Site icon Tattoo Games News

GitHub Copilot’s Unauthorized Use of Private Code: A Deep Dive into AI Training Ethics and the FTC Anti-Trust probe.

Wren Crowe
FTC kicking the shit out of microsoft

FTC kicking the shit out of microsoft

GitHub Copilot, Microsoft’s AI-powered coding assistant, has been embroiled in controversy regarding its training methodologies and potential misuse of private code. Recent developments have brought renewed attention to longstanding concerns about the ethical and legal implications of training AI on copyrighted code without explicit permission from developers. This report examines the multiple facets of this issue, from potential data leaks to legal challenges and their implications for the broader tech industry.

The Exposure of Private Repositories Through Copilot

In a troubling development reported in February 2025, Microsoft’s Copilot AI assistant was found to be exposing the contents of more than 20,000 private GitHub repositories belonging to major technology companies including Google, Intel, Huawei, PayPal, IBM, Tencent, and ironically, Microsoft itself1. These repositories, owned by over 16,000 organizations, had initially been public but were later designated as private, often after developers realized they contained sensitive information such as authentication credentials1. Despite this change in status, these repositories remained accessible through Copilot months after being made private.

The security firm Lasso discovered this vulnerability in late 2024 and conducted further investigations to understand its scope. Their research revealed that the issue stemmed from Bing’s caching mechanism, which had indexed these pages during their public phase but failed to remove the entries once the repositories were made private on GitHub1. Since Copilot utilizes Bing as its primary search engine, this cached data remained accessible through the AI chatbot, creating a significant security vulnerability.

This phenomenon of “zombie repositories” – those that were once public but are now private yet still accessible through AI tools – highlights the persistent nature of data exposure in digital environments3. Even brief public exposure of code can lead to long-term accessibility through AI systems trained on that data, raising serious concerns about data privacy and the challenges of completely retracting information once it has been exposed online3.

Copyright Infringement and Licensing Concerns

Beyond the issue of private repositories, GitHub Copilot has faced accusations of reproducing copyrighted code without proper attribution or adherence to original licensing terms. In 2022, Tim Davis, a professor of Computer Science and Engineering at Texas A&M University, publicly claimed that GitHub Copilot was emitting substantial portions of his copyrighted code without attribution or respect for its LGPL license5. Davis demonstrated that by simply typing a comment like “//sparse matrix transpose” in a C++ file, Copilot would generate code and comments that closely matched his previously published work5.

This incident raised alarming concerns about what some developers have termed “illegal source code laundering, automated by GitHub”5. The concern is that developers could potentially use Copilot to find and reproduce code under incompatible licenses while maintaining plausible deniability, claiming that “Copilot gave me that code”5. While Copilot does implement a public code filter designed to detect suggestions matching public code, this protection appears insufficient to prevent all instances of copyright infringement.

The DOE v. GitHub Legal Challenge

The controversy has escalated to legal proceedings, as evidenced by the DOE v. GitHub case, where plaintiffs allege that GitHub, Microsoft, and OpenAI never sought permission to use others’ code to train the Codex AI model that powers Copilot7. According to the legal filing, “Plaintiffs and members of the Class own the copyrights to Licensed Materials used to train Codex and Copilot,” and the defendants failed to contact copyright holders to obtain authority to remove or alter Copyright Management Information (CMI) from the licensed materials7.

The plaintiffs specifically note that they included various forms of CMI in their code, including copyright notices, author information, terms and conditions for use, and license specifications7. The legal challenge represents a significant test case for how copyright law applies to AI training data and could have far-reaching implications for the development of AI coding assistants.

Privacy Concerns and Data Handling Practices

Questions about how GitHub Copilot handles private code extend beyond the zombie repository issue. According to information available on Stack Overflow, the handling of private code varies depending on the version of Copilot and user settings8. While Copilot for Business claims not to retain code snippets used for context and discards them immediately after returning suggestions, Copilot for individuals may retain these snippets depending on user settings8.

This distinction becomes crucial when considering enterprise code development scenarios where code must remain strictly confidential. Even though Copilot is primarily trained on public code repositories, it uses local file contents to provide context for its suggestions, raising concerns about sensitive information like connection parameters or passwords potentially being captured and stored8. For business users, GitHub has introduced Content Exclusion features that allow organization owners to set up file exclusions to prevent certain files from being processed by Copilot8.

Recent Security Breaches

Adding to these concerns, in early March 2025, reports emerged of a GitHub Copilot AI security breach that exposed private repositories9. This incident reportedly involved leaked code potentially being introduced into other projects, leading security experts to recommend immediate rotation of keys and credentials that might have been exposed9. This recent breach underscores the ongoing security challenges associated with AI coding assistants and the potential for cascading security issues when private code is compromised.

Microsoft’s Broader Antitrust Scrutiny

The concerns about Copilot’s use of private code exist within a broader context of regulatory scrutiny facing Microsoft. The Federal Trade Commission (FTC) is conducting a wide-ranging antitrust probe into Microsoft’s business practices, with particular focus on how the company packages Office products with cybersecurity and cloud computing services4. While this investigation appears more focused on bundling practices than AI ethics, it represents part of the mounting regulatory pressure on large technology companies regarding competition and data practices.

In September 2024, Microsoft patched a critical vulnerability in Microsoft 365 Copilot that could have allowed attackers to steal sensitive user information, including emails and multi-factor authentication codes2. The vulnerability involved ASCII smuggling and prompt injection techniques, highlighting the security challenges inherent in AI-powered productivity tools2.

Implications for AI Training Ethics

The issues surrounding GitHub Copilot raise fundamental questions about AI training ethics and the responsibilities of technology companies when developing AI systems. The practice of training AI on publicly available code without explicit permission from copyright holders creates tensions between technological innovation and intellectual property rights. When this extends to potentially including private code that was temporarily public, these tensions are further amplified.

The controversy highlights a critical aspect of AI development: the distinction between what is technically possible and what is ethically appropriate. While AI systems can be trained on vast datasets collected from the internet, the legal and ethical implications of doing so without proper permissions remain contested. This is particularly relevant for code, which unlike many other forms of content, often comes with explicit licenses specifying how it can be used.

Conclusion

The controversy surrounding GitHub Copilot’s use of private repositories and copyrighted code without explicit permission represents a significant challenge for Microsoft and the broader AI industry. The recent exposure of private repositories through Copilot, along with ongoing legal challenges like DOE v. GitHub, highlight the complex intersection of AI advancement, data privacy, and intellectual property rights.

As AI coding assistants become increasingly integrated into software development workflows, establishing clear ethical and legal frameworks for training these systems becomes essential. The outcome of current legal challenges and regulatory scrutiny may shape how future AI systems are developed and trained, potentially requiring more transparent consent mechanisms for using developers’ code in training data. For organizations and individual developers, these issues underscore the importance of carefully considering the privacy implications of code sharing and the potential long-term consequences of even temporary public exposure of proprietary code.

Citations:

  1. https://arstechnica.com/information-technology/2025/02/copilot-exposes-private-github-pages-some-removed-by-microsoft/
  2. https://technijian.com/microsoft-365/microsoft-patches-critical-vulnerability-enabling-data-theft-in-365-copilot/
  3. https://www.ghacks.net/2025/02/26/private-github-repos-still-reachable-through-copilot-after-being-made-private/
  4. https://www.propublica.org/article/ftc-investigating-microsoft-antitrust-cloud-computing
  5. https://devclass.com/2022/10/17/github-copilot-under-fire-as-dev-claims-it-emits-large-chunks-of-my-copyrighted-code/
  6. https://cseducators.stackexchange.com/questions/7717/is-github-copilot-constantly-training-on-private-data
  7. https://hackernoon.com/doe-v-github-defendants-never-sought-permission-to-use-others-code-to-train-codex-or-copilot
  8. https://stackoverflow.com/questions/76075204/github-copilot-and-privacy-does-github-copilot-save-locally-developed-code
  9. https://www.youtube.com/watch?v=ucsMgByFwgo
  10. https://thehackernews.com/2024/08/microsoft-fixes-ascii-smuggling-flaw.html
  11. https://www.techradar.com/pro/security/thousands-of-github-repositories-exposed-via-microsoft-copilot
  12. https://petri.com/ftc-antitrust-probe-microsoft-cloud-ai/
  13. https://www.courthousenews.com/github-mounts-second-attempt-to-toss-anonymous-code-writers-claims-of-software-piracy/
  14. https://www.saverilawfirm.com/our-cases/github-copilot-intellectual-property-litigation
  15. https://www.reddit.com/r/github/comments/1clua7q/does_microsoft_use_your_private_repo_as_data_to/
  16. https://www.lasso.security/blog/lasso-major-vulnerability-in-microsoft-copilot
  17. https://rewterz.com/threat-advisory/microsoft-addresses-ascii-smuggling-bug-that-allowed-data-theft-from-microsoft-365-copilot
  18. https://www.cnn.com/2024/11/27/business/microsoft-ftc-investigation/index.html
  19. https://news.ycombinator.com/item?id=27890562
  20. https://www.bleepingcomputer.com/news/security/microsoft-sued-for-open-source-piracy-through-github-copilot/
  21. https://windowsforum.com/threads/microsoft-copilot-exposes-thousands-of-private-github-repositories-a-cybersecurity-alarm.354002/?amp=1
  22. https://www.theregister.com/2024/12/04/microsoft_ftc_antitrust_leak/
  23. https://www.developer-tech.com/news/microsoft-copilot-continues-to-expose-private-github-repositories/
  24. https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e
  25. https://www.techzine.eu/news/privacy-compliance/126609/after-google-microsoft-is-now-also-facing-an-ftc-antitrust-probe/
  26. https://law.stackexchange.com/questions/74137/who-owns-the-right-to-the-code-generated-by-github-copilot
  27. https://yro.slashdot.org/story/25/02/27/2129241/thousands-of-exposed-github-repositories-now-private-can-still-be-accessed-through-copilot
  28. https://www.fsf.org/licensing/copilot/copyright-implications-of-the-use-of-code-repositories-to-train-a-machine-learning-model
  29. https://news.ycombinator.com/item?id=36773515
  30. https://www.techtarget.com/searchsoftwarequality/news/252526359/Developers-warned-GitHub-Copilot-code-may-be-licensed
  31. https://georgetownlawtechreview.org/the-suit-against-copilot-and-what-it-means-for-generative-ai/GLTR-01-2023/
  32. https://www.vbforums.com/showthread.php?909513-Can-github-copilot-be-used-WITHOUT-exporting-your-code-to-github
  33. https://www.reddit.com/r/linux/comments/vidjop/github_copilot_legally_stealingselling_licensed/
  34. https://www.newscientist.com/article/2283136-githubs-programming-ai-may-be-reusing-code-without-permission/
  35. https://news.ycombinator.com/item?id=27736814

Exit mobile version