[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Pamela Chestek pamela.chestek at opensource.org
Fri Feb 14 17:38:21 UTC 2020


At the Board meeting of February 14, 2020, the Board of the Open Source
Initiative approved the Cryptographic Autonomy License, Beta 4. The
Board discussed the additional emails sent after the License Committee
made its recommendation to the Board and found that they did not raise
issues not previously considered. The vote was 8 in favor of approval, 0
opposed, 1 abstention, and 2 members not present.

Pam

Pamela Chestek
Chair, License Review committee
Open Source Initiative

On 2/9/2020 2:27 PM, Pamela Chestek wrote:
> To the Board of the OSI and the License-Review list:
>
> Below is the recommendation of the License Committee of the Open
> Source Initiative on the Cryptographic Autonomy License, Beta 4.
>
> ****
>
> License: Cryptographic Autonomy License Beta 4 (Exhibit A)
> Submitted:
> Beta 2 August 22, 2019:
> http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html
>
> Beta 3 August 22, 2019:
> http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-August/004310.html;
>
> Beta 4 December 4, 2019:
> http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-December/004455.html
>
>
> Decision due no later than the first Board meeting after January 4, 2020.
>
> _License Review Committee Recommendation_:
>
> /Resolved that it is the opinion of the OSI that the Cryptographic
> Autonomy License Beta 4 be approved for the Uncategorized Licenses
> category./
>
> _Rationale Document__
> _
> _Notes_:
>
> The four versions of the license submitted were heavily reviewed, in
> discussion for five months with over 350 emails submitted to
> license-review. The OSI Board reached out during its affiliate calls
> and on Twitter to ensure that everyone was aware that the license was
> under discussion in an effort to have as many participants as possible
> in the discussion. The last email discussing the substance of the
> license was on January 5, 2020, followed by a call for a straw poll on
> February 6, 2020. In response there were three “yes” answers and one
> “more discussion needed.”
>
> The following criticisms were raised in the review process and there
> were strong views of both sides of many of them. The License Committee
> considered all the arguments, occasionally asking for additional
> information or clarification to ensure that the point was discussed
> fully and the argument was clear. Ultimately, as explained below, the
> License Committee did not view any of the criticisms as barriers to
> approval.
>
> /The CAL allows for assertion of copyright against APIs/. The license
> is written so that the copyleft obligation reaches to the full extent
> of the licensor’s copyright rights. As a comparison, the GPL imposes
> copyleft only when software is distributed, not when it is used in
> other ways that might nevertheless also implicate copyright, such as
> making available over a network. While the reach of the copyleft in
> this license is very far, it is not conceptually any further than some
> other approved network copyleft licenses. The reach of the copyleft is
> also dependent on the interpretation of the rights of copyright under
> each countries’ laws, so the copyleft effect will be limited by how
> each country interprets copyright rights.
>
> /The CAL applies to data, not just software/. The data aspect of the
> license is narrowly written to only apply where the absence of data
> will prevent the reimplementation of the software by another, as seen
> in the definition of “User Data”: “any data that is an input to or an
> output from the Work, where the presence of the data is necessary for
> substantially identical use of the Work in an equivalent context
> chosen by the Recipient, and where the Recipient has an existing
> ownership interest, an existing right to possess, or where the data
> has been generated by, for, or has been assigned to the Recipient.”
> Section 4.2. This requirement is consistent with the anti-Tivoization
> principle in the family of GNU Public LIcenses version 3.
>
> /A private user of the software still has a burden, to provide User
> Data/. This is incorrect, the duty to provide User Data is only if the
> software is used to provide services to a Recipient. Section 4.2.1.
>
> /The terms "fully use an independent copy" and "substantially
> identical use of the work" are ambiguous/. It is not possible to
> anticipate and then dictate the outcome for every potential factual
> situation. Written legal documents commonly use words that allow for
> the construction of a more exact scope when the context is known.
>
> /The CAL allows the licensor to prevent competitive implementations
> through the use of patents, and the license steward’s client would be
> motivated to do so to avoid sequestration of data by another/. Patents
> can be used to prevent a competitive implementation no matter what the
> open source license is, and different licensors may have different
> interests they wish to protect, using their patents to do so. The CAL
> is no different from other open source licenses in this respect.
>
> /A recipient of the source code and User Data may not know whether
> they are complying with Section 4.2/. Section 4.2.1 requires the
> disclosure of User Data only where the software user is providing
> services to a Recipient and only to the extent that the User Data is
> available to them. This is not an unduly onerous requirement.
>
> /Providing User Data is too burdensome, particularly for less
> sophisticated users/. All open source licenses have a compliance
> burden, some significant. This burden was not seen as overly
> burdensome given the goal of the license to avoid sequestration of
> User Data.
>
> /The CAL can be exploited in a dual-licensing scheme/. Copyleft
> licenses have been exploited in dual licensing schemes for over a
> decade. This license is unlikely to increase the behavior and the risk
> is tolerable given the potential benefit to software freedom this
> license offers.
>
> There were also objections raised about the OSI’s review process
> itself, which are not pertinent to the substance of the license.
>
> _Exhibit A_
>
> #Cryptographic Autonomy License version 1.0
>  
> *This Cryptographic Autonomy License (the “License”) applies to any
> Work whose owner has marked it with any of the following notices:*
>  
> *“Licensed under the Cryptographic Autonomy License version 1.0,” or
> “SPDX-License-Identifier: CAL-1.0,” or*
>  
> *“Licensed under the Cryptographic Autonomy License version 1.0, with
> Combined Work Exception,” or*
>  
> *“SPDX-License-Identifier: CAL-1.0-With-Exception”.*
> _________________________________________________________________
>  
>  
> ## 1. Purpose
> This License gives You unlimited permission to use and modify the
> software to which it applies (the “Work”), either as-is or in modified
> form, for Your private purposes, while protecting the owners and
> contributors to the software from liability. 
>  
> This License also strives to protect the freedom and autonomy of third
> parties who receive the Work from you.  If any non-affiliated third
> party receives any part, aspect, or element of the Work from You, this
> License requires that You provide that third party all the permissions
> and materials needed to independently use and modify the Work without
> that third party having a loss of data or capability due to your actions.
>  
> The full permissions, conditions, and other terms are laid out below.
>  
> ## 2. Receiving a License
> In order to receive this License, You must agree to its rules. The
> rules of this License are both obligations of Your agreement with the
> Licensor and conditions to your License. You must not do anything with
> the Work that triggers a rule You cannot or will not follow. 
>  
> ###    2.1. Application
> The terms of this License apply to the Work as you receive it from
> Licensor, as well as to any modifications, elaborations, or
> implementations created by You that contain any licenseable portion of
> the Work (a “Modified Work”). Unless specified, any reference to the
> Work also applies to a Modified Work.
>  
> ###    2.2. Offer and Acceptance
> This License is automatically offered to every person and
> organization. You show that you accept this License and agree to its
> conditions by taking any action with the Work that, absent this
> License, would infringe any intellectual property right held by
> Licensor. 
> ###    2.3. Compliance and Remedies
> Any failure to act according to the terms and conditions of this
> License places Your use of the Work outside the scope of the License
> and infringes the intellectual property rights of the Licensor. In the
> event of infringement, the terms and conditions of this License may be
> enforced by Licensor under the intellectual property laws of any
> jurisdiction to which You are subject. You also agree that either the
> Licensor or a Recipient (as an intended third-party beneficiary) may
> enforce the terms and conditions of this License against You via
> specific performance.
>  
> ## 3. Permissions and Conditions
> ###    3.1. Permissions Granted
> Conditioned on compliance with section 4, and subject to the
> limitations of section 3.2, Licensor grants You the world-wide,
> royalty-free, non-exclusive permission to:
>   > a) Take any action with the Work that would infringe the
> non-patent intellectual property laws of any jurisdiction to which You
> are subject; and
>  
>   > b) Take any action with the Work that would infringe any patent
> claims that Licensor can license or becomes able to license, to the
> extent that those claims are embodied in the Work as distributed by
> Licensor.
>  
> ###    3.2. Limitations on Permissions Granted
> The following limitations apply to the permissions granted in section
> 3.1: 
>   > a) Licensor does not grant any patent license for claims that are
> only infringed due to modification of the Work as provided by
> Licensor, or the combination of the Work as provided by Licensor,
> directly or indirectly, with any other component, including other
> software or hardware.
>  
>   > b) Licensor does not grant any license to the trademarks, service
> marks, or logos of Licensor, except to the extent necessary to comply
> with the attribution conditions in section 4.1 of this License.
>  
> ## 4. Conditions
> If You exercise any permission granted by this License, such that the
> Work, or any part, aspect, or element of the Work, is distributed,
> communicated, made available, or made perceptible to a non-Affiliate
> third party (a “Recipient”), either via physical delivery or via a
> network connection to the Recipient, You must comply with the
> following conditions: 
>  
> ###    4.1. Provide Access to Source Code
> Subject to the exception in section 4.4, You must provide to each
> Recipient a copy of, or no-charge unrestricted network access to, the
> Source Code corresponding to the Work.
>  
> The “Source Code” of the Work means the form of the Work preferred for
> making modifications, including any comments, configuration
> information, documentation, help materials, installation instructions,
> cryptographic seeds or keys, and any information reasonably necessary
> for the Recipient to independently compile and use the Source Code and
> to have full access to the functionality contained in the Work.
>  
> ####    4.1.1. Providing Network Access to the Source Code
> Network access to the Notices and Source Code may be provided by You
> or by a third party, such as a public software repository, and must
> persist during the same period in which You exercise any of the
> permissions granted to You under this License and for at least one
> year thereafter.
>  
> ####    4.1.2. Source Code for a Modified Work
> Subject to the exception in section 4.5, You must provide to each
> Recipient of a Modified Work Access to Source Code corresponding to
> those portions of the Work remaining in the Modified Work as well as
> the modifications used by You to create the Modified Work. The Source
> Code corresponding to the modifications in the Modified Work must be
> provided to the Recipient either a) under this License, or b) under a
> Compatible Open Source License.
>  
> A “Compatible Open Source License” means a license accepted by the
> Open Source Initiative that allows object code created using both
> Source Code provided under this License and Source Code provided under
> the other open source license to be distributed together as a single work.
>  
> ####    4.1.3. Coordinated Disclosure of Security Vulnerabilities
> You may delay providing the Source Code corresponding to a particular
> modification of the Work for up to ninety (90) days (the “Embargo
> Period”) if:
>  
>   > a) the modification is intended to address a newly-identified
> vulnerability or a security flaw in the Work, 
>  
>   > b) disclosure of the vulnerability or security flaw before the end
> of the Embargo Period would put the data, identity, or autonomy of one
> or more Recipients of the Work at significant risk,
>   
>   > c) You are participating in a coordinated disclosure of the
> vulnerability or security flaw with one or more additional Licensees,
> and 
>  
>   > d) Access to the Source Code pertaining to the modification is
> provided to all Recipients at the end of the Embargo Period.
>  
> ###    4.2. Maintain User Autonomy
> In addition to providing each Recipient the opportunity to have Access
> to the Source Code, You cannot use the permissions given under this
> License to interfere with a Recipient’s ability to fully use an
> independent copy of the Work generated from the Source Code You
> provide with the Recipient’s own User Data.
>  
> “User Data” means any data that is an input to or an output from the
> Work, where the presence of the data is necessary for substantially
> identical use of the Work in an equivalent context chosen by the
> Recipient, and where the Recipient has an existing ownership interest,
> an existing right to possess, or where the data has been generated by,
> for, or has been assigned to the Recipient.
>  
> ####    4.2.1. No Withholding User Data
> Throughout any period in which You exercise any of the permissions
> granted to You under this License, You must also provide to any
> Recipient to whom you provide services via the Work, a no-charge copy,
> provided in a commonly used electronic form, of the Recipient’s User
> Data in your possession, to the extent that such User Data is
> available to You for use in conjunction with the Work. 
>  
> ####    4.2.2. No Technical Measures that Limit Access
> You may not, by means of the use cryptographic methods applied to
> anything provided to the Recipient, by possession or control of
> cryptographic keys, seeds, hashes, by any other technological
> protection measures, or by any other method, limit a Recipient’s
> ability to access any functionality present in Recipient's independent
> copy of the Work, or to deny a Recipient full control of the
> Recipient’s User Data.
>  
> ####    4.2.3. No Legal or Contractual Measures that Limit Access
> You may not contractually restrict a Recipient's ability to
> independently exercise the permissions granted under this License. You
> waive any legal power to forbid circumvention of technical protection
> measures that include use of the Work, and You waive any claim that
> the capabilities of the Work were limited or modified as a means of
> enforcing the legal rights of third parties against Recipients.
>  
> ###    4.3. Provide Notices and Attribution
> You must retain all licensing, authorship, or attribution notices
> contained in the Source Code (the “Notices”), and provide all such
> Notices to each Recipient, together with a statement acknowledging the
> use of the Work. Notices may be provided directly to a Recipient or
> via an easy-to-find hyperlink to an Internet location also providing
> Access to Source Code.
>  
> ###    4.4. Scope of Conditions in this License
> You are required to uphold the conditions of this License only
> relative to those who are Recipients of the Work from You.  Other than
> providing Recipients with the applicable Notices, Access to Source
> Code, and a copy of and full control of their User Data, nothing in
> this License requires You to provide processing services to or engage
> in network interactions with anyone.
>  
> ###    4.5. Combined Work Exception
> As an exception to condition that You provide Recipients Access to
> Source Code, any Source Code files marked by the Licensor as having
> the “Combined Work Exception,” or any object code exclusively
> resulting from Source Code files so marked, may be combined with other
> Software into a “Larger Work.” So long as you comply with the
> requirements to provide Recipients the applicable Notices and Access
> to the Source Code provided to You by Licensor, and you provide
> Recipients access to their User Data and do not limit Recipient’s
> ability to independently work with their User Data, any other Software
> in the Larger Work as well as the Larger Work as a whole may be
> licensed under the terms of your choice.
>  
> ## 5. Term and Termination
> The term of this License begins when You receive the Work, and
> continues until terminated for any of the reasons described herein, or
> until all Licensor’s intellectual property rights in the Software
> expire, whichever comes first (“Term”). This License cannot be
> revoked, only terminated for the reasons listed below.
>  
> ###    5.1. Effect of Termination
> If this License is terminated for any reason, all permissions granted
> to You under Section 3 by any Licensor automatically terminate. You
> will immediately cease exercising any permissions granted in this
> License relative to the Work, including as part of any Modified Work.
>  
> ###    5.2. Termination for Non-Compliance; Reinstatement
> This License terminates automatically if You fail to comply with any
> of the conditions in section 4. As a special exception to termination
> for non-compliance, Your permissions for the Work under this License
> will automatically be reinstated if You come into compliance with all
> the conditions in section 2 within sixty (60) days of being notified
> by Licensor or an intended third party beneficiary of Your
> noncompliance. You are eligible for reinstatement of permissions for
> the Work one time only, and only for the sixty days immediately after
> becoming aware of noncompliance. Loss of permissions granted for the
> Work under this License due to either a) sustained noncompliance
> lasting more than sixty days or b) subsequent termination for
> noncompliance after reinstatement, is permanent, unless rights are
> specifically restored by Licensor in writing.
>  
> ###    5.3. Termination Due to Litigation
> If You initiate litigation against Licensor, or any Recipient of the
> Work, either direct or indirect, asserting that the Work directly or
> indirectly infringes any patent, then all permissions granted to You
> by this License shall terminate. In the event of termination due to
> litigation, all permissions validly granted by You under this License,
> directly or indirectly, shall survive termination. Administrative
> review procedures, declaratory judgment actions, counterclaims in
> response to patent litigation, and enforcement actions against former
> Licensees terminated under this section do not cause termination due
> to litigation.
>  
> ## 6. Disclaimer of Warranty and Limit on Liability
> As far as the law allows, the Work comes AS-IS, without any warranty
> of any kind, and no Licensor or contributor will be liable to anyone
> for any damages related to this software or this license, under any
> kind of legal claim, or for any type of damages, including indirect,
> special, incidental, or consequential damages of any type arising as a
> result of this License or the use of the Work including, without
> limitation, damages for loss of goodwill, work stoppage, computer
> failure or malfunction, loss of profits, revenue, or any and all other
> commercial damages or losses.
>  
> ## 7. Other Provisions
> ###    7.1. Affiliates
> An “Affiliate” means any other entity that, directly or indirectly
> through one or more intermediaries, controls, is controlled by, or is
> under common control with, the Licensee. Employees of a Licensee and
> natural persons acting as contractors exclusively providing services
> to Licensee are also Affiliates.
>  
> ###    7.2. Choice of Jurisdiction and Governing Law
> A Licensor may require that any action or suit by a Licensee relating
> to a Work provided by Licensor under this License may be brought only
> in the courts of a particular jurisdiction and under the laws of a
> particular jurisdiction (excluding its conflict-of-law provisions), if
> Licensor provides conspicuous notice of the particular jurisdiction to
> all Licensees.
>  
> ###    7.3. No Sublicensing
> This License is not sublicensable. Each time You provide the Work or a
> Modified Work to a Recipient, the Recipient automatically receives a
> license under the terms described in this License. You may not impose
> any further reservations, conditions, or other provisions on any
> Recipients’ exercise of the permissions granted herein.
>  
> ###    7.4. Attorneys' Fees 
> In any action to enforce the terms of this License, or seeking damages
> relating thereto, including by an intended third party beneficiary,
> the prevailing party shall be entitled to recover its costs and
> expenses, including, without limitation, reasonable attorneys' fees
> and costs incurred in connection with such action, including any
> appeal of such action. A “prevailing party” is the party that
> achieves, or avoids, compliance with this License, including through
> settlement. This section shall survive the termination of this License.
>  
> ###    7.5. No Waiver 
> Any failure by Licensor to enforce any provision of this License will
> not constitute a present or future waiver of such provision nor limit
> Licensor’s ability to enforce such provision at a later time.
>  
> ###    7.6. Severability 
> If any provision of this License is held to be unenforceable, such
> provision shall be reformed only to the extent necessary to make it
> enforceable. Any invalid or unenforceable portion will be interpreted
> to the effect and intent of the original portion. If such a
> construction is not possible, the invalid or unenforceable portion
> will be severed from this License but the rest of this License will
> remain in full force and effect.
>  
> ###    7.7. License for the Text of this License
> The text of this license is released under the Creative Commons
> Attribution-ShareAlike 4.0 International License, with the caveat that
> any modifications of this license may not use the name “Cryptographic
> Autonomy License” or any name confusingly similar thereto to describe
> any derived work of this License.
>
>
>
> Pamela Chestek
> Chair, License Review Committee
> Open Source Initiative
>
> On 12/4/2019 3:29 PM, VanL wrote:
>> Based upon ongoing discussions with the license review committee, I
>> am withdrawing Beta 3 and substituting Beta 4 (here attached).
>>
>> The primary change between Beta 3 and Beta 4 is the definition of
>> "User Data."
>>
>> My understanding of OSI's position is that data requirements, such as
>> are addressed by the CAL, are within scope of what an open source
>> license can reasonably address. However, there was a request by the
>> committee to more tightly define the definition of "User Data" so
>> that it was more closely tied to function and experience of using the
>> software by a user who chooses to self-host.
>>
>> In consultation with my client, we have proposed and received
>> positive feedback on the following modified definition of User Data
>> (most significant change bolded):
>>
>> “User Data” means any data that is an input to or an output from the
>> Work, *where the presence of the data is necessary for substantially
>> identical use of the Work in an equivalent context chosen by the
>> Recipient*, and where the Recipient has an existing ownership
>> interest, an existing right to possess, or where the data has been
>> generated by, for, or has been assigned to the Recipient.
>>
>> There are also a few cleanups and the following minor but substantive
>> changes:
>> - Section 7.4, There is a definition of "prevailing party" for
>> attorney fee awards (" A “prevailing party” is the party that
>> achieves, or avoids, compliance with this License, including through
>> settlement.")
>> - Section 5.3, Enforcing against a terminated licensee does not cause
>> termination for the license-enforcing party  ("Administrative review
>> procedures, declaratory judgment actions, counterclaims in response
>> to patent litigation, and enforcement actions against former
>> Licensees terminated under this section do not cause termination due
>> to litigation.")
>>
>> All other discussion regarding CAL Betas 2 and 3 should apply.
>>
>> From the original submission:
>>
>> /Rationale:/ The CAL is a new network copyleft license especially
>> applicable for distributed systems. It is designed to be as
>> protective as possible of downstream recipients of the software,
>> providing them all that they need to create and use an independent
>> copy of a licensed work without losing functionality or data./
>> /
>> /
>> /
>> /Distinguish:/ The CAL is most similar to the AGPL, and will have a
>> similar scope of action in most cases. However, the CAL has
>> provisions that require that operators provide recipients of the
>> software with a copy of their user data, enhancing their ability to
>> independently use the software. The CAL also allows the creation of
>> mixed "Larger Works," provides for affiliate use, and does not
>> specify a mechanism by which notice is given to recipients.
>>
>> /Legal Analysis/: The CAL was drafted by legal counsel. Previous
>> discussions have outlined many aspects of the legal analysis.
>>
>> A copy the the license in Markdown format is attached. For those who
>> would prefer it, a Google Docs version of the license is viewable
>> here: 
>> https://docs.google.com/document/d/1-eD9EH6i3wdSXgG4XJbF-a0cSSknOERjYzlVonOwAQ0/edit?usp=sharing
>>
>>
>>
>> _______________________________________________
>> License-review mailing list
>> License-review at lists.opensource.org
>> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20200214/c89172cc/attachment-0001.html>


More information about the License-review mailing list