Rationale Cryptographic Autonomy License

Last modified by Pamela Chestek on 2019.08.16 at 13:37:17 PDT

License: Cryptographic Autonomy License (as captured 8 May 2019, Exhibit A)
 Submitted: April 22, 2019:  http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-April/004028.html
 Decision due no later than the first Board meeting after June 21, 2019

License Review Committee Recommendation:

Resolved that it is the opinion of the OSI that the Cryptographic Autonomy License does not conform to the OSD and assure software freedom and the license is therefore not approved. The license submitter is invited to submit a new draft for consideration by the OSI after revision. See [link] for rationale document.

Rationale Document

Reasons for withholding approval:

  1. Specific provision for GDPR: The license makes special accommodations for those who must comply with General Data Protection Regulation (EU) 2016/679 ("GDPR") Arts. 15(3) and 20(1) but does not make those same accommodations for those who may be obliged to comply with similar requirements found in other data privacy laws. An additional permission or restriction granted specifically for a particular class or group is, on its face, non-compliance with OSD5/6. However, the license submitter said that this provision will be removed if it is the remaining issue. http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004156.html
  2. The mechanism of “public performance”: The health of an open source software project relies on a predictable and consistent understanding of what the license permits and what it requires for compliance. However, this license uses a term specific to US law, which is “public performance.” The use of a term found only in one jurisdiction’s body of law leads to the possibility of highly disparate outcomes under other legal systems. The license submitter suggests that public performance “appears analogous” to the EU concept of communication to the public, http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004153.html; however, there is no reason to believe an EU court would find that the words “public performance” mean the same thing as “communication to the public” or that an EU court would view “communication to the public” as applying to APIs in the same way that the license submitter posits “public performance” does under US law. (A number of commenters on license-review also disagreed with the license submitter’s belief that under US law the right of public performance will extend to the use of APIs.) The submitter argues that the term is defined in the license and therefore does not rely on local interpretation, http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004153.html. However, the definition does rely on copyright law for scope (“‘Public Performance’ (or ‘Publicly Performing’) means using the Software to take any action that implicates the rights of public performance or public display of a work under copyright law, ...”). The high likelihood that the license would be interpreted in significantly different ways in different legal jurisdictions militates against its approval. Although the CAL is not, by any means, a “crayon” license, it has the potential for the same negative consequence, which is unpredictable interpretation.

Open questions

The above are the reasons that the license has not been approved and the submitter is encouraged to revise and resubmit the license. However, there are also additional issues raised during the discussion of the license that merit further community input and discussion before the license would be approved. These issues are:

1.   Scope of copyleft.
 Until now, the principle of copyleft has only been applied to literal code, not APIs. The license submitter’s proposal is for a copyleft effect that would apply to new implementations of the API even when the underlying code has been written from scratch. http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-April/004056.html. The license also makes this extension even if the legal system would not extend copyright (and therefore copyleft) so far. During the license-review process some commentators objected to extending the copyleft principle this far. However, the license review committee does not believe that there was sufficient discussion representing all points of view on the license-review list and so does not reject the license for this reason. The license submitter should also be aware that the OSI was a signatory on a brief submitted to the U.S. Supreme Court advocating against the copyrightability of APIs. APIs are also known to be outside the scope of copyright under European law. We are consequently uncomfortable endorsing an application of copyright law to APIs in any form without further discussion.

2.   At what point the licensor can oblige licensee behavior.
The trigger for meeting license obligations can differ across licenses. The most common, almost universal trigger, is distribution of software. The AGPL license triggers upon allowing network interaction with modified software. The CAL license implements a new trigger, which is the obligation to make unmodified software available to anyone interacting with an interface for the software. In other words, someone might install a program that allows for interaction with the website (perhaps providing a webform to sign up for a newsletter) and would now be obliged to make the source code available to any person who filled out the webform. http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004113.html The License Review Committee does not believe that there has been adequate airing of this issue from a variety of viewpoints on the license-review discussion about this aspect of the license, so has not reached a conclusion about at what point imposing license obligations is appropriate.

3.   A license that requires data portability.
Section 2.3(b) obliges the user of a software to “provide to any third party with which you have an enforceable legal agreement, a no-charge copy … of the User Data in your possession in which that third party has a Lawful Interest ….” The license submitter confirmed in this sequence of emails that the intent of this provision is to expand the scope of software freedom:
http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004123.html
http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004124.html
http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-May/004126.html
The members of the License Review Committee do not agree whether this is appropriate for an open source license. It therefore requires extensive additional public discussion before the OSI will be able to reach a conclusion on this point.

If the license submitter is interested in resubmitting this license for review, the license review committee recommends eliciting additional, more diverse discussion on these points on the license-discuss list prior to its resubmission.

Exhibit A 

Cryptographic Autonomy License version 1.0

This Cryptographic Autonomy License (the “License”) applies to any Work whose owner has marked it with any of the following notices:

“Licensed under the Cryptographic Autonomy License version 1.0,” or “CAL-1.0”, or
 “Licensed under the Cryptographic Autonomy License version 1.0, with Combined Work Exception,” or “CAL-1.0-With-Exception.”

The owner may also specify in the same location as the notice a jurisdiction for disputes arising from the use of a particular Work:

“The Applicable Jurisdiction for disputes arising from the licensing or use of this Work is _____.”

_____________________________________________________________________________

 

1.      License Grant

1.1.  Grants

Conditioned on compliance with section 2, and subject to the reservations of section 1.2, you have world-wide, royalty-free, non-exclusive permission to:

a)      Take any action with the Work or a Modified Work that would infringe the copyright or database protection laws of an Applicable Jurisdiction applying to the Work, including Publicly Performing any element included in or derived from the Work; and

b)      Take any action with the Work or a Modified Work that would infringe any patent claims Licensable by Licensor, to the extent that those claims are embodied in the Work as distributed by Licensor.

1.2.  Limitations on Grants

The following reservations apply to the permissions granted in section 1.1:

a)      Licensor does not grant any patent license for claims that are only infringed due to the modification of the Work or the combination of the Work, directly or indirectly, with any other component, including other Software or hardware.

b)      Licensor does not grant any license to the trademarks, service marks, or logos of Licensor, except to the extent necessary to comply with the attribution conditions in section 2.1 of this License. Describing a Modified Work as being derived from the Work, or compatible or not compatible with the Work, is allowed as a fair or nominative use.

2.      Conditions

The following conditions apply to any exercise of the permissions given in section 1. These are the only conditions imposed by this license relative to the Work; any other exercise of the permissions given in section 1 is allowed.

2.1.  Attribution

You must a) retain all copyright, patent, or trademark notices contained in the Source Code, as well as any notices of licensing, authorship, or attribution, and b) provide all such notices to each Recipient, together with a statement acknowledging the use of the Software. Notices may be provided directly to a Recipient or via an easy-to-find hyperlink to an Internet location also providing Access to Source Code. 

2.2.  Licensed Distribution

Any distribution, Public Performance, sale, or offer for sale of the Work to a Recipient is subject to the following conditions:

2.2.1.  Distribution of Source Code for an Unmodified Work

Subject to the exception in section 2.4, You must provide to each Recipient of the Work Access to all the Source Code for the Work provided, sold, or offered to the Recipient.

2.2.2.  Distribution of Source Code for a Modified Work

Subject to the exception in section 2.4, You must provide to each Recipient of a Modified Work Access to Source Code corresponding to those portions of the Work remaining in the Modified Work as well as  the modifications used by You to create the Modified Work. The Source Code corresponding to the modifications in a Modified Work must be provided to the Recipient either a) under this License, or b) under a Compatible Open Source License.

2.3.  Maintaining User Autonomy

You must refrain from using the permissions given under this License to interfere with Recipient’s quiet enjoyment of any Lawful Interest in their own User Data. This includes:

a)      You may not, by means of cryptographic controls, technological protection measures, or any other method, limit a third party from independently Processing User Data in which they have a Lawful Interest;

b)      Throughout any period in which You exercise any of the permissions granted to You under this License, You must also provide to any third party with which you have an enforceable legal agreement, a no-charge copy, provided in a commonly used electronic form, of the User Data in your possession in which that third party has a Lawful Interest, to the extent that such User Data is available to You for use in conjunction with the Work;

c)      You may not use the Software to control any cryptographic keys, seeds, or hashes pertaining to third parties where such control would prevent the third party from independently exercising the permissions granted under this License;

d)      You waive any legal power to forbid circumvention of technical protection measures that include use of the Work; and

e)      You waive any claim that the capabilities of the Work were limited or modified as a means of enforcing the legal rights of third parties against Recipients.

Other than the conditions in sections 2.2 and 2.3(b), nothing in this License requires You to provide processing services to anyone.

2.4.  Combined Work Exception

As an exception to the conditions in sections 2.2.1 and 2.2.2, any Source Code files marked by the Licensor as having the “Combined Work Exception,” or any Object Code exclusively resulting from Source Code files so marked, may be combined with other Software into a “Larger Work.” So long as you comply with the conditions in 2.1, 2.2, and 2.3 relative to the Source Code provided to you by Licensor, any other Software in the Larger Work as well as the Larger Work as a whole may be licensed under the terms of your choice.

3.      Acceptance and Remedies

By taking any action that, absent this License, would infringe Licensor’s intellectual property in the Software under the laws of an Applicable Jurisdiction, You agree to the terms and conditions of this License in consideration of the permissions granted. Any use of the Work outside the scope of this License infringes the rights of the Licensor. In the event of infringement, the terms and conditions of this License may be enforced via the intellectual property laws of the Applicable Jurisdiction. In addition, You are not responsible for enforcing compliance by third parties with this License, but You agree that either the Licensor or a Recipient (as an intended third-party beneficiary) may enforce these conditions via specific performance.

4.      Term and Termination

The term of this License begins when You receive the Work, and continues until terminated for any of the reasons described herein, or until all Licensor’s intellectual property rights in the Software expire, whichever comes first (“Term”). If this License is terminated for any reason, all permissions granted to You under section 1 by any Licensor automatically terminate. You will immediately cease exercising any permissions granted in this License relative to the Work, including as part of any Modified Work.

4.1.  Termination for Non-Compliance; Reinstatement

This License terminates automatically if You fail to comply with any of the conditions in section 2. As a special exception to termination for non-compliance, Your permissions for the Work under this License will automatically be reinstated if You come into compliance with all the conditions in section 2 within sixty days of being notified by Licensor or an intended third party beneficiary of Your noncompliance. You are eligible for reinstatement of permissions for the Work one time only, and only for the sixty days immediately after becoming aware of noncompliance. Loss of permissions granted for the Work under this License due to either a) sustained noncompliance lasting more than sixty days or b) subsequent termination for noncompliance after reinstatement, is permanent, unless rights are specifically restored by Licensor in writing.

 

4.2.  Termination Due to Litigation

If You initiate litigation against Licensor, or any Recipient of the Work, either direct or indirect, asserting that the Work directly or indirectly infringes any patent, then all permissions granted to You by this License shall terminate. In the event of termination due to litigation, all permissions validly granted by You under this License, directly or indirectly, shall survive termination. Administrative review procedures, declaratory judgment actions, and counterclaims in response to patent litigation do not cause termination due to litigation.

5.      Disclaimer of Warranty and Limits on Liability

5.1.  Disclaimer of Warranty

The Work is provided under this License on an "AS IS" BASIS and WITHOUT WARRANTY, either express or implied, including, without limitation, the warranties of non-infringement, merchantability or fitness for a particular purpose. THE ENTIRE RISK AS TO THE QUALITY OF THE WORK IS WITH YOU. This disclaimer is an essential part of this License. No license to the Work is granted except under this disclaimer.

5.2.  Limitation of Liability

Under no circumstances and under no legal theory, whether in tort (including negligence), contract, or otherwise, shall the Licensor be liable to anyone for any indirect, special, incidental, or consequential damages of any character arising as a result of this License or the use of the Work including, without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss of profits, revenue, or any and all other commercial damages or losses. This limitation of liability shall not apply to the extent applicable law prohibits such limitation.

6.      Definitions

a)      “Access to Source Code” means any of  a) a copy of, or b) no-charge unrestricted network access to, the Source Code. Network access to the Source Code may be provided by You or by a third party, such as a public software repository, and must persist during the same period in which You exercise any of the permissions granted to You under this License and for at least one (1) year thereafter.

b)      “Affiliate” means any other entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with, the Licensee.

c)      “Applicable Jurisdiction” means any of: i) the jurisdiction where the Licensor is located; ii) the jurisdiction where the Licensee is located; or iii) any jurisdiction in which the Licensee is subject to the legal system.

d)      “Compatible Open Source License” means an Open Source License that allows Object Code that is created using both Source Code provided under this License and Source Code provided under the Open Source License to be distributed together as a single work.

e)      “Lawful Interest” means either 1) an ownership interest or 2) a non-ownership property or possessory interest, including but not limited to lawful possession of a particular copy of a work.

f)       “Licensable” means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.

g)      “Licensee” (also “You” or “Your”) means an individual or a legal entity exercising rights under this License.

h)      “Licensor” means the individual or legal entity that creates, contributes to the creation of, or owns a Work subject to this License.

i)        “Modified Work” means any work containing, directly combining with, derivative of, or Publicly Performing elements included in or derived from the Work.

j)        “Object Code” means any form of the work other than Source Code form, provided by Licensor or the result of any compilation process applied to the Source Code.

k)      “Open Source License” means any license approved by the Open Source Initiative (see OpenSource.org).

l)        “Process User Data” (or “Processing User Data”) means 1) use a system, 2) perform a method, or 3) cause any other party to use a system or perform a method, using at least in part the Work provided under this License, where User Data is an input or an output to the system or method.

m)   “Public Performance” (or “Publicly Performing”) means using the Software to take any action that implicates the rights of public performance or public display of a work under copyright law, specifically including making aspects of the Software, including any interfaces used for access to or manipulation of User Data, directly or indirectly available to the public.

n)      “Recipient” means any non-Affiliate third party being offered the Software, receiving the Software, or receiving a Public Performance of any element of the Software from You.

o)      “Software” means either Source Code or Object Code.

p)      “Source Code” means the form of the work preferred for making modifications, including any comments, design documentation, help materials, installation instructions, cryptographic keys, and any information reasonably necessary to compile the Source Code into Object Code or Process User Data using generated Object Code.

q)      “User Data” means any data that is either a) an input to, or b) an output from, the Work or a Modified Work, in which a third party other than the Licensee has a Lawful Interest in the data.

r)       “Work” means any original creation protectable under the patent, copyright, or database protection rights of either the Licensor’s or the Licensee’s jurisdiction.

7.      Other Provisions

7.1.  Jurisdiction and Governing Law

A Licensor may require that any action or suit by a Licensee relating to a Work provided by Licensor under this License may be brought only in the courts of a particular jurisdiction and under the laws of a particular jurisdiction (excluding its conflict-of-law provisions), if Licensor provides conspicuous notice of the particular jurisdiction to all Licensees.

7.1.1.  Interpretation of Provisions

To the extent allowable under the Applicable Jurisdiction, provision of User Data in compliance with the conditions in section 2.3(a) and 2.3(b) shall be interpreted consistently with the formatting and transmission requirements of General Data Protection Regulation (EU) 2016/679 ("GDPR") Arts. 15(3) and 20(1). The number of copies of User Data provided in compliance with the conditions in section 2.3(b) shall be at least the same number needed to comply with GDPR Art. 15(3).

7.1.2.  No extension beyond intellectual property

The scope of the permissions granted in section 1.1 shall be interpreted to be coextensive with the rights granted to the Licensor under the intellectual property laws of the jurisdiction in which this License is enforced. The scope of the permissions granted also includes any necessary permissions, such as for moral rights, needed in a jurisdiction to exercise the permissions explicitly granted in section 1.1.

7.2.  No Sublicensing

This License is not sublicensable. Each time You provide the Work or a Modified Work to a Recipient, the Recipient automatically receives a license under the terms described in this License. You may not impose any further reservations, conditions, or other provisions on any Recipients’ exercise of the permissions granted herein.

7.3.  Attorneys' Fees

In any action to enforce the terms of this License, or seeking damages relating thereto,  including by an intended third party beneficiary, the prevailing party shall be entitled to recover its costs and expenses, including, without limitation, reasonable attorneys' fees and costs incurred in connection with such action, including any appeal of such action. This section shall survive the termination of this License.

7.4.  No Waiver

Any failure by Licensor to enforce any provision of this License will not constitute a present or future waiver of such provision nor limit Licensor’s ability to enforce such provision at a later time.

7.5.  Severability

If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any invalid or unenforceable portions will be interpreted to the effect and intent of the original portion. If such construction is not possible, the invalid or unenforceable portion will be severed from this License but the rest of this License will remain in full force and effect.

7.6.  License for the Text of this License.

The text of this license is released under the Creative Commons Attribution-ShareAlike 4.0 International License, with the caveat that any modifications of this license may not use the name “Cryptographic Autonomy License” or any name confusingly similar thereto to describe any derived work of this License.


Created by Pamela Chestek on 2019.08.16 at 13:28:56 PDT
    
