How FOSS Projects Handle Legal Takedown Requests
6 comments
September 12, 2025
politelemon
This seems like a well-balanced approach. I do love the abuse mitigation measures in place to dissuade casually malicious actors. The fact that providing evidence itself is a deterrent just goes to show how ill-intentioned most of them are.
its-summertime
How does it make sense to ask an app developer to appeal on behalf of a platform they have zero control over?
vetrom
It doesn't, but platforms basically do everything they can to claim the various common-carrier liability shields in DMCA-like laws. In the U.S. that means they forward the takedown request to whoever generated the content, and in theory should allow that generator to comply, or publish a counterclaim.
The whole system falls on the floor though when the common carriers aren't, and have low-quality processes that don't actually enable the counterclaim half of this process.
behringer
Don't be fooled. These so-called low-quality processes are designed by large corporations in order to abuse their positions and retain control over all content being shown. The providers have no interest in providing legal protections to their small content creators. They want to focus on pleasing the big players.
SpicyLemonZest
The entire concept of a "takedown request" is a compromise solution. Platforms would ideally like to be a public square, where third parties can say whatever they want and the platform doesn't have to do much about it. Copyright holders, revenge porn victims, etc. would prefer to hold the platforms strictly liable, because on the Internet it's extremely hard to actually find the third parties. So in a variety of contexts we've found it's useful to meet in the middle: platforms are exempt from liability, but in return they have to process takedown requests, unless the third party challenges the takedown and makes themselves available for possible legal proceedings.
I typically get a takedown notice a couple times a week, usually from my registrar (Namecheap) or from Netcraft, about 100 so far.
I keep a public (transparent) list of takedowns, on a public repo on GitHub. The commit messages are the logs. [0]
I have a way to dispute: raise a GitHub issue. I've only had two people dispute: one was legit, and I unblocked him, and the other ran a WordPress site which he didn't know was compromised. I did not unblock him. [1]
Please don't judge me harshly for honoring the takedowns immediately, but I do so because the remedy is simple: register your own domain, and don't rely on my nip.io / sslip.io service (which maps IP addresses to hostnames as a convenience for developers, e.g. 127.0.0.1.nip.io → 127.0.0.1).
Dealing with takedown requests is the least pleasant aspect of running a FOSS project. I want to spend my free time coding, not blocking phishers, scammers, and grifters.
[0] https://github.com/cunnie/sslip.io-blocklist
[1] https://github.com/cunnie/sslip.io/issues/100