Choosing an Open Source license for your end-to-end encrypted app
Tips and ideas on evaluating and choosing an Open Source license.
When building a secure end-to-end encrypted app, you have a lot of decisions to make. Which cryptographic algorithms do you use? What protocols do you use for communication? How do you store user data securely? And so on.
It's easy to get lost in a sea of choices, and it can be daunting trying to figure out what the right one is for your project. Even if you have experience with cryptography, Open Source licensing, and software licensing in general, it's likely that there are terms that are new to you.
This article will take you through some key considerations when choosing an Open Source license for your end-to-end encrypted app, though it could likely be applied to any other kind of software.
What is an Open Source license?
When you choose an Open Source license for your app, you give those who create the software permission to use your code. Open Source licenses vary greatly, but they have a few common traits:
- They allow anyone to use and modify your code.
- They allow others to create derivative works of your code, so long as they attribute you and license their derivative works under the same open source license as you.
- They usually include some sort of disclaimer that states that you don't hold the copyright to any code that is under the Open Source license.
How to choose an Open Source license for your app
Choosing the right Open Source license can be challenging. There are many factors to consider, including the type of application you're building, the market for your app, and your own personal preference.
Ultimately, one of the most important factors is the intended audience for your app. If you're developing a product that is intended for the general public, then you may want to choose an Open Source license that is more widely known.
If you, however, are developing an end-to-end encrypted app for a specific group of people, then you may want to choose a less-known Open Source license that suits your needs more appropriately.
Popular Open Source licenses for end-to-end encrypted apps
The most widely used Open Source license for end-to-end encrypted apps is the MIT License. It is very common in the cryptography space, but it can work well for other applications as well as it's very permissive.
Another popular Open Source license for end-to-end encrypted apps is Apache 2.0. It's a very broad license, with no attribution or copyleft requirements.
Drawbacks of popular Open Source licenses
There's no question that the Apache 2.0 and MIT licenses are both well-known Open Source licenses. However, they're not exactly well-known for their user-friendliness.
Apache 2.0 has no attribution or copyleft requirements, and MIT is known to be quite permissive, to the point of being confusing.
As a result, both of these licenses have been criticized for being too easy for developers to misuse. That's when options like MPL, GPL (and AGPL) come in, with clearer definitions and terms, and also less permissiveness (or more protection, depending on your point of view).
Other considerations when choosing an Open Source license
It's important to remember that, even for Open Source licenses that you think are best for your end-to-end encrypted app, you will still need to incorporate them into your code. If you don't follow the terms and conditions of the license, then you will be violating the law.
Furthermore, all Open Source licenses come with a disclaimer that states that you don't hold the copyright to any code that is under the Open Source license. If a court case challenges that disclaimer, then you will be held liable for violating the copyright of the Open Source code.
As stated before, it largely depends on the type of application you're building, the market for your app, and your own personal preference.
For Budget Zen I chose AGPL because it allows anyone to use it, modify it, and share it on a personal and commercial context, while having to still make its source code available. Obviously, for white-labeling solutions or specific needs it might not be ideal, and that's why you can always reach out and ask for a specific license.