[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Pamela Chestek pamela.chestek at opensource.org
Sun Feb 9 19:27:30 UTC 2020

To the Board of the OSI and the License-Review list:

Below is the recommendation of the License Committee of the Open Source
Initiative on the Cryptographic Autonomy License, Beta 4.


License: Cryptographic Autonomy License Beta 4 (Exhibit A)
Beta 2 August 22, 2019:

Beta 3 August 22, 2019:

Beta 4 December 4, 2019:

Decision due no later than the first Board meeting after January 4, 2020.

_License Review Committee Recommendation_:

/Resolved that it is the opinion of the OSI that the Cryptographic
Autonomy License Beta 4 be approved for the Uncategorized Licenses

_Rationale Document_

The four versions of the license submitted were heavily reviewed, in
discussion for five months with over 350 emails submitted to
license-review. The OSI Board reached out during its affiliate calls and
on Twitter to ensure that everyone was aware that the license was under
discussion in an effort to have as many participants as possible in the
discussion. The last email discussing the substance of the license was
on January 5, 2020, followed by a call for a straw poll on February 6,
2020. In response there were three “yes” answers and one “more
discussion needed.”

The following criticisms were raised in the review process and there
were strong views on both sides of many of them. The License Committee
considered all the arguments, occasionally asking for additional
information or clarification to ensure that the point was discussed
fully and the argument was clear. Ultimately, as explained below, the
License Committee did not view any of the criticisms as barriers to

/The CAL allows for assertion of copyright against APIs/. The license is
written so that the copyleft obligation reaches to the full extent of
the licensor’s copyright rights. As a comparison, the GPL imposes
copyleft only when software is distributed, not when it is used in other
ways that might nevertheless also implicate copyright, such as making
available over a network. While the reach of the copyleft in this
license is very far, it is not conceptually any further than some other
approved network copyleft licenses. The reach of the copyleft is also
dependent on the interpretation of the rights of copyright under each
country’s laws, so the copyleft effect will be limited by how each
country interprets copyright rights.

/The CAL applies to data, not just software/. The data aspect of the
license is narrowly written to only apply where the absence of data will
prevent the reimplementation of the software by another, as seen in the
definition of “User Data”: “any data that is an input to or an output
from the Work, where the presence of the data is necessary for
substantially identical use of the Work in an equivalent context chosen
by the Recipient, and where the Recipient has an existing ownership
interest, an existing right to possess, or where the data has been
generated by, for, or has been assigned to the Recipient.” Section 4.2.
This requirement is consistent with the anti-Tivoization principle in
the family of GNU Public Licenses version 3.

/A private user of the software still has a burden, to provide User
Data/. This is incorrect; the duty to provide User Data applies only if the
software is used to provide services to a Recipient. Section 4.2.1.

/The terms "fully use an independent copy" and "substantially identical
use of the work" are ambiguous/. It is not possible to anticipate and
then dictate the outcome for every potential factual situation. Written
legal documents commonly use words that allow for the construction of a
more exact scope when the context is known.

/The CAL allows the licensor to prevent competitive implementations
through the use of patents, and the license steward’s client would be
motivated to do so to avoid sequestration of data by another/. Patents
can be used to prevent a competitive implementation no matter what the
open source license is, and different licensors may have different
interests they wish to protect, using their patents to do so. The CAL is
no different from other open source licenses in this respect.

/A recipient of the source code and User Data may not know whether they
are complying with Section 4.2/. Section 4.2.1 requires the disclosure
of User Data only where the software user is providing services to a
Recipient and only to the extent that the User Data is available to
them. This is not an unduly onerous requirement.

/Providing User Data is too burdensome, particularly for less
sophisticated users/. All open source licenses have a compliance burden,
some significant. This burden was not seen as overly burdensome given
the goal of the license to avoid sequestration of User Data.

/The CAL can be exploited in a dual-licensing scheme/. Copyleft licenses
have been exploited in dual licensing schemes for over a decade. This
license is unlikely to increase the behavior and the risk is tolerable
given the potential benefit to software freedom this license offers.

There were also objections raised about the OSI’s review process itself,
which are not pertinent to the substance of the license.

_Exhibit A_

# Cryptographic Autonomy License version 1.0
*This Cryptographic Autonomy License (the “License”) applies to any Work
whose owner has marked it with any of the following notices:*
*“Licensed under the Cryptographic Autonomy License version 1.0,” or
“SPDX-License-Identifier: CAL-1.0,” or*
*“Licensed under the Cryptographic Autonomy License version 1.0, with
Combined Work Exception,” or*
*“SPDX-License-Identifier: CAL-1.0-With-Exception”.*
## 1. Purpose
This License gives You unlimited permission to use and modify the
software to which it applies (the “Work”), either as-is or in modified
form, for Your private purposes, while protecting the owners and
contributors to the software from liability. 
This License also strives to protect the freedom and autonomy of third
parties who receive the Work from you.  If any non-affiliated third
party receives any part, aspect, or element of the Work from You, this
License requires that You provide that third party all the permissions
and materials needed to independently use and modify the Work without
that third party having a loss of data or capability due to your actions.
The full permissions, conditions, and other terms are laid out below.
## 2. Receiving a License
In order to receive this License, You must agree to its rules. The rules
of this License are both obligations of Your agreement with the Licensor
and conditions to your License. You must not do anything with the Work
that triggers a rule You cannot or will not follow. 
###    2.1. Application
The terms of this License apply to the Work as you receive it from
Licensor, as well as to any modifications, elaborations, or
implementations created by You that contain any licenseable portion of
the Work (a “Modified Work”). Unless specified, any reference to the
Work also applies to a Modified Work.
###    2.2. Offer and Acceptance
This License is automatically offered to every person and organization.
You show that you accept this License and agree to its conditions by
taking any action with the Work that, absent this License, would
infringe any intellectual property right held by Licensor. 
###    2.3. Compliance and Remedies
Any failure to act according to the terms and conditions of this License
places Your use of the Work outside the scope of the License and
infringes the intellectual property rights of the Licensor. In the event
of infringement, the terms and conditions of this License may be
enforced by Licensor under the intellectual property laws of any
jurisdiction to which You are subject. You also agree that either the
Licensor or a Recipient (as an intended third-party beneficiary) may
enforce the terms and conditions of this License against You via
specific performance.
## 3. Permissions and Conditions
###    3.1. Permissions Granted
Conditioned on compliance with section 4, and subject to the limitations
of section 3.2, Licensor grants You the world-wide, royalty-free,
non-exclusive permission to:
  > a) Take any action with the Work that would infringe the non-patent
intellectual property laws of any jurisdiction to which You are subject; and
  > b) Take any action with the Work that would infringe any patent
claims that Licensor can license or becomes able to license, to the
extent that those claims are embodied in the Work as distributed by
###    3.2. Limitations on Permissions Granted
The following limitations apply to the permissions granted in section 3.1: 
  > a) Licensor does not grant any patent license for claims that are
only infringed due to modification of the Work as provided by Licensor,
or the combination of the Work as provided by Licensor, directly or
indirectly, with any other component, including other software or hardware.
  > b) Licensor does not grant any license to the trademarks, service
marks, or logos of Licensor, except to the extent necessary to comply
with the attribution conditions in section 4.1 of this License.
## 4. Conditions
If You exercise any permission granted by this License, such that the
Work, or any part, aspect, or element of the Work, is distributed,
communicated, made available, or made perceptible to a non-Affiliate
third party (a “Recipient”), either via physical delivery or via a
network connection to the Recipient, You must comply with the following
###    4.1. Provide Access to Source Code
Subject to the exception in section 4.4, You must provide to each
Recipient a copy of, or no-charge unrestricted network access to, the
Source Code corresponding to the Work.
The “Source Code” of the Work means the form of the Work preferred for
making modifications, including any comments, configuration information,
documentation, help materials, installation instructions, cryptographic
seeds or keys, and any information reasonably necessary for the
Recipient to independently compile and use the Source Code and to have
full access to the functionality contained in the Work.
####    4.1.1. Providing Network Access to the Source Code
Network access to the Notices and Source Code may be provided by You or
by a third party, such as a public software repository, and must persist
during the same period in which You exercise any of the permissions
granted to You under this License and for at least one year thereafter.
####    4.1.2. Source Code for a Modified Work
Subject to the exception in section 4.5, You must provide to each
Recipient of a Modified Work Access to Source Code corresponding to
those portions of the Work remaining in the Modified Work as well as the
modifications used by You to create the Modified Work. The Source Code
corresponding to the modifications in the Modified Work must be provided
to the Recipient either a) under this License, or b) under a Compatible
Open Source License.
A “Compatible Open Source License” means a license accepted by the Open
Source Initiative that allows object code created using both Source Code
provided under this License and Source Code provided under the other
open source license to be distributed together as a single work.
####    4.1.3. Coordinated Disclosure of Security Vulnerabilities
You may delay providing the Source Code corresponding to a particular
modification of the Work for up to ninety (90) days (the “Embargo
Period”) if:
  > a) the modification is intended to address a newly-identified
vulnerability or a security flaw in the Work, 
  > b) disclosure of the vulnerability or security flaw before the end
of the Embargo Period would put the data, identity, or autonomy of one
or more Recipients of the Work at significant risk,
  > c) You are participating in a coordinated disclosure of the
vulnerability or security flaw with one or more additional Licensees, and 
  > d) Access to the Source Code pertaining to the modification is
provided to all Recipients at the end of the Embargo Period.
###    4.2. Maintain User Autonomy
In addition to providing each Recipient the opportunity to have Access
to the Source Code, You cannot use the permissions given under this
License to interfere with a Recipient’s ability to fully use an
independent copy of the Work generated from the Source Code You provide
with the Recipient’s own User Data.
“User Data” means any data that is an input to or an output from the
Work, where the presence of the data is necessary for substantially
identical use of the Work in an equivalent context chosen by the
Recipient, and where the Recipient has an existing ownership interest,
an existing right to possess, or where the data has been generated by,
for, or has been assigned to the Recipient.
####    4.2.1. No Withholding User Data
Throughout any period in which You exercise any of the permissions
granted to You under this License, You must also provide to any
Recipient to whom you provide services via the Work, a no-charge copy,
provided in a commonly used electronic form, of the Recipient’s User
Data in your possession, to the extent that such User Data is available
to You for use in conjunction with the Work. 
####    4.2.2. No Technical Measures that Limit Access
You may not, by means of the use cryptographic methods applied to
anything provided to the Recipient, by possession or control of
cryptographic keys, seeds, hashes, by any other technological protection
measures, or by any other method, limit a Recipient’s ability to access
any functionality present in Recipient's independent copy of the Work,
or to deny a Recipient full control of the Recipient’s User Data.
####    4.2.3. No Legal or Contractual Measures that Limit Access
You may not contractually restrict a Recipient's ability to
independently exercise the permissions granted under this License. You
waive any legal power to forbid circumvention of technical protection
measures that include use of the Work, and You waive any claim that the
capabilities of the Work were limited or modified as a means of
enforcing the legal rights of third parties against Recipients.
###    4.3. Provide Notices and Attribution
You must retain all licensing, authorship, or attribution notices
contained in the Source Code (the “Notices”), and provide all such
Notices to each Recipient, together with a statement acknowledging the
use of the Work. Notices may be provided directly to a Recipient or via
an easy-to-find hyperlink to an Internet location also providing Access
to Source Code.
###    4.4. Scope of Conditions in this License
You are required to uphold the conditions of this License only relative
to those who are Recipients of the Work from You.  Other than providing
Recipients with the applicable Notices, Access to Source Code, and a
copy of and full control of their User Data, nothing in this License
requires You to provide processing services to or engage in network
interactions with anyone.
###    4.5. Combined Work Exception
As an exception to condition that You provide Recipients Access to
Source Code, any Source Code files marked by the Licensor as having the
“Combined Work Exception,” or any object code exclusively resulting from
Source Code files so marked, may be combined with other Software into a
“Larger Work.” So long as you comply with the requirements to provide
Recipients the applicable Notices and Access to the Source Code provided
to You by Licensor, and you provide Recipients access to their User Data
and do not limit Recipient’s ability to independently work with their
User Data, any other Software in the Larger Work as well as the Larger
Work as a whole may be licensed under the terms of your choice.
## 5. Term and Termination
The term of this License begins when You receive the Work, and continues
until terminated for any of the reasons described herein, or until all
Licensor’s intellectual property rights in the Software expire,
whichever comes first (“Term”). This License cannot be revoked, only
terminated for the reasons listed below.
###    5.1. Effect of Termination
If this License is terminated for any reason, all permissions granted to
You under Section 3 by any Licensor automatically terminate. You will
immediately cease exercising any permissions granted in this License
relative to the Work, including as part of any Modified Work.
###    5.2. Termination for Non-Compliance; Reinstatement
This License terminates automatically if You fail to comply with any of
the conditions in section 4. As a special exception to termination for
non-compliance, Your permissions for the Work under this License will
automatically be reinstated if You come into compliance with all the
conditions in section 2 within sixty (60) days of being notified by
Licensor or an intended third party beneficiary of Your noncompliance.
You are eligible for reinstatement of permissions for the Work one time
only, and only for the sixty days immediately after becoming aware of
noncompliance. Loss of permissions granted for the Work under this
License due to either a) sustained noncompliance lasting more than sixty
days or b) subsequent termination for noncompliance after reinstatement,
is permanent, unless rights are specifically restored by Licensor in
###    5.3. Termination Due to Litigation
If You initiate litigation against Licensor, or any Recipient of the
Work, either direct or indirect, asserting that the Work directly or
indirectly infringes any patent, then all permissions granted to You by
this License shall terminate. In the event of termination due to
litigation, all permissions validly granted by You under this License,
directly or indirectly, shall survive termination. Administrative review
procedures, declaratory judgment actions, counterclaims in response to
patent litigation, and enforcement actions against former Licensees
terminated under this section do not cause termination due to litigation.
## 6. Disclaimer of Warranty and Limit on Liability
As far as the law allows, the Work comes AS-IS, without any warranty of
any kind, and no Licensor or contributor will be liable to anyone for
any damages related to this software or this license, under any kind of
legal claim, or for any type of damages, including indirect, special,
incidental, or consequential damages of any type arising as a result of
this License or the use of the Work including, without limitation,
damages for loss of goodwill, work stoppage, computer failure or
malfunction, loss of profits, revenue, or any and all other commercial
damages or losses.
## 7. Other Provisions
###    7.1. Affiliates
An “Affiliate” means any other entity that, directly or indirectly
through one or more intermediaries, controls, is controlled by, or is
under common control with, the Licensee. Employees of a Licensee and
natural persons acting as contractors exclusively providing services to
Licensee are also Affiliates.
###    7.2. Choice of Jurisdiction and Governing Law
A Licensor may require that any action or suit by a Licensee relating to
a Work provided by Licensor under this License may be brought only in
the courts of a particular jurisdiction and under the laws of a
particular jurisdiction (excluding its conflict-of-law provisions), if
Licensor provides conspicuous notice of the particular jurisdiction to
all Licensees.
###    7.3. No Sublicensing
This License is not sublicensable. Each time You provide the Work or a
Modified Work to a Recipient, the Recipient automatically receives a
license under the terms described in this License. You may not impose
any further reservations, conditions, or other provisions on any
Recipients’ exercise of the permissions granted herein.
###    7.4. Attorneys' Fees 
In any action to enforce the terms of this License, or seeking damages
relating thereto, including by an intended third party beneficiary, the
prevailing party shall be entitled to recover its costs and expenses,
including, without limitation, reasonable attorneys' fees and costs
incurred in connection with such action, including any appeal of such
action. A “prevailing party” is the party that achieves, or avoids,
compliance with this License, including through settlement. This section
shall survive the termination of this License.
###    7.5. No Waiver 
Any failure by Licensor to enforce any provision of this License will
not constitute a present or future waiver of such provision nor limit
Licensor’s ability to enforce such provision at a later time.
###    7.6. Severability 
If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make it
enforceable. Any invalid or unenforceable portion will be interpreted to
the effect and intent of the original portion. If such a construction is
not possible, the invalid or unenforceable portion will be severed from
this License but the rest of this License will remain in full force and
###    7.7. License for the Text of this License
The text of this license is released under the Creative Commons
Attribution-ShareAlike 4.0 International License, with the caveat that
any modifications of this license may not use the name “Cryptographic
Autonomy License” or any name confusingly similar thereto to describe
any derived work of this License.

Pamela Chestek
Chair, License Review Committee
Open Source Initiative

On 12/4/2019 3:29 PM, VanL wrote:
> Based upon ongoing discussions with the license review committee, I am
> withdrawing Beta 3 and substituting Beta 4 (here attached).
> The primary change between Beta 3 and Beta 4 is the definition of
> "User Data."
> My understanding of OSI's position is that data requirements, such as
> are addressed by the CAL, are within scope of what an open source
> license can reasonably address. However, there was a request by the
> committee to more tightly define the definition of "User Data" so that
> it was more closely tied to function and experience of using the
> software by a user who chooses to self-host.
> In consultation with my client, we have proposed and received positive
> feedback on the following modified definition of User Data (most
> significant change bolded):
> “User Data” means any data that is an input to or an output from the
> Work, *where the presence of the data is necessary for substantially
> identical use of the Work in an equivalent context chosen by the
> Recipient*, and where the Recipient has an existing ownership
> interest, an existing right to possess, or where the data has been
> generated by, for, or has been assigned to the Recipient.
> There are also a few cleanups and the following minor but substantive
> changes:
> - Section 7.4, There is a definition of "prevailing party" for
> attorney fee awards (" A “prevailing party” is the party that
> achieves, or avoids, compliance with this License, including through
> settlement.")
> - Section 5.3, Enforcing against a terminated licensee does not cause
> termination for the license-enforcing party  ("Administrative review
> procedures, declaratory judgment actions, counterclaims in response to
> patent litigation, and enforcement actions against former Licensees
> terminated under this section do not cause termination due to
> litigation.")
> All other discussion regarding CAL Betas 2 and 3 should apply.
> From the original submission:
> /Rationale:/ The CAL is a new network copyleft license especially
> applicable for distributed systems. It is designed to be as protective
> as possible of downstream recipients of the software, providing them
> all that they need to create and use an independent copy of a licensed
> work without losing functionality or data.
> /Distinguish:/ The CAL is most similar to the AGPL, and will have a
> similar scope of action in most cases. However, the CAL has provisions
> that require that operators provide recipients of the software with a
> copy of their user data, enhancing their ability to independently use
> the software. The CAL also allows the creation of mixed "Larger
> Works," provides for affiliate use, and does not specify a mechanism
> by which notice is given to recipients.
> /Legal Analysis/: The CAL was drafted by legal counsel. Previous
> discussions have outlined many aspects of the legal analysis.
> A copy of the license in Markdown format is attached. For those who
> would prefer it, a Google Docs version of the license is viewable
> here: 
> https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing