Cryptographic Autonomy License Approved by OSI

After a submission process of over a year and three versions, the CAL was approved last week by OSI.

CAL is a copyleft license, requiring a redistributors to make source code available, but more importantly, also contains a requirement to “maintain user autonomy” with respect to user data processed using the software:

4.2. Maintain User Autonomy.
In addition to providing each Recipient the opportunity to have Access to the Source Code, You cannot use the permissions given under this License to interfere with a Recipient’s ability to fully use an independent copy of the Work generated from the Source Code You provide with the Recipient’s own User Data.
“User Data” means any data that is an input to or an output from the Work, where the presence of the data is necessary for substantially identical use of the Work in an equivalent context chosen by the Recipient, and where the Recipient has an existing ownership interest, an existing right to possess, or where the data has been generated by, for, or has been assigned to the Recipient.
4.2.1. No Withholding User Data. Throughout any period in which You exercise any of the permissions granted to You under this License, You must also provide to any Recipient to whom you provide services via the Work, a no-charge copy, provided in a commonly used electronic form, of the Recipient’s User Data in your possession, to the extent that such User Data is available to You for use in conjunction with the Work.
4.2.2. No Technical Measures that Limit Access.  You may not, by the use of cryptographic methods applied to anything provided to the Recipient, by possession or control of cryptographic keys, seeds, or hashes, by other technological protection measures, or by any other method, limit a Recipient's ability to access any functionality present in the Recipient's independent copy of the Work, or deny a Recipient full control of the Recipient's User Data.
4.2.3. No Legal or Contractual Measures that Limit Access.  You may not contractually restrict a Recipient's ability to independently exercise the permissions granted under this License. You waive any legal power to forbid circumvention of technical protection measures that include use of the Work, and You waive any claim that the capabilities of the Work were limited or modified as a means of enforcing the legal rights of third parties against Recipients.

The intention of this license was to help preserve a user’s access to its own data. The license was promulgated by Holochain, which develops a framework on which developers can build their own applications. Holochain is a distributed ledger technology that was designed to avoid the scalability issues of familiar block-chain based systems like Bitcoin and Ethereum. It uses peer-to-peer networking for processing where “every device on the network gets its own secure ledger, or Holochain, and can function independently while also interacting with all the other devices.” The conditions of the license disallow use of the software with distributed-ledger applications that withhold from a user cryptographic keys that control the user’s own data in the network.

We want Holochain apps to be trusted as maximizing end-user autonomy and control. As that starts to happen, we can’t let someone claim their software is a “Holochain” app if they are actually maintaining central control of end-user cryptographic keys. Otherwise, people will think they’re in control of their accounts, money, personal information, or communications without realizing, at any moment, someone could strip them of their autonomy via revocation keys or a master seed.

At the center of the OSI license approval controversy was whether the conditions requiring sharing users’own data were effectively a restriction in violation of section 6 of the Open Source Definition, or a necessity to compel behavior to preserve freedom, similar to the “Installation Information” requirements of GPL3.

The controversy over the scope of copyleft these days remains brisk. Regarding CAL, it was so heated that OSI founder Bruce Perens resigned in protest, as the license approached approval. There is a also a larger controversy over whether copyleft licenses written by single companies, and not part of the community drafting process, should be approved, regardless of content.

Author: heatherjmeeker

Technology licensing lawyer, drummer

2 thoughts on “Cryptographic Autonomy License Approved by OSI”

Leave a Reply