GitLab freezes GraphQL project amid looming Facebook patent fears

Promising query language garbled by legal lingo

Using GraphQL, an increasingly popular query language for grabbing data, may someday infringe upon pending Facebook patents, making the technology inherently problematic for corporate usage.

In an analysis posted to Medium and in a related discussion in the GraphQL repo on GitHub, attorney and developer Dennis Walsh observed that Facebook's GraphQL specification doesn't include a patent license. In other words: using GraphQL in your software may lead to your code infringing a Facebook-held patent on the technology in future.

“The patents (as of a few weeks ago) were granted but not issued,” said Walsh in an email to The Register today. “Damages can start before issuance but litigation cannot. But post-issuance, the threat is very real. My reading of two GraphQL granted applications and the GraphQL spec is that any properly implemented GraphQL server infringes.”

Potentially infringing projects, according to Walsh, include various open-source GraphQL implementations for server-side languages, such as Python, Scala, Java, and NodeJS. GraphQL-as-a-platform providers, such as GraphCool and Scaphold, are also at risk, we're told. And Facebook’s patents also cover GraphQL users such as Yelp, GitHub, Intuit, Pinterest, New York Times, and Twitter.

GraphQL isn't yet officially covered by a patent, but Facebook has applied for at least two – and, crucially, Walsh believes the patents will be fully granted. The chance of getting a patent has been estimated to be more than 70 per cent in the computers and communications sector.

Because patent language tends to be broad, Walsh argues that anyone implementing GraphQL could be infringing.

Facebook has tried to allay such concerns through the Facebook BSD+Patents license, which provides a conditional patent license. Facebook describes its terms thus: "The patent grant says that if you're going to use the software we've released under it, you lose the patent license from us if you sue us for patent infringement."

For those who could never see themselves in that situation, such worries may be too unlikely to consider. But the concerns raised by Walsh are being taken seriously by GitLab, which has put its GraphQL implementation on hold due to lack of legal clarity.

“Whether Facebook wants to assert these patents is the province of gut feelings and lore,” said Walsh. “I don’t believe that Facebook ever offensively litigated a patent, but the potential for litigation is more than theoretical — it’s very real if they choose that path.”

[Figure: Interest in GraphQL on Stack Overflow]

In a GitLab issues post, Jamie Hurewitz, senior director of legal affairs for the code repo biz, expressed concern that Facebook's pending patent applications, if granted, could become part of GraphQL's licensing terms. She sees that as a problem because Facebook's BSD+Patents license is incompatible with the Apache Software Foundation's (ASF) licensing requirements.

"If we were to allow this license, it could lead to potential future conflicts with software licensed under Apache," Hurewitz wrote. "Also, we could be impairing the future rights of our customers. Essentially, this is not really an open source product based on the implications of the license. While there is no payment of cash, payment is in the form of giving up future rights."

In July, the ASF shunned Facebook's popular frontend framework React because it requires the Facebook BSD+Patents license. The foundation branded the React license "Category-X," meaning the library cannot be included in any Apache software project.

Facebook's response was something along the lines of sorry-to-see-you-go. "We recognize that we may lose some React community members because of this decision," said Facebook engineering director Adam Wolff last month. "We are sorry for that, but we need to balance our desire to participate in open source with our desire to protect ourselves from costly litigation."

Curiously, Facebook has proven to be more accommodating with RocksDB, an embedded database the company open sourced in 2013. Earlier this year, the social network re-licensed RocksDB under the Apache 2 and GPL 2 licenses.

In an email to The Register, Paul Berg, an open-source licensing expert who has worked at Amazon and advises Idaho National Laboratory, said the difference between Facebook's terms and Apache's is that Facebook revokes its patent grant for any offensive patent lawsuit against Facebook or its customers for using Facebook products.

The Apache license, he said, only revokes if the lawsuit is filed against someone using the specific Apache product.

"So Facebook wants to let you retain the patent grant for RocksDB if you sue them for an unrelated patent, but revoke the grant in React.js," he said. "This very strongly indicates to me that Facebook feels they have a patent that they have implemented in React.js that they think is a valuable part of their defensive portfolio because of its broad applicability. This allows them to threaten patent aggressors against them or their customers with a countersuit and since the patent applies to so many things, they can be pretty sure the aggressor is in breach of it."

Relicensing React.js under Apache 2, Berg said, would mean Facebook would only revoke its patent grant if they were being sued for React.js itself. That would narrow its defensive value significantly.

Whether Facebook sees the same value in its pending GraphQL patents as it does in its React-related intellectual property is unclear. Facebook did not immediately respond to a request for comment, but Lee Byron, one of the Facebook engineers behind GraphQL, has said the social network giant is considering the community's concerns.

Walsh argues Facebook should cancel their GraphQL patents. “These patents are quite narrow and it’s hard to imagine viable protection outside of GraphQL,” he said. “They should also give a patent grant in the GraphQL specification.”

He added he believes the developer community is upset enough with Facebook to crowdfund and crowdsource a campaign to seek the reexamination of Facebook’s patent portfolio. ®
