Back in September, Microsoft made a big splash announcing that it would be offering a copyright indemnity to all paying customers of its various Copilot services, including GitHub Copilot. But, Microsoft didn’t update any of its contracts to reflect this new copyright indemnity. Lawyers everywhere were mystified (ok, maybe just my friends…). It was very strange for such a public official announcement, coming straight from the Chief Legal Officer himself, to not also be accompanied by new contracts which would instantiate the commitment being offered. Claiming to offer an indemnity is one thing, but indemnities can be written broadly or narrowly and can include exceptions big and small. Given that GitHub already had a history of publishing misleading information about its legal protections, which I detailed here, I was curious to see what Microsoft came up with.
Close to a month later, GitHub finally published some new indemnity-related language. Section 4 of the GitHub Copilot Product Specific Terms was updated from this:
To this:
The General Terms remain the same:
As before, the IP indemnity only applies to paying customers, but now it explicitly covers not just use of GitHub Copilot, but also any IP claims related to its Suggestions. But, this update of Section 4 seems a bit hasty. When GitHub says the Suggestions are “included,” does that also mean that the Suggestions are subject to the “unmodified as provided by GitHub and not combined with anything else” carveout? As discussed before, in the context of how developers use GitHub Copilot, those exceptions are so large they threaten to swallow the indemnity whole. It’s entirely up for debate whether or not those exceptions are meant to apply to Suggestions as well or not. Further, with respect to GitHub’s mitigation measures, is GitHub also offering to replace the Suggestions with a functional equivalent? Again, I think it’s entirely unclear.
But, let’s say for the sake of argument that GitHub is being generous and we should read these ambiguities as being resolved in favor of the customer. The big elephant in the room is that a lawsuit against a customer may or may not specify exact Suggestions that infringe the copyright holder’s IP rights. The plaintiffs in many of the existing class action lawsuits against various generative AI companies don’t allege any specific infringing output; they allege infringement generally, solely on the basis of their works being used to train the models. One alleges that the model itself ends up being a derivative work of the training data and goes so far as to say that all output infringes the copyright of the author of each piece of training data.
Lawsuits with that posture are much harder to bring against Copilot customers since the customers didn’t train the model and didn’t handle any of the training data, but there is some uncertainty around whether the courts will accept that a model is a derivative work of the training data (and therefore, to the extent models are offered for physical distribution, making copies of the model also infringes the copyrights of the training data authors) or that all model output is a de facto infringement of the training data’s copyrights. So, if the plaintiff doesn’t specify infringing output and the customer has no way to track what was and what wasn’t a Suggestion, what would it mean for the customer to stop infringing if they lose the case or GitHub settles it on their behalf? Would the customer just have to stop shipping its product entirely and rewrite it so that there’s certainty it doesn’t include any Copilot Suggestions? The likelihood of such a claim against a customer or its ultimate success is probably low, but it’s not zero, and the cost of such an outcome is extremely high. It’s likely higher than the related copyright statutory damages.
The issue here is that an injunction or agreement to stop infringing is an equitable remedy; it’s not monetary damages. That means that any revenue losses resulting from a customer needing to discontinue a product aren’t damages covered by the indemnity and are losses they would have to deal with alone. Such damages would be consequential damages for which Microsoft fully disclaims any liability. That potentially puts GitHub in a position where they make a settlement on a customer’s behalf that effectively ends their business, with no or limited financial repercussions for GitHub. Worse, GitHub would still be able to tell reporters that they “fulfilled their obligations to defend their customers against IP claims related to Copilot” and unless the customer is well-known, the customer’s ultimate immiseration may never become publicly known, especially if the settlement’s terms include confidentiality.
It’s also worth noting that the new indemnity provision is strictly for IP claims and does not cover other types of claims, like those that might arise from security vulnerabilities introduced by the Suggestions. It also doesn’t cover some of the claims already brought against GitHub such as those under the DMCA’s Section 1202 related to deleting copyright management information or related to violations of the California Consumer Privacy Act. Either of those could potentially be brought against GitHub customers as well.
Conclusion
Microsoft and GitHub’s new indemnity offer is an improvement over their previous offer, but the drafting leaves a lot of open questions about how it would apply in practice. Is that ambiguity intentional or just the result of drafting quickly under pressure? Overall, the specter of lawsuits against customers is likely overblown, but the worst case scenario I described here is quite bad. One remedy is obviously to ask GitHub for final approval over any settlement or any settlement that includes any conditions other than monetary damages. However, if that fails, customers might also consider something unusual: ban GitHub from making settlements subject to confidentiality obligations without the customer’s written consent so that GitHub will have its reputation to consider if it chooses to throw a customer under the bus in the name of a quick and cheap settlement.
