Bloomberg Law
March 28, 2023, 4:21 PMUpdated: March 28, 2023, 9:06 PM

Twitter’s Legal Bid to Unmask Source Code Leaker: Explained (1)

Isaiah Poritz
Isaiah Poritz
Legal Reporter

Twitter Inc. has turned to copyright law to expose the identity of the person who leaked its platform’s source code on GitHub Inc.'s website, relying on a process the social media giant has fought in the past to protect its own users.

The San Francisco-based US District Court for the Northern District of California on Tuesday issued a subpoena requiring GitHub, a public software repository, to hand over information about the person behind the username FreeSpeechEnthusiast. GitHub has until April 3 to respond to the order, which Twitter requested last week.

The user appears to have created the account on Jan. 3 and doesn’t provide any additional information on their profile.

The leak, which Twitter says unveiled proprietary source code underlying the platform and internal tools, is being investigated by the company and could pose potential cybersecurity threats, The New York Times reported.

Other tech companies like Microsoft Corp. and Uber Technologies Inc. have also faced internal leaks or outside hacks involving their source code, which is often closely guarded and can be protected by copyright and trade secrets laws.

GitHub, which is owned by Microsoft, said it complied with Twitter’s copyright takedown request, but declined to provide additional comment.

It’s unclear exactly how long Twitter’s source code had been hosted on the repository, but GitHub moved quickly after being notified. Court documents show that GitHub had removed the source code less than an hour and a half after Twitter’s legal director Julian Moore sent a DMCA takedown request.

Twitter’s search for the leaker comes in a court with a long history of overseeing tech litigation, copyright disputes, and online anonymity.

1. How is this a copyright issue?

Courts and the US Copyright Office have long established that source code is a creative expression and therefore eligible for copyright protection, although the law doesn’t protect the functional aspects of a computer program like algorithms and system designs.

Twitter’s subpoena request came in the form of a special legal demand that gives copyright owners the ability to obtain the identity of users who post unauthorized copyrighted material on an internet platform.

The subpoena directs GitHub to turn over the names, addresses, phone numbers, and other identifying information of the user FreeSpeechEnthusiast and any users who downloaded the code.

2. What law allows Twitter to go after the leaker?

That subpoena power was created in the Digital Millennium Copyright Act of 1998, the last major overhaul of US copyright law for the internet age.

The DMCA requires online platforms that host user content to remove infringing material when requested by the copyright owner. The law also requires platforms to turn over the identity of infringers, who can easily mask their name with pseudonymous usernames.

While a rights holder could bring a traditional copyright lawsuit against a “John Doe” defendant, and then try to reveal the infringer during litigation, DMCA subpoenas are much more efficient.

The law says that a court clerk, not a judge, “must expeditiously” sign off on the subpoena if it has been filed properly. The subpoena petitioner needs to pay only a $47 filing fee, compared with a $402 fee for filing a lawsuit, plus the attendant legal costs.

3. Can GitHub fight Twitter’s demands?

While DMCA subpoenas are meant to provide a legal fast lane to reveal the identity of an alleged infringer, platforms receiving a subpoena can challenge it in court, especially if they feel that it will implicate the free speech rights of the user.

Courts have established that First Amendment protections apply to anonymous speakers, although the right to anonymity isn’t unlimited.

Digital rights groups have cautioned that the DMCA’s broad subpoena power can be abused by copyright holders to suppress legitimate online criticism. The Electronic Frontier Foundation and Public Citizen have argued before the Northern District of California that the subpoenas can be weaponized to out anonymous internet users, who could face retaliation outside of the judicial system.

Groups seeking stronger protections for copyright owners have taken the position that the platform doesn’t have the right to intervene and block the subpoena. The DMCA states that the platform “shall expeditiously” hand over the information, they argue.

4. Hasn’t Twitter usually been on the other side?

Twitter, as a major social media platform, has more often been the recipient of these subpoenas. It’s also moved to block DMCA subpoenas in the past.

Last year, before the company came under the control of Musk, Twitter successfully blocked a DMCA subpoena seeking the identity of an anonymous user that appeared to be trolling the private equity billionaire Brian Sheth.

The judge in that case agreed to adopt a legal test advocated by Public Citizen that first asks if the subpoena petition has established a viable legal claim, and then asks the court to balance that claim against the user’s right to anonymous speech.

5. Doesn’t tech’s liability shield protect GitHub?

Section 230 of the 1996 Communications Decency Act does generally protect websites from liability for content posted by their users.

That law—which has come under fire in recent years—contains a carve out, however, for intellectual property violations. In cases involving copyright infringement by an online platform’s users, the DMCA rules.

That law gives platforms a legal “safe harbor” from copyright lawsuits as long as they follow its defined takedown and unmasking procedures.

Section 230 probably will protect GitHub from other claims—like trade secrets appropriation—that might be brought against it.

Unlike the copyrights and the DMCA, the Defend Trade Secrets Act states that trade secrets don’t qualify as an intellectual property right in this context. Courts have generally held that Section 230 protects websites that host trade secrets posted by users.

Read More:

(Updated to reflect that the court issued the subpoena on Tuesday.)

To contact the reporter on this story: Isaiah Poritz in Washington at

To contact the editors responsible for this story: Adam M. Taylor at; Jay-Anne B. Casuga at

Learn more about Bloomberg Law or Log In to keep reading:

Learn About Bloomberg Law

AI-powered legal analytics, workflow tools and premium legal & business news.

Already a subscriber?

Log in to keep reading or access research tools.