GitLab freezes GraphQL project amid looming Facebook patent fears
Promising query language garbled by legal lingo
Using GraphQL, an increasingly popular query language for grabbing data, may someday infringe upon pending Facebook patents, making the technology inherently problematic for corporate usage.
In an analysis posted to Medium and in a related discussion in the GraphQL repo on GitHub, attorney and developer Dennis Walsh observed that Facebook's GraphQL specification doesn't include a patent license. In other words: using GraphQL in your software may lead to your code infringing a Facebook-held patent on the technology in future.
“The patents (as of a few weeks ago) were granted but not issued,” said Walsh in an email to The Register today. “Damages can start before issuance but litigation cannot. But post-issuance, the threat is very real. My reading of two GraphQL granted applications and the GraphQL spec is that any properly implemented GraphQL server infringes.”
Potentially infringing projects, according to Walsh, include various open-source GraphQL implementations for server-side languages, such as Python, Scala, Java, and NodeJS. GraphQL-as-a-platform providers, such as GraphCool and Scaphold, are also at risk, we're told. And Facebook’s patents also cover GraphQL users such as Yelp, GitHub, Intuit, Pinterest, New York Times, and Twitter.
GraphQL isn't yet officially covered by a patent, but Facebook has applied for at least two – and, crucially, Walsh believes the patents will be fully granted. The chance of getting a patent has been estimated to be more than 70 per cent in the computers and communications sector.
Because patent language tends to be broad, Walsh argues that anyone implementing GraphQL could be infringing.
Facebook has tried to allay such concerns through the Facebook BSD+Patents license, which provides a conditional patent license. Facebook describes its terms thus: "The patent grant says that if you're going to use the software we've released under it, you lose the patent license from us if you sue us for patent infringement."
For those who could never see themselves in that situation, such worries may be too unlikely to consider. But the concerns raised by Walsh are being taken seriously by GitLab, which has put its GraphQL implementation on hold due to lack of legal clarity.
“Whether Facebook wants to assert these patents is the province of gut feelings and lore,” said Walsh. “I don’t believe that Facebook ever offensively litigated a patent, but the potential for litigation is more than theoretical — it’s very real if they choose that path.”
[Figure: Interest in GraphQL on Stack Overflow]
In a GitLab issues post, Jamie Hurewitz, senior director of legal affairs for the code repo biz, expressed concern that Facebook's pending patent applications, if granted, could become part of GraphQL's licensing terms. She sees that as a problem because Facebook's BSD+Patents license is incompatible with the Apache Software Foundation's (ASF) licensing requirements.
"If we were to allow this license, it could lead to potential future conflicts with software licensed under Apache," Hurewitz wrote." Also, we could be impairing the future rights of our customers. Essentially, this is not really an open source product based on the implications of the license. While there is no payment of cash, payment is in the form of giving up future rights."
In July, the ASF shunned Facebook's popular frontend framework React because it requires the Facebook BSD+Patents license. The foundation branded the React license "Category-X," meaning the library cannot be included in any Apache software project.
Facebook's response was something along the lines of sorry-to-see-you-go. "We recognize that we may lose some React community members because of this decision," said Facebook engineering director Adam Wolff last month. "We are sorry for that, but we need to balance our desire to participate in open source with our desire to protect ourselves from costly litigation."
Curiously, Facebook has proven to be more accommodating with RocksDB, an embedded database the company open sourced in 2013. Earlier this year, the social network re-licensed RocksDB under the Apache 2 and GPL 2 licenses.
In an email to The Register, Paul Berg, an open-source licensing expert who has worked at Amazon and advises Idaho National Laboratory, said the difference between Facebook's terms and Apache's is that Facebook revokes its patent grant for any offensive patent lawsuit against Facebook or its customers for using Facebook products.
The Apache license, he said, only revokes if the lawsuit is filed against someone using the specific Apache product.
"So Facebook wants to let you retain the patent grant for RocksDB if you sue them for an unrelated patent, but revoke the grant in React.js," he said. "This very strongly indicates to me that Facebook feels they have a patent that they have implemented in React.js that they think is a valuable part of their defensive portfolio because of its broad applicability. This allows them to threaten patent aggressors against them or their customers with a countersuit and since the patent applies to so many things, they can be pretty sure the aggressor is in breach of it."
Relicensing React.js under Apache 2, Berg said, would mean Facebook would only revoke its patent grant if they were being sued for React.js itself. That would narrow its defensive value significantly.
Whether Facebook sees the same value in its pending GraphQL patents as it does in its React-related intellectual property is unclear. Facebook did not immediately respond to a request for comment, but Lee Byron, one of the Facebook engineers behind GraphQL, has said the social network giant is considering the community's concerns.
Walsh argues Facebook should cancel their GraphQL patents. “These patents are quite narrow and it’s hard to imagine viable protection outside of GraphQL,” he said. “They should also give a patent grant in the GraphQL specification.”
He added he believes the developer community is upset enough with Facebook to crowdfund and crowdsource a campaign to seek the reexamination of Facebook’s patent portfolio. ®