Policy - page 4

2016 Transparency Report

Since 2014, we’ve posted transparency reports so everyone can see what keeps us busy on GitHub’s Legal and Support Teams. We hope you enjoy this year’s!

Similar to years past, we have continued to receive two main types of legal requests:

  1. Disclosures, requests to disclose user information, which include:
    • Subpoenas, court orders, and search warrants
    • National security orders
  2. Takedowns, requests to remove or block user content, which include:
    • Government takedown requests
    • DMCA takedown notices

Due to the nature of many of the disclosure requests, such as national security orders, we are prevented from sharing a lot of data about them. However, we can tell you quite a bit about takedowns. For instance, you can see exactly what we’re asked to take down because we publish all DMCA notices and government takedown requests that we process at the time we process them. That allows our users and the public to see why content is being removed.

For DMCA takedown notices, you can also see how many counter notices we process. The number of DMCA notices we’ve received and processed has risen dramatically in the past few years. We went from 258 takedown notices processed in 2014 to 505 in 2015 and 757 in 2016. Though the number of counter notices processed increased from 17 to 62 in the first two years, that number actually decreased to 20 in 2016. We thought that was interesting and wanted to highlight it for everyone. Below, we’ll get into a little more detail about DMCA notices and other requests we receive.

Disclosure requests for user data

In general: subpoenas, court orders, and search warrants

As you may have noticed in our guidelines for legal requests of user data, we require a subpoena for certain kinds of user information, like a name, an email address, or an IP address associated with an account, and a court order or warrant for all other kinds of user information, like user access logs or the contents of a private repository. A subpoena is a legal process that does not require review by a judge or magistrate. By contrast, a warrant or court order does require judicial review. These requests may be part of a criminal investigation or a civil dispute and may come from law enforcement, a government agency, or litigants in a civil trial.

Because some legal processes are part of ongoing criminal investigations, we may receive, along with them, a court order that forbids us from giving notice to the targeted account holder. Even when we do not receive that kind of order, there are often significant privacy concerns involved with these disputes. Therefore, we do not publish subpoenas or other legal requests for user information.

Requests received: subpoenas, court orders, and search warrants

In 2016, we received 34 requests for user data. Unlike in years past, we received both warrants and court orders in 2016. These 34 requests include every request we received for user data, regardless of whether we disclosed information or not. Not all of these came from law enforcement; some of these may have come from other government agencies, from civil litigants wanting information about another party, or from foreign government agencies through the Department of Justice via a mutual legal assistance treaty or similar form of cooperation. Twenty-six of these requests for user data came from federal grand jury subpoenas that can be seen below. The chart below shows the breakdown by percentage of the different types and sources of requests we received.

Chart - Types of Requests for User Data

In 2016, we noticed a significant increase in requests for user data from 2015, when we received 12 requests.

Gag orders

In addition, we have seen an increase in the number of non-disclosure orders (also known as gag orders) attached to these requests that prevent us from notifying our users about them, almost quadrupling from seven to 27 in 2016. The chart below shows the total number of gag orders received in 2014, 2015, and 2016.

User Notifications of Legal Requests

We did not disclose user information in response to every request we received. In some cases, this is because the request was not specific enough, and when we asked for clarification, the requesting party withdrew the request. In some cases, we received very broad requests, and we were able to limit the scope of the information we provided.

Requests Where Information Was Disclosed

National security orders

We are very limited in what we can say about national security letters and Foreign Intelligence Surveillance Act (FISA) orders. The US Department of Justice has issued guidelines that only allow us to report information about these types of requests in ranges of 250, starting with zero. The chart below shows the relevant ranges for national security orders received and affected accounts.

National Security Orders

Takedown requests

Government takedown requests

Although fairly limited, GitHub continued to see requests from foreign governments to block content. When we receive requests like this, we provide transparency in at least two ways: we notify the affected account holder before removing the content, and we post the notice publicly, to our government takedowns repository. In 2016, we received five takedown requests from Russia and one takedown request from China.

DMCA takedown requests

The most significant number of requests we receive for content removal are notices submitted under the Digital Millennium Copyright Act, or the DMCA. The DMCA provides a method by which copyright holders may request GitHub to take down content they believe is infringing. The user who posted the content can then send a counter notice to dispute the claim. Each time we receive a complete DMCA takedown notice, we redact any personal information and post it to a public DMCA repository. To learn more about our DMCA process, please take a look at our DMCA Takedown Policy.

DMCA takedown notices received

In 2016, we received a significant increase in takedown notices, but took down less content than we did in 2015. This is likely because of an anomalous singular notice which resulted in 5,564 projects being removed in 2015.

Below are the total number of complete notices that we received and processed in 2016. In the case of takedown notices, this is the number of separate notices where we took down content or asked our users to remove content. To learn more about the differences between takedown notices, counter notices, and notices of legal action filed, please check out our DMCA Takedown Policy.

DMCA Takedown Totals

In 2016, we processed something new called a “reversal.” A “reversal” occurs when we become aware of new information, following a DMCA notice, that shows the original DMCA was invalid at the time of submission. The result of a reversal is the restoration of any content that was disabled as a result of the faulty DMCA notice.

By month, the notices, counter notices, retractions, and reversals we processed look like this:

DMCA Takedown Totals by Month

Incomplete DMCA takedown notices received

From time to time, we do receive incomplete or insufficient notices regarding copyright infringement. Because these notices don’t result in us taking down content, we don’t currently keep track of how many incomplete notices we receive, or how often our users are able to work out their issues without sending a takedown notice.

Projects affected by DMCA takedown requests

Often, a single takedown notice can encompass more than one project. So, we looked at the total number of projects, such as repositories, Gists, and Pages sites, that we had taken down due to DMCA takedown requests in 2016. By month, the projects we took down, and the projects that remained down after we processed retractions and counter notices, looked like this:

DMCA Projects Taken Down and Remaining Down by Month

In contrast with 2015, there were no large spikes of projects taken down in 2016.

Increasing volume

With the benefit of having tabulated DMCA data for the past few years, we can now look at the trend. As might be expected, the volume of notices received by GitHub has been increasing. Of course, the GitHub community has also been growing. When we overlay the number of DMCA notices with the approximate number of registered users over the same period of time, we can see that the growth in DMCA notices is commensurate with the growth of the community.

Increase in DMCA Takedown Notices

Please note, the number of registered users noted above has been approximated to the nearest million registered users at the end of each calendar year.


We want to be as transparent as possible to help you understand how legal requests may affect your projects. We hope that each year we put out a transparency report, we’ll be able to improve it with more thorough analysis and more insight into our processes, so if there’s anything you’d like to see us include in the next year’s report, please let us know.

EU wants to require platforms to filter uploaded content (including code)

$ git push 
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
remote: error: GH013: Your push could infringe someone's copyright.
remote: If you believe this is a false positive (e.g., it's yours, open
remote: source, not copyrightable, subject to exceptions) contact us:
remote: https://github.com/contact
remote: We're sorry for interrupting your work, but automated copyright
remote: filters are mandated by the EU's Article 13.
To github.com/vollmera/atom.git
 ! [remote rejected] patch-1 -> patch-1 (push declined due to article 13 filters)

The EU is considering a copyright proposal that would require code-sharing platforms to monitor all content that users upload for potential copyright infringement (see the EU Commission’s proposed Article 13 of the Copyright Directive). The proposal is aimed at music and videos on streaming platforms, based on a theory of a “value gap” between the profits those platforms make from uploaded works and what copyright holders of some uploaded works receive. However, the way it’s written captures many other types of content, including code.

We’d like to make sure developers in the EU who understand that automated filtering of code would make software less reliable and more expensive—and can explain this to EU policymakers—participate in the conversation.

Why you should care about upload filters

Upload filters (“censorship machines”) are one of the most controversial elements of the copyright proposal, raising a number of concerns, including:

  • Privacy: Upload filters are a form of surveillance, effectively a “general monitoring obligation” prohibited by EU law
  • Free speech: Requiring platforms to monitor content contradicts intermediary liability protections in EU law and creates incentives to remove content
  • Ineffectiveness: Content detection tools are flawed (generate false positives, don’t fit all kinds of content) and overly burdensome, especially for small and medium-sized businesses that might not be able to afford them or the resulting litigation

Upload filters are especially concerning for software developers given that:

  • Software developers create copyrightable works—their code—and those who choose an open source license want to allow that code to be shared
  • False positives (and negatives) are especially likely for software code because code often has many contributors and layers, often with different licensing for different components
  • Requiring code-hosting platforms to scan and automatically remove content could drastically impact software developers when their dependencies are removed due to false positives

The EU Parliament continues to introduce new proposals for Article 13 but these issues remain. MEP Julia Reda explains further in a recent proposal from Parliament.

EU policymakers want and need to hear from developers

As part of our ongoing collaboration with others affected, GitHub will help represent developers at an upcoming breakfast in Parliament on Tuesday, March 20, intended to show the human impact of this copyright proposal.

EU policymakers have told us it would be very useful to hear directly from more developers. In particular, developers at European companies can make a significant impact.

How to reach EU policymakers

  1. Write to EU policymakers (MEPs, Council Members, or Commissioners) and ask them to exclude “software repositories” from Article 13. Please explain how important the ability to freely share code is for software developers and how important open source software is to the software industry and the EU economy

  2. Explain this :point_up: in person to EU policymakers

GitHub can help connect you with policymakers, provide additional background, or chat if you might be interested in representing software developers in defending your ability to share code and not have your builds break. Get in touch!

One more vote for net neutrality and beyond

Join us in the fight for net neutrality

The tech industry and internet users collectively made a ruckus, but the U.S. Federal Communications Commission (FCC) still voted to repeal net neutrality regulations. The FCC published its order in the Federal Register on February 22. That means the U.S. Congress now has 60 legislative days to reverse the FCC’s order, starting in the Senate. 50 of 100 Senators have committed to protecting net neutrality. We need your help once again to flip one vote in the Senate and to keep pressure on the House.

If you’re in the U.S., contact your representatives.

Why? As we wrote in December, it’s important:

Net neutrality gives developers the freedom to build and ship software without being potentially blocked, throttled, or tolled by internet service providers. The result has been vast opportunity for developers. It’s crucial that public policy support expands the opportunity to participate in the software revolution. Undermining net neutrality at a time of concern about consolidation and inequality is precisely the wrong move—directly harmful to developers’ ability to launch new products and eroding trust that the internet is a force for innovation and opportunity.

Not in the U.S.? American net neutrality regulations still matter. An end to them could limit your access to U.S. users and could give policymakers in your country cover to limit net neutrality for you—so help us spread the word. Let your U.S.-based collaborators know why they should act. You can also learn more about and get involved in internet policy in your country. If net neutrality isn’t a live issue where you are, it’s certain that other issues pertinent to protecting and expanding access to the open internet are, including:

  • Policies shown to drive down the cost of internet access such as streamlining infrastructure deployment and sharing, innovative use of spectrum, and effective management of access subsidies
  • Investment in network research and resilience
  • Policies impacting internet openness above physical infrastructure such as copyright and privacy

Of course these all are active issues in the U.S., too. If we sustain net neutrality regulation, getting other open internet policies right will still be necessary. If we fail, these adjacent, pro-competitive, policies will become even more important.

Right now, we still have a chance to sustain net neutrality regulation in the U.S. Let’s make the most of it.

Contact your representatives

Africa, Nigeria, and their growing tech communities

Growing tech communities across Africa will continue to push the continent’s digital revolution forward while powering societal and cultural changes, and a key part of moving this digital revolution forward is increased internet and mobile access across the continent.

In the last decade, mobile access, favorable tech policies, and improved infrastructure and education earned Kenya and South Africa reputations as startup havens. Now, we can add Nigeria—the continent’s largest economy—to the list as its young, growing population and entrepreneurial spirit attract tech investments.

We recently partnered with Ingressive—a Lagos-based tech integration firm with reach across Nigeria, Kenya, Ghana, and South Africa’s tech ecosystems—to explore Lagos’s growing tech sector.

Here’s what we learned.

Nigeria’s youth will play a key role in its technology revolution.

Similar to the rest of the continent, Nigeria has a young population and growing workforce to fuel its technological revolution. Half of the country’s 182 million people are under 30 years old—and the youth population is growing fast.

Nigeria’s young people are enterprising, with 82 percent of them viewing entrepreneurship as a good career. In cities like Lagos and Ibadan, their excitement for software development and tech is clear from packed meetups on the ground.

Developers and entrepreneurs in Nigeria and across Africa are creating a range of projects and contributing to others on GitHub. Check out Tanzanian developer Geofrey Ernest’s utron, a lightweight framework for building fast, scalable and robust database-driven web applications, and Nigerian user interface designer and front-end developer Ire Aderinokun who builds and contributes to tools that make web applications accessible and compatible across devices and web browsers.

While young people in Nigeria are eager to join the tech sector, they also need training. To build their skills, they’re seeking support from a growing number of developer community meetups, conferences, and tech hubs. As of 2016, Nigeria was home to 23 tech hubs—and we should expect to see even more in response to growing demand.

Startups are leading Nigeria’s tech sector growth.

Nigerian startups have grown across industries—including financial technology (fintech), job training, agriculture, travel, and ecommerce—and entrepreneurs are creating products and services that address the challenges of their country’s developing infrastructure. For example, although Nigeria still relies heavily on cash, fintech companies are streamlining banking, payments, and money transfers to help more Nigerians bank digitally and take advantage of the country’s advancing banking system.

Startups like Flutterwave, Paystack, and Paga are a few examples of companies leading the way. From 2015 to 2017, African fintech startups, with the inclusion of Flutterwave and Paystack, raised more than $100 million combined. Flutterwave, a startup that has raised $10 million in funding, and Paystack, the first Nigerian startup accepted into Y Combinator, are not the only Nigerian-centric startups getting attention from foreign investors. Andela, a developer training school that trains African developers for engineering jobs across the globe, has raised $81 million to date and $24 million in 2016 alone from the Chan Zuckerberg Initiative—the organization’s first-ever investment. This investment interest is spreading across other African tech ecosystems and reached a record high of about $195 million this year.

The growing attention and investment in Nigerian and African startups will continue to support local tech communities, but government policies are needed to continue their growth.

Tech-friendly policies will support growing investments and partnerships.

Through increased investments and partnerships, Nigerian tech communities can transform the country’s economy and impact others far beyond its borders. The Nigerian government’s support and implementation of tech-friendly policies will be critical in making sure the sector keeps growing.

Government officials know they’ll have a key role to play in the success of Nigerian tech. In a recent keynote for Harvard Business School’s “Africa Rising” course (the program’s first of its kind and yet another indicator of growing interest), Nigeria’s Vice President Yemi Osinbajo noted that “Africa Rising” is also about improving standards of governance, among other factors.

The Nigerian government sees technology as crucial to the continent’s future. Pro-innovation lawmakers can help guide key policy issues like broadband access, free expression, privacy, security, and more.

Bringing it all together

While no one country can represent an entire continent, Nigeria indicates that growing tech communities will be supported by continued investment, partnerships, and policies built specifically for tech ecosystems across Africa.

To learn more about how Nigerians and Africans are building tools and using open source technology, check out this Made in Nigeria compilation along with our Made in Africa collection.

GitHub joins amicus brief to protect sanctuary cities

Yesterday we filed an amicus brief alongside a group of other technology companies supporting San Francisco’s and Santa Clara County’s efforts to permanently block Executive Order 13768, which seeks to deprive sanctuary cities of federal funding. Sanctuary cities are jurisdictions that restrict local cooperation with federal immigration enforcement.

Why this matters

Nearly all U.S. technology hubs are in sanctuary cities. Sanctuary ordinances help local officials provide a safe environment for all residents, uphold human rights, and are one of a set of inclusive institutions that unlock increased wages across all income levels for both immigrants and non-immigrants in response to increased diversity.

Our amicus brief contributes three basic arguments from a technology and emerging company perspective:

  1. The order will encourage behavior that’s antithetical to the values of innovative companies and their communities
  2. The order threatens nearly every major U.S. innovation hub’s ability to provide basic services
  3. The order makes U.S. cities less safe

In other words, the order threatens many things that make Silicon Valley and other U.S. technology hubs attractive to the world’s best innovators and entrepreneurs, and undermines our ability to remain globally competitive.

The order is also bad for software developers worldwide, resulting in a net reduction of opportunity to collaborate and create great software—core parts of GitHub’s mission. We support inclusive communities on our platform, but developers live in communities on the ground. We think it’s critical to foster collaboration, empathy, and innovation among all people, regardless of where they may be. Technology’s challenges are increasingly global and interconnected, and so our solutions must be as well.

How to get involved

Join us by supporting organizations that are fighting for inclusive communities like the ACLU.

To learn about human rights and their connection to developer opportunities, take a look at our our brief and the studies linked above—and keep building inclusive communities, both online and wherever you live.



GitHub Universe logo

GitHub Universe

October 16-17 in San Francisco
Get tickets today

Discover new ways to build better

Try Marketplace apps free for 14 days

Learn more