Hacker News new | past | comments | ask | show | jobs | submit login
Beware the IP non-assert clause in AWS cloud service agreement (iam-media.com)
129 points by kalu on July 13, 2015 | hide | past | favorite | 59 comments



I'm not a lawyer, but my take on the clause is simple: one can't sue Amazon for IP related to the service AWS is providing. E.g., I couldn't use S3, but then try to hit Amazon with a file-like key-value-store patent. I think I'd still be free to hit Amazon with a web-based online-shopping patent though, since I'm not buying that service from them.

Edit: argh, I wish HN would accept underscores for italics.


What if your IP is the copyright on some open source software and amazon is violating the licence? The clause would prevent you from enforcing the licence if you find out through using AWS that they violate it.


Question for legal-minded readers: can this be worked around by having someone else, a non-AWS-user, enforce the license/copyright on one's behalf? Or perhaps simply terminating use of AWS and proceeding to then enforce the claim?


"During and after the Term, you will not assert, nor will you authorize, assist, or encourage any third party to assert, against us ... any patent infringement or other intellectual property infringement claim regarding any Service Offerings you have used"

It would appear that you cannot have someone else enforce this on your behalf.


The article already clearly covers your second case:

  > First is the duration – the provision seems to apply even
  > after a customer stops using AWS.
In fact, the text of the agreement states "During and after the Term...".


The scope is much broader than that, actually.

The scope would cover any software they use to provide these services.


>> Edit: argh, I wish HN would accept underscores for italics.

Try asterisks around it instead.


Seems the court decided Appistry Inc's patent was invalid. So we'll have to wait for another test case to see how enforceable this is. https://docs.justia.com/cases/federal/district-courts/washin...


While the warning appears to be well intentioned and the paranoia understandable to me, I didn't quite understand this bit:

  > Lastly, it’s well known that AWS utilises and hosts a wide range of open
  > source code which could include viral OSS licences that might further
  > extend the reach of the IP non-assert in unforeseen and unpredictable ways.
Could someone who understood explain this ? Is that last bit just FUD ? If it is, then is the entire article FUD ?


The license includes a provision that restricts users from asserting their patent rights against AWS licensors. When AWS uses an open source project, the project becomes an AWS licensor. The author's concern may be that the provision could extend to the contirbutors... or employers of the contributors... and so on.

This is not just FUD:

> Amazon is using the provision to defend itself in a patent infringement case brought by Appistry Inc in US district court in Seattle.


The entire article is FUD – the license is rather clear in indicating that as a condition of using AWS you promise not to bring IP lawsuits against Amazon, the duration bit is only too long if you don't read that clause all the way to the end, etc.

This is easily explained by the attribution:

“Bart Eppenauer, former chief patent counsel at Microsoft and now managing partner of law firm Shook Hardy & Bacon’s Seattle office”

A quick search leads to http://www.shb.com/news/2013/11/shook-to-open-seattle-office... which suggests that their Seattle office was founded to expand their IP practice:

“Eppenauer has served as chief patent counsel at Microsoft Corp. in Redmond, Wash., since 2003. In that role, he led the Patent Group in the Legal and Corporate Affairs Department, where he developed Microsoft’s patent portfolio of over 35,000 issued patents worldwide and managed a team of more than 100 patent professionals offering patent counseling and product development support across all of Microsoft’s business and research divisions. With extensive experience in complex, multilateral IP transactions and license agreements, Eppenauer has also worked closely with government and judicial officials, academics, and industry leaders worldwide on IP policy issues, in addition to participating in the recent passage of major U.S. patent reform legislation.”

So we have an attorney leaving a company with a track record of aggressive IP enforcement to open an IP-focused office for a law firm which does things like send people to chair conferences on monetizing IP (http://cf-conferences.com/conferences/ip-strategy-seattle-20...) telling businesses that he's deeply concerned about their ability to hire people like them to bring expensive IP lawsuits.


"The entire article is FUD – the license is rather clear in indicating that as a condition of using AWS you promise not to bring IP lawsuits against Amazon, the duration bit is only too long if you don't read that clause all the way to the end, etc."

It really isn't FUD, actually, despite the attribution.

First, You promise not to bring IP lawsuits against Amazon or it's customers, actually. Second, in fact, yes, if Amazon uses your open source (in some way that is a violation of the license), and you use AWS, you can't sue them.

Which is what the parent asked, and in fact, the clause specifically prohibits.

(Whether I like these clauses or not is another matter).


The reason I disagree with your interpretation is due to the end of the sentence: “regarding any Service Offerings you have used”. The agreement currently has these definitions:

    “Service Offerings” means the Services (including associated APIs), the AWS Content, the AWS Marks, the AWS Site, and any other product or service provided by us under this Agreement. Service Offerings do not include Third Party Content.

    “Service” means each of the web services made available by us or our affiliates, including those web services described in the Service Terms.
I'm definitely not a fan of the broad wording which Amazon uses but I would find it hard to believe that any company large enough to consider bringing a legitimate IP suit against Amazon would have trouble finding a lawyer who can come up with an argument that e.g. the open-source project which they're suing over is not part of the web services Amazon's agreement covers but rather just a component which Amazon chose, along with many other people, to use to build that service.


You can make this argument, for sure. You will almost certainly lose ;) I've seen cases where wording similar to this has been used. It was found to cover the pieces that provide the services, exactly because it is worthless as a protection otherwise. (If I can get an injunction against you stopping you from running a critical piece of your service , you won't be able to provide the service)


A lot of this would depend on the exact nature of the dispute. If this hypothetical open-source project was, say, an XML parser it'd be hard to claim that it was integral to AWS rather than an interchangeable component any more than, say, Intel hosting a microsite on S3 would give Amazon the rights to all of their processor IP. On the other hand, an AWS deployment tool or compute optimizer developed in a private beta that'd be a much harder case since Amazon could quite reasonably argue a privileged business relationship.

Right now we have one case which hasn't been settled and which apparently did involve a business partner. I think we'd need n > 1 or at least a final ruling before making the kind of sweeping claims presented originally.


An almost perfect example of an ad-hom. You've provided absolutely zero factual information about the point under discussion.


See https://news.ycombinator.com/item?id=9879188. It all comes down to whether you consider everything which has ever had a copy uploaded to AWS is included in the “each of the web services made available by us or our affiliates” definition in the license.

I don't see that term supporting the sweeping claims made in that article but you're certainly free to disagree. Ultimately I think this is somewhat moot until Amazon actually initiates action against anyone – the Appistry case was initiated by them and seems like to fail since the claims in e.g. https://www.google.com/patents/US7379959 don't appear to include anything which wasn't common HPC practice in 2002 – and we see how the courts react to it.


"you will not assert...against us or any of our...customers"

Is that Amazon customers or just AWS customers? Either way, that's a lot of people.


IANAL... I wonder if random AMZ customers could use this clause in a case without AMZ's cooperation?


It looks like the intent is to protect AMZN's customers from IP lawsuits related to their use of the service offerings.

So if you were sued for using VMs or S3 storage by a third-party who had used AWS, you could invoke that clause.


That's the intent, but is the language specific enough to limit its application to that?


  > It’s likely that thousands of Amazon customers don’t
  > realise they are giving away their valuable intellectual
  > property rights just for the privilege of using AWS; but
  > realise they should.
Does this mean that AWS is allowed to use the IP of any customer hosting their system on AWS?

I've built an application on AWS but would not have if this meant handing over all my IP to Amazon.

I must be misunderstanding the issue as I doubt any company or person would use AWS if it meant giving up their entire IP.

Can someone please explain what I am missing here?


The clause says you can not enforce any patents, copyrighted works or trademarks that is a part of an AWS service which you have used or are using. The service do not include code which you have brought to it.

In the extreme case that would allow amazon to steal code from customers and put that as a part of a customers currently running services, thus washing away the legal restrictions that copyright, patents and trademarks would otherwise create. I doubt that it would happen in practice since its a bit obvious scheme which would disregard authors intent of using AWS, and judges seems to have a history of following authors intent rather than legal loopholes.


What you're missing is that this is a FUD article.

AWS' terms basically come down to "if you use AWS, you lose the right to patent-troll AWS". The article is trying to spin it as "OH NOES NOW YOU GET TEH VIRAL FROM THE EEEEEEEEEEVIL GPL", though I have no idea on what theory they would base a claim that agreeing not to assert against Amazon and its contractors/vendors would somehow constitute GPL'ing your own code.


I don't think this is right. The terms of the IP non-assert clause say nothing about patent trolling. What the clause says is actually pretty simple: no customer of AWS services can assert a patent claim against Amazon related to an AWS service that the customer used--and that is equally true whether you have a legitimate patent infringement claim, or if you're trolling.

The article's open source point is perhaps a bit tendentious (or underexplained), but, contrary to the impression you convey, it is only a very small part of the article. The bulk of the article raises entirely real issues.

Edit: I think the open source issue is this: if an AWS customer uses open source software (or, more simply, if an OSS project is hosted on OSS) how far up the user/employer/vendor/contributor chain does the non-assert clause reach? If I contribute to project X, which is hosted on AWS, do I become a party to the non-assert clause? What about my employer? What if I contribute to the project as part of my employment? I think this concern is probably not too significant (particularly since it only bars someone from asserting a claim related to the AWS service used), but I don't think it's fair to call this FUD, much less to call the whole article FUD because it includes this as an ancillary point.


The part I'd like more clairification on, is the claim that by using AWS you cannot assert IP claims against any AWS customer.

That seems exceedingly broad.

As to the FUD:

Conflict of interest. Former Patent Chief at MSFT putting an article out on Legal Issues for the #1 Cloud Provider, and MSFT Competitor, Amazon.

Wonder how much MSFT stock the Author is holding?


It is specific to AWS services. It protects you from going after ABC company who is using an AWS service (that you also use) that infringes on your IP.

In other words if Amazon stole something and you use it, you can't go after another client of Amazon's for using that service.

If however they also infringed on you, you could, as you aren't going after them for using the service.

(Note that IANAL so my understanding my be incorrect)


I don't believe this to be correct because no court has established what patent-troll means and the contract certainly doesn't say 'patent-troll' so the test of whether it is allowed or not will not be if someone is patent-trolling amazon but whatever a court determines the contract means.


So, a bit more information here: http://www.geekwire.com/2015/amazon-fights-patent-suit-using...

An interesting point is that Appistry continued to use AWS services after learning about the clause. This led the Missouri judge to allow transfer of the case to Seattle (AWS hometown), basically doing a "you can't have your cake and eat it, too".


"First is the duration – the provision seems to apply even after a customer stops using AWS. " from what I remember in U.S contract law a permanent contracts are frowned on if they don't give some sort of way of terminating the contract?


Agreed, but it doesn't mean you don't have to end up fighting with Amazon in court.


  > I can safely say that I have never seen such a broad IP non-assert provision in a standard form contract.  
What about Facebook's React license?

https://github.com/facebook/react/blob/master/PATENTS

https://news.ycombinator.com/item?id=8985541

https://news.ycombinator.com/item?id=9111849


I believe 'standard form contract' was carefully chosen to qualify his statement, so it could sound general, but be exactingly specific.

On that note, is there such a thing as a standard contract for web-based service agreements?


The simple fix is to make the right to patent infringement assertions one that you cannot sign away so that any contract that includes it is void (at least for that section). Which makes me think it won't ever happen.


I don't know about the US, but in Europe it's quite possible that these clauses would be ruled invalid.


Even if you ware a lawyer (you don't specify but give what is essentially an, entirely reasonable, opinion on a point of law), that would normally be decided upon during the course of litigation. So, anyone would still be faced with substantial legal costs, even if the ruling was that one particular term was unenforceable.

There is a big difference between how the law works in theory and how it works in practice. Especially is one side is Amazon and has, to all intents and purposes, unlimited cash to drag out expensive litigation. Many large companies win like this in practice when, in theory, they have no merit to their case.


In most of the EU the loser in a case is instructed to pay the court costs of the winner.


What about the indirect costs of being involved in such litigation? For example, missed deals/profit due to one's reduced capacity to work while entangled in a legal mess.


> In most of the EU the loser in a case is instructed to pay the court costs of the winner.

If only the US civil litigation process worked this way... :-(


Pretty sure Amazon can stay solvent longer than I can.


Why do they call it the cloud? Because your exclusive I.P. just up and floats away one day.

Stay out of the cloud. Invest in cost-efficient IT. Avoid so many issues. I predicted this specific one years back. I'm surprised I haven't heard more of it among cloud vendors.


Let's play a game.

How long will it take you to get:

3 webservers 2 databases

Across 2 data centers.

Starting with nothing but a credit card, (and an email address).


You could probably have it up on Hetzner or OVH in a couple hours. Lots of dedicated server hosts with more than one DC, and many give you your server in an hour or two.


For colo, or dedicated/managed hardware?


I'm going off the goalposts in your original question.


Outside of performance, how are hosted dedicated servers different than hosted VPS?

Are you trading one cloud provider's feature set for another?

You still outsourcing via PaaS, and not actually investing in IT.


Physical isolation, control of whole environment, and more security/reliability/predictability when these are leveraged properly. You also have less legal risk if the FBI decides to kick in that colo's doors as they have in the past and seize shared servers just because one client was on it. I doubt the quantitative risk of this is high but I like risks not existing where possible.

And you're never investing in IT if you are doing IaaS or PaaS: you're just paying a third party for a temporary good. Colocation is investing in IT because you own the equipment and what's in it. The other parts are their problem with them having a financial incentive (eg competitiveness) to improve them over time.

Cloud can shut down tomorrow and what do you get out of that? If it's my PC with my data, I can get it back from them somehow and people trying to stop that might face criminal charges. A VPS service shutting down means my system probably ceases to exist unless they have specific provisions for the situation that work during bankruptcy. You might know of them since you clearly study the cloud offerings more. I don't so I stay in a low-risk situation.


So you don't want to use AWS because the risk Amazon will shut it down tomorrow?


I like how you ignored the most important stuff (first sentence) and a peripheral risk with precedent (second sentence) to focus on the lowest concern I had. Plus, that concern applies to more than Amazon: many vendors out there. Nice troll tactic, though.


You raised the point. I just called attention to it.

Also, ad hominem.


To just that. What of the main points of dedicated vs VPS?

Physical separation from other users defeats virtualization attack surface and many, covert channels immediately. Control down to hardware layer lets you do neat improvements to performance (eg custom drivers), maintenance (eg transactional kernels), and security (eg CheriBSD on FPGA-based CHERI processor). I also pointed out you can get more predictable with the implication of using a RTOS or other deterministic software + hardware combos. Heck, might even send in AS/400's, NonStop's, and/or OpenVMS clusters on cheap Alpha/Itanium servers to get uptime you haven't seen in cloud world: 17+ years for one OpenVMS cluster.

Those are the strongest points that cloud can't touch at all so far. The cloud-style research on making something comparable with strong correctness arguments is in infancy and almost all academic R&D. Which implies things about what they're using now... Of course, the outages and papers at DEFCON etc already told us that, didn't they?


I did high-security systems so let's modify that for what I would trust. Five servers that offload TCP/IP, a firewall, VPN, and packet/session authentication onto a PCI card with hardened RTOS (ex: Sentinel's HYDRA firewall). Let's me send sanitized data directly to application through trusted interface among other things. Further, the business's I.P. must be protected: physical separation rather than virtualization + legal protection through regulation and contracts. It will also need to run constantly, be tested periodically by intentional fail-overs, and have predictable cost despite this.

So, I spend 10-30 minutes Googling. I find Hong Kong and Switzerland are among best for regulations on data. Settle on Switzerland for various reasons. I haggle for a few hours with hosting companies to set up the deal. I have some hardware shipped 1-3 business days from other companies. We spend a few hours setting it up, doing disk encryption, configuring the guard (PCI card), setting up link encryption, and testing both sides in various ways. We save & standardize anything we figure out for scripted, instant deployment and testing when we scale out. I ship the relevant boxes to the datacenter. Meanwhile, I deploy the local boxes and thoroughly test the site.

Offshore site is probably up before the week is over. I spend a day re-running the tests. I simulate a bunch of fail-overs in various situations to make sure it works no matter what. Once I'm confident in it, we move all the relevant data into both of them. We might have already done that before shipping it if the situation allowed & then we just move what changed. We transition our domain to point at the new service. The users use it. If it fails, it fails over to the other one. The cost is likely $1,000+/mo and pretty flat except for the times where it takes the main load. Not likely to overdo my cap with only 3 webservers, though.

So, in summary, I have several secure boxes, total control of them, data at rest protection, data in transit protection, regulatory protection, acceptable network speed, predictable albeit higher cost, and long-term stability in various ways. It took around two weeks last time I did something like this. Given they usually charge for the rack, best to always ship a few extra boxes that stay off or idle: reduces impact of shipping time when boxes fail or workload increases.

What does Amazon charge and with what wait for a comparable offering with strong host, network, and I.P. protection?


It's not difficult to come up with a specific set of requirements that make 3rd party hosting suboptimal or even impossible. We have customers who do not want their data to leave their data centers, so we must oblige.

For many situations, services like AWS are a god send. Resources that were typically allocated to infrastructure can now be reallocated to other areas. With a little bit of common sense hopefully areas that drive real business value.

Cloud isn't appropriate for all situations, but I assert that for many, it is, and "investing in IT" isn't a default directive.


Oh, I agree with you that cloud offerings can be beneficial for a number of situations. I've strongly considered them for two areas in particular: non-confidential apps that need bandwidth that's too expensive to set up locally; one-off or temporary projects using non-confidential apps or data; backup storage of encrypted data or non-sensitive data. Hosting companies are usually good enough for most stuff but I've seen nice cost & ease of use arguments for above cases. I keep my eye open for other use cases I haven't seen.

The tech I'm most excited about are the various private cloud, open hardware, and cloud software initiatives. This stuff can bring a lot of the advantages in-house with few of the issues I gripe about. I hope to see continued innovation in that area.


Before, we used to call this "hosting".


And Dev Ops was called "IT"


Wow... that's interesting.

I'll summarize my take. First of all, take the article with a grain of salt. Possible issues brought up by Bart Eppenauer are being raised by the former chief counsel of Microsoft, a direct competitor to AWS (Azure). And the linked article has a somewhat alarmist phrasing.

That being said, there appears to be something real here. This contract is one that applies to thousands of businesses -- cloud computing is taking both small business and big business by storm, and AWS has the majority of the business in this area. The clause itself reads like this (retrieved today from http://aws.amazon.com/agreement/ ):

  During and after the Term, you will not assert, nor will
  you authorize, assist, or encourage any third party to
  assert, against us or any of our affiliates, customers,
  vendors, business partners, or licensors, any patent
  infringement or other intellectual property infringement
  claim regarding any Service Offerings you have used.
Now, I am not a lawyer, so my interpretation could be wrong; even if I WERE a lawyer I would be saying that nothing was certain at least until a court had ruled on a case that depended on this clause. But it appears that this clause is very broad in time (from now onwards), in scope (covers patents as well as "all IP") and in targets (against Amazon OR most anyone else like their customers or business partners). The clause is restricted ONLY by the statement that it applies to a claim about "Service Offerings you have used".

Now, my impression would be that this means you can't sue Amazon (or their partners/customers/etc) over IP violations BY THE AWS PRODUCT ITSELF. In other word, if you use AWS you can't then later sue Amazon or their customers saying that AWS itself violates your patent on using a computer remotely (or whatever ridiculous patent you may hold). With this interpretation it is an extremely reasonable provision and should not concern any company involved in normal business.

Furthermore, the one case where Amazon has asserted this clause (against Appistry)[1] fit this model. Appistry sued Amazon saying that Amazon violated its patent; Amazon countered that Appistry was using AWS and with this clause had agreed not to sue. That case is still underway.

So my evaluation is that this is probably an OK clause. But it certainly skirts the line and you ought to have your lawyer look it over. After that, you will probably ignore what your lawyer says and sign it anyway because Amazon is the giant of cloud computing and you don't have a whole lot of choice.

[1] - http://www.geekwire.com/2015/amazon-fights-patent-suit-using...


"Now, my impression would be that this means you can't sue Amazon (or their partners/customers/etc) over IP violations BY THE AWS PRODUCT ITSELF. In other word, if you use AWS you can't then later sue Amazon or their customers saying that AWS itself violates your patent on using a computer remotely (or whatever ridiculous patent you may hold). With this interpretation it is an extremely reasonable provision and should not concern any company involved in normal business."

The amount of bad armchair lawyering here is saddening :)

Why do people need to go on impressions?

The agreement "govern(s) your access to and use of the Service Offerings (as defined below)". Hey, looks like they define Service Offerings, below.

So rather than guess or have an impression as to what it means, why don't we look at the definition of service offerings, a defined term in the contract.

  “Service Offerings” means the Services (including associated APIs),
  the AWS Content, the AWS Marks, the AWS Site, and any other product
  or service provided by us under this Agreement.
  Service Offerings do not include Third Party Content.

  “Service” means each of the web services made available by us
   or our affiliates, including those web services described in the Service Terms.
So there you go, no need to guess or have an impression of what it covers. That is what it covers when it means service offerings.

As for it's okayness -- i'm actually generally in favor of these kinds of clauses. However, this one is a bit too broad. I hope you aren't an open source project who uses AWS, and who AWS uses to provide services in some fashion. Because if you are, congrats, Amazon can do what they want with your software and you can't stop them (ie violate the GPL, whatever).


What on earth does it even mean?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: