensing requirements beyond open *source* into open
> *data* and non-technical users who just use the software out of the
> box don't control that at all. There are no exceptions for
> non-compliance of the original code in this license so it's *a
> compliance nightmare for every downstream user whether they change
> the code or not*.

Hi Nigel,

Can you help me understand your point better? Section 4.2.1 says
"Throughout any period in which You exercise any of the permissions
granted to You under this License, You must also provide to any
Recipient /to whom you provide services via the Work/, ... the
Recipient's User Data in your possession, /to the extent that such User
Data is available to You/ for use in conjunction with the Work."

I acknowledge your dislike of the ambiguity of "to the extent that such
User Data is available to You," but I'd like to put that point aside.
For the purposes of argument let's assume that it is an easily
ascertainable set of data, something like "any User Data you received in
plain text." The scenario is that I have received data about a Recipient
from upstream, and now I am providing services to that same Recipient,
which is the only situation in which I would have to provide User Data.
Is your point that the program architecture may make it too difficult to
extract and provide the plain text that upstream provided to me? Is your
argument that there is something that is not open source about this
arrangement, or is it that the license will be used in situations for
which it is poorly suited?


Pamela S. Chestek
Chestek Legal
PO Box 2492
Raleigh, NC 27602
pamela at chesteklegal.com