Daniel Brandt, who has spent decades researching the Central Intelligence Agency, covert action and government conspiracies, and the last 10 or so years as an investigator and critic of Google and Wikipedia, has turned his attention to a obscure (to me) Internet company called CloudFlare.
I asked Daniel to explain in layman’s terms just what was so significant about CloudFlare. This was his answer.
Thanks, Phil, for your invitation to write about what I’m trying to do with my new site, CloudFlare-Watch.org.
You are right — this CloudFlare-Watch stuff is much too technical. To confuse it more, CloudFlare is not a hosting provider, but merely a DNS provider (domain name system). This is why CloudFlare tries to claim that they are unable to exercise any authority over content, since they do not host content for anyone.
However, it is impossible to get to a website without going through DNS. If you deleted the records for a domain that uses CloudFlare’s nameservers, that site becomes unreachable within minutes. Moreover, CloudFlare actually does cache some of their customer’s pages on their servers, in order to speed up access. They currently claim that half a million domains are using their nameservers. They offer several levels of service, and the lowest level is free of charge.
You asked about laws, which instantly means that one has to make a huge number of distinctions. The DMCA (Digital Millennium Copyright Act) applies to sites hosted in the U.S. Probably over half of CloudFlare’s clients are hosted in other countries, even if the person creating the content is still in the U.S. The DMCA only covers copyright, and only covers providers in the U.S. Thankfully, CloudFlare is headquartered in San Francisco, which means that they try to make it appear that they are minimally cooperating with DMCA requirements. I believe that they are not doing this in good faith, and I provide evidence of this on my site.
Child porn, on the other hand, is universally illegal, which makes it easier to prosecute. Even here, you have to identify the< hosting provider and hope that this provider will hand over the identity of the person operating and hiding behind the server. In the U.S., a hosting provider will cooperate with the FBI if it involves child porn because they don’t want any servers seized at their data centers. If the FBI wanted to play tough, they could haul off a few extra racks of servers just to be sure they get it all. This would mean that many innocent customer sites in that data center would go down, and stay down.
But what about providers in other countries? Will you need a court order to get anywhere? You might even discover that the hosting provider is hidden behind a chain of “tunneling” servers in one or more countries. From the point of view of an FBI agent, this means that you have to deal with authorities in various places — Romania, Ukraine, etc., just to work your way toward identifying the perp. That’s a huge amount of work.
Defamation? Forget it. The laws are all over the place, and these are mostly civil laws, which means that you don’t have the assistance of law enforcement. Your chances of identifying the person you need to sue are minimal. Are you rich enough to sue someone in another country, even if you are lucky enough to find them?
At the corporate level, everything is even more confused. In 1996, the Communications Decency Act in the U.S. (Section 230) granted immunity to providers that host content, but do not create or monitor content. The federal law trumps all state laws in the U.S. Criminal laws are not affected, and copyright is handled by the DMCA, but that still leaves room for lots of nastiness on the web that is difficult to address.
Other countries see things differently. Google, for example, has court orders against them in Japan, Italy, Spain, Australia, and Argentina, based on search results that those courts have ruled are defamatory. Google can ignore them by pointing out that the relevant content is not based in that country. What’s the judge going to do, block all of Google? Hardly. That would be a career-killer. Google basically does not respond to defamation complaints at all, even when it involves content on their servers (blogspot.com, YouTube, etc.) as opposed to mere search results. For search results, Google consistently pretends that the algorithm did it, and they are not to blame — as if the algorithm was not created by Google’s engineers, and cannot not be fixed by those same engineers! Google knows this, but they’re too busy laughing all the way to the bank.
CloudFlare thrives in a legal gray area that was already gray even before they came along. They are exploiting this. Cyberwars are happening. You may think this is movie fiction and hype, but it’s not. CloudFlare is a cyberwar profiteer. They deliberately attract both sides in this war — the cyber criminals as well as the cyber victims. My new CloudFlare-Watch site is trying to sound the alarm so that CloudFlare’s chances of getting a second round of venture funding are diminished. It feels like I’m a voice in the wilderness — everyone else is hyping CloudFlare as much as possible.
But I’m used to it. I was the first Google critic at a time when webmasters ridiculed me on forums for arguing that Google was saving everything they could get on everyone (Google-watch.org started in 2002). I remember one whiz-kid webmaster who argued that you couldn’t possibly fit much information into a little cookie. I tried to explain that all you need in a cookie is a globally-unique ID of maybe 20 characters, and that this ID is what is used to reference all your information. The actual data on you is kept offline somewhere in the Googleplex, and you don’t get to see it. He couldn’t grasp what I was saying.
Much bigger fish than I are trying to tame Google these days, and this means that I can retire from Google criticism. Google’s search engine emerged into public consciousness around 2000, which was two years after they incorporated. In 2001 I noticed that there were some nagging questions that needed to be addressed, such as Google’s cookie that had an expiration date of 2038. I knew your hard disk wouldn’t last that long, but this wasn’t about hard disks. Rather, it was an important clue to Google’s state of mind about user privacy. It turned out that I was right.
Now it’s time to concentrate on CloudFlare, which is less than three years old, before it becomes the next web monster. The basic problem I have with CloudFlare is that it offers one more way to hide the location and identity of your hosting provider, and it’s easy and free to use.
I believe in privacy for passive web users. For example, someone who is doing research on Google deserves privacy, and that’s why I ran Scroogle for seven years. But what about web publishers? Anyone who publishes information on the web that can affect other people should not be allowed to hide behind a screen name, or behind CloudFlare, or behind VPNs (virtual private network or “tunneling” servers), or hide by cherry-picking a provider in whatever country they choose.
People who publish content that can affect others should use their real names so that they can be held accountable. Everyone who uses CloudFlare’s nameservers is some sort of web publisher, and CloudFlare should reveal the IP addresses of their hosting providers without any questions asked. They should have a search box on their home page that spits out the IP addresses with date stamps for every domain that uses their nameservers.
The problem, from CloudFlare’s perspective, is that this would mean that half of their clients would disappear overnight. It would mean that their hype about protection against DDoS (distributed denial of service) attacks would be null and void, because the attackers could now target the original provider. And cyber-criminals who use CloudFlare to hide would have to go elsewhere.
Their entire package of hype would fall apart. All that would be left of CloudFlare is a DNS and caching service, which would not be nearly as enticing. It would, however, be much more socially responsible.
— Daniel Brandt
Click on A watchdog and iconoclast of the Internet for my profile of my friend Daniel.
Click on CloudFlare-Watch.org for his CloudFlare site.