This is interesting because the DMCA process is, as I understood it (as a paralegal working on DMCA issues in a past life), a fairly rigid prescription that provides a safe harbor for providers like GitHub, ISPs, YouTube, etc.
The simplified version of the process:
1. The party claiming to own the rights to copied content submits a well-formed DMCA takedown notice to the listed DMCA agent contact information of the provider.
2. The provider blocks access to the content as soon as possible, and informs their customer/user about the takedown notice.
3. The user may then submit a counter-notice to the provider claiming that they do indeed have the rights.
4. The provider then re-enables access to the content and notifies the claiming party of the counter-notice.
5. If the claiming party disagrees, they file suit in court, notify the provider, and the provider generally again disables access.
As long as the provider takes these steps without delay, it is safe from any claims that it is itself in violation of the DMCA.
So here, GitHub is actually stating that they're delaying proceeding from step 1 to step 2. It's certainly customer-friendly, but I wonder if it causes any issues with the safe harbor.
Here's the actual relevant text from the bill [1]:
> upon notification of claimed infringement as described in subsection (c)(3), responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity
Immediately contacting the repository owner, and asking them to remove the content themselves within a short window of time, sounds like an expeditious response to my non-lawyer ears.
One nitpick as well:
> it is safe from any claims that it is itself in violation of the DMCA
§ 512 of the DMCA provides for immunity from liability for breaking another law, the copyright act. It's not "violating the DMCA", and service providers do not have to take advantage of § 512 safe harbor provisions if they don't want the benefits of doing so. Without this safe harbor, the service provider could be guilty of infringing the copyright of whomevers' property they're distributing copies of on behalf of their user. If they _voluntarily_ opt to meet the § 512 requirements by expeditiously taking down content, then they can't be held liable for that illegal act, even though it did happen.
"Immediately contacting the repository owner, and asking them to remove the content themselves within a short window of time, sounds like an expeditious response to my non-lawyer ears.
Except, uh, you cut out the object of this sentence, which is the service provider, not the user.
That is, github, not the user, is supposed to be the person responding expeditiously to remove.
Contacting someone is neither "removing" nor "disabling access".
The law is simply not ambiguous here, and github trying to play this game is not likely to go well in an actual court, as much as i'd like it to be the case (i know other companies have been threatened on exactly this point before).
If the user doesn't do it themselves within that short window, then GitHub has to. Every web hosting company I've worked with in the last 10 years has forwarded DMCA notices on to customers. They only disable a server if you don't handle the removal yourself. I don't think GitHub is trying anything new here.
"If the user doesn't do it themselves within that short window, then GitHub has to."
It sounded like you were claiming otherwise, saying that asking the user is acting expeditiously "enough", and that they can then "not remove" or slow down removal.
If you aren't claiming that, then we have no argument :)
This caught me at first too. My guess is that they are blocking access to the infringing file for people other than the alleged offender.
Previously they disabled the whole repo, and this blocked everyone, including the alleged offender from accessing it.
Now it sounds like they will restrict access on a file level and give the alleged offender access to attempt to respond/modify the file to comply or appeal.
This effectively removes the offending content from public view, which should be interpreted as blocking access.
I'm not sure if this is exactly what happens but from how the process was described, it seems plausible and avoids some of the worries that Github isn't responding fast enough to claims.
Is there a mechanism they could use for blocking access to the file from within git without rewriting all of the commits (and therefore changing hashes)?
I'm not sure I completely understand your question, but my guess is they are blocking access to the file from github.com which is all they need to do to comply with the DMCA request. They can't do anything about people's local copies.
Sure, they can block access to the file from their web interface. I'm asking how they block access to a specific file when someone does a "git clone" or "git pull".
It sounds like they just wait 24 hours to get contact.
"because GitHub cannot disable access to specific files within a repository, we will contact the user who created the repository and give them approximately 24 hours to delete or modify the content specified in the notice. We'll notify the copyright owner if and when we give the user a chance to make changes."
If that's the law, then why isn't content from various large companies vanishing (and later reappearing, as in part 4) from the web all the time?
Pick any large company. Surely somewhere among the 7 billion people in this world is someone who (1) hates that company, (2) can put together a well formed DMCA takedown notice, and (3) is willing to give it a shot.
Following that, if your description of the law is correct, the specified content must be taken down, at least temporarily.
So why don't we see major corporate web pages & content disappearing & reappearing on a daily basis?
Was that what they said? Typically you have 24 hours to disable from a DMCA notice. All they said is they would give the user a chance to fix it before the takedown they didn't say how long that chance may be. Could be 23 hours.
If someone took my sourcecode and posted it up on github without my permission, I'm not entirely sure I'd agree that that stance is 'customer friendly'. Only the infringing customer wins in that scenario.
"Accordingly, from now on we will require copyright owners to investigate and report each fork explicitly in a DMCA takedown notice."
I don't see how there are no legal fears or at least administrative ones here. If one submits a legitimate DMCA takedown and your site allows copies, it might be unreasonable (to a judge) that they must name all copies considering forks can happen between when the DMCA was submitted and the takedown occurs. Of course I don't know of a better way without GitHub annoying forked repository owners and favoring DMCA submitters.
1. Does the DMCA require GitHub to take down forks? AFAICT, it is up to the copyright holder to find and submit takedown notices for each copy. Plus, it's literally one click for a copyright holder to get a list of all direct forks for a repository. And if it becomes a problem, GitHub can just change the policy -- retroactively, even, if a particular incident makes it necessary.
2. This could be an abuse vector. Fork a popular repository, add some DMCAed content to it, and watch the parent get taken down. Or compromise the parent because it's old/unmaintained/abandoned and watch all the child forks get taken down.
3. Everything on the internet has legal fears. The question is, how much, and are you willing to tolerate that risk?
Thanks to 17 USC § 512 (c), service providers are not liable for hosting copies of copyright infringing material so long as they don't have actual knowledge of that infringement. Since a fork can differ from its parent, notice that the parent may be infringing is not actual knowledge that the forks are as well. That means Github has, in theory, no legal liability for those copies. It can just point to federal law.
"is not actual knowledge that the forks are as well"
You assert this as if this is how a judge would see it (or as if it is well tested).
That seems highly unlikely to me.
It seems to be very easy to make the legal argument that because github knows which forks are copies and which aren't, they have actual knowledge of the ones that are still copies.
In order for GitHub to be presumed to know that the forks are also infringing, the takedown notice would have to specify what in the repo is infringing so that GitHub could compare the contents of the forks against the instance that the takedown notice is filed against. If the notice doesn't specify any particular files in the repo, then GitHub can't be expected to remove any fork that has any deletions in its history since the branch. The ease with which the accuser can check the forks for infringement also shifts the burden away from GitHub.
But once they get a takedown notice they have actual knowledge that the material is infringing. If there is a fork that they know about, they do have actual knowledge. They have been doing it in the past, and if they now try to make sure they don't know about forks, that is willful blindness and they will still be found to be infringing.
512(c)(1)(a)(ii) has the so called "red flag" requirement. "n the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent"
Essentially, if they know about a fork and a reasonable person would know it is infringing, they lose their safe harbor.
Does GitHub have in house counsel? This policy is risky and doing it response to an outcry about actual pirate programs this will look horrendous if they end up in court.
from what i understood they have knowledge of the fork, but they don't have knowledge if the fork also contains copyrighted material -- so, if i fork x and i remove all the supposedly copyright stuff, my fork should be ok.
Under the red flag requirement, they got to at least check or think about how identical the fork is.
Yea, if you fork Linux and your fork just happens to use a stolen logo. Obviously there is no reason to think Linux is infringing.
But if you are forking popcorn time, that is unreasonable to assume that the fork is going to be non-infringing.
A general assumption that forks are okay is not a reasonable assumption. They'll have to look at this on a case by case basis.
This is even easier when the infringing content is a file or code. There is no excuse for not removing the infringing file from all github projects. And it is easy to check the forks for containing the alleged infringing code.
The safe harbor is not there to protect people acting in bad faith.
Any site that allows users to upload content allows 'copies'. In the sense that a user can easily download and then reupload a copy to any such site.
I'm sure there are _some_ legal fears, which is why they started with the original policy. But they have decided it is likely that the law does not require them to take down copies not specifically identified in the complaint -- just as it does not require other ISP's to identify on their own copies not mentioned in the complaint.
I think the main important point is that a fork isn't _neccesarily_ a copy, it may or may not be, the infringing material may have been added to the 'original' after the fork, or deleted from the copy after the fork.
But what if the forks didn't have the same code, and therefore didn't infringe? Lets say for example I just loved popcorn time's app so I forked it, but then I made my app only get video from free, non pirated sources or something. It would be a fork of popcorn time still, but not infringing.
(PS) I don't think popcorn time should have been taken down as it wasn't stealing some copyrighted code.
Just a note concerning this. Popcorn allows users to easily find and watch torrents, which could be illegal copies. Why does the software that enables that fall under a DMCA request? Shouldn't any web browser or search engine also fall under the same rules because they allow me to browse and watch mp4 movies?
I can't help but think of the Snapchat breach. Surely the world understands that once something is on the internet, it's there forever, right? Complying with the DMCA is security theater at best, and at worst, stifling to innovation.
I mean, we have many laws centered around the difference between intentionally and unintentionally inflicting harm on others. So for example if you break someone’s rib performing CPR, you’re protected as a good samaritan. Or if you veer off the road and run someone over because you were texting, you can still be tried for manslaughter because you shouldn’t have been typing on your cell phone in the first place. I think we can all agree that it’s good we have these types of laws and don’t just focus on premeditated crime.
But the DMCA tries to be a moral compass when it’s not mathematically possible to do so. It’s a bit like setting up a booth on the Grand Canyon that charges money to take pictures. Sure, they can bust bootleggers that set up black market booths without a license. They can even bust scalpers selling photos. But in the end, the Grand Canyon is still there.
Whether someone gets irate about piracy/copying trade secrets or not, in the end, perhaps as a society we should ask if it makes any sense to spend tax dollars trying to stop something that can’t be stopped once the cat’s out of the bag.
Actually, I think GitHub is in a unique position to not comply with the DMCA. It has nothing to do with the size of GitHub, because no matter how large a private entity is, it is always subject to the laws of its government. It has more to do with the fact that every developer in the world has either heard of GitHub or uses it every day.
In other words, we are the people that form what can be thought of as the technology arm of society, so by extension the technology arm of government. That gives us a seat at the table in matters of technology, the same way that teachers unions are able to influence education or the American Medical Association can influence public health. If we decide that the DMCA is not a good use of taxpayer money and should no longer be enforced (in fact can’t be enforced), then it’s not up to a court to decide that, since they will side with the law every time (as they should). The law itself is what must be adjusted or repealed, by the people who have the means to do so by virtue of the role they play in society. We have the leverage to repeal it because without our support, there is no expertise to enforce it in the first place.
If GitHub complies with the DMCA and we use GitHub, then we are quietly endorsing the DMCA.
> If GitHub complies with the DMCA and we use GitHub, then we are quietly endorsing the DMCA.
I happily endorse § 512 of the DMCA. Not only is the safe harbor provision a well-balanced law for all parties involved, but it's the only thing that makes startups that host UCG legally viable. Without the DMCA, Github could not exist. They'd be personally liable for every copy of every file they distribute without a copyright holder's permission.
This particular piece of the DMCA doesn't have to eliminate all piracy online to be effective. Take the case of a feature film release -- a $XXXMM investment by the copyright holders into their product -- that could be seriously harmed to the tune of tens of millions of dollars by someone leaking a copy online a few days before ticket sales begin. The DMCA notices can disable the most visible (and most damaging) copies, expeditiously enough to save the film's box office sales. Mitigating much of the harm is better than nothing.
> perhaps as a society we should ask if it makes any sense to spend tax dollars
This part I don't get. The alternative to the above is an emergency court hearing for every instance of infringement, hoping to attain an emergency injunction, then get it to an ISP before too much damage is done. The safe harbor provision doesn't (directly) cost tax payers anything. It saves us billions. Every day, hundreds or thousands of instances of copyright infringement are handled by an e-mail instead of a taxpayer-funded court hearing.
It sounds to me like you're making an argument against copyright, not the DMCA. DMCA § 512 (the notice/counternotice safe harbor system) is about mitigating the legal liability created by the copyright act on service providers. In its entirety, the DMCA was the US's implementation of the WIPO Copyright and Performances and Phonograms Treaties. It is not what created copyright protection itself.
I was surprised to get down voted for my comment, but, that's a perfect example of the chilling effect that the DMCA has had upon discussing freedom in the information age.
What the DMCA (and similar IP law) gets wrong is persecuting sharers with "intent to distribute". Copyright law was originally intended to protect creators from other people profiting off of their work by copying it. I'm all for the government cracking down on bootleggers.
But I’m very much against the notion that we should go after people who use or view content that is already publicly available. To use your example, the MPAA could and should go after someone who leaks a movie online. But, they should have to prove that the person profited in some way from his or her actions (and correspondingly, the penalty for doing so should be somehow proportionate to that profit). Individual users who share the movie on BitTorrent are not breaking copyright law, because they are not selling copies. It’s really that simple. I personally don’t think that it’s the government’s responsibility to devote resources to tracking down sharers, and certainly not to prosecute them. If we want to consider laws regarding “stealing” intellectual property, we can certainly do that as a society, but that has nothing to do with copyright (trademarks or patents either).
And to be clear, the only thing that new IP laws could address is the potential lost income of content producers. But, there is no way to prove that a sharer would have paid to view that work in the first place. I personally think that this flies in the face of free market economics. The government’s role is to create and manage a fair playing field for all players. So if it is going to start prosecuting thought crime, then it needs to remember its duty and crack down on monopolies and the bribery (ahem, lobbying) that props up media corporations with lifetime-length copyrights and the loss of the public domain through the use of paywalls (among other things). So the DMCA put the cart before the horse by not reinstating the Sherman Antitrust Act, not setting realistic limits on copyright and other IP laws, etc. The DMCA has done nothing to increase the income of new artists, and everything to further enrich established media corporations like Disney (I would argue by design).
We need to also consider that courtrooms and juries are the most important link in the legal chain. By not hearing every case in a court of law, we are passing the burden to individuals to prove their innocence against large institutions (by settling out of court, since they simply can’t afford to lose). I think this flies in the face of the notion of innocent until proven guilty. Whenever I see another child or elderly person being prosecuted for file sharing, it strikes me as being closer to extortion than justice.
So to summarize, I don’t recognize “§ 512 of the DMCA” as necessary or even valid, because ISPs and hosting providers that don’t sell the copies they store are not breaking copyright law in the first place. A website that charges money to view HBO Go’s stream is breaking the law. A website that provides a storage space for a file is not. So the DMCA was not necessary in the first place, and we should be enforcing the laws that are already on the books before creating new ones.
My hope for the future is that we reduce copyright and patent periods to something reasonable like 5 or 10 years, only cover works by copyright (so physical records, books, paintings, movie reels, etc, not bits), invalidate all process patents (so no software, business or medical patents), make it illegal to create laws regarding DRM schemes (in other words, leave it up to the private sector to fight the arms race against cracking), and force worries about whether a work is fair use to be heard in court (judged by people, not metrics). Then I hope that we bring back the Fairness Doctrine to promote broadcasts that are in the public good (real news, not infotainment), more funding for public television and teaching art in school, and bar prosecution for using works for educational and nonprofit purposes.
I think this is a case of, what you are saying about protections for businesses (both producers and carriers) has some validity, but for me, democracy, personal freedom and liberty come first. I don’t want to live in a country where we can be shaken down by corporations because they are worried about their bottom lines.
The simplified version of the process:
1. The party claiming to own the rights to copied content submits a well-formed DMCA takedown notice to the listed DMCA agent contact information of the provider.
2. The provider blocks access to the content as soon as possible, and informs their customer/user about the takedown notice.
3. The user may then submit a counter-notice to the provider claiming that they do indeed have the rights.
4. The provider then re-enables access to the content and notifies the claiming party of the counter-notice.
5. If the claiming party disagrees, they file suit in court, notify the provider, and the provider generally again disables access.
As long as the provider takes these steps without delay, it is safe from any claims that it is itself in violation of the DMCA.
So here, GitHub is actually stating that they're delaying proceeding from step 1 to step 2. It's certainly customer-friendly, but I wonder if it causes any issues with the safe harbor.