[License-review] Submission for review of Accountable Resolver License
Roland Turner
roland at rolandturner.com
Wed Oct 23 02:34:55 UTC 2024
On 22/10/24 01:39, Victor Grey via License-review wrote:
> To the OSI community, this is a request for approval for a new special-purpose open source license, as attached. The license is intended for software that provides registration and resolution services for Decentralized Identifiers (DIDs - https://w3c.github.io/did-core/). Such software may be used as a standalone service or incorporated into any other software to provide DID resolution services for any purpose, conditioned on it not being used to violate the privacy rights of end users of the service.
From the license text:
> 4.6 Respect for DID subject’s Privacy
> You may not use the permissions granted under this License to
> infringe, invade, breach, or otherwise fail to protect the privacy of
> any DID subject making use of the services provided by the Work.
>
> Privacy, for the purpose of this license, means a duty of care for the
> protection and confidentiality of any data generated by the operation
> of the Work, such as server logs or any other logs or metadata, that
> would enable the surveillance or correlation of the activities of the
> DID subject or other entities identified in the DID document by the
> Receiver or third parties, unless the Receiver is legally compelled
> otherwise.
This is an *explicit* use condition, which therefore unambiguously
breaches OSD6.
I'd suggest that a better protection for the intended risk is reliance
on privacy-related law that the licensee is subject to. This does have
some consequences of course:
* What those rules are varies drastically between the developed
economies and blocs alone — particularly the EU, US, and China,
which jointly account for ~1/4 of the world's population and most of
the world's GDP — let alone the rest of the world. There's no way to
square this circle, different people live differently and under
different laws (indeed different systems of law); the protections
that would be appropriate in one place are frequently inappropriate
in others. It would be harmful to attempt to impose a
one-size-fits-all rule in the context of an OSS license.
* The good news is that you don't need to worry about it. Licensees
are already subject to the law no matter what the text of the license
says. (You do not, for example, need to put text in about licensees
complying with the law; this is implicit in all contracts and
licenses. Indeed, any clause which purports to authorise illegal
activity is simply null and void.)
I've not evaluated the rest of the license text, but with respect to the
use conditions the fix to the text is simple: just remove them completely.
- Roland