A feature - age verification-related code - which was not a grassroots feature request and appears to have been opposed by the overwhelming majority of users - was pushed into systemd without much discussion, and the discussion was then locked.
In the cases that I linked, the government prevailed and the project did not.
My understanding is that FOSS is based on copyright law.
FOSS licenses are subordinate to government law.
The mechanism to enforce FOSS licenses is through copyright law and government courts.
Laws are made by governments.
Developers do not need a license to use their own software.
Licenses are given by authors to consumers. (Licenses are given by developers to users.)
Therefore, I am not convinced that a FOSS license would protect developers (operating system providers) where the law is applicable.
There is a hierarchy here, and laws rank above software licenses.
So, at least from my current non-lawyer understanding, I am not convinced that the license would materially help with this specific concern.
Licenses do help users in important ways, but perhaps not in a major practical way here. Most users are using downloadable binary images and binary updates. They do not build their own images and package updates from source code.
FOSS licenses are still helping “quite a bit” but perhaps not “materially” yet, because they leave the door open for source-based distributions where users could more easily opt in or opt out of undesirable (but perhaps legally mandated for the operating system provider / developer) features.
Peaceful protest is legal in many countries, but that does not really address how “legal” (as in compliant with government law) civil disobedience by operating system providers affected by age verification laws would look in practice.
I am not giving legal advice here. I am only trying to discuss the practical issue of how a state would likely treat such conduct.
Redefining these words may add confusion. If these words are being redefined, it may be useful to say explicitly that “legal” is not being used to mean “permitted by government law” but instead some other definition.
Especially in a discussion about government laws, using clear definitions seems helpful.
I agree that this law is poorly worded. If understanding what it is supposed to mean already requires a lawyer, then that creates room for arbitrary enforcement. In my view, it is wrong to define rules so poorly and then threaten or punish enforcement when no non-lawyer could reasonably understand them.
legally based and registered
The table entry Non-U.S. incorporated legal entity is meant to document that none of the sample cases is incorporated in the U.S. Either there is no evidence of U.S. incorporation or there is evidence of the contrary, i.e. a non-U.S. legal entity.
That is one major point of the table. I am only adding examples of Non-U.S. incorporated legal entity.
Do you think commercially is really the key word to focus on here? Or would it be better to avoid or drop it? If it is relevant, which legal definition of commercially are you using here?
Also, which legal definition of operate in the US are you using?
Do you think Qubes does or does not operate in the US and/or operate commercially in the US?
Having clearer criteria for why it was applicable in the sample cases but not here could be useful.
I am not trying to make a legal claim here. I am trying to identify a practical framework that helps distinguish the sample cases from this case.
Full disclosure:
I am documenting various pieces of information about age API-related legal issues and adding them to the Kicksecure age-api wiki page. This page might contain material that could be useful to point legal counsel to.
trust in themselves not to have accidentally doxxed themselves (against the odds, adversaries’ advantage, defenders’ disadvantage. A single mistake can de-anonymize someone.);
willingness to engage in civil disobedience;
willingness to take huge legal risks;
not using a legal entity that might provide legal liability protection;
the practical challenges of running a project completely anonymously.
So, from my perspective, your thesis may be unrealistic because what you suggest should have happened had not actually been foreseen by any project.
The material seized includes bank statements, donor information from Zwiebelfreunde’s inception in 2011 that it painstakingly documented on paper receipts, and the identities of people active in partner projects like Tor, and Tails, the privacy-focused operating system.
Because the Tails project tries hard to protect the identities of its members, Zwiebelfreunde kept information out of any electronic documentation. But, under pressure from tax authorities, the organization had compiled paper receipts with names and passport numbers of those the project had reimbursed.
They also used to attend (and may still do) IT conferences in person. [2][3][4]
Note: Tails developers are not fully anonymous either. ↩︎
Not a secret for anyone who attended CCC conferences. ↩︎