IP, Licensing, and AI-Generated Code

background-shape
IP, Licensing, and AI-Generated Code
December 21, 2022 · 5 min read · by Muhammad Amal ai

TL;DR — Late 2022 legal status: Copilot class-action lawsuit ongoing. Generated code can occasionally reproduce training-set snippets verbatim — license-risky. Microsoft offers indemnification for Copilot Business customers. Most companies treat AI-generated code as “human-authored” in practice; large companies have written policy. This post is not legal advice.

After the AI tools landscape, the legal question that won’t go away. As an engineer, not a lawyer; this is what I’ve understood from the public state.

The lawsuit

November 2022: class-action filed against GitHub, Microsoft, OpenAI alleging Copilot’s training on public GitHub code constitutes a license violation. Specifically:

  • Copilot trains on code under licenses (MIT, GPL, AGPL, etc.)
  • Some licenses require attribution; copyleft requires reciprocal licensing
  • Copilot strips license info when generating
  • Generated output sometimes resembles training data closely

Plaintiffs argue: this is unlicensed redistribution of training data.

Defendants argue: training is fair use; outputs are transformations.

As of December 2022: case is in early motions. Resolution probably 2023-2025. No injunction; Copilot still operates.

What this means practically

Three scenarios:

Scenario 1: court rules training is fair use. Status quo. Models stay; no licensing restrictions on output.

Scenario 2: court rules training violates licenses. Models retrained on permissive-only code; possibly retroactive damages. Likely a 2024-2025 outcome at earliest.

Scenario 3: settlement. Microsoft pays; modifies Copilot to attribute / filter. Code in your repo isn’t affected retroactively.

For most engineers, the practical risk in December 2022 is low. The lawsuit will move slowly; outcomes uncertain; output code is rarely a verbatim copy of training data.

Verbatim reproduction risk

The clearest legal risk: Copilot occasionally outputs near-identical code from training. Documented examples in the lawsuit show ~150 lines of GPL-licensed code reproduced near-verbatim.

When does this happen?

  • Generic boilerplate (unique enough to be problematic, common enough that many devs have written it)
  • Famous algorithms reproduced one specific way (fast inverse square root, sample sorts)
  • Tutorial code that everyone copy-pastes

When it doesn’t:

  • Domain-specific business logic (no near-identical training data)
  • Code following your project’s specific patterns (deviation from training)
  • Tests for your specific code

Mitigation: visual scan generated code for “this looks suspiciously complete.” If a 50-line function appeared in 1 second from a 1-line prompt, it might be reproduction.

Microsoft’s indemnification (2022)

For Copilot Business ($19/user/month), Microsoft offers IP indemnification — they’ll defend you legally if a customer sues over Copilot-generated output.

Terms of the indemnification:

  • You’re using Copilot Business (not Individual)
  • The output you’re being sued over was generated through Copilot
  • You haven’t deliberately tried to reproduce specific copyrighted work

For commercial use: Copilot Business is meaningful protection. Worth the cost beyond just the better privacy posture.

Company policies in 2022

Three patterns I’ve seen:

Permissive: “Use AI tools; review output normally.” Most US tech companies.

Cautious: “Use Copilot Business or Tabnine Pro only; document AI usage in PRs.” Some financial / healthcare.

Restrictive: “No AI code generation tools.” Some defense, government, strict open-source compliance shops.

Check your employer’s policy. Don’t assume.

License contamination concerns

A specific risk: if Copilot reproduces GPL code, your codebase might be “contaminated” — distributing it could trigger GPL’s reciprocal requirements (must release source).

For a commercial closed-source product, this is bad. The mitigation:

  • Don’t use Copilot for code where contamination is a risk
  • Use Copilot Business (Microsoft’s indemnification + safer training-data filtering)
  • For very high-stakes code, write from scratch

For internal-only tools (not distributed): GPL contamination matters less. The risk is more about future use; cautious teams write internal tools fresh anyway.

Your code in training data

The reverse question: if you publish open source code, will it be used to train future AI models?

Answer (Dec 2022): probably yes. GitHub claims they’ve added opt-out for Copilot training; OpenAI / others don’t explicitly opt you in or out from public web content.

To minimize exposure:

  • Add a robots.txt-style “do not train” file (no standard exists yet; emerging conventions)
  • License your code under terms that prohibit AI training (CC BY-SA-NC variants — uncertain enforceability)
  • Don’t publish what you don’t want trained on

Practical reality: published code is training data. Plan accordingly.

Attribution generation

A workflow some teams adopt: log which AI assistant generated which code, in commit messages or a separate file.

git commit -m "Add subscription validation

Co-authored-by: GitHub Copilot <copilot@github.com>"

Not a legal requirement; helps if audit comes later.

Some teams require this; most don’t.

What I do personally

  • Copilot Business (employer pays)
  • Default trust mode: review every line; reject anything that looks “too complete”
  • For permissively-licensed open source I publish: no AI tool restrictions (output’s mine to use)
  • For commercial / paid client work: AI assistance OK, output reviewed, attribution in commit (not required by clients, but my policy)
  • Avoid Copilot for security-critical code (review cost too high)

For shops with stricter policies, scale up the restrictions. The baseline is “review with the assumption that AI output has slight legal risk.”

Common Pitfalls

Assuming AI code has no licensing risk. It has some; small for most code, larger for reproductions.

Using AI for code your employer prohibits. Career-ending in some cases.

Believing the lawsuit will be resolved soon. US class actions take years.

Distributing AI-generated GPL code in closed-source product. Specific contamination risk.

Not reading Copilot Business indemnification fine print. Real protection but with conditions.

Treating my words as legal advice. I’m not a lawyer. Engage one if it matters.

Wrapping Up

Legal landscape is unsettled; risk is low for typical commercial use; verify your employer’s policy; pay for indemnified plans if commercial. Friday: productivity metrics that actually matter.

Related posts

Beyond Copilot, Tabnine, Codeium, Amazon CodeWhisperer
Dec 19, 2022 · 4 min ai

Beyond Copilot, Tabnine, Codeium, Amazon CodeWhisperer
Copilot for Tests, TDD or Anti-TDD?
Dec 14, 2022 · 5 min ai

Copilot for Tests, TDD or Anti-TDD?
Pair Programming With an AI Assistant
Dec 12, 2022 · 4 min ai

Pair Programming With an AI Assistant
Reviewing AI-Suggested Code
Dec 9, 2022 · 4 min ai

Reviewing AI-Suggested Code
Prompt-Style Comments to Steer Copilot
Dec 7, 2022 · 4 min ai

Prompt-Style Comments to Steer Copilot
What Copilot Is Good At (and What It Isn't)
Dec 5, 2022 · 4 min ai

What Copilot Is Good At (and What It Isn't)
A Year With GitHub Copilot in Production
Dec 2, 2022 · 4 min ai

A Year With GitHub Copilot in Production
Few-Shot Prompting and In-Context Learning
Jan 17, 2023 · 4 min ai

Few-Shot Prompting and In-Context Learning