Doe v. GitHub Copilot November 2022: When the Open-Source Code Licensing Question Met an AI Coding Assistant

Incident summary

On 3 November 2022 a class-action lawsuit was filed in the United States District Court for the Northern District of California (Doe v. GitHub Inc., Case No. 4:22-cv-06823) against GitHub, Microsoft, and OpenAI. The complaint, brought by anonymous open-source software developer plaintiffs (Doe 1 through Doe N) and represented by the Joseph Saveri Law Firm with attorney Matthew Butterick, alleged that GitHub Copilot trained on public GitHub repositories including substantial open-source code under licenses (GPL, MIT, Apache 2.0, BSD, others) that require attribution and license preservation.

The complaint alleged that Copilot's code completions reproduced training-code patterns without preserving the attribution and license information the original code required. Claims included violation of the Digital Millennium Copyright Act (DMCA) Section 1202 (preservation of copyright management information), tortious interference with open-source contributor agreements, breach of contract with the GitHub Terms of Service, and unjust enrichment.

The case proceeded through 2023 and 2024 with motions to dismiss and amended complaints. Most claims (including DMCA, fraud, tortious interference, and California unfair competition) were dismissed across the docket; the breach-of-contract claim (specifically against GitHub for alleged violation of GitHub's own Terms of Service obligations to repository owners) survived 2024 motion practice. Certain claims and parties have been the subject of partial settlement; the broader question of AI-coding-assistant training-data legal exposure remains substantially open.

Failure technique

The legal-technical pattern is reuse of permissively-licensed open-source code in foundation-model training where the model's outputs reproduce code patterns without preserving the attribution and license requirements the original code carried. Most permissive open-source licenses (MIT, BSD, Apache 2.0) do not restrict reuse but do require attribution and preservation of license text; copyleft licenses (GPL variants) carry stronger requirements.

The technical question is whether the model's output (a code completion) is a derivative work of the training code (which would require license-compliance), an independent expression (which would not), or something between. Per the US Copyright Office July 2024 report on Generative AI Training, the legal questions are open across multiple dimensions. The specific case-law trajectory of Doe v. GitHub is foundational for the coding-assistant subcategory.

GitHub Copilot's product has continued evolving through the litigation period. GitHub added a duplication-detection filter (released 2023) that suppresses code completions that match training code above a threshold. The filter is GitHub's operational response to the memorization concern; the legal-defense scope is broader than the filter alone.

Impact and consequences

Direct commercial impact on GitHub, Microsoft, and OpenAI has been operationally manageable but legally distracting. GitHub Copilot has continued growing substantially through the litigation period (the one-million-paying-subscribers milestone in October 2024 followed the litigation start by nearly two years). The legal cost and operational distraction is the steady-state expense rather than an existential issue.

Industry impact: the case is the foundational AI-coding-assistant training-data litigation. Subsequent AI coding assistants (Cursor, Codeium / Windsurf, Sourcegraph Cody, Tabnine, Replit Ghostwriter / AI Agent) have all addressed training-data sourcing, attribution-preserving outputs, and duplication-detection more explicitly than 2022-era products did. Per-product behavior varies substantially; the legal-defense surface has converged toward (1) attribution preservation in code-block outputs where appropriate, (2) duplication-detection filters, and (3) explicit user-facing licensing terms.

Open-source community impact: the Doe v. GitHub case is the most-cited 2022-2024 legal event in the open-source community's conversation about AI training on open-source code. The Open Source Initiative, the Free Software Foundation, and Creative Commons have all engaged with the question. The conversation feeds into subsequent permissive-license updates and open-source AI training-data norms.

Lessons for builders

Treat open-source-code license terms as binding when training AI coding assistants on the code. Permissive licenses are not 'no license' — they impose attribution and license-preservation obligations. AI Strategy Lead owns the regulatory-engagement posture; AI Engineer owns the operational implementation of attribution-preserving outputs.

Build duplication-detection filters as a baseline feature for AI coding assistants. GitHub Copilot's duplication-detection filter is the operational model; per the Doe litigation precedent, the filter is now a defensive expectation rather than a differentiating feature.

Distinguish copilot/completion output from generated-code-block output in attribution handling. A short tab-completion that matches a common pattern is different from a multi-line code block that reproduces a specific algorithm with structure; the attribution-preservation obligation scales accordingly.

Engage with the open-source community deliberately. The Doe v. GitHub case grew out of the open-source community's response to Copilot's launch; subsequent AI coding assistants have explicitly engaged with open-source community concerns to manage the legal and reputational surface.

Mitigations

What builders should put in place to address the failure pattern. Each mitigation maps to operational practice the relevant Applied AI roles own.

Related Applied AI roles

The Applied AI roles whose day-to-day work would have prevented, detected, or contained this incident.

• AI Strategy Lead: An AI Strategy Lead owns organizational AI strategy and prioritization at the company level.
• AI Engineer: An AI Engineer builds production cybersecurity-relevant AI systems integrating LLMs, embeddings, and retrieval pipelines.
• Senior AI Product Manager: A Senior AI Product Manager owns AI product strategy across multiple feature areas.
• AI Product Manager: An AI Product Manager owns AI-powered product features and the roadmap that ships them.

Companies central to this incident

Read the DecipherU Applied AI company profiles for the organizations whose decisions, products, or research shaped this incident.

• GitHub Copilot (Microsoft / GitHub): AI pair-programmer integrated into GitHub, VS Code, JetBrains, and CLI workflows
• OpenAI: Frontier large language models and consumer + API AI products

Related AI Decipher Files

• New York Times v. OpenAI (Dec 2023): The Copyright Case That Defines AI Training Liability
• Authors Guild v. OpenAI September 2023: When the Major Book-Author Class Action Joined the Generative-AI Training-Data Copyright Docket
• Stability AI v. Getty Images February 2023: When Image Generators Faced Their First Major Training-Data Copyright Lawsuit

Frequently asked questions