GitHub agrees RIAA claim is bunk, restores popular YouTube download tool

  News
image_pdfimage_print
A sign in the shape of the YouTube logo juts out over a glass wall.
Enlarge / A sign featuring the YouTube logo, outside the YouTube Space studios in London on June 4, 2019.

GitHub has reversed its decision to boot YouTube-dl, a popular tool for archiving YouTube videos, from its platform. The company restored repositories this week after “additional information” convinced it that an archiving tool is not in and of itself a copyright violation—no matter what the music industry says.

The repositories in question got shut down in late October before coming back yesterday. “We share developers’ frustration with this takedown—especially since this project has many legitimate purposes,” GitHub explained in a corporate blog post. “Our actions were driven by processes required to comply with laws like the DMCA that put platforms like GitHub and developers in a difficult spot. And our reinstatement, based on new information that showed the project was not circumventing a technical protection measure (TPM), was inline with our values of putting developers first.”

The initial takedown occurred after the Recording Industry Association of America filed a claim with Microsoft-owned GitHub arguing that the code in those repositories was inherently illegal under US copyright law. At a high level, the law in question basically makes it illegal to crack or bypass DRM in any way, except for a handful of enumerated exemptions.

The RIAA’s takedown filing argued not that YouTube-dl was itself infringing content. Instead, the filing alleges that the code violated that section of copyright law because, in the RIAA’s eyes, “the clear purpose of this source code is to… circumvent the technological protection measures used by authorized streaming services such as YouTube, and [to] reproduce and distribute music videos and sound recordings owned by our member companies without authorization for such use.”

Not exactly

The “additional information” GitHub received about the RIAA’s claim came from the Electronic Frontier Foundation, which filed a response to GitHub on behalf of the developers maintaining YouTube-dl.

First of all, the EFF pointed out, the RIAA’s claim that YouTube-dl only exists for piracy is flat-out wrong—the utility has a host of legal, fair-use applications:

[YouTube-dl] has a vast, diverse, worldwide community of users. It is used by journalists and human rights organizations to save eyewitness videos, by educators to save videos for classroom use, by YouTubers to save backup copies of their own uploaded videos, and by users worldwide to watch videos on hardware that can’t run a standard web browser, or to watch videos in their full resolution over slow or unreliable Internet connections.

Secondly, and even more pertinent to the RIAA’s claim: YouTube-dl does not in fact circumvent DRM in place on videos. Instead, the utility does roughly the same thing any Web browser would, the EFF explains: “It reads and interprets the JavaScript program sent by YouTube, derives the ‘signature’ value, and sends that value back to YouTube to initiate the video stream.” (The EFF creatively compares this to the Doors of Durin in The Lord of the Rings, which say, “speak, friend, and enter.” Providing the signature is, in this case, analogous to knowing the Sindarin word for “friend.”)

This mechanism, the EFF argues, is not “circumvention” in legal terms. YouTube-dl merely accesses the “signature” code, rather than bypassing or avoiding it, and “any alleged lack of authorization from YouTube or the RIAA is irrelevant.”

GitHub found the EFF’s arguments compelling. After reading over the filing, GitHub determined that the RIAA’s claims “did not establish a violation of the law.”

Doing better next time

As a result of the YouTube-dl fiasco, GitHub has promised changes to its claim-review process going forward. For starters, new claims will be reviewed by both technical and legal experts—the techies to determine if the code actually does what the claimant says it does, and the lawyers to determine if the claim does in fact fall within the boundaries of the law.

When the claim is ambiguous, “We will err on the side of the developer,” GitHub says. And even if a claim is found to be accurate, legal, and technically legitimate, the repository owner will get a chance to make changes or respond to the claim before their repository is taken down.

Perhaps most interestingly, GitHub is putting its money where its proverbial mouth is: the company is donating $1 million to establish a “developer defense fund” to help developers fight against unwarranted legal claims.

GitHub CEO Nat Friedman added in a Twitter thread that GitHub “will have more to say about this, and other things we are doing to protect developers and their freedom to tinker, in the coming weeks.”

https://arstechnica.com/?p=1723734