EthicalSource / hippocratic-license

An ethical license for open source.
https://firstdonoharm.dev

Add clause for service providers #24

Closed y6nH closed 5 years ago

y6nH commented 5 years ago

This relates to issue #15, and attempts to require users to require their users to be good in turn. The additional clause certainly needs legal review, and may be deemed beyond the scope of this license by the authors. But it's a starting point for discussion.

CoralineAda commented 5 years ago

I think this is really interesting. I'd like to have the lawyer weigh in on it, so I've shared it with him. Thank you for this!

mattsb42 commented 5 years ago

> and take reasonable measures to prevent such use

This clause feels potentially problematic to me from a user privacy and usage intent perspective. Is the intent here to require proactive or merely reactive action on the part of the service provider?

Some hypotheticals:

  1. I am a service provider who provides a file storage service. Am I required to analyze the contents of every file uploaded to attempt to determine both content and intent for compliance? What if my users are using client-side encryption?
  2. I am a service provider who provides end-to-end encrypted chat services. The keys are exchanged out of band, so I cannot decrypt the messages, but users are not anonymous, so I could ban violating users (however that might be determined). Are reactive user bans sufficient to comply with this clause?
  3. I am a service provider who provides an anonymous, end-to-end encrypted, file drop service (say, intended for journalists and whistle-blowers). The keys are exchanged out of band, so I cannot decrypt the files. The users are anonymous, so I cannot ban violating users. The most I can do is delete files that are (somehow) determined to be in violation of this clause. Is that sufficient?

What is the burden of proof that a service provider can or must require in order to prove that user activity is in violation of this clause? To what authority?

If the above file drop service is being used by a whistle-blower to report illegal activity, what keeps a bad actor from reporting that activity to this service provider as a violation of this license clause? On whom is the burden of proof that both the content and the intent of the user are in violation of this clause, in order for the service provider to itself be compliant with this clause?

y6nH commented 5 years ago

Any suggestions on how to make it more useful? I'd interpret "reasonable measures" to exclude breaking the encryption of a private message service, or manually checking every user upload. Reasonable measures (in my not-legally-trained opinion) would be having a system for abuse reporting in place, publishing clear rules about what constitutes abuse, and taking action on reports in accordance with those rules.

CoralineAda commented 5 years ago

Addressed in amended language for the proposed 1.2 version of the license here: #28