Context: we had discussed last month how GitHub had taken down the code and binaries for the youtube-dl project, a tool that can be used to download videos from YouTube and a variety of other sites, and how and why it was a travesty.
In a post written by the company’s director of platform policy, the code-hosting platform said the following:
The youtube-dl takedown notice fell into a more unusual category: anticircumvention—an allegation that the code was designed to circumvent technical measures that control access or copying of copyrighted material, in violation of Section 1201 of the DMCA.
Section 1201 dates back to the late 1990s and did not anticipate the various implications it has for software use today. As a result, Section 1201 makes it illegal to use or distribute technology (including source code) that bypasses technical measures that control access or copying of copyrighted works, even if that technology can be used in a way that would not be copyright infringement. Circumvention was the core claim in the youtube-dl takedown.
Establishing that, the post then goes on to state that in their opinion, the youtube-dl project did not circumvent technical measures:
Although we did initially take the project down, we understand that just because code can be used to access copyrighted works doesn’t mean it can’t also be used to access works in non-infringing ways.
Then, after we received new information that showed the youtube-dl project does not in fact violate the DMCA‘s anticircumvention prohibitions, we concluded that the allegations did not establish a violation of the law.
This new information came through a letter sent by the Electronic Frontier Foundation’s attorney [PDF] to GitHub. This is the highlight of the whole story for how well it explains what youtube-dl does and does not do. Quoting from the letter, not necessarily in the order in which they appear in the letter:
when a user requests certain YouTube videos, YouTube’s servers send a small JavaScript program to the user’s browser, embedded in the YouTube player page. That program calculates a number referred to as “sig.” That number then forms part of the Uniform Resource Locator that the user’s browser sends back to YouTube to request the actual video stream. This mechanism is completely visible to the user simply by viewing the source code of the player page. The video stream is not encrypted, and no secret knowledge is required to access the video stream… Importantly, youtube-dl does not decrypt video streams that are encrypted with commercial DRM technologies, such as Widevine, that are used by subscription video sites, such as Netflix
We presume that this “signature” code is what RIAA refers to as a “rolling cipher,” although YouTube’s JavaScript code does not contain this phrase. Regardless of what this mechanism is called, youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them.
To borrow an analogy from literature, travelers come upon a door that has writing in a foreign language. When translated, the writing says “say ‘friend’ and enter.” The travelers say “friend” and the door opens. As with the writing on that door, YouTube presents instructions on accessing video streams to everyone who comes asking for it.
youtube-dl does not violate Section 1201 of the DMCA because it does not “circumvent” any technical protection measures on YouTube videos.
This is wonderfully explained, and the analogy is spot-on.
I do not expect Github’s lawyers to have understood this mechanism when they first received the takedown request from the RIAA, but one would expect them to have discussed this with someone technical at GitHub, who either knew or could have asked the project about this mechanism, and this technical person and the lawyers could have determined that it did not circumvent technical measures. My guess is that in an effort to project neutrality, they did not initially take a stance one way or another. Indeed, the blog post has a short section at the beginning titled “Why did Github process this takedown in the first place?” which doesn’t really address why they went all the way to removing the youtube-dl project if they understood the issue:
As a platform, we must comply with laws—even ones that we don’t think are fair for developers. As we’ve seen, this can lead to situations where GitHub is required to remove code—even if it has a multitude of non-infringing uses—if it is in fact designed to circumvent a TPM. But this is exceedingly rare.
I think it’s the EFF’s advocacy, finally in the form of a legal document, that gave GitHub the confidence – or cover – it needed to do the right thing. That combined with the public outcry against this.