Today is Veterans Day here in the United States, or Remembrance Day in many places around the world, when we recognize those who have served in the military. Today many businesses will offer veterans a cup of coffee or a meal, but one organization goes further.
You might have watched ex-Army Captain David Molina speak at CodeConf LA or GitHub Universe about Operation Code, a nonprofit he founded in 2014 after he couldn’t use the benefits of the G.I. Bill to pay for code school. Operation Code lowers the barrier to entry into software development and helps military personnel in the United States better their economic outcomes as they transition to civilian life. They leverage open source communities to provide accessible online mentorship, education, and networking opportunities.
The organization is also deeply invested in facilitating policy changes that will allow veterans to use their G.I. Bill benefits at coding schools and boot camps, speeding up their re-entry to the workforce. Next week Captain Molina will testify in Congress as to the need for these updates. The video below explains more about their work.
Although Operation Code currently focuses on the United States, they hope to develop a model that can be replicated throughout the world.
Operation Code is working to address a problem that transcends politics. Here’s a look into the reality U.S. veterans face:
Building software should be safe for everyone. The GitHub community is made up of millions of developers around the world, ranging from the new developer who created their first “Hello World” project to the most well-known software developers in the world. We want the GitHub community to be a welcoming environment where people feel empowered to share their opinion and aren’t silenced by fear or shouted down.
Beginning today, we will be accepting feedback on proposed GitHub Community Guidelines. By outlining what we expect to see within our community, we hope to help you understand how best to collaborate on GitHub and what type of actions or content may violate our Terms of Service. The policy consists of four parts:
As always, we will continue to investigate any abuse reports and may moderate public content on our site that we determine to be in violation of our Terms of Service. To be clear, GitHub does not actively seek out content to moderate. Instead, we rely on community members like you to communicate expectations, moderate projects, and report abusive behavior or content.
Additionally, we are releasing the guidelines under the Creative Commons Zero License in hopes of encouraging other platforms to establish similar norms to govern their respective communities.
These guidelines are first and foremost community guidelines and we’d like to hear your thoughts on them before they’re finalized. Please get in touch with us with any feedback or questions prior to November 20th, 2016. Together, we can make the open source community a healthy, inclusive place we can all be proud of.
When you check your GitHub account today, you’ll see an announcement letting you know that we’ve updated our Privacy Statement. Check it out!
Before we get into what’s new, rest assured that your information is still safe and sound. We have not made any substantive changes to the way we handle your information. For example, we still . . .
The new Privacy Statement clarifies quite a few things about how GitHub uses data, and how we permit third parties to use your information. For example, the new Privacy Statement describes how people such as researchers or archivists can use your public information on GitHub.com, and it explains that third parties using public information must respect our users’ choices. The new Privacy Statement now also includes a statement regarding tracking—we don’t track your web browsing off our site, and we don’t let third parties track you on GitHub.
With this updated Privacy Statement, we’ve also applied for certification with the new EU–US Privacy Shield Framework. Privacy Shield is an agreement between the US Department of Commerce and the European Commission that provides companies in both the United States and the European Union a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. We expect to receive our certification shortly, and we currently comply with the Privacy Shield Principles to protect all our users’ information.
Although the Privacy Shield is only directed to users in the European Union, GitHub is committed to protecting all our users equally, regardless of where you live. So we are extending Privacy Shield’s benefits to all our users, including access to a free independent arbitration provider for privacy disputes.
Last year, we wrote up our 2014 Transparency Report, the first report of its kind we’ve been able to do. It’s important to continue to update our community on the kinds of legal requests we receive and respond to, so we’re happy to be able to offer our 2015 Transparency Report to follow up.
The kinds of legal requests we received in 2015 were very similar to the requests we received in 2014. As in 2014, we received subpoenas but no court orders or warrants, and the number of subpoenas we received did not increase significantly. However, the number of gag orders we received nearly doubled in 2015. On a happier note, the number of removal requests we received from foreign governments went down notably: we only received one takedown request from a foreign government in 2015. Other takedown statistics are not as rosy. The number of DMCA takedown notices we received in 2015 nearly doubled, and we processed more than 3.5 times the number of retractions and counter notices we processed in 2014. Many of these notices were either mass removals or notices sent by a few organizations that frequently asked us to take down content. In all, fewer than twenty notice senders asked us to remove more than 90% of the repositories we took down under the DMCA in 2015.
This 2015 report details the types of requests we receive for user accounts, user content, information about our users, and other such information, and how we process those requests. Transparency and trust are essential to GitHub and to the open source community, and giving you access to information about these requests can protect you, protect us, and help you feel safe as you work on GitHub.
We notify our users before sending their information to a third party in response to a legal request, whenever possible. We also provide clear, thorough guidelines to law enforcement that describe how to request information about our users, and what legal process we require to obtain certain user information. We provide these guidelines both for the protection and education of our users and for the benefit of law enforcement.
This report will discuss the two main categories of legal requests we receive:
As you may have noticed in our guidelines to law enforcement, we require a subpoena for certain kinds of user information, like a name, an email address, or an IP address associated with an account, and a court order or warrant for all other kinds of user information, like access logs or the contents of a private repository. A subpoena is a legal process that does not require review by a judge or magistrate. By contrast, a warrant or court order does require judicial review. These requests may be part of a criminal investigation or a civil dispute, and may come from law enforcement, a government agency, or litigants in a civil trial.
Because some legal processes are part of ongoing criminal investigations, we may receive, along with them, a court order that forbids us from giving notice to the targeted account holder. Even when we do not receive that kind of order, there are often significant privacy concerns involved with these disputes. Therefore, we do not publish subpoenas or other legal requests for user information.
In 2015, we received twelve subpoenas for user data. This includes every request we received for user data, regardless of whether we disclosed information or not. Not all of these came from law enforcement; some of these may have come from civil litigants wanting information about another party.
We did not disclose user information in response to every request we received. In some cases, this is because the request was not specific enough, and when we asked for clarification, the requesting party withdrew the subpoena. In some cases, we received very broad requests, and we were able to limit the scope of the information we provided.
This is not a significant increase from 2014, when we received ten requests for user information. However, we have seen an increase in the number of orders preventing us from notifying our users about legal requests, nearly doubling from four to seven in 2015.
As in 2014, we did not receive any warrants or court orders.
As noted above, many of the requests we receive pertain to criminal investigations. We may also receive subpoenas from individuals involved in civil litigation or arbitration. We may also receive requests from foreign government agencies through the Department of Justice, via a mutual legal assistance treaty or similar form of cooperation. The following chart shows the sources of the subpoenas we received in 2015 (note that some federal agencies may have issued subpoenas through a grand jury):
We are not allowed to say much about this last category of legal disclosure requests, including national security letters from law enforcement and orders from the Foreign Intelligence Surveillance Court. If one of these requests comes with a gag order—and they usually do—that not only prevents us from talking about the specifics of the request, but even the existence of the request itself. The courts are currently reviewing the constitutionality of these prior restraints on free speech, and GitHub supports the efforts to increase transparency in this area. Until such time, we are not even allowed to say if we’ve received zero of these reports—we can only report information about these types of requests in broad ranges:
In 2014, for the first time, we started seeing requests from foreign governments to remove content. These requests continued in 2015, but as in 2014, they were very uncommon and limited to one particular country.
When we receive requests like this, we provide transparency in at least two ways: we notify the affected account holder before removing the content, and we post the notice publicly, to our government takedowns repository. In 2015, we only received one takedown request from a foreign government.
In 2015, other than that takedown request, we did not block content at the request of any foreign government. Because of our commitment to transparency, if we agree to block content under similar circumstances in the future, we intend to follow the same protocol—providing notice to affected account holders and posting the requests publicly.
The most significant number of requests we receive for removal of content are notices submitted under the Digital Millennium Copyright Act, or the DMCA. The DMCA provides a process by which a copyright holder can request that GitHub take down content the holder believes is infringing, and the user who posted the content can send a counter notice disputing the claim. Each time we receive a complete DMCA takedown notice, we redact any personal information and post it to a public DMCA repository.
In 2015, we received significantly more takedown notices, and took down significantly more content, than we did in 2014. Here is the total number of complete notices that we received and processed in 2015. In the case of takedown notices, this is the number of separate notices where we took down content or asked our users to remove content:
By contrast, in 2014, we received 258 notices, and only received 17 counter notices or retractions. In late 2014, we changed the way we processed DMCA takedown requests for forked repositories, so our comparison of the number of projects affected by takedown notices in 2014 to the number affected in 2015 is not exact. However, even a rough estimation based on the number of notices we received shows a remarkable increase.
By month, the notices we received, and the counter notices or retractions we received, look like this:
From time to time, we do receive incomplete or insufficient notices regarding copyright infringement. Because these notices don’t result in us taking down content, we don’t currently keep track of how many incomplete notices we receive, or how often our users are able to work out their issues without sending a takedown notice.
Often, a single takedown notice can encompass more than one project. We wanted to look at the total number of projects, such as repositories, Gists, and Pages sites, that we had taken down due to DMCA takedown requests in 2015. By month, the projects we took down, and the projects that remained down after we processed retractions and counter notices, look like this:
That large spike in September had us wanting to look more closely. What happened there?
Usually, the DMCA reports we receive are from people or organizations reporting a single potentially infringing repository. However, every now and then we receive a single notice asking us to take down many repositories. We classified “Mass Removals” as any takedown notice asking us to remove content from more than one hundred repositories, counting each fork separately, in a single takedown notice.
If we look at the same graph as above, of the projects we took down, and the projects that remained down after we processed retractions and counter notices, but exclude all incidents of Mass Removals, the graph looks very different:
The activity over the year normalizes significantly when we don’t consider those anomalous mass removals.
In contrast to the Mass Removals, which are notices that contain many removal requests in one notice, we also noticed that some notice senders spread out their notices: they may send many over time. In some cases, this may be because they maintain projects that are frequently infringed, or in others, it may be because it takes several notices over time to take down all the forks of an infringing repository. For the purposes of our measurements, a “Frequent Noticer” is one notice sender who sends more than four DMCA takedown notices over the course of a year. In one case, a Frequent Noticer also sent us several Mass Removals.
Looking at our takedown notices over the year in this light gives us a lot of information. For example, while 83% of our 505 DMCA takedown notices came in from individuals and organizations sending requests to take down small numbers of repositories, the remaining 17% of notices accounted for the overwhelming majority of the content we actually removed. In all, fewer than twenty individual notice senders requested removal of over 90% of the content GitHub took down in 2015.
We can’t draw any conclusions about what this means for GitHub or our users. Additionally, because we did not expect to be doing this kind of analysis on our data this year, there may be some inconsistencies in the data we compiled; we hope to be correcting those as we go forward. We do make all the notices we receive publicly available at https://github.com/github/dmca and you can also view the data we compiled to create this report in our DMCA repository.
We want to be as open as possible to help you understand how legal requests may affect your projects. We hope that each year we put out a transparency report, we’ll be able to improve it with more thorough analysis and more insight into our processes, so if there’s anything you’d like to see us include in next year’s report, please let us know.
In May, we shared a report which measures our progress in the necessary work of diversifying our workforce. As we stated then, “we must create a company where anyone, regardless of what they look like or where they come from, can grow and thrive.” For GitHub to be the best version of itself, a diverse workforce is an imperative.
In the ongoing effort to make good on that promise, GitHub is joining our peers in the tech industry in signing the Tech Inclusion Pledge—an effort spearheaded by President Obama to “take action to make the technology workforce at each of our companies fully representative of the American people, as soon as possible.”
By signing this pledge, we are committing to:
As an industry, we will only be able to build products that change the world when we have more of the world at the table, engaged in their creation. We encourage our friends in tech to join in on this important pledge.