November 15, 2020 GitHub DMCA Agent
Via E-Mail
Dear GitHub DMCA Agent,
Re: Takedown of the youtube-dl Repository
 The Electronic Frontier Foundation represents the current maintainers of the youtube- dl software utility, a free software project that uses GitHub as a home for development. As you are aware, GitHub disabled the youtube-dl repository in response to a demand from the Recording Industry Association of America sent on September 21, 2020.
We write to thank GitHub for striving to protect the rights of free and open source software developers, and to provide more information about youtube-dl to address the claims made in RIAA’s letter. First, youtube-dl does not infringe or encourage the infringement of any copyrighted works, and its references to copyrighted songs in its unit tests are a fair use. Nevertheless, youtube-dl’s maintainers are replacing these references. Second, youtube-dl does not violate Section 1201 of the DMCA because it does not “circumvent” any technical protection measures on YouTube videos. Similarly, the “signature” or “rolling cipher” mechanism employed by YouTube does not prevent copying of videos. Below we explain each of these points in more detail. It is our hope that, upon consideration of this information, GitHub will reactivate the youtube-dl repository.
About youtube-dl
youtube-dl is a command-line utility for streaming and downloading user-uploaded videos from various websites, including YouTube. First published in 2006, it has a vast, diverse, worldwide community of users. It is used by journalists and human rights organizations to save eyewitness videos, by educators to save videos for classroom use, by YouTubers to save backup copies of their own uploaded videos, and by users worldwide to watch videos on hardware that can’t run a standard web browser, or to watch videos in their full resolution over slow or unreliable Internet connections.
youtube-dl stands in place of a Web browser and performs a similar function with respect to user-uploaded videos. Importantly, youtube-dl does not decrypt video streams that are encrypted with commercial DRM technologies, such as Widevine, that are used by subscription video sites, such as Netflix.
815 EDDY STREET, SAN FRANCISCO, CA 94109 USA phone +1.415.436.9333 fax +1.415.436.9993 eff.org

GitHub DMCA Agent November 15, 2020 Page 2 of 4
 youtube-dl Unit Tests Referencing Commercial Music
The RIAA’s letter refers to a single file of youtube-dl’s source code which references several copyrighted songs. This file contains series of automated tests that verify the functionality of youtube-dl for streaming various types of video. The youtube-dl source code does not, of course, contain copies of these songs or any others. And the presence of several copyrighted song links in a large series of such tests does not induce or encourage copyright infringement, for several reasons. First, this file is not “prominent,” as RIAA contends. Second, the unit tests do not cause a permanent download or distribution of the songs they reference; they merely stream a few seconds of each song to verify the operation of youtube-dl. Streaming a small portion of a song in a non-permanent fashion to test the operation of an independently created software program is a fair use. Saving a copy of a requested stream is only one function of youtube-dl, and youtube-dl does not distribute videos. Thus, the unit tests do not “suggest[] its use to copy and/or distribute” the referenced songs. The youtube-dl maintainers do not encourage the use of the tool to infringe copyright, nor do they market the tool for that purpose.
While the presence of the automated tests referencing copyrighted songs in the youtube-dl code does not constitute copyright infringement, the maintainers are replacing those lines with references to other videos that don’t contain copyrighted music. We hope this will clear the way for GitHub to reactivate the repository.
YouTube’s “signature” Code
For a subset of videos, YouTube employs a mechanism it calls a “signature.” Here is our understanding of how it works: when a user requests certain YouTube videos, YouTube’s servers send a small JavaScript program to the user’s browser, embedded in the YouTube player page. That program calculates a number referred to as “sig.” That number then forms part of the Uniform Resource Locator that the user’s browser sends back to YouTube to request the actual video stream. This mechanism is completely visible to the user simply by viewing the source code of the player page. The video stream is not encrypted, and no secret knowledge is required to access the video stream. JavaScript is a ubiquitous technology found on millions of websites and understandable by numerous software programs. Any software capable of running JavaScript code can derive the URL of the video stream and access the stream, regardless of whether the software has been approved by YouTube. To borrow an analogy from literature, travelers come upon a door that has writing in a foreign language. When translated, the writing says “say ‘friend’ and enter.” The travelers say “friend” and the door opens. As with the writing on that door, YouTube presents instructions on accessing video streams to everyone who comes asking for it.
815 EDDY STREET, SAN FRANCISCO, CA 94109 USA phone +1.415.436.9333 fax +1.415.436.9993 eff.org

GitHub DMCA Agent November 15, 2020 Page 3 of 4
 youtube-dl works the same way as a browser when it encounters the signature mechanism: it reads and interprets the JavaScript program sent by YouTube, derives the “signature” value, and sends that value back to YouTube to initiate the video stream. youtube-dl contains no password, key, or other secret knowledge that is required to access YouTube videos. It simply uses the same mechanism that YouTube presents to each and every user who views a video.
We presume that this “signature” code is what RIAA refers to as a “rolling cipher,” although YouTube’s JavaScript code does not contain this phrase. Regardless of what this mechanism is called, youtube-dl does not “circumvent” it as that term is defined in Section 1201(a) of the Digital Millennium Copyright Act, because YouTube provides the means of accessing these video streams to anyone who requests them. As federal appeals court recently ruled, one does not “circumvent” an access control by using a publicly available password. Digital Drilling Data Systems, L.L.C. v. Petrolink Services, 965 F.3d 365, 372 (5th Cir. 2020). Circumvention is limited to actions that “descramble, decrypt, avoid, bypass, remove, deactivate or impair a technological measure,” without the authority of the copyright owner. “What is missing from this statutory definition is any reference to ‘use’ of a technological measure without the authority of the copyright owner.” Egilman v. Keller & Heckman, LLP., 401 F. Supp. 2d 105, 113 (D.D.C. 2005). Because youtube-dl simply uses the “signature” code provided by YouTube in the same manner as any browser, rather than bypassing or avoiding it, it does not circumvent, and any alleged lack of authorization from YouTube or the RIAA is irrelevant.
Similarly, youtube-dl does not violate section 1201(b) of the DMCA because the “signature” code does not “prevent[], restrict[], or otherwise limit[] the exercise of a right of a copyright owner”—in other words, the code does not prevent copying of video data. Any program capable of running JavaScript programs can run YouTube’s “signature” code, regardless of whether it can also save a copy of the video streams it receives. The YouTube code is entirely different from the CSS encryption used on DVD discs and described in Universal City Studios, Inc. v. Corley, 273 F. 3d 429 (2d Cir. 2001), or from the Widevine DRM owned and used by YouTube’s parent company Google. Although I express no opinion here about how the DMCA might apply to these technologies, I note that both CSS and Widevine require licensed players containing secret keys, which are distributed only to technology vendors who agree to limit their use and maintain secrecy. In contrast, the YouTube “signature” code, is distributed to all comers and contains no secrets. YouTube does not require Web browser vendors to accept a license or a commitment to secrecy in order to use the “signature” code, as it does with Widevine.
The 2017 decision of the Hamburg Regional Court in Germany that RIAA references, which refers to YouTube’s “signature” mechanism, was wrongly decided and is not binding nor even persuasive under U.S. law. The court in that case apparently reasoned that since the judge was not familiar with JavaScript, using the “signature” code was beyond the capabilities of the average user. It was on this basis that the court declared the code to be an effective technical measure under Germany’s analogue of Section 1201. The
815 EDDY STREET, SAN FRANCISCO, CA 94109 USA phone +1.415.436.9333 fax +1.415.436.9993 eff.org

GitHub DMCA Agent November 15, 2020 Page 4 of 4
 court’s analysis overlooks the ubiquity of JavaScript, which is embedded in every browser and similar software, making use of the “signature” mechanism well within the capabilities of the average user. The Hamburg court’s analysis sweeps too broadly: it would cause anti- circumvention law to apply to any web content except the simplest plain-text pages, because all such content can appear obscure to the average user in source-code form but is easily read and used in a browser. The Hamburg court’s decision is not consistent with the U.S. DMCA and would not be followed by a U.S. court.
In summary, youtube-dl does not violate either the Copyright Act or the DMCA. EFF and the youtube-dl maintainers thank GitHub for standing up for the rights of developers whose projects it hosts. We hope this explanation will allow you to restore the youtube-dl repository so that GitHub can continue to be the home for development of this popular and important tool.
With appreciation,
Mitchell L. Stoltz, Senior Staff Attorney ELECTRONIC FRONTIER FOUNDATION
 815 EDDY STREET, SAN FRANCISCO, CA 94109 USA
phone +1.415.436.9333 fax +1.415.436.9993 eff.org