And if Kiwifarms sending out bytes to the internet is free speech, then compelling Cloudflare to send those same bytes is impermissible forced speech.
The problem is any organized body of people can start a similar pressure campaign against Cloudflare or Facebook or Reddit. It is now their job to be a complete legal system - listen to each complaint, adjudicate who is right and who is wrong, what is ethical or not, and respond. Which websites are allowed to exist, which subreddits, which ads and messages are okay and which aren't.
This is an incredibly dangerous & undemocratic precedent because those companies answer to stockholders not citizens. There is a reason the judicial system is set up the way it is, with elected lawmakers and juries of ordinary people.
• A data center refusing to host Kiwifarms.
• An ISP refusing to provide internet to the data center that hosts Kiwifarms.
• A power company refusing to provide electricity to the data center that hosts Kiwifarms.
• An ISP refusing to provide internet to the homes of Kiwifarms members.
• A power company refusing to provide electricity to the homes of Kiwifarms members.
• A water utility company refusing to provide running water to the homes of Kiwifarms members.
• A doctor refusing to treat Kiwifarms members.
I don't think I know the answer myself right now.
Supporting the economy of illegal DDOS-for-Hire by protecting them from attacks from rivals lowers the cost to launch the attacks. That forces many webmasters to use large DDOS mitigation providers for which Cloudflare is the only one affordable to them.
Cloudflare is stopping many from avoiding using them by allowing booter websites and if it wants to play gatekeeper, the website should face legal action as non-neutral platforms (rather than carriers) are subject to S.230 and allowing illegal websites under that would mean losing safe harbor and Cloudflare being seized and its top people thrown in prison.
I'm personally more on the side that these are utilities, because really, one cannot get by without an internet connection. I mean, why don't we get the electricity company to turn off electricity if a customer is a pornographer or something that they don't like.
As long as a person is paying their bills, a utility has to serve them.
That's how I see it.
This comes up a lot and makes me think I’ve misunderstood US free speech dynamics. I thought the USA traditionally limited the government’s ability to regulate free speech, leaving it to private / social regulation. In other words, it was up to individuals, communities, companies and so on to decide what was acceptable.
But perhaps that’s a misunderstanding. Can anyone recommend books or papers to better understand the history of free speech in the USA? I guess The Federalist Papers are often a good place to start?
In this context, the First Amendment is irrelevant - it doesn’t apply here; it says nothing about the actions of private companies. Instead, people are discussing the principle of freedom of speech, and in particular the extent to which private companies should be able to limit speech.
It's unfortunate that these two concepts are often lumped together in online discussions, because they are obviously very different, and many people who would agree with the First Amendment and the classical notion of "free speech" as a restriction on the government could have diverse opinions on the regulation of platforms and how they display content.
The government did not leave it to the private sector to regulate when it explicitly guaranteed the right in the constitution...
That approach is fairly easy to work around. Just make sure your site is in a country whose police cannot issue requests that Cloudflare is obligated to follow. For added protection pick a country that your victims are not in, ideally one that does not have good relations with the US or the countries of your victims so there is little law enforcement cooperation between them.
> A private company should not be making decisions on essentially freedom of speech
I'd much rather see private companies doing it than see just government doing it.
Consider a site that is not bad enough to be illegal under current law but bad enough that a solid majority of people think it should be stopped.
If it is only government that deals with these things eventually the law will be expanded to cover that site. We'll end up with an ever expanding boundary on what is illegal. A boundary that will probably be very hard to ever shrink. The law is unlikely to handle subtleties well and will catch sites that aren't actually bad but might appear to be so.
If private companies are also looking at what sites they facilitate are doing and dropping those that they think have gone too far it adds fuzziness that allows the system as a whole (private companies plus government) to deal with the bad sites in a way that isn't as blunt and permanent as making the sites illegal.
Government works best as the last level in a multilayered approach to problems.
On the other hand, a private company has limited obligation to uphold what is essentially a government concern ... Unless we start redefining a lot of things related to private obligation.
More importantly, this seems to have no good outcomes for us, the viewers. I also don't want Twitter mobs and DDoS-ers to have a say in what I can and can't read.
Police is executive, not legislative, they can't willy-nilly decide such things.
EDIT: shout out to all the techno libertarian hacker news bros downvoting my critique of techno libertarianism
No, it means Cloudflare was helping keep his website up, in a neutral manner.
In other words, exactly what Cloudflare have stated their policy is.
Now if Cloudflare allowed him to run DDoS code on its Workers, then yes, that's Cloudflare helping him.
Very false equivalence.
I think it's more subtle than that. It was keeping his website up to make a profit. It benefits Cloudflare to have powerful, well run bot networks out there ready to take out any site which does not have Cloudflare's protection.
Yeah, it's a neutral manner on one level, but at a higher level it's a bit more nuanced.
Would it be impossible to run DDoS as a service for profit without Cloudflare? People were doing fine at just that before Cloudflare ever existed.
[1] https://blog.cloudflare.com/cloudflares-abuse-policies-and-a...
It's just dumb.
This kind of pedantic reasoning could be applied to any forum: the forum software doesn't do any active harm to anyone. It "only" serves to coordinate the bad actors.
Just like the DDoS site does. So, how is it different?
Look at crime.to. They still send bomb threats [1], exchange stolen credit card data [2], harass people to the point where they lose their houses [3] (SWATing, breaking into their house and much more included), and probably more on a daily basis.
Still protected by Cloudflare. Pretty hypocritical if you ask me.
[2] just browse the forum
[3] https://www.merkur.de/bayern/nuernberg/drachenlord-youtube-w...
Kiwifarms just comes to mind for me because someone I know killed themselves and the site took a serious role in that. I'm sure I'd be disgusted, and advocate for the takedown of, many sites.
I've learned enough during stupid internet fights I have had on reddit to never continue a conversation with an avid gamer, no matter the subject. Stories like this one you linked to on merkur.de (read via Google Translate, but I think they got it right) confirm to me that that was the correct call.
Also, Drachenlord is being harassed from essentially every German-speaking website that doesn't have good moderation policies (hi pr0gramm) or doesn't enforce them (hi twitter); crime.to is not really the flashpoint. He also has a thread on Kiwifarms that's quite active.
https://nitter.net/zelda_in_black
Let's disconnect Twitter from the Internet!
The same people gravely concerned about an infrastructure website being neutral are perfectly fine being on a social media platform that's used for coordinating all kinds of sketchy shit.
"Whataboutism!!!" is the only reply one usually gets when pointing it out.
I keep hearing this allegation but it seems to be supported only by a poorly sourced twitter thread[1] and some articles that dance around the issue. How do we know this, especially the swatting?
And why isn't law enforcement stepping in? The operator is an American afaict. It's not like he's some bond villain living in a cave on the other side of the world.
[1] https://twitter.com/oneunderscore__/status/15657972205318144...
You'll struggle to find swatting, organized harassment and non-internet stalking, but you'll see plenty of extremely unpleasant comments. If you were a kiwifarm target... well... see my comment above.
Out of all things, I think the swatting is the most easily believable. Swatting is commonly done to streamers, such that I am not surprised at all that it would be used for targeted harassment.
Because 1) they have limited resources and must prioritise and 2) American law enforcement seems to have a distinct lean towards the transphobic / homophobic / white supremacist / right-wing, etc.
Just because something is not being actively policed does not mean it's not an actual crime (cf motorists running red lights for an easy example.)
https://www.radware.com/security/ddos-experts-insider/ert-ca...
Moderators get the worst backlash everywhere in the world. The only difference is that Cloudflare continues to refuse the fact that they have quite a lot of power over whose traffic they let through. When you, basically, govern 20% of internet traffic you must take the responsibility for it as well.
This article is a nonsensical shout in the air. Cloudflare, like Google, is not looking over every single request that goes through them. They take these actions after enough noise is raised to highlight the issue. The problem is that Cloudflare will become prone to bullying.
What I mean is that if I have a good number of fanatic followers, I can raise noise against a rival platform and get Cloudflare to, at least, scrutinize it and, at worst, deplatform it. Cloudflare will need to set in place some policies to protect themselves from this.
If Cloudflare does this kind of thing enough times, they will unintentionally become a policing force. That's really not a good place to be in for a business.
Cloudflare is a private company responsible for a product that they sell which they can choose not to sell to someone as is any company's right.
The Fire department is a public sector entity, funded by our taxes, and we don't have any choice in which fire department we choose.
Anyone can come up with a cloudflare competitor for nazi materials, they have all the ability, money, and ability to build out data centers. All they need to do is to find people willing to build/fund it all. And it turns out those leading the charge don't know how to run a good business, and don't want to put money in, and can't find talent willing to work for them.
> Who interprets what qualifies as hate speech?
Exactly the issue. We should not give “activists” a free pass on this one. I wonder now which one(s) of them will commit the crime of actually DDoSing KiwiFarms. We probably will never know.
Vigilante “justice” is problematic because it leaves room for people to harm others without proper evidence of wrongdoing. Mind you, I’m in no way denying that Kiwifarms are reprehensible, but there are people out there claiming that KF is literally causing people to die, which I’m wondering where is the evidence of that? If someone is suicidal, one of the better ways to help them is to (among other things of course) make them understand that they have power over their circumstances by telling them that they are responsible for their actions. Claiming that some internet bullies can cause you to kill yourself is not helpful, nor is it true.
Isn’t this exactly what the people at KF were doing? Only instead of trying to get a website kicked off the internet, they were trying to get people fired from their jobs, weaponizing the police, trying to drive people to suicide. And not in the service of any sort of justice, but for entertainment. That is sick and it is evil.
They should absolutely be shunned and ostracized for their antisocial behavior. Free speech means that other people have the right to show you the door if you are acting like a jerk.
1. The internet is vast.
2. Figuring out what someone is doing on the internet even if you did somehow have full transparency over the data they send/receive is hard.
3. Any policy of intervention is going to leave behind a stream of poorly prioritised actions that are highly questionable.
4. Just because we see something doesn't mean it is there. It is usual for the first impressions to be wrong. Often even after researching an issue thoroughly.
I don't think there is a free speech issue here, but I do question whether Cloudflare has the motivation or capability to actually execute a policy of policing the internet fairly. All the pressure is going to be to police the internet for specific political goals.
If you can't figure out that one of your clients is doing these bad things, you shouldn't have so many clients
Agreed. It's very annoying that such services like ddos protection have an ever-growing scaling advantage (because the sizes of ddos attacks grow).
> If you can't figure out that one of your clients is doing these bad things, you shouldn't have so many clients
What kinds of entities would you extend this to? I would guess you wouldn't say the same thing about hardware stores (which sell dangerous tools).
Who are they?
Why are Cloudflare listening to this "they" instead of all the alternate "they" who object to alternate sites? There is some group organised to go after every "bad" site and a lot more besides. How do you even know that they've correctly identified Kiwifarms as a problematic site? Are you a Kiwifarms regular to be so sure about how it works?
Cloudflare have already banned the Daily Stormer and I can find people who are willing to call ~30% of any country neo-nazis with a straight face, so it isn't clear what the boundary is here. They certainly don't agree with your boundaries for what is "very clear", unless you happen to be posting on behalf of the Cloudflare CEO.
A bit of an odd take - it's like the fire department putting out the fire at the known arsonist-for-hire's house, and the police chief happens to run the fire department while doing nothing about the suspiciously wealthy arsonist.
The difference is that Cloudflare isn't an actual public service and has no obligation to DDOS protect anyone.
Now AWS does not realize this as they are large and have lots of operations.
However, one day a journalist asks Amazon directly about this website, and there is an official press release by Amazon made about it.
AWS has had this illegal activity brought to their attention, as well as the fact that they are facilitating this activity. They openly acknowledge the site existing.
Legally this is very different from not knowing about what is going on! Not only does Amazon in this hypothetical know, they have admitted publicly that they know!
So… now to Cloudflare. Did Cloudflare, experts in this domain, not know about these DDOS vendors? And did not realize they were offering protection to those? Maybe not! But maybe. And knowing makes things a lot worse for them. Especially if Cloudflare connected the dots internally about the usage for illegal activity. But! CF simply might not have known, or had a complete picture. Or anything in between.
Your aws story is completely irrelevant since AWS doesn't sell counterfeit luxury handbag insurance. Would you argue amazon webstore doesn't know about fake products in their marketplace?
I don't agree with the author because it is still early (and the author might be putting Cloudflare under pressure for some personal gain in some rhetoric), but these questions are interesting and are part of the cancel culture we are seeing more of.
By allowing the attackers to use their services, while deciding other websites are not allowed to, Cloudflare is removing others' freedom of speech.
I note this one more time: almost no posts talking in favor of banning stuff here specify any objective limiting principle of where it should stop. It's like an exercise of deliberately creating a slippery slope.
This is like complaining, "if Apple removes hate speech from its app store, then next people will ask it to remove malware."
It would be nice if these attacks were blocked before they even get to a transit provider, but cheap server / VPN providers seem unmotivated to try to solve the problem (since they barely lose any money when they facilitate the DDOS, and/or the attacking devices are rogue IoT devices and booting them would mean booting legitimate customers who don't know the first thing about auditing their network for compromised devices).
Problem is, this is not what Big Tech actually wants.
But this would put Cloudflare out of business so...
It's not as broad and sophisticated as Cloudflare may be, but at least it's not one big centralized entity all the time, it's only activated as needed and run by a co-op, basically.
I remember maidsafe was working on this for many years without much success. Then they got into crypto for micropayments a decade later and it all got a bit messy. Not sure how the project is doing these days but it was a solid concept at heart.
> legitimate customers who don't know the first thing about auditing their network for compromised devices
An IoT device not suddenly working is a good signal to end users that it is compromised and being used illegally.
And then hit them with massive bills if they have a device that gets hacked?
Seems unreasonable given the current state of security.
Given the overall quality of cheap electronics, if I had a camera on the fritz, even knowing what I do, the last thing I’d suspect is that it’s been compromised.
Cloudflare is like a fire department that still fights fires in the homes of known pyromaniacs. Whether or not they set the fires themselves is irrelevant to the job of the fire department, if someone needs to stop them it’s the police.
If the police never does anything about the firestarters for hire, it’s a bit hard to see how that would be the fire department’s fault (and certainly not something they should solve by not fighting fires any more).
I do not understand this at all. If I run a business, and I see that unambiguously bad actors namely abusers, criminals, stalkers, harassers or whatever use my services to facilitate their actions I have a very clear ethical obligation to step in. I don't go "well the law isn't here, it's not my problem". Making money off unsavory individuals, metaphorically selling both shields and guns at the same time is unethical. Dodging that responsibility is moral cowardice.
The law isn't in every place, it's slow as hell and dysfunctional anyhow in some jurisdictions in particular but that's no excuse for inaction when it is within one's power to prevent harm. It should be that simple.
But that comes with the additional benefit of hiding the origin. This resembles a post-forwarder service or a bank that knows the customer's real identity, but provides a way for them to conduct business without exposing it. Is there a good-faith argument that this service is a public utility and should be provided even if the customer is using it for criminal activity?
If someone used FedEx to run a fake pharmacy and deliver fake medication to people while staying out of reach for law enforcement and regulators by using a FedEx-provided return address, would you say that FedEx should enforce their T&C and shut that customer down?
Note that this particular SWATing wasn't in the US, it was in Canada -- so it's not necessarily even a uniquely American problem.
How do you counter this weapon? Obviously you have to break the kill chain, but which part?
1. A target is geolocated; this is impossible to prevent if the target shares this information about themself freely.
2. The attacker makes a phone-call to emergency services, likely but not necessarily using a method they believe will anonymize them. Is it technologically feasible to close anonymity holes in the phone system? Should 911 calls from anonymous numbers be null-routed?
3. The attacker needs to persuade the emergency operator that an armed police response is necessary. This is theoretically possible in any country that believes armed police responses are sometimes needed, even those in which police normally patrol without weapons.
4. The armed police response will probably fail to kill the target. This seems to be the weakest part of the kill chain, where most murder-by-swatting attempts fail. Training police for this scenario could reduce the risk even more, but the possibility of an accident will always be non-zero if you have armed police responding to what might be some sort of murder in progress.
I think SWATings would probably continue to happen even if you completely resolved the third or fourth stages, eliminating the possibility of an accident completely. The anonymous troll probably still gets his rocks off at waking up the victim in the middle of the night by unarmed conflict resolution social workers banging on his door looking to resolve the [probable] misunderstanding. Breaking the kill chain at the second stage seems more promising for this reason, but I am not sure eliminating anonymous 911 calls is practical or ethical.
Energy companies are publicly traded companies as well, I don't see what difference this fact makes in the analogy and the argument.
Policing is the police's job, not that of infrastructure and utility companies, precisely because that would bring a lot of hairy questions that the author raises as well.
But you would expect them to turn off somebody's power if they were, e.g., using that power for a marijuana farm or torturing kittens with electrical shocks and standing outside their house shouting "I'M USING THIS ELECTRICITY FOR CRIMINAL MEANS, YOU KNOW".
A corporation deciding to cut off my power without due process because they think there may be a marijuana farm – which may or may not be true – does not sound like something that's desirable.
Either way, I don't think analogies like this are very helpful, because the situations are too different, and the analogy doesn't really help clarify anything IMO.
“This is not our stance, but we do it anyway for all the reasons we just said are bullshit.”
I have a ton of respect for Prince but this spineless double standards stuff is BS.
PS: I have no idea what the deal is with Kiwifarms and frankly I don’t care. If it’s really that bad then we need to have a judge order an injunction.
Honestly anything supporting the “there was an emergency and deplatforming kiwifarms just avoided it” claim would help.
They weren’t forced to do anything.
Does CF have to be an executive force in keeping the law of the US regarding non-US customers, or should the laws of the country the customer is in count instead, ...
You see the issue. The solution is that CF should remain as neutral as they can without breaking the law in their country themselves.
At Cloudflare's scale, providing service to one additional site costs exactly $0. It's actually beneficial because it spreads their fixed costs (hardware, staff) over more customers. Great (for Cloudflare and the site).
But that only works if they don't have to do any marginal work for each site. Actually investigating each new website, going through potentially each page on the website, making a judgement call on if there is sufficient moderation to allow it or they shouldn't - it could take several hours or days of a skilled worker for each website. Just putting an example out there - how long would it take you to evaluate if reddit.com adheres to all the terms in Cloudflare's TOS? There's a different standard for user generated content, but it gets a pass if there's a good faith attempt to moderate the site. This stuff is actually hard.
If they actually had to process every complaint, regardless of where it came from, the economics of their business might not make sense. And of course, they open themselves up to false positives. They might ban a forum that looks dodgy but ends up being a leukaemia support group, which spawns yet another #dropCloudflare. And lastly, if they're going to listen to outrage from Twitter, they don't have a leg to stand on if they receive lawful requests from sovereign governments in Turkey, Saudi Arabia etc.
They hoped to sidestep all of these issues - money, false positives and state sponsored takedown requests by saying "we don't take down anyone for any reason". Well, it didn't work out.
This community, by which I mean HN, likes to have its cake and eat it too. Perhaps they're not all the same people, but HN also gets upset that VISA polices what businesses are deserving of accepting credit card payments.
Regardless of which side you fall on, consistent and clear messaging is important. In that way, Cloudflare deserves some respect for attempting this, when every other corporation, be it VISA, or the FAANGs, simply do whatever is expedient to avoid negative attention, be it PR-wise, stock market wise, or regulatory wise.
1. A company can arbitrarily do whatever it wants within the confines of the law. Additionally a company's chief executive and/or leadership team can do whatever it wants so long as it is not in breach of their bylaws and/or they have the support of the board.
2. A company which is publicly traded is beholden to public perception if it affects current and future shareholders views on share price and health of the company. If shareholders believe being associated with potentially illegal activity means Cloudflare could be open to lawsuits, then leadership kicks off that activity. Leadership can't give an honest answer on this because it would admit they were worried about being complicit in illegal activity. This is why you see the response of 'we don't believe this is our responsibility, we're just a neutral entity' PR spin.
To return to OP's post, Cloudflare directly benefits by letting DDoS-for-hire operators use their service. They've been informed of this, this post is one of many on the topic. If you go a few comments back in my comment history you'll note I mentioned Cloudflare also pulled down sex worker sites in the fallout from SESTA being enacted. Why didn't they make the same argument then? Unlike SESTA at the time the caselaw on CFAA supports that DDoS-for-hire is illegal activity, going back a little over 10 years with plenty of prosecutions. The US prosecutor handbook on it was updated around 2010 to add it https://www.justice.gov/criminal/file/442156/download, the last time I remember anyone trying to claim it was legitimate protest was back in 2013 when some Anonymous indictments were handed out. Cloudflare also responds to DMCA takedowns even though they don't host the content, why would they do that if there's no liability?
Let's break it down a little more then: If my business is damaged because my website gets DDoS'd by a protected service Cloudflare knows will make me require the purchase of a service like theirs, why wouldn't I name them as a conspirator in a legal complaint?
Publicly traded? No, but fire depts in the US were commercial entities paid for by insurance companies. Arguably just as bad.
You had to be a paying member if you wanted them to put out the fire burning your house down.
Well documented that fire depts would stand idly by and do nothing for the neighbours.
But yeah, that's what you get with Cloudflare's shitty analogy.
Cloudflare's position is that they are neutral and will provide their services to anyone and everyone. They do not make those value judgements deciding who deserves their services or not.
The fact that they thus provide their service to booters isn't a flaw in Cloudflare's argument, in fact it's consistent with their position.
The author is implying that Cloudflare should independently make that value judgement against a booter, rescind their services from the booter, thus allowing other booters to take that booter down? That's ridiculous. All the booters should be dealt with by some legal authority.
EDIT: So according to some comments Cloudflare sometimes does decide independently to rescind their services from some users? That would make them inconsistent in that case. The author's argument, that the solution to booting is more booting, still doesn't make sense tho imo. It's like the solution to too many guns is more guns.
"Our decision today was that the risk created by the content could not be dealt with in a timely enough matter by the traditional rule of law systems."
Booter services have been using CloudFlare for the better part of a decade, sure individual services come and go but the trend is persistent. So for booter services a decade is enough time for the rule of law to make the decision but another type of controversial platform follows its own arbitrary timeline, and I would argue that is setting the most dangerous precedent of all, especially when the 'risk' created by a particular type of content doesn't outweigh any potential financial incentives.
It's an odd definition of neutrality that allows one to take decisive values positions.
We seem capable of recognizing certain actions and behaviors as universally abhorrent. Nobody can say “Cloudflare is neutral… Unless you are CSAM”, or “Cloudflare is neutral… Unless you are a live video feed of a mass murder event”, and call it an odd definition of neutrality.
There are a lot of sick individuals out there, an unfortunate number of people unable to discern trolling from legitimate discourse, people who may be convinced to commit abhorrent acts or think that they found like minded supporters of their abhorrent behavior. It is not neutral to actively defend and support the ability of a platform to take advantage of those people and or to allow the promotion of such abhorrent behaviors.
It seems like Cloudflare finds themselves walking a tightrope across a bottomless chasm. Any misstep will have dire consequences for the future of Cloudflare and the precedence it sets for the internet as a whole. It seems at this point they have taken a path of extreme caution and attempted to weigh that against collective voice of reason.
In my eyes, as long as they don't break any laws themselves, they are okay.
It seems rational for any partisan to think this way, no? People standing on opposite sides of the battlefield, shooting at each other with the same sort of weapons, both believing in the goodness of their cause.
You don’t see AWS or Microsoft having the same frequency of these sorts of reports. What am I missing?
AWS or Azure doing the same wouldn't make news because they would immediately drop a site like Kiwi Farms, and anything like it, after the first report or two. If you're routinely kicking people out, people don't scrutinize you when you do it. To bastardize Stalin's quote: three deplatformings is a tragedy, thousands is a statistic.
Still, I don’t understand why Cloudflare goes out of its way to be a white knight when its peers have far less mercy. What’s in it for them? Companies at this scale remove the “don’t be evil” slogans they adopted when they were smaller.
Cloudflare:
- Makes a website available through their IP addresses
- Resolves a site's DNS
- Stores the content of the website on their servers, to serve to clients. The fact that there's an expiration on that content is of no consequence.
The fact that the final source-of-truth lies offsite makes no difference. If I rent a regular, run of the mill server and have it proxy all requests to a different server, does that suddenly make the first host bulletproof to any and all scrutiny?
Cloudflare likes to pretend they are a neutral entity, impartial, just like regular Internet Providers but they are decidedly not. They are being paid by their customers to store and serve their content from their servers and to perform traffic filtering.
If CloudFlare provided a way to find out the host of a website they run, and gave said host a way to find out what servers specifically are hosting it, they'd have a much better argument, because they'd make it easy for anyone to use the legal system to go after offenders.
I don't know how easy it is for US citizens or law enforcement to get that information from CF, but from what I've heard, it's very, very hard to do so from Europe, and will basically only be used for major crimes, but not for a common "scam a granny" operation. CF is essentially providing cover for these.
Surely they respond to subpoenas and warrants.
So, to continue the analogy, we are reading the post by (ex-)arsonist?
Using their own analogy, the real fire departments actively prevent fires by enforcing safety policies, not merely fighting existing ones. If the fire department is paid only for the fires extinguished, they are strongly disincentivised to enforce safety policies.
The issue is not Cloudflare — it’s just the sad reality of the Internet in 2022.
Imagine a criminal pumps a full tank of gas into his vehicle and then uses that vehicle to commit crimes. Nobody goes out and blames the gas station or holds them accountable.
The owner of the vehicle should and would be held accountable in real life. And in any case related to the Internet or Cloudflare, the owner of the website should be held accountable.
If the gas station operator knows the criminal's identity and hides it, I'm pretty sure everyone would go after the gas station.
DDOS-protection is one of Cloudflare's services. The other one is hiding where you host your stuff, so people cannot contact your host to have them shut down the illegal operation.
Cloudflare isn't a protection racket, but doesn't have completely clean hands, either.
I strongly agree with the points made. What Cloudflare is doing is terrible. They should remove this protection and publish an apology to the victims before a court decides to think the same.
New conspiracy theory: all this drama about absolutely irrelevant websites like 8chan[1] and kiwifarms is to distract from the fact that Cloudflare has killed anonymity on the internet. Since 2011 or so, browsing any website behind Cloudflare over Tor or pretty much any shared IP address got you essentially blocked. You would have to fill out a captcha to even see the front page, and not just any captcha, but the worst one which almost never works when on a shared connection: recaptcha. THEN you had to open up the cdn.myshitwebsite.com and repeat the same bullshit, and then you can see images, css, scripts, whatever on the site. ONLY in 2018 they fixed this (it was always possible to bypass it by changing your user agent to a specific string and such things, but almost nobody knew about this), and then broke it again, I'm not sure what the current state is. Then around 2020, a bunch of Cloudflare imitators popped up, which includes having the pointless captcha at the front of pages. Cloudflare literally killed Tor, it was solely their fault.
1. "But oh no, a jihad thing was posted on it", same with facebook but 1000x worse