85 comments

[ 4.5 ms ] story [ 157 ms ] thread
FYI: The author, Aaron Meurer, is lead developer for SymPy.
It's really rare for someone to handle something like this as well as it appears Vivek at Hackerrank did. The apology was straightforward and took full ownership, they showed that they had changed a process so it wouldn't happen again, and they compensated SymPy for their time in a way that seems at least superficially very fair.

Hats off to Vivek.

Given that HackerRank has more than 1000 employees, I agree that it is surprising that they were able to react and apologize on the same day as the takedown and all the buzz on social media.

However, I still think it's a damn shame that HackerRank needed such a high-profile incident before reconsidering their shady arrangement involving probably-automated DMCA takedowns against GitHub repositories. Either they didn't know what that would incur on open source repositories hosted on GitHub and other platforms, or they just didn't care about it as long as it wouldn't cause a huge fuss for themselves (which it did in this case).

Former HackerRank Employee here, while I agree it seems like a very quick response, I just want to point out they have nowhere near 1000 employees. When I was there it was probably a quarter of that.

As a YC backed company, it seemed like almost everything on HackerNews was known about within the company when I was there.

The question that always remains in cases like this: Would they have handled it this well if their target wasn't as well known as SymPy?

This could just be another case of a problem being solved by hitting the news and making enough waves.

Sure they did the right thing, but it was still their active wrongdoing and I won't attribute their reaction to them being decent people. I'm tired of all the DMCA abuse, and reverting it for once isn't worthy of special praise. It makes HackerRank better than other DMCA abusers, but DMCA abusers they still are.

Vivek failed repeatedly to answer the question if they intend to address their unjustified DMCA strikes against other projects.

To me it looks like a well calculated PR action. I'll change my mind when they make it up to other teams they wronged.

Indeed, it felt more like damage control.

It felt like many on HN didn't buy it either, and it is a pattern seen so often with many a company.

Yes, this is definitely how I look at it. I have deleted my HackerRank account.
(comment deleted)
This is a great write-up, but I'll quibble with one small part of it:

> It’s important to understand, however, that GitHub’s hands are tied in many ways here. If they do not follow the notice and counter notice procedures exactly as outlined in the DMCA law, they risk losing their safe harbor status with the US Copyright Office. Were this to happen, it would be completely disastrous to GitHub as a business.

I believe this is a bit of an exaggeration, because there is no such thing as "safe harbor status with the US Copyright Office". (The author might be thinking of the fact that providers have to register a designated agent with the Copyright Office, for service of infringement reports, in order to benefit from the law.)

The DMCA safe harbor is a legal defense against copyright infringement, and it operates on a case-by-case basis. If GitHub fails to respond to a particular takedown request as it's required to, it loses the ability to assert the safe harbor defense for the allegedly infringing material identified in that request. It does not mean it somehow loses the DMCA protections for any other material that it hosts.

In practice, this means that GitHub employees can make mistakes, or the company can deliberately choose to stand up to superficially-valid DMCA takedowns that it thinks are frivolous, without necessarily posing an existential risk to the entire company.

> the company can deliberately choose to stand up to superficially-valid DMCA takedowns that it thinks are frivolous, without necessarily posing an existential risk to the entire company.

We all seen the Oracle vs Google lawsuit... sure they can choose to stand up to frivolous DMCA takedowns, but it doesn't means there won't be a frivolous lawsuit that follow.

It just not worth it, why takes that risk when taking something down protect you from it?

> It just not worth it, why takes that risk when taking something down protect you from it?

I mean, that's clearly the stance that most platforms are taking.

The "why take that risk" would be -- to stand up for your user's rights or interests, against takedown requests that are frivolous or invalid. Github actually has occasionally taken that stance.

@teraflop's point is that a company can choose to take that risk on a case-by-case basis -- say in cases you think are especially frivolous and thus also especially unlikely to be a legal liability -- and the risk borne is only with regard to that case, it does not imperil the ability to use the DMCA safe harbor defense in other cases.

(Github seems to be unusual in having already decided to take that risk a couple times on a case by case basis, I think? They can be commended for it, and encouraged to do it more, or have transparent standards for when they will do it, or whatever).

(Note that in the USA someone can file a frivolous lawsuit against you anytime. In this case, even if you respond to all takedown requests there's certainly no guarantee someone can't file a frivolous lawsuit against you anyway. It just shouldn't get very far, and will get thrown out quickly, if things work right, which certainly sometimes they don't, unjust things happen).

I believe that a real DMCA takedown (not the copyright notice used by youtube) needs the following two clauses:

"I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law."

and

"I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed."

This takedown does not seem to have been in good faith or accurate, if only because of the following:

> The notice also stated “the infringing website is not willing to remove our client's work”, which came as a surprise to us since, at no point in time prior to receiving this notice had we received any communications from HackerRank or WorthIT Solutions.

Are there any consequences against whomever at WorthIT signed the DMCA request? If not, how come?

I can't speak for WorthIT but I've heard countless stories surrounding YouTube takedowns which are overturned because they just don't apply however Iv'e never heard of any repercussions for those making the claim.

They do seem to be given the benefit of the doubt, which is fine, but if they're not pushed towards improving their automation its just going to stay a nightmare for everyone else.

YouTube takedown requests are rarely DMCA requests. YouTube modelled their internal system after the DMCA but left out the perjury part.
You have your second clause wrong. Move "swear under penalty of perjury" to after the part about accuracy. Perjury only applies to the claim that you're authorized to act for the copyright that is being allegedly infringed.
You appear to be right. I copied these statements from the netfly website but the actual law seems to phrase it differently. It also matches the reading of the law.stackoverflow question quoted in a sibling comment to yours.
Everyone seems to have copy/pasted that set of incorrectly phrased clauses. I see them everywhere.
Because web sites would prefer the DMCA requestors to be careful, afraid, and face consequences for lying. That's why you should never use your opponent's forms.
Lyndsay Ellis documented the mis-use of the DMCA by an author, and attempts to invoke the perjury penalties for same, across a couple of hours of video that will teach you more about wolf porn fiction ("The Tiger King of wolf porn") than you wanted to know: https://www.youtube.com/watch?v=zhWWcWtAUoY and https://www.youtube.com/watch?v=K3v5wFMQRqs

If you choose to forego the entertainment therein, the TL;DR is essentially that the time and cost of pursing a case, and enforcing it, means that the threat is worthless as a counter-balance.

A simple thing Github could go, within the law, would be to require a takedown request to include that language, maybe?
I imagine the law requires Github to process all valid takedown requests. I don't think that Github gets to set extra conditions on what takedown requests they do and do no process.
I thought you were suggesting the law said those components were necessary to be a valid takedown request, but most providers were just being more lax and not requiring them. When you said "I believe that a real DMCA takedown needs the following two clauses." I guess I misunderstood!
Sorry for the misunderstanding. I said "I believe" because I wasn't sure about the law at time of writing. From what I have seen all providers do require the two clauses. Though YouTube is an exception because their internal takedown process isn't DMCA and does miss those two clauses. That means frivolous YouTube takedowns are even easier. Notably YouTube also still has an actual full DMCA process, but it is rarely used because the internal process is easier if available to you.
do they also DMCA strike replicated repositories hosted in other countries, like China/Russia or SEA countries?

I definitely won't tell you guys to copy the orignal HackerRank questions and solutions to other self-hosted git services once in a while

if its not US based the DMCA doesn't apply (since its US law) so even if they did, providers in other countries so not need to honour it.
If we REALLY want to reform DMCA there is relatevily simple way to do it: Organize a massive simultaneous DMCA takedowns of congressmen web pages... The reform will come in days.
Isn't there a consequence for making frivolous or baseless DMCA takedowns?

I mean there should be given the amount done on e.g. youtube, but if you obviously don't own copyright on something, it'll be considered malicious and you'd get prosecuted yourself.

People could just post hackerrank problem answers to congressmen's pages and wait.
> Isn't there a consequence for making frivolous or baseless DMCA takedowns?

In theory yes, in practice no

This is also a great way to get sued for perjury and be made as an example that citizens should not challenge their representatives in such ways.
That's the whole point, to get them to reform the law, or to set courtroom precedent against spurious claims, while they're forced to take the position of its victims instead of continuing to side with the more well-funded perpetrators.
Purposely filing notices as a protest is indisputably bad-faith. That's not going to set any precedent against bad-faith notices with a veneer of plausible deniability.
Nah, they'll just exempt "official government content" from the takedown process.
Sending a false DMCA takedown notice should prevent you from sending further notices to that platform for a year. (Or forever!)
This list of DMCA take-down at [1] is really extremely long and there are several universities that ask for instance to remove the solution of students' assignments [2]. I am wondering if a university can really claim copyright to a solution made by students and if a breach of "Georgia Tech Honor Code" (for example) is really a copyright issue. From [2] it does not seem that the assignment itself is copied to the repository. Should it be GitHub's responsibility that the students comply with their honor code?

[1] https://github.com/github/dmca [2] https://github.com/github/dmca/blob/master/2022/03/2022-03-1...

I'm fairly sure that there's some T's and C's these days when you go to a university, just to cover this legally. And they cover it legally to prevent cheating and copying answers, because that would seriously reduce the worth of a degree from that university.
A student breaching terms of a contract would still not constitute a copyright violation, which is the only thing DMCA can be used for (legally).
A student publishing code derived from starter code / skeleton developed by course faculty is indeed a copyright violation.
Copyright law has provisions to protect educational purposes.
If that were so then I would agree (although, depending on how much code is in the skeleton, it might not contain enough creativity to reach the threshold for copyrightability). But didn't sound like what's happening in this particular case (the wording is a bit ambiguous ... maybe deliberately?):

> I am part of the Georgia Tech [private], and I have found code solutions for a class at Georgia Tech. Whenever student turn into their code assignments they agree to the Georgia Tech Honor Code stating they are not cheating or allowing others to cheat by sharing Georgia Tech’s assessment materials. The assignment materials were provided to students so that they could complete their tasks and isn't to be shared with others.

I would agree that if the course faculty provide significant and non-trival starter code, then publishing the solution would be a copyright violation.

Some DMCA claims do indeed mention "The repository [from the student] contains code provided to complete assignments [georgia tech]" ([1]). But the claim at [2] does not mention this. It only says "This repository contains Georgia Tech class assignment solutions." under the section "Please provide a detailed description of the original copyrighted work".

[1] https://github.com/github/dmca/blob/master/2022/04/2022-04-0...

[2] https://github.com/github/dmca/blob/master/2022/03/2022-03-1...

If the solutions have been copied from a set of solutions published by the university, they will have copyright. If the solutions are the students own work, then they won't, and this is abuse of the DMCA.
For the sake of a mind game assume that assignments and solutions can be copyrighted.

The mind game is: The assignment is most likely produced with a solution, but published without (lets say else it would not be 'assignable'). For deterministic solutions, could you copyright it without publication?

In other words, can a connect the dots or color by number drawing book claim copyright on the solved version?
It depends on the contract - don't some universities have an IP clause (like many companies) where all work/research you perform there becomes the property of the university? They then give you limited rights to use this content for personal study, etc. This means that all work performed by the student for the purpose of the assignment is then under the university's copyright.

I suppose they could take this a step further by making students sign a confidentiality agreement for assignment solutions, which is legally stronger than a honor code agreement. I won't be surprised if this becomes a thing in the future.

My general sense is that the reason the hiring process at tech companies is so reliant on the kind of technical interview questions that HackerRank makes its money off of is largely due to the fact that students can indeed get solutions online to the various problems they're assigned, and thus many computer science degrees are due more to the student's abilities with Google and/or their reliance on private tutors/services to generate solutions.

Some teachers might check for plagiarism but it's not hard to make enough changes to any body of code to make something like a diff test in an automated submission pass. Automated solution testing seems to be the norm in computer science courses as well, so it has become relatively easy for students to pass courses with good grades using this approach. There are some ways to avoid some of this, for example having in-class tests where students have to write code out with pencil and paper under a time limit while being observed, but that's only part of the grade usually.

- "When a provider receives a counter notice, they must forward it to the original complainant, and restore the challenged material after 10-14 business days. At this point, if the complainant wishes to keep the material down, they must file a lawsuit against the alleged infringer."

In practice, the complainant probably finds it more cost-efficient to (0) ignore your counter-notice, and (1) refile their original complaint, unaltered, restarting the DMCA process from zero. If GitHub reinstated your work, they'll simply take it right back down again, like a yo-yo.

Much cheaper than lawyers.

https://github.com/github/dmca/search?q=TheRayTracer

This is what the process looks like when you're not HN-front-page support tier.

(I'm not affiliated with these parties; I stumbled on this set of DMCA interactions while reading the previous HN story last week).

Can't GitHub ignore the second complaint as a duplicate? The quoted text explicitly says "if the complainant wishes to keep the material down, they must file a lawsuit" so simply re-filing the original complaint should not take the material down again.
github (and other providers) have no obligation to host your content though, so the "restore the challanged material" part has no effect in a lot of cases and the material stays down regardless of sending a counter notice.
This is enraging. Would you please be willing to countersue HackerRank on behalf of:

(1) abusing the DMCA (2) lying in the DMCA message

I want that HackerRank is made an example and that this sets a precedent for all other DMCA trolls. Please follow through with this for all other open source projects that can be targeted the same way.

- "This is enraging."

Lawsuits are a mediocre vehicle for channeling rage.

Realistically (though I'm no lawyer), the $25,000 they've already accepted is far more than a court would plausibly award them, for the tangible damage of half a day's downtime on GitHub.

I agree. I'm always talking to people who are going to sue "for millions", but when I go through settlement agreements and jury awards they are generally much lower than headlines would lead you to believe.

Often they can even be zero. I had a district attorney send me a very rude letter recently (under non-disclosure) saying that he didn't give a fuck if I won a case against the county because he loses cases all the time. He said that even when he loses he gives zero shits because he'll get in front of the jury when it's time to figure out damages and paint the plaintiff as such an asshole that the jury will award zero damages. I believe him.

Why blame the dmca process and not HackerRank? I mean you blame the person who pulls tge trigger normally, wont you?
A large part of the world certainly feels like not having guns widely and easily available can help.

Keeping in line with your analogy, I mean.

No part of the world wont file murder charges to the guy pulling though.
The article blames both. I think the focus on DMCA makes sense from the point of view of preventing this from happening again. HackerRank likely will exercise more caution, given the PR and monetary cost of this episode, but the DMCA still exists and is prime for abuse by others.
There aren't many things that are more against "hacker culture" than taking down an open-source repository via a DMCA notice. The fact that HackerRank had to apologize due to public pressure cant' really excuse this, in my opinion.
Why not delete your HackerRank account and tell HackerRank the reason for this?
HackerRank is a terrible product. If any company I applied uses it I withdraw immediately.
Same. If they insist on HackerRank, that tells me they hire based on solving logic puzzles and not building software and systems. Not a place I'm interested in
It depends how you use it.

I've used it to pre-screen candidates with very basic code questions. It filters out a lot of people who are either lying or just don't believe they will have to ever write any code.

This allows me to consider a much wider range of candidates outside top tier schools and employers.

That's fair, and not at all the way I've seen it used
> One thing that confused us was that the support email came from a domain, githubsupport.com

And it was a real e-mail... Great way to train your customers to be phished in the future, GH.

Similar vein:

* PayPal's links go to paypal-communication.com

* 3DSecure, where random third party web sites ask for bank credentials

* Some banks call customers without being able to meaningfully accept a callback, with negative consequences if you don't react to their call

I just want to understand the problem: did HackerRank initiate the takedown? If so, that apology and $25K donation is not enough. They need to be sued with the help of NumFOCUS lawyers. My understanding is that they’ve done this many times in the past and used “third-party” as an excuse.

I’ve never used HackerRank but this made sure I will never use them in the future.

_They_ didn't _do_ it per se, it was done by a third party (probably for hire) and it seems to have been the result of automation gone wrong (not an excuse IMHO). Of course they bear responsibility for the work they contract out and the third party bears responsibility for their automation being worse than ineffective. But the facts do not seem to point to an evil person in a basement initiating the takedown themselves.

> They need to be sued with the help of NumFOCUS lawyers.

This seems like it could be costly and quickly easily eat away at the small amount of revenue they take in (something like $5MM, mostly from grants and donations) compared to supporting open source projects that are desperate for support.

They've been doing this for years, it's hardly "automation gone wrong". They willfully abuse the DMCA system because they can't sell their puzzles to employers if interviewees publish their algorithms online.

Notice in the words of the CEO how he still doesn't think it's wrong to submit takedowns to code they don't hold any copyright over. At least he's honest about his bad intentions, so that's better than the drivel some tech companies come up with when they reach the front page of HN.

These guys are exactly what's wrong with copyright law and nobody has the time, interest, and resources to fight them.

It's pretty clearly automation gone wrong. I didn't specify if it's a matter of neglect or abuse.
> They need to be sued with the help of NumFOCUS lawyers.

The damages in this case are probably less than $25K.

(comment deleted)
I love how clearly and objectively the OP wrote this up.
In short, Hackerrank people have no common sense and decided to take down content that looked like solutions to Hackerrank problems.

The affected content was the documentation of opensource projects, which is not even something they own.

That in itself should be illegal.

It technically is, because the statement is taken under perjury, but good luck enforcing the perjury clause of the DMCA against a company in Pakistan.
This seems like a solid case where Hacker Rank and their contractor filed bad-faith documents and lied under the penalty of perjury. Now that SymPy has $25k of found money, it might make sense to hire a lawyer and counter-sue for damages.
Damages would hardly exceed $25k
What I don't understand is that although there are a lot of non-profits in the US that are willing to help in these kinds of cases. Non of them ever tried or suggested going after the original notice giver for perjury as at least some of these notices would fall under 'willful ignorance' as defined in United States v. Fawley (1998). The notice giver is in a (unique) position to determine if they actually hold the copyright and which specific part of some digital information is indeed infringing on that as this is the entire basis of the take-down notice. The fact that they do not supply it when serving the notice, but later will have to rely on it in court makes them willful ignorant when serving the notice.

Getting the perjury clause of the DMCA upheld would of course have a chilling effect on sending take-down notices in such a frivolous manor.

Disclaimer: a) I am not a US citizen b) TGIANAL

Maybe such a predatory copyright law is the main problem.
> HackerRank did follow through with the $25k donation to SymPy.

I feel like it's important to raise the volume of this statement. Just how often does the "we will donate to X for our mistake" promises blow over? Inversely as frequently as is required for PR upkeep, most likely (and given that nobody keeps tabs on this: they always blow over).

We desperately need more DMCA countersuits. There is currently no practical downside for filing fraudulent claims (irrespective of what legal downside should exist). If SymPy/NumFOCUS are in the position to retaliate, I really hope that they do.

HackerRank should be sued, and that $25k hush-money is just sad.