Who Owns the Code an AI Writes for You?
As Copilot and Codex go live in preview, developers and lawyers are fighting over whether AI-generated code exposes companies to copyright risk.
Both Copilot and OpenAI’s Codex are now live in preview, and the novelty of “the AI just wrote that function for me” is starting to wear off enough that people are asking a much less fun question: whose code is it, actually?
Here’s the uncomfortable part. These models were trained on enormous amounts of public GitHub code, plenty of which carries licenses — GPL, MIT, whatever — that come with strings attached. When a model has been trained on that corpus and then outputs a chunk of code that looks suspiciously like something it memorized, is that a new work, or is it a derivative of someone else’s licensed code with the license silently stripped off? Nobody has a clean answer, and that’s exactly the problem for any company thinking about shipping AI-assisted code in a commercial product.
GitHub’s CEO Nat Friedman has been out front on this, arguing that training a model on public code is fair use — the model is learning patterns, not storing and replaying files. That’s a reasonable position and it’s probably where most of the legal reasoning eventually lands. But it doesn’t fully settle the output side of the question. Training being fair use doesn’t automatically mean every output is clean, and critics have already been posting examples of Copilot spitting out recognizable snippets close to verbatim, sometimes including comments or variable names lifted straight from a specific repo. That’s a different claim than “the model learned from GPL code” — it’s closer to “the model reproduced GPL code,” and reproduction is exactly what license terms are written to control.
Why this matters beyond Twitter arguments
If you’re an engineering lead evaluating Copilot for your team right now, this isn’t an abstract debate. You need an actual policy: can engineers accept suggestions verbatim, do you require review for anything over some line count, do you scan outputs against public code before merging? Most companies don’t have that policy yet because the tooling is brand new, but “we’ll figure it out later” is a bad plan when the thing you’re building is your product’s codebase.
My honest take: I don’t think this kills AI pair programming, and I don’t think Copilot is going to disappear over it. The productivity upside is real and people aren’t going to give that up. But I’d bet money that within a year we see either GitHub add stronger filtering to suppress verbatim matches to public code, or some kind of formal legal challenge that forces the issue. Right now it’s mostly forum threads and hot takes. That won’t last — the incentives on both sides are too big for this to stay informal for long.
If you’re using Copilot today, at minimum keep an eye on suggestions that feel oddly specific or idiomatic in a way that doesn’t match the rest of your codebase. That’s usually a sign it’s echoing something it saw during training, and it’s worth a second look before you merge it.