Like most online services, GitHub occasionally receives legal requests relating to user accounts and content, such as subpoenas or takedown notices. You may wonder how often we receive such requests or how we respond to them, and how they could potentially impact your projects. Transparency and trust are essential to GitHub and the open-source community, and we want to do more than just tell you how we respond to legal notices. In that spirit, here is our first transparency report on the user-related legal requests we received in 2014.
We receive two categories of legal requests:
We occasionally receive legal papers, such as subpoenas, that require us to disclose non-public information about account holders or projects. Typically these requests come from law enforcement agencies, but they may also come from civil litigants or government agencies. You can see our Guidelines for Legal Requests of User Data to learn more about how we respond to these requests.
Since many of these requests involve ongoing criminal investigations, there are heightened privacy concerns around disclosing the requests themselves. Further, they may often be accompanied by a court order that actually forbids us from giving notice to the targeted account holder.
In light of these concerns, we do not publish subpoenas or other legal requests to disclose private information. Nonetheless, in the interest of transparency, we’d like to provide as much information about these requests as we can.
In the data below, we have counted every official request we have received seeking disclosure of user data, regardless of whether we disclosed the information or not.
There are several reasons why information may not be disclosed in response to a legal request. It may be that we do not have the requested data. It may be that the request was too vague such that we could not identify the data, or that it was otherwise defective. Sometimes the requesting party may simply withdraw the request. Other times, the requesting party may revise and submit another one. In cases where one request was replaced with a second, revised request, we would count that as two separate requests received. However, if we responded only to the revision, we would count that only as having responded to one request.
It is also our policy to provide notice to affected account holders whenever possible; however, as noted previously, we are often forbidden by law from providing notice to the account holder. The following chart shows the breakdown of how frequently we are actually allowed to provide notice to the affected account holders.
Some requests may seek information about more than one account. Of the ten information disclosure requests we received in 2014, only forty total accounts were affected. For comparison, forty accounts is only 0.0005% of the 8 million active accounts on GitHub as of December 2014.
In 2014, we only received a handful of subpoenas. We did not receive any court orders or search warrants requiring us to disclose user data:
To help understand the difference between the numbers above:
As noted above, many of the requests we receive are related to criminal investigations. We may also receive subpoenas from individuals involved in civil litigation or government agencies, such as the Federal Trade Commission, conducting a civil investigation. The following pie charts show the breakdown of the different types of requests we received in 2014.
There is another category of legal disclosure requests that we are not allowed to say much about. These include national security letters from law enforcement and orders from the Foreign Intelligence Surveillance Court. If one of these requests comes with a gag order—and they usually do—that not only prevents us from talking about the specifics of the request, but even the existence of the request itself. The courts are currently reviewing the constitutionality of these prior restraints on free speech, and GitHub supports the efforts to increase transparency in this area. Until such time, we are not even allowed to say if we’ve received zero of these reports—we can only report information about these types of requests in broad ranges:
In 2014, we started receiving a new kind of takedown request—requests from foreign governments to remove content. We evaluate such requests on a case-by-case basis; however, where content is deemed illegal under local laws, we may comply with such a request by blocking the content in that specific region.
Whenever we agree to comply with these requests, we are committed to providing transparency in at least two ways: by giving notice to the affected account holders, and also by posting the notices publicly. This is the approach we took, for example, when we were contacted last year by Roskomnadzor, the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media. We reached out to each of the account holders to let them know we had received the request and, when we eventually blocked access to the content in Russia, we posted the notices to a public repository. Since that repository is public, anyone can view the notices to see what content was blocked. Here are the high-level numbers of content blocked in Russia:
To date, other than the Roskomnadzor notices, we have not blocked content at the request of any other foreign government. And because we are committed to transparency, if we agree to block content under similar circumstances in the future, we intend to follow the same protocol—providing notice to affected account holders and posting the requests publicly.
Many of the takedown requests we receive are notices submitted under the Digital Millenium Copyright Act, alleging that user content is infringing someone’s copyright. Each time we receive a complete DMCA takedown notice, we redact any personal information and post it to a public repository.
Here are the total number of complete notices that we received and processed in 2014. In the case of takedown notices, this is the number of separate notices where we disabled content or asked our users to remove content:
From time to time, we receive incomplete notices regarding copyright infringement. When we do, we ask the submitting party to revise it to comply with the legal requirements. Usually they will respond with a revised notice, but occasionally, they may resolve the issue on their own without resubmitting a revised notice. We don’t currently keep track of how many incomplete notices we receive, or how often folks are able to work out their issues without sending a takedown notice.
We also tabulated the total number of projects (e.g., repositories, Gists, Pages sites) affected by each notice. Here is a graph showing the total number of affected projects by month:
Note, however, that on October 16, 2014 we made a change to our DMCA Policy that impacted that number. Before the policy change we would have counted each reported link to a repository as a single affected repository, even though it would have actually affected the whole network of forks. After the policy change, however, since we require the notices to specify whether any forks are infringing, the “affected” number should more accurately reflect the actual number of repositories implicated by the takedown notice. Though it is too early to properly gauge the effect of this change, we noticed that the average number of repositories listed on a takedown notice increased from 2.7 (for the period of Jan 1 - Oct 15) to 3.2 (for the period from Oct 15 to Dec 31). The median number of affected projects remained the same for both periods: 1.0.
We want to be as open as possible to help you understand how legal requests may affect your projects. So we will be releasing similar transparency reports each year. If you have any questions, suggestions, or other feedback, please contact us.