It's really rare for someone to handle something like this as well as it appears Vivek at Hackerrank did. The apology was straightforward and took full ownership, they showed that they had changed a process so it wouldn't happen again, and they compensated SymPy for their time in a way that seems at least superficially very fair.
Given that HackerRank has more than 1000 employees, I agree that it is surprising that they were able to react and apologize on the same day as the takedown and all the buzz on social media.
However, I still think it's a damn shame that HackerRank needed such a high-profile incident before reconsidering their shady arrangement involving probably-automated DMCA takedowns against GitHub repositories. Either they didn't know what that would incur on open source repositories hosted on GitHub and other platforms, or they just didn't care about it as long as it wouldn't cause a huge fuss for themselves (which it did in this case).
Former HackerRank Employee here, while I agree it seems like a very quick response, I just want to point out they have nowhere near 1000 employees. When I was there it was probably a quarter of that.
As a YC backed company, it seemed like almost everything on HackerNews was known about within the company when I was there.
The question that always remains in cases like this: Would they have handled it this well if their target wasn't as well known as SymPy?
This could just be another case of a problem being solved by hitting the news and making enough waves.
Sure they did the right thing, but it was still their active wrongdoing and I won't attribute their reaction to them being decent people. I'm tired of all the DMCA abuse, and reverting it for once isn't worthy of special praise. It makes HackerRank better than other DMCA abusers, but DMCA abusers they still are.
This is a great write-up, but I'll quibble with one small part of it:
> It’s important to understand, however, that GitHub’s hands are tied in many ways here. If they do not follow the notice and counter notice procedures exactly as outlined in the DMCA law, they risk losing their safe harbor status with the US Copyright Office. Were this to happen, it would be completely disastrous to GitHub as a business.
I believe this is a bit of an exaggeration, because there is no such thing as "safe harbor status with the US Copyright Office". (The author might be thinking of the fact that providers have to register a designated agent with the Copyright Office, for service of infringement reports, in order to benefit from the law.)
The DMCA safe harbor is a legal defense against copyright infringement, and it operates on a case-by-case basis. If GitHub fails to respond to a particular takedown request as it's required to, it loses the ability to assert the safe harbor defense for the allegedly infringing material identified in that request. It does not mean it somehow loses the DMCA protections for any other material that it hosts.
In practice, this means that GitHub employees can make mistakes, or the company can deliberately choose to stand up to superficially-valid DMCA takedowns that it thinks are frivolous, without necessarily posing an existential risk to the entire company.
> the company can deliberately choose to stand up to superficially-valid DMCA takedowns that it thinks are frivolous, without necessarily posing an existential risk to the entire company.
We all seen the Oracle vs Google lawsuit... sure they can choose to stand up to frivolous DMCA takedowns, but it doesn't means there won't be a frivolous lawsuit that follow.
It just not worth it, why takes that risk when taking something down protect you from it?
No I meant Oracle vs Google. It's a copyright lawsuit, DMCA protect the middle man (Github here as they are the ones distributing the potentially copyrighted content) against being involved in copyright lawsuits.
> It just not worth it, why takes that risk when taking something down protect you from it?
I mean, that's clearly the stance that most platforms are taking.
The "why take that risk" would be -- to stand up for your user's rights or interests, against takedown requests that are frivolous or invalid. Github actually has occasionally taken that stance.
@teraflop's point is that a company can choose to take that risk on a case-by-case basis -- say in cases you think are especially frivolous and thus also especially unlikely to be a legal liability -- and the risk borne is only with regard to that case, it does not imperil the ability to use the DMCA safe harbor defense in other cases.
(Github seems to be unusual in having already decided to take that risk a couple times on a case by case basis, I think? They can be commended for it, and encouraged to do it more, or have transparent standards for when they will do it, or whatever).
(Note that in the USA someone can file a frivolous lawsuit against you anytime. In this case, even if you respond to all takedown requests there's certainly no guarantee someone can't file a frivolous lawsuit against you anyway. It just shouldn't get very far, and will get thrown out quickly, if things work right, which certainly sometimes they don't, unjust things happen).
I believe that a real DMCA takedown (not the copyright notice used by youtube) needs the following two clauses:
"I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law."
and
"I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed."
This takedown does not seem to have been in good faith or accurate, if only because of the following:
> The notice also stated “the infringing website is not willing to remove our client's work”, which came as a surprise to us since, at no point in time prior to receiving this notice had we received any communications from HackerRank or WorthIT Solutions.
Are there any consequences against whomever at WorthIT signed the DMCA request? If not, how come?
I can't speak for WorthIT but I've heard countless stories surrounding YouTube takedowns which are overturned because they just don't apply however Iv'e never heard of any repercussions for those making the claim.
They do seem to be given the benefit of the doubt, which is fine, but if they're not pushed towards improving their automation its just going to stay a nightmare for everyone else.
You have your second clause wrong. Move "swear under penalty of perjury" to after the part about accuracy. Perjury only applies to the claim that you're authorized to act for the copyright that is being allegedly infringed.
You appear to be right. I copied these statements from the netfly website but the actual law seems to phrase it differently.
It also matches the reading of the law.stackoverflow question quoted in a sibling comment to yours.
Because web sites would prefer the DMCA requestors to be careful, afraid, and face consequences for lying. That's why you should never use your opponent's forms.
Lyndsay Ellis documented the mis-use of the DMCA by an author, and attempts to invoke the perjury penalties for same, across a couple of hours of video that will teach you more about wolf porn fiction ("The Tiger King of wolf porn") than you wanted to know: https://www.youtube.com/watch?v=zhWWcWtAUoY and https://www.youtube.com/watch?v=K3v5wFMQRqs
If you choose to forego the entertainment therein, the TL;DR is essentially that the time and cost of pursing a case, and enforcing it, means that the threat is worthless as a counter-balance.
I imagine the law requires Github to process all valid takedown requests. I don't think that Github gets to set extra conditions on what takedown requests they do and do no process.
I thought you were suggesting the law said those components were necessary to be a valid takedown request, but most providers were just being more lax and not requiring them. When you said "I believe that a real DMCA takedown needs the following two clauses." I guess I misunderstood!
Sorry for the misunderstanding. I said "I believe" because I wasn't sure about the law at time of writing. From what I have seen all providers do require the two clauses. Though YouTube is an exception because their internal takedown process isn't DMCA and does miss those two clauses. That means frivolous YouTube takedowns are even easier. Notably YouTube also still has an actual full DMCA process, but it is rarely used because the internal process is easier if available to you.
If we REALLY want to reform DMCA there is relatevily simple way to do it:
Organize a massive simultaneous DMCA takedowns of congressmen web pages...
The reform will come in days.
Isn't there a consequence for making frivolous or baseless DMCA takedowns?
I mean there should be given the amount done on e.g. youtube, but if you obviously don't own copyright on something, it'll be considered malicious and you'd get prosecuted yourself.
That's the whole point, to get them to reform the law, or to set courtroom precedent against spurious claims, while they're forced to take the position of its victims instead of continuing to side with the more well-funded perpetrators.
Purposely filing notices as a protest is indisputably bad-faith. That's not going to set any precedent against bad-faith notices with a veneer of plausible deniability.
This list of DMCA take-down at [1] is really extremely long and there are several universities that ask for instance to remove the solution of students' assignments [2]. I am wondering if a university can really claim copyright to a solution made by students and if a breach of "Georgia Tech Honor Code" (for example) is really a copyright issue. From [2] it does not seem that the assignment itself is copied to the repository. Should it be GitHub's responsibility that the students comply with their honor code?
I'm fairly sure that there's some T's and C's these days when you go to a university, just to cover this legally. And they cover it legally to prevent cheating and copying answers, because that would seriously reduce the worth of a degree from that university.
If that were so then I would agree (although, depending on how much code is in the skeleton, it might not contain enough creativity to reach the threshold for copyrightability). But didn't sound like what's happening in this particular case (the wording is a bit ambiguous ... maybe deliberately?):
> I am part of the Georgia Tech [private], and I have found code solutions for a class at Georgia Tech. Whenever student turn into their code assignments they agree to the Georgia Tech Honor Code stating they are not cheating or allowing others to cheat by sharing Georgia Tech’s assessment materials. The assignment materials were provided to students so that they could complete their tasks and isn't to be shared with others.
I would agree that if the course faculty provide significant and non-trival starter code, then publishing the solution would be a copyright violation.
Some DMCA claims do indeed mention "The repository [from the student] contains code provided to complete assignments [georgia tech]" ([1]). But the claim at [2] does not mention this. It only says "This repository contains Georgia Tech class assignment solutions." under the section "Please provide a detailed description of the original copyrighted work".
If the solutions have been copied from a set of solutions published by the university, they will have copyright. If the solutions are the students own work, then they won't, and this is abuse of the DMCA.
For the sake of a mind game assume that assignments and solutions can be copyrighted.
The mind game is: The assignment is most likely produced with a solution, but published without (lets say else it would not be 'assignable'). For deterministic solutions, could you copyright it without publication?
It depends on the contract - don't some universities have an IP clause (like many companies) where all work/research you perform there becomes the property of the university? They then give you limited rights to use this content for personal study, etc. This means that all work performed by the student for the purpose of the assignment is then under the university's copyright.
I suppose they could take this a step further by making students sign a confidentiality agreement for assignment solutions, which is legally stronger than a honor code agreement. I won't be surprised if this becomes a thing in the future.
My general sense is that the reason the hiring process at tech companies is so reliant on the kind of technical interview questions that HackerRank makes its money off of is largely due to the fact that students can indeed get solutions online to the various problems they're assigned, and thus many computer science degrees are due more to the student's abilities with Google and/or their reliance on private tutors/services to generate solutions.
Some teachers might check for plagiarism but it's not hard to make enough changes to any body of code to make something like a diff test in an automated submission pass. Automated solution testing seems to be the norm in computer science courses as well, so it has become relatively easy for students to pass courses with good grades using this approach. There are some ways to avoid some of this, for example having in-class tests where students have to write code out with pencil and paper under a time limit while being observed, but that's only part of the grade usually.
- "When a provider receives a counter notice, they must forward it to the original complainant, and restore the challenged material after 10-14 business days. At this point, if the complainant wishes to keep the material down, they must file a lawsuit against the alleged infringer."
In practice, the complainant probably finds it more cost-efficient to (0) ignore your counter-notice, and (1) refile their original complaint, unaltered, restarting the DMCA process from zero. If GitHub reinstated your work, they'll simply take it right back down again, like a yo-yo.
Can't GitHub ignore the second complaint as a duplicate? The quoted text explicitly says "if the complainant wishes to keep the material down, they must file a lawsuit" so simply re-filing the original complaint should not take the material down again.
github (and other providers) have no obligation to host your content though, so the "restore the challanged material" part has no effect in a lot of cases and the material stays down regardless of sending a counter notice.
This is enraging. Would you please be willing to countersue HackerRank on behalf of:
(1) abusing the DMCA
(2) lying in the DMCA message
I want that HackerRank is made an example and that this sets a precedent for all other DMCA trolls. Please follow through with this for all other open source projects that can be targeted the same way.
Lawsuits are a mediocre vehicle for channeling rage.
Realistically (though I'm no lawyer), the $25,000 they've already accepted is far more than a court would plausibly award them, for the tangible damage of half a day's downtime on GitHub.
I agree. I'm always talking to people who are going to sue "for millions", but when I go through settlement agreements and jury awards they are generally much lower than headlines would lead you to believe.
Often they can even be zero. I had a district attorney send me a very rude letter recently (under non-disclosure) saying that he didn't give a fuck if I won a case against the county because he loses cases all the time. He said that even when he loses he gives zero shits because he'll get in front of the jury when it's time to figure out damages and paint the plaintiff as such an asshole that the jury will award zero damages. I believe him.
The article blames both. I think the focus on DMCA makes sense from the point of view of preventing this from happening again. HackerRank likely will exercise more caution, given the PR and monetary cost of this episode, but the DMCA still exists and is prime for abuse by others.
There aren't many things that are more against "hacker culture" than taking down an open-source repository via a DMCA notice. The fact that HackerRank had to apologize due to public pressure cant' really excuse this, in my opinion.
Same. If they insist on HackerRank, that tells me they hire based on solving logic puzzles and not building software and systems. Not a place I'm interested in
I've used it to pre-screen candidates with very basic code questions. It filters out a lot of people who are either lying or just don't believe they will have to ever write any code.
This allows me to consider a much wider range of candidates outside top tier schools and employers.
I just want to understand the problem: did HackerRank initiate the takedown? If so, that apology and $25K donation is not enough. They need to be sued with the help of NumFOCUS lawyers. My understanding is that they’ve done this many times in the past and used “third-party” as an excuse.
I’ve never used HackerRank but this made sure I will never use them in the future.
_They_ didn't _do_ it per se, it was done by a third party (probably for hire) and it seems to have been the result of automation gone wrong (not an excuse IMHO). Of course they bear responsibility for the work they contract out and the third party bears responsibility for their automation being worse than ineffective. But the facts do not seem to point to an evil person in a basement initiating the takedown themselves.
> They need to be sued with the help of NumFOCUS lawyers.
This seems like it could be costly and quickly easily eat away at the small amount of revenue they take in (something like $5MM, mostly from grants and donations) compared to supporting open source projects that are desperate for support.
They've been doing this for years, it's hardly "automation gone wrong". They willfully abuse the DMCA system because they can't sell their puzzles to employers if interviewees publish their algorithms online.
Notice in the words of the CEO how he still doesn't think it's wrong to submit takedowns to code they don't hold any copyright over. At least he's honest about his bad intentions, so that's better than the drivel some tech companies come up with when they reach the front page of HN.
These guys are exactly what's wrong with copyright law and nobody has the time, interest, and resources to fight them.
This seems like a solid case where Hacker Rank and their contractor filed bad-faith documents and lied under the penalty of perjury. Now that SymPy has $25k of found money, it might make sense to hire a lawyer and counter-sue for damages.
What I don't understand is that although there are a lot of non-profits in the US that are willing to help in these kinds of cases. Non of them ever tried or suggested going after the original notice giver for perjury as at least some of these notices would fall under 'willful ignorance' as defined in United States v. Fawley (1998). The notice giver is in a (unique) position to determine if they actually hold the copyright and which specific part of some digital information is indeed infringing on that as this is the entire basis of the take-down notice. The fact that they do not supply it when serving the notice, but later will have to rely on it in court makes them willful ignorant when serving the notice.
Getting the perjury clause of the DMCA upheld would of course have a chilling effect on sending take-down notices in such a frivolous manor.
> HackerRank did follow through with the $25k donation to SymPy.
I feel like it's important to raise the volume of this statement. Just how often does the "we will donate to X for our mistake" promises blow over? Inversely as frequently as is required for PR upkeep, most likely (and given that nobody keeps tabs on this: they always blow over).
We desperately need more DMCA countersuits. There is currently no practical downside for filing fraudulent claims (irrespective of what legal downside should exist). If SymPy/NumFOCUS are in the position to retaliate, I really hope that they do.
85 comments
[ 4.5 ms ] story [ 157 ms ] threadHats off to Vivek.
However, I still think it's a damn shame that HackerRank needed such a high-profile incident before reconsidering their shady arrangement involving probably-automated DMCA takedowns against GitHub repositories. Either they didn't know what that would incur on open source repositories hosted on GitHub and other platforms, or they just didn't care about it as long as it wouldn't cause a huge fuss for themselves (which it did in this case).
As a YC backed company, it seemed like almost everything on HackerNews was known about within the company when I was there.
This could just be another case of a problem being solved by hitting the news and making enough waves.
Sure they did the right thing, but it was still their active wrongdoing and I won't attribute their reaction to them being decent people. I'm tired of all the DMCA abuse, and reverting it for once isn't worthy of special praise. It makes HackerRank better than other DMCA abusers, but DMCA abusers they still are.
To me it looks like a well calculated PR action. I'll change my mind when they make it up to other teams they wronged.
It felt like many on HN didn't buy it either, and it is a pattern seen so often with many a company.
> It’s important to understand, however, that GitHub’s hands are tied in many ways here. If they do not follow the notice and counter notice procedures exactly as outlined in the DMCA law, they risk losing their safe harbor status with the US Copyright Office. Were this to happen, it would be completely disastrous to GitHub as a business.
I believe this is a bit of an exaggeration, because there is no such thing as "safe harbor status with the US Copyright Office". (The author might be thinking of the fact that providers have to register a designated agent with the Copyright Office, for service of infringement reports, in order to benefit from the law.)
The DMCA safe harbor is a legal defense against copyright infringement, and it operates on a case-by-case basis. If GitHub fails to respond to a particular takedown request as it's required to, it loses the ability to assert the safe harbor defense for the allegedly infringing material identified in that request. It does not mean it somehow loses the DMCA protections for any other material that it hosts.
In practice, this means that GitHub employees can make mistakes, or the company can deliberately choose to stand up to superficially-valid DMCA takedowns that it thinks are frivolous, without necessarily posing an existential risk to the entire company.
We all seen the Oracle vs Google lawsuit... sure they can choose to stand up to frivolous DMCA takedowns, but it doesn't means there won't be a frivolous lawsuit that follow.
It just not worth it, why takes that risk when taking something down protect you from it?
https://en.wikipedia.org/wiki/Viacom_International_Inc._v._Y....
https://en.wikipedia.org/wiki/Google_LLC_v._Oracle_America,_....
I mean, that's clearly the stance that most platforms are taking.
The "why take that risk" would be -- to stand up for your user's rights or interests, against takedown requests that are frivolous or invalid. Github actually has occasionally taken that stance.
@teraflop's point is that a company can choose to take that risk on a case-by-case basis -- say in cases you think are especially frivolous and thus also especially unlikely to be a legal liability -- and the risk borne is only with regard to that case, it does not imperil the ability to use the DMCA safe harbor defense in other cases.
(Github seems to be unusual in having already decided to take that risk a couple times on a case by case basis, I think? They can be commended for it, and encouraged to do it more, or have transparent standards for when they will do it, or whatever).
(Note that in the USA someone can file a frivolous lawsuit against you anytime. In this case, even if you respond to all takedown requests there's certainly no guarantee someone can't file a frivolous lawsuit against you anyway. It just shouldn't get very far, and will get thrown out quickly, if things work right, which certainly sometimes they don't, unjust things happen).
"I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law."
and
"I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed."
This takedown does not seem to have been in good faith or accurate, if only because of the following:
> The notice also stated “the infringing website is not willing to remove our client's work”, which came as a surprise to us since, at no point in time prior to receiving this notice had we received any communications from HackerRank or WorthIT Solutions.
Are there any consequences against whomever at WorthIT signed the DMCA request? If not, how come?
[1]: https://law.stackexchange.com/questions/51541/has-anyone-bee...
They do seem to be given the benefit of the doubt, which is fine, but if they're not pushed towards improving their automation its just going to stay a nightmare for everyone else.
If you choose to forego the entertainment therein, the TL;DR is essentially that the time and cost of pursing a case, and enforcing it, means that the threat is worthless as a counter-balance.
I definitely won't tell you guys to copy the orignal HackerRank questions and solutions to other self-hosted git services once in a while
I mean there should be given the amount done on e.g. youtube, but if you obviously don't own copyright on something, it'll be considered malicious and you'd get prosecuted yourself.
In theory yes, in practice no
[1] https://github.com/github/dmca [2] https://github.com/github/dmca/blob/master/2022/03/2022-03-1...
> I am part of the Georgia Tech [private], and I have found code solutions for a class at Georgia Tech. Whenever student turn into their code assignments they agree to the Georgia Tech Honor Code stating they are not cheating or allowing others to cheat by sharing Georgia Tech’s assessment materials. The assignment materials were provided to students so that they could complete their tasks and isn't to be shared with others.
Some DMCA claims do indeed mention "The repository [from the student] contains code provided to complete assignments [georgia tech]" ([1]). But the claim at [2] does not mention this. It only says "This repository contains Georgia Tech class assignment solutions." under the section "Please provide a detailed description of the original copyrighted work".
[1] https://github.com/github/dmca/blob/master/2022/04/2022-04-0...
[2] https://github.com/github/dmca/blob/master/2022/03/2022-03-1...
The mind game is: The assignment is most likely produced with a solution, but published without (lets say else it would not be 'assignable'). For deterministic solutions, could you copyright it without publication?
I suppose they could take this a step further by making students sign a confidentiality agreement for assignment solutions, which is legally stronger than a honor code agreement. I won't be surprised if this becomes a thing in the future.
Some teachers might check for plagiarism but it's not hard to make enough changes to any body of code to make something like a diff test in an automated submission pass. Automated solution testing seems to be the norm in computer science courses as well, so it has become relatively easy for students to pass courses with good grades using this approach. There are some ways to avoid some of this, for example having in-class tests where students have to write code out with pencil and paper under a time limit while being observed, but that's only part of the grade usually.
In practice, the complainant probably finds it more cost-efficient to (0) ignore your counter-notice, and (1) refile their original complaint, unaltered, restarting the DMCA process from zero. If GitHub reinstated your work, they'll simply take it right back down again, like a yo-yo.
Much cheaper than lawyers.
https://github.com/github/dmca/search?q=TheRayTracer
This is what the process looks like when you're not HN-front-page support tier.
(I'm not affiliated with these parties; I stumbled on this set of DMCA interactions while reading the previous HN story last week).
(1) abusing the DMCA (2) lying in the DMCA message
I want that HackerRank is made an example and that this sets a precedent for all other DMCA trolls. Please follow through with this for all other open source projects that can be targeted the same way.
Lawsuits are a mediocre vehicle for channeling rage.
Realistically (though I'm no lawyer), the $25,000 they've already accepted is far more than a court would plausibly award them, for the tangible damage of half a day's downtime on GitHub.
Often they can even be zero. I had a district attorney send me a very rude letter recently (under non-disclosure) saying that he didn't give a fuck if I won a case against the county because he loses cases all the time. He said that even when he loses he gives zero shits because he'll get in front of the jury when it's time to figure out damages and paint the plaintiff as such an asshole that the jury will award zero damages. I believe him.
Keeping in line with your analogy, I mean.
I've used it to pre-screen candidates with very basic code questions. It filters out a lot of people who are either lying or just don't believe they will have to ever write any code.
This allows me to consider a much wider range of candidates outside top tier schools and employers.
And it was a real e-mail... Great way to train your customers to be phished in the future, GH.
* PayPal's links go to paypal-communication.com
* 3DSecure, where random third party web sites ask for bank credentials
* Some banks call customers without being able to meaningfully accept a callback, with negative consequences if you don't react to their call
I’ve never used HackerRank but this made sure I will never use them in the future.
> They need to be sued with the help of NumFOCUS lawyers.
This seems like it could be costly and quickly easily eat away at the small amount of revenue they take in (something like $5MM, mostly from grants and donations) compared to supporting open source projects that are desperate for support.
Notice in the words of the CEO how he still doesn't think it's wrong to submit takedowns to code they don't hold any copyright over. At least he's honest about his bad intentions, so that's better than the drivel some tech companies come up with when they reach the front page of HN.
These guys are exactly what's wrong with copyright law and nobody has the time, interest, and resources to fight them.
The damages in this case are probably less than $25K.
The affected content was the documentation of opensource projects, which is not even something they own.
That in itself should be illegal.
Getting the perjury clause of the DMCA upheld would of course have a chilling effect on sending take-down notices in such a frivolous manor.
Disclaimer: a) I am not a US citizen b) TGIANAL
I feel like it's important to raise the volume of this statement. Just how often does the "we will donate to X for our mistake" promises blow over? Inversely as frequently as is required for PR upkeep, most likely (and given that nobody keeps tabs on this: they always blow over).
We desperately need more DMCA countersuits. There is currently no practical downside for filing fraudulent claims (irrespective of what legal downside should exist). If SymPy/NumFOCUS are in the position to retaliate, I really hope that they do.