[Members] using GitHub for XEPs - legal risks

Winfried Tilanus winfried at tilanus.com
Tue May 12 11:46:14 UTC 2015

On 08-05-15 14:04, Kurt Zeilenga wrote:


For the hasty people: my conclusion is that the liability risk for the
XSF when dealing with IP-infringement may even slightly improve when the
XSF editors workflow is done over github.

For the not so hasty people:

> GitHub terms of service has an indemnification clause.   The XSF
> should consider what the XSF is on the hook here for… and what their
> editor team members and employers are on the hook for… and what
> authors (and their employers) who choose to have GitHub accounts for
> XSF work on on a hook for.

Yes, I think it is good to make an analysis of the legal risks. So I
will try to make a start with that (without claiming to be complete etc,

The question I want to answer here is: "how will the legal risk for the
XSF change when the XSF XEP maintenance process moves to GitHub."
(Risk is defined here as:
'chance something goes wrong X damage when it goes wrong')

The clause this is about is, is:
Section "F. Copyright and Content Ownership" third article:

You shall defend GitHub against any claim, demand, suit or proceeding
made or brought against GitHub by a third-party alleging that Your
Content, or Your use of the Service in violation of this Agreement,
infringes or misappropriates the intellectual property rights of a
third-party or violates applicable law, and shall indemnify GitHub for
any damages finally awarded against, and for reasonable attorney’s fees
incurred by, GitHub in connection with any such claim, demand, suit or
proceeding; provided, that GitHub (a) promptly gives You written notice
of the claim, demand, suit or proceeding; (b) gives You sole control of
the defense and settlement of the claim, demand, suit or proceeding
(provided that You may not settle any claim, demand, suit or proceeding
unless the settlement unconditionally releases GitHub of all liability);
and (c) provides to You all reasonable assistance, at Your expense.

To summarize: In case a third party makes an IPR claim against GitHub
because of something published on the XSF GitHUb account, the XSF should
defend GitHub. Also, if XSF controls the defense against such a claim
and a claim against GitHub is awarded, then the XSF has to pay for the
claim against GitHub and has to pay GitHubs attorney's fees.

So the move to GitHub introduces new possible damages: the obligation to
defend GitHub and a claim by GitHub.

Now have a look at the editors work flow.
- An author submits a proto-XEP to editor at xsf.org
- The editorial team asks confirmation from the author that he or she is
the full owner of the XEP and unaware of any IPR claims.
- The XEP is published as proto-XEP.

When using GitHub the workflow will be:
- An author sends a pull request to the XSF
- The editorial team asks confirmation from the author that he or she is
the full owner of the XEP and unaware of any IPR claims.
- The XEP is published as proto-XEP.

Scenario's that generate IPR risks in the XSF XEP submission process are:
1) a XEP author unknowingly infringes somebodies IP, resulting a claim
2) a XEP author claims ownership of IP, knowing a third party also claims it
3) a XEP author retracts the submission when asked to confirm the IP
ownership by the editorial team.

Now the hard part: who liable in this process? That will also depend on
jurisdiction, so the answer to that question is a bit of a wild west. But:
* The author will be liable in all cases. To what extend will vary from
case to case.
* The XSF may become liable once they accept a XEP. The liability of the
XSF increases quite a bit if the XSF could have known about the
infringement. But up to that point, the liability of the XSF is quite
limited: in most cases it will be a 'notice and takedown' situation.
* Finally the most interesting case: a site publishing the (proto) XEP
may be liable for publishing IP infringing material. This is the
situation where GitHub indemnification clause may kick into action. The
common legal situation is that only if the site knowingly continues to
publish IP infringing material, the site is liable. This boils down to a
'notice and takedown'. So GitHub, or an other site publishing the XEP,
can become liable when:
- IP infringement is proven
- It keeps publishing the material despite of the infringement
GitHubs indemnification clause kicks in when the XSF controls the legal
defense against such a claim and the outcome of the claim is that GitHub
has to pay damages. This outcome is very unlikely as long as the XSF
does not knowingly keeps publishing an IP-infringing XEP on GitHub.

So how does using GitHub change, comparing to the submission by e-mail?
Well: when using GitHub a XEP author publishes the first drafts under
his or her own account and the XSF comes only in view when the
pull-request is accepted. When submitting by e-mail, the proto-XEP is
already published in the XSF mail archives before the author agrees to
the IP-statement. That makes it *much* harder for the XSF to prove it
didn't knew about the IP-infringement (and to wave away liability).

So IMHO using GitHub reduces legal risks for the XSF, because:
1) GitHubs workflow makes it easier to ask the author about the
IP-status of a proposed XEP before it is published by the XSF.
2) It is highly unlikely GitHubs indemnification clause kicks in, as
long as the XSF does not knowingly use GitHUb to publish IP-infringing
material. When the XSF publishes herself, the XSF is always in the line
of fire.

For XEP authors very little changes: the current practice of moving
liability to them keeps the same.


More information about the Members mailing list