[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Brian Behlendorf brian at behlendorf.com
Sat Feb 15 00:24:42 UTC 2020

On Thu, 13 Feb 2020, Pamela Chestek wrote:
> Yes, that was one of the very first issues raised with the CAL license 
> v1 on license-discuss before it was submitted to license-review almost a 
> year ago, in April 2019. This is Van's explanation about why they are 
> about two different things: 
> http://lists.opensource.org/pipermail/license-discuss_lists.opensource.org/2019-March/020324.html.

I realize this is moot with the OSI board recommending approval (or did 
they approve?), but I'm not persuaded by what was written at that link 
(starting with "GDPR is about privacy, not data" - the "D" is literally 
"Data" and the P is not "Privacy"). I'm not a GDPR expert by any stretch, 
but found in other discussions that making self-sovereign identity systems 
GDPR-compatible involves several layers of non-trivial issues. Issues 
such as the fact that any particular bit of data is rarely about just one 
person, and more often than not about two people; hashed/encrypted data 
can also be PII; and that there are reasonable exceptions where data can't 
be shared or deleted upon request that are not machine-parseable 
situations (such as "valid business reason"). GDPR's impact is also still 
evolving as enforcement actions establish a track record for how it will 
be enforced and accepted by judges on broad or narrow interpretive bases. 
It's a ton of complexity - but all of which I find myself arguing on the 
side of being an unavoidable part of the ethics of dealing with data about 
other people.

I would have more trust in an analysis of these issues by someone not 
vested in whether OSI approves the license. Elizabeth Renieris 
(@hackylawyer on Twitter) for instance.

All of this is not to argue for or against CAL as an OSD-compliant 
license, though it feels like the first (I could be wrong) to bring the 
data created or managed by the application into the license itself. That 
seems to veer very much on limitations on use, but more importantly - data 
is a complex subject, and at times will defy the kind of predictability 
and automated-conformance-checking that open source licenses have long 
offered their users. Perhaps it's not OSI's role to argue that an approved 
license should not be used, but this license will add to the compliance 
burden for end users, no matter how much this license's authors believe 
their obligations are a strict subset.


> Pam
> Pamela S. Chestek
> Chestek Legal
> PO Box 2492
> Raleigh, NC 27602
> 919-800-8033
> pamela at chesteklegal.com
> www.chesteklegal.com
> On 2/13/2020 2:55 PM, Brian Behlendorf wrote:
>       Has anyone considered the PII and GDPR/CCPA/etc implications of the CAL? Could there be scenarios where the CAL requires behavior that the GDPR prevents? Those licenses introduce a concept
>       completely foreign to copyright law, which is data protection rights for the subjects of data (who that data is about), even if that subject isn't a party to the transfer of software and
>       thus covered by this license. What would be the ramifications of such a clash? Could someone using the software have to stop using it based on a request from a data subject?
>       Brian
>       On Thu, 13 Feb 2020, Eric Schultz wrote:
>             Sorry to bring this up at a late stage but I just thought of a situation I wanted clarification on. Let's say a voice recognition provider using the CAL allows users to
>             confidentially choose to submit their voice recordings to improve the quality of recognition. Is there any sort of dynamic here where one user would be able to request access
>             to all of the other users' confidential recordings? My hunch is no but it's a little bit of a different situation than I had seen considered on the list.
>             Eric
> _______________________________________________
> License-review mailing list
> License-review at lists.opensource.org
> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org