Last year, we wrote up our 2014 Transparency Report, the first report of its kind we’ve been able to do. It’s important to continue to update our community on the kinds of legal requests we receive and respond to, so we’re happy to be able to offer our 2015 Transparency Report to follow up.
The kinds of legal requests we received in 2015 were very similar to the requests we received in 2014. As in 2014, we received subpoenas but no court orders or warrants, and the number of subpoenas we received did not increase significantly. However, the number of gag orders we received nearly doubled in 2015. On a happier note, the number of removal requests we received from foreign governments went down notably: we only received one takedown request from a foreign government in 2015. Other takedown statistics are not as rosy. The number of DMCA takedown notices we received in 2015 nearly doubled, and we processed more than 3.5 times the number of retractions and counter notices we processed in 2014. Many of these notices were either mass removals or notices sent by a few organizations that frequently asked us to take down content. In all, fewer than twenty notice senders asked us to remove more than 90% of the repositories we took down under the DMCA in 2015.
This 2015 report details the types of requests we receive for user accounts, user content, information about our users, and other such information, and how we process those requests. Transparency and trust are essential to GitHub and to the open source community, and giving you access to information about these requests can protect you, protect us, and help you feel safe as you work on GitHub.
We notify our users before sending their information to a third party in response to a legal request, whenever possible. We also provide clear, thorough guidelines to law enforcement that describe how to request information about our users, and what legal process we require to obtain certain user information. We provide these guidelines both for the protection and education of our users and for the benefit of law enforcement.
This report will discuss the two main categories of legal requests we receive:
As you may have noticed in our guidelines to law enforcement, we require a subpoena for certain kinds of user information, like a name, an email address, or an IP address associated with an account, and a court order or warrant for all other kinds of user information, like access logs or the contents of a private repository. A subpoena is a legal process that does not require review by a judge or magistrate. By contrast, a warrant or court order does require judicial review. These requests may be part of a criminal investigation or a civil dispute, and may come from law enforcement, a government agency, or litigants in a civil trial.
Because some legal processes are part of ongoing criminal investigations, we may receive, along with them, a court order that forbids us from giving notice to the targeted account holder. Even when we do not receive that kind of order, there are often significant privacy concerns involved with these disputes. Therefore, we do not publish subpoenas or other legal requests for user information.
In 2015, we received twelve subpoenas for user data. This includes every request we received for user data, regardless of whether we disclosed information or not. Not all of these came from law enforcement; some of these may have come from civil litigants wanting information about another party.
We did not disclose user information in response to every request we received. In some cases, this is because the request was not specific enough, and when we asked for clarification, the requesting party withdrew the subpoena. In some cases, we received very broad requests, and we were able to limit the scope of the information we provided.
This is not a significant increase from 2014, when we received ten requests for user information. However, we have seen an increase in the number of orders preventing us from notifying our users about legal requests, nearly doubling from four to seven in 2015.
As in 2014, we did not receive any warrants or court orders.
As noted above, many of the requests we receive pertain to criminal investigations. We may also receive subpoenas from individuals involved in civil litigation or arbitration. We may also receive requests from foreign government agencies through the Department of Justice, via a mutual legal assistance treaty or similar form of cooperation. The following chart shows the sources of the subpoenas we received in 2015 (note that some federal agencies may have issued subpoenas through a grand jury):
We are not allowed to say much about this last category of legal disclosure requests, including national security letters from law enforcement and orders from the Foreign Intelligence Surveillance Court. If one of these requests comes with a gag order—and they usually do—that not only prevents us from talking about the specifics of the request, but even the existence of the request itself. The courts are currently reviewing the constitutionality of these prior restraints on free speech, and GitHub supports the efforts to increase transparency in this area. Until such time, we are not even allowed to say if we’ve received zero of these reports—we can only report information about these types of requests in broad ranges:
In 2014, for the first time, we started seeing requests from foreign governments to remove content. These requests continued in 2015, but as in 2014, they were very uncommon and limited to one particular country.
When we receive requests like this, we provide transparency in at least two ways: we notify the affected account holder before removing the content, and we post the notice publicly, to our government takedowns repository. In 2015, we only received one takedown request from a foreign government.
In 2015, other than that takedown request, we did not block content at the request of any foreign government. Because of our commitment to transparency, if we agree to block content under similar circumstances in the future, we intend to follow the same protocol—providing notice to affected account holders and posting the requests publicly.
The most significant number of requests we receive for removal of content are notices submitted under the Digital Millennium Copyright Act, or the DMCA. The DMCA provides a process by which a copyright holder can request that GitHub take down content the holder believes is infringing, and the user who posted the content can send a counter notice disputing the claim. Each time we receive a complete DMCA takedown notice, we redact any personal information and post it to a public DMCA repository.
In 2015, we received significantly more takedown notices, and took down significantly more content, than we did in 2014. Here is the total number of complete notices that we received and processed in 2015. In the case of takedown notices, this is the number of separate notices where we took down content or asked our users to remove content:
By contrast, in 2014, we received 258 notices, and only received 17 counter notices or retractions. In late 2014, we changed the way we processed DMCA takedown requests for forked repositories, so our comparison of the number of projects affected by takedown notices in 2014 to the number affected in 2015 is not exact. However, even a rough estimation based on the number of notices we received shows a remarkable increase.
By month, the notices we received, and the counter notices or retractions we received, look like this:
From time to time, we do receive incomplete or insufficient notices regarding copyright infringement. Because these notices don’t result in us taking down content, we don’t currently keep track of how many incomplete notices we receive, or how often our users are able to work out their issues without sending a takedown notice.
Often, a single takedown notice can encompass more than one project. We wanted to look at the total number of projects, such as repositories, Gists, and Pages sites, that we had taken down due to DMCA takedown requests in 2015. By month, the projects we took down, and the projects that remained down after we processed retractions and counter notices, look like this:
That large spike in September had us wanting to look more closely. What happened there?
Usually, the DMCA reports we receive are from people or organizations reporting a single potentially infringing repository. However, every now and then we receive a single notice asking us to take down many repositories. We classified “Mass Removals” as any takedown notice asking us to remove content from more than one hundred repositories, counting each fork separately, in a single takedown notice.
If we look at the same graph as above, of the projects we took down, and the projects that remained down after we processed retractions and counter notices, but exclude all incidents of Mass Removals, the graph looks very different:
The activity over the year normalizes significantly when we don’t consider those anomalous mass removals.
In contrast to the Mass Removals, which are notices that contain many removal requests in one notice, we also noticed that some notice senders spread out their notices: they may send many over time. In some cases, this may be because they maintain projects that are frequently infringed, or in others, it may be because it takes several notices over time to take down all the forks of an infringing repository. For the purposes of our measurements, a “Frequent Noticer” is one notice sender who sends more than four DMCA takedown notices over the course of a year. In one case, a Frequent Noticer also sent us several Mass Removals.
Looking at our takedown notices over the year in this light gives us a lot of information. For example, while 83% of our 505 DMCA takedown notices came in from individuals and organizations sending requests to take down small numbers of repositories, the remaining 17% of notices accounted for the overwhelming majority of the content we actually removed. In all, fewer than twenty individual notice senders requested removal of over 90% of the content GitHub took down in 2015.
We can’t draw any conclusions about what this means for GitHub or our users. Additionally, because we did not expect to be doing this kind of analysis on our data this year, there may be some inconsistencies in the data we compiled; we hope to be correcting those as we go forward. We do make all the notices we receive publicly available at https://github.com/github/dmca and you can also view the data we compiled to create this report in our DMCA repository.
We want to be as open as possible to help you understand how legal requests may affect your projects. We hope that each year we put out a transparency report, we’ll be able to improve it with more thorough analysis and more insight into our processes, so if there’s anything you’d like to see us include in next year’s report, please let us know.