examplesGitHub Copilot Training Data

GitHub Copilot Training Data Reconstruction

This is a post-hoc reconstruction using ORP v0.2. The original dataset creators (Microsoft/GitHub/OpenAI) did not produce this documentation. This demonstrates what ORP would capture if applied prospectively to dataset creation.

Overview

GitHub Copilot (launched June 2021) is an AI pair programming tool trained on billions of lines of public code from GitHub repositories. Built on OpenAI Codex (a GPT-3 variant fine-tuned on code), Copilot has over 1 million users and generates $100M+ annual revenue.

This ORP document reconstructs the dataset’s constitution to demonstrate how constitutive decisions resulted in license violations, open source exploitation, and ecosystem harm.

Key Metadata

  • Dataset Size: Billions of lines of code from 100M+ GitHub repositories (estimated)
  • Languages: Python, JavaScript, TypeScript, Ruby, Go, Java, C++, C#, PHP, and more
  • Data Types: Source code files from public repositories
  • Collection Period: 2008-2021 snapshot
  • Training Model: OpenAI Codex (12B parameters, GPT-3 architecture)
  • Compliance Level: ORP-PostHoc (post-hoc reconstruction)
  • ORP Version: 0.2
  • Extensions Used: orp-ai-training-v1, orp-license-v1

Data Provenance Highlights

Sources

Primary: GitHub public repositories (2008-2021 snapshot, estimated 100M+ repositories) Languages: Python, JavaScript, TypeScript, Ruby, Go, Java, C++, C#, PHP (most represented)

Collection Methods

Training pipeline (inferred from OpenAI Codex paper and GitHub disclosure):

  1. Repository Selection: All public GitHub repositories, filtered by file size (>1KB), auto-generated code excluded
  2. Code Extraction: Extract all code files, strip comments and license headers
  3. License Filtering: NONE - No filtering by license type (GPL included alongside MIT, Apache, BSD)
  4. Quality/Security Filtering: MINIMAL - Auto-generated code filtered, but no security vulnerability filtering
  5. Training: GPT-3 architecture (12B parameters), fine-tuned on code for several months (2020-2021)

Key technical details:

  • Processing: Billions of lines of code from 100M+ repositories
  • Compute: Estimated $10-50M in training costs (Azure infrastructure)
  • Deduplication: Exact matches only (within-file and cross-file)
  • Preprocessing: License headers stripped (⚠️ DMCA § 1202 potential violation)

Critical Legal Issues

Tier 2 Legal Harm:

GPL Copyleft Violations:

  • GPL licenses require derivative works to be GPL-licensed (“viral” effect)
  • Copilot trained on GPL code but outputs not GPL-licensed
  • $1-10B lawsuit pending (Doe v. GitHub, filed November 2022)
  • Class action lawsuit alleges DMCA § 1202 violations (removing copyright management information)

Attribution Stripping:

  • MIT/Apache licenses require attribution (copyright notice preserved)
  • License headers stripped during preprocessing
  • Copilot outputs do not include original author attribution
  • Violates license terms of millions of repositories

DMCA § 1202 Violations:

  • Federal law prohibits removing copyright management information
  • License headers are copyright management information
  • Stripping headers during preprocessing potentially violates DMCA
  • Penalties: $2,500-25,000 per violation (could apply to millions of files)

Critical Economic Issues

Tier 3 Economic Harm (Labor Exploitation):

OSS Maintainers Receive $0:

  • 10 million+ open source maintainers contributed code used as training data
  • GitHub Copilot generates $100M+ annual revenue (GitHub subsidiary of Microsoft)
  • Zero compensation to original code authors
  • Labor exploitation: Unpaid OSS work commercially monetized without consent or compensation

Revenue Sharing Alternatives Never Evaluated:

  • 10% revenue sharing ($10M+/year) to OSS maintainers would improve sustainability
  • Retains 90% profit margin for Microsoft/GitHub
  • Would address ecosystem crisis (maintainer burnout, funding gaps)
  • Alternative never publicly documented or considered

Known Limitations

  1. License Violations: GPL copyleft potentially violated, MIT/Apache attribution stripped, DMCA § 1202 violations.

  2. Security Vulnerabilities: 40% of Copilot outputs contain security vulnerabilities (Pearce et al. 2021 study). Propagates SQL injection, path traversal, command injection patterns from training data.

  3. Memorization: Copilot can reproduce verbatim code from training data (up to 50+ lines). Violates copyright if code was proprietary or GPL-licensed.

  4. Quality Variance: Training data includes bad code, deprecated practices, security anti-patterns. No systematic quality filtering.

  5. Bias and Stereotypes: Code comments in training data include offensive language, stereotypes, and bias. Propagated to Copilot outputs.

Accountability Gaps

Critical gaps documented in this reconstruction:

  1. No License Compliance Analysis: Microsoft/GitHub/OpenAI did not publicly document license distribution of training data or analyze copyleft implications. Decision made for UNSTATED reasons (maximize training data? ignore legal risk?).

  2. OSS Maintainers Not Consulted: 10 million+ maintainers whose code was used had no governance voice. No representation in decision-making, no consent mechanism, no opt-out.

  3. Alternatives Not Evaluated: License-compliant training (permissive licenses only) eliminates legal risk at 10-20% performance cost. Revenue sharing to OSS maintainers ($10M+/year) improves sustainability. Neither alternative publicly documented.

  4. Opt-Out Mechanism Absent: Repository owners cannot prevent their code from being used in Copilot training. GitHub Terms of Service (updated 2021) retroactively authorized AI training, but no opt-out for existing repositories.

  5. Security Filtering Inadequate: 40% of outputs contain vulnerabilities, but no systematic security filtering during training. Known issue not addressed before launch.

  6. Disclosure Inadequate: GitHub/OpenAI have not disclosed:

    • Exact list of repositories used (trade secret?)
    • License distribution (% GPL vs MIT vs Apache)
    • Whether deleted repositories included
    • Whether private repositories accidentally included (data breach risk)

Key Findings

This post-hoc reconstruction reveals:

  1. No license compliance analysis before training - GPL, MIT, Apache code included without filtering

  2. License headers stripped during preprocessing - DMCA § 1202 potential violation

  3. 10 million+ OSS maintainers received $0 compensation - Despite $100M+ Copilot revenue

  4. $1-10B lawsuit pending - Class action for GPL violations and DMCA violations

  5. Open source ecosystem crisis accelerated - Unpaid labor commercially exploited, maintainers burn out

Why This Matters

GitHub Copilot demonstrates legal, economic, and ecosystem harm triad:

  • Legal: GPL violations, attribution stripping, DMCA violations ($1-10B lawsuit pending)
  • Economic: Labor exploitation (10M+ maintainers $0 compensation, $100M+ revenue)
  • Ecosystem: Open source sustainability crisis (unpaid labor commercially exploited)

Unlike other AI training datasets:

  • ImageNet: Bias and taxonomy issues (Tier 3-4 harm)
  • LAION-5B: CSAM and safety failures (Tier 1 harm, post-hoc remediation possible)
  • Common Crawl: Linguistic exclusion (Tier 1 harm, irreversible)
  • GitHub Copilot: Legal violations baked into model weights permanently (cannot “un-train” on GPL code)

ORP enables: Prospective license compliance analysis (Layer 1), economic impact simulation (Layer 2), and stakeholder consultation (Layer 3) before training.

Timeline

  • 2020-2021: Code collection and Codex training (Microsoft/OpenAI)
  • June 2021: GitHub Copilot launched (technical preview)
  • June 2022: GitHub Copilot generally available ($10/month subscription)
  • November 2022: Class action lawsuit filed (Doe v. GitHub, Microsoft, OpenAI)
  • 2023-2024: 40% of outputs found to contain security vulnerabilities (Pearce et al. 2021)
  • Present: Lawsuit ongoing, 1M+ users, $100M+ revenue

Legal Cases

Doe v. GitHub, Inc., Microsoft Corporation, and OpenAI, Inc. (November 2022)

  • Allegations: GPL violations, DMCA § 1202 violations, breach of contract, unjust enrichment
  • Plaintiffs: Class action representing open source maintainers
  • Damages: $1-10B estimated
  • Status: Ongoing

Related Research

  • Original paper: Chen et al. (2021) “Evaluating Large Language Models Trained on Code” (OpenAI Codex)
  • Security vulnerabilities: Pearce et al. (2021) “Asleep at the Keyboard? Assessing the Security of GitHub Copilot’s Code Contributions”
  • License analysis: Ziegler (2021) “GitHub Copilot and Open Source Licensing” (Software Freedom Conservancy)

Download

Related Examples

Note: This reconstruction is based on published papers (Chen et al. 2021), legal filings (Doe v. GitHub 2022), and technical analyses. It represents an external analyst’s best effort to document the dataset’s constitution and legal issues using available information. Microsoft/GitHub/OpenAI were not involved in producing this ORP document.

Common Crawl Training DataOverview