Client claims they own code written with GitHub Copilot - do they have a case?

I'm a freelance software developer and I'm in a weird dispute with a client about code ownership.

Background: I built a custom web application for a client. Contract says I retain copyright to the code and they get an exclusive license to use it. Standard freelance developer setup.

I used GitHub Copilot extensively while writing the code - probably 30-40% of the codebase was generated or heavily assisted by Copilot. I'd write a comment describing what I needed, and Copilot would generate the function. I'd review it, modify it, integrate it. Normal Copilot usage.

Now the client wants to acquire the company and the acquirer is doing IP due diligence. They discovered I used Copilot and are claiming:

1. I don't actually own the copyright because AI-generated content isn't copyrightable
2. GitHub/Microsoft might own the code because Copilot generated it
3. The code might be derived from GPL-licensed code that Copilot was trained on
4. They want me to rewrite all the Copilot-assisted code or they're walking away from the deal

This seems insane to me. Copilot is just a tool, like an IDE or Stack Overflow. Do they actually have a point here legally? Am I going to have to rewrite 40% of a codebase I spent 6 months building?

IP attorney specializing in software. This is a genuinely unsettled area of law, but I'll break down each concern:

1. AI-generated content and copyright:

The Copyright Office has stated that purely AI-generated content (where a human provides minimal creative input) is not copyrightable. However, if you're using Copilot as a tool - writing prompts, selecting suggestions, modifying output, integrating it into your architecture - there's a strong argument you have sufficient human authorship for copyright protection.

Think of it like using autocomplete or a sophisticated code snippet library. The creative decisions (what to build, how to architect it, which suggestions to use, how to modify them) are still yours.

2. GitHub/Microsoft ownership:

GitHub's Copilot terms are actually pretty clear on this. They state: "GitHub Copilot is a tool. You are responsible for the code you write, including code generated by GitHub Copilot." And: "You retain all rights to your code." They explicitly disclaim ownership of Copilot's output.

3. GPL contamination risk:

This is the most legitimate concern. There have been documented cases of Copilot reproducing copyrighted code verbatim. If Copilot suggested code that's substantially similar to GPL-licensed code, and you used it, you might have GPL obligations.

The GPL contamination thing is real. I've seen Copilot suggest code that was clearly from specific open-source projects, including comments and variable names that were identical to the source.

There are tools you can use to check if code matches existing open-source repositories:

• GitHub's own "code search" can find similar code
• Black Duck or Snyk have commercial tools for detecting open-source code
• You can manually search for unique strings from your code to see if they appear in public repos

If you can demonstrate that your Copilot-generated code doesn't substantially match any GPL (or other copyleft) licensed code, you're probably in the clear on that concern.

Thanks for the detailed response. A few follow-ups:

1. How do I prove "sufficient human authorship"? Do I need to document every decision I made? That seems impossible after the fact.

2. Even if GitHub's terms say I own the output, doesn't the Copyright Office's position on AI-generated content override that? GitHub can't grant me copyright that doesn't legally exist, right?

3. I'll definitely run the code through some detection tools, but what's the threshold? If 5% of my code matches some MIT-licensed project, is that a problem? What about if it's just common patterns that lots of code shares?

The acquirer's law firm is being really aggressive about this and my client is panicking because the deal is worth $3.2M and they're threatening to walk.

Good questions. Let me address each:

Proving human authorship:

You don't need to document every keystroke. Evidence of human authorship includes:

• Your git commit history showing iterative development
• Code reviews, refactoring, debugging (shows creative decision-making)
• Architecture decisions, design documents, technical specifications
• Custom business logic that couldn't have been generated by Copilot
• Integration decisions about how different components interact

If you have a normal git history with incremental commits, that's pretty good evidence you were actively developing, not just accepting AI output blindly.

Copyright Office position vs. GitHub terms:

You're right that GitHub can't grant copyright that doesn't exist. But the Copyright Office's guidance on AI isn't as absolute as people think. They've said:

• Purely machine-generated content (no human involvement) is not copyrightable
• Content created with AI assistance WHERE THERE IS SUFFICIENT HUMAN AUTHORSHIP is copyrightable
• The human must have "creatively produced" the work

This is actually similar to photography (where you're using a tool) or computer-assisted design. The tool doesn't negate authorship if a human is making creative decisions.

Code matching threshold:

There's no bright line, but generally:

• Common patterns, algorithms, data structures: Not copyrightable (ideas vs. expression)
• Identical variable names, comments, unique implementations: Problematic
• MIT/Apache licensed code: Usually fine (permissive licenses allow reuse)
• GPL licensed code: Must comply with GPL terms (share source, same license)

M&A attorney here. I've seen this issue come up in several deals recently. The acquirer's concerns aren't unreasonable from a risk perspective, even if they're legally overstated.

In an acquisition, buyers want "clean" IP with no potential clouds on title. AI-generated code creates uncertainty, and uncertainty kills deals (or reduces valuations).

Practical solutions I've seen work:

1. IP indemnification: You provide a specific indemnity for IP claims related to the Copilot-generated code. This shifts risk to you but lets the deal proceed.
2. License audit: Run the code through commercial scanning tools (Black Duck, Snyk) to verify no GPL contamination. Provide the clean report to the acquirer.
3. Escrow holdback: Put 10-20% of purchase price in escrow for 18-24 months to cover potential IP claims. Released if no claims materialize.
4. Reps & warranties insurance: Get an insurance policy that covers IP infringement claims. Buyers like this because it gives them a deep-pocket defendant if issues arise.

Rewriting 40% of the codebase is probably unnecessary and would be extremely expensive. Push back on that and offer one of these alternatives instead.

This is going to become a huge issue in the industry. Probably 80%+ of developers are using Copilot, Cursor, or other AI coding tools now.

Are we really saying that every acquisition is going to have this fight? That seems untenable.

I'd argue that code written with AI assistance is no different than code written with any other development tool. We don't have "IntelliJ contamination risk" or "Stack Overflow ownership concerns" even though developers use those tools constantly.

The industry needs to develop standard practices around this. My prediction: within 2 years this will be a non-issue because everyone will accept that AI coding tools are just tools.

Update: I ran the entire codebase through Snyk and Black Duck (free trials). Results:

• Found matches to 14 different open-source projects
• 12 were MIT/Apache licensed (permissive, no problem)
• 2 were GPL licensed

The GPL matches were both small utility functions (maybe 15 lines each) that are essentially standard implementations of common algorithms. I rewrote both functions from scratch in about 30 minutes - honestly they probably should have been written differently anyway.

Ran the scan again: clean.

I sent the clean scan report to the acquirer along with an explanation of my development process and evidence of human authorship (git history, design docs, code reviews).

Waiting to hear back but feeling more confident this can be resolved.

That's exactly the right approach. You identified the actual risk (GPL contamination), remediated it, and can now provide evidence the code is clean.

The human authorship evidence (git history, design docs) is also important. It shows you weren't just blindly accepting AI output - you were actively developing software and using Copilot as a tool in that process.

One more suggestion: Have your client's attorney draft a short legal opinion or memo summarizing:

• Copilot usage is analogous to other development tools
• Sufficient human authorship exists for copyright protection
• Code audit shows no GPL or copyleft contamination
• GitHub's terms confirm you own the output

This gives the acquirer's attorneys something to point to when explaining to their client why the risk is acceptable.

Corporate development person here (I'm on the buy-side of these deals). Our legal team has started flagging AI-generated code as a risk factor in every deal.

Honestly, most of the time it's not a dealbreaker - it's a negotiating tactic. We're trying to:

• Get a discount on valuation ("AI risk")
• Get stronger IP reps and warranties
• Push some risk back on the seller through indemnities or escrow

What makes us comfortable:

• Clean license scan (exactly what you did)
• Evidence of human authorship
• IP indemnification from the seller
• Maybe a modest escrow holdback (5-10%)

What makes us walk away:

• GPL contamination that can't be easily fixed
• Code that's clearly just copy-pasted from somewhere with no original authorship
• Seller who's defensive and won't provide any assurances

Sounds like you're handling this correctly. Be cooperative, show your work, provide evidence, and this will probably resolve.

RESOLVED! The acquirer accepted the clean license scan and asked for a 5% escrow holdback (released after 12 months if no IP claims).

My client agreed to the escrow. Deal is back on track.

Total cost to resolve this:

• ~$400 for scanning tools (Snyk + Black Duck trials, then paid for one month)
• 2 hours rewriting the GPL-contaminated functions
• $1,200 for my attorney to draft the IP opinion memo
• 5% escrow ($160K held back from purchase price temporarily)

Lessons learned for other freelance devs:

1. Document your development process (git commits, design docs, code reviews)
2. Periodically scan your code for license contamination if you're using AI tools
3. Be prepared to provide evidence of human authorship in M&A scenarios
4. Don't panic - this is solvable with the right approach

Thanks everyone for the advice. This thread literally saved the deal.

Great outcome. The 5% escrow is very reasonable - I've seen buyers ask for 20-30% on AI code concerns.

One final tip for everyone: If you're building software that might be part of an acquisition someday, consider adding language to your development contracts NOW that explicitly addresses AI tool usage.

Something like: "Developer may use AI-assisted coding tools (including but not limited to GitHub Copilot) in creating the Work. Developer represents that they will exercise creative judgment in using such tools and that all Work will constitute sufficient human authorship to qualify for copyright protection."

This won't eliminate buyer concerns but it shows you were thinking about it from the start and taking responsibility for the output.