With open source circles barely having had a second to catch their breath after learning that building Web apps with React.js could put developers at risk of running afoul of Facebook’s licensing terms (Facebook controls the patent to React), various legal experts are apparently wondering which of Facebook’s other inventions might be too hot a legal potato for anyone to touch. Perhaps we shouldn’t be surprised to learn that Facebook’s GraphQL — an up-and-coming alternative to the RESTful HTTP approach for making API calls — is also legally problematic.
Editor's Update (9/22/2017): One day after this report was published, Facebook capitulated to the developer community and switched the license to React from BSD+Patents to the MIT open source license. No update on GraphQL yet.
(10/11/2017) The license for GraphQL was eventually updated to use the OWFa 1.0 license. However, some questions linger about whether that license is still too restrictive.
Earlier this year, after the Apache Software Foundation banned the inclusion of React from any of the Foundation’s projects due to concerns over Facebook’s BSD+patents license, the open source community was thrust into a major controversy that has yet to fully resolve itself. Over on FOSSA.io, Heather Meeker made her case for why developers should not overreact (pun intended, we think).
But then, the nearly unthinkable happened. Last week, Matt Mullenweg, the founder of WordPress, notified his community that even though React was the basis for the ground-up rewrite of WordPress (Calypso) as well as the basis of the Gutenberg project, he had decided that the only choice was to rip React out of both. Noting that Automattic, the commercial arm of WordPress, had not yet found a React replacement for Gutenberg, Mullenweg wrote, “Automattic will also use whatever we choose for Gutenberg to rewrite Calypso.”
And now, while that controversy is still red hot, comes news that Facebook patent issues might similarly complicate adoption of GraphQL. GraphQL is one of two relatively new API technologies (the other is Google’s gRPC) that many API designers have been studying for potential use in their API endpoints. Enough so that ProgrammableWeb has adjusted the data model behind its API directory to accommodate a newer crop of APIs that are based on them.
While Facebook undoubtedly uses GraphQL for its own applications (i.e., the Facebook mobile apps), the company’s public APIs are still HTTP-based. Facebook does not offer any GraphQL endpoints for third-party developer consumption. But other API providers do. For example, one year ago, GitHub launched a GraphQL endpoint for its service (but the company did not shut down its HTTP endpoint). Since then, others, most notably Yelp, have followed suit.
However, over on Medium.com, Dennis Walsh, who is both a developer and an attorney, has pointed out that anyone deploying GraphQL technology is actually in a bit of legal limbo because Facebook’s patent on the technology is still pending and the company has offered nothing in the way of a patent grant to anyone using the tech. In other words, if you’re using GraphQL, then you have to assume that you’re also infringing on Facebook’s patent. Walsh also notes that Facebook’s Lee Byron (the actual inventor of GraphQL) has chimed in to say that he’s working to get the situation resolved. According to a post made to that GitHub thread by Byron today, “Resolving this is still my top priority and I'm working to a conclusion with our legal team. I understand patience is hard to ask for when your company's legal counsel may be asking questions or making demands from you, and that open source licenses and patents are frustrating topics to operate around as an engineer… I expect to have more updates soon, thanks for caring about this issue and granting me a bit of your patience.”
Hopefully, he will be effective at making his case to the general counsel’s office at Facebook. However, judging by the pressure that was brought to bear on the company over the React flap and the way the company has publicly refused to budge, Facebook’s lawyers may have a different view of things (and, at most big companies, unless the CEO steps in, the lawyers typically win).
It should be noted that GraphQL is a specification. Technically speaking, you don’t need to take possession of any particular Facebook technology in order to deploy GraphQL. Your code, known in legal terms as an “implementation,” just needs to conform to the spec. But if there’s a patent on a specification, then your implementation of that spec is said in legal terms to “read” on the patent. And if your implementation reads on a patent without a license, then you are technically infringing on the patent and could be subject to legal action by the patent holder. Unsure of how the situation is going to resolve itself, one company, GitLab, has already frozen development on its GraphQL project.
So, what are the risks if you continue to move forward with a GraphQL project? As long as you don’t have a patent grant to use the technology, Facebook could have a range of claims against you that, worst case scenario, could result in the sort of financial damages that could put a company out of business. For example, if some new startup rockets to financial success while infringing on a patent the whole way, the patent holder could claim it is entitled to all of that success. All of it.
Finally, this isn’t the first time in the API world that such an issue has come up. It is quite reminiscent of the days when Microsoft and IBM were initially reserving their patent rights when it came to Web services specifications like SOAP, WSDL, and UDDI — an equally risky situation that I also covered back in 2002 as executive editor at ZDNet.