DPGAlliance / DPG-Standard

Digital Public Goods Standard
Creative Commons Attribution Share Alike 4.0 International

Proposal: Add Ethical Source licenses as acceptable licenses to DPG Standard indicator 2 #137

Open jwflory opened 2 years ago

jwflory commented 2 years ago

Summary

Add Ethical Source licenses as acceptable open licenses for DPG Standard indicator 2

Background

The Organization for Ethical Source stewards the Ethical Source Principles. The simplest way of explaining the Ethical Source Principles is as an extension of the Open Source Definition, but with extra provisions to prevent open work from being used to harm others. They also maintain a list of licenses that meet the Ethical Source Principles. The Open Source Definition is already used as the foundation of DPG Standard indicator 2, but there is not a precedent for including the Ethical Source Principles in the same way for the DPG Standard.

This is also an extension of one of the oldest incomplete DPG nominations, DPGAlliance/publicgoods-candidates#115.

Why now?

For the last four months, I have been working with Oky, an existing Digital Public Good. But after the recent United States Supreme Court ruling that overturned Roe v. Wade (right to abortion), this has put Oky in an ethical dilemma for how people may use and reuse their open work. Oky is unique from other DPGs in that it deliberately targets a vulnerable population: young girls and women who trust in Oky to securely and privately store data related to menstrual cycles. The Oky team is concerned about the risk of whether their work and trademarks are used in non-ethical ways to collect and sell the data, especially if the data is used as legal evidence in a court of law against the users who trust in Oky to store their confidential data.

Currently, Oky is considering abandoning the AGPL-3.0 copyleft license because it does not sufficiently address their concerns about ethical use and reuse of their original works. Additional trademark protections are not available because Oky is not a registered trademark. Registering Oky as a trademark seems unlikely in the context of UNICEF's recent head of Legal, who does not believe UNICEF should be in the business of registering trademarks. This leaves Oky in a vulnerable position for abuse by those who would choose to reuse the existing branding and identity to consciously or unconsciously inflict harm on the vulnerable population that Oky serves.

The point raised by Oky is that a ten-year-old won't read a privacy policy or legal documentation to understand whether an app is the DPG-recognized Oky or a lookalike clone sharing the same open source code. The Oky team believes an approach that centers ethics first is most important in centering users and what the Oky team stands for in their work. They feel that open source licenses forget the end users and do not offer enough protections for Oky to comfortably share and build their work as an open source product.

Details

I propose that the DPG Standard, indicator 2, is revised to include licenses that meet the Ethical Source Principles (full list of licenses here). Adding these as acceptable licenses to the DPG Standard addresses an important consideration of how DPGs are used in modified downstream works, which would not necessarily be DPGs themselves. This also enables a new pool of content, software, and data to be considered eligible as Digital Public Goods.

The main consideration with adopting Ethical Source Principles as acceptable for licenses is that it restricts the open source right to free use, i.e. unrestricted and total free use in any shape or form. The Open Source Definition is adamant that any open source work should not and cannot have any additional restrictions added to it. The Ethical Source Principles add new restrictions that protect safety, privacy, and human rights as de facto parts of the license. Although these two license definitions conflict with each other, their missions are often aligned and centered on achieving the same positive outcome.

The challenge for the DPG Alliance is to consider these additional restrictions for how DPGs are shared and what terms are placed on their use and reuse by any implementing partner or pathfinder country.

Alternative

Alternatively, if the Ethical Source Principles feel too broad to adopt wholly, an alternative could be to accept only the Hippocratic License, which could be argued as the most pervasive and most common of the Ethical Source licenses used in mainstream ethical source software.

Outcome

A more inclusive DPG Standard that incorporates open projects that put extra priority/emphasis on protecting human rights in downstream implementations of DPGs


CC: @CoralineAda

downeymj commented 2 years ago

A few quick thoughts I wanted to jot down before tending to other issues today:

The simplest way of explaining the Ethical Source Principles is as an extension of the Open Source Definition, but with extra provisions to prevent open work from being used to harm others.

I was surprised to hear this type of description; my perception was the community had reached consensus that the Hippocratic License and others did not meet the Open Source Definition (OSD) prima facie as those "extra provisions" were in conflict with the OSD. While no such licenses have been submitted for approval through the Open Source Initiative (OSI) license review process, extensive discussion did occur in the first quarter of 2021 on OSI's license-discuss mailing list. Several people involved in that effort ran for the OSI's board and were not elected by the membership, and there wasn't any further discussion about the topic since 2021.

Recapping: Public goods (digital or otherwise) can't be restricted just because we don't like the people using them. Just as groups we may not like are allowed to use the city park, software released under an Open Source license extends those license terms to everyone, even if we don't agree with what they do. Software with licenses that include such restrictions may be freely distributed, but it is not Open Source, not a public good, and as such I don't see how it could possibly align with the vision set out by the SG (p.23) when describing Digital Public Goods in the UN's Roadmap for Digital Cooperation.

Those involved in supporting and promoting Digital Public Goods can (and perhaps should!) do all they can to call attention to unethical implementations of public goods. That could certainly be another separate activity that could operate in close coordination with legal policy advocacy to protect privacy rights, exposure and enforcement of other human rights abuses, etc. As a well-known lawyer said on the aforementioned mailing list discussion, "banning illegality is not generally considered to be an enforceable term in a contract/license. Illegal things are already illegal, so making them illegal and a breach of contract does not do anything extra."


Oky is unique from other DPGs in that it deliberately targets a vulnerable population

Many DPGs target vulnerable populations; Oky is not alone in this respect. In fact, the notion of technology in service of vulnerable populations was often the key driver of the predecessor "tech for good" and "ICT for Development" movements and such groups of people became key user personas, sometimes directly leading to the creation of new software. There are lots of these in the DPG Registry. Some of them, like Oky, made the decision to store direct or linked PII on the Internet, some software simply runs locally to simplify/reduce the risk profile.

Oky team is concerned about the risk of whether their work and trademarks are used in non-ethical ways to collect and sell the data

In that case, and based on further statements in the OP, it sounds like an Open Source license might not have been the right choice for their project; proprietary software licenses allow such restrictions, although enforcing such restrictions would implicitly require the copyright holder(s) (UNICEF?) to then "be in the business" of intellectual property litigation.

Registering Oky as a trademark seems unlikely in the context of UNICEF's recent head of Legal, who does not believe UNICEF should be in the business of registering trademarks.

Since (AFAIK) none of these license terms have yet been tested in courts, it's unclear whether the same issues about consistent enforcement might appear as with trademarks, e.g., if one does not regularly and consistently enforce violations it eventually loses standing to enforce subsequent claims. (In other words, one can't pick and choose if and when to enforce trademark violations.) I would be surprised if they are hungry for such a role with respect to license restrictions, if they're not interested in trademark registration.

Additional trademark protections are not available because Oky is not a registered trademark.

Finally I don't know the jurisdiction in question, and IANAL, but in the United States a trademark need not be registered to be protected. See https://www.justia.com/intellectual-property/trademarks/unregistered-trademarks/ for details.

Nolski commented 2 years ago

I would support the addition of ES licenses to the DPG standard indicator. Furthermore, as community discussion continues, I would encourage folks to focus on the following:

  1. The purpose of the discussion is whether or not ES licensed software should be banned from being considered a Digital Public Good.
  2. The purpose of the discussion is not whether you find ES licenses effective in achieving a particular goal.

Public goods (digital or otherwise) can't be restricted just because we don't like the people using them. Just as groups we may not like are allowed to use the city park, software released under an Open Source license extends those license terms to everyone, even if we don't agree with what they do

Public goods (such as parks, which are a great example) are often regulated by both the states and organizations maintaining them even in the most neo-liberal of societies such as the US. People can be banned from doing certain things in them, rules can be enacted by the community managing them. Material restrictions on access are placed on digital and physical public goods both explicitly (you can only use the park between these hours) and implicitly (only people within a geographic area can feasibly use this park). This happens digitally as well with both explicit and implicit gatekeeping.

realpixelcode commented 2 years ago

Public goods (digital or otherwise) can't be restricted just because we don't like the people using them.

Yes, they can be, as @Nolski pointed out. Also, it's not the people that we “don't like”, in fact, it's their unethical and socially detrimental behaviour that we condemn. Tolerance doesn't mean having to tolerate intolerance, just like, for example, the freedom of speech doesn't give you the right to incite hatred or crimes.

Illegal things are already illegal, so making them a breach of contract does not do anything extra.

Where I live, committing crimes unrelated to a contract does not constitute a breach of that contract. In fact, there are many kinds of contracts with clauses that make illegal conduct a contract breach, such as the so-called Auftragsverarbeitungsverträge that basically force contractors to adhere to the GDPR. Thus, the argument that “bans of illegality can't be enforced” doesn't make much sense IMO.

CoralineAda commented 2 years ago

Recapping: Public goods (digital or otherwise) can't be restricted just because we don't like the people using them.

The Hippocratic License isn't about restrictions against "people we don't like" and framing it that way comes across as reductive and disingenuous. From the FAQ at https://firstdonoharm.dev/learn :

The Hippocratic License 3.0 allows open source technologists to articulate and legally enforce a clear set of ethical standards that licensees must abide by in order to adopt their code. These standards were derived from a variety of international agreements and authorities on international human rights norms, including the United Nations Universal Declaration of Human Rights; the International Covenant on Economic, Social and Cultural Rights; the International Covenant on Civil and Political Rights; and the International Labour Organization. These sources are a compilation of international ethical standards agreed upon by the vast majority of nations in the world. We’ve adopted those principles which can and should be applied to private actors.

We've seen-- and continue to see-- that "open" alone is not a guarantee of pro-social, human-rights-preserving outcomes. There are endless examples of private actors leveraging open source technologies to forward agendas of militarism, surveillance capitalism, ad-tech, digital colonization, and even genocide. (It should also go without saying that "legal" does not always equate with "ethical".)

As a recent example, this twitter thread by Abeba Birhane, a Senior Fellow in trustworthy AI at Mozilla, talks about "open" data sets being weaponized by Google and Meta against communities on the African continent: https://twitter.com/Abebab/status/1554896387237711872 .

We really need to move past holding up the open source definition as the only measure of what constitutes a public good, and freedom zero as the only relevant ethical stance to address the very real, very complex, and very nuanced technosocial challenges we face in today's world.

Tech is not and has never been neutral; the subset of technology that is open source is not different, special, or somehow immune to real-world impact and consequences.

downeymj commented 2 years ago

I agree that:

The purpose of the discussion is whether or not ES licensed software should be banned from being considered a Digital Public Good.

As such, whereas (a) the Secretary-General (through a broad and open international consultative process) defined digital public goods as open source software, and (b) Ethical Source licenses are not open source software, therefore (c) software with such licenses can not be considered a Digital Public Good.


There's not really too much left to say in light of that logic, but I will add a few relevant lines from related essays from Software Freedom Conservancy that highlight the risks of adding these types of proprietary software licenses to the working definition of "digital public goods", against the criteria laid out by the Secretary-General:

In jurisdictions that already hold human life and the rights of its people in low regard (or simply have an exceedingly corrupt government), it's a pointless symbolic act to also take away the permissions of software redistribution and modification for bad behavior (of any kind). Companies and oligarchs operating in a corrupt, unjust society will successfully ignore those injunctions, too.

Copyleft works because it's the best strategy we have for software freedom, and because copyleft elegantly confines itself to the software rights of users. Attempts to apply the copyleft strategy to software-unrelated causes will (at the very least) fail to achieve the intended results, and at their worst, will primarily serve to trivialize the important issue of software freedom that copyleft was invented to accentuate.

-- from "Copyleft Won't Solve All Problems, Just Some of Them"

I have long argued that technologists (and especially software freedom activists) should dedicate more care and resources to the ethical use of technology and eliminating discrimination and oppression that technology often enables. While I don't believe software licenses are the best way to accomplish this task, I've wondered since the conference what FOSS contributors can do to protect human rights. The proposed licenses have been essential to starting these discussions, but the license changes themselves seem unlikely to work: they'd introduce nonfree provisions, introduce license uncertainty and on top of that, we know that companies that would commit atrocities will ignore licenses and act from judgement-proof jurisdictions.

-- from "Ethical Employment Contracts Instead of Ethical Licenses?"

wwahammy commented 2 years ago

I want to point out a risk that may be easy to overlook about ES licenses and why you may not want to allow them in the DPG standard. The ES licenses, intentionally, give more power to a copyright holder. It's practically impossible to know, though, how any one of the copyright holders will apply that power. (NOTE: in many projects, every contributor is a copyright holder of what they contributed and has the right to enforce the terms of the license.)

Since abortion rights is the initial topic, let's think through some ways this could come up. Consider that there's a significant group of people who believe abortion is a human rights violation. If I receive software that they contributed to and use it to assist abortions in some manner, they may sue me. On the other hand, if an abortion rights supporter contributes to a project under an ES license, they could consider suing someone who used it as part of an anti-abortion advocacy group. Nothing in the license tells a user what risks they have of being sued other than "one of the creators might sue me if I use it in a manner that violates human rights". And, while a simple lawsuit being filed would be enough to stop many users, if it got to a court in the US, I think any reasonable person would conclude that courts could rule for or against either side of this argument. I 100% believe abortion rights are human rights but I can see how a court could conclude differently.

The problem isn't just for people for or against abortion rights; similar problems exist for groups supporting sex workers, needle exchange programs, LGBTQ groups, religious groups opposed by extremists and a whole host of other groups. There's this massive risk of being sued with an ES license over the interpretation of human rights rules that just doesn't exist with an open source license. Ultimately, I believe people who are at the most risk from that are people who can least afford more legal risk, i.e. people who are already marginalized legally.

I don't know whether others interpret the risk the same but if there's even a small chance of that being the case, I don't see how software that is more dangerous for the marginalized to use can also be a "public good".

robbyoconnor commented 2 years ago

Excellent point @wwahammy -- the funny part is I don't necessarily disagree with ES but it's written in such a shitty way that it should not be used in any tangible way in public goods projects until it's written in a way that will hold water. You can't just hand wave like the current method and think it won't be used in a nefarious way.

I feel like the supporters of ES seem not to be grounded in reality. It would help if you had real lawyers review your license. I doubt any big corporation, defense contractor, or ICE (or its contractors) will give two shits about your license and won't bat an eye to violating it because it won't stand up in court. At best the whole thing is just virtue signaling. The execution is all wrong.

nemobis commented 2 years ago

Public goods (digital or otherwise) can't be restricted just because we don't like the people using them.

Yes, they can be, as @Nolski pointed out. Also, it's not the people that we “don't like”, in fact, it's their unethical and socially detrimental behaviour that we condemn.

I'm confused whether we're talking about public goods like air, or commons (common-pool resources) like water basins. Please clarify.

Should the water company cut access to water for "unethical" users? Under what criteria and limitations? And what about a hypothetical "air authority"?

realpixelcode commented 2 years ago

@downeymj You say that big companies wouldn't care about (ethical) licences in the first place. Why do you believe they would care about copyleft on the other hand? If they don't care about copyright infringements, they don't care about copyright infringements.

proprietary software licenses

The term “proprietary” refers to intellectual property that may only be used by its owner, meaning that a fitting synonym for that is “all rights reserved”. Since the purpose of every licence is granting rights, it makes zero sense to speak of “all-rights-reserved licences” in any context. Consider using the term “OSD-compliant” instead, if that's what you're actually referring to.

@wwahammy

consider that there's a significant group of people who believe abortion is a human rights violation

It doesn't matter what someone subjectively believes to be a human rights violation. All that matters is what it says in the licence. And if we're talking about the Hippocratic Licence, then it clearly defines human rights based on the UDHR – which simply doesn't consider abortion a human rights violation.

@nemobis

I'm confused whether we're talking about public goods like air, or commons (common-pool resources) like water basins. Please clarify.

I'm not the one who brought up the comparison with the public park.

Should the water company cut access to water for "unethical" users?

Regardless of whether it should, it already does. Think of those customers who don't pay the water bill.

And what about a hypothetical "air authority"?

Having air to breathe is a constitutionally declared human right that no one shall be deprived of. Using other people's creations is not such a human right.

nemobis commented 2 years ago

On 06/08/22 13:43, Pixelcode wrote:

Think of those customers who don't pay the water bill.

There are places where they can't be cut from municipal water anyway. Check it out!

Nolski commented 2 years ago

This will be my last comment and then I'm unsubscribing from this thread as I'd prefer not to add my name to the growing list of people who have advocated for an ES license and received harassment for doing so.

As such, whereas (a) the Secretary-General (through a broad and open international consultative process) defined digital public goods as open source software, and (b) Ethical Source licenses are not open source software, therefore (c) software with such licenses can not be considered a Digital Public Good.

I think the maintainers can determine on their own whether ES fits within the intended implication of using the term "open-source". I see no reason why that definition can't be revised due to very relevant and reasonable justifications such as those proposed by @jwflory.

In response to the issues proposed by @wwahammy - Unless I am missing something, no interpretation of any license listed on the Organization for Ethical Source's website could come to the conclusion you have made. To me, this seems to be a straw man.

In response to @robbyoconnor 's disrespectful comments - I'd encourage you to read the code of conduct for this repository. Furthermore, the Hippocratic license was written by lawyers at the Corporate Accountability Lab.

In response to @nemobis 's mentioning air and water as a comparison... The neo-classical economics definition you linked to was created with the purpose of better understanding and modeling economic systems. While it is useful in the context of an undergraduate econ 101 course, it is misleading in helping people understand how resources such as air, water, and public spaces are actually governed in reality. Air is heavily regulated (where can drones fly? where can planes fly? What substances can you put into the air? How much?). As is water (how much can you use? What can you use it for? Can you water your plants? Can you wash your car?).


I'm sure there are many criticisms that could be directed towards Ethical Source licenses about how effective they are and whether they achieve their intended goals. I don't personally think those criticisms are relevant here as I don't see how that would create a problem if an ES-licensed project were listed as a DPG. I think that the reason @jwflory provided for allowing an ES-licensed project to be listed as a DPG is a good one.

Have a good weekend y'all :v:

robbyoconnor commented 2 years ago

It doesn't matter what someone subjectively believes to be a human rights violation. All that matters is what it says in the licence. And if we're talking about the Hippocratic Licence, then it clearly defines human rights based on the UDHR – which simply doesn't consider abortion a human rights violation.

I'm sorry, but what? Licenses and legal contracts need to be specific, not ambiguous. The other bit is that the UN Declaration of Human Rights is not a legal instrument that can be used in a legal contract, which licenses are. It is not meant to be used in this manner.

realpixelcode commented 2 years ago

Licences and legal contracts need to be specific, not ambiguous.

I generally trust lawyers not to make a legal document too “ambiguous”.

[The UDHR] is not meant to be used in this manner.

That's no sufficient reason why it can't be referenced in a legal document. The “worst” that could happen is that the civil court rules that the sued licensee's alleged misconduct cannot be clearly considered a breach of the UDHR.

robbyoconnor commented 2 years ago

I generally trust lawyers not to make a legal document too “ambiguous”.

They did.

That's no sufficient reason why it can't be referenced in a legal document. The “worst” that could happen is that the civil court rules that the sued licensee's alleged misconduct cannot be clearly considered a breach of the UDHR.

The other outcome is the license gets laughed out of court.