GitLab freezes GraphQL project amid looming Facebook patent fears

Promising query language garbled by legal lingo


Using GraphQL, an increasingly popular query language for grabbing data, may someday infringe upon pending Facebook patents, making the technology inherently problematic for corporate usage.

In an analysis posted to Medium and in a related discussion in the GraphQL repo on GitHub, attorney and developer Dennis Walsh observed that Facebook's GraphQL specification doesn't include a patent license. In other words: using GraphQL in your software may lead to your code infringing a Facebook-held patent on the technology in future.

“The patents (as of a few weeks ago) were granted but not issued,” said Walsh in an email to The Register today. “Damages can start before issuance but litigation cannot. But post-issuance, the threat is very real. My reading of two GraphQL granted applications and the GraphQL spec is that any properly implemented GraphQL server infringes.”

Potentially infringing projects, according to Walsh, include various open-source GraphQL implementations for server-side languages, such as Python, Scala, Java, and NodeJS. GraphQL-as-a-platform providers, such as GraphCool and Scaphold, are also at risk, we're told. And Facebook’s patents also cover GraphQL users such as Yelp, GitHub, Intuit, Pinterest, New York Times, and Twitter.

GraphQL isn't yet officially covered by a patent, but Facebook has applied for at least two – and, crucially, Walsh believes the patents will be fully granted. The chance of getting a patent has been estimated to be more than 70 per cent in the computers and communications sector.

Because patent language tends to be broad, Walsh argues that anyone implementing GraphQL could be infringing.

Facebook has tried to allay such concerns through the Facebook BSD+Patents license, which provides a conditional patent license. Facebook describes its terms thus: "The patent grant says that if you're going to use the software we've released under it, you lose the patent license from us if you sue us for patent infringement."

For those who could never see themselves in that situation, such worries may be too unlikely to consider. But the concerns raised by Walsh are being taken seriously by GitLab, which has put its GraphQL implementation on hold due to lack of legal clarity.

“Whether Facebook wants to assert these patents is the province of gut feelings and lore,” said Walsh. “I don’t believe that Facebook ever offensively litigated a patent, but the potential for litigation is more than theoretical — it’s very real if they choose that path.”

[Figure: Interest in GraphQL on Stack Overflow]

In a GitLab issues post, Jamie Hurewitz, senior director of legal affairs for the code repo biz, expressed concern that Facebook's pending patent applications, if granted, could become part of GraphQL's licensing terms. She sees that as a problem because Facebook's BSD+Patents license is incompatible with the Apache Software Foundation's (ASF) licensing requirements.

"If we were to allow this license, it could lead to potential future conflicts with software licensed under Apache," Hurewitz wrote. "Also, we could be impairing the future rights of our customers. Essentially, this is not really an open source product based on the implications of the license. While there is no payment of cash, payment is in the form of giving up future rights."


In July, the ASF shunned Facebook's popular frontend framework React because it requires the Facebook BSD+Patents license. The foundation branded the React license "Category-X," meaning the library cannot be included in any Apache software project.

Facebook's response was something along the lines of sorry-to-see-you-go. "We recognize that we may lose some React community members because of this decision," said Facebook engineering director Adam Wolff last month. "We are sorry for that, but we need to balance our desire to participate in open source with our desire to protect ourselves from costly litigation."

Curiously, Facebook has proven to be more accommodating with RocksDB, an embedded database the company open sourced in 2013. Earlier this year, the social network re-licensed RocksDB under the Apache 2 and GPL 2 licenses.

In an email to The Register, Paul Berg, an open-source licensing expert who has worked at Amazon and advises Idaho National Laboratory, said the difference between Facebook's terms and Apache's is that Facebook revokes its patent grant for any offensive patent lawsuit against Facebook or its customers for using Facebook products.

The Apache license, he said, only revokes if the lawsuit is filed against someone using the specific Apache product.

"So Facebook wants to let you retain the patent grant for RocksDB if you sue them for an unrelated patent, but revoke the grant in React.js," he said. "This very strongly indicates to me that Facebook feels they have a patent that they have implemented in React.js that they think is a valuable part of their defensive portfolio because of its broad applicability. This allows them to threaten patent aggressors against them or their customers with a countersuit and since the patent applies to so many things, they can be pretty sure the aggressor is in breach of it."

Relicensing React.js under Apache 2, Berg said, would mean Facebook would only revoke its patent grant if they were being sued for React.js itself. That would narrow its defensive value significantly.

Whether Facebook sees the same value in its pending GraphQL patents as it does in its React-related intellectual property is unclear. Facebook did not immediately respond to a request for comment, but Lee Byron, one of the Facebook engineers behind GraphQL, has said the social network giant is considering the community's concerns.

Walsh argues Facebook should cancel their GraphQL patents. “These patents are quite narrow and it’s hard to imagine viable protection outside of GraphQL,” he said. “They should also give a patent grant in the GraphQL specification.”

He added he believes the developer community is upset enough with Facebook to crowdfund and crowdsource a campaign to seek the reexamination of Facebook’s patent portfolio. ®
