Senk immediately felt the takedown was bogus. His site was obviously parody, which he felt should have made his use of the CrowdStrike logos—altered or not—fair use. He immediately responded to Cloudflare to contest the notice, but Cloudflare did not respond to or even acknowledge receipt of his counter notice. Instead, Cloudflare sent a second email warning Senk of the alleged infringement, but once again, Cloudflare failed to respond to his counter notice.
I am generally a fan of Cloudflare and I think they are good players and good people, but this is something they really need to fix. The DMCA system is already heavily stacked against the little guy. The least Cloudflare (or any host) can do is listen to both parties. Ideally they should be a neutral arbiter.
I use Cloudflare extensively and spend a lot per month with them, but this really gives me pause about whether I want to have CF hosting my actual content. I've never had a DMCA takedown claim against me, but I know people who have been abused by that process. It can really happen to anyone.
Cloudflare, please don't be part of the problem. You've long been a champion of a more open web, one in which little people can operate. You've done more to enable creators like that than just about anyone I can think of. Please, don't be a facilitator or enabler for the DMCA bullies.
Funny how companies (not only Cloudflare) are super-responsive when it comes to forwarding takedown notifications from other companies, but drag their feet and "forget" when it comes to doing the same for counter notifications, even though both are required by the DMCA. Also, funny how (to my knowledge) no company has been criminally prosecuted for filing a false DMCA takedown notice. Likely because you have to prove intent. The law is comically stacked against the little guy.
I regularly receive DMCA outside of America, which I wished I could reply to "your law doesn't apply to me, cite the right one in my jurisdiction or get lost".
But I can't.
Because my hosting will process those by default and shut my sites down unless I just comply to the take down, no matter how legitimate it is.
It can be even a bogus take down from a US point of view, or even a take down for a non existing content.
Doesn't matter. I have to show that I comply, or 48h later, my server is shut down.
That's seriously messed up.
If your hosting provider is a US company, you might be wrong about this law not applying to you.
Of course it's not.
Check the terms of service and the acceptable use policy of your host; even if the DMCA doesn't apply to you directly, it would apply to a U.S. based host, and you agreed to their terms when you became their customer.
US based host? Their terms?
You're aware hosting companies can have locations in multiple countries but still be controlled by a parent company in the US? So if the US parent company doesn't play ball, that has the potential for downstream issues in the other hosting locations. Easier/safer as the company to just play ball. If you're so concerned about this, find a host based and run solely from a safe country and not controlled by a US-based entity.
It's not.
I have selected my hosting specifically for this.
In that case, you might just email your host's support team and ask them directly.
I did of course. They don't care.
I tried several different hostings as well.
It's unfortunately a prevalent strat in the industry: if the client is too small, one should spend minimum money on it, so they default to that.
Your hosting company is bound by US laws. Their defense for hosting illegal content is the DMCA, which allows them to claim that it is your responsibility (the end-user's).
This is the entire point of DMCA: exempt service providers from indirect liability for content on their network (at the cost of taking action for that content upon receiving notice).
If DMCA applied to them but not to you, how could that possibly work? A US company could host content that no one is responsible for?
In other words: this is not about you but about your hosting company. They are the ones the DMCA apply to, and was written for. This is true no matter where you live, if your hosting company is US.
You think it's reasonable for companies worldwide to be bound by US law? Companies doing business in the US, sure, but random hosting companies? Do you also expect US companies to honor takedown requests according to North Korean law?
We are talking about a US company here.
No, I'm definitely not a US company.
The DMCA is the United States implementation of the World Intellectual Property Organizations treaties. So there likely is an equivalent statute in your jurisdiction.
Not really sure what the point of this comment is to be honest. Other jurisdictions didn’t simply copy and paste the DMCA. OP’s desire to be threatened in terms of the regulations that they’re actually beholden to is completely valid. Because, spoiler alert, international treaties aside, not every implementation is as terrible as the DMCA.
It doesn't matter. DMCA is an implementation of the IP protection (and a very biased one). While the treaties might agree on the principles, fortunately most other countries don't have an equivalent mechanism. "Yet.", a pessimist would add.
Is this actually true? I was under the impression that the DMCA came first and then similar stuff was put into WIPO treatries but not necessarily ratified or fully implemented in the domestic copyright law of other countries.
If your hosting provider is in the EU, the Digital Services Act shields them from liability for hosting illegal content, provided they respond swiftly to takedowns, which is why they do.
I disagree that Cloudflare is super-responsively following the DMCA takedown notice requirements. The DMCA requires them to respond to a takedown notice by expeditiously taking down the content, and to a counter-notice by restoring the content. Instead, they responded to a takedown notice by forwarding it to their customer, along with a commitment to wait for 72 hours before taking anything down.
The original notice was not a DMCA takedown even if Buttflare's email describes it as such. DMCA is for copyright infringement, but this is a (claimed) trademark dispute.
Upon receipt of a counter notification, the DMCA obligates them to wait at least 10 business days before restoring the content to give the original party an opportunity to sue first.
Which is one of the big problems with the DMCA, it effectively lets companies/individuals shut down those they don't like at critical points without any court involvement with effectively no negative consequences for abusing that. It's an extremely biased law, even compared to how unfair copyright is to begin with.
Clownflare. Different circus, same clowns.™
Cloudflare gave up neutrality when they terminated Daily Stormer. Before that, there was even discussion if they have technical ability to terminate single site like that (deleting content from distributed store is hard).
More political activism they do, more damage for them!
Sorry but continuing to host Daily Stormer is not neutral either.
There is no neutral and apolitical option on this issue.
This is an interesting position.
What if Kamala Harris used cloudflare in front of her website? Is cloudflare now supporting the Democratic party? What if Trump did? Same thing?
By your logic, it seems like cloudflare would have to review the content of every page on every site and only host it if they agree with it. That's going to mean a pretty big chunk of websites don't get hosted.
You really don't think a neutral position would be to just not care what the content is, and just host everybody regardless who they are, what they believe, etc?
Hosting content isn't the same as endorsing every word of it. Newspapers print op-eds that run counter to what the editorial board believes. But providing a platform to someone is still a choice, yes.
Nah, what is allowed vs how you enforce it are two different things. Believe it or not, the decision of how to enforce the rules is political too. Nothing about having a ToS that bans certain content necessarily requires pre-review of content any more than the rule that bans phishing sites or pirated movies does.
Absolutely it isn't. Declaring that you don't care about offensive hate speech and will not remove it when made aware of it is a choice. It's a deeply political choice. (Also, this is a bit of a straw man: surely you can't "not care what the content is" when something potentially illegal)
Thanks, you make some good points. You've won me over somewhat.
I agree that there's always at least some politics in choice/policy/enforcement because for any given value there are going to be people that oppose that value, but I don't think that means we should just embrace the political nature of it all and not try to be as "neutral" as possible. (To be clear I'm not suggesting that you are advocating for this, but I think it is the logical conclusion of accepting that everything is equally political). Some people's politics include free speech absolutism, and others include significant speech limitations, so a largely "we allow all legal speech" is a political stance when viewed that way, though it also strikes me as also the most "neutral" a platform can be, and I think that is mostly coincidental. There are plenty of political parties that disagree on many things for example, yet mostly agree that free speech and ability to express oneself is a good thing.
To be clear, I despise hate speech and I hate when people say offensive things. But trying to define hate speech is a recipe for sadness. The Israel/Palestine conflict has really shown that recently where some people consider it "hate speech" to criticize the government of either side. When it's a company or a newspaper or something, the cost of getting it wrong (either too tight or too loose) is much lower than when it's a platform that controls vast swathes of the public square.
Also, at what level does/should this matter? For example, should ISPs be pulling the plug if the customer has or shares content that they deem to be hate speech? Should power companies cut off electricity to those people?
I fully agree btw that Daily Stormer really messed up by claiming that CF supported them, but CF could have left their website in place and C&D'ed or sued for libel. I don't know what I would have done in their position though. There's a pretty good chance I would have done the same thing they did. It's hard to really know when you aren't in the soup.
A peer comment from three hours prior to yours said:
If Kamala Harris used Cloudflare, not an issue. If Kamala Harris went on to very publicly falsely state on her website that Cloudflare supported her and the Democratic Party to the hilt .. then that's another thing and something that breaks the Terms of Service .. apparently that was what tripped The Daily Stormer .. claiming they had Cloudflare "in their corner".
Yes there is. Don’t look at the content unless the law requires it.
That’s neutral. You host sites, regardless of their content.
You're describing a philosophy called Free Speech Absolutism. It's a perfectly reasonable stance and I get where you're coming from, but it is not objectively more correct than any other approach. And it's definitely a choice with political implications.
Hosting something that doesn't break your local laws or your ToS is as neutral as it gets. Not hosting something because you don't agree with them - is not.
In this case, they broke ToS and got removed from CF.
Isn’t the operative question here, what should the ToS include in the first place?
Also: I don’t really agree. Enforcement of ToS is inherently political too.
A neutral stance might be one that doesn't unhost somebody for legal speech, regardless of the content.
Granted, that is a political stance.
It's political activism to terminate service over TOS violations?
It was pretty simple really - all they had to do was not lie about Cloudflare endorsing them (per the contract that had extremely standard boilerplate language about such things).
People seem to get really upset when Nazis are held to the same basic contract law standard anyone else would be held to. Just because the politics of promoting hate makes it hard to find vendors, it doesn't mean that vendors need to make a special TOS just to coddle those that do.
I think you assume this detail is widely known about the affair, but I didn't know about it.
Here's an article from the time describing what happened: https://gizmodo.com/cloudflare-ceo-on-terminating-service-to...
Importantly:
“I realized there was no way we were going to have that conversation with people calling us Nazis,” [CloudFlare CEO Matthew] Prince said. “The Daily Stormer site was bragging on their bulletin boards about how Cloudflare was one of them and that is the opposite of everything we believe. That was the tipping point for me.”
I do not know background of that. But Stormer at some point also endorsed Hilary Clinton (as a satire). I could imagine they were trolling BBC or CNN, that compared Cloudflare to nacist, for not censoring them.
why would it be hard to delete content for them? you can literally in seconds delete files/sites from cache in cloudflare
It was 2017, technical difficulties were they argument against DMCA strikes or censorship. That argument was rendered void after that.
Gmail initially did not had delete button for "technical difficulties".
How exactly? Cloudflare has been a threat to the open web for as long as I've been paying attention to them
Without Cloudflare, a lot of the internet sites you use daily would have had to give up rather sooner than later.
The dream of a free and equal Internet died on the day shitheads could rent 0wned devices for ddos attacks for 10$ an hour in bitcoin. There would have been a tiny window where governments could have stepped in and demanded that ISPs follow up and act on abuse reports, but Obama on his last legs didn't have the power any more and Trump didn't care.
Ideally, there would be an FCC regulation requiring ISPs above 500 customers have a time frame of two hours between getting notified of an attack originating from their network, investigate it, and cut off the other party unless they had shown evidence of effort to be a better netizen. That would also have led to economic pressure on Microsoft and other vendors (looking at you Java) to actually make their products more secure.
Countries can still just as well step in now, there is no window that has passed.
However, swift shutdowns not involving a court would be the wrong way to do it - as wrong as the DMCA is. All that is needed is appropriate consequences for bad behavior, including those shielding bad actors.
Courts are not customer support, the court system is already massively overloaded as it is.
I agree that courts have their place, in this case to provide an appeals solution if someone remains blocked by their ISP despite provably not being a bad netizen. But they cannot shoulder the load of policing - in the meatspace, that's done by police, in the digital space the ISPs are the closest equivalent.
It would be nice if there was some sort of system in place to resolve attacks at the source. Sounds like a really hard problem though. Based on reports ISPs can identify which routers are causing problems. With more invasive routers they might even be able to identify the specific devices. Then I guess they inform the customer via email or something? What happens if customers don't do anything about it?
Also what's to prevent attackers from sending tons of bogus alerts to ISPs to muddy the waters and undermine the entire system?
The problem is that Cloudflare is the company that protects those that do the ddos atacks. Their whole existence as a company depends on there being a healthy market for ddos attacks.
There should be internet 2.
Kick off all ISPs which refuse to do good ingress/egress filtering. Kick off all customers which absolutely positively need to be completely exempt from the filtering because of their ultra special snowflake networks, when creating source spoofed abuse a couple times. So now you have an internet with reliable source IPs. Allow ISPs for their customers to push firewall rules blocking abusive traffic to the originating ISP, subject to some fair use rules. If an ISP's firewall slows down because they are overloaded with rules for obvious abuse from their customers ... well that's working as intended then.
What he should do is set up a clownflare site.
I think the article correctly places most of the blame on the DMCA. It's a bad law and always has been. I'm not sure how much customer service and legal support one can expect from a company that you are presumably using on a Free tier.
CloudFlare has promised to side with their customers, paying or not, for these kinds of things. Any lawyer could have easily dismissed this takedown request as invalid, and prevented the company from making a sloppy move that throws into question their core promises to their customers.
Now we all know that any given Cloudflare customer is vulnerable to a fraudulent takedown request, because Cloudflare doesn't do their due diligence. That's entirely on CloudFlare.
Cloudflare loses DMCA safe harbor protections if they do not follow the law and disable content after receiving a notification with all the required elements. Correct me if I'm wrong, but the DMCA doesn't say anything about verifying the merits of the takedown. (Setting aside the practicality of having an expert on copyright law review each notice even for customers who aren't paying anything)
In the case, if they had ignored the notification and CloudStrike sued anyway they could be stuck as a defendant on that lawsuit.
Plenty of providers happily ignore DMCA takedowns when they think their legal risk is low and when the customer is important-- they lose the safe harbor, sure, but only for that specific instance, which if it's transparently nonsense isn't much of a loss. This even often applies when the infringement is obviously real but the source of the report is someone that lacks the obvious resources to make it a real problem.
Even with the safe harbor they can still find themself a defendant, it may just be easier and faster to get themselves dismissed from the case.
This two tier system of handling is part of how the procedural flaws in the DMCA are able to persist as long as they have. If major institutions and brands were finding their content forced offline for 15 days at a time we'd see revisions quite quickly.
Read the actual complaint [0] forwarded by Buttflare before making baseless claims. This was NOT a DMCA takedown request but a trademark dispute.
[0] http://clownstrike.lol/crowdmad/
clownflare.com is available from godaddy for a bit less than $3K USD.
It looks like clownstrike.com has been redirected to crowdstrike.com. (Likely purchased by them or a friend.)
Edit: I see it's clownstrike.lol and is at this time up. clownflare.lol has "recently been registered."
They are neither good nor evil. They are for profit.
Being "For profit" to the detriment of everything else is like, children's cartoon evil, like disney villain evil.
It's a little more complex than that. Being say the only good company within a system that, aside not encouraging being good, usually awards with more profit who is not, can make the difference between life and death. I'm not a fan of the corporate world but sometimes they're forced to behave in such a way because there's no strong enough regulation to discourage everyone from doing so to gain an advantage.
CrowdStrike Holdings, Inc. is a publically traded company. They have to maximize profit for their shareholders. But a company does not have to be public. It can be owned by one person (having all shares), family owned, or owned by people with similar values. I'm not saying this is always the easiest route, but it's certainly the way for any entrepenour who doesn't want to sell his morals.
I found Cloudflare completely useless when trying to take down cloned scam websites using ".shop" domains. We had to go directly to the registrar to get them removed.
Moreover, the constant CAPTCHA prompts by Cloudflare are incredibly frustrating. This practice is a form of abuse and needs to be called out for being so.
I despise Cloudflare with a burning passion. Currently they're blocking access to the danish parliament website (ft.dk) by putting up a CAPTCHA wall. Of course it's wrong of the admins to put essential danish infrastructure in the hands of a shitty american tech giant, but as you say this crap is everywhere. I refuse to interact with any CAPTCHA unless I absolutely have to.
Have you filed a complaint with the appropriate authorities? Citizens being blocked from government infrastructure shouldn't just be accepted as the way things are.
I agree to some extent, but if the user is on a free account it seems complicated. You are asking Cloudflare to review sites on a case-by-case basis, evaluate legal documents, and potentially open themselves to legal risk, all for a non-paying user they don't know.
The user might very well lie about their situation, but also their contact info, and can easily create many accounts to avoid genuine DMCA requests.
That's fair, although I don't think they need to review every site on every dmca request, but if the customer replies to the automated request, they should at least take a quick look at that instead of just ignoring it and sending another automated request.
I get that cloudflare, just like every big tech company nowadays, doesn't want to pay for customer service. They want to automate everything and let the code handle the issues. Unfortunately, that general approach is turning our lives into a dystopian hellscape.
In this case, it's a parody site so it's not that big of a deal, but in cases that I'm sure happen regularly that we never hear about, it can be people's livelihoods being destroyed. I think we should expect more from these companies.
It's definitely true though, that if they had to spend on this sort of thing for free accounts, they may just take away the free accounts. That would obviously not be in our interest. I also think that's a very reasonable deal.
I would personally be satisfied if they would make a policy explicit, that for free accounts they will not review the DMCA request, rather they will just forward it and take automated action. For paid accounts though, I expect more.
The biggest thing I think, is to just be transparent and explicit about what their policy and procedure will be and for which account. Having mystery behind it is what bothers me the most and gives me pause when I think about hosting my assets with them.
Isn't that Cloudflare's fault though? If you choose to offer a free account, you're aware of this risk. If you weren't, stop offering them and grandfather them.
They should be forced to keep it up until proven guilty in a court of law, no?
"Presumed legal, until it isn't" should be the same as presumed innocence"
Companies generally don't have immutable characteristics like "good" or "bad". They have lifecycles. Today's scrappy startup fighting for the people becomes tomorrow's hated big tech oligarch.