In my 2019 open source licenses year in review, I suggested that 2020 would see more adoption of licenses with a strong ethical focus. Just on schedule, last week the authors of the Hippocratic License (a license that prohibits usage in situations that violate human rights) released version 2.0, and the vcr project adopted it. Kurtis Rainbolt-Greene, the lead author of vcr, gave the following straightforward explanation for the change: before the license change “anyone ... could start using our collected works for things that should be opposed on an ethical level.”
Since vcr has over 15,000 dependent repositories, and is in our dependency stack at Tidelift, I thought it would be timely to share how an attorney (like myself) might assess this license change and advise clients.
Will it get evaluated at all?
The most common way in which the license will get evaluated is “not at all.” The vast majority of users won’t notice this library’s new license, and will continue using it just as they have in the past. This is probably not ideal for anyone. For the authors of vcr, of course, it means their ethical goals likely are not going to be met. For the corporations using vcr and unaware of the license change, it’ll mean an ongoing potential copyright license violation.
Will the evaluation be just a checklist?
The next most common evaluation will be a simple check against a list of accepted licenses, usually the list from the Open Source Initiative, a license-scanner vendor, or from counsel. Organizations using this approach are sophisticated enough to know what code they’re using, but prefer to take a risk-averse approach to what they accept.
In this case, the license will be rejected immediately, because the license isn’t on any of these lists yet (and may never be). These organizations will likely stick with vcr 5.0.0 (the last version under the old license) as long as they can, in the hopes either that newer versions will switch back to the old license, or that someone else will write a viable replacement, under a more permissive license, that they can use instead.
A more sophisticated evaluation
A very small number of organizations will go to the trouble of reading the license and figuring out if they can comply with its terms. This will be rare, because few organizations have the right kind of legal skills (or the time!) to analyze this. But for those that do analyze it, the first pass will be a simple search for any egregious flaw that would cause the document to be rejected immediately; only if there is a really compelling business reason to use the software will the lawyer dig further (say, by doing more research or looking for ways to work around problems).
Version 1.3 of the license, used (as of this writing) by vcr, has a number of these showstoppers; perhaps most importantly for most businesses, it prohibited harm to the “economic well-being” of others—which is a tough ask for businesses who see themselves as being in economic competition! So license compliance would have been very difficult for many businesses, unless they wanted to use loopholes to avoid the plain language of the license.
The new version 2.0 of the license removes some of the most obvious flaws of this sort, probably in part because it was the first version drafted with help from attorneys. These changes will force any counsel grappling with vcr and the Hippocratic License more generally to answer some fundamental questions about their business and their tolerance for risk—never fun or easy exercises!
In particular, four of the tough questions forced by the license include:
- Legal compliance: the license says, in essence, “you have to comply with relevant laws.” On its face, this is easy: all businesses of course agree to comply with the law. The trickier question is, who enforces the law? And what are the penalties? Accepting this license signs a company up for third-party monitoring of your legal compliance, with the stick now being copyright law penalties rather than other, potentially milder, penalties the law may call for. This probably isn’t a deal-breaker for most companies, but might be in some situations.
For example, if the Linux kernel adopted this, then for SaaS companies even the smallest, most inadvertent violations of labor law could turn from something resolvable with payment of a governmentally determined reasonable fine into a huge, potentially extinction-level problem.
- Human rights compliance: The clause of the license that references the UN Universal Declaration on Human Rights allows the licensor to terminate a license based on any allegation (even self-made) of a violation. This makes the licensor judge, jury, and executioner, because there is no requirement that the allegation be supported or proven. This invests a lot of power in the licensor. As we’ve been reminded in several GPL copyright troll cases, one can’t always count on good-faith behavior from licensors, and so businesses will look on provisions of this sort with some skepticism since it could mean that even a bad-faith licensor could cancel the license without much warning. (Coraline Ada Ehmke, the creator of the Hippocratic license, has indicated on Twitter that the drafting team is trying to figure how to address this in version 2.1 of the license, perhaps through arbitration.)
- Failure modes: A key question to ask of any legal agreement is “what happens if a court finds it invalid or unenforceable?” In the case of most open source copyright licenses, the answer is “then no one can use the work.” This sounds bad, but works out great, because it dissuades people who are violating the license from attacking its validity. In other words, you might argue with nuances of the license, but you aren’t going to claim that the license itself is invalid, because if it is invalid, then you still can’t use the work. The Hippocratic License puts in some language in 2.0 to attempt to address this, but I suspect it needs some work and will be revised in future versions.
- Governance and new versions: Companies that use software licensed under version 2.0 of the license now may comply with version 2.0, or “any subsequent version published on the Hippocratic License Website.” This is not a showstopper for a business (since they can ignore later versions if those terms are unfavorable) but should lead any project developer who wants to use the license to push for robust, shared governance of the website.
Alternatively, consider the case of an upstanding nonprofit, whose own motives (and legal team) are unimpeachable.
For such an organization, some of the same concerns about the license will still apply. For example, most practicing nonprofit lawyers will still not be familiar with the UN UDHR. (They’re also, sadly, even more likely to be crunched for time.) So the license is still likely to face legal hurdles to adoption because they won’t have time to do that sort of research.
In fact, in some ways the license may be more difficult for a nonprofit to use. Where a hostile or risk tolerant for-profit will feel comfortable taking advantage of any ambiguity, and ignore the spirit of the license, a nonprofit will likely respect the spirit and reject attempts to use loopholes or ambiguity. They may also still have obligations (to funders or existing communities) that prevent them from following every detail of the license, just like for-profits do.
The lawyer assessment
Despite my personal sympathy towards the goals of the license, I’ve asked the Tidelift team to keep us on the MIT-licensed version of vcr—for now.
To Coraline’s credit, the Hippocratic License is adopting a very open-source-y release-early, release-often model. This leads to some uncertainty (never ideal in a license) but also seems likely to help the license iterate more quickly. She has also engaged pro bono legal help, which is a great sign. So even though they aren’t there yet, that combination makes me optimistic that the project can move towards a license that can meet the moral goals of projects like vcr and pragmatic needs of the many businesses (like ours) that rely on them.