Could a DMCA Takedown Break Your Open Source Software?

Daniel Etcovitch
Published in Mind Share
5 min read · Aug 9, 2016

The discussion surrounding the Digital Millennium Copyright Act (DMCA) and its notice-and-takedown procedure usually focuses on traditional forms of media: video and music. Although these represent an important part of what the DMCA covers, code is just as susceptible to takedowns, and those types of takedowns can have a massive impact on open source software development and the open source community. Many developers already know to think about intellectual property licenses as they produce new products, but copyright takedowns are becoming a real concern too.

At a high level, the way notice-and-takedown works is pretty straightforward: sites that host user-generated content are eligible for a safe harbor from monetary liability for copyright-infringing hosted content as long as they comply with the statutory conditions, one of which is that they “expeditiously” take down any content when another party (claiming to be a copyright holder) submits a valid takedown request. That regime has allowed all kinds of sites driven by user-generated content to thrive and has encouraged their existence by lowering the risk profile for those who want to build them. For video or audio hosting services, the system means that if a major record label sees a song they own posted on the site, they issue a takedown notice and the site should honor it. That takedown does not bring down or destroy any other hosted videos or any other files on the site. When code gets taken down, the impact is not nearly as localized.

For a site like GitHub, the implications of a takedown are a lot wider. Some open source projects dynamically link to another user’s repository. While a lot of libraries and projects are actually hosted on package indexes, or are forked, modified, and the new version is packaged into a new project, dynamic linking is still an important and easy method to use projects developed by other people. If you imagine that Repository A is the best or only open source version of a massively useful function, it would make sense that many other projects would want to incorporate Repository A into their code, and some of those would dynamically link to that repository. If another party issues a valid takedown notice to GitHub for Repository A, under the DMCA GitHub is obliged to take it down pretty much right away, thereby affecting all downstream users of the repository. That’s because the owner of Repository A does not get an opportunity to contest the takedown until after it’s already been taken down. While the DMCA does allow the subject of a takedown notice to issue a counter notice, which then requires the party that issued the original notice to either file a lawsuit or allow the content to go back online, the damage may have already been done by the time that exchange is over. If a whole group of projects had linked to Repository A, and it gets taken down, suddenly all of those projects could (at least temporarily) break, lose functionality, or even have new security gaps, depending on what Repository A’s function was.
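The “dynamic linking” described above is, in practice, a build that fetches a dependency straight from someone else’s repository, so an audit of where each dependency comes from shows how exposed a project is to exactly this failure. The following is an added example, not part of the original post: it scans a pip requirements file for dependencies resolved from a repository rather than a package index and reports whether each is pinned to a commit. The requirements file and the example-org repositories are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements.txt (not from the article): package-index
# dependencies beside ones resolved straight from a hosted repository.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
mylib @ git+https://github.com/example-org/mylib.git@main
otherlib @ git+https://github.com/example-org/otherlib.git@0123456789abcdef0123456789abcdef01234567
git+https://github.com/example-org/legacy.git#egg=legacy-tool
"""
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    name: str
    source: str   # "index" or "repository"
    pinned: bool  # exact version, or a full commit hash for a repository
    advice: str

def _repo_finding(name: str, url: str) -> Finding:
    # Ref = text after the first "@" past the host (so "git@host" is not a ref).
    path = url.split("#", 1)[0]
    host_end = path.find("/", path.find("://") + 3)
    at = path.find("@", host_end) if host_end != -1 else -1
    ref = path[at + 1:] if at != -1 else ""
    if COMMIT_RE.match(ref):
        return Finding(name, "repository", True,
                       "contents fixed, but they vanish with the repository: vendor or mirror it")
    return Finding(name, "repository", False,
                   f"floating ref {ref or 'HEAD'!r}: pin a commit hash, then vendor or mirror it")

def audit_requirements(text: str) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "git+" in line:                       # dependency fetched from a repository
            name, sep, url = line.partition(" @ git+")   # PEP 508 "name @ git+URL"
            if not sep:                          # legacy "git+URL#egg=name"
                url = line[len("git+"):]
                m = re.search(r"#egg=([\w.\-]+)", line)
                name = m.group(1) if m else url.split("#")[0].rstrip("/").rsplit("/", 1)[-1]
            findings.append(_repo_finding(name.strip(), url.strip()))
        else:                                    # ordinary package-index dependency
            name = re.split(r"[=<>!~;\[ ]", line, maxsplit=1)[0]
            findings.append(Finding(name, "index", "==" in line,
                                    "ok" if "==" in line else "pin an exact version"))
    return findings
```

Every `repository` finding, pinned or not, is a dependency that a single takedown against that repository can remove from the next build; vendoring or mirroring it is what keeps the project building while a counter notice is pending.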

That means the DMCA system creates a real risk for open source software development, especially as claiming copyright infringement becomes a more accepted method to assert intellectual property rights over code. For the people who are claiming to be the owners, all they have to do is issue a takedown notice stating that they believe in good faith that the use is not authorized by them or by law, which implicitly requires them to have considered potential fair use (a doctrine that, as we know, is kept quite vague in order to be flexible). Whether the use actually is fair, or presents some other defense to a claim of copyright infringement, is irrelevant to the fact that the content was taken down at the start of the dispute process. That means that a host of open source projects may get broken. If open source projects are more likely to break due to those takedown notices, that could incentivize developers to move to closed source software to maintain the safety and integrity of their projects.

GitHub, again as a useful example, has seen the number of takedown requests rise in the recent past and, more notably, has seen the number of mass takedown requests rise significantly, meaning one person or company issues notices for more than 100 repositories at one time. If that is the case, and if the takedowns are being issued through an automated system that just scans for particular code or functionality, the parties issuing takedown notices can miss fair use or report content that shouldn’t be included. This broad approach gives users and developers an incentive to move to closed source alternatives, or else risk their projects breaking as open source solutions are taken down.

One of the core reasons copyright owners can submit so many takedown notices is the uncertainty around the fair use exception. As was demonstrated in the Oracle v. Google series of cases, that exception is hard to understand and its application is hard to predict in the context of code. What amount of code is small enough to count as fair use? What constitutes parody of code? What kinds of modifications change it enough to be “transformative”? The uncertainty around those questions gives copyright holders a lot of leeway to claim, in good faith, that they believe someone’s open source repository is infringing, meaning more takedowns.

Services can try to help improve the landscape by publishing and sharing data about the takedown notices they receive, which can at least give us some metrics by which to judge and assess the impact the DMCA is having. That’s why companies like Mozilla publish transparency reports, it’s why the transparency reports of sites like GitHub are so important, and it’s why industry players use databases like Lumen. The availability of data on takedown requests helps us have conversations about this because we can (in some limited fashion) empirically assess how rampant mass takedowns are in the context of code repositories and sometimes even drill down to see what’s breaking. It turns out GitHub received almost twice as many takedown notices in 2015 as in 2014, and mass takedowns accounted for over 75% of the year’s takedowns.

While broken software projects certainly pose technical problems, there is also fundamentally a legal problem. The notice-and-takedown system was designed almost 20 years ago to balance the interests of copyright holders and the growth of the web. Its structure has allowed sites like GitHub to even exist by limiting secondary copyright liability, but it seems to be an imperfect solution to the problems that come along with that secondary liability as the online landscape changes and develops. If the growth and spread of open source software is being disrupted under that regime, the DMCA’s solution may not be as strong as intended. Maybe users need a chance to contest DMCA notices before the content is actually taken down, or maybe we need to find a better way to factor fair use into the notice-and-takedown system, but the open source community can’t simply ignore the risk.

Student at @Harvard_Law, Editor-in-Chief of Harvard Journal of Law and Technology, and interested in technology, digital media, and more.