Home / News & insights / Policy

Exploring an increase in circumvention claims in our transparency data

Our full year of 2023 transparency reporting data is now available and we’re taking a deep dive into how a form change caused an abrupt increase in circumvention claims.

·@khxu
| 5 minutes

GitHub’s full year of 2023 transparency reporting data is now available on our transparency center and repository. This is our first data release since introducing the transparency center and now that we have an accessible, interactive, and easy to update platform for our transparency reporting, we will use these data release updates to share when we expand our reporting or find interesting insights in the data. For our first data deep dive, we are following up on the exploration into the uptick in circumvention claims we hinted at in the 2022 transparency report.

If you look at the circumvention claims chart of the Digital Millennium Copyright Act (DMCA) takedowns section, you’ll notice that there was an abrupt increase in DMCA notices for alleged circumvention in 2022. What caused this change?

Bar chart showing the number of DMCA notices that allege circumvention annually from 2015 to 2023, displaying a significant increase in 2022 and 2023 compared to 2015 to 2021.
DMCA notices that alleged circumvention
Line chart showing the cumulative sum of DMCA notices that allege circumvention from 2021 to 2023. The line chart's slope becomes significantly steeper at the end of September 2021. The number of circumvention-alleging notices reported in the full year of 2021 was 92. The number of circumvention-alleging notices reported in the full year of 2022 was 365. The number of circumvention-alleging notices reported in the full year of 2023 was 406.
Cumulative sum of DMCA notices that allege circumvention, 2021 – 2023

As shown above, we processed 365 notices that alleged circumvention in 2022 and 406 notices in 2023 compared to just 92 notices over the entire year of 2021. In terms of average notices per month, that’s more than four times the volume (7.67 per month in 2021 vs. 33.83 per month in 2023).

What happened at the end of September 2021?

A particularly observant chart-reader might be wondering why the slope of the line changed abruptly at the end of September 2021 from ~2 per month to ~30 per month.

Line chart of the cumulative sum of DMCA notices that allege circumvention from 2021 to 2023, with linear regression lines overlaid in two periods: one from January 1, 2021 to September 29, 2021, where the average number of notices per month was approximately 2, and another from September 30, 2021 to the end of 2023, where the average number of notices per month was approximately 30.
Cumulative sum of DMCA notices that allege circumvention, 2021 – 2023, with regression lines

On September 29, 2021, we updated our DMCA takedown submission form with questions related to circumvention. We made this change because DMCA circumvention claims typically require more extensive review, and marking takedown requests as circumvention claims allows us to triage them appropriately.

Screenshot of a portion of the web form on GitHub's page for submitting DMCA takedown requests, showing the following questions related to circumvention:

We anticipated that making this change could result in more submitters alleging circumvention, so shortly before the form update, we began adding annotations if we processed a circumvention-alleging takedown notice for reasons other than circumvention.

Line chart showing the cumulative sum of DMCA notices that allege circumvention from 2021 to 2023, broken out into series that plot whether the DMCA notice was processed due to circumvention or processed on other grounds. While the number of DMCA notices that allege circumvention accelerated significantly after the update to the DMCA form on September 29, 2021, this uptick largely resulted in a greater number of DMCA notices processed on grounds other than circumvention, such as a violation of our Acceptable Use Policies or copyright infringement. The number of DMCA notices processed solely because of circumvention appears to have stayed at the same rate since 2021.
Cumulative sum of DMCA notices that allege circumvention, were processed due to circumvention, or were processed on other grounds, 2021 – 2023

Breaking out the notices that alleged circumvention into notices we processed due to circumvention vs. those we processed on other grounds—such as for violating our Acceptable Use Policies—it appears that while significantly more notices we process allege circumvention, the rate at which we process takedown notices because of circumvention hasn’t accelerated.

What does this mean?

Under our developer-focused approach to the DMCA, every takedown notice we receive that contains a credible circumvention claim and can’t be processed on other grounds, such as a valid copyright infringement claim, or a violation of our Acceptable Use Policies, is reviewed by a team of lawyers and engineers.

Line chart showing the cumulative sum of DMCA notices that allege circumvention from 2021 to 2023, broken out into series that plot whether the DMCA notice was processed due to circumvention or processed on other grounds. An area between the line series for DMCA notices processed on other grounds and DMCA notices processed due to circumvention is highlighted to indicate that these notices do not require specialized analysis to assess whether the accused projects violate the anti-circumvention provisions of the DMCA.
Cumulative sum of DMCA notices that allege circumvention, were processed due to circumvention, or were processed on other grounds, 2021 – 2023, highlighting notices where circumvention analysis was unneeded

While this form change has resulted in an increase in circumvention claims and, consequently, time spent reviewing these claims, this process is an important component of our commitment to developers. GitHub handles DMCA claims with a goal to maximize the availability of code by limiting disruption for legitimate projects. Accordingly, we designed our DMCA Takedown Policy to safeguard developer interests against overreaching and ambiguous takedown requests. Each time we receive a valid DMCA takedown notice, we redact personal information, as well as any reported URLs where we were unable to determine there was a violation. We then post the notice to a public DMCA repository, where curious readers can find the redacted text of these notices, parse this data with regexes, and create charts like those in this deep dive. If you don’t want to do bespoke data analysis to classify circumvention claims, we plan to include this in a future transparency center update.

The DMCA generally makes it unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works, but it also establishes a triennial rulemaking process where users can petition for temporary exemptions to the prohibition of circumvention for noninfringing uses of copyrighted works. In the last rulemaking proceeding, GitHub filed comments advocating for a broader safe harbor for good faith security research. The ninth triennial proceedings are currently ongoing, and are considering interesting exemptions for software preservation, text and data mining, and generative AI research. We encourage developers to follow along and engage with DMCA reform as important stakeholders.

Do you have questions about our data or ideas for future data deep dives? Open an issue in the transparency center repository.

Tags:

Written by

Related posts