Tell HN: Discord is violating open source licenses

91 points by alexhultman ↗ HN
As you might understand, having your own private open source library used by Discord is something big. Something that makes your effort worth while. So you download the distribution and look for your own, hard earned, copyright notice. Well it's not there because fuck you.

What I found by downloading the (Linux) Discord client from discordapp.com was that they clearly were distributing source copies of my project, but it had no license or copyright mentioning me (which is required). I also found that they are distributing ffmpeg binaries but I couldn't find any matching LGPL license or source code in the distribution.

So of course I contacted them. First via GitHub where I have reached them before, and then two times via their support people on their home page. I get about the same response as any one else: "I'm sorry but we cannot help you. Were you satisfied with the support response?".

It's not okay for companies to pull their pants down and take a big dump on your personal work. Not when they clearly do not even bother with complying with basic open source exchanges. If I write something I want to be properly mentioned as is required in my very license.

Discord, is this so fucking hard to understand?

54 comments

[ 3.0 ms ] story [ 80.5 ms ] thread
(comment deleted)
The library in question would be uWebSockets?

https://github.com/uWebSockets/uWebSockets

If so, that's the zlib license, which requires no acknowledgement for binary distributions.

If they distributed the sourcecode, they'd have to include the license, but the zlib license has nothing to say about compiling it in.

(comment deleted)
They are distributing both binary (no problem here) and source (problem).
Maybe I'm an idiot, but I don't see any problems?

——————————

Copyright (c) 2016 Alex Hultman and contributors

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgement in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

——————————

a) This software is provided ‘as-is’, and as the author, you are not liable for damages if someone uses your library for something crazy.

b) Anyone can freely use it, for any purpose, with following restrictions:

1. “If you use this software in a product, an acknowledgement in the product documentation would be appreciated but is not required.”. They decided not to acknowledge the use of your library. You explicitly said this is OK.

2. Altered source code -> probably not.. it’s a web socket handling library.

3. This notice may not be removed. They have probably not removed it from their source code, given they distribute a binary.

Can you find this notice in their distribution? I have looked in their client UI and in their client tar.gz but I cannot find anything. I can however easily find my project in there (I would think the license would be nicely placed where the sources are).
Can you share where you found the project files in the client tar.gz?

edit: Found it, uws.js in resources/bootstrap/discord_rpc.zip

edit2: This is arguably worse, but the argument may be "it's a compiled binary":

  -bash-4.1$ strings discord_rpc.node | grep uws.*cpp$
  ../../discord_common/native/third_party/uws/nodejs/addon.cpp
  ../../discord_common/native/third_party/uws/nodejs/addon.cpp
  ../../discord_common/native/third_party/uws/src/EventSystem.cpp
  ../../discord_common/native/third_party/uws/src/Extensions.cpp
  ../../discord_common/native/third_party/uws/src/HTTPSocket.cpp
  ../../discord_common/native/third_party/uws/src/Network.cpp
  ../../discord_common/native/third_party/uws/src/Server.cpp
  ../../discord_common/native/third_party/uws/src/UTF8.cpp
  ../../discord_common/native/third_party/uws/src/WebSocket.cpp
  ../../discord_common/native/third_party/uws/nodejs/addon.cpp
  ../../discord_common/native/third_party/uws/src/HTTPSocket.cpp
  ../../discord_common/native/third_party/uws/src/WebSocket.cpp
  ../../discord_common/native/third_party/uws/src/EventSystem.cpp
  ../../discord_common/native/third_party/uws/src/Extensions.cpp
  ../../discord_common/native/third_party/uws/src/Network.cpp
  ../../discord_common/native/third_party/uws/src/Server.cpp
  ../../discord_common/native/third_party/uws/src/UTF8.cpp
  -bash-4.1$
If it's compiled, they don't need to add anything. If it's interpreted, i.e. a JS file, they do (at the top of the JS file)
edit2: This is arguably worse, but the argument may be "it's a compiled binary":

discord_rpc.node is an ELF file. It's hard to see how that would not be considered a binary distribution (if it was that file alone, and not being distributed with source files)

You're correct, I was a bit too quick on the 'reply' button there.
As a compiled binary (i.e. your library was compiled into their binary), or as source code? Given we're talking C/C++, I doubt they added it as actual source code.

If they are not distributing source code ("3. This notice may not be removed or altered from any source distribution."), it frankly does not matter if they disclose whether they use your library or not. And if they were distributing source code, the notice would just have to stay visible in the distributed source file. An average user wouldn't be able to find that anyway.

A compiled binary != distributing source code.

As a library user under the license you used, there is no legal obligation to include the actual license in (the documentation of) your app. If you wanted that, you should have included that in the license header of your source code. Sorry to break it to you, but they're probably not doing anything wrong here.

I doubt they added it as actual source code.

https://dl.discordapp.net/apps/linux/0.0.1/discord-0.0.1.tar...

expand that out, then navigate to: resources/bootstrap/

expand out: discord_rpc.zip

note the presence of uws.js which is the source code for this library.

Thus this is a distribution of this library as source, not binary.

Then you can contact them and request they add the license header again, in this JS file. But is it worth pursuing this? Chances are no one will ever actually see it, though.
Then you can

Just to be clear, I'm not the original author, and thus have no ability to enforce copyrights for this library. Just someone who doesn't like the easy stuff of license/attribution being thrown away.

(comment deleted)
> First via GitHub where I have reached them before, and then two times via their support people on their home page.

I don't know why you thought dev/tech support would be the path you go down. This is a legal issue, so if this matters to you, send them a legal notice. I've done the work of exporting their contact for you abuse@discordapp.com (from https://discordapp.com/tos)

Lawyers didn't write the Discord source, and they probably wouldn't even know where to look on a repo for the license of an included package.

If it was a mistake, an oversight, or just a total afterthought I'd say he started in the right place.

Being that the transaction happened on Github it's likely that the exchange will be public record should litigation ever take place.

Informally, sending a question via legal avenues is a good way for a company to go into "Our lawyers will be in touch, we can't say anything more on advice of counsel" mode - if you think a question can be satisfactorily resolved without lawyers (and I'd hope that "can you follow the rules" is a question that most people can answer with "yes"), everything will be more pleasant on all sides if the company doesn't go into lawyers-only mode.

Formally, neither the (US) legal code nor the zlib license says that you need to contact a violating company via some particular channel. A company is a single legal entity, and if you've contacted them somehow, you've contacted them, and they're now willfully violating the license.

Practically, abuse@ seems wrong; that's likely to reach an abuse department (which is just a specific support role that's empowered to do a specific subset of tasks), not a legal department.

More specifically, the abuse@ is clearly their DMCA department, whose response is very likely to be something along the lines of, "this isn't a valid DMCA complaint, please review the instructions at X, and submit the appropriate documentation. Once we have that, we'll remove the 3rd party content."
> I don't know why you thought dev/tech support would be the path you go down.

Dev would be the first path I go down in this case. I'd like to think it was an honest mistake and if I made that mistake and someone brought it to my attention I'd be grateful this wasn't immediately escalated to legal.

I'd like to think everyone is chill/friendly, but I could be naive :)

Would you mind sharing with HN the data that you shared with the Discord team? I'm afraid that you didn't link what the project was, or how exactly it's a "private open-source library", which seems like a self-contradictory statement.
If you don't get a satisfactory response from contacting them as nemothekid said, contact the EFF

http://www.eff.org

The EFF are wonderful people but this isn't quite their usual business. I'd probably contact the Software Freedom Conservancy or the Software Freedom Law Center, who engage in free-software compliance efforts (including, if absolutely necessary, lawsuits).
From the attitude many discord devs have shown in their channels towards other devs, this doesn't surprise me. Unless you make bots for discord, there is little respect. Especially if you're creating your own UI features that Discord just 'happens' to implement once they get popular. While simultaneously turning around and bashing said platform it was possible in in the first place.

Also, dev/tech support is absolutely the correct path in many cases, because they /lead/ you to legal, if necessary. Why users are claiming otherwise does not reflect the purpose of having a support network. Infact, abuse@discordapp.com is much more for actual abuse of discord TOS, not directly legal matters. I could easily turn it around and ask why anyone would think /that/ is the correct contact.

Right, I agree 100%. Support should be able to direct the communication to where it makes sense. I cannot be hanging out on Snapchat or follow them on Twitter or things like that, I just need support for my issue.

It truly is a world for the rich - money makes money. Censor and sue everything that goes in your way. Get bigger, sue more. Get richer. Disregard everything in your path.

For anyone else slightly confused at first: the Discord Linux release (https://discordapp.com/download) includes uWebSockets in ./resources/bootstrap/discord_rpc/uws.js.

This is only the JS source code and there is no licensing information attached whatsoever.

This directly conflicts with uWebSocket's licence (https://github.com/uWebSockets/uWebSockets/blob/master/LICEN...), which clearly states:

"3. This notice may not be removed or altered from any source distribution."

One of the reasons the GPL is suggested to be applied to every source file is to make sure people don't miss it, which can cause issues like this (the other reason being to fully convey exclusion of warranty)
So this post gets 60 upvotes in 30 minutes and is immediately censored by HN and taken off the front page. Right, thank you very much for stealing my work, giving me no credit and then censoring my appeal.
(comment deleted)
I think all self posts get penalised. You should have written a blog post and linked to that.

You can try emailing the mods and asking them to lift the penalty.

I have to assume it was an algorithm and not a person.

I think everyone on HN could learn from this situation. I'm not sure how to contact mods but maybe reach out to them...maybe the algorithm took it out due to profanity?

Best of luck!

Did HN steal your work?
Hello, troll
I'm not trolling you, i'm asking you what HN has to do with this. You got all huffy at HN for not featuring your post crying about a license and then implied HN is at fault for stealing your work and then "censoring" you. Get off your high horse and try not to act like an emotional child if you want people to take you seriously.
Personal attacks and uncivil comments will get your account banned here, so please stop doing that.
IMHO, you aren't going to get any respect from HN mods for being "correct".

Group-Think is what runs things around here not fairness.

Users flagged it. Moderators didn't touch it. That's routine.

You can call it censorship if you want to but it's a community reaction.

It could have been flagged by an algorithm, or may be some over-eager Discord developers to remove this post from public appearance.
(comment deleted)
(Discord Dev here)

Hey Alex, this definitely sounds like a miss on our part, so apologies.

As you know, we're fans of uws and not including the original license was a screw-up in our automation. We're working on fixing it and immediately releasing it with the proper license. I've also asked support to follow up with you directly in case there are further issues.

For the contact, either opening an issue on one of our repos or emailing our legal team (abuse@discordapp.com) would have been guaranteed to get you an accurate response. Unfortunately the verbiage you used in the email is very similar to that used in other support tickets we get for our API, and our team (as they did in your case) forwards users on to our API chat which can provide more in-depth/advanced support.

Well what can I say, I'm passionate and I don't like it when people ignore me. Thanks for the quick resolution.
It's nice to see you've reached out to Alex publicly.

Any time someone or an organization brings in someone else's code and makes use of it, no matter what the license we really need to recognize that, it's just the morally responsible thing to do.

As far as ourselves, we're definitely using uWS and that is not going to go without recognition.

Nobody should need to "open a ticket", send an email or post on HN to get that sorted.

npm install and git clone making it way too easy for people not to give a crap about the works of others.

Good to see you guys are doing the right thing, uWS is a serious piece of tech and well worth recognition.

(comment deleted)
Hahahahah, now this post is FLAGGED. Right, first blow is to censor it straight from the front page at its most trending moment and now it is reported. Can this fucking HN get any more cancerous?