Cloudflare: Abuse Policies, Piracy & IP Blocking


Cloudflare’s Polemic Against IP Blocking

Reeling from the botched handling of blocking Kiwi Farms in August-September, Cloudflare has penned a polemic against IP blocking with the stated goal of making IP blocking a non-starter for everyone.[i] The internet security services provider decided to proactively put its head above the parapet to take a principled stance opposing injunctions against online intermediaries. Specifically, injunctions affecting security providers and/or mere conduits, which so happens to be the operational model of Cloudflare.

Of course, all private individuals and companies are entitled to advocate for policies which benefit themselves. The problematic position arises from Cloudflare’s canon of doublespeak when it comes to content governance due process. The company doesn’t often venture into such debates; when they do, they usually tie themselves in knots trying to take a pious tone of safeguarding the very fabric of the internet. Safeguarding the internet is supposedly not by suspending hate-filled websites inciting massacres, suicides, doxing, swatting, and other devilries of online harassment; safeguarding the internet is framed as Cloudflare doubling down on ‘not acting as the internet police’ post-policing toxic websites.

Rule of Law According to Cloudflare

In August 2022, Cloudflare decided to assert the right not to suspend their provision of services to Kiwi Farms.[ii] Inevitably, a mere 3 days later, Cloudflare retreated from this position by blocking Kiwi Farms.[iii] This reversal of position was explicitly stated as not the result of the high-profile online pressure campaign started by Kiwi Farms victim Clara Sorrenti. The u-turn was also accompanied by a restatement of the abuse policy which had, a handful of days previously, tied Cloudflare’s hands from taking action. They went as far as saying “we concluded that the power to terminate security services for the sites was not a power Cloudflare should hold”, before wielding said power against Kiwi Farms. Not only did they no longer serve Kiwi Farms, they implemented measures to prevent Kiwi Farms content being accessed through any Cloudflare infrastructure. The change of heart was rationalised as not due to public pressure, nor a change in policy, but a decision necessary due to an imminent threat to the life of Clara Sorrenti. Sorrenti has fled from Canada to the UK after threats to her and her family, including being doxxed multiple times.[iv] Sorrenti was again doxxed after arriving in Northern Ireland, which was reported to local police, and the incident was under investigation. Cloudflare, in their role as not the internet police, clarified they took the decision upon themselves to terminate Kiwi Farms given law enforcement agencies were simply not equipped to deal with the unfolding emergency situation.

To be fair, law enforcement and intelligence services do struggle with handling online harassment campaigns. Sifting through the glut of online hate messaging boards to decipher genuine threats to life versus mere shitposting[v] is no easy job. Testimony to the fact are the announced massacres livestreamed on Facebook and elsewhere being overlooked until tragedy strikes. Adequate access to healthcare is just as important. Kiwi Farms, during its time being shielded by Cloudflare security services, contributed to the suicide of at least 3 people who were victimised by concerted, coordinated online harassment campaigns. The role of healthcare services and charities operating in the space cannot be underestimated, as recognised by hate groups which often target such services by hacking or creating impersonation websites to prevent victims accessing much-needed help when in crisis.

Kiwi Farms was relegated alongside The Daily Stormer and 8chan as those deemed undeserving of cybersecurity services without regard to “legal due process”. Each decision was followed by what reads as an apology to the internet community.[vi] With each apology Cloudflare becomes more virtuous in its role as guardian of the internet and more assertive that such actions should not be taken again. Each apology note is packaged in pseudo-legal gobbledygook justifications proffered to defend the failure to take equivalent action in similar circumstances.

For context, The Daily Stormer was terminated citing the sole discretion to terminate customers’ service reserved in the Terms of Service.[vii] By the time Kiwi Farms came around Cloudflare stated this power was not one they should hold. A strong position to take publicly, although this reservation of power is of course retained in their Terms of Service.[viii] The Daily Stormer explanation cites due process as the overriding principle. Specific details of wrongdoing are given in the 8chan related blog, which labels The Daily Stormer and 8chan as disgusting, lawless, and unmoderated hate-filled communities. However, terminating service to The Daily Stormer was contemporaneously justified for what can only be described as perceived reputational risk: “The tipping point for us making this decision (to suspend) was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology…We could not remain neutral after these claims of secret support by Cloudflare.”[ix]. Cloudflare didn’t want to be guilty by association.

8chan, on the other hand, was terminated under the guise of the rule of law, a step beyond the previous due process wrapping.[x] As discussed previously, the rule of law framework as set out by Cloudflare is circular and lacks credibility.[xi] They also cite 8chan’s connection with the 2019 El Paso, USA tragedy, a reasonable basis to terminate services. However, Cloudflare noted this was not the first time 8chan had inspired a tragedy, referencing the 2019 Christchurch, New Zealand mass shootings. It seems a tragic event in the singular is not a sufficient basis for blocking a website. Whether described as due process or the rule of law, it amounts to little more than a pseudo-legal excuse for Cloudflare’s abrogation of responsibility in setting, communicating, and sticking to clear abuse and content governance policies.

For instance, lawfulness and level of moderation were not factors mentioned in the Kiwi Farms post-mortem, yet seemingly apply to Kiwi Farms every bit as much as 8chan. This obvious lack of consistency is the predictable outcome when there is no clear direction on abuse policies. Whilst previous decisions of a company cannot be expected to set binding precedent, customers should expect some clarity in how a service can and cannot be used. The following summary may provide some guidance:

| Factors insufficient to block a platform | Factors sufficient to block a platform |
| --- | --- |
| A lawless, hate-filled platform with no moderation | A lawless, hate-filled platform with no moderation |
| Being a safe haven for online harassment campaigns and hate speech | Suggesting Cloudflare supports hate speech |
| Inspiring tragic event | Inspiring tragic events |
| Inciting suicide, being complicit in at least 3 Suicides and numerous other harassment campaigns | Creating a potentially life-threatening situation for a single individual, who may or may not be organising a high-profile campaign for Cloudflare to block a particular customer |

The Consequences of Facilitating Piracy

Now that it is clear what actions Cloudflare is willing to take according to their own abuse and content governance policies, it remains to be seen why Cloudflare decided to challenge the use of blocking IP addresses as a legal remedy. IP address blocking is available in many jurisdictions in Europe and elsewhere. In the 2019 8chan blog, Cloudflare conceded they are not a government, and do not have the political legitimacy to make determinations on content, as such questions are societal issues that need politically legitimate solutions. However, in the recent IP blocking blog they focus on a tech-centric rule of law theory: the law should be subservient to technological standards, sacrosanct protocols whose affairs the law has no right to meddle in. This is most clearly evident in the cynical suggestion that judges are at fault for overblocking because “entities like judges who are not technologists.”[xii]. Cloudflare had seemingly suggested they agreed with the general direction of online jurisprudence:

“Internet content regulation laws passed over the last five years around the world have largely drawn a line between services that host content and those that provide security and conduit services. Even when these regulations impose obligations on platforms or hosts to moderate content, they exempt security and conduit services from playing the role of moderator without legal process. This is sensible regulation borne of a thorough regulatory process.” (emphasis added)

The specific case used in the IP blocking blog is from Austria, whereby the Austrian Supreme Court issued an IP blocking order, which indeed led to unintended consequences of significant overblocking. This mistake is used to justify the entire piece against IP blocking as a suitable legal remedy. A remedy which requires legal process, going through the courts, to obtain an injunction against mere conduits, i.e. Internet Service Providers (ISPs). The injunction is granted on the basis “the service of intermediaries may increasingly be used by third parties for infringing activities. In many cases such intermediaries are best placed to bring such infringing activities to an end.” as explained in recital 59 InfoSoc Directive.[xiii]

Cloudflare argue IP blocking represents a failure to build legal remedies reflecting the internet’s architecture. It is the law which governs. Technologists must build systems and implement policies which comply with the law. It is a failing of technology, in part, enabling overblocking to happen. In the early 2000s, Yahoo deployed similar arguments in opposing challenges in France to ban Nazi-related content from appearing in the jurisdiction. Yahoo categorically stated this was an impossible request, only to almost immediately implement the request once the court ordered them to do so.[xiv] Rather than working to improve best practices of IP blocking, Cloudflare is totally opposed to the remedy, offering the alternative remedies of domain name blocking, and the panacea of content removal.

Content removal at source is indeed preferable to rightsholders. It is cheaper and more effective in terms of actually removing the content. The reason rightsholders choose to obtain an expensive court order is that content removal procedures are often entirely ineffectual. Content removal means notice and takedown procedures under the E-Commerce Directive or DMCA, whereby rightsholders send a notice and the website takes down the infringing content. Notice and takedown is a vital remedy, but often a limited one. For example, in the Austrian list which caused the overblocking, there are 14 variations of notorious torrent site The Pirate Bay.[xv] The Pirate Bay does not remove content and still operates after numerous legal cases against the platform. Simply relying on the DMCA and equivalents as suggested by Cloudflare is offering no remedy at all. Rightsholders’ content would remain freely and illicitly available via The Pirate Bay. Rightsholders of live sports, such as broadcasting rights to football or a PPV boxing event, are also not adequately protected under notice and takedown remedies alone. Many content hosts take far longer than the duration of a football match to respond to a takedown request, especially when the event occurs on a weekend. Or consider NFL piracy on Thanksgiving. As Arnold J in Cartier I stated when discussing notice and takedown to the webhost “it is unlikely that it would be effective to achieve anything other than short-term disruption”.[xvi]

In terms of blocking at the domain level, the 14 variations of The Pirate Bay alone are enough to show this method alone is not sufficient. There are countless more mirrors and proxies to access The Pirate Bay other than those included in the Austrian court order. Again with the live sports piracy example, streaming high-quality video with minimal latency usually entails complex networking structures, including content delivery networks to deliver the content from a closer location and load balancing servers to avoid network congestion by distributing traffic. Simply put, domain name blocking alone is insufficient to protect rightsholders. For blocking injunctions to be effective, they (typically) require blocking at various levels.

Cloudflare’s absolutist position in its stated aim of making IP blocking a non-starter for everyone is as likely to succeed as their previous blogs in setting out a clear abuse policy. Rightsholders, and the courts in England, Spain, Italy to name a few, have long accepted IP blocking, and blocking injunctions in general, to be an effective tool against online intellectual property infringement. Blocking injunctions also have the added layer of proportionality by being territorial, reflecting the territorial nature of intellectual property rights.

A Necessary Remedy

Rights without adequate enforcement mechanisms are no rights at all. However, the Austrian experience does raise very serious concerns. Blocking injunctions are a necessary remedy for rightsholders,[xvii] but there are certainly improvements which can be made to ensure the Austrian incident isn’t repeated.

Precise details of blocking orders are typically kept confidential, as a countermeasure to inevitable efforts of pirates to circumvent the order. This means blocking injunctions are not entirely effective, but then neither is a life sentence for murder entirely effective in dissuading murder. Knowledge sharing of blocking orders is therefore difficult. The Austrian court cannot simply look at an order from the Italian court, for example. Blocking orders granted at an EU level would enable each member state to benefit from EU-wide best practices. This would enable a new entrant into the blocking injunction space to get up to speed immediately, without going through Austrian-scale overblocking.

Another improvement would be in terms of transparency, as highlighted by Cloudflare. Firstly, publishing block lists resolves most of the issues raised in the blog of users not knowing what happened. Secondly, the Cloudflare suggestion of applying the honest error codes would provide further clarity and standardisation within the process. With increased transparency a thorough evaluation of overblocking could be made, rather than Cloudflare’s approach of speculation and allusions. A study into recent overblocking in jurisdictions featuring mature IP address blocking systems, such as England or Italy, would provide a better evidential basis to assess the remedy.

Then, there is the option of technology companies taking responsibility. Rather than trying to abolish the system, an easy safeguard would be Cloudflare deploying a basic level of due diligence. This could mean either not providing services to, or moving obvious high-risk services to quarantined spaces. For example, Cloudflare still provides service to at least 4 of The Pirate Bay domains listed on the Austrian court order, including the main operating domain name. This is after numerous court decisions and determinations that The Pirate Bay is a platform existing predominantly to distribute pirated media content. Maybe if The Pirate Bay is ever foolish enough to suggest Cloudflare secretly supports piracy they may finally be cut off.





[v] Shitposting is the act of throwing out huge amounts of content, most of it ironic, low-quality trolling, for the purpose of provoking an emotional reaction in less Internet-savvy viewers.











[xvi] Para 201;