Alison:
Hello good people of tor-project@! I'm excited to present to you something that a number of us core members have been working on for some time now: the Tor Project Social Contract 1.0 [1]. Modeled after the Debian Social Contract [2], the Tor Project Social Contract is a set of promises to our community about what Tor stands for and why we create it.
I'm sharing it with all of you today so that we can work on ratification. I think that the best way to do this is as follows:
By 6 August at 00:00 UTC, please respond to me or to the list if you accept or object to this social contract so that we can ratify this through rough consensus [3].
If objecting: Please be specific about your objections so that we can discuss changes as needed. If you respond directly to me, I will assume that you don't want your name shared with the group, but please specify if you don't want your comments shared either. NB: THIS IS NOT AN INVITATION TO EDIT BY COMMITTEE. I'm interested in feedback like "this does not represent the Tor that I know" not "I'd like this sentence reworded". Please also be kind, because this was written by humans.
I hate to be late to the party, and I hate to start a libre/free/open flamewar, but I am concerned about the specific language "free of cost" with respect to our tools in Point #3.
In my opinion, dragging statements about money/revenue into the social contract is limiting and may cause unnecessary divisions in the community. Here are three examples to consider:
1. If a member of the Tor community (ex: the Guardian Project, an independent for-profit entity, or perhaps a for-profit subsidiary of Tor Project Inc) creates a Tor-enabled Android phone, a Tor-enabled Chromebook, a Tor Router, or similar, and sells pre-installed versions of that hardware for fundraising purposes or directly for profit, is that a violation of Point #3? What if the implementations are open source? What if they are not? What if some components are not (like video drivers, or similar non-security-critical components)?
2. If an alternate bridge provider created a BridgeDB instance that handed out bridges in exchange for money/bitcoin, would that be in violation of the "free to access" standard? What if they upstreamed their modifications and open sourced their implementation? What if they didn't?
3. OnionBrowser costs $1 in the iOS App Store, but it is open source, and people are free to build their own versions. Would Mike Tigas be in violation of the social contract for doing this? For an extra wrinkle, OnionBrowser was not initially open source. Does that make a difference? (I think it does.)
In my opinion, all of the above would be cleaner to answer if we chose some wording that did not invoke any monetary interpretation in our use of "free", or even the word "free" at all. I see nothing wrong with paid versions of Tor tools, paid hardware, or paid access, so long as the implementations of security-critical components are open source and auditable. Maybe others disagree?
Here's an attempt to reword to capture my thinking:
3. Our tools are universally available to access, use, adapt, and distribute
The more diverse our users, the less simply being a user of Tor implies about any user, so we aim to create tools that anyone can access and use. We do not restrict access to our tools unless it is for the security of all users, and we design, build, and deploy our tools without collecting identifiable information about our users. We expect the code and research we publish to be improved by many different people, and that is only possible if everyone has the ability to use, copy, modify, and redistribute our tools.
Otherwise, I'm on board with the rest of the social contract. Nice work Alison, et al!