Licensing needs for Truly P2P Software

Truly P2P Software brings unique licensing considerations about identity and data ownership

This article is preserved for historical purposes but HAS BEEN SUPERSEDED BY THE CRYPTOGRAPHIC AUTONOMY LICENSE.


Software licenses are about USAGE constraints of software: do you have a right to run it, copy it, distribute it, for how many people, under what conditions, etc. However, in a new era of decentralized software, I believe we must also uncover an assumption buried in past licenses: that a license also implicitly includes ownership of data and user accounts created by the software.

Let me say that differently. Since past software has been centrally controlled and administered, it was assumed that the license-holder of a database owns the data in the database, as well as controlling whatever user accounts and permissions exist for accessing it. Even the most open of organizations (like Wikipedia, which lets you download copies of its databases) can still terminate user accounts or purge spammy advertisements from their database, because it runs on their centrally controlled servers.

Think of your corporate email account. The company you work for can change your password, lock you out of your own email, and they own messages sitting on their server. They control both the identity and the data.

However, what happens when software no longer runs on a central server, but each person publishes data to their own local storage first? Then, when that data is intended to be shared, it gets published to a shared space (DHT) from your local store. Since Holochain is structured this way, by default each user controls their own data, and via our key management app, they control their own identity, even across any and all Holochain applications. So if a corporation wanted to run a Holochain application under centralized control, instead of you generating your own app keys and revocation keys, the corporation would do that and maintain control of the revocation keys, so that they could kick you off the system at any time.

On Holochain, to accomplish the old pattern of centralized control that is assumed by software licenses of the past, you essentially have to strip away each user’s control of their own cryptography by owning their keys. This seems like a very different category of USAGE of the software than Holochain’s native design, where users control their own data and identity; thus it merits a different class of license. This isn’t about whether you can copy or change the software, but about how you structure the cryptographic relationship to users and data generated by the software.

Introducing the Human Commons License

If people run your Holochain app as a network of autonomous humans, where each one manages the keys that control their data and identity, then you are operating a “human commons” and operate under that classification, as Holochain apps are intended to operate.

However, if you structure the management of keys for the people running your hApp such that you can revoke their keys to the hApp, or if you have required them to agree to be stripped of their ownership of data they’ve authored, then this is a commercial classification of the software (not autonomous humans, not a shared commons among them).

We’re still sorting out some of the details for each classification. For example, in the Human Commons case, the software license may be fully free and permissive (like MIT license?), whereas the commercial usage may be more restrictive (like GPL), such that you’re at least contributing new code back into the commons if you’re taking away people’s identity and data.

However, this classification may be more important to the apps running on top of the Holochain software than the effect it has on your rights to Holochain. Distinguishing these different usage types at the underlying level lets apps more effectively choose how they want to charge customers. Consider an app like P2P Slack where everyone controls their own data and identity, in contrast to one where a corporation owns the data and user accounts. The builder of that hApp may want to give it freely to those operating a commons, and charge for usage in the corporate case.

New Distinctions in Licensing

Whether you agree with our explorations of increasing restriction on commercial use or not, the point of this article is to call out the importance of distinguishing the fundamentally new patterns of data ownership and identity as part of software licensing concerns for truly P2P software.

In addition to the topic of control of your own data and identity, authored by you and stored on your own device, there is the matter of data shared into a shared space (in Holochain this means published to that app's DHT). For this we look to licenses like Open Data Commons for models.

What else should we be considering to get licensing of P2P apps right?