
Ask HN: Is it safe to use Facebook's open source projects? - kfei
There is a PATENTS file in almost all of Facebook's open source projects with statements on "Additional Grant of Patent Rights".

E.g., React (https://github.com/facebook/react/blob/master/PATENTS)

Why does Facebook add this declaration on top of the BSD license of the software? Is it safe to use those projects in my commercial project?
======
lmm
There is no way to be safe from patents. Anyone could have them, they don't
have to declare them, and they're written in deliberately obtuse ways so that
you have no way of finding relevant patents before you're sued for infringing
them (you don't have to have copied, or even be aware of, any patented thing
to violate a patent). It's just a hazard of the software industry.

The BSD license says nothing about patents, so this project is in some sense
_safer_ than a "normal" BSD-licensed project (but not an Apache, EPL or
GPLv3-licensed project). The grant Facebook is giving you is fairly minimal
but that's understandable from their perspective: they don't want to give you
any extra patent rights, just enough to use the stuff they're actually trying
to release.

It's not _safe_ to use software in a commercial project. Facebook might hold
patents on any random library you're using. Companies that aren't Facebook
might hold patents on any random library or on React. You could develop a
library in-house in a clean room and it could still infringe someone else's
patent. Patents really suck that way. But React is in no more danger than any
other code you might use.

EDIT: no more danger than any other BSD-licensed code. It would be safer to
use code that has a less revocable patent grant, such as that in the Apache
License, EPL, or GPLv3.

~~~
vkjv
"You could develop a library in-house in a clean room and it could still
infringe someone else's patent."

IANAL, but, it is my understanding that if that's the case the patent wouldn't
hold up to the novel requirement.

~~~
kibibu
It all depends on how the court sees it.

See "Carmack's Reverse" - where John Carmack independently developed an
acceleration for robust stencil shadows, documented his discovery and then had
to capitulate to Creative Labs who owned a patent on the algorithm from a few
months earlier.

------
SixSigma
No. The license has a chilling clause that says if you ever suggest that _any_
Facebook patent might be invalid, your license to use their code is
automatically revoked.

And in corporate world, that means any comment of any of your employees in an
official capacity.

Edit downvotes, well maybe the text of the clause will help

> The license granted hereunder will terminate, automatically and without
> notice, for anyone that makes any claim ... by ... assertion or other action
> ... alleging .. that any right in any patent claim of Facebook is invalid or
> unenforceable.

>
> [https://github.com/facebook/fbcunn/blob/master/PATENTS](https://github.com/facebook/fbcunn/blob/master/PATENTS)

~~~
matthewmacleod
_…if you ever suggest that any Facebook patent might be invalid, your license
to use their code is automatically revoked._

This is not correct — your _license to use any patent of Facebook's that
covers the software_ is revoked. You are still not infringing copyright on the
software by using it, but you will no longer be protected by Facebook's patent
grant, which is _in addition_ to your license to use the software.

This is a boilerplate patent grant, and it doesn't mean that Facebook holds
any patents on e.g. React.

To be clear, this patent grant is _in addition to your license to use the
software_ and as a result _does not restrict your freedom in any way_, versus
the license not being granted at all.

~~~
guscost
Are you saying that they _could not_ come after you for simply using React
(even if you were to dispute the relevant patents in court), or just that
there is no _evidence_ that they could?

~~~
matthewmacleod
Facebook cannot 'come after you' for using React if you have not accused them
of patent infringement.

They can 'come after you' iff you _have_ accused them of that, _and_ you are
using their software in such a way that a patent of theirs is violated.

It's pretty straightforward:

- Facebook has released some open source software. In the case of React, it's
under the BSD license.

- You can use this software however you want, in accordance with the license.

- In _addition_ to granting you a license to use the software, Facebook has
granted you a license to any patents they own that cover the software.

- There is no enumeration or claim that any patents _do_ cover the software.

- Your license to use any hypothetical patent that _does_ cover the software
will be revoked if you make a claim—legal or otherwise—that Facebook has
infringed any patent.

- At that point, you will no longer have a license to use any patent that
covers the software.

- If you are subsequently using the software in a way that infringes one of
their patents, Facebook would legitimately be able to claim patent
infringement.

------
jonas21
Facebook is granting you additional rights on top of the BSD license. In the
worst case, where you do something that causes the patent rights to be
revoked, you're still left with the same rights you have under the BSD
license.

This is unambiguously safer to use than if they had released it under a
vanilla BSD license. As for why Facebook did this, they're most likely trying
to give away additional rights while still maintaining the ability to use
these patents defensively, in the event someone sues them for infringing a
different patent.

It's ironic that people are freaking out about this. If anything, we should be
encouraging more companies to give away patent rights. Sure, it's not as broad
as the Apache license, but it's a lot better than the default (nothing), and
given some of the ridiculous patent lawsuits that have been brought against
Facebook, Google, and others, I can understand why they'd want to avoid
restricting their ability to use their patents defensively.

~~~
DannyBee
"Facebook is granting you additional rights on top of the BSD license. In the
worst case, where you do something that causes the patent rights to be
revoked, you're still left with the same rights you have under the BSD
license. This is unambiguously safer to use than if they had released it under
a vanilla BSD license. As for why Facebook did this, they're most likely
trying to give away additional rights while still maintaining the ability to
use these patents defensively, in the event someone sues them for infringing a
different patent. "

This is 100% totally and completely wrong :)

The BSD license normally includes an implied patent license.

It says " Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met ..
"

This grants an implied patent license to the patents necessary to actually do
this, as long as you meet the restrictions.

This is actually well settled law. You don't get to give people stuff
unrestricted, and say "you can use this for free", and then say "just kidding,
what i meant was, you can use this for free as long as you pay me for the
patents"

However, when you do what facebook has done, and give _an explicit license_,
you have overwritten the terms of that implied license, and you get no implied
license.

So it is not only "not unambiguously safer", you are not "left with the same
rights you had under the bsd license if it is revoked".

This is because if you revoke the explicit grant, you get nothing in terms of
patents. But the implicit grant is not revokable unless you violate _the
copyright license_.

So sorry, but this is not "better than the default" and does not in fact, help
you.

~~~
matthewmacleod
_This is actually well settled law._

I'm not sure it is, and I'd argue the situation is unclear. I'd be keen to see
any examples though – it would be awesome if there was something to fall back
on.

All I can find is evidence that it would be at best very risky to rely on an
implied patent grant.

For example, it's considered unclear enough that the ClearBSD license was
explicitly created to clarify that it doesn't offer patent grants -
[http://directory.fsf.org/wiki/License:ClearBSD](http://directory.fsf.org/wiki/License:ClearBSD)

Even more damning:

 _In the absence of an explicit patent grant, but considering the word use in
the license, can we assume that the BSD license impliedly grants enough of
whatever patent rights the University of California then owned that a
licensee may use the software as it was originally distributed by the
University? Most licensees under the BSD assume it does on the theory that
otherwise the copyright license would be of no value. What good, they say,
is software that can be copied but not used?

Such a conclusion is not based on the law of licenses. Indeed, a bare license
of copyright need not include a bare license of patent at all. It is only if
the BSD is viewed as a contract that we can introduce contract law principles
such as reliance or reasonable expectations of the parties. If software is
licensed under the BSD without forming a contract between licensor and
licensee, the extent of any patent grant is at best ambiguous.

As to whether an implied grant of patent rights extends to versions of the
software with modifications, that’s an even more complicated question. The BSD
license is silent about a patent license for derivative works. So if a
licensee improves the original Berkeley Software Distribution in a way that
infringes a patent owned by the University of California, there is no easy way
of knowing whether an implied BSD patent license includes a patent license for
that improvement.

Since courts are likely to construe implied grants of license narrowly, a
licensee should consider obtaining separately from the licensor an explicit
grant of patent rights that might be needed for modified versions of
BSD-licensed software._

    
    
      http://rosenlaw.com/wp-content/uploads/Academic-Licenses.pdf

~~~
DannyBee
"I'm not sure it is, and I'd argue the situation is unclear."

I wouldn't. What you've quoted is Larry Rosen's view. Larry is a wonderful
guy, but his views are pretty far outside the norm for open source lawyers.

To start "If software is licensed under the BSD without forming a contract
between licensor and licensee, the extent of any patent grant is at best
ambiguous."

This is now settled since he wrote this. It is in fact a contract, that, if
breached, leaves the licensor without a copyright license (causing both
infringement of copyright and breach of contract).

So you don't have to worry about this.

The latter is a real issue, but one that most explicit grants don't solve
either.

In particular, apache/et al have explicit grants do _not_ cover modifications
by others that suddenly encompass patents.

So you aren't any better off there either :)

------
pretaliationc
Pardon my ignorance, but isn't this just equivalent to Apache's patent
retaliation clause?[0][1]

[0]
[http://en.swpat.org/wiki/Patent_clauses_in_software_licences...](http://en.swpat.org/wiki/Patent_clauses_in_software_licences#Apache_License_2.0)

[1]
[http://en.wikipedia.org/wiki/Software_patents_and_free_softw...](http://en.wikipedia.org/wiki/Software_patents_and_free_software#Patent_retaliation)

~~~
richardfontana
The events that trigger Apache License 2.0 patent termination are much
narrower: "If You institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work or a
Contribution incorporated within the Work constitutes direct or contributory
patent infringement, then any patent licenses granted to You under this
License for that Work shall terminate as of the date such litigation is
filed."

~~~
spacemanmatt
Yeah, Apache is a little more giving in actual terms, but it's a similar deal.

------
ramchip
Discussion:
[https://news.ycombinator.com/item?id=8985541](https://news.ycombinator.com/item?id=8985541)

~~~
nostrademons
Also here, which IMHO is more informative:

[https://news.ycombinator.com/item?id=8901357](https://news.ycombinator.com/item?id=8901357)

~~~
stupidcar
Yeah, this discussion points out an important point that it's easy to miss if
you scan Facebook's patent grant: The license Facebook grants you is
invalidated by _any action_ that even alleges that _any_ of Facebook's patents
is invalid.

E.g. if you so much as Tweet that one of Facebook's patents, even one entirely
unrelated to React, is invalid, you've lost your license.

Compare this with the patent grant in the Apache license, as used in a library
like Angular:
[https://github.com/angular/angular/blob/master/LICENSE](https://github.com/angular/angular/blob/master/LICENSE)

Here the license is only terminated in the event that you institute litigation
alleging patent infringement by the software itself. You're still free to
challenge shitty patents and call out companies about them. Not so with
Facebook's license.

~~~
fncypants
No. In context it refers to "filing any ... action." Lawsuits and similar
procedures in other legal forums are often called actions. Think the movie
called A Civil Action starring John Travolta about a civil lawsuit. The concern
here is not how it is triggered (it must be by a lawsuit or something similar)
but rather the balance of power it provides if you get into a war with
Facebook, since you cannot undo having used their software.

~~~
nostrademons
In DannyBee's original post, he says that the key words there are "for anyone
that makes any claim (including by filing any lawsuit, assertion or other
action)", and that by including the words for "assertion or other action", it
encompasses claims outside of a court of law. A post on Hacker News or a tweet
on Twitter is an assertion, and so would fall under this. Otherwise why
include that language?

IANAL, but he is, and this is his area of expertise (IIRC he runs the open-
source program for Google).

------
DougBTX
IANAL, but shouldn't you be more concerned about open source projects which
_don't_ grant you patent rights required to use the software?

~~~
pbhjpbhj
Do [m|]any open source projects hold patents?

------
matthewmacleod
Of course it is – you've got this back to front. The grant of additional
rights to use any patent Facebook may hold is an additional benefit and in no
way places any restriction on you.

If you're going to worry about anything, worry about the squillions of
open-source projects that _don't_ include any patent grants. But you probably
shouldn't worry about that either.

~~~
vertex-four
Most open-source projects' owners and contributors don't have any patents to
enforce, thus can't grant anything. The rest tend to be less chilling than the
clause that Facebook uses - there's no "we'll only grant you this if you
promise never to mention that any of our patents might be invalid".

Are you certain that Facebook doesn't have any patents that cover any of its
open-source software?

------
mobiplayer
The best way to stay safe from software patents is to not enter the US market,
if you can afford that :)

------
bencollier49
Hmm, interesting. The grant of rights looks as though it's designed to build a
defense against patent claims against Facebook. Get everyone using their
stuff, and anyone who does will find it quite difficult to challenge Facebook
patents.

------
rurban
It is safer than using SW without those "Additional Grant of Patent Rights".
They explicitly state that you can use it, others didn't make the effort to
check for patents, or simply can screw you later.

------
powatom
IANAL, but does this just mean that you can use and amend _their work_, but
you can't create the same basic thing from scratch and claim that you created
it?

------
anonbanker
other than a) (ii) of that PATENTS file, it's way better than I thought it
would be. Unless I'm reading it wrong, I'm losing my right to use the package
if I publicly state that someone is misusing Facebook's software.

------
dutchbrit
It all boils down to the license - open source means jack all.

