2017 Transparency Report

At GitHub, we believe that maintaining transparency is an essential part of our commitment to our users. For the past three years we’ve published transparency reports to better inform the public about GitHub’s disclosure of user information and removal of content.

GitHub promotes transparency by:

  • Directly engaging our users in developing our policies
  • Explaining our reasons for making different policy decisions
  • Notifying users when we need to restrict content, with our reasons
  • Allowing users to appeal removal of their content
  • Publicly posting takedown requests (requests to remove content) in real time in a public repository

We hope our transparency report will interest GitHub users and contribute to broader discourse on platform governance. If you’re unfamiliar with GitHub terminology, please refer to the GitHub Glossary.

In this report, we fill you in on 2017 stats for:

  • Requests to disclose user information
    • Subpoenas
    • Court orders
    • Search warrants
    • National security orders
  • Requests to remove or block user content
    • Government takedown requests
    • Takedown notices for alleged copyright infringement under the U.S. Digital Millennium Copyright Act (DMCA)

New in 2017 are:

  • Cross-border data requests
  • Accounts and projects affected by government takedown requests

Requests

Requests to disclose user information

GitHub’s Guidelines for Legal Requests of User Data explain how we handle legally authorized requests, including law enforcement requests, subpoenas, court orders, search warrants, and national security orders.

A subpoena (a written order to compel someone to testify on a particular subject) does not require review by a judge or magistrate. By contrast, a search warrant or court order does require judicial review.

As we note in our guidelines:

  • We only release information to third parties when the appropriate legal requirements have been satisfied
  • We require a subpoena to disclose certain kinds of user information, like a name, an email address, or an IP address associated with an account
  • We require a court order or search warrant for all other kinds of user information, like user access logs or the contents of a private repository
  • We will notify affected users about any requests for their account information, unless prohibited from doing so by law or court order

In 2017, GitHub received 51 legal requests to disclose user information, including 42 subpoenas (30 criminal and 12 civil), three court orders, and six search warrants. These include every request we received for user information, regardless of whether we disclosed information or not. Not all of these came from law enforcement; one came from a U.S. government agency, and 12 came from civil litigants requesting information about another party. We also received two cross-border data requests, as described in the next section. Of the 51 requests received, we produced information 43 times.

[Chart: legal requests for user information, 2017]

Cross-border data requests

Governments outside the U.S. can make cross-border data requests for user information through the U.S. Department of Justice via a mutual legal assistance treaty (MLAT) or similar form of cooperation. Of the 51 requests for legal information described above, GitHub received two requests (one court order and one search warrant) from the U.S. Department of Justice on behalf of non-U.S. government agencies through the MLAT process.

Note that legislative developments could lead to increased cross-border data requests and a need for more oversight.

Non-disclosure orders (gag orders)

In many cases, legal requests are accompanied by a non-disclosure order, commonly referred to as a gag order: a court order that prevents us from notifying users about the request. In 2017, of the 43 requests for which we produced information, we did so without being able to notify users 35 times. This represents a considerable increase from last year and continues a rising trend, up from 27 non-disclosure orders in 2016, seven in 2015, and four in 2014.

[Chart: user notifications for legal requests, 2017]

We did not disclose user information in response to every request we received. In some cases, the request was not specific enough, and the requesting party withdrew the request after we asked for some clarification. In other cases, we received very broad requests, and we were able to limit the scope of the information we provided.

[Chart: disclosure of user information, 2017]

National security orders

We are very limited in what we can say about national security letters and Foreign Intelligence Surveillance Act (FISA) orders. The U.S. Department of Justice has issued guidelines that only allow us to report information about these types of requests in ranges of 250, starting with zero. As the chart below shows, in 2017 we received 0-249 notices, affecting 0-249 accounts.

[Chart: national security orders, 2017]

Requests to remove or block user content (takedowns)

Below, we describe two main categories of requests we receive to remove or block user content: government takedown requests and DMCA takedown notices.

Government takedowns

From time to time, GitHub receives requests from governments to remove content that they judge to be unlawful in their local jurisdiction (government takedown requests). When we block content at the request of a government, we post the official request that led to the block in a publicly accessible repository. Regarding our process, when we receive a request, we confirm whether:

  • The request came from an official government agency
  • An official sent an actual notice identifying the content
  • An official specified the source of illegality in that country

If we believe the answer is yes to all three, we block the content in the narrowest way we see possible. For instance, we would restrict the removal only to the jurisdictions where the content is illegal. We then post the notice in our government takedowns repository, creating a public record where people can see that a government asked GitHub to take down content.

In 2017, GitHub received eight requests—all from Russia—resulting in eight projects being taken down or blocked (all or part of six repositories, one gist, and one website taken down).

DMCA takedowns

Most content removal requests we receive are submitted under the DMCA, which provides a method by which copyright holders may request GitHub to take down content they believe is infringing. The user who posted the content can then send a counter notice to reinstate content when the alleged infringer states that the takedown was erroneous. Each time we receive a complete DMCA takedown notice, we redact any personal information and post it to a public DMCA repository.

Our DMCA Takedown Policy explains more about the DMCA process, as well as the differences between takedown notices and counter notices. It also sets out the requirements for complete requests, which include that the person submitting the notice take into account fair use.

Takedown notices received and processed

In 2017, GitHub received and processed 1,380 complete DMCA takedown notices and 55 complete counter notices or retractions, for a total of 1,435. In the case of takedown notices, this is the number of separate notices where we took down content or asked our users to remove content.

[Table: DMCA totals, 2017]

The notices, counter notices, retractions, and reversals we processed look like this (by month):

[Chart: DMCA monthly takedowns, counter notices, and retractions, 2017]

Incomplete DMCA takedown notices received

From time to time, we receive incomplete or insufficient notices regarding copyright infringement. Because these notices don’t result in us taking down content, we don’t currently keep track of how many incomplete notices we receive, or how often our users are able to work out their issues without sending a takedown notice.

Projects affected by DMCA takedown requests

Often, a single takedown notice can encompass more than one project. So, we looked at the total number of projects, such as repositories, gists, and Pages sites, that we had taken down due to DMCA takedown requests in 2017. The projects we took down, and the projects that remained down after we processed retractions and counter notices, looked like this (by month):

[Chart: DMCA projects taken down and remaining down, 2017]

Based on DMCA data we’ve compiled over the last few years, we’ve seen an increase in DMCA notices received. This isn’t surprising given that the GitHub community also continues to grow over time. When we overlay the number of DMCA notices with the approximate number of registered users over the same period of time, we can see that the growth in DMCA notices correlates with the growth of the community.

[Chart: increase in DMCA takedowns, 2017]

Conclusion

Transparency reports by internet platforms have served to shine a light on censorship and surveillance. The very first of the genre, Google’s 2010 Report, stated “greater transparency will lead to less censorship.” In 2018, platforms are under far greater pressure to censor than they were then, and transparency reports have the potential to instead show how willing platforms are to cooperate with censors. More thorough transparency can mitigate this risk—particularly if platforms, users, advocates, academics, and others interested in free speech, privacy, law enforcement, and more use the data to engage in shared conversations that acknowledge common goals.

As the beginning of this report reflects, GitHub sees transparency reports as necessary, but not sufficient, for good governance. We look forward to continuing to engage in discussions with those stakeholders, including our users, as we strive to promote transparency on our platform.

We hope you enjoyed this year’s report and encourage you to let us know if you have suggestions for additions to future reports.

Release Radar · April 2018


April showers bring May flowers, and they also bring a lot of exciting releases. Here are a few projects that made an impression in the last month!

Hyper 2.0

Hyper is an HTML, CSS, and JavaScript-based terminal emulator that’s built with Electron. The latest release, Hyper 2, has a new rendering engine (built on xterm.js 3.0) which allows it to better handle streaming output. Other Hyper 2 improvements include a command-line installer for plugins, clickable hyperlinks, and more. See the release announcement for details.

Hyper 2 screenshot

Did you know: Hyper supports a big collection of plugins and themes. Ever wish your terminal was a bit more like BB-8 in a galaxy far, far away? Or maybe you’d rather catch a command line Bulbasaur or Pikachu? Find these and other themes in the new Hyper store.

NetHack 3.6.1

NetHack is a role-playing, terminal-based game packed with procedurally-generated dungeons, monsters, and magic. If that piques your interest, then you might be feeling the call of the Amulet of Yendor. Originally released in 1987 and in ongoing development ever since, the game is celebrating its version 3.6.1 release. The release notes are technically spoilers, so consider yourself warned before you read them.

Hyper 2 screenshot showing NetHack 3.6.1

Did you know: NetHack is one of many roguelike games that trace their gameplay roots back to the 1980 video game, Rogue. We hosted the second annual Roguelike Celebration at GitHub HQ last October. All of the talks were recorded and included a live speedrun of NetHack by Mikko Joula (aka Adeon), who holds the record for fastest real-time ascension.

Flask 1.0

Flask is a small and flexible web framework for Python. Flask’s API has been stable for some time and version 1.0 brings exciting changes. Flask 1.0 improves the flexibility of the command-line interface, fixes a security issue with JSON encodings, adds support for loading environment variables from files, and more. See the announcement for a complete run down.

Did you know: Flask started out as an April Fool’s joke. (Not kidding.)

Nerd Fonts 2.0

Nerd Fonts brings together a bunch of icon sets—like Font Awesome, Devicons, and Material Design Icons—into one collection, and provides the tools to let you make your own. The latest release, version 2.0, adds new documentation translations and several new fonts, including OpenDyslexic and Noto. Read the release notes for details.

Nerd Fonts visualization using SankeyMATIC

Did you know: There are thousands of icons in Nerd Fonts. (How many do you recognize?)

Monica 2.0

Monica is a tool to help people strengthen their relationships by helping them with things like remembering birthdays, gift ideas, and names of relations. Monica 2.0 adds better support for more real-world relationships (like aunts and nieces), options for hiding unwanted features, support for right-to-left languages, and more. See the release announcement for more information.

Screenshot of Monica 2.0

React Styleguidist 7.0

React Styleguidist is a tool that helps your team document React components based on your own code and Markdown-formatted comments. Version 7 adds Webpack 4 support, fixes bugs, and makes Node.js 6 the lowest supported version, among other changes.

Screenshot of React Styleguidist 7.0

Did you know: Lots of people are sharing their React Styleguidist demos in this GitHub issue.

Hackathon Starter 5.0

The appropriately named Hackathon Starter is a boilerplate for getting up and running with a Node.js and Express application. It cuts through the process of choosing a language, web framework, and CSS framework; then, it gives you a bunch of examples for authentication and APIs to get hacking quickly. Hackathon Starter 5 upgrades to Node.js 8, switches to ES6 in lots more places, and fixes bugs in API examples. To see more of what’s changed in this release, take a look at the release notes.

PlayCanvas 1.0

PlayCanvas is a visual development platform for building games and interactive web content. Both the tools and the web apps you build are powered by HTML5. The platform is entirely web hosted; you can access your work from any device that runs one of the supported web browsers. See the release announcement for more details.

PlayCanvas 1.0 screenshot showing the Titanfall 2 Experience

Did you know: Mozilla used PlayCanvas to create the interactive WebGL2 After the Flood demo, allowing viewers to take a walk through the fantastical environment of water, glass, and steel running entirely in the browser.

Chainer 4.0

Chainer is a neural network framework for Python, and it recently reached version 4.0. Version 4 improves performance with support for iDeep acceleration on Intel CPUs, adds better techniques for lower precision training, and reorganizes the documentation. Check out the release announcement for the project and its hardware acceleration companion, CuPy.

Handsontable 2.0

Handsontable is a JavaScript component for spreadsheets that can plug into popular frameworks like Angular and Vue. It’s been six years since the last time Handsontable had a major-version release! In version 2.0, they’re adopting Semantic Versioning to make way for combining their Pro and Community Edition codebases. Plus they’ve made a lot of bug fixes. See the release announcement for a full list of changes.

Screenshot of Handsontable

Did you know: Handsontable—or more accurately, their users—make a great argument for the adoption of open source tools. Check out these interesting case studies from teams that are using Handsontable.

Redux 4.0

Redux is a state container for JavaScript that helps developers write predictable, testable applications in different environments. Redux’s 4.0 release introduces a bunch of under-the-hood improvements, tons of documentation updates, and new bindings for TypeScript 2. Scope out the release notes for details.

Honorable mentions

It’s hard to cherry-pick from all the amazing releases each month, but there’s no way open-source giants are flying under our radar. The new MySQL 8 brings a broad range of changes. Node.js 10 unveils binary interface stability, modernized cryptography, and much more, while npm coordinated their npm 6 release to deliver security and performance improvements. Check them out!

These are just a handful of releases that were shipped last month—keep them coming! If you’ve got a release that should be on our radar, send us a note.

Introducing the Checks API, a better way to connect integrations and code

GitHub partners with Microsoft, Travis CI, and CircleCI using the Checks API

Over 600,000 repositories received statuses in January 2018 alone—more than a 50 percent increase from last year—and now statuses will provide you with more information than ever. Today we’re introducing the public beta release of the Checks API, a better way to get feedback from integrations on your code. The Checks API allows you to build sophisticated tools for continuous integration (CI), linting, and acceptance testing on GitHub. This new functionality currently works with the GitHub REST API, with GraphQL support coming soon.

What’s new

Instead of pass/fail build statuses, your integrations can now report richer results, annotate code with detailed information, and kick off reruns—all within the GitHub user interface.

a screenshot of the Checks user interface

Build outputs are now accessible with the new “Checks” tab on pull requests. Inline annotations are simple to find, too. They’ll appear right alongside the relevant code in the pull request, so you can identify and address failing checks even faster.

Learn more about the Checks API

Over the last several weeks, we’ve worked closely with partners on fine-tuning the Checks experience—and we’re excited to share several apps already using the API.

Microsoft Visual Studio App Center and Outlook integration

Microsoft maintains hundreds of open source projects on GitHub, including Visual Studio Code, which had the most community participants among any project last year, and TypeScript, one of the fastest growing languages in 2017. Now we’re partnering with Microsoft to integrate Azure’s DevOps services with GitHub, starting with Azure’s Mobile CI service. GitHub will detect mobile projects and suggest developers set up mobile CI using any one of our providers, including App Center.

With App Center installed, you can automate builds on every commit, test apps on real devices in the cloud, and monitor usage with crash and analytics data. And because the App Center integration uses the Checks API, mobile developers will be able to see the results directly within GitHub’s interface.

Screenshot of App Center integration

To provide you with simple, streamlined experiences for tools you already use, we’re also integrating GitHub with Microsoft Outlook using Adaptive Cards. Over the next several weeks, Outlook users will be able to comment on issues from their inbox—and soon after, be able to merge pull requests, too.

Screenshot of Outlook integration

Travis CI integration

As a leading provider of hosted CI, Travis CI has been helping build and test open source and private projects for more than seven years. Travis CI recently adopted GitHub Apps and now includes Checks as a way for your team to share the results of your project’s branch and pull request builds. View your build’s stages, jobs, and results, including the config associated with them to get a complete picture of the health of your projects directly from GitHub. You can also rerun builds from within the GitHub Checks UI.

Learn more about Travis CI integration with the Checks API

CircleCI integration

Speed up your test and development cycle without extra maintenance. Follow your GitHub project from CircleCI, and set up your first build in no time thanks to CircleCI’s automatically generated build and test steps and simple extensibility. Checks API compatibility with CircleCI is on the way.

Today’s announcement is just the start. We’ll continue shipping new ways for you to make the most of GitHub and build useful, powerful tools that work seamlessly with our platform. With easy access to an open ecosystem of applications, you can create fast and flexible workflows that help you focus on what matters most.

Introducing the GitHub Changelog

Today we’re introducing the GitHub Changelog–a chronological list of user-facing changes, large and small, made to the GitHub platform.

We regularly ship incremental improvements to make your GitHub experience even better. The changelog will supplement major release announcements on the GitHub Blog, encompassing smaller ships and enhancements you might not hear about otherwise. These include new features, security updates, deprecations, improvements, and more. Each entry will provide a short description of changes and direct you to additional resources, like documentation or blog posts.

Subscribe to the changelog or follow the official GitHub Changelog Twitter account to hear about updates as they happen.

GitHub open sources its Statement Against Modern Slavery and Child Labor

As part of our work to open source policies for other companies to adapt and use, and in accordance with the UK Modern Slavery Act, we’ve included our Statement Against Modern Slavery and Child Labor in the latest round of updates to our Site Policy repository.

While modern slavery (slavery, forced or compulsory labor, trafficking, servitude, and workers who are imprisoned, indentured, or bonded) and child labor are not typically associated with software, businesses in all industries are increasingly recognizing that there are possibilities for these abuses to occur in their own labor force or through their sourcing practices.

We have no reason to believe modern slavery or child labor is occurring in our business or supply chain, and we have outlined our policies and due diligence processes to help ensure it won’t happen in the future. Given the abhorrent nature of modern slavery and child labor, prohibiting these atrocities in our business and supply chain is a logical and important commitment for GitHub to make.

While publishing a statement is a requirement for certain businesses under UK law, our statement goes beyond the requirements of that law by holding our suppliers to our statement too. Our statement also highlights our partnership with the FairHotel Program, through which we encourage GitHub employees to choose hotels where workers are paid fair wages, receive adequate benefits, and have a voice on the job. To ensure our commitment to preventing modern slavery and child labor in our business and supply chain, we’ll publish a new statement annually, building on our previous statements.

GitHub is excited to participate in this year’s RightsCon on May 16-18, where we will discuss this statement and other human rights-oriented aspects of our work. Look for us there!
