Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DMCA policy updates #395

Open
wants to merge 3 commits into
base: main
from
Open

DMCA policy updates #395

wants to merge 3 commits into from

Conversation

@vollmera
Copy link
Contributor

@vollmera vollmera commented Apr 26, 2021

We're opening this PR to incorporate our review process for takedown notices alleging violation of the DMCA related to circumvention technology into our DMCA takedown policies. Note, these changes are not new in practice -- we've been applying this process since announced.

In addition, we are adding an Acceptable Use Policies (AUP) restriction against sharing unauthorized product licensing keys, software for generating unauthorized product licensing keys, or software for bypassing checks for product licensing keys. Related to this, in our DMCA Takedown Policy, we

  • explain that the circumvention technology review process does not apply to content that would otherwise violate our AUP because these types of claims are typically straightforward and do not warrant additional technical and legal review process
  • note that where a claim is not straightforward, for example in the case of jailbreaks, the circumvention technology claim review process would apply.

We'll keep this PR open for 30 days and welcome your feedback. Updates to these policies will go into effect after the 30-day notice and comment period, on May 26, at 5pm US Pacific Time.

vollmera added 3 commits Apr 26, 2021

Please note, our review process for circumvention technology does not apply to content that would otherwise violate our Acceptable Use Policy restrictions against sharing unauthorized product licensing keys, software for generating unauthorized product licensing keys, or software for bypassing checks for product licensing keys. Although these types of claims may also violate the DMCA provisions on circumvention technology, these are typically straightforward and do not warrant additional technical and legal review. Nonetheless, where a claim is not straightforward, for example in the case of jailbreaks, the circumvention technology claim review process would apply.

As part of our commitment to developers’ rights, when GitHub processes a DMCA takedown under our circumvention technology claim review process, we will offer access to legal providers for the repository owners, to help protect open source developers on GitHub.

This comment has been minimized.

@KOLANICH

KOLANICH Apr 29, 2021

This sentence is unclear and needs reformulation.

@sickcodes
Copy link

@sickcodes sickcodes commented Apr 30, 2021

This is extremely broad and should be policed by the vendor the not @github.

Do not merge.

The term "jailbreaking" is usually associated with Apple products only and is extremely important for both keeping Apple products secure and the end-users. Most vulnerabilities in Apple are found using jailbroken products.

One such perfect example is the OpenCore bootloader: https://dortania.github.io/OpenCore-Install-Guide/

As a strict good-faith security researcher, who runs a powerful serial number generator for macOS related products that enables researchers to discover flaws in iMessage & Facetime, two critical communication protocols, https://github.com/sickcodes/osx-serial-generator, I have done extensive work in providing access to macOS virtual systems for independent security researchers, and those who can't afford a real mac, but still want to participate in Apple Bug Bounty ($X00,000 bounties).

Apple has very strict requirements: https://developer.apple.com/security-bounty/requirements/ that state,

You are entirely permitted to violate the EULA of Apple products, if you find and report bugs directly to Apple.

In fact, Apple ENCOURAGES you to break the EULA to report bugs to them.

  1. A participant in the Apple Security Bounty program (“ASB Participant”) will not be deemed to be in breach of applicable Apple license provisions which provide that a user of Apple software may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Apple software, for in scope actions performed by that ASB Participant where all of the following are met:

The actions were performed during good-faith security research, which was — or was intended to be — responsibly reported to Apple;
The actions were performed strictly during participation in the Apple Security Bounty program; and
Neither the actions nor the ASB Participants have otherwise violated these policies such as violating legal requirements 1, 2, and 3, above.

Therefore, @github should not be the one to police another company's EULA. A company's EULA is not the law. Moreover, this has nothing to do with DMCA.

In Apple's case, you are given explicit permission that supersedes all other EULAs, so as long as you report the bugs to Apple security team.

Another such cases are WordPress plugins which must be released under the GPLv3+ License, and hence, any such serial number generator is absolutely permitted under the license.

If GitHub feels like becoming the serial number police and hiring a bunch of lawyers to go through each EULA instead of letting the vendor make their own calls, this would limit productivity in security research and ultimately roll-back any current progress that has been made in bridging Developers with Security.

@github should not get involved in policing serial numbers and this should not be merged.

https://sick.codes/is-hackintosh-osx-kvm-or-docker-osx-legal/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants