GitHub, EFF Push Back Against RIAA, Reinstate Youtube-dl Repository

A few weeks ago, the RIAA hurled a DMCA takedown notice at an unlikely target: GitHub. The code site was ordered to take down its repositories of youtube-dl, software that allowed users to download local copies of video and audio hosted at YouTube and other sites.

The RIAA made some noise about copyright infringement (citing notes in the code pointing to Vevo videos uploaded by major labels) before getting down to business. This was a Section 1201 complaint -- one that claimed the software illegally circumvented copyright protection schemes applied to videos by YouTube.

The takedown notice demanded removal of the code, ignoring the fact that there are plenty of non-infringing uses for a tool like this. It ignored Supreme Court precedent stating that tools with significant non-infringing uses cannot be considered de facto tools of infringement. It also ignored the reality of the internet: that targeting one code repository wouldn't erase anything from dozens of other sites hosting the same code, and that engaging in an overblown, unjustified takedown demand would only increase demand for (and use of) the software.

Youtube-dl is a tool used by plenty of non-infringers. It isn't just for downloading Taylor Swift videos (to use one of the RIAA's examples). As Parker Higgins pointed out, plenty of journalists and accountability activists use the software to create local copies of videos so they can be examined in far more detail than YouTube's rudimentary tools allow.

John Bolger, a software developer and systems administrator who does freelance and data journalism, recounted the experience of reporting an award-winning investigation as the News Editor of the college paper the Hunter Envoy in 2012. In that story, the Envoy used video evidence to contradict official reports denying a police presence at an on-campus Occupy Wall Street protest.

“In order to reach my conclusions about the NYPD’s involvement... I had to watch this video hundreds of times—in slow motion, zoomed in, and looping over critical moments—in order to analyze the video I had to watch and manipulate it in ways that are just not possible” using the web interface. YouTube-dl is one effective method for downloading the video at the maximum possible resolution.

At the time, GitHub remained silent on the issue, suggesting it was beyond its control. Developers who'd worked on the youtube-dl project reported being hit with legal threats of their own from the RIAA.

There's finally some good news to report. The EFF has taken up GitHub/youtube-dl's case and is pushing back. A letter [PDF] from the EFF to GitHub's DMCA agent gets into the tech weeds to contradict the RIAA's baseless "circumvention" claims and the haphazard copyright infringement claims it threw in to muddy the waters.

First, youtube-dl does not infringe or encourage the infringement of any copyrighted works, and its references to copyrighted songs in its unit tests are a fair use. Nevertheless, youtube-dl’s maintainers are replacing these references.

Second, youtube-dl does not violate Section 1201 of the DMCA because it does not “circumvent” any technical protection measures on YouTube videos. Similarly, the “signature” or “rolling cipher” mechanism employed by YouTube does not prevent copying of videos.

There's far more in the letter, but this explains it pretty succinctly in layman's terms:

youtube-dl works the same way as a browser when it encounters the signature mechanism: it reads and interprets the JavaScript program sent by YouTube, derives the “signature” value, and sends that value back to YouTube to initiate the video stream. youtube-dl contains no password, key, or other secret knowledge that is required to access YouTube videos. It simply uses the same mechanism that YouTube presents to each and every user who views a video.

We presume that this “signature” code is what RIAA refers to as a “rolling cipher,” although YouTube’s JavaScript code does not contain this phrase. Regardless of what this mechanism is called, youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them. As a federal appeals court recently ruled, one does not “circumvent” an access control by using a publicly available password. Digital Drilling Data Systems, L.L.C. v. Petrolink Services, 965 F.3d 365, 372 (5th Cir. 2020). Circumvention is limited to actions that “descramble, decrypt, avoid, bypass, remove, deactivate or impair a technological measure,” without the authority of the copyright owner… Because youtube-dl simply uses the “signature” code provided by YouTube in the same manner as any browser, rather than bypassing or avoiding it, it does not circumvent, and any alleged lack of authorization from YouTube or the RIAA is irrelevant.

GitHub's post on the subject explains the situation more fully, breaking down what the site's obligations are under the DMCA and what it does to protect users from abuse of this law. It also states that it's overhauling its response process to Section 1201 circumvention claims to provide even more protection for coders using the site. Going forward, takedown notices will be forwarded to GitHub's legal team and if there's any question about a notice's legitimacy, GitHub will err on the side of USERS and leave the targeted repositories up until more facts are in. This puts it at odds with almost every major platform hosting third-party content, which almost always errs on the side of the complainant.

And the cherry on top is the establishment of a $1 million legal defense fund for developers by GitHub. This will assist developers in fighting back against bogus claims and give them access to legal advice and possible representation from the EFF and the Software Freedom Law Center.

Youtube-dl is back up. And the RIAA is now the one having to play defense. It will have to do better than its slapdash, precedent-ignoring, deliberately-confusing takedown notice to kill a tool that can be used as much for good as for infringement.

