Apple tells GitHub to fork off: iGiant steps outside DMCA law in quest to halt iBoot leaks
Demands blanket rather than specific repo shutdowns
Apple's fruitless attempts to remove its leaked iBoot source code from the internet have escalated into requests to have community code site GitHub disable all downstream forks made from identified infringing repositories.
In a DMCA takedown notice sent to GitHub on Sunday and published on Monday – its sixth since the proprietary iBoot code surfaced on February 7 – Apple has directed GitHub to remove two more repos with copies of its confidential source, along with 10 more repos forked from the first two that disseminated it.
A forked repo is simply a clone of a repo with a pointer that refers to the original repository, stored within the Git version control system. Code can also be manually copied by downloading it and re-uploading it to a new GitHub repo, one that doesn't include a reference to its birth.
Since its initial takedown notice, Apple has been asking for forks of flagged iBoot repos to be shut down, and GitHub has been complying, at least for those repos and forks specifically cited, because not doing so could open the code-sharing site to legal liability. When GitHub is alerted to copyright-infringing repos on its platform, it has to take them down swiftly to avoid heavy penalties in court under America's DMCA system.
This amounts to a game of Whac-A-Mole: although Apple has demanded the removal of over two hundred infringing copies of its iBoot code, duplicates of the leaked code – both forks and uploaded copies – continue to be available on the website, to say nothing of elsewhere on the internet.
Because GitHub's fork mechanism makes copies that point back to the parent repo, Apple wants GitHub to proactively disable any fork of an infringing repo, not just the ones it specifies.
"[B]ased on the representative number of forks we have reviewed... we believe that all or most of the forks in these networks are infringing to the same extent as the parent repositories," Apple's DMCA notice says. "Accordingly, and because there are a growing number of forks that contain the infringing content at issue, we respectfully request that GitHub disable the entire fork network(s)."
Now, it's fair to say all or most copies of the copyright-infringing material will also be infringing. We can't imagine someone forking the stolen iBoot blueprints, and then taking out all the Apple-eyes-only code – there wouldn't be much left, except maybe the source comments.
However, pedantically, Apple's approach doesn't quite follow the letter of the law, which states that a DMCA takedown notification must specifically identify the supposedly infringing work. Saying that you believe "all or most" of the forks are infringing falls short of certainty in every case.
"The DMCA requires people to identify specific infringing material," said Mitch Stoltz, senior staff attorney at the Electronic Frontier Foundation, a cyber liberties advocacy group, in an email to The Register. "There's no provision in the law for saying 'we see lots of infringement, so we want you to delete everything just in case.' Apple can ask, of course, but GitHub doesn't have to comply."
It's not clear whether GitHub is complying by removing forked repos not specifically called out by Apple. But the ones Apple has named have been removed.
Neither Apple nor GitHub responded to requests for comment.
For its next move, Apple may want to ask GitHub to disable its search functionality – simply searching for "iBoot" on GitHub turned up viewable copies of the unauthorized code at the time this story was filed.
Meanwhile, the closed-source bootloader software was leaked online after it was stolen from Apple by a rogue low-level employee, as opposed to hackers or similar miscreants, it was claimed last week. ®