Debating the Cryptographic Autonomy License

If one were to ask a group of free-software developers whether the community needs more software licenses, the majority of the group would almost certainly answer "no". We have the licenses we need to express a range of views of software freedom, and adding to the list just tends to create confusion and compatibility issues. That does not stop people from writing new licenses, though. While much of the "innovation" in software licenses in recent times is focused on giving copyright holders more control over how others use their code (while still being able to brand it "open source"), there are exceptions. The proposed "Cryptographic Autonomy License" (CAL) is one of those; its purpose is to give users of CAL-licensed code control over the data that is processed with that code.

Van Lindberg first went to the Open Source Initiative's license-review list with the CAL in April. At that point, it ran into a number of objections and was rejected by the OSI's license review committee. The license has since been revised to address (most of) the objections that were raised; a third version with minor tweaks was posted on August 22.

At its core, the CAL is a copyleft license; distribution of derived products is only allowed if the corresponding source is made available under the same (or a compatible) license. The third version added one exception: release of source can be delayed for up to 90 days if required to comply with a security embargo. There is, however, another set of conditions that sits at the core of the CAL and are its reason for existence; they are worth quoting in full:

The license also includes a prohibition against the use of contractual measures to prevent users from exercising the rights described above. The intent of all this language is relatively straightforward: if you are a user of an application (perhaps hosted on the net somewhere), you have the right to extract your data from that application to use with your own modified version of the code. Control of data is not to be used to lock users into a de-facto proprietary system.

This language turned out to be quite controversial on the license-review list. The most vocal opponent is undoubtedly Bruce Perens, who expressed concerns about what others may try to put into future licenses based on the example of the CAL:

He went on to argue that the prohibition against locking up users' data should be seen as a field-of-use restriction, which would make the CAL non-compliant with section 6 of the Open Source Definition. Perens compared the CAL to the "badgeware" licenses that the OSI accepted back in 2007. The OSI took a lot of criticism for that decision; Perens suggested that the same thing could happen this time around.

Josh Berkus, instead, characterized Perens's reasoning as "a 'slippery slope' argument" and argued that the CAL should be accepted:

He also rejected the field-of-use argument as being "a huge stretch" and concluded by saying: "While it is not the OSI's job to challenge Amazon's business model, it is not our job to protect it either".

That was not the end of the discussion; indeed, it went on at such length that list moderator Simon Phipps eventually asked the participants to reduce the rate at which they were posting. Little new ground was covered in all that volume, though.

In the end, the OSI will have to decide whether mandating access to the data managed by a given program is an appropriate feature of an open-source license. The badgeware decision was not seen at the time (or later) as being one of the OSI's finest moments; the decision on the CAL carries similar risks. Badgeware licenses, though, sought to increase the rights of copyright holders, while the CAL gives rights to software users. Whether that difference will tip the balance in this decision remains to be seen. The actual decision, it seems, is likely to be made at a face-to-face meeting in mid-November.

---

to post comments

Debating the Cryptographic Autonomy License

Posted Aug 24, 2019 22:07 UTC (Sat) by IanKelling (subscriber, #89418) [Link]

I perused license-review. I intended to make this comment but the conversation was a bit overwhelming, I think these articles are very relevant and useful when considering CAL and should have been mentioned but I didn't see them: https://www.gnu.org/philosophy/who-does-that-server-reall... . https://www.gnu.org/philosophy/network-services-arent-fre... .

Debating the Cryptographic Autonomy License

Posted Aug 25, 2019 11:23 UTC (Sun) by giggls (subscriber, #48434) [Link] (8 responses)

Does this really need discussion?

"The freedom to run the program as you wish, for any purpose (freedom 0)."

Debating the Cryptographic Autonomy License

Posted Aug 26, 2019 11:25 UTC (Mon) by bahner (guest, #35608) [Link]

Indeed, but who is running the program?

Debating the Cryptographic Autonomy License

Posted Aug 26, 2019 17:06 UTC (Mon) by jzb (editor, #7867) [Link] (2 responses)

You're quoting the FSF/GNU Free Software Definition, which informs but is not the OSD.

Also, I don't see much daylight between the using the AGPL to close the "ASP loophole" and using a license to address a problem that wasn't really apparent when the "four freedoms" were published. It seems to be meant to ensure that your data is yours, and my data is mine. I don't have any problem with "limiting" someone else's freedom in their ability to hide my data from me.

I'm not sure this license goes far enough or how it'd be interpreted by courts, but I don't have a philosophical issue with it. It is unclear to me, for example, what happens if something under this license is used to process data about me that I did not give it. Is that my data? If they're gathering data about me but not providing me services, do I have any claim to the data?

Debating the Cryptographic Autonomy License

Posted Aug 26, 2019 17:19 UTC (Mon) by josh (subscriber, #17465) [Link]

The AGPL just says that you must provide source to additional people; it doesn't restrict running or modifying the program. It's extending what "user" means.

Similarly, the GPLv3's handling of DRM doesn't say "you may not implement DRM"; it just states for the purposes of the DMCA and similar laws that that DRM doesn't count as a "technological protection measure", meaning that breaking such systems doesn't break the law. It's a grant of additional permission to people using the program.

This license, on the other hand, places restrictions on what you can do with the program, and with how you can process data using the program.

Debating the Cryptographic Autonomy License

Posted Aug 27, 2019 7:12 UTC (Tue) by gfernandes (subscriber, #119910) [Link]

It's actually quite simple - capturing data about you, **without your awareness or consent** essentially breaks the warrant process, and therefore breaks the constitutional protections citizens **normally** expect, from government advising power.

If you don't have a problem with that, you clearly don't see this problem. Doesn't mean it doesn't exist though.

Note that the Third Party Doctrine basically means law enforcement agencies can gather a lot more information about you than they could before Google, Facebook et al existed.

This is not a GPL concern, in general, but it is something every citizen of a democratically elected government should be concerned about.

Debating the Cryptographic Autonomy License

Posted Sep 2, 2019 4:47 UTC (Mon) by raof (subscriber, #57409) [Link] (3 responses)

I agree that this license is not Free Software, by the current definition.

However, I don't think that's a problem. Indeed, I think that the current definition of Free Software is not a good one - or, rather, it's not a good definition for ensuring user freedom¹. It is a good definition if you want to financially benefit from the free work of other. Freedom 0 is incompatible with ensuring user freedom.

¹: It is a good definition if you want to financially benefit from exploiting the software commons; see also the perennial “open-source software sustainability” discussions.

Debating the Cryptographic Autonomy License

Posted Sep 4, 2019 7:19 UTC (Wed) by ceplm (subscriber, #41334) [Link] (2 responses)

Free software was never about *the users’ freedom* always about *the developers’ one*. Big difference which is too often overlooked.

Debating the Cryptographic Autonomy License

Posted Sep 4, 2019 10:21 UTC (Wed) by pizza (subscriber, #46) [Link] (1 responses)

You have that backwards.

Free Software is explicitly about the *users* but Open Source is about *developers*.

Debating the Cryptographic Autonomy License

Posted Sep 5, 2019 16:58 UTC (Thu) by Wol (subscriber, #4433) [Link]

Yup. And this licence is about the users.

Think of "parties to the action". This is a good licence because it doesn't try to give a 3rd-party rights. If I buy Office software and use it to create documents, the copyright holder is NOT a party to my creating documents. They shouldn't have any rights over said documents.

Aiui, this licence says "people *using* the software are parties to the action. They have rights". It may require the copyright holders to enforce the rights on behalf of the users, sadly, but the thing is the user has the right.

Cheers,
Wol

Debating the Cryptographic Autonomy License

Posted Aug 26, 2019 17:38 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Why would anyone use CAL? Is there any code written under this license?

Debating the Cryptographic Autonomy License

Posted Aug 26, 2019 19:13 UTC (Mon) by k8to (guest, #15413) [Link]

Presumably people who strongly ideologically align with the idea that their code shouldn't be used to build services that lock up user data.

I feel like that. If I publish free software, I'm happy that companies might use that software to build business functionality, but I'm not so happy if they use it build businesses that lock up user data in a way that prevents user freedom.

I'm not sure I feel strongly enough to license my code specifically for this concern though. I also would be sad if my free software was used to build an anti-vax propoganda engine, but I don't feel the need to put most political concerns in the license I use.

Debating the Cryptographic Autonomy License

Posted Aug 26, 2019 20:57 UTC (Mon) by MarcB (guest, #101804) [Link] (2 responses)

In the OSI discussion, there is a comparison of this license with EU regulations that require giving users the ability to export their data.

However, there are significant differences: While the legal regulations are between you, your customer and, in escalating cases, the courts, this license brings in an additional party in form of the software's copyright holder. That party might well be placed in a completely different jurisdiction. This is an absurd complication that is not worth bothering with.

Additionally, the legal regulations place some "obviously sane" limitations on data access. For example, you do not have to grant criminals access to their stolen data ("The right ... shall not adversely affect the rights and freedoms of others").

In general, data freedom is a thing better enforced by laws instead of licenses because there is an inevitable clash of interests, likely with multiple involved parties.

The energy spent discussing this license would be better spend campaigning for proper data portability laws in the US. This is battle conservative think tanks have long since entered.

Debating the Cryptographic Autonomy License

Posted Aug 27, 2019 7:14 UTC (Tue) by gfernandes (subscriber, #119910) [Link]

I agree completely.

Debating the Cryptographic Autonomy License

Posted Sep 1, 2019 17:37 UTC (Sun) by mlinksva (guest, #38268) [Link]

I also agree completely, but extend this analysis from data freedom to software freedom. If software freedom is a human right, copyright holders are distracting third parties and licenses distractions from law.

Strange naming choice?

Posted Aug 26, 2019 21:09 UTC (Mon) by leromarinvit (subscriber, #56850) [Link] (13 responses)

The name makes it sound like the license is somehow related to cryptography, while that doesn't seem to be the case. It only mentions cryptography in two places: once in the definition of the term "source code", and again in section 4.2.2 (emphasis mine):

#### 4.2.2. No Technical Measures that Limit Access
You may not, by means of cryptographic controls, control of encryption keys, seeds, hashes, or any other technological protection measures, or any other method, limit a Recipient’s ability to access any functionality present in Recipient's independent copy of the Work, or to deny a Recipient full control of the Recipient’s User Data.

It seems to me that the mention of cryptography is only an example of how access could be limited (and the license thus violated). Indeed, an entity could be violating this license without running any crypto code at all. So why focus on cryptography to the point of including it in the name?

Strange naming choice?

Posted Aug 27, 2019 6:57 UTC (Tue) by nim-nim (subscriber, #34454) [Link] (11 responses)

Presumably, because withholding crypto keys, is the usual way to block user access to his data (as replicated on the smartphone client for example).

Such licenses do not spring up out of the blue. Writing them is a lot of work. They are the outcome of years of rampant VC-friendly antifeaturing.

Strange naming choice?

Posted Aug 27, 2019 7:17 UTC (Tue) by gfernandes (subscriber, #119910) [Link] (10 responses)

But what data are we talking about, that is **currently** locked cryptographically, that **can't equally easily** be blocked by other means (license agreements etc.)?

Strange naming choice?

Posted Aug 27, 2019 11:38 UTC (Tue) by nim-nim (subscriber, #34454) [Link] (7 responses)

Ah, licensing agreements, dangerous stuff, that takes you in legal land, and judges actually understand when you try overreaching and screwing up other parties.

Much safer to use technical means, that a lot of judges will wave over because they don't want to be dragged into software voodoo discussions.

Strange naming choice?

Posted Aug 27, 2019 16:53 UTC (Tue) by gfernandes (subscriber, #119910) [Link] (6 responses)

Isn't that exactly what this "license" is as well?

Strange naming choice?

Posted Aug 28, 2019 7:34 UTC (Wed) by nim-nim (subscriber, #34454) [Link] (5 responses)

Yes that’s exactly what it is and why it will work.

Remember that the people writing this license want the exact opposite of the people deploying sneaky underhanded technical ways to screw up the population.

So from their point of view, clearing the technical fog, and putting the ball squarely in legal land, is a good thing. *They* do not fear any scrutiny, nor judges or the general public wisenning up to what’s been going on.

Strange naming choice?

Posted Aug 28, 2019 13:52 UTC (Wed) by gfernandes (subscriber, #119910) [Link] (4 responses)

I doubt it'll work. Look at Google. Successfully side stepped the limitations of the GPL, but **only** using the Linux kernel, and **rewriting** the entire stack on top of it!

The Google's and the Facebook's of this world have ample resources to completely sidestep this license, as they have demonstrated time and time again.

This license changes nothing.

Only strong government legislation, like that introduced recently by the EU, will work.

Strange naming choice?

Posted Aug 28, 2019 15:01 UTC (Wed) by nim-nim (subscriber, #34454) [Link] (3 responses)

This isn't aimed at Google of Facebook, they are already in the regulator visor, this is aimed at the miriad boutique shops that add antifeatures to squeeze as much value from users as possible, without the capability to rewrite the free software world.

And rewriting the world privately is not comfortable, even when you’re Google, or it would have never bothered to open source kubernetes.

Strange naming choice?

Posted Aug 28, 2019 15:04 UTC (Wed) by nim-nim (subscriber, #34454) [Link] (1 responses)

(and BTW “strong legislation” means moving the problem legal-side exactly like this license does)

Strange naming choice?

Posted Aug 29, 2019 6:26 UTC (Thu) by gfernandes (subscriber, #119910) [Link]

Not really. This license is a license, like any other. Under most jurisdictions it falls under either copyright or contact law.

Strong legislation is neither. It's **new** laws introduced specifically for data protection, like the GDPR.

Strange naming choice?

Posted Aug 29, 2019 6:30 UTC (Thu) by gfernandes (subscriber, #119910) [Link]

Are you serious?
Have you looked at the Apache family is licenses? Or the permissive licenses used by Facebook and Google?

Have you taken an inventory of the libraries published under **those** _permissive_ licenses?

And then compared them with the libraries published under this license you so strongly advocate?

What data?

Posted Aug 27, 2019 15:49 UTC (Tue) by Herve5 (guest, #115399) [Link] (1 responses)

Currently? Basically all the data your wrist cardiograph is recording, for instance, like mine. Or steps. Or geoloc.
Or the graph of your friends and relations on your social network -even : here (who you did reply to, who you criticized. Who you are close to.)
This among many, no, most others.
I think this is the kind of applications the authors had in mind, more than terrible data-crunchers showing next week's weather... (but there it may apply too, indeed, as raw meteo data is indeed free...)

What data?

Posted Aug 27, 2019 16:52 UTC (Tue) by gfernandes (subscriber, #119910) [Link]

Then this license does little, if anything, to stop that. Stopping misusing of personal data is a legal, legislation challenge. Not a licensing challenge.

Strange naming choice?

Posted Aug 29, 2019 16:40 UTC (Thu) by kpfleming (subscriber, #23250) [Link]

This license was created by VanL at the request of one of his clients, who intend to use it for a distributed-ledger-style system where cryptography is part of the essential nature of the system. The expectation is that once the code is published under this license, anyone will be able to use it to create their own distributed-ledger networks, with the caveat that they must always allow users of those networks to get copies of the data they've placed into the network.