Skip to content Skip to footer
0 items - $0.00 0
Menu

2021 Transparency Report by todsacerdoti

0CommentsShare Post
2021 Transparency Report by todsacerdoti
News

2021 Transparency Report by todsacerdoti

January 27, 2022
0Comments
Share This Article
Share Post
Newsletter

Sed ut perspiciatis unde.

Subscribe

Send to HN

At GitHub, we put developers first and work hard to provide a safe, open, and inclusive platform for code collaboration. This means we are committed to minimizing the disruption of software projects, protecting developer privacy, taking action on abusive content, and being transparent with developers about content moderation and disclosure of user information. This kind of transparency is vital because of the potential impacts to people’s privacy, access to information, and ability to dispute decisions that affect their content. With that in mind, we’ve published transparency reports going back seven years to inform the developer community about GitHub’s content moderation and disclosure of user information.

A key development in the transparency reporting space was the 2021 update of the Santa Clara Principles on Transparency and Accountability in Content Moderation. GitHub was honored to contribute to the updated principles, and we’ve made significant changes to our reporting forms, clarifications to our policies, and additions to our reporting in several categories as we work to ensure that our transparency reporting continues to reflect the spirit of the Santa Clara Principles. We also continue to follow the guidelines related to promoting transparency and taking the most narrow approach possible when restricting content, set forth in the United Nations report on content moderation.

We promote transparency by:

  • Developing our policies in public by open sourcing them so that our users can provide input and track changes
  • Explaining our reasons for making policy decisions
  • Notifying users when we need to restrict content, along with our reasons, whenever possible
  • Allowing users to appeal removal of their content
  • Publicly posting all Digital Millennium Copyright Act (DMCA) and government takedown requests we process in a public repository in real time, and sending DMCA notices to the Lumen database

We limit content removal, in line with lawful limitations, as much as possible by:

  • Aligning our Acceptable Use Policies with restrictions on free expression, for example, on hate speech, under international human rights law
  • Providing users an opportunity to remediate or remove specific content rather than blocking entire repositories, when we see that is possible
  • Restricting access to content only in those jurisdictions where it is illegal (geoblocking), rather than removing it for all users worldwide
  • Before removing content based on alleged circumvention of copyright controls (under Section 1201 of the US DMCA or similar laws in other countries), we carefully review both the legal and technical claims, and we sponsor a Developer Defense Fund to provide developers with meaningful access to legal resources.

Focus areas for this year’s reporting, including what’s new

In this year’s numbers-based reporting, which includes our January-June 2021 report, GitHub continued to focus on areas of strong interest from developers and the general public, such as requests we receive from governments—whether for information about our users or to take down content posted by our users—and copyright-related takedowns. Copyright-related takedowns (which we often refer to as DMCA takedowns) are particularly relevant to GitHub because so much of our users’ content is software code and can be eligible for copyright protection. That said, only a tiny fraction of content on GitHub is the subject of a DMCA notice (under one in 10 thousand repositories).

This year, we’re increasing transparency by adding reporting on automated detection for some of the most egregious categories of Terms of Service violations: child sexual exploitation and abuse imagery, as well as terrorist and violent extremist content.

Requests to disclose user information

GitHub’s Guidelines for Legal Requests of User Data explain how we handle legally authorized requests, including law enforcement requests, subpoenas, court orders, and search warrants, as well as national security letters and orders.

We follow the law and also require adherence to the highest legal standards for user requests for data. Some kinds of legally authorized requests for user data, typically limited in scope, do not require review by a judge or a magistrate. For example, both subpoenas and national security letters are written orders to compel someone to produce documents or testify on a particular subject, and neither requires judicial review. National security letters are further limited in that they can only be used for matters of national security.

By contrast, search warrants and court orders both require judicial review. A national security order is a type of court order that can be put in place, for example, to produce information or authorize surveillance. National security orders are issued by the Foreign Intelligence Surveillance Court, a specialized US court for national security matters.

As we note in our guidelines:

  • We only release information to third parties when the appropriate legal requirements have been satisfied, or where we believe it’s necessary to comply with our legal requirements or to prevent an emergency involving danger of death or serious physical injury to a person.
  • We require a subpoena to disclose certain kinds of user information, like a name, an email address, or an IP address associated with an account, unless under rare, exigent circumstances. Exigent circumstances refers to cases where we determine that disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person, and we keep disclosure as limited as possible in relation to the emergency.
  • We require a court order or search warrant for all other kinds of user information, like user access logs or the contents of a private repository.
  • We notify all affected users about any requests for their account information, except where we are prohibited from doing so by law or court order.

In 2021, GitHub received and processed 335 requests to disclose user information, as compared to 303 in 2020. Of those 335 requests, 195 were subpoenas (183 criminal and 12 civil), 94 were court orders, and 22 were search warrants. These requests also include six requests made under exigent circumstances, and 18 cross-border data requests, which we’ll share more about later in this report. These numbers represent every request we received for user information, regardless of whether we disclosed information or not, with one exception: we are prohibited from even stating whether or how many national security letters or orders we received. More information on that below. We’ll cover additional information about disclosure and notification in the next sections.

The large majority (96.4%) of these requests came from law enforcement. The remaining 3.6% were civil requests, all of which came from civil litigants wanting information about another party.

Pie chart showing the different types of legal requests for user information processed: criminal subpoena (54.6%; 183 requests), criminal court order (28.1%; 94 requests), criminal search warrant (6.57%; 22 requests), civil subpoena (3.58%; 12 requests), cross-border request (5.37%; 18 requests), and exigent circumstances (1.79%; 6 requests). Green indicates criminal requests, and blue indicates civil requests.

Disclosure and notification

We carefully review all requests to disclose user data to ensure they adhere to our policies and satisfy all appropriate legal requirements, and we push back where they do not. As a result, we didn’t disclose user information in response to every request we received. In some cases, the request was not specific enough, and the requesting party withdrew the request after we asked for clarification. In other cases, we received very broad requests, and we were able to limit the scope of the information we provided.

When we do disclose information, we never share private content data, except in response to a search warrant. Content data includes, for example, content hosted in private repositories. With all other requests, we only share non-content data, which includes basic account information, such as username and email address, metadata (such as information about account usage or permissions), and log data regarding account activity or access history.

Of the 335 requests we received in 2021, we disclosed information in response to 269 of those. We disclosed information in response to 178 subpoenas (170 criminal and 8 civil), 64 court orders, 22 search warrants, and five requests made under exigent circumstances.

Pie chart showing the user information disclosed by different types of legal requests: criminal subpoena (63.2%; 170 requests), criminal court order (23.8%; 64 requests), criminal search warrant (8.18%; 22 requests), civil subpoena (2.97%; 8 requests), and exigent circumstances (1.86%; 5 requests). Green indicates criminal requests, and blue indicates civil requests.

Those 269 disclosures affected 1,671 accounts.

Table showing the number of total requests for disclosure of user information processed (335), accounts affected (1,671), total requests where information was disclosed (269), and percentage of requests where information was disclosed (80.3%).

We notify users when we disclose their information in response to a legal request, unless a law or court order prevents us from doing so. In many cases, legal requests are accompanied by a court order that prevents us from notifying users, commonly referred to as a gag order.

Of the 269 times we disclosed information in 2021, we were only able to notify users nine times. Gag orders prevented us from notifying users in 255 of the other requests. The other five were processed under exigent circumstances, where we delay notification if we determine it is necessary to prevent death or serious harm or due to an ongoing investigation.

Combined bar chart of user notifications of legal request disclosures broken out by notification sent and gag order (no notification sent) over time. The 2021 bar shows 255 gag orders, 9 notifications, and 5 requests where notification is delayed due to exigent circumstances. Note: prior to 2021, we tracked exigent circumstances requests as part of requests where we disclosed but could not notify.

While the number of requests with gag orders continues to be a rising trend as a percentage of overall requests, it correlates with the number of criminal requests we processed. Legal requests in criminal matters often come with a gag order, since law enforcement authorities often assert that notification would interfere with the investigation. On the other hand, civil matters are typically public record, and the target of the legal process is often a party to the litigation, obviating the need for any secrecy. None of the civil requests we processed this year came with a gag order, which means we notified each of the affected users.

In 2021, we continue to see a correlation between civil requests we processed (3.0%) and our ability to notify users (3.3%). Our data from past years also reflects this trend of notification percentages correlating with the percentage of civil requests:

  • 3.3% notified and 3.0% civil requests in 2020
  • 3.7% notified and 3.1% civil requests in 2019
  • 9.1% notified and 11.6% civil requests in 2018
  • 18.6% notified and 23.5% civil requests in 2017
  • 20.6% notified and 8.8% civil requests in 2016
  • 41.7% notified and 41.7% civil requests in 2015
  • 40% notified and 43% civil requests in 2014

National security letters and orders

We’re very limited in what we can legally disclose about national security letters and Foreign Intelligence Surveillance Act (FISA) orders. The US Department of Justice (DOJ) has issued guidelines that only allow us to report information about these types of requests in ranges of 250, starting with zero. As shown below, we received 0–249 notices in 2021, affecting 0–249 accounts.

Table of national security and orders received (0-249) and affected accounts (0-249)

Cross-border data requests

Governments outside the US can make cross-border data requests for user information through the DOJ via a mutual legal assistance treaty (MLAT) or similar form of international legal process. Our Guidelines

Read More

Tags:
0Likes
Leave a comment

Leave a comment

In the Shadows of Innovation”

© 2025 HackTech.info. All Rights Reserved.

Sign Up to Our Newsletter

Be the first to know the latest updates

Whoops, you're not connected to Mailchimp. You need to enter a valid Mailchimp API key.