[License-review] GDPR compliance through software license terms? (Re: Approval Request - ViraTrace Public Source License 1.0)

Lukas Atkinson opensource at lukasatkinson.de
Fri Dec 11 17:45:44 UTC 2020

Hello Wayne,

You clearly have the laudable goal of ensuring that your products provide a
high level of data protection. What confuses me is that you seek to extend
this high level of data protection to *other* products, in particular
modified versions of your software. While you connect this to legal
compliance, it clearly has a discriminatory effect (e.g. when considering
use in jurisdictions where neither GDPR nor HIPAA applies).

I've excerpted some parts of your response below:

> […] The solutions and frameworks we have developed are designed from the
> ground-up to ensure end-users that their data is safe and that automated
> contact tracing is confidential, private and secure from governmental
> intrusion.
> […] Because of the nature of each component being separate and designed to
> operate independently, there are a number of potential data privacy
> violations that could be introduced by downstream developers.

But downstream changes do not affect *your* software products!

As the maintainer and inventor of the underlying technologies, ViraTrace
> believe we are responsible for ensuring that data privacy violations are
> not introduced and that end users of automated contact tracing applications
> enjoy a  consistent level of data security and privacy.

You have this belief that you are responsible for all versions of your
software, including modifications by third parties. There is no reason to
do this, neither for Open Source reasons nor for GDPR compliance reasons.
At most I can see a public relations argument. However, this desire to
control the public image of your software clashes with the right to freely
use and modify the software, at least when using your proposed review

> This brings me to your specific question regarding software license terms
> as an element of compliance.
> Our software is used as a means of processing data that is protected by
> It is the position of ViraTrace that as a maintainer and inventor of these
> underlying technologies, the only way we can ensure a consistent level of
> data security and privacy for end users is to include provisions within our
> license that provide for oversight consistent with our goals.

But why is this the only way? Of course you can provide for a high level of
privacy for the software that *you* offer. But why do you also have to
offer this high level of privacy for software that *other* people offer?

Also, you see VIraTrace in a *special position as the “maintainer and
inventor”*. In an Open Source context, it is usually more appropriate to
see all contributors / copyright holders as *peers*. That's also one reason
why non-reusable licenses are problematic.

The general effect of the license *reminds me of the “Convertible Free
Software License”* that was reviewed on this list roughly 2 years ago. It
tried to give the “Original Authors” of the software control over the
direction of the project, including also a requirement for modifications to
be made available. That concept was widely criticized on this list and the
license was not approved. I wrote a summary of the discussion here:

The software we have, are and will release under the proposed license has
> undergone stringent legal review for both HIPPA and GDPR compliance in
> terms of automated contact tracing applications. It has been determined to
> be fully compliant with both regulations by the Information Commissioner’s
> Office for the EU and the Attorney General’s Office of the United States.

Maybe *your* version of the software was deemed compliant (though I don't
think the UK ICO offers such certifications, especially not for the EU…).
But you can't derive from this a duty to also ensure that other people's
modifications must also be compliant.

> By including the provisions at issue within our license, we ensure that we
> remain responsible for legal compliance with data privacy regulations and
> that end users have a central point of contact for questions or concerns
> regardless of where or how, or by whom the technology is deployed.

This seems like inserting yourself into a situation and causing an
unnecessary problem. Why do you want to provide end user support for other
software? If I offer an unrelated product that just copies a few utility
functions from one of your ViraTrace projects, do you really want to get
questions about the security of my product? Do you really want to have to
review my codebase? Do you consider yourself legally responsible, or just
morally responsible for the compliance of my unrelated product?

Our review process as specified for in the proposed license is used to
> review the modifications and implementation of our software source code and
> to determine if it meets compliance standards at every point in a
> developer’s implementation. If it does not, the license provides a process
> by which the developer must rectify the deficiencies or withdraw the
> software from the market upon license termination.
> Although one could argue that it is the responsibility of the party
> deploying the automated contact tracing solution to comply with data
> privacy regulations in the means you describe, we fully believe that it is
> our responsibility to the end users, as the maintainer and inventor of the
> underlying technologies used for data processing, to ensure that the
> software we provide and that is deployed based  on our technologies
> remains fully compliant with GDPR and HIPPA.
> We would acknowledge that this is not normal practice within the industry,
> but neither is it precluded.

Of course this is not precluded within the industry, but it causes problems
in the Open Source ecosystem. Again, you “believe” that you have a
particular responsibility, but this responsibility is clashing with the
concept of Open Source. I also think your stance is problematic from a GDPR
compliance perspective, though that's a discussion for a different venue.

*Here's how other projects do it:* everyone is free to modify the software.
But the modified software is not the same as the original software.
Instead, many licenses require modifications to be prominently noted, e.g.
per the Apache-2.0 license (which is the license used by the *Corona Warn
App*). Some projects might also control the public image of their software
using trademarks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20201211/3beb911f/attachment.html>

More information about the License-review mailing list