Standing up for developers: youtube-dl is back

Today we reinstated youtube-dl, a popular project on GitHub, after we received additional information about the project that enabled us to reverse a Digital Millennium Copyright Act (DMCA) takedown. 

|
| 9 minutes

Today we reinstated youtube-dl, a popular project on GitHub, after we received additional information about the project that enabled us to reverse a Digital Millennium Copyright Act (DMCA) takedown. 

At GitHub, our priority is supporting open source and the developer community. And so we share developers’ frustration with this takedown—especially since this project has many legitimate purposes. Our actions were driven by processes required to comply with laws like the DMCA that put platforms like GitHub and developers in a difficult spot. And our reinstatement, based on new information that showed the project was not circumventing a technical protection measure (TPM), was inline with our values of putting developers first. We know developers want to understand what happened here, and want to know how GitHub will stand up for developers and refine our processes on these issues. 

In this post, we provide answers to common questions about the DMCA and why GitHub handled this case the way we did, describe why circumvention claims deserve special treatment, and share how we’re updating our policies and fighting to improve the law.

Why did GitHub process this takedown in the first place? 

As a platform, we must comply with laws—even ones that we don’t think are fair for developers. As we’ve seen, this can lead to situations where GitHub is required to remove code—even if it has a multitude of non-infringing uses—if it is in fact designed to circumvent a TPM. But this is exceedingly rare. 

Less than two percent of the DMCA takedowns we process are based on circumvention claims, and of those two percent, this was a particularly unusual case. 

DMCA takedown claims based on circumvention are a growing, industry-wide issue for developers with far-reaching implications. We’ll get into this in more detail, but first, here’s some quick background. 

Circumvention claims under the DMCA

Most takedown notices we receive allege copyright infringement—that someone used their copyrighted work (often software code) in a way that infringes their rights. But as many people noticed, the youtube-dl takedown notice fell into a more unusual category: anticircumvention—an allegation that the code was designed to circumvent technical measures that control access or copying of copyrighted material, in violation of Section 1201 of the DMCA.

Section 1201 dates back to the late 1990s and did not anticipate the various implications it has for software use today. As a result, Section 1201 makes it illegal to use or distribute technology (including source code) that bypasses technical measures that control access or copying of copyrighted works, even if that technology can be used in a way that would not be copyright infringement. Circumvention was the core claim in the youtube-dl takedown. 

GitHub’s developer-focused approach to the DMCA 

GitHub handles DMCA claims to maximize protections for developers, and we designed our DMCA Takedown Policy with developers in mind. Nearly every platform with user-generated content accepts and processes DMCA takedown notices to comply with the law. For GitHub, many of those notices come from developers wanting us to enforce the terms of their open source licenses, for example, when someone is using their code without the proper attribution required by the open source license they adopted. Here are ways our approach protects developers:

  • Given the cost to developers of an unwarranted takedown of code, we ensure we have a complete notice before we take action. We distinguish between code that merely can be used in an infringing way and code that is preconfigured to be used a certain way. We also recognize that code can provide access to copyrighted content without violating the law (for example, fair use). In some cases we can keep a project up because the content identified in the takedown notice is not in fact infringing or circumventing a TPM that controls access or copying of copyrighted works. 
  • Our process sets a higher bar for 1201 claims than the infringement claims we typically get. We require complainants to provide additional information specific to circumvention, and to describe the technical measures and how the project is designed to circumvent them, for us to consider a notice complete. Below we explain how we’re further strengthening our process.
  • Whenever we process takedowns, we notify all the affected repository owners about the takedown and give them options to dispute it. We allow the repository owner to make changes to address the allegations in the notice and in many cases, we can keep projects up because they do. 
  • We are transparent with the developer community about DMCA takedown notices. Every time we process a DMCA takedown notice or counter notice, we publish the text to our DMCA repository, dated on the date we process it (as opposed to when we receive it), so that anyone can see the notice and the basis for our action. 

These are all steps we currently take to help developers, which go beyond our legal obligations and typical industry practice while still meeting the requirements of the DMCA.

youtube-dl

As we explained, the key claim in the youtube-dl takedown is circumvention. Although we did initially take the project down, we understand that just because code can be used to access copyrighted works doesn’t mean it can’t also be used to access works in non-infringing ways. We also understood that this project’s code has many legitimate purposes, including changing playback speeds for accessibility, preserving evidence in the fight for human rights, aiding journalists in fact-checking, and downloading Creative Commons-licensed or public domain videos. When we see it is possible to modify a project to remove allegedly infringing content, we give the owners a chance to fix problems before we take content down. If not, they can always respond to the notification disabling the repository and offer to make changes, or file a counter notice. 

That’s what happened in this case. First, we were able to reinstate a fork of youtube-dl after one of the fork owners applied a patch with changes in response to the notice. 

Then, after we received new information that showed the youtube-dl project does not in fact violate the DMCA‘s anticircumvention prohibitions, we concluded that the allegations did not establish a violation of the law. In addition, the maintainer submitted a patch to the project addressing the allegations of infringement based on unit tests referencing copyrighted videos. Based on all of this, we reinstated the youtube-dl project and will be providing options for reinstatement to all of its forks. 

What we’re changing

Going forward, we are overhauling our 1201 claim review process to ensure that the following steps are completed before any takedown claim is processed:

  1. Every single credible 1201 takedown claim will be reviewed by technical experts, including when appropriate independent specialists retained by GitHub, to ensure that the project actually circumvents a technical protection measure as described in the claim.
  2. The claim will also be carefully scrutinized by legal experts to ensure that unwarranted claims or claims that extend beyond the boundaries of the DMCA are rejected.
  3. In the case where the claim is ambiguous, we will err on the side of the developer, and leave up the repository unless there is clear evidence of illegal circumvention.
  4. In the event that the claim is found to be complete, legal, and technically legitimate by our experts, we will contact the repository owner and give them a chance to respond to the claim or make changes to the repo to avoid a takedown. If they don’t respond, we will attempt to contact the repository owner again before taking any further steps.
  5. Only once these steps have been completed will a repository be taken down.
  6. After a repository is taken down due to what appears to be a valid and legitimate 1201 claim, we will continue to reach out to the repository owner if they have not already responded to us, in order to provide them the opportunity to address the claim and restore the repository. 
  7. Even after a repository has been taken down due to what appears to be a valid claim, we will ensure that repository owners can export their issues and PRs and other repository data that do not contain the alleged circumvention code, where legally possible.
  8. We will staff our Trust and Safety frontline team to respond to developer tickets in such cases as a top priority, so that we can ensure that claims are resolved quickly and repositories are promptly reinstated once claims have been resolved.

All of this will be done at our own cost and at no cost to the developers who use GitHub. We believe this represents the gold standard in developer-first 1201 claims handling. Like we do with all of our site policies, we will document and open source this process so that other companies that host code or packages can build on it as well. And we will continue to refine and improve this process as our experience with these types of cases inevitably grows.

Developer defense fund

Developers who are personally affected by a takedown notice or other legal claim rely on non-profits like the Software Freedom Law center and the Electronic Frontier Foundation (EFF) to provide them with legal advice and support in the event that they face an IP claim, under the DMCA or otherwise. These organizations provide critical legal support to developers who would otherwise be on their own, facing off against giant corporations or consortia.

Nonetheless, developers who want to push back against unwarranted takedowns may face the risk of taking on personal liability and legal defense costs. To help them, GitHub will establish and donate $1M to a developer defense fund to help protect open source developers on GitHub from unwarranted DMCA Section 1201 takedown claims. We will immediately begin working with other members of the community to set up this fund and take other measures to collectively protect developers and safeguard developer collaboration. 

If you want to support developers facing legal challenges, you can consider supporting SFLC and EFF yourself as well.

How we’re working to improve the law

No matter what we do to protect developer rights, we still must work within the boundaries of the law. And the DMCA’s current boundaries are hurting developers. One way to address the problems with the DMCA is to work to improve the law itself—and to prevent even worse laws from being enacted around the world. We were successful in a multi-year effort to stop the EU copyright directive from mandating upload filters for software development, and we’re taking lessons from that fight to the US as broader DMCA reform begins to be discussed. 

We are also advocating specifically on the anti-circumvention provisions of the DMCA to promote developers’ freedom to build socially beneficial tools like youtube-dl. Right now, the U.S. Copyright Office is conducting its eighth triennial review process of exceptions to the anti-circumvention provisions of Section 1201. We will be saying more about that soon, but if you believe, like we do, that the DMCA is overly restrictive in its anti-circumvention provisions and want to change that, you can contact the Copyright Office directly too.

We will have more to say about how you can join the fight to make copyright law more developer-friendly soon–stay tuned.

Written by

Abby Vollmer

Abby Vollmer

@vollmera

I'm GitHub's Director of Platform Policy and Counsel, building and guiding implementation of GitHub’s approach to content moderation. My work focuses on developing GitHub’s policy positions, providing legal support on content policy development and enforcement, and engaging with policymakers to support policy outcomes that empower developers and shape the future of software.

Related posts