Hacker News new | comments | show | ask | jobs | submit login
Ask HN: Is it safe to use Facebook's open source projects?
160 points by kfei 852 days ago | hide | past | web | 54 comments | favorite
There is a PATENTS file in almost all Facebook's open source projects with statements on "Additional Grant of Patent Rights".

E.g., React (https://github.com/facebook/react/blob/master/PATENTS)

Why Facebook adds this declaration on top of the BSD license of the software? Is it safe to use those projects in my commercial project?




There is no way to be safe from patents. Anyone could have them, they don't have to declare them, and they're written in deliberately obtuse ways so that you have no way of finding relevant patents before you're sued for infringing them (you don't have to have copied, or even be aware of, any patented thing to violate a patent). It's just a hazard of the software industry.

The BSD license says nothing about patents, so this project is in some sense safer than a "normal" BSD-licensed project (but not an Apache, EPL or GPLv3-licensed project). The grant Facebook is giving you is fairly minimal but that's understandable from their perspective: they don't want to give you any extra patent rights, just enough to use the stuff they're actually trying to release.

It's not safe to use software in a commercial project. Facebook might hold patents on any random library you're using. Companies that aren't Facebook might hold patents on any random library or on React. You could develop a library in-house in a clean room and it could still infringe someone else's patent. Patents really suck that way. But React is in no more danger than any other code you might use.

EDIT: no more danger than any other BSD-licensed code. It would be safer to use code that has a less revocable patent grant, such as that in the Apache License, EPL, or GPLv3.


"The BSD license says nothing about patents, so this project is in some sense safer than a "normal" BSD-licensed project (but not an Apache, EPL or GPLv3-licensed project). "

As I've mentioned in another common, this is both false and a common misunderstanding, because most engineers are not familiar with implied patent licenses.

BSD normally carries one. So you do in fact, get a implied grant. By doing this you don't, you only get the explicit grant. The implied grant is normally not revokable unless the underlying BSD terms are violated, whereas the explicit grant is revokable for other reasons.

The reason people use explicit patent grants is to avoid getting into some unsettled law. Particularly, the sublicensability of implied patent licenses is not clear. The TL;DR of this is "the answer is clear if you get the software directly from person owning the patents. If you get it through someone else, like say, a linux distribution, it's not clear what happens". The related doctrine of "patent exhaustion" that plays into this is also not settled, and currently the subject of a Supreme Court cert petition by Cisco.


FYI my favorite patent ever is from Facebook:

"A social networking system user may associate an emoji representing the user's emotional reaction with a content item presented by the social networking system. The user is presented with one or more emoji maintained by the social networking system and selects an emoji for associating with the content item."

[1] http://www.google.com.ar/patents/US8918339

That's right folks, they patented using the emoji to respond to content.


Actually, if you RTFClaims (which is the first thing you should read), they patented asking for payment for using emoji to respond to content. Which is ridiculous from a business perspective as well.


What is ridiculous about it? LINE is earning millions of dollars from exactly that.

On the other hand, I think the patent is invalid because LINE predates this like a year or so.


Food for thought. For reasons that SixSigma brought up in another comment, both you and your employer have just lost your rights to the patent grant that would let you safely use Facebook's open source contributions.

That's pretty bad.


I think the word 'claim' is used a little ambiguously, but given how it is used in the rest of the patent declaration, I don't think the intent of Facebook is to stop you from saying anything about infringement, rather it is to stop you from filing a claim in court or with the patent office.


Don't worry about intent, worry about what they actually say. They have smart lawyers, and wouldn't say it if they didn't mean it.

They say you lose the license if you make a claim "...that any right in any patent claim of Facebook is invalid or unenforceable." They also helpfully indicate what a claim means, and making an assertion counts.

Now why would they do this? My guess is that they wanted to have a legal tool that they could use to provide a chilling effect on any third parties who might volunteer information that is useful to someone filing a lawsuit against them. Which, if you are a lawyer, might seem like a good response to the demonstrated ability of groups like groklaw to crowdsource legal research. And if they were in such a lawsuit, that comment is exactly what Facebook would not want to see.

But there is no need to speculate. Their patent grant is quite clear, and the comment I pointed at is in violation.


Wow, I did not imagine people would pay for emoji. I stand corrected.


As I understand it, you're better off not looking for relevant patents so that you can claim accidental infringement rather than wilful infringement


Only if your company would survive half-damages and not survive full-damages, or probably a more complex weighted calculation. Doesn't seem too likely, especially if looking can help you do trivial workarounds to avoid infringing at all.


It would be nice to find and share if React infringes any of the patents.


"You could develop a library in-house in a clean room and it could still infringe someone else's patent."

IANAL, but, it is my understanding that if that's the case the patent wouldn't hold up to the novel requirement.


It all depends on how the court sees it.

See "Carmack's Reverse" - where John Carmack independently developed an acceleration for robust stencil shadows, documented his discovery and then had to capitulate to Creative Labs who owned a patent on the algorithm from a few months earlier.


Novelty at the time, perhaps? You might be thinking of "non-obvious" but just because two people invented something doesn't make it obvious. More importantly, though, once the patent is granted it doesn't matter, you're in violation. That it shouldn't have been granted in the first place is a separate issue, and one that almost nobody is going to spend the time and money on to sue for a change.


Patents are granted on who files for the patent first. The invention protected must be non-obvious to the notional skilled practitioner in the relevant arts and should never have been disclosed in public before (novelty).


You're thinking of reverse engineering.


>Anyone could have them, they don't have to declare them, and they're written in deliberately obtuse ways so that you have no way of finding relevant patents before you're sued for infringing them (you don't have to have copied, or even be aware of, any patented thing to violate a patent).

Not "anyone" could have them only people who have their details registered as patentees at the relevant patent office, eg USPTO or WIPO.

Patent claims are written in a legal way as they define the monopoly the patent protects, it's necessary not to use normal language as they must at once be legally precise and also define as broad a field to serve the patentee. Claims are drafted by, or for, the patentee.

The patent description must, in order to comply with the relevant laws, disclose the invention in a way that makes it possible for a skilled worker in the art to repeat the invention. If it does not the application should fail. Patent description must include at least one concrete implementation of the invention but the invention itself can cover many different implementations. The description needs to support the breadth of the claims.

Yes, practically - especially in the USA in the past - so-called submarine patents could surface out of the depths. If you're working in an area of technology you should be using patents both to advance your knowledge of the market and to ensure you're not in breech of other's IPR.

Your parenthetical remarks are entirely correct however.

Patent infringement isn't just a hazard of the software industry it's a part of how all technological industries work in countries that use patents (nearly all countries [may be all established ones?]).


No. The license has a chilling clause that says if you ever suggest that any Facebook patent might be invalid, your license to use their code is automatically revoked.

And in corporate world, that means any comment of any of your employees in an official capacity.

Edit downvotes, well maybe the text of the clause will help

> The license granted hereunder will terminate, automatically and without notice, for anyone that makes any claim ... by ... assertion or other action ... alleging .. that any right in any patent claim of Facebook is invalid or unenforceable.

> https://github.com/facebook/fbcunn/blob/master/PATENTS


…if you ever suggest that any Facebook patent might be invalid, your license to use their code is automatically revoked.

This is not correct — your license to use any patent of Facebook's that covers the software is revoked. You are still not infringing copyright on the software by using it, but you will no longer be protected by Facebook's patent grant, which is in addition to your license to use the software.

This is a boilerplate patent grant, and it doesn't mean that Facebook holds any patents on e.g. React.

To be clear, this parent grant is in addition to your license to use the software and as a result does not restrict your freedom in any way, versus the license not being granted at all.


While it's true that you only lose your license to the patents, not the code, I don't see how you can argue the grant isn't a restriction of your freedom? Surely any license whose conferred rights are predicated on the recipient not being able to take particular actions, up to and including saying particular things, must be considered to be restricting freedoms, even if those restrictions are in exchange for other freedoms granted?

Of course, all free software licenses involve some exchange of freedoms: You give up your ability to publish closed-source modifications of the software in exchange for being able to use and modify it at all. The question is whether the freedoms you are asked to give up are reasonable in exchange for what you gain. A patent grant that restricts your freedom to launch patent infringement litigation against other users of the software seem reasonable to me. Whereas a grant that is invalidated simply by alleging, through any action, that any of the original author's patents are invalid, does not.


Are you saying that they could not come after you for simply using React (even if you were to dispute the relevant patents in court), or just that there is no evidence that they could?


Facebook cannot 'come after you' for using React if you have not accused them of patent infringement.

They can 'come after you' iff you have accused them of that, and you are using their software in such a way that a parent of theirs is violated.

It's pretty straightforward:

- Facebook has released some open source software. In the case of React, it's under the BSD license.

- You can use this software however you want, in accordance with the license.

- In addition to granting you a license to use the software, Facebook has granted you a license to any patents they own that cover the software.

- There is no enumeration or claim that any patents do cover the software.

- Your license to use any hypothetical patent that does cover the software will be revoked if you make a claim—legal or otherwise—that Facebook has infringed any patent.

- At that point, you will no longer have a license to use any patent that covers the software.

- If you are subsequently using the software in a way that infringes one of their patents, Facebook would legitimately be able to claim patent infringement.


So if you ever need to sue Facebook for patent infringement - you'll still be able to use React/React Native once they release it?


Thanks for sharing this. It brings up some interesting questions. Does this mean React cannot be used by European government agencies since they claim (via law) that patents are not enforcable?

What if I merely live in the EU and thus implicitly agree to the laws in Europw. Does that fall under "other action" or would I have to explicitly state that I think their patents are not enforceable.

What if I have actively participated in the anti software patents movement? Do I have to single out specific Facebook patents for this clause to trigger or is it enough that they are caught in the general umbrella?

Edit: I'm assuming this is found on all the stuff they release and not just fbcunn? At least it's also true for react: https://github.com/facebook/react/blob/master/PATENTS


> What if I merely live in the EU and thus implicitly agree to the laws in Europw. Does that fall under "other action" or would I have to explicitly state that I think their patents are not enforceable.

It doesn't matter. If their patents aren't valid where you live, you don't need their patent grant.


If I live where I do and thus could be said to agree with the fact that their patents cannot be enforced here it still matters if I want to use it for software that is used elsewhere.

The way I read it I could be constructed as claiming their patents are not enforcable here and thus the grant would be revoked in countries where I'd need it (not here).


So... I think Facebook has at least one unenforceable patent in my country.

There, I may no longer use their code :D


Who is downvoting this? Could you comment and explain why?


Was probably because I asserted it without citation.


Facebook is granting you additional rights on top of the BSD license. In the worst case, where you do something that causes the patent rights to be revoked, you're still left with the same rights you have under the BSD license.

This is unambiguously safer to use than if they had released it under a vanilla BSD license. As for why Facebook did this, they're most likely trying to give away additional rights while still maintaining the ability to use these patents defensively, in the event someone sues them for infringing a different patent.

It's ironic that people are freaking out about this. If anything, we should be encouraging more companies to give away patent rights. Sure, it's not as broad as the Apache license, but it's a lot better than the default (nothing), and given some of the ridiculous patent lawsuits that have been brought against Facebook, Google, and others, I can understand why they'd want to avoid restricting their ability to use their patents defensively.


"Facebook is granting you additional rights on top of the BSD license. In the worst case, where you do something that causes the patent rights to be revoked, you're still left with the same rights you have under the BSD license. This is unambiguously safer to use than if they had released it under a vanilla BSD license. As for why Facebook did this, they're most likely trying to give away additional rights while still maintaining the ability to use these patents defensively, in the event someone sues them for infringing a different patent. "

This is 100% totally and completely wrong :)

The BSD license normally includes an implied patent license.

It says " Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met .. "

This grants an implied patent license to the patents necessary to actually do this, as long as you meet the restrictions.

This is actually well settled law. You don't get to give people stuff unrestricted, and say "you can use this for free", and then say "just kidding, what i meant was, you can use this for free as long as you pay me for the patents"

However, when you do what facebook has done, and give an explicit license, you have overwritten the terms of that implied license, and you get no implied license.

So it is not only "not unambiguously safer", you are not "left with the same rights you had under the bsd license if it is revoked".

This is because if you revoke the explicit grant, you get nothing in terms of patents. But the implicit grant is not revokable unless you violate the copyright license.

So sorry, but this is not "better than the default" and does not in fact, help you.


This is actually well settled law.

I'm not sure it is, and I'd argue the situation is unclear. I'd be keen to see any examples though – it would be awesome if there was something to fall back on.

All I can find is evidence that it would be at best very risky to rely on an implied patent grant.

For example, it's considered unclear enough that the ClearBSD license was explicitly created to clarify that it doesn't offer patent grants - http://directory.fsf.org/wiki/License:ClearBSD

Even more damning:

In the absence of an explicit patent grant, but considering the word use in the license, can we assume that the BSD license impliedly grants enough of whatever patent rights the Univer- sity of California then owned that a licensee may use the soft- ware as it was originally distributed by the University? Most licensees under the BSD assume it does on the theory that oth- erwise the copyright license would be of no value. What good, they say, is software that can be copied but not used?

Such a conclusion is not based on the law of licenses. Indeed, a bare license of copyright need not include a bare license of patent at all. It is only if the BSD is viewed as a contract that we can introduce contract law principles such as reliance or reasonable expectations of the parties. If software is licensed under the BSD without forming a contract between licensor and licensee, the extent of any patent grant is at best ambiguous.

As to whether an implied grant of patent rights extends to versions of the software with modifications, that’s an even more complicated question. The BSD license is silent about a patent license for derivative works. So if a licensee improves the origi- nal Berkeley Software Distribution in a way that infringes a patent owned by the University of California, there is no easy way of knowing whether an implied BSD patent license includes a patent license for that improvement.

Since courts are likely to construe implied grants of license narrowly, a licensee should consider obtaining separately from the licensor an explicit grant of patent rights that might be needed for modified versions of BSD-licensed software.

  http://rosenlaw.com/wp-content/uploads/Academic-Licenses.pdf


""I'm not sure it is, and I'd argue the situation is unclear."

I wouldn't. What you've quoted is Larry Rosen's view. Larry is a wonderful guy, but his views are pretty far outside the norm for open source lawyers.

To start "If software is licensed under the BSD without forming a contract between licensor and licensee, the extent of any patent grant is at best ambiguous."

This is now settled since he wrote this. It is in fact a contract, that, if breached, leaves the licensor without a copyright license (causing both infringement of copyright and breach of contract).

So you don't have to worry about this.

The latter is a real issue, but one that most explicit grants don't solve either.

In particular, apache/et al have explicit grants do not cover modifications by others that suddenly encompass patents.

So you aren't any better off there either :)


Sorry to jump in here - I can't see how to connect with you otherwise. Is React and future React Native not safe to use then? In my mind Facebook could eventually try to enforce, ask for money or other, for patents they hold against you - and if you try to fight them then you'll lose the ability to use this software? That seems horrific to me and something I'm surprised the development community isn't up in arms over.


Pardon my ignorance, but isn't this just equivalent to Apache's patent retaliation clause?[0][1]

[0] http://en.swpat.org/wiki/Patent_clauses_in_software_licences...

[1] http://en.wikipedia.org/wiki/Software_patents_and_free_softw...


The events that trigger Apache License 2.0 patent termination are much narrower: "If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed."


Yeah, Apache is a little more giving in actual terms, but it's a similar deal.



Also here, which IMHO is more informative:

https://news.ycombinator.com/item?id=8901357


Yeah, this discussion points out an important point that it's easy to miss if you scan Facebook's patent grant: The license Facebook grants you is invalidated by any action that even alleges that any of Facebook's patents is invalid.

E.g. if you so much as Tweet that one of Facebook's patents, even one entirely unrelated to React, is invalid, you've lost your license.

Compare this with the patent grant in the Apache license, as used in a library like Angular: https://github.com/angular/angular/blob/master/LICENSE

Here the license is only terminated in the event that you institute litigation alleging patent infringement by the software itself. You're still free to challenge shitty patents and call out companies about them. Not so with Facebook's license.


This is an interesting thing (to me!).

Can you give a license that says, words to the effect, that if one accuses you of a crime then the license is revoked? This would make licenses beholden to not report the licensor for criminal activities.

IPR infringements tend to be torts, which is different, but I'm still interested in how far you can push license terms before something in the law, USC here presumably, pushes back and says "woah, you can't do that".

Anyone?


No. In context it refers to "filing any ... action." Lawsuits and similar procedures in other legal forums are often called actions. Think the movie called A Civil Action staring John Travolta about a civil lawsuit. The concern here is not how it is triggered (it must be by a lawsuit or something similar) but rather the balance of power it provides if you get into a war with Facebook, since you cannot undo having used their software.


In DannyBee's original post, he says that the key words there are "for anyone that makes any claim (including by filing any lawsuit, assertion or other action)", and that by including the words for "assertion or other action", it encompasses claims outside of a court of law. A post on Hacker News or a tweet on Twitter is an assertion, and so would fall under this. Otherwise why include that language?

IANAL, but he is, and this is his area of expertise (IIRC he runs the open-source program for Google).


IANAL, but shouldn't you be more concerned about open source projects which don't grant you patent rights required to use the software?


Do [m|]any open source projects hold patents?


Of course it is – you've got this back to front. The grant of additional rights to use any patent Facebook may hold is an additional benefit and in no way places any restriction on you.

If you're going to worry about anything, worry about the squillions of open-source projects that don't include any patent grants. But you probably shouldn't worry about that either.


Most open-source projects' owners and contributors don't have any patents to enforce, thus can't grant anything. The rest tend to be less chilling than the clause that Facebook uses - there's no "we'll only grant you this if you promise never to mention that any of our patents might be invalid".

Are you certain that Facebook doesn't have any patents that cover any of its open-source software?


The best way to stay safe from software patents is to not enter the US market, if you can afford that :)


Hmm, interesting. The grant of rights looks as though it's designed to build a defense against patent claims against Facebook. Get everyone using their stuff, and anyone who does will find it quite difficult to challenge Facebook patents.


It is safer than using SW without those "Additional Grant of Patent Rights". They explictly state that you can use it, other didn't make the effort to check for patents, or simply can screw you later.


IANAL, but does this just mean that you can use and amend their work, but you can't create the same basic thing from scratch and claim that you created it?


other than a) (ii) of that PATENTS file, it's way better than I thought it would be. Unless I'm reading it wrong, I'm losing my right to use the package if I publicly state that someone is misusing Facebook's software.


It all boils down to the license - open source means jack all.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: