China-based video-sharing site Bilibili has taken to the US courts in an effort to identify individuals who leaked its source code, usernames and passwords online. NASDAQ-listed Bilibili, which has more than 90 million monthly users, is using the DMCA to force Github to hand over the identities of several people who published the data on the platform.
Little known in the West, Bilibili is a China-based video-sharing platform with a focus on anime, comics and games.
Users are able to upload videos to the NASDAQ-listed platform for others to add their own commentary and subtitles. According to data released by Bilibili in February, the service enjoys in excess of 92 million monthly users. Shortly after, however, the site suffered a setback.
A report in April indicated that someone had uploaded a large trove of data to Github, reportedly culled from Bilibili, including source code, user names and passwords. The company played down the leak, stating that the data was from an old version of the site and “defensive steps” had been taken to ensure user security wasn’t compromised.
However, Bilibili also promised to investigate the source of the leak and there are now clear signs that it is doing so in the United States, using copyright law.
Documents obtained by TorrentFreak show a China-based law firm writing to Github on April 23, 2019, a letter which appears to indicate the problem may be more serious than it first appeared.
“On April 22, 2019 (GMT-8), a Github user (user ID: “openbilibili”) published a post with the subject of “openbilibili/go-common” in the Github website, which contained the comprehensive and detailed information of Bilibili’s source code and other trade secrets/confidential information,” the letter reads.
At least one other Github user posted the same information shortly after, which resulted in additional users forking that data. Bilibili’s law firm said these infringing acts meant that the individuals responsible for them could be held accountable under both civil and criminal law.
The letter indicates that Github had already taken measures to disable access to some of the infringing content. However, Bilibili’s legal team wanted the platform to go further, by handing over “any and all personal information” it holds on the individuals in question, including IP and email addresses, telephone numbers, browsing history, plus upload and download records.
What happened next isn’t clear but it seems likely that Github refused to comply with Bilibili’s demands in the absence of a legal document compelling it to cooperate. That probably being the case, this week Bilibili requested a DMCA subpoena at a San Francisco federal court to unmask the Github users.
It is not yet clear whether Github has already handed over the personal details of the alleged infringers but Bilibili is talking tough. Earlier documentation suggests that the company was preparing a report so that police in Shangai could “stop, investigate and punish the suspected crime immediately.”
Given that the company has used the DMCA to obtain Github users’ identities, it will be interesting to see if it actually pursues a copyright claim in the US or whether the DMCA subpoena route is simply an easy way to get things started in other areas of law.
Many thanks to TorrentFreak for the breaking news.