This reminded me of HackerRank’s SymPy incident (HackerRank (YC S11) DMCA'ed the SymPy Docs [fixed] | https://news.ycombinator.com/item?id=31087175). They had taken down SymPy documentation claiming SymPy plagiarized their code snippets but in reality it was them using SymPy docs in their questions. The request for takedown is at https://github.com/github/dmca/blob/6f752b45efb10be0cb576321....
This is actually a good thing because DMCA in other areas like package registries are usually behind email and you never have an idea of repeat infringers.
This community-oriented approach really provides enough transparency so the community can hold companies and infringers to a higher standard.
I work on one of the biggest registries and this is a huge problem for us and we are thinking of adopting this approach. Any reasons we shouldn’t?
I think people need to separate the DMCA process and the ledger of DMCA requests to separate criticism points.
No cookie for you, MS/GitHub. You're redacting so much information this is a nearly worthless, token effort. Lumen will provide at least some info, enough to identify DMCA abuse. For example, I clicked on one of the most recent DMCA requests in Lumen, filled out the captcha, and then clicked on the submitter's name and...oh hey, they've submitted 100,000 DMCA notices (!)...it's a DMCA mill, specializing in online porn.
With how Github is doing this, there's no way to tell who or what was actually involved, thus impossible to verify if the DMCA claim is BS or not:
https://github.com/github/dmca/blob/master/2024/06/2024-06-1...
If you're making a claim of copyright infringement, your name / who you represent and the nature of the violation is not "private." And further, that redacting is purely Github's decision; nothing in the DMCA requires any redaction or limits publishing of DMCA notices in any way.
...and hilariously, GitHub rejected the counter-notice because...it didn't have the right kind of contact info?
> ...and hilariously, GitHub rejected the counter-notice because...it didn't have the right kind of contact info?
I noticed that, too.
I'll take "Irony," for $100, Alex...
The notice repo started before they got acquired, and was better back then. It went from "open source almost everything" (which was a half-truth, anyway) to typical BigCo stuff.
>specializing in online porn
Considering the abundance of porn piracy, a company specializing in DMCAing porn sites wouldn't be surprising to have notices ranking in hundreds of thousands.
They've had this before Microsoft had bought them out. I think it's fine the way it's been.
I will note, I do know of one instance where a repository was taken down via false DMCA someone else sent in, though I forgot which one, I knew people who knew the person who sent it in. It was regarding a "Private Game Server" so GitHub probably thought, it's probably easier to comply and move on.
>If you're making a claim of copyright infringement, your name [...] is not "private."
I can release stuff under a pseudonym. I don't see why my real name should be published just because someone else is infringing on my rights.
AFAIK your real name wouldn't be published (unless you wanted it published).
For example where they said:
> it's a DMCA mill, specializing in online porn
DMCA doesn't require copyright owners to give their name or contact info for notices. It just requires an authorized person's information.[1]
So any copyright holder who wants to preserve their anonymity can use a friend, pay one of the many DMCA takedown services online, etc.
Users have to give their real info when counter-claiming though. So it's definitely nice to redact that information, especially when they're innocent and being targeted by fraudulent takedown notices.
[1] https://www.law.cornell.edu/uscode/text/17/512#c_3
[2] https://www.law.cornell.edu/uscode/text/17/512#g_2_C
By filing a DMCA notice, you are engaging in a system that assumes guilt until proven innocent, a system that is regularly abused to take down completely legal content without any kind of trial.
Ideally, such a system shouldn't exist. But if it does, I think it is only fair that people who use it must reveal their identity.
They do reveal their identity to the court, just not to any Joe Shmoe who stole their work, or to any rando who's looking at a Github repo.
There is no court involved in DMCA takedown notices, unless the hosting service fails to comply. That's the problem.
Maybe, you could sue back for a bad faith incorrect takedown notice. But that's really hard to do if you don't even know who sent the takedown request.
You can get a court involved. Or you, the accused, could simply ask Github for the identity of the claimant. Publishing private details of everyone involved on some website, for everyone to see, is not a prerequisite for due legal process.
When you’re filing a legal claim against someone, they get to know who’s accusing them. That’s only fair.
Maybe the person who infringed on my rights can know. In some cases, as long as my right to privacy is guaranteed to be respected. That doesn't mean that the entire world is entitled to know my real name via Github's issue tracker.
The perpetrator remains anonymous while the victim will be doxxed, what a great sense of fairness you have.
I'm in the US. Your idea violates our justice system's notion of transparency, and it's one I agree with wholeheartedly. Things are different sometimes in cases where the charges involve sexual violence and/or minors, where courts have upheld that the potential damage of publicly naming the victims was worse than the potential damage of not allowing the defendant to publicly counter the accusations. See for example: https://www.gdnlaw.com/blog/internet-law/anonymous-lawsuit-t...
So in the US, at least, if you're going to sue someone over IP violations, you should plan on your identity being made part of the public record. As a country we're pretty adamant about that. It's a feature, not a bug.
I'm including DMCA notices in things I believe should be -- must be -- transparent. They're legal filings after all, strongly implying that if you don't comply, you're about to be sued. Your proposal would allow, say, Oracle to hide their identity if they were filing a complaint against the Linux kernel so that they could get the benefit of launching a legal salvo without the reputation hit for having done so. I believe that's far more unfair, and more likely, than your scenario.
I'm not in the US, and we do not punish victims by publishing their names for everyone to see while keeping the perpetrator unnamed. Our system is much better than yours, we still have a basic notion of privacy and victim protection.
Curiously, Github seems to understand that.
So don't use an American git host then. Find one in a legal jurisdiction that better suits you.
More like: hope your code doesn't get illegally uploaded to GitHub.
No need. Github is already doing the right thing by protecting the victims by not publicly doxxing them by default, because that would be insane. Sucks for you guys I guess.
> I'm not in the US
But DMCA is a US law.
And Github does not seem to be violating DMCA when they redact the claimant's real name for good reasons. So all is well, I guess?
You can request the data from the courts, or whatever. It's not Github's job.
I am happy that you're happy with your system. Conversely, I hate the idea that someone could publicly accuse me of something and I couldn't give a similarly public reply. I would say that our system is much better than yours, you can't defame someone and hide behind legal motions because we still have a basic notion of the rights of the accused.
If a takedown notice is sent, maybe it is because someone's rights are being infringed, or maybe someone is just trying to censor something they don't like, or falsely claim authorship. You seem to be assuming that the fact that the notice was sent means that the sender is definitely a victim and the owner of the repository is definitely the perpetrator. Not always.
The notice and takedown part of DMCA was a reasonable attempt to address a real problem. The main flaw seems to be that bogus takedown notices are never prosecuted, so there's a lot of abuse.
You keep using the words "perpetrator" and "victim" as if it's a given that a person filing a DMCA is always doing so truthfully against an actually-violating project.
I don't have as much faith in the system as you, apparently.
Sometimes the DMCA'd person is the victim, and the complainant is the perpetrator. What is your response to those situations?
My response remains the same: There's no need to publish the victim's name on a website for the whole world to see.
I think the privacy-preserving solution here is to hash the names. That way patterns and abuse can be studied without revealing the identities. Sure, with enough submissions someone can narrow down the identity but it's a good compromise I think.
If you submit often enough that people can determine who you are from the hash, you're probably big enough that you don't really need privacy.
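The name-hashing idea from the two comments above, as an added example (not code from the thread or from GitHub): an unkeyed hash of a name can be matched by anyone who hashes a list of guessed names, while an HMAC under a key held by the ledger operator still lets repeat filers be counted. The sample notices, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from collections import Counter

# Constructed sample ledger: (notice id, submitter name as typed on the notice).
NOTICES = [
    ("n-001", "Example Takedown Services LLC"),
    ("n-002", "example takedown services llc "),
    ("n-003", "Jane Q. Developer"),
    ("n-004", "EXAMPLE  TAKEDOWN SERVICES LLC"),
]
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key stays with the operator

def normalize(name):
    """Fold Unicode form, case and whitespace so one filer maps to one token."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def plain_token(name):
    """Unkeyed SHA-256 of the name: anyone can recompute it from a guess."""
    return hashlib.sha256(normalize(name).encode("utf-8")).hexdigest()

def keyed_token(name, key=DEMO_KEY):
    """HMAC-SHA256 of the name under a key only the ledger operator holds."""
    return hmac.new(key, normalize(name).encode("utf-8"), hashlib.sha256).hexdigest()

def repeat_filers(notices, tokenize, threshold=2):
    """Count notices per token and keep tokens seen at least `threshold` times."""
    counts = Counter(tokenize(name) for _, name in notices)
    return {tok: n for tok, n in counts.items() if n >= threshold}

def reidentify(published, candidates, tokenize):
    """Check which published tokens match a list of guessed names."""
    guesses = {tokenize(c): c for c in candidates}
    return {tok: guesses[tok] for tok in published if tok in guesses}

if __name__ == "__main__":
    guesses = ["Jane Q. Developer", "Example Takedown Services LLC"]
    outsider = lambda n: keyed_token(n, key=b"not-the-operator-key")
    for label, tokenize, guess_fn in (("plain", plain_token, plain_token),
                                      ("keyed", keyed_token, outsider)):
        published = [tokenize(name) for _, name in NOTICES]
        print(label, "repeat filers:", list(repeat_filers(NOTICES, tokenize).values()))
        print(label, "names recovered by an outsider:",
              sorted(reidentify(published, guesses, guess_fn).values()))
```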
Microsoft is hyper afraid of "PII". When they ported a bunch of blogs (including Raymond Chen's) to a new platform, they did not bring the comments along because GDPR would have required them to associate accounts on the old platform with those on the new, to comply with the deletion requirement.
Fascinating. Would be interesting to clone and look at some of the patterns here.