Does GitHub Copilot steal code?
Copilot doesn't copy files, but it was trained on public code and can occasionally reproduce snippets that match existing code without attribution — a real concern critics call 'code laundering.' GitHub offers a duplication-detection filter that blocks suggestions matching public code, and Business/Enterprise plans include IP indemnity. Whether it 'steals' is legally unsettled.
Why — the first-principles explanation
The controversy hinges on how Copilot learned. It was trained on billions of lines of public code, much of it open-source under licenses that require credit or share-alike terms. Copilot does not store or paste those files; instead it absorbed statistical patterns. But because popular code appears so often in the training data, the model can sometimes regenerate a recognizable chunk of it — stripped of the original author's name and license. Critics argue this launders licensed code into 'suggestions' that ignore the license terms.
Defenders counter that this is how learning works: humans also read open-source code and internalize patterns, and short, common snippets aren't really anyone's property. The legal question — whether training on and emitting such code is fair use or infringement — is genuinely unsettled, and lawsuits have tested it without producing a clean, universal answer as of 2026.
GitHub's practical response is a duplication-detection filter. When enabled, Copilot checks a suggestion against public code and suppresses matches of roughly 150 characters or more, reducing the chance of verbatim regurgitation. It is a probabilistic guardrail, not a guarantee, so unusual edge cases can still slip through.
For businesses worried about liability, GitHub adds a second layer: IP indemnification on Business and Enterprise plans, meaning GitHub agrees to defend customers against certain copyright claims arising from Copilot's suggestions, provided the duplication filter is on. So the honest summary is: it doesn't 'steal' files, it can occasionally echo training code, and both technical filters and legal protections exist to manage that risk.
An example that makes it click
Imagine a chef who trained by tasting thousands of restaurant dishes. Most of the time they cook something new in the style they absorbed. But once in a while, without realizing, they plate a dish that's almost identical to a famous restaurant's signature — no credit given. Did they steal it? They didn't photocopy the recipe card, yet the result looks copied.
Copilot is that chef. GitHub's duplication filter is like a taster who stops the chef and says, 'That's too close to someone's signature dish — try again.' It catches the obvious matches, but the debate over whether the whole approach is fair is still cooking.
How to do it
- In your Copilot settings (or your org's policy), enable the 'suggestions matching public code' block, also called the duplication-detection filter.
- For teams, use a Business or Enterprise plan to get GitHub's IP indemnity, which requires the filter to be on.
- Treat generated code like any third-party code: review it and check licenses before shipping.
- If a suggestion looks like a recognizable well-known algorithm or snippet, verify its license independently.
Key facts
- Copilot was trained on large amounts of public code; it generates patterns rather than copying stored files.
- It can occasionally reproduce snippets matching existing public code without attribution.
- GitHub's duplication-detection filter blocks suggestions that match public code (matches of ~150 characters or more).
- Copilot Business and Enterprise include IP indemnification against certain copyright claims when the filter is enabled.
- The legal status of training on and emitting licensed code was still unsettled as of 2026.
The AI pair-programmer built into your editor.
Affiliate link — we may earn a commission at no cost to you.▶ The 60-second explainer (script)
Does GitHub Copilot steal code? The honest answer is: it's complicated. Copilot doesn't copy and paste files. It was trained on billions of lines of public code, and it learned patterns from all of it. But because popular open-source code shows up so often in that training data, Copilot can occasionally spit out a recognizable snippet — without the original author's name or license. Critics call that 'code laundering.' Defenders say it's no different from a human who reads open-source projects and picks up habits. And legally? It's genuinely unsettled — lawsuits have tested it without a clean answer. So what can you do? GitHub built a duplication-detection filter. Turn it on, and Copilot blocks suggestions that match public code — roughly 150 characters or more. It's a strong guardrail, not a perfect one. And for companies, Business and Enterprise plans add IP indemnity, meaning GitHub will defend you against certain copyright claims, as long as that filter is enabled. Bottom line: it doesn't steal files, it can sometimes echo training code, and both filters and legal protections exist to manage the risk. Always review generated code before you ship it.
What authoritative sources say
People also ask
Does Copilot copy code word-for-word?
Usually no. It generates patterns, but it can occasionally reproduce a recognizable public snippet, which the duplication filter is designed to block.
How do I avoid getting matched public code?
Enable the duplication-detection filter in Copilot settings, which suppresses suggestions matching public code of about 150 characters or more.
Am I legally protected?
Business and Enterprise plans include IP indemnification for certain copyright claims when the filter is on. Individual plans do not carry the same indemnity.
Is training on public code legal?
It's legally unsettled as of 2026. Courts and lawsuits have examined it without producing a single, universal ruling.