Enlarge / A sign featuring the YouTube logo, outside the YouTube Space studios in London on June 4, 2019. (credit: Olly Curtis | Future | Getty Images )

GitHub has reversed its decision to boot YouTube-dl, a popular tool for archiving YouTube videos, from its platform. The company restored repositories this week after "additional information" convinced it that an archiving tool is not in and of itself a copyright violation—no matter what the music industry says.

The repositories in question got shut down in late October, before coming back yesterday. "We share developers' frustration with this takedown—especially since this project has many legitimate purposes," GitHub explained in a corporate blog post . "Our actions were driven by processes required to comply with laws like the DMCA that put platforms like GitHub and developers in a difficult spot. And our reinstatement, based on new information that showed the project was not circumventing a technical protection measure (TPM), was inline with our values of putting developers first."

The initial takedown occurred after the Recording Industry Association of America filed a claim with Microsoft-owned GitHub arguing that the code in those repositories was inherently illegal under US copyright law. At a high level, the law in question basically makes it illegal to crack or bypass DRM in any way, except for a handful of enumerated exemptions .

Read 10 remaining paragraphs | Comments

With more ways to stream online video than ever before, protecting video continues to be a key issue for copyright holders.

This is often achieved through Digital Rights Management, which is often referred to by the initials DRM. In a nutshell, DRM is an anti-piracy tool that dictates when and where digital content can be accessed.

Google is an important player in this area. The company owns the Widevine DRM technology which is used by many of the largest streaming services including Amazon, Netflix and Disney+. As such, keeping it secure is vital.

Widevine DRM

Widevine DRM comes in different levels. The L1 variant is the most secure, followed by L2 and L3. While the latter still protects content from being easily downloaded, it’s certainly not impossible to bypass, as pirates have repeatedly shown.

Despite its vulnerabilities, Google doesn’t want to make it too easy for the public at large. This became apparent a few hours ago when the company asked the developer platform GitHub to remove dozens of “Widevine L3 Decryptor” repositories.

The code, originally published by security researcher Tomer Hadad, is a proof-of-concept code Chrome extension that shows how easy it is to bypass the low-security DRM. Google was aware of this vulnerability and previously informed Krebs Security that it would address the issue.

Google Targets Widevine L3 Decryptor Code

One option would be to patch the security flaw but, for now, Google appears to be focusing on the takedown route. In a DMCA notice sent to GitHub, the company requests the immediate takedown of dozens of “Widevine L3 Decryptor” copies.

“The following git repository [sic] contain circumvention technology that enables users to illegally access video and audio works protected by copyright,” Google writes .

“This Chrome extension demonstrates how it’s possible to bypass Widevine DRM by hijacking calls to the browser’s Encrypted Media Extensions (EME) and decrypting all Widevine content keys transferred – effectively turning it into a clearkey DRM,” Google adds.

Google sees the code, which was explicitly published for educational purposes only, as a circumvention tool. As such, it allegedly violates section 1201 of the DMCA, an allegation that was also made against the youtube-dl code last month.

The takedown notice includes a long list of repositories that were all made unavailable by GitHub. This doesn’t cover the original code from Tomer Hadad, who already removed his version in late October, citing “ legal reasons .”

Google views this vulnerability as a serious matter and the company says that it has also filed a Sensitive Data takedown request to prevent the Widevine’s ‘secret’ private key from being publicly shared.

Sensitive Data Request

“In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.”

That last mention is interesting as private keys, which are simply a string of characters, are not seen as copyrighted or private content by everyone.

“If you distribute your key with the software, then whatever form it is in, I would not consider it “private” at all,” a commenter on Hacker News points out.

Googling the AACS Key

This ‘key controversy’ is reminiscent of an issue that was widely debated thirteen years ago. At the time, a hacker leaked the AACS cryptographic key “09 F9” online which prompted the MPAA and AACS LA to issue DMCA takedown requests to sites where it surfaced.

This escalated into a censorship debate when sites started removing articles that referenced the leak, triggering a massive backlash.

At the time, the controversial AACS key was still readily available through Google’s search engine. In that regard very little has changed. Despite Google’s sensitive data takedown request, the Widevine RSA key is easy to find through its own search engine.

From: TF , for the latest news on copyright battles, piracy and more.

With 40 million users and over 100 million code repositories, GitHub is the largest online developer platform of its kind.

The site is used by individual coders and large organizations to host visually any piece of code imaginable. In addition, GitHub pages can also be used as a hosting service for websites.

While most projects are perfectly legitimate, there are some that attract negative attention. Every week, GitHub receives dozens of takedown notices from copyright holders who claim that their content is published or linked to without permission.

These complaints are often about copied code, but every now and then projects are accused of providing access to copyright-infringing content as well. This is what happened to the Android app “King Club X” which was hosted on GitHub .

King Club is a typical pirate app that scrapes third-party sources for movies and TV-shows, which are then made available to users through an intuitive interface. The app is not available in the official Google Play store but can be installed directly through the APK package.

MPA Targets King Club X

By advertising itself as the “best app to watch unlimited movies & tv-shows for free,” King Club attracted the attention of the MPA, which represents the major Hollywood studios and Netflix. The organization sees the app as a blatant pirate tool and asked GitHub to take action .

“King Club X – your customer – blatantly infringes the MPA Member Studios’ copyrights and countless other copyrights. Indeed, copyright infringement is so prevalent on King Club X that infringement plainly is its predominant use and purpose,” the MPA’s complaint reads.

“By this notification, we are asking for your immediate assistance in stopping your customer’s unauthorized activity. Specifically, we request that you cease providing all supporting services to King Club X, by removing or disabling access to the infringing Website and removing the APK.”

GitHub Takes Action

This notice had the desired effect as the site, which was hosted through GitHub pages, now returns a 404 error. In addition, the linked APK file is gone as well.

The swift removal is a small victory for the MPA and its members. However, these types of apps are very common and often reappear elsewhere, using a different host or a different name. For example, King Club X was previously advertised as Cerebrix TV, which was hosted on GitHub as well.

In addition, the app’s developer also has the option to have the content restored by filing a DMCA counter-notice. This is what a popular Popcorn Time fork did a few weeks ago when the MPA targeted its repository , after which GitHub restored the project .

From: TF , for the latest news on copyright battles, piracy and more.