
Requests to GitHub to disclose user information more than doubled in 2018, but gag orders increased even faster, the Microsoft-owned code hosting repository has revealed in its 2018 transparency report.

The company received 112 requests to disclose user information last year, which included 81 subpoenas, 22 court orders, and seven search warrants.

Though the number of requests pales in comparison to the tens of thousands received by Google, Apple, and Facebook each year, GitHub's count for 2018 is more than twice the 51 requests it received in 2017. GitHub has about 31 million active developer accounts.

GitHub notes it requires a subpoena to disclose information such as a name, email address, billing information, or an IP address linked to an account, while it requires a court order or search warrant for other user information, such as user access logs and private repository settings.

With a search warrant, it will provide private user account contents, such as source code, collaboration records, and documentation.

Of the 81 subpoenas it received, 68 related to criminal cases and 13 were part of civil litigation, which consisted of one request from a US government agency and 12 requests from civil litigants.


The Microsoft-owned code hosting repository has so far processed 78 of the 112 requests and has disclosed information 66 times. While the disclosures affected 3,673 accounts in total, two requests alone affected 3,582 accounts. The remaining 64 requests affected 91 accounts.

GitHub is finding it increasingly common to receive legal requests accompanied by a gag order, preventing it from following its policy to disclose requests to affected users.

In 2015 it was able to notify users in 42 percent of the year's total requests, which fell to 21 percent in 2016, 19 percent in 2017, and to just nine percent in 2018.

"It's probably not surprising that we're receiving more user information requests as the GitHub community grows," says GitHub policy manager Abby Vollmer.

"But what does stand out is how often those information requests are accompanied by gag orders. That's not something that we'd expect to increase faster than the number of requests we receive."


GitHub also received 1,799 DMCA takedown notices throughout the year, typically totaling between 125 and 172 takedown notices per month.

Each takedown notice affects multiple projects: over 2018 GitHub took down 11,971 projects, and after it reinstated 99 of them, 11,872 projects stayed down. The removed projects represent 0.012 percent of the 100 million-plus repositories on GitHub.
