Why does Cloudflare need to police the traffic of whatever passes through it? That's the height of absurdity. As a pass through, Cloudflare is just a few steps up from a bare wire and can't be held legally responsible for all the information that passes through it.
Besides, there are multiple U.S. laws that already govern this, especially:
"No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." (47 U.S.C. § 230(c)(1)).
This law is a bedrock, foundational law that helps the Internet grow by protecting ISPs and providers from liability.
Lastly, the U.S. is a sovereign country. A judgment from another country would need to be fully adjudicated here under U.S. law or any applicable treaties like the Berne Convention, not Moldovan law. Otherwise, chaos would reign. You would end up defending yourself from random judgments from foreign courts with radically different laws or even completely different ways of looking at IP protection that you might not even be aware of or be able to defend yourself from. This would be grotesquely unfair and manifestly unjust.
CDA 230 does not cover liability from copyright infringement which is what the underlying Moldovan court judgment is about. The relevant law is DMCA 512 (17 USC 512) which specifically requires those who want to disclaim liability to comply with properly-formatted takedown requests. DMCA 512 is annoying at best, censorious at worst. I have a personal disdain for it and other copyright laws. But it's clear Cloudflare has a legal obligation to remove infringing content.
Furthermore, the questions you raise about jurisdiction are already covered by a bevy of international trade treaties. Notably, Moldova is a party to the Berne Convention as well as the US, so the judgments are entirely compatible. Yes, being on the Internet subjects you to hundreds of countries' laws at once[0], and the only reason why we have an Internet is because we have lots of treaties governing what judgments made where can be ported to which countries' jurisdictions.
Suffice it to say, any argument based solely on "you have no jurisdiction because I've never heard of you before and can't point to your country on a map" is not getting far in a court of law.
[0] If you think this is crazy, let me introduce you to the "linguistic jurisdiction argument", in which courts argue jurisdiction from the fact that you spoke that country's official language.
None of what you just said about US law is relevant here. Yes, Cloudflare has to abide by international law where it operates. This is established and every company across the globe is subject to it.
Cloudflare operates in and has a physical data center presence in Moldova, serves content owned by Moldovan citizens, and serves content to Moldovan citizens. Thus, they are subject to Moldova law. If they don’t want to be subject to it, they can remove their operations from the country and remove any interactions with Moldovans.
The site in question is presumably not hosted in Moldova, so the thing you're suggesting is unworkable. Suppose country A has common carriage laws that prohibit a provider from denying service without a court order and the thing being hosted in country A is legal in country A but not country B. If the provider removes it they're in violation of the laws of country A, where it's being hosted. If they can now be found in violation of the laws of country B, where it isn't being hosted but is illegal, that's a catch 22.
Moreover, it's pointless to expect that to do any good because the customer could obviously just use a provider that operates in country A but not in country B. Therefore, a presence in country B should be irrelevant when that isn't where the customer is because you're otherwise just setting up a catch 22 for no benefit.
> Then they have to withdraw from one of those countries.
This is equivalent to saying that no company can have operations in more than one country. Countries have so many laws that there will be a conflict between them somewhere.
The obvious and longstanding solution is for the company to set up a foreign subsidiary and then the subsidiary in that country complies with that country's laws. But that's not the same thing as expecting the subsidiaries in other countries to comply with the laws of a country they're not in.
What's "they"? The Cloudflare subsidiary in Moldova is presumably a different entity than the one in the US. The issue is they're trying to enforce the law of Moldova against the US corporation for things it does in the US.
It's not surprising that Cloudflare both thinks it has no obligation to do anything to protect property owners, even when the infringement is blatant, and is also fighting an order from a court. They see themselves as above the law, as is evidenced by their desire to redefine words like "hosting" by fiat and via a huge quarrel of lawyers.
I started having a huge problem with them ages ago when I reported that they were hosting a Bank of America phishing site. They took no action, and when pressed, they said that they couldn't take action because they needed to protect the site owners' free speech. Imagine that! Fraud, even when it's 100% obvious and blatant, is protected by free speech!
Right now, for example, a phishing site is hosted via Cloudflare at "schwabs-wild dot com". Cloudflare replied to a complaint about it in less than a minute and a half to say:
"We were unable to confirm phishing at the URL(s) provided."
Visiting the phishing site shows a site that's clearly trying to pretend to be Charles Schwab and that asks for a person's social security number as part of the login!
So are Cloudflare employees so dumb that they can't tell that this clearly is NOT legitimate, and are they so quick that they respond to complaints in literally a minute and a half, or has Cloudflare automated their responses for complaints like these because they've already gotten so many of them?
HN has a lot of Cloudflare users who like Cloudflare, so sometimes comments like these get downvoted, but I genuinely wonder how even CF fans could justify CF not only hosting blatant phishing sites like this, but also how anyone could justify ignoring complaints about this illegal activity. They clearly will continue to do it until there's more pressure, whether Charles Schwab has to contact them directly or there's a court order from a court they care about (certainly not a Moldovan one).
Cloudflare wants to pretend they're doing good for the world by offering things like DNS-over-https, wanting everyone to use it and telling us to just trust them when they say they won't do anything nefarious with the data that's made available to them, but so long as they pick and choose their judicial jurisdictions, why would the rest of the world want to trust them?
Ironically Cloudflare blocks me from accessing the site.
"Sorry, you have been blocked
You are unable to access **.com"
But ye. Cloudflare's grip on access to different hosts has long since turned into a problem. Especially since their visitor abuse filter seems implicitly racist in which parts of the world they throw into endless captcha loops. And, no, I am not trying to be hyperbolic here. It plainly is. You can relive the experience of being from the wrong part of the world by using some privacy preserving browser settings, too.
Try manually adding "https" on to it. It was blocked for me, too, without https (and very slow with https).
Yes, putting rate limiting that's much slower than humans and CAPTCHAs that discriminate on to their abuse reporting pages just shows how much disdain they have for people who want to report abuse.
A few months ago I received a phishing attempt in a Telegram message where they promised you untold riches if you'd just take part in their drawing, and to do that you were supposed to "log into Telegram" on a clone of the original web client hosted on a third-party site that was hidden behind Cloudflare. The best I could do was to use that form to send them a bunch of "fuck you"s instead of SMS confirmation codes, because Cloudflare completely ignored my reports -- there was no feedback, nothing, and the site was still up at least a month later.
There's a trend in civil libertarian circles that I like to call "braindead libertarianism". You see, rights are akin to mathematical axioms, except we have a habit of frequently championing sets of rights that are self-contradictory. In maths, if axioms generate contradictions, we throw them away. But rights aren't as strict as axioms, we can balance them against one another and take half-measures to avoid the contradiction. This is what liberal society normally does.
Braindead libertarianism refuses to compromise. It insists, for whatever reason, that A and !A both be made true, that two and two make five. Sometimes there is a good reason to do this; the mathematics behind, say, encryption and computer security are such that you really can't build encryption algorithms that respect valid court decryption orders but refuse the millions of people that really would like to snoop through your texts to stalk you. But just as equally, the braindead libertarian just doesn't want to compromise. They take idiot politicians shouting at us to "NERD HARDER" to mean that we should shout back "WONK HARDER".
The spicy packet loss theory of censorship asserts that all Internet censorship is fundamentally the result of network interference. This is the braindead libertarian's approach to free speech. And the response to this - the protection for your free speech rights - is to build a machine to ensure your packets never drop, and insist that society tolerate 100% of its ills. Even if that means being a bulletproof crimeware hoster for blatantly fraudulent phishing pages.
Mathematical axioms that lead to contradictions get dropped because of a fun thing called the Principle of Explosion. Taking both A and !A implies all statements are true, meaning that a theory with such a contradictory set of axioms says literally nothing. Fraud on CloudFlare's network is bad, but the real kicker is DDoS vendors. All of whom reliably use... CloudFlare. DDoS doesn't exactly match the spicy packet loss theory of censorship, but it's close enough to packet loss to be compatible with it. In fact, that's CloudFlare's selling point - that it protects you from DDoS. Which is why DDoS vendors love using it to protect their sales page where you can pay to attack and tear down other people's speech.
Literally any other host - aside from actual criminals - would have dropped DDoS vendors the moment they found out what they were selling. It's an obvious abuse pattern. But in CloudFlare's twisted logic, they can't drop the DDoS vendors, because that would make them censors, because they're dropping packets. So they have to tolerate DDoS vendors doing the censorship job anyway, in the world's dumbest trolley problem meme.
> It's not surprising that Cloudflare both thinks it has no obligation to do anything to protect property owners, even when the infringement is blatant, and is also fighting an order from a court.
Private third parties are an inappropriate place to enforce the law. If you have a dispute with someone, you sue them, not their hosting provider. Then they have to pay you damages, the court will order them to stop, if they don't stop there are criminal penalties for contempt of court, etc. Why is the hosting provider even involved?
> a huge quarrel of lawyers
That's not... No, I'll allow it.
> Right now, for example, a phishing site is hosted via Cloudflare at "schwabs-wild dot com". Cloudflare replied to a complaint about it in less than a minute and a half to say:
> "We were unable to confirm phishing at the URL(s) provided."
Well yeah, because they're not law enforcement and they have no way to know if that site is a phishing site or a real or testing service by Charles Schwab or one of their subcontractors, or a honeypot or some law enforcement operation or the subject of an ongoing investigation the police don't want to spook etc. Meanwhile they get tons of fraudulent complaints from trolls and the competitors of their customers trying to take down their legitimate sites.
Stop expecting them to be a court. Go to a real court and get an injunction. Or report it to Charles Schwab or the police rather than Cloudflare so they can do it.
> Private third parties are an inappropriate place to enforce the law. If you have a dispute with someone, you sue them, not their hosting provider.
Sure. However, Cloudflare hide and protect the "them". The information in WHOIS, in the DNS SOA record, in the network hosting the content, in the servers hosting the DNS, in the registrar's abuse contact, all say "Cloudflare". Cloudflare'll "pass along" a message for you and will happily refuse to tell you who actually owns the site.
What's more, even when you can clearly show infringement, Cloudflare doesn't take action to stop it, even though they both can and should. Not taking action when you're informed that something is illegal is facilitation. Entities that host are not liable for the content of their clients, but entities that ignore illegal activities aren't (and shouldn't be) protected.
So there's literally no other option besides suing them, even if you want to go after the party that's using Cloudflare to do the illegal thing. You literally can't unless you sue Cloudflare and get a court (that Cloudflare actually listens to) to force Cloudflare to reveal the party they're hosting and protecting.
I'm not sure how you think "you sue them, not their hosting provider" is relevant in a discussion about Cloudflare unless you really didn't know all of this.
> The information in WHOIS, in the DNS SOA record, in the network hosting the content, in the servers hosting the DNS, in the registrar's abuse contact, all say "Cloudflare". Cloudflare'll "pass along" a message for you and will happily refuse to tell you who actually owns the site.
What does that matter? You can initiate a legal proceeding against a John Doe. And then the court would be able to subpoena Cloudflare for the information. That doesn't mean someone should sue Cloudflare for damages.
> What's more, even when you can clearly show infringement
How can you possibly "clearly show infringement" without a court proceeding? A service provider doesn't even have a reasonable mechanism to identify who the copyright holder is.
> I'm not sure how you think "you sue them, not their hosting provider" is relevant in a discussion about Cloudflare unless you really didn't know all of this.
There is a relevant distinction between issuing a subpoena for information and naming them as a defendant in a lawsuit.
It's reasonable to expect compliance without a court order at least in cases where every functional jurisdiction in the world agrees that the party so protected is engaging in immoral and illegal conduct.
Whereas many edge cases exist wherein conduct on the internet may have differing interpretations, nothing stops anyone from handling the massive intersection where all reasonable parties agree.
Doing so in fact removes a lot of ammunition for arguments for more unworkable suggestions.
If "every functional jurisdiction in the world" agrees then you don't need to go to a court in Moldova and then try to have the foreign ruling enforced in the US because you could have just gone directly to the courts in the US, right?
The issue is that they're trying to sue the wrong party -- the provider instead of the customer -- which US law rightfully discourages, which is why they're trying to cheat through some convoluted cross-border jurisdictional shenanigans.
When receiving a credible support of a customer who is in every functional jurisdiction a criminal attacking the public they should act against that customer without a court case. They should block them from their service and forward the information they have available to the relevant authorities in jurisdictions which may be positioned to act against the user.
Nobody has any expectation of privacy in their crimes.
> When receiving a credible support of a customer who is in every functional jurisdiction a criminal attacking the public they should act against that customer without a court case.
Do you not realize the level of abuse this opens up? The company has no capacity to do thorough fact finding. They can't subpoena anyone or put them under oath. Trolls will send them complaints with plausible-sounding claims and their only practical options are to execute them without adequately investigating or to ignore them.
The only non-abusive option is to ignore them and leave the law enforcement to law enforcement.
Does it look like a Bank of America login page and not belong to BOA? Oh look, it's crime. Not sure? Did officer friendly call to investigate? Give him the contact details right off and take action only pending litigation.
If you take only unambiguously correct actions it will be harder for the government to push for much less friendly options later.
> Does it look like a Bank of America login page and not belong to BOA? Oh look, it's crime.
How do you know if it belongs to BOA? The name of the company/contractor on the bill is regularly different than the name of service being hosted. Even then, how do you know that it's crime rather than e.g. part of some computer security coursework or a research study on phishing or a misconfigured page where somebody was doing a copy and paste and accidentally pasted the wrong thing into their site?
The answer, of course, is that if it's crime then the people who think it's crime should report it to law enforcement to conduct an investigation. Then if it is crime, the perpetrators get arrested instead of just having their account closed (tipping them off that they've been discovered) and opening another one under a different name.
You can just ask BOA if your common sense is insufficient.
Most companies do due diligence to avoid complicity with criminal activities. If Cloudflare doesn't believe they should, now they can wait until a bunch of non-technical 65+ define their role for them in 35 different jurisdictions and hope that goes well.
So what's the problem? Sue Cloudflare and a "John Doe" defendant, and ask the court to compel Cloudflare to reveal their identity. Once you have that information you can amend the filing. This is done all the time, and there's no other reasonable way for the process to work.
And if they refuse to remove/block the content (as Cloudflare is accused of)? Germany presumably has some sanction in that case and this would be the equivalent