It seems like EFF fought for youtube-dl and GitHub used their letter as legal firepower to bring the repo back online. If GitHub were fighting for the developer they would have funded the attorney, right? Though from their blog post it does look like they are taking steps to fund defense in the future as well as other steps to improve the situation.
Reading EFFs claim is pretty interesting, they state that saving a copy of a video is only one function of youtube-dl. I think the biggest problem is the name is called "youtube download", it is sort of difficult to downplay that saving a copy is only one function when the name implies it is the main purpose of the program.
AFAIU the argument is more that youtube-dl is effectively a web browser and doesn’t do anything that a web browser doesn’t do. Further, it does not include any “secret” key for DRM circumvention like might be bundled with e.g. Chrome in the case of Widevine, where browser vendors agree to protect the secret key.
Right, but the law makes no mention of secret keys, it just says you can't go around anything that controls access to a copyright work; and you can't provide tools to do so. The actual legal definition of tools covers both actual technical purpose as well as marketed purpose. Rebranding, say, OBS as "Recorder for YouTube" and talking about how you can use it to get around YouTube's downloading protections by screencapping the entire video would possibly constitute a 1201 violation.
There's also another question of law, though: does 1201 apply when only the intent of the DRM has been circumvented, as opposed to it's technical scope? In other words, does pointing a camera at a monitor constitute circumvention of DRM under section 1201? Most DRM can't actually validate, say, that a human is watching instead of a camcorder. (Let's ignore pesky things like Cinavia which are more akin to post-piracy frustration techniques, and easily circumvented with any kind of Free media player.) Likewise, YouTube's rolling cipher can't really validate that it's not sitting inside of an instrumented browser that will dump whatever URLs it grabs. Our hypothetical OBS rebrand wouldn't actually be a 1201 violation unless the law specifically covers things that DRM can't technically enforce but would like to.
The rebuttal to your reasoning is in the letter. Basically a federal judge has previously ruled that utilizing a publicly available password is not circumvention of a copyright protection mechanism. The code containing the "sig" (as google calls it) or "rolling cipher" (as RIAA calls it) is available to anyone by viewing the JavaScript. This sig / cipher being public means it is not a copyright protection mechanism.
> This sig / cipher being public means it is not a copyright protection mechanism.
I can see this as ending up with Youtube being forced to require sign-ins. Massive expense for Google. Then Youtube-dl adds one parameter for the password, and we're back to square one.
You already have to sign in to view some videos, don’t you? Does YT-dL not have a way to handle those right now?
It does, but it's broken.
https://github.com/ytdl-org/youtube-dl/issues/23860
The developers are not responding to the issue, and from what I understand it is borderline impossible to fix, because there is an entire security team behind the Google login protection. The only workaround is to login with a browser and copy the cookies from it to youtube-dl.