Thirty-five days after publicly stating, in response to objections from the Apache Software Foundation among others, that the company would not be re-licensing its React library, Facebook on Friday announced that it was re-licensing its React library. It was a surprising but welcome reversal for many in the industry, including Automattic’s Matt Mullenweg.
Ten days ago, Mullenweg published a piece that was at once understanding and blunt announcing that React would be excised from WordPress related projects. The problem was not Automattic – their general counsel saw little problem with the license – but given the breadth of WordPress’ distribution, the decision was made to remove the software because of the uncertainties surrounding its license. As bad as it was being banished from Apache Software Foundation projects, this was worse. Depending on whose numbers you use, WordPress can account for something close to one in four websites.
Given such extensive and escalating costs, the burden of proving the offsetting benefits to a patent clause required by virtually no one else in the industry presumably became too great, at which point the only rational decision would be to re-license the asset – difficult as such backtracking may have been.
That React was re-licensed isn’t, in a vaccuum, particularly notable. Absent the patent provisions that were the cause of the complaints, the BSD portion of the license Facebook used is both well understood and permissive. The more interesting questions are one, why Facebook initially believed that this was a hill they wanted to die on, and two, why was MIT the new choice.
It’s difficult to answer the former question, because Facebook’s external communication on the subject of licensing has been limited. It’s impossible to know for sure, but it’s worth asking whether the timeline here was impacted in any way by James Pearce’s March departure from the open source team at Facebook – or not, as he was the one who announced the version in question.
Whether it was or was not, the primary issue at stake here is patents. Patent clauses in open source licenses are nothing new, but Facebook’s provisions were slightly more extensive. The primary difference between Facebook’s license and others, such as the Apache license, lies in its scope.
Here’s the relevant limitation from the Apache Software License:
If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
In layman’s terms, this means that the Apache software provisions are limited to the scope of the licensed asset. A suit, in other words, about patent infringements from the asset in question results in any patent licenses for that asset being terminated. Anything done outside of the scope of the licensed asset has no impact on the rights granted by the license. This is what’s known as a “Weak” patent retaliation cause.
Here is Facebook’s clause, taken from the “Additional Grant of Patent Rights Version 2.”
The license granted hereunder will terminate, automatically and without notice, if you (or any of your subsidiaries, corporate affiliates or agents) initiate directly or indirectly, or take a direct financial interest in, any Patent Assertion: (i) against Facebook or any of its subsidiaries or corporate affiliates, (ii) against any party if such Patent Assertion arises in whole or in part from any software, technology, product or service of Facebook or any of its subsidiaries or corporate affiliates, or (iii) against any party relating to the Software.
On the one hand, as Heather Meeker points out, the rights terminated by this license are, as with the Apache license, narrower than in the MPL or the GPLv3. But on the other, as the text above suggests, the threshold for triggering this is far lower. No longer is the trigger limited to the work itself, but instead is expanded to any patent claim made against Facebook or its subsidiaries. In contrast to the Apache license, then, this is what’s known as “Strong” patent retaliation clauses.
In practical terms, the difference is simple. Under an Apache license, an organization with a patent claim outside of React could sue Facebook and its rights to that project would remain unchanged. Under the BSD with the above patents clause, any suit – whether within or outside of React – would trigger the termination of patent rights granted by the license.
The Facebook BSD + Patents license, then, is similar to alternatives like Apache in its actual protections, they are just much more easily triggered.
But what does this actually mean for React users? Many, including IP patent attorney Dennis Walsh, argue the answer is: very little.
- First, it’s important to notice that even if the patent protections are triggered, it doesn’t terminate your license to the software granted to you by the BSD – that persists.
-
Second, the most likely to be impacted by the license aren’t the thousands of startups using React, but in the words of Automattic’s general counsel Paul Sieminski “companies that have large patent portfolios, and engage in offensive patent litigation (esp against FB).”
-
Third, as Walsh argues, the argument that large acquirers will not pursue smaller React users because of the implications of this license has already been proven false.
-
Fourth, as Meeker observes, Facebook’s approach here – while decidedly not the standard today – is not new. The grant itself is four years old, and licenses such as the Common Public License have taken similar approaches in the past.
Here’s the problem with the interpretation that this doesn’t have teeth, however: it took incredible pressure on Facebook to relicense the React asset.
In general, behavior is the most reliable signal of intent. If this didn’t have broader implications than the more narrow protections of the Apache license, why was this a major issue? The fact that Facebook was willing to relicense RocksDB initially but not React suggests that the enormous delta in their usage may be a significant factor in the decision. While popular in its own right, RocksDB is a specialized piece of software while React is a wildly popular front-end library that via projects such as WordPress had and would continue to have an enormous footprint on the web.
What difference does that footprint make? Consider the implications of the license discussed above in the context of React’s near ubiquity. The combination of an enormously popular project with more easily triggered patent protections is, in and of itself, a potential asset for Facebook. Licenses such as Apache protect only the asset they govern. BSD + Patents’ wider scope would make it at least questionable for hundreds if not thousands of organizations to sue Facebook for any reason, not just around a particular piece of software.
Which the cynical among us will no doubt attribute to a Machiavellian scheme on the part of Facebook; seed the community with a standard license in the BSD with an extra provision whose implications are not fully understood or vetted, the combination of which means that swaths of organizations are discouraged from a litigation perspective unless they’re willing to bear the cost for re-writes. An explanation which is possible, of course.
There’s another potential explanation, however, which is that if this licensing approach had been embraced at scale, it could result in a world in which it would be less practical for many organizations to resort to litigation.
Whatever the internal justification on the company’s part, like the Common Public License 1.0 before it, Facebook’s unique and overbroad patent approach appears destined for deprecation.
Which brings us back to the second question: why is React being relicensed under MIT as opposed to a license with an explicit, if more limited, patent grant such as Apache? The simplest explanation may be popularity; according to a number of repositories, including Black Duck and GitHub, the MIT license has become the most popular open source license in the world.
Another explanation may be that if it cannot accomplish its specific goals with respect to patents, whatever they might be, it sees little benefit to the more limited protections offered by Apache, in which case the MIT’s sheer popularity could tip the scales.
The problem is that by choosing this approach, Facebook does not convey with the MIT license any patent grants as they would have under the Apache. If Facebook has patents that read on React, in other words, users of that software are not given an explicit license to them via MIT, only an untested implicit license.
Which means that Facebook has effectively resolved one patent issue by introducing a second.
In any event, it is to Facebook’s credit that – whether pressured by external communities or no – they were willing to make this change based on external feedback. And as for members of various communities who have excoriated the company for its initial refusal, it’s useful to remember that Facebook was in this situation in the first place because it chose to make software that it wrote internally – software whose popularity is suggestive of its quality – available as open source software. So while it’s certainly reasonable to disagree with the company’s approach here, it’s important to remember that those would wish to see more open source software in the world should take care to encourage, rather than discourage, its release.
As Chris Aniszczyk has said, open source would be a lot more fun if we could assume good intentions. Unfortunately, when it comes to software, nothing is more antithetical to fun than patents.