The most common failure mode in civic technology is not technical. It is organizational. A well-intentioned founder builds a platform. It gains traction. Investors acquire influence. Incentives shift. The platform that began as democratic infrastructure becomes a data extraction business.

This isn't a hypothetical risk. It is the documented pattern of the last two decades of social technology. Project Liberty — Frank McCourt's initiative to build a people-centered internet — has identified this capture dynamic as the central design challenge of the next generation of digital infrastructure. Their research into data cooperatives as alternatives to centralized digital economies provides the intellectual foundation for what Open Caucus is building: governance structures where the people who generate data are the people who control how it's used.

Open Caucus extends this vision with a specific architectural commitment: the governance structure is reinforced by open source code and Swiss cooperative law working together, so that the promises embedded in the governance cannot be silently violated in the software.

Governance: three entities, three protections

The long-term architecture places the platform's mission under the custody of three legally distinct organizations, each providing a protection the others cannot:

Swiss AG

Canton Zug (planned) — Commercial operating company

Accepts investment, employs the team, signs B2B contracts, generates revenue. Governed by articles of incorporation requiring a supermajority to change data governance provisions. At formation, the AG holds the platform's core intellectual property under those supermajority protections.

Swiss Cooperative

Canton Zurich (planned) — Democratic governance body

One member, one vote. Every paying user ("Navigator") is a cooperative member. When the Cooperative forms, it takes custody of the platform's core intellectual property, with the AG continuing to operate under a license-back agreement. This means the Cooperative — not any investor coalition — controls the fundamental terms under which the platform's code can be used. No acquisition of the AG transfers that IP ownership. The Cooperative also holds a blocking minority in the AG, meaning no investor coalition can change data policies without a member vote. Together, these mechanisms are what make the claim "users own their data" structurally true rather than merely contractual. Swiss cooperative law under the Swiss Code of Obligations has governed such structures since 1911.

Liechtenstein Foundation

Vaduz (planned) — Permanent mission lock

At the final stage of the architecture, the Foundation takes custody of the core intellectual property under a purpose-locked charter supervised by the Liechtenstein FMA (Financial Market Authority). If an acquirer purchases the AG, they acquire operating rights — not the ability to repurpose the technology. Deviation from the chartered purpose triggers regulatory intervention, not a policy review.

Together, these entities create interlocking constraints: the AG cannot change data governance without the Cooperative's vote. The Cooperative cannot sell the IP because the Foundation holds it. The Foundation cannot deviate from its charter because the FMA enforces it. No single party — including the founder — can compromise the mission unilaterally.

Open source: code you can verify, not promises you must trust

Governance structures protect against organizational capture. But governance alone cannot protect against a platform that says it respects your privacy while its code does something different. This is why Open Caucus is committed to auditable code — not as a marketing label, but as a structural trust mechanism.

Our approach draws on what Proton demonstrated in encrypted communications and what Project Liberty's DSNP is building for decentralized social networking: when the infrastructure serves a public interest function, the code must be publicly auditable. Privacy claims that cannot be independently verified are privacy theater.

The code licensing follows our entity structure. We state that sequence directly, because the communities we serve will verify it.

Core infrastructure — Today

Core platform code is published under BUSL 1.1 — a source-available license. BUSL is not open source by OSI definition, and we state that clearly. What it does: anyone can read and audit the code on behalf of the communities it serves. What it prevents: a well-funded actor from forking the codebase, stripping the privacy protections, and redeploying a surveillance-enabled version without restriction. We are starting with BUSL and making the conversion date a public commitment, not re-closing a project that was previously open.

Core infrastructure — At Swiss AG formation

When the Swiss AG registers, the codebase converts from BUSL to AGPL-3.0 — the strongest widely-adopted open source license, and an OSI-approved one. AGPL requires that anyone who modifies the code and runs it as a network service must publish their modifications. This means a hostile actor cannot fork Open Caucus, strip the privacy protections, and deploy a surveillance-enabled version without exposing the changes publicly. Mastodon, Nextcloud, and Gitea use the same license for the same reason. The conversion is tied to the AG registration — not to a discretionary decision by the team.

Developer SDKs & verification tools

Released under AGPL-3.0 beginning at Swiss AG formation, transitioning to Apache 2.0 when the Cooperative forms and democratic IP governance is active. Apache 2.0 maximizes adoption by researchers, civic technologists, and independent auditors who want to build on or verify the platform without copyleft obligations.

Contributor provenance

Managed through the Developer Certificate of Origin (DCO), beginning at Swiss AG formation — the same lightweight mechanism used by the Linux kernel and Docker. DCO ensures clean intellectual property provenance without the friction of contributor license agreements.

Commercial features — the B2B tools for researchers and political organizations — remain proprietary. This is the open core model: the democratic infrastructure is open and auditable; the business layer that funds it is commercially licensed. Investors need this boundary. Users benefit from it because the revenue it generates funds the infrastructure's independence.

The code is the proof. Under any license, auditable or fully open, any developer can verify whether our privacy claims match what the code actually does. That audit capability exists today. Full open source protections follow when the Swiss AG forms.

The cooperative model: paying as resistance

The "Navigator" tier (~$1.30 USD/month) is not a subscription to an app. It is a membership reservation in the Swiss Cooperative. When the Cooperative forms, Navigators become founding members with governance rights over how their collective data is used.

This framing draws on a principle articulated by Doc Searls in his concept of the Intention Economy: instead of platforms extracting your attention and selling it to advertisers, individuals broadcast their intentions directly, and markets compete to serve them. Project Liberty's Alliance of 160+ organizations is building toward the same structural shift — moving from an internet that extracts value from people to one that serves them. Open Caucus is designed to be part of that transition.

The Navigator payment is the structural mechanism that makes cooperative governance possible. The person who pays is the person who cannot be sold. Revenue from Navigator memberships funds the cooperative's independence, ensuring the democratic governance body never depends on the commercial entity for its existence.

Where we are, honestly

None of these entities exist yet. Open Caucus is currently operated by Quiet and Helpful, LLC, a Minnesota limited liability company. The Swiss AG, the Cooperative, and the Foundation will be formed at specific milestones as the project matures — each triggered by real adoption metrics, not arbitrary timelines.

What that means for trust right now: four protections are active today. Your political preferences are stored on your device, not our servers — individual political data cannot be produced from infrastructure that doesn't hold it. You are the licensor in our Terms of Service; we are the licensee, and you can revoke that license anytime. The source code is published and readable — any developer can audit it on your behalf. And our build process is designed for verifiability.

Additional protections — jurisdictional, democratic governance, and mission permanence — activate as the entity structure matures through its milestones. We name those milestones publicly because the communities we serve will track them. What you have today is real. What comes next is staged, budgeted, and tied to verifiable triggers.

We publish this roadmap — including the honest gaps — because vague promises about future governance structures are worth less than a clear vision with stated limitations at each stage.

The vision is a platform where the people who generate political data are the people who govern how it's used — and where the code that implements those governance commitments is publicly auditable. Structurally, not rhetorically. Getting there requires building trust one verified step at a time.
