youtube-dl, GitHub, and a takedown request


On Oct 23, 2020, GitHub Inc. published a takedown notice after taking down youtube-dl’s main repository as well as a number of its forks.

youtube-dl is a Python library which can be used to decode stream URLs of a large variety of services. This allows third-party video players to stream videos, legitimately download copies and much more. It has been used as the basis for many other applications, but also ships with a CLI front end targeting advanced users.

The takedown request is justified with so-called anti-circumvention laws, as well as a German court decision. There are plenty of rumors on the Internet around this case, but a lot of them are apparently wrong. Therefore, in this blog post, we’ll have a glance at the request as well as the German laws and the court decision. We also discuss several third-party responses.

There is one important fact that needs to be stressed: This text was not written by lawyers and does not provide any legal advice. It simply provides a third-party analysis of the situation.

What are anti-circumvention laws?

To understand what “anti-circumvention” means and why such laws are implemented around the globe, we need to look into the WIPO Copyright Treaty of 1996. Its terms were implemented in laws in the countries which ratified it. For instance, in the US, the terms are codified via the DMCA. In the EU, multiple directives were passed, which subsequently were implemented in national law by the participating countries, the most relevant being the Information Society Directive of 2001.

The treaty aimed to create a global framework around copyright as a consequence of the rise of information technology. It is one of the so-called “internet treaties”, a nickname also assigned to the WIPO Performances and Phonograms Treaty.

In this context, Article 11 is the most interesting one. It forbids the circumvention of “effective technological measures” designed to restrict access to works. This is what is commonly referred to as “anti-circumvention”.

Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.

WIPO Copyright Treaty, Article 11

Concrete national implementations of such anti-circumvention laws are (non-exhaustively):

In nearly any jurisdiction, you can assume that it is likely not legal to produce, e.g., algorithms which circumvent any kind of protective measure which is supposed to restrict access to copyrighted materials. This is showcased in the U.S. law:

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—

  • (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
  • (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
  • (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

17 U.S.C. Section 1201(a)(2)

“Effective technological measures”

The rules are pretty strict. Even just creating a tool circumventing such measures is apparently prohibited. But what on earth is an “effective technological measure”? To answer that question, we need to read a bit further:

(3) As used in this subsection–

  • (A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and
  • (B) a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

17 U.S.C. Section 1201(a)(3)

Established methods which are typically considered “circumvention” include tools which bypass software licensing (keygens, reverse-engineered passwords or serial numbers), tools which deactivate digital rights management (DRM), etc.

The legally-inclined programmer could be tempted to interpret these words in a strict technological manner. But it is inadvisable to do so. If you want to know whether what you do (or your code does) is legal, consider consulting an actual lawyer. They’re the experts. They studied for many years to be able to provide you, the layman, with a competent answer.

Anyway, ultimately, it is the courts which are going to interpret the laws and decide whether a specific method qualifies as such a measure under that definition.

German court judgement

The complaint filed with GitHub specifically cited a decision made by a German court, Landgericht Hamburg (LG Hamburg). The judgement was made in a case filed by an association representing artists in Germany against a web portal that allowed users to download MP3 files converted from videos on YouTube. The association obtained a restraining order against the company operating the service, whose owners had apparently signed multiple declarations to cease and desist from providing this service for specific music videos before, but continued to operate the service in general.

The complaint this time didn’t focus on concrete violations of the German Urheberrecht (UrhG) (Germany doesn’t have “copyright” like, e.g., the U.S., but “authors' rights” instead). It argued that operating such a service would bypass such “effective technological measures” implemented by YouTube, and this is supposedly not allowed per § 95a UrhG.

YouTube does not provide direct access to the streams. It provides the URLs in some obfuscated (encoded) form, which the JavaScript code in their web front end is capable of decoding. The URLs themselves are freely accessible once decoded – no sessions, cookies or logins required. The “protective technological measure”, if you want to call it that, is this obfuscation.

Naturally, it’s not difficult to reverse engineer this obfuscation. Actually, it is rather easy, as the code executed in the browser is directly readable to programmers. They can inspect the behavior easily. Once you understand how the decoding works, you’re able to implement it in other programming languages as well.

The court, however, considered the obfuscation a “technological measure”. It indicated that this is partially due to the fact that YouTube apparently intends users to use their own web client, and doesn’t provide the stream URLs freely. Thus, it decided that the service violated the anti-circumvention laws.

So, even though you may be allowed to create a copy of the material (for example when the work is licensed under a Creative Commons license, used in compliance with “fair use” rules, or the user is in a country like Germany where they can create a legal “Privatkopie”), downloading the original streams might not be legal. The anti-circumvention laws don’t take into account whether creating a copy would be legal. They criminalize the entire method.

Analyzing the complaint sent to GitHub

The complaint sent to GitHub is not a typical DMCA takedown request. Usually, those cite a specific violation, e.g., an unauthorized copy of copyrighted material. Here, however, the complaint targets a tool which could be used to commit violations by downloading protected works. They claim that the tool’s “clear purpose” was, on the one hand, to circumvent technological measures, and, on the other hand, to allow for copyright violations subsequently.

Intriguingly, the complaint cites three (potential) copyright violations in software tests, which actually download some media of artists the plaintiff appears to represent. These might be considered a “Privatkopie” in other jurisdictions, but both the plaintiff and GitHub are located in the US, so they probably focus on their national legislation, where they might be considered “fair use”.

One thing that remains unclear is whether GitHub would be required to take down such a project immediately upon such a notification. Most companies usually comply with the request to make sure they won’t run into issues themselves, then consult their own lawyers and assess whether it’s lawful.

What is certainly annoying is that neither the RIAA nor GitHub allowed youtube-dl to consult lawyers themselves, nor gave them the chance to remove the offending code (even if just temporarily). They deactivated the entire repository, so that not even the issues (which are valuable information, and are rather unlikely to violate anti-circumvention laws) are accessible anymore. But chances are that they did so in line with their terms of service. It wouldn’t be unusual to have a clause that allows them to disable a project entirely and not just selectively.

Last but not least, there is one interesting detail that should be highlighted: the parties in this complaint are the hosting service, GitHub, and the association representing the artists. YouTube apparently is not a participant in this case. This makes sense if you recall the wording of the laws mentioned before, but is indeed a bit awkward when you think about it.

Reception

Many people on the Internet flooded forums like Reddit and Hacker News, as well as bug trackers and the (anti)social media with inaccurate statements, suggesting that the main issue here is that the tests cited use URLs of commercial songs. But it’s actually the circumvention that is targeted.

There are some very informative analyses by more experienced people. Parker Higgins, member of Freedom of the Press and former member of the Electronic Frontier Foundation, posted a few personal statements on Twitter. He put together an analysis of the complaint itself and later also posted a thread explaining the difference between a regular DMCA letter and this request. He called it a “throwback threat” analogous to the DeCSS controversy which took place in the late 1990s.

John Bergmayer, legal advocate of the Washington, D.C. based non-profit organization “Public Knowledge”, considers the request illegal.

On Monday, the Electronic Frontier Foundation posted a statement on Twitter, stating that RIAA’s move was “disappointing and counterproductive”.

On Law Stack Exchange, an informative analysis was posted by an unknown person which confirms the findings made in this blog post.

A lot of news media pages also reported about the case (non-exhaustive list):

Philipp Hagemeister, a former maintainer of youtube-dl, recently revealed that he received a letter demanding a declaration to cease and desist from German lawyers on behalf of the RIAA. Interestingly, his maintainership had ended in 2016, but he is apparently facing legal action nevertheless. According to Hagemeister, the letter contained false claims and statements, so he signed a modified form.

Note that there is no objective proof that this letter was sent other than his word, at least for now. But attacking developers is quite a threatening approach.

Interpretation

In the past decades, legal copies like the mentioned Privatkopie were created by intercepting and recording the video feed sent by a player to the TV, for example using a VCR, or recording audio played on the radio using a microphone. Unfortunately, this always meant a degradation in quality. Modern, HDD-based digital VCRs usually don’t capture a receiver’s video feed, then send a duplicate to the TV, but are integrated inside those receivers. They’re able to record the received digital stream as-is, without having to re-encode, avoiding any degradation in quality compared to viewing the stream live. This is of course a great improvement, as even in the digital world, re-encoding data still means you lose quality, just like in the analog world.

In the digital world, it is often easy to get the original streams and avoid re-encoding. However, as shown, you may not be allowed to use those in any other way than intended by the provider. As soon as there’s a “technological measure” which protects the streams, you may not circumvent it. However, recording the playback (nowadays using screen recording, for example) may still be allowed, depending on the local laws.

Relevance

In the youtube-dl case, the reasoning follows the same idea: it manages to download the original streams, but there’s some (arguably, not very secure) protective technology that restricts direct access to some extent, so this specific way may be illegal. But, for example, creating a screen recording of the video as it is played back using the provider’s player (i.e., without bypassing a “technological measure”) is okay.

Remember the wording of the laws: with the permission of the copyright holders, bypassing such measures appears to be possible legally. However, creating tools whose main purpose is to bypass “effective technological measures” is prohibited. This is contradictory: on the one hand, bypassing is legal in some cases, but you may not create the tools which provide this functionality. The decision of the German court seems to be based on this inconsistency. They did not discuss whether there are lawful applications for bypassing such measures. Instead, they ruled that the existence of the methods is forbidden by German law. It seems like the creators of the treaty and the derived legislation were not aware of this conflict. Or maybe it’s intentional. You decide which theory sounds more plausible to you.

Questionable reasoning

It remains unclear whether the obfuscation technique described earlier is really an “effective technological measure”. As mentioned before, the streams are basically accessible freely, without any form of mandatory authentication. The URLs are just hidden with an easy-to-breach “encryption” scheme, which can’t really be called “effective”. This is clearly security-through-obscurity that is easy to reverse engineer. Nobody had to steal credentials or hack into YouTube’s system in any way. But in the end, the courts will have to decide.

Furthermore, it is strange that the RIAA uses software tests to prove their point. At the most, the tests can only show that (potentially) illegal activities may be carried out using this code. But that certainly doesn’t mean the tool is solely used for those activities, and doesn’t have legitimate use cases. Also, they ignored the fact that YouTube is just one of more than 100 supported services. At this point, the “youtube” in “youtube-dl” is just a legacy.

One famous case often cited in the context of the youtube-dl case is the Betamax case, a U.S. Supreme Court decision from 1984 (i.e., it was made before the WIPO treaty). It remains questionable how relevant it is, since the present case focuses on the prohibition of creating and distributing bypassing techniques, not actual infringement by users.

What might be most intriguing about this complaint is that a U.S. based association had to cite German law and a German court decision in a lawsuit conducted against another U.S. based business. The only sensible explanation is that there haven’t been any court decisions in the U.S. in a similar context. Therefore, it would be interesting to hear whether the Electronic Frontier Foundation would be interested in starting a counter attack to help create case law in this domain. This could help developers of other projects understand whether what they do is legal or not and prevent them from being targeted by such organizations. Organizations in other countries might be interested in defending such a case, too, if the recording industry executes similar attacks elsewhere.

Targeting individual developers

Regarding Philipp Hagemeister’s case, seeing legal action against developers of tools is concerning, too. While the takedown of a project is surely annoying, it doesn’t necessarily cause personal harm to the developers. But the demand to sign a declaration to cease and desist is on another level. It requires the targeted person to basically admit that they’ve done something wrong. Furthermore, if they ever violate such a declaration, they might easily have to pay a vast amount of money. If they don’t have the money to hire a lawyer with whom they can discuss how to proceed, they might be tempted to sign whatever is being requested to avoid further consequences, such as a lawsuit. And it’s never a good idea to let the opponent choose the wording when it comes to legally binding documents.

Summary

The recording industry has always tried to intimidate its opponents. They have a lot of resources and decades of experience. As explained, it is not clear whether this request was lawful in the first place, and there is a lot of scepticism about whether the takedown notice was legitimate. Since this appears to be a new approach, there is little to no experience among free/open-source projects with how to deal with these situations yet.

In any case, false or inaccurate statements, from any side, are counterproductive. Any form of panic or knee-jerk action is not a good idea. The question still remains whether this approach is legally justified. It seems that there haven’t been a lot of judgements in this area, as they cited a court decision made in a foreign country. This makes it difficult for the compliance teams in companies to assess such requests, as you don’t just need to understand the foreign language, but also need a lawyer experienced in that foreign jurisdiction.

Additional resources

Scientific Services of the German Bundestag: Legal protection against the circumvention of effective technological measures. URL: https://www.bundestag.de/resource/blob/630142/e4a428e1cc312d2163149e50d6c6824b/WD-10-062-17-pdf-data.pdf

Peter Wand: Technische Schutzmaßnahmen und Urheberrecht; Vergleich des internationalen, europäischen, deutschen und US-amerikanischen Rechts. Verlag C.H. Beck, München, 2001.

Electronic Frontier Foundation: Seven Lessons from a Comparison of the Technological Protection Measure Provisions. URL: https://www.eff.org/de/pages/seven-lessons-comparison-technological-protection-measure-provisions
