youtube-dl DMCA'd by the RIAA - RIAA and MPAA are on a mass takedown spree

  • 🐕 I am attempting to get the site runnning as fast as possible. If you are experiencing slow page load times, please report it.
It'd be more like using a handheld video camera to record a HDCP-encrypted movie. Maybe you want to play the movie on your Raspberry Pi media center, but you're circumventing a technological measure. They don't want you to do that.
There is no actual encryption that youtube-dl circumvents. The RIAA is full of shit.
EFF letter said:
youtube-dl works the same way as a browser when it encounters the signature mechanism: it reads and interprets the JavaScript program sent by YouTube, derives the “signature” value, and sends that value back to YouTube to initiate the video stream. youtube-dl contains no password, key, or other secret knowledge that is required to access YouTube videos. It simply uses the same mechanism that YouTube presents to each and every user who views a video.
 
So far as I remember (although I have not been ardently keeping up on it and may have missed something), the anti-circumvention part of the DMCA hasn't been litigated very much. It would seem there would have to be such an exception, or fair use could more or less be eliminated just by even the most trivial "copy protection" scheme. The closest the statutory language gets is stating: "(1)Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title." There are other exceptions applying to librarians although the statutory language is incoherent.
Yeah, my understanding was that it hasn't been litigated very much at all. And yes... it would effectively nullify fair use. And yeah, the law actually does say that fair use is still a thing, but how reassuring is that when it's never really been tested in court and you'd be up against some high-paid lawyers saying that it's not.

It seems that everyone's much more comfy living with "quite possibly completely illegal (if you get caught)" rather than taking it to court and possibly losing.
There is no actual encryption that youtube-dl circumvents. The RIAA is full of shit.
It doesn't have to be encryption. It just has to be "a technological measure that ... in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work."
 
  • Thunk-Provoking
Reactions: ScatmansWorld
It doesn't have to be encryption. It just has to be "a technological measure that ... in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work."

More from the EFF lawyer said:
youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them. As federal appeals court recently ruled, one does not “circumvent” an access control by using a publicly available password. Digital Drilling Data Systems, L.L.C. v. Petrolink Services, 965 F.3d 365, 372 (5th Cir. 2020). Circumvention is limited to actions that “descramble, decrypt, avoid, bypass, remove, deactivate or impair a technological measure,” without the authority of the copyright owner. “What is missing from this statutory definition is any reference to ‘use’ of a technological measure without the authority of the copyright owner.” Egilman v. Keller & Heckman, LLP., 401 F. Supp. 2d 105, 113 (D.D.C. 2005). Because youtube-dl simply uses the “signature” code provided by YouTube in the same manner as any browser, rather than bypassing or avoiding it, it does not circumvent, and any alleged lack of authorization from YouTube or the RIAA is irrelevant.
 
There are two different arguments going on here though.

CDNs are mostly stateless so they can't authorise users and what you generally do is create a timed signature and the user then uses that to access the content. If you set the time too low (e.g. 1s) it causes problems where it times out before the user can connect so you have to set the signature to expire in say >10s which gives them time to share it. This is less true these days as CDN edge locations are more advanced but 5-10+ years ago this is how it was always done.

The EFF's argument seems to stem more from the fact that you don't need to pay or even login to generate a signature, not that the signature isn't a form of protection.

However, I do have to login to watch age gated videos in the browser so how does youtube-dl get round that?
 
Last edited:
Microsoft actually did something right for once, color me shocked. If only they could extend this to their software.
I imagine being backed by Microsoft also helped the situation. Scary stance to take if they were still flying solo.
Are people really naive enough to think Microsoft is the one who stood up to the RIAA? That Microsoft would ever take a moral stance over a financial one?
No, this springs from the remaining good in the github project. Microsoft only just acquired them. Give them another three years and some corporate restructuring and they'll be fully assimilated, the people there distanced from the effects of their work, willing to follow orders without care or say in the effects of it. Or worse, they'll be convinced they're obeying for the greater good, and the people remaining at the top will be cult leaders who feed in to that. I don't like sounding like a doomer, but git real. The incentives surrounding multinationals guarantees they are not your friend.
 
Last edited:
@garakfan69:

That's certainly the argument from one side of the fight, and the RIAA's lawyers would argue the opposite. They would argue that YouTube's video player includes technological measures that are designed to allow time-based access to the video streams. Sure, it might give access to anyone who wants to view it now, but when the raw video file is downloaded, it no longer includes those technological measures. They've been removed, and so has YouTube's ability (under the authority of the copyright owner) to control when you can watch it.

It'll be interesting to see how it plays out.
I do have to login to watch age gated videos in the browser so how does youtube-dl get round that?
If I remember correctly, replacing watch?v= with embed/ in the video URL will bypass YouTube's age verification. The only time it doesn't work is when the video also has embedding disabled. But even then I'm pretty sure all of the checks are client-side.
 
It seems that everyone's much more comfy living with "quite possibly completely illegal (if you get caught)" rather than taking it to court and possibly losing.
This cuts both ways. I don't think the RIAA really wants it clarified either because they can continue to use the ambiguity to raise this threat. I don't think they were particularly pleased with the outcomes in the DeCSS cases.
 
GitHub's blog entry on it
https://github.blog/2020-11-16-standing-up-for-developers-youtube-dl-is-back/ / https://archive.vn/aU9kB

November 16, 2020
Standing up for developers: youtube-dl is back
Abby Vollmer

Today we reinstated youtube-dl, a popular project on GitHub, after we received additional information about the project that enabled us to reverse a Digital Millennium Copyright Act (DMCA) takedown.
At GitHub, our priority is supporting open source and the developer community. And so we share developers’ frustration with this takedown—especially since this project has many legitimate purposes. Our actions were driven by processes required to comply with laws like the DMCA that put platforms like GitHub and developers in a difficult spot. And our reinstatement, based on new information that showed the project was not circumventing a technical protection measure (TPM), was inline with our values of putting developers first. We know developers want to understand what happened here, and want to know how GitHub will stand up for developers and refine our processes on these issues.
In this post, we provide answers to common questions about the DMCA and why GitHub handled this case the way we did, describe why circumvention claims deserve special treatment, and share how we’re updating our policies and fighting to improve the law.

Why did GitHub process this takedown in the first place?​

As a platform, we must comply with laws—even ones that we don’t think are fair for developers. As we’ve seen, this can lead to situations where GitHub is required to remove code—even if it has a multitude of non-infringing uses—if it is in fact designed to circumvent a TPM. But this is exceedingly rare.
Less than two percent of the DMCA takedowns we process are based on circumvention claims, and of those two percent, this was a particularly unusual case.
DMCA takedown claims based on circumvention are a growing, industry-wide issue for developers with far-reaching implications. We’ll get into this in more detail, but first, here’s some quick background.

Circumvention claims under the DMCA​

Most takedown notices we receive allege copyright infringement—that someone used their copyrighted work (often software code) in a way that infringes their rights. But as many people noticed, the youtube-dl takedown notice fell into a more unusual category: anticircumvention—an allegation that the code was designed to circumvent technical measures that control access or copying of copyrighted material, in violation of Section 1201 of the DMCA.
Section 1201 dates back to the late 1990s and did not anticipate the various implications it has for software use today. As a result, Section 1201 makes it illegal to use or distribute technology (including source code) that bypasses technical measures that control access or copying of copyrighted works, even if that technology can be used in a way that would not be copyright infringement. Circumvention was the core claim in the youtube-dl takedown.

GitHub’s developer-focused approach to the DMCA​

GitHub handles DMCA claims to maximize protections for developers, and we designed our DMCA Takedown Policy with developers in mind. Nearly every platform with user-generated content accepts and processes DMCA takedown notices to comply with the law. For GitHub, many of those notices come from developers wanting us to enforce the terms of their open source licenses, for example, when someone is using their code without the proper attribution required by the open source license they adopted. Here are ways our approach protects developers:
  • Given the cost to developers of an unwarranted takedown of code, we ensure we have a complete notice before we take action. We distinguish between code that merely can be used in an infringing way and code that is preconfigured to be used a certain way. We also recognize that code can provide access to copyrighted content without violating the law (for example, fair use). In some cases we can keep a project up because the content identified in the takedown notice is not in fact infringing or circumventing a TPM that controls access or copying of copyrighted works.
  • Our process sets a higher bar for 1201 claims than the infringement claims we typically get. We require complainants to provide additional information specific to circumvention, and to describe the technical measures and how the project is designed to circumvent them, for us to consider a notice complete. Below we explain how we’re further strengthening our process.
  • Whenever we process takedowns, we notify all the affected repository owners about the takedown and give them options to dispute it. We allow the repository owner to make changes to address the allegations in the notice and in many cases, we can keep projects up because they do.
  • We are transparent with the developer community about DMCA takedown notices. Every time we process a DMCA takedown notice or counter notice, we publish the text to our DMCA repository, dated on the date we process it (as opposed to when we receive it), so that anyone can see the notice and the basis for our action.
These are all steps we currently take to help developers, which go beyond our legal obligations and typical industry practice while still meeting the requirements of the DMCA.

youtube-dl​

As we explained, the key claim in the youtube-dl takedown is circumvention. Although we did initially take the project down, we understand that just because code can be used to access copyrighted works doesn’t mean it can’t also be used to access works in non-infringing ways. We also understood that this project’s code has many legitimate purposes, including changing playback speeds for accessibility, preserving evidence in the fight for human rights, aiding journalists in fact-checking, and downloading Creative Commons-licensed or public domain videos. When we see it is possible to modify a project to remove allegedly infringing content, we give the owners a chance to fix problems before we take content down. If not, they can always respond to the notification disabling the repository and offer to make changes, or file a counter notice.
That’s what happened in this case. First, we were able to reinstate a fork of youtube-dl after one of the fork owners applied a patch with changes in response to the notice.
Then, after we received new information that showed the youtube-dl project does not in fact violate the DMCA‘s anticircumvention prohibitions, we concluded that the allegations did not establish a violation of the law. In addition, the maintainer submitted a patch to the project addressing the allegations of infringement based on unit tests referencing copyrighted videos. Based on all of this, we reinstated the youtube-dl project and will be providing options for reinstatement to all of its forks.

What we’re changing​

Going forward, we are overhauling our 1201 claim review process to ensure that the following steps are completed before any takedown claim is processed:
  1. Every single credible 1201 takedown claim will be reviewed by technical experts, including when appropriate independent specialists retained by GitHub, to ensure that the project actually circumvents a technical protection measure as described in the claim.
  2. The claim will also be carefully scrutinized by legal experts to ensure that unwarranted claims or claims that extend beyond the boundaries of the DMCA are rejected.
  3. In the case where the claim is ambiguous, we will err on the side of the developer, and leave up the repository unless there is clear evidence of illegal circumvention.
  4. In the event that the claim is found to be complete, legal, and technically legitimate by our experts, we will contact the repository owner and give them a chance to respond to the claim or make changes to the repo to avoid a takedown. If they don’t respond, we will attempt to contact the repository owner again before taking any further steps.
  5. Only once these steps have been completed will a repository be taken down.
  6. After a repository is taken down due to what appears to be a valid and legitimate 1201 claim, we will continue to reach out to the repository owner if they have not already responded to us, in order to provide them the opportunity to address the claim and restore the repository.
  7. Even after a repository has been taken down due to what appears to be a valid claim, we will ensure that repository owners can export their issues and PRs and other repository data that do not contain the alleged circumvention code, where legally possible.
  8. We will staff our Trust and Safety frontline team to respond to developer tickets in such cases as a top priority, so that we can ensure that claims are resolved quickly and repositories are promptly reinstated once claims have been resolved.
All of this will be done at our own cost and at no cost to the developers who use GitHub. We believe this represents the gold standard in developer-first 1201 claims handling. Like we do with all of our site policies, we will document and open source this process so that other companies that host code or packages can build on it as well. And we will continue to refine and improve this process as our experience with these types of cases inevitably grows.

Developer defense fund​

Developers who are personally affected by a takedown notice or other legal claim rely on non-profits like the Software Freedom Law center and the Electronic Frontier Foundation (EFF) to provide them with legal advice and support in the event that they face an IP claim, under the DMCA or otherwise. These organizations provide critical legal support to developers who would otherwise be on their own, facing off against giant corporations or consortia.
Nonetheless, developers who want to push back against unwarranted takedowns may face the risk of taking on personal liability and legal defense costs. To help them, GitHub will establish and donate $1M to a developer defense fund to help protect open source developers on GitHub from unwarranted DMCA Section 1201 takedown claims. We will immediately begin working with other members of the community to set up this fund and take other measures to collectively protect developers and safeguard developer collaboration.
If you want to support developers facing legal challenges, you can consider supporting SFLC and EFF yourself as well.

How we’re working to improve the law​

No matter what we do to protect developer rights, we still must work within the boundaries of the law. And the DMCA’s current boundaries are hurting developers. One way to address the problems with the DMCA is to work to improve the law itself—and to prevent even worse laws from being enacted around the world. We were successful in a multi-year effort to stop the EU copyright directive from mandating upload filters for software development, and we’re taking lessons from that fight to the US as broader DMCA reform begins to be discussed.
We are also advocating specifically on the anti-circumvention provisions of the DMCA to promote developers’ freedom to build socially beneficial tools like youtube-dl. Right now, the U.S. Copyright Office is conducting its eighth triennial review process of exceptions to the anti-circumvention provisions of Section 1201. We will be saying more about that soon, but if you believe, like we do, that the DMCA is overly restrictive in its anti-circumvention provisions and want to change that, you can contact the Copyright Office directly too.
We will have more to say about how you can join the fight to make copyright law more developer-friendly soon–stay tuned.
Feels good to be wrong sometimes. The sun shall set well today!
 
Sure, it might give access to anyone who wants to view it now, but when the raw video file is downloaded, it no longer includes those technological measures. They've been removed, and so has YouTube's ability (under the authority of the copyright owner) to control when you can watch it.
And how is that different from recording something from radio or tv?
If a browser is a radio tuner, then youtube-dl is a just radio tuner with integrated tape deck - it doesn't do anything different than the browser to access videos on YouTube, no special tricks, no secret knowledge.
 
And how is that different from recording something from radio or tv?
1605650422900.png
 
I just hope Github wins honestly, I hope RIAA swan dives into a volcano.
GitHub isn't involved beyond this little PR move. If the RIAA goes further it will be the EFF handling things. Surprised that they actually got behind a legitimate legal matter for once, to be honest.
 
I'm surprised the EFF have this much pull.
It's more like they're choosing their battles carefully on high profile stuff that already has massive normie ball of outrage, so as to appear EFFective (please kill me), and keep the donation shekels coming in. Whenever this shit goes on with stuff that actually matters - such as reverse engineered Instagram API, they'll never touch it. EFF is very strategic so as to not chimp against certain actors, as they've a symbiotic relationship for virtue-signalling from the likes of Zuck. It's a mirror of feel-good liberalism you see IRL, with pervasive tokenism for the sake of optics, never touching the big icky, leaving it morally bankrupt. Still, better than nothing I guess.
 
Whenever this shit goes on with stuff that actually matters - such as reverse engineered Instagram API, they'll never touch it.
Wow- that's really something
Instagram/Facebook lawyers said:
Mgp25’s Instagram-API also permits other types of access to, and collection of, Instagram’s users’ copyrighted works in manners that exceed the scope of access and functionality that would be permitted by a user with a legitimate, authorized Instagram account.
"We have shit security, help us GitHub please"
 
"We have shit security, help us GitHub please"
The point is to avoid nightmare scenario of ICQ/MSN yore - the moment you allow people to write custom clients, you become an open platform, significantly affecting your bottomline as people are no longer held hostage to put up with your bullshit. Facebook and Google is especially notorious for this, with their APIs being deliberately obfuscated way past point it needs to be, and draconian TOS enforcement. The likes of Discord or Telegram ain't saints either, but those guys are still in the "don't be evil" mode pretending to be greatest ally (until you dig too deep) before the switch.
 
The point is to avoid nightmare scenario of ICQ/MSN yore - the moment you allow people to write custom clients, you become an open platform, significantly affecting your bottomline as people are no longer held hostage to put up with your bullshit. Facebook and Google is especially notorious for this, with their APIs being deliberately obfuscated way past point it needs to be, and draconian TOS enforcement. The likes of Discord or Telegram ain't saints either, but those guys are still in the "don't be evil" mode pretending to be greatest ally (until you dig too deep) before the switch.
Oh, I agree, but utilizing the anti-circumvention nonsense to attack people for, effectively, just documenting their stupid private API?

This seems like a huge reach that would have been a great test case for the EFF, if they weren't just tools of Silicon Valley faggotry.

It's one thing for RIAA to defend the copyrights of their member corporations, but FB/Instagram users retain their copyrights (though the TOS say that you assign a license to rape you for eternity to Zuckerberg). The Zuckerfag lawyers don't even cite any real 'victims' in their bullshit attack on the guy who did the Instagram API.
 
Back