Cloudflare: The “Now You See Me, Now You Don’t” of the Internet

If someone has infringed your copyright, you’d certainly like to be able to find out who they are and where they are. But since online pirates would rather not have you find out this information, various companies have sprung up that make quite a nice living hiding people. The biggest is Cloudflare.

Cloudflare’s business is that of a Content Delivery Network or CDN. Normally, if you type in a web address, it goes directly to the website. With a CDN, it goes through the CDN network first. Blogger Franklin Veaux describes it thusly:

“The CDN…has a large number of servers, often spread all over the country (or the globe). These servers make a copy of the information on the Web server. When you visit a website served by a CDN, you do not connect to the Web server. You connect to one of the content delivery network servers, which sends you the copy of the information it made from the Web server.

There are several advantages to doing this:

  1. The Web server can handle more traffic. With a conventional Web server, if too many people visit the Web site at the same time, the Web server can’t handle the traffic, and it goes down.
  2. The site is protected from hacking and denial-of-service attacks. If someone tries to hack the site or knock it offline, at most they can affect one of the CDN servers. The others keep going.
  3. It’s faster. If you are in Los Angeles and the Web server is in New York, the information has to travel many “hops” through the Internet to reach you. If you’re in Los Angeles and the content delivery network has a server in Los Angeles, you’ll connect to it. There are fewer hops for the information to pass through, so it’s delivered more quickly.” 1

The by-product of this is that the IP address is attributed to Cloudflare, not to the real address of the web site.

“Cloudflare is not a hosting provider…. One of the functions of the network that we provide is to add security to the content providers that use us. Part of doing that inherently involves hiding the location of the actual hosting provider. If we didn’t do this, a malicious attacker could simply bypass Cloudflare by attacking the host directly.” 2

This handy by-product makes Cloudflare very attractive to copyright pirates, 3 neo-Nazi white supremacists, 4 ISIS, 5 and spammers. 6

Consider the plight of this writer:

“Why the hard-on for CloudFlare in particular? Because every time my book is pirated, their name comes up. Even after being reprimanded by the courts for aiding and abetting piracy sites they continue to facilitate the f*cks.” 7

Or consider this typical entry from the RIAA 2016 “Notorious Market Report:” 8

Domain: Albumkings.com (formerly albumkings.net and albumkings.co)

Registrant: Whois Privacy Corp., Nassau, Bahamas

Registrar: TLD REGISTRAR SOLUTIONS LTD

Hosting Provider: Obfuscated by Cloudflare, U.S.

Traffic: Global Alexa ranking of 37,978 and the new .com domain is averaging nearly 900,000 monthly visits

Revenue Sources: Advertising

If you’re a pirate site that gets 900,000 hits a month, it’s certainly nice to be able to hide who you are and where you are located.

Needless to say, Cloudflare was very unhappy with this report and immediately fired back:

“As both RIAA and MPAA are aware, Cloudflare has created a ‘Trusted Reporter’ program to permit identification of the website host in response to complaints of abuse or infringement…[b]oth the RIAA and MPAA participate in our trusted reporter program and are frequent users of the system.” 9

But what about our poor writer? Or what if I’m not the RIAA? What if I’m a small indie record label? How do I get in on this “Trusted Reporter” thing?

No clue. Because after searching the entire Cloudflare website, I could find no mention of anything resembling a “trusted reporter” program.

But, in the end, it doesn’t matter. Because the “trusted reporter” program really doesn’t work.

Because all that Cloudflare will give up is the IP address, not the identity of the client. 10 You have to go find them yourself. And, in the meantime, Cloudflare will report back to their client that you have inquired about them. 11 This “heads up” to the infringer will give them ample time to move their site to a new host and new IP address. And the process starts all over again.

And Cloudflare is more than happy to continue to service well-known pirate sites, like The Pirate Bay. 12 Even after the sites have been ordered shut down by the Courts.

Take the case of Grooveshark, which this blog has reported on before. Cloudflare continued to service various clients using the “Grooveshark” name, which had been ordered transferred to the Plaintiffs in the case. 13

So, once the registration for “grooveshark.io” (British Indian Ocean) was disabled, it moved to “grooveshark.pw” (Republic of Palau). And then to “grooveshark.vc” (St. Vincent and the Grenadines). And then to “grooveshark.li” (Liechtenstein), using a Swiss-based domain registrar.

The domains grooveshark.pw, grooveshark.io and grooveshark.vc were all registered with Cloudflare by anonymous users using different email and IP addresses. Cloudflare received a copy of the restraining order on May 15, 2015, and despite actual notice of the TRO, nevertheless processed another anonymous request to redirect grooveshark.li using Cloudflare services.

The Court was not amused:

“There is no real dispute that CloudFlare had knowledge of the TRO at least as of May 14, 2015 and that it subsequently permitted an anonymous user to establish a free account that configured the domain name grooveshark.li to use CloudFlare’s services. CloudFlare’s authoritative domain name server translates grooveshark.li as entered in a search browser into the correct IP address associated with that site, thus allowing the user to connect to the site. Connecting internet users to grooveshark.li in this manner benefits Defendants and quite fundamentally assists them in violating the injunction because, without it, users would not be able to connect to Defendants’ site unless they knew the specific IP address for the site. Beyond the authoritative domain name server, CloudFlare also provides additional services that it describes as improving the performance of the grooveshark.li site… Going forward, however, CloudFlare is now aware that it is bound by the injunction so any future failure to comply might expose it to a contempt finding that could result in the award of attorney’s fees or other consequences.” 14

Despite this, in March of this year, Cloudflare was back to its old tricks, this time with the website MP3Skull. Here, Cloudflare argued that, despite its continued statements that it was “not a hosting provider” and “simply an intermediary,” it was nonetheless protected by the DMCA safe harbor rules in continuing to provide services to various MP3Skull entities. The Judge wasn’t buying it.

“…Section 512 concerns service providers that may otherwise be directly liable for copyright infringement due to the actions of others without their knowledge. (citation omitted). It does not blunt a court’s power to enforce a permanent injunction involving non-parties such as Cloudflare that may be ‘in active concert or participation’ with Defendants.” 15

Despite all of the above, Cloudflare risibly claims that “Cloudflare does not make the process of enforcing intellectual property laws any harder—or any easier.” 16 Hmmm. Only obeying court orders after being threatened with contempt of court and monetary sanctions does not exactly paint the picture of a good corporate citizen.

Further, just a few weeks ago, the website Pro Publica detailed how Cloudflare casually turned over identifying information about people who lodged complaints to one of their clients, the neo-Nazi website “The Daily Stormer.” 17 Predictably, the people who complained received abusive and threatening messages in return. So intimidated were these people that all but three refused to talk to Pro Publica for “fear of further harassment or a desire not to relive it.” 18

“ProPublica asked Cloudflare’s top lawyer about its policy of sharing information on those who complain about racist sites. The lawyer, Doug Kramer, Cloudflare’s general counsel, defended the company’s policies by saying it is ‘base constitutional law that people can face their accusers.’ Kramer suggested that some of the people attacking Cloudflare’s customers had their own questionable motives.” 19

“Face their accusers?” This is from a company whose business model revolves around hiding people’s true identities.

But that’s not all.

“And, by The Daily Stormer’s account, advice and assurances. In a post, the site’s architect, Andrew Auernheimer, said he had personal relationships with people at Cloudflare, and they had assured him the company would work to protect the site in a variety of ways — including by not turning over data to European courts. Cloudflare has data centers in European countries such as Germany, which have strict hate speech and privacy laws.” 20

And then there’s the ISIS problem. According to The Mirror, Cloudflare has accounts for 50 ISIS-related propaganda websites. 21 Aiding foreign terrorist groups is against Federal law, 18 U.S.C. § 2339B, to be precise.

“Whoever knowingly provides material support or resources to a foreign terrorist organization, or attempts or conspires to do so, shall be fined under this title or imprisoned not more than 20 years, or both, and, if the death of any person results, shall be imprisoned for any term of years or for life. To violate this paragraph, a person must have knowledge that the organization is a designated terrorist organization . . . , that the organization has engaged or engages in terrorist activity . . ., or that the organization has engaged or engages in terrorism. . .”

Cloudflare dismisses this point due to the fact that “it was not actually accepting money from terrorists, because the ISIS sites listed by Anonymous relied on its free service.” 22

Cloudflare would like to wrap itself in the cloak of “freedom of speech,” and in all fairness, did amend their reporting procedures after the Pro Publica post caused lots of unfavorable publicity. 23

But “free speech” is not limitless. Laws against libel and slander are proof enough of this principle. Remember that in certain European countries, particularly Germany, there are tough laws against the use of Nazi symbols, denying or trivializing the Holocaust and engaging in hate speech. 24 Yet, as reported by Pro Publica, Cloudflare is apparently assisting websites like The Daily Stormer in avoiding the effects of those laws. 25

And what about copyright infringement? Copyright infringement is not a case of “free speech.” Copyright infringement is a crime. Especially the type of infringement carried out by the likes of MP3Skull. 26 Yet, Cloudflare is happy to continue servicing these sites until they get hauled into court and threatened with contempt proceedings.

And what of Cloudflare’s own copyrights?

“SECTION 2: COPYRIGHTS

All content included on Cloudflare.com, such as text, graphics, logos, button icons, images, audio clips, digital downloads, data compilations, and software, as well as the compilation of that content into one, coherent website, is the property of Cloudflare and protected by United States and international copyright laws. Reproduction of the content of Cloudflare.com without the written permission of Cloudflare is prohibited.” 27 (emphasis added)

That just about says it all, doesn’t it?

Notes:

  1. Cloudflare: The New Face of Bulletproof Spam Hosting
  2. Cloudflare Anonymity and Abuse Reports
  3. Elsevier wants CloudFlare to give up Digital Textbook Pirates
  4. How One Major Internet Company Helps Serve Up Hate on the Web
  5. Anonymous hacktivists target American tech firm accused of ‘protecting Islamic State’ extremist websites
  6. Cloudflare: The New Face of Bulletproof Spam Hosting
  7. CloudFlare And Associate-holes have earned their own category!
  8. RIAA Representing Music Docket No. USTR-2016-2013
  9. Cloudflare Rebuttal comments regarding the Request for public comment on the 2016 Special 301 Out of Cycle Review of Notorious Markets Docket. No. USTR-2016-2013
  10. Cloudflare Anonymity and Abuse Reports
  11. Cloudflare Anonymity and Abuse Reports
  12. RIAA Representing Music Docket No. USTR-2016-2013
  13. Courts in Canada, Germany and U.S. Order Website Blocking, Internet Fails to Spontaneously Self-Destruct
  14. Arista Records, LLC, et al. v. Vita Tkach, et al., Case 15-CV-3701, U.S. District Court for the Southern District of New York, 2015.
  15. Arista Records v. Vasilenko, Case no. 15-21450-Civ-COOKE/TORRES, U.S. District Court for the Southern District of Florida. Order dated March 23, 2017 at page 3.
  16. Cloudflare Rebuttal comments regarding the Request for public comment on the 2016 Special 301 Out of Cycle Review of Notorious Markets Docket. No. USTR-2016-2013
  17. How One Major Internet Company Helps Serve Up Hate on the Web
  18. How One Major Internet Company Helps Serve Up Hate on the Web
  19. Id.
  20. Id.
  21. Anonymous hacktivists target American tech firm accused of ‘protecting Islamic State’ extremist websites
  22. Id.
  23. Internet Company That Does Business With Hate Sites Alters Complaint Policies
  24. Censorship: Is Germany right to censor pro-Nazi speech?
  25. How One Major Internet Company Helps Serve Up Hate on the Web
  26. 18 U.S. Code § 2319 – Criminal infringement of a copyright
  27. Cloudflare Terms of Use
