[License-review] For Approval: Twente License

Anand Chowdhary anandchowdhary at gmail.com
Wed Feb 6 16:02:17 UTC 2019


Hello again Carlo/Lukas,

There are a few things at play here which I want to target:

1. Open-source repository “A” is Twente licensed (say, a date/time library)
2. Open-source repository “B” is a fork of “A” with an additional feature (say, added support for multiple timezones), also Twente licensed
3. Proprietary application “C” uses “B” to show a UNIX timestamp formatted in the user’s specific timezone.

In this case, the following should apply:

• “C” does not have to be open-source, it just has to include the copyright and permission notices as in the MIT license
• “C” has to have a clear statement indicating a list of Data Controllers (as defined in the GDPR, essentially decision-making authorities on data processing) (should it also include the list of Data Processors? What is your opinion, Lukas? I think it should.)
• “B” continues to be an open-source project so it doesn’t need to include the aforementioned list, since just “code” doesn’t collect data, “products” do.

Lukas, in your previous email, you said “Unfortunately, that would make it very difficult to distribute binaries without taking on responsibilities as a Controller.” I am curious about why it would be hard to have a project like “B” and distribute binaries with a LICENSE.md file, or do you mean binaries of collected data, in which case I think it seems fair to add the sharees to the list.

I am thinking something along the lines of:

> The "Data Controller Statement" is a notice listing each Data Controller ("Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data). The above copyright notice, the Data Controller Statement, and this permission notice shall be included in all copies or substantial portions of the Software and the Derivative.

Again, I’m very grateful for all the insights and feedback I have received. I am highly motivated to make changes to this proposal and have a license people can actually use, promotes good (tm), and perhaps be OSI-compliant.

Best,

Anand Chowdhary
Chief Executive Officer
Oswald Labs

NL +31 644691056
IN +91 9555297989
ceo at oswaldlabs.com
On 6 Feb 2019, 16:05 +0100, Carlo Piana wrote:
>
> Anand,
>
> that's a very good suggestion, in my humble opinion. The implementation of that suggestion looks quite hard (details are important here), but anything along the lines of providing more information in the space where today we have proper attribution and reasonable copyright notice is less likely to be at odds with the OSD rules and principles, yes. I am currently working on where one can push the limit WRT AGPLv3, and there you can find guidance, methinks.
>
> Carlo
>
>
> On 06/02/19 15:30, Anand Chowdhary wrote:
> > Hi Lukas,
> >
> > Thank you for your thorough evaluation. I agree with you, especially how a better license can be created with transparency requirements. I will definitely think about this some more.
> >
> > Carlo, I would like to thank you once again for your in-depth explanation. Do you think your perspective changes with a transparency requirement, since there are no laws mandated?
> >
> > Best,
> >
> > Anand Chowdhary
> > Chief Executive Officer
> > Oswald Labs
> >
> > NL +31 644691056
> > IN +91 9555297989
> > ceo at oswaldlabs.com
> > On 6 Feb 2019, 15:11 +0100, Lukas Atkinson <opensource at lukasatkinson.de>, wrote:
> > > While any open source license expresses certain values, I do not think
> > > licenses are a good vehicle of ethics. To fulfil the goal of Twente,
> > > the next best available Open Source license would likely be a network
> > > copyleft like the AGPL: that way, end users can at least inspect the
> > > software they are using.
> > >
> > > Here, a problem is that the Twente License aims to regulate *use* of
> > > the software, not just the copying and modification of the software.
> > > I.e. it regulates something that is out of scope for copyright, and
> > > takes away rights that users would otherwise have. (Similar problems
> > > have been discussed regarding the SSPL). This is definitively an
> > > OSD-incompatible restriction in jurisdictions where these privacy
> > > rules wouldn't be mandatory anyway.
> > >
> > > I'd like to point out that even the EU is such a jurisdiction, as the
> > > Twente License has a weird intersection with the GDPR: Twente covers a
> > > more narrow area, but in that area is more restrictive.
> > > - Twente covers only collecting PII from users and releasing that data
> > > to third parties. GDPR covers any processing of any personal data, and
> > > has a clear concept of Data Processors that are not third parties.
> > > - Twente only recognizes consent as the basis for collection &
> > > release. GDPR also recognizes legitimate interest, necessity for
> > > fulfilment of a contract, and legal obligations (like a warrant, or
> > > maintaining accounting records).
> > > - Twente does not define critical terms such as user, PII, collect,
> > > consent, release, third party.
> > >
> > > In a literal reading of the Twente license, the privacy paragraph
> > > could be circumvented by running the Twente-covered software as a
> > > separate service so that it neither collects nor releases any data
> > > directly. If Twente's restrictions do not apply to the *software* but
> > > to the *operator* of the software, this makes it so much clearer that
> > > this is indeed an OSD #6 violation.
> > >
> > > I am also not sure whether Twente-covered software could realistically
> > > be used e.g. for e-commerce solutions due to the high bar that
> > > “unambiguous prior consent” represents, for example when sharing
> > > necessary data with a payment processor or logistics provider.
> > >
> > > I think it might be possible to construct a better license by dropping
> > > any usage restrictions and substituting transparency requirements.
> > > E.g. when the software is conveyed in non-source form or publicly
> > > performed so that others can interact with the software, then the
> > > software must provide (a) proper attribution like under the normal MIT
> > > license; and (b) a statement on who acts as a Data Controller in the
> > > sense of the GDPR. Unfortunately, that would make it very difficult to
> > > distribute binaries without taking on responsibilities as a
> > > Controller.
> > >
> > > _______________________________________________
> > > License-review mailing list
> > > License-review at lists.opensource.org
> > > http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org