Update: youtube-dl reinstantiated thanks to EFF

In October, the popular and famous archivist tool youtube-dl was taken down by GitHub due to a DMCA request by the Recording Industry Association of America. I posted a detailed analysis explaining the relation between international, US, EU and German law, and showing why this request was very different from what most people know as the “classic” DMCA takedown request. I felt this was necessary since there were a lot of rumor and wrong claims out on the Internet (not just in forums or on the (anti)social media, but also on media offerings), which did not help the discussion at all. The repository is back now, thanks to the EFF and its team. They filed a counter-notice on behalf of the youtube-dl maintainers, which allowed GitHub to reinstantiate the repository.

EFF helps out by writing a counter notice

The Electronic Frontier Foundation, a non-governmental organization based in the U.S. dedicated to defending civil liberties and especially digital rights, helped out the youtube-dl maintainers by filing a very informative counter notice with GitHub. This notice explained why the request itself is an abuse of the DMCA and the takedown was not justified at all. It allowed GitHub to reinstantiate the repository and, more importantly, all the metadata (for example, issues and pull requests) that was posted on the platform by users, developers and maintainers. Such information is invaluable to a project, and a takedown of the entire repository with all this data can hurt a project very badly.

The takedown was widely regarded as abuse of the DMCA by the RIAA, given that the youtube-dl code repository did not contain any infringing material. The argumentation was made up by claiming that the primary purpose was to infringe copyright of some songs whose artists are apparently represented by the RIAA. They cited some automated unit tests for this, which do not download the entire songs, and would not be seen or executed by regular users. The EFF argues that these are likely a form of “fair use” and thus allowed legally.

The request also cited an obscure German court decision which considered YouTube’s “rolling cipher” an “effective technological measure”, whose bypassing would be prohibited by copyright laws around the world. The EFF explains that the decision was “wrongly decided and is not binding nor even persuasive under U.S. law”.

The EFF further questions the effectivity of the algorithm in general, given that YouTube delivers the code for decryption in a readable form (and also, the code can be executed outside browsers, too). On top of that, the streams are freely accessible once you have the URLs. YouTube only hides the URLs, but not in an effective way. Therefore, this algorithm cannot be considered a “technological measure”, and thus, the RIAA request is baseless.

In the context of this debate, the DeCSS controversy was mentioned a lot, as there’s been some similarities with how copyright holders reacted to the existence of software to bypass their (arguably not very secure) CSS protection. Their first actions focused on software hosting sites, pressurizing them to take down the software by threatening them with legal steps. This led to a mirroring campaign, due to what we call the Streisand effect nowadays. There’s been some litigation in the early 2000s, where judges ruled in favor of the copyright holders. However, this has little relevance to the case of youtube-dl, as the EFF explains. Reverse-engineering YouTube’s code doesn’t enable users to save copies of the material, they already can do so in many other ways. Also, youtube-dl doesn’t bypass DRM technologies like Google’s Widevine. Also, there’s many resources under free licenses on the video platform, which users are explicitly allowed to download and share. And in the U.S., the Library of Congress may even issue exemptions of Section 1201 of the DMCA, under which bypassing anti-circumvention is fine legally.

EFF’s notice summarizes the situation as follows:

In summary, youtube-dl does not violate either the Copyright Act or the DMCA. EFF and the youtube-dl maintainers thank GitHub for standing up for the rights of developers whose projects it hosts. We hope this explanation will allow you to restore the youtube-dl repository so that GitHub can continue to be the home for development of this popular and important tool.

EFF letter to GitHub on youtube-dl takedown

Thanks, EFF! You did not just helped a tool that is crucial to journalists, activists, lawyers and so many other people. You also destroyed the RIAA’s wrong claims, which will hopefully prevent similar attacks on other tools in the future.

GitHub’s reactions

Regarding GitHub, it is sad that they took down the repository at all. It’s a well-known pattern: platforms rather comply with such requests than risking litigation, requiring projects to invest time and money to fund lawyers themselves (or hope for an association such as the EFF to pick up their case). The moment they published the request and took down the repositories, many experts immediately raised concerns that the request itself is illegal. It remains questionable why GitHub’s legal team didn’t recognize this. They likely were not prepared well enough for such a situation. GitHub did not stand up for the community that made them the most popular hosting platform for software in the world.

Nat Friedman, CEO of GitHub, later apparently reached out to the youtube-dl team personally, expressing his sympathy, and offering some support. However, the damage was already done then. The team lost its primary communication channel to their users and each other, as well as the entire history.

It seems more likely that their PR department recognized they are criticised heavily for taking down the project in the first place, putting their (actually pretty good) relation to the open-source community at risk, and thus creating a serious threat to their business.

At least this case prompted them to rethink their strategy on future lawsuits. They posted a blog article, excusing their takedown with compliance, as expected. They promised changes for the benefit of projects threatened by similar requests in the future at least, such as donating to a “developer defense fund” dedicated to helping out projects threatened by such anti-circumvention takedown requests.

Furthermore, they recognized that there is a strong need for maintainers to access the issues and pull requests. They promised to ensure that developers can export those after a takedown (even if requests are valid). The real question however is why they wouldn’t just keep showing them, and just hide the code repository. Introducing such an option globally for every repository would be an even bigger improvement, allowing developers to always create backups of those data.

As GitHub state themselves, among all DMCA takedown requests, these circumvention ones are quite rare. We will have to see whether it is going to have a lot of effect. It would be better if they just donated money to defend developers of projects for which they receive any kind of unwarranted takedown request, rather than limiting it to this edge case.

By the way: in the end, it’s up to the people to request better copyright laws from the politics. They tend to get worse, not better. Make sure your voice is heard. Call your representatives (that’s better than sending a mail, as a phone call can hardly be ignored). Go on the streets and protest against changes and for improvements for you as a user. Support campaigns of civil rights organizations trying to change the laws.

Lessons learned

Maintainers who host their projects on large proprietary platforms like GitHub or GitLab’s cloud offering should always have a strategy for such situations. They should set up mirrors of the code proactively. Backing up metadata is significantly harder (especially if platforms don’t provide import/export tools, which most of the big ones do not). Some people use the project import features in tools like Gitea, but as those are one-off features, one would have to repeat the process every now and then. For the issues, there is an experimental tool called git-bug, which allows offline backups and migrations, and comes with bridges to import and export to a variety of tools (and is looking for contributors to add new bridges and extend the functionality).

It looks like the free software community should prepare themselves better in the future. We should develop better tools to back up our metadata, also allowing us to move between platforms more easily. If GitHub wants to remain the most popular hosting platform, they should consider adding such functionality out of the box (ideally in a standardized format). Offering such functionality doesn’t mean that projects would just leave for other platforms automatically. It would rather show that GitHub is really committed to the idea of open-source software, whose development can take place everywhere. After all, we are the ones who helped GitHub become the number one platform for software development in the world.

There is one thing that has been and is always going to be counterproductive, especially in such situations: blind actionism. Many people flooded the Internet (read: forums, Reddit, bug trackers of projects), inciting panic and suggesting to move to some other “free” hosted platform. This is clearly not a solution. Any hosting platform will sooner or later have to comply with such a request. It can become very expensive if you end up in court. The true solution, as we have seen in this situation, is to stay calm, analyze the situation, assess the threat to your own project and remove code and text that could be abused to justify such a request (e.g., if you are developing a similar project and also use such songs in a unit test, you can change your test to content under free licenses). Moving to another platform does not solve the root issue, and it risks dividing your community and leaving people behind. Many third-party client projects reviewed their tests, screenshots and other media, and replaced them with safer material. That way, an adversary like the RIAA has a lot less attack surface to justify their claims with.

I personally already have had some measures in place, but also started looking into how I can further improve the backup systems of the projects I am involved in. And I encourage every fellow maintainer to do the same. I also helped a few projects by analyzing the websites and the code and suggesting changes to reduce the attack surface. And I discouraged everyone who suggested any kind actionism to remain calm, because, as expected, the claims were proven wrong, so that there was nothing to be afraid of any more.

See also