Web watchdog’s new site: CloudFlare-Watch.org

Daniel Brandt, who has spent decades researching the Central Intelligence Agency, covert action and government conspiracies, and the last 10 or so years as an investigator and critic of Google and Wikipedia, has turned his attention to an obscure (to me) Internet company called CloudFlare.

I asked Daniel to explain in layman’s terms just what was so significant about CloudFlare.  This was his answer.

Thanks, Phil, for your invitation to write about what I’m trying to do with my new site, CloudFlare-Watch.org.

You are right — this CloudFlare-Watch stuff is much too technical. To confuse it more, CloudFlare is not a hosting provider, but merely a DNS provider (domain name system).  This is why CloudFlare tries to claim that they are unable to exercise any authority over content, since they do not host content for anyone.

However, it is impossible to get to a website without going through DNS.  If you deleted the records for a domain that uses CloudFlare’s nameservers, that site becomes unreachable within minutes.  Moreover, CloudFlare actually does cache some of their customers’ pages on their servers, in order to speed up access.  They currently claim that half a million domains are using their nameservers.  They offer several levels of service, and the lowest level is free of charge.

You asked about laws, which instantly means that one has to make a huge number of distinctions.  The DMCA (Digital Millennium Copyright Act) applies to sites hosted in the U.S.  Probably over half of CloudFlare’s clients are hosted in other countries, even if the person creating the content is still in the U.S.  The DMCA only covers copyright, and only covers providers in the U.S.  Thankfully, CloudFlare is headquartered in San Francisco, which means that they try to make it appear that they are minimally cooperating with DMCA requirements.  I believe that they are not doing this in good faith, and I provide evidence of this on my site.

Child porn, on the other hand, is universally illegal, which makes it easier to prosecute.  Even here, you have to identify the hosting provider and hope that this provider will hand over the identity of the person operating and hiding behind the server.  In the U.S., a hosting provider will cooperate with the FBI if it involves child porn because they don’t want any servers seized at their data centers.  If the FBI wanted to play tough, they could haul off a few extra racks of servers just to be sure they get it all.  This would mean that many innocent customer sites in that data center would go down, and stay down.

But what about providers in other countries?  Will you need a court order to get anywhere?  You might even discover that the hosting provider is hidden behind a chain of “tunneling” servers in one or more countries.  From the point of view of an FBI agent, this means that you have to deal with authorities in various places —  Romania, Ukraine, etc., just to work your way toward identifying the perp.  That’s a huge amount of work.

Defamation?  Forget it.  The laws are all over the place, and these are mostly civil laws, which means that you don’t have the assistance of law enforcement. Your chances of identifying the person you need to sue are minimal. Are you rich enough to sue someone in another country, even if you are lucky enough to find them?

At the corporate level, everything is even more confused.  In 1996, the Communications Decency Act in the U.S. (Section 230) granted immunity to providers that host content, but do not create or monitor content.  The federal law trumps all state laws in the U.S.  Criminal laws are not affected, and copyright is handled by the DMCA, but that still leaves room for lots of nastiness on the web that is difficult to address. 

Other countries see things differently.  Google, for example, has court orders against them in Japan, Italy, Spain, Australia, and Argentina, based on search results that those courts have ruled are defamatory.  Google can ignore them by pointing out that the relevant content is not based in that country.  What’s the judge going to do, block all of Google?  Hardly.  That would be a career-killer.  Google basically does not respond to defamation complaints at all, even when it involves content on their servers (blogspot.com, YouTube, etc.) as opposed to mere search results.  For search results, Google consistently pretends that the algorithm did it, and they are not to blame — as if the algorithm was not created by Google’s engineers, and cannot be fixed by those same engineers!  Google knows this, but they’re too busy laughing all the way to the bank.

CloudFlare thrives in a legal gray area that was already gray even before they came along. They are exploiting this.  Cyberwars are happening.  You may think this is movie fiction and hype, but it’s not.  CloudFlare is a cyberwar profiteer.  They deliberately attract both sides in this war — the cyber criminals as well as the cyber victims.  My new CloudFlare-Watch site is trying to sound the alarm so that CloudFlare’s chances of getting a second round of venture funding are diminished.  It feels like I’m a voice in the wilderness — everyone else is hyping CloudFlare as much as possible.

But I’m used to it.  I was the first Google critic at a time when webmasters ridiculed me on forums for arguing that Google was saving everything they could get on everyone (Google-watch.org started in 2002).  I remember one whiz-kid webmaster who argued that you couldn’t possibly fit much information into a little cookie.  I tried to explain that all you need in a cookie is a globally-unique ID of maybe 20 characters, and that this ID is what is used to reference all your information.  The actual data on you is kept offline somewhere in the Googleplex, and you don’t get to see it.  He couldn’t grasp what I was saying.

Much bigger fish than I are trying to tame Google these days, and this means that I can retire from Google criticism. Google’s search engine emerged into public consciousness around 2000, which was two years after they incorporated. In 2001 I noticed that there were some nagging questions that needed to be addressed, such as Google’s cookie that had an expiration date of 2038.  I knew your hard disk wouldn’t last that long, but this wasn’t about hard disks.  Rather, it was an important clue to Google’s state of mind about user privacy.  It turned out that I was right.

Now it’s time to concentrate on CloudFlare, which is less than three years old, before it becomes the next web monster. The basic problem I have with CloudFlare is that it offers one more way to hide the location and identity of your hosting provider, and it’s easy and free to use.

I believe in privacy for passive web users. For example, someone who is doing research on Google deserves privacy, and that’s why I ran Scroogle for seven years. But what about web publishers?  Anyone who publishes information on the web that can affect other people should not be allowed to hide behind a screen name, or behind CloudFlare, or behind VPNs (virtual private network or “tunneling” servers), or hide by cherry-picking a provider in whatever country they choose.

People who publish content that can affect others should use their real names so that they can be held accountable. Everyone who uses CloudFlare’s nameservers is some sort of web publisher, and CloudFlare should reveal the IP addresses of their hosting providers without any questions asked.  They should have a search box on their home page that spits out the IP addresses with date stamps for every domain that uses their nameservers.

The problem, from CloudFlare’s perspective, is that this would mean that half of their clients would disappear overnight. It would mean that their hype about protection against DDoS (distributed denial of service) attacks would be null and void, because the attackers could now target the original provider. And cyber-criminals who use CloudFlare to hide would have to go elsewhere.

Their entire package of hype would fall apart. All that would be left of CloudFlare is a DNS and caching service, which would not be nearly as enticing. It would, however, be much more socially responsible.

— Daniel Brandt


Click on A watchdog and iconoclast of the Internet for my profile of my friend Daniel.

Click on CloudFlare-Watch.org for his CloudFlare site.


4 Responses to “Web watchdog’s new site: CloudFlare-Watch.org”

  1. AeroNut (@av8or01) Says:

    I am a network security specialist responsible for protecting 25,000+ high value users on various networks. Recently some of my users were targeted in a spear phishing attack. The link in the email that was sent to my users led directly to a CloudFlare controlled IP. CloudFlare gave me nothing but difficulty in submitting an abuse complaint, as if they didn’t want to receive them. Their responses were all boilerplate BS that attempted to absolve them of liability while protecting the criminal’s identity. After haranguing them enough to respond, every piece of information they provided about the ‘owner’ of the malicious site led to a privacy/proxy registrar. So I started looking into CloudFlare more and what I have found is disturbing. Particularly concerning are the CloudFlare CEO’s views on ‘Swiss neutrality’ as it pertains to fighting malware, spam and related criminal activities. This man is not an asset to the Internet community. I have since firewalled every subnet that CloudFlare controls. I will be encouraging my peers in the end user protection community to do the same. If my firewall rules prevent my users from patronizing CloudFlare customers, or vice-versa, too bad. Security trumps all in my world and no one gets to override the blocks I put in place, for any reason. We are sick and tired of jokers like this. We will be working with organizations affected by our decision to block these subnets, to find new providers as we educate them about their current provider and their nefarious ways. The bottom line is that CloudFlare can host whoever they want, criminals included, but if I have anything to say about it there will be no one of value visiting any site related to CloudFlare ever again. CloudFlare means one thing in my world now: malware. I guess I should thank them for corralling all the bad actors into one pen so I can more easily brush them aside. CloudFlare is allowing the criminals to taint whatever legitimate customers they (may) have, and the push back starts right now.


  2. Anonymous-by-choice Says:

    “People who publish content that can affect others should use their real names so that they can be held accountable.”

    Really? Why don’t you move to China and see if you reconsider.


  3. shqtth Says:

    Wow what a troll. Google-Watch / CloudFlare-Watch. Some people just like to complain about things to make themselves feel important.

    Here is an even crazier idea, why don’t we just pull the plug on the internet then no one can pirate!

    From reading his website, it seems like he must have been screwed big time, or he has a grudge, or he’s just a bottom feeder trying to get attention to himself on the back of a successful business.

    Anyways, pulling down DNS does not fix the problem, as anyone can directly access the IP address. And/or modify hosts.conf file and provide their own DNS entry.

    There are a lot of reasons why you would not want your real IP address exposed, since the security threat is real. Yes a few scammers could hide their IP, but there is more harm done by hackers targeting good websites. (Hackers need to fall off the face of the earth and die, along with lawyers and politicians)

    Anyways shady websites are always after free DNS providers, it doesn’t matter who the DNS provider is. And there are 1000s of times more small good websites that could not survive without free DNS providers.

    Let’s face it, hackers, scammers, lawyers, politicians don’t just fall off the earth and die, and it doesn’t matter how things change, they will always be around. Not much we can do about them. So no point badmouthing other people’s service just because a few people from this unwanted group happen to use a service.

    What’s next, will he badmouth OpenDNS……… or even further, badmouth Open source software as hackers use the tools? Hackers will always find a way no matter what we do.

    If you want to provide a website to help assist people that have been hurt by a few people that might fall victim to users hiding behind cloudflare then that’s great, but why badmouth cloudflare. People are most respectful of people who RANT less and are more helping.

    They say a troll is a troll, and it’s best to leave them alone, but hey they are human and I am sure they will learn to be a better human than always ‘complain’. If you don’t like their service, then go make a better one that provides better service and morals instead of wasting your time complaining.


  4. shqtth Says:

    Better go complain about IPv6. As that is a whole new ball game. And it can make it very hard to track someone. (not only that, but it’s a bandwidth hog/latency increase due to bigger packets)

