
CloudFlare's Partnership with Baidu - rdl
http://www.nytimes.com/2015/09/14/business/partnership-boosts-users-over-chinas-great-firewall.html
======
rdl
There was a huge amount of work behind the scenes over the past 3-4 years to
pull this off, by both CloudFlare people and Baidu. There will be some
engineering posts about it.

I personally wasn't particularly involved in this, but met some of the Baidu
engineers. What amazed me was just how smart they were -- they were basically
indistinguishable from the engineers I've met at top-tier US companies.

I'm really looking forward to the great Internet services for everyone which
will come out of companies in China over the next decade. People outside China
really underestimate the potential there. It will mean more competition, but
also a lot more awesome products and tools, and will make the world a better
place for everyone.

~~~
steve19
In the very long term, sure. In the medium term no.

If Chinese firms were to start competing with Western firms, then the legality
of Chinese protectionism would be called into question.

The fact that CloudFlare even needs to partner with Baidu, rather than just
put some servers into a local datacenter, is an example of this protectionism.

Until the Chinese internet market is saturated with Chinese products, the
government is not going to encourage internet startups to compete in Western
markets, and even then they might decide that trade sanctions/WTO rulings
against them are not worth it (compared to having total control of what
internet services their citizens use)

~~~
rdl
There are definitely protectionist aspects to some of China's policies (just
like there are protectionist aspects to many US policies, especially outside
IT), but there is also a lot of complexity to the market on its own. It is one
of the few large, developed markets for Internet products where it makes a lot
of sense for outsiders to partner.

Also, it's changing rapidly, so "very long term" might be 5 years, and "medium
term" might be 1 year, for anything. Some of the biggest companies in China
are less than 5 years old.

~~~
steve19
> There are definitely protectionist aspects

Do I read it correctly that you are arguing it is significantly less about
protectionism and mostly about state censorship/control?

~~~
rdl
No. It's primarily about the market just being unique. We have maybe 10 people
in the company who speak Chinese; trying to build a Chinese-language product
alone would be challenging. The language portion is the smallest aspect to
localizing a service like ours. The Chinese Internet has evolved differently
-- for us to learn how it works on our own, even with full access, would take
forever (5y maybe to where it is now, by which point it would have evolved --
would never catch up.)

It's secondarily about regulation for its own sake -- governments regulate
because they think they should, especially communications. Communications is
one of the most highly regulated sectors of the economy around the world, even
in countries which are relatively free market.

It's tertiarily about protectionism. That might have been more true 5-10 years
ago, but I'd be amazed if a non-Chinese company could go into the Chinese
market directly and out-compete on services built by local companies. There
are definitely products (high-end machine tools, luxury goods) where foreign
companies are preferred, but Internet services aren't one of them.

It's only minimally about censorship. If you're operating in a country, you're
subject to their laws, which doesn't really matter if you're in a partnership
vs. have your own servers in that country.

------
gojomo
The headline's euphemism – "…Boosts Users Over…" – makes it sound like it
could allow users to access content that China wants censored. But, there's no
support for that idea in the article, and I can't imagine Baidu could be
involved in any sort of anti-censorship effort.

Instead, this appears to just help reduce the firewall's latency tax on non-
censored content.

Given the way many of Cloudflare's SSL offerings work, it could presumably
also (eventually) mean that outsiders will be able to reach Chinese customers
with SSL – but only with a decrypted mid-point under Baidu's control inside
China.

~~~
hurin
This. The lauding of the engineering and business efforts involved, mentioned
in other comments on this article, pales in comparison to the continued
oppression of human rights in China and government-censored access to
information. Let's stop praising technology that doesn't do anything positive
for the world.

------
p1mrx
I assume this gives the Chinese government raw access to everything before
it's TLS-encrypted, right?

~~~
eastdakota
While we extended our network into China, we also took steps to ensure that
all customer data would be kept secure. No CloudFlare customer traffic will
pass through the China network unless a customer explicitly opts in to the
service. Sites' log data from traffic outside of China is never sent into
China. And, for customers that opt in to serving content inside China,
customer identifiable information such as email addresses, password hashes,
and billing information is not sent to the China network nor ever shared with
Baidu.

Other potentially sensitive information is also kept outside of China. For
instance, CloudFlare's Keyless SSL technology allows us to serve encrypted
traffic for customers who opt-in to the China network without having to store
private SSL keys inside the country. CloudFlare can keep our customers' keys
outside of China, if they choose to, while still providing our full suite of
services inside China.

As part of this partnership, CloudFlare was never asked nor did we ever
volunteer to provide any data about any of our users to Chinese, United
States, or any other governments’ regulatory authorities. Had that been a
requirement of entering the region we would have passed on the opportunity.

~~~
p1mrx
None of the things you said relate to the government having raw access to the
plaintext before TLS is applied.

Given the parties involved, it seems obvious that this is just a second, more
efficient GFW that runs on Baidu's servers instead of at the border.

------
rahimnathwani
How does this work, in practice, for Cloudflare customers based outside of
China?

Each customer still needs an ICP licence: "CloudFlare customers that wish to
serve traffic for their domains across the China network must possess a valid
Internet Content Provider (ICP) license." [0]

ICP licences are only available to Chinese companies/individuals: "Please note
that you must be a Chinese passport holder to be named the contact for a
website. Foreign companies (unless they have a Chinese subsidiary) cannot
apply for an ICP." [1]

[0] [https://www.cloudflare.com/china](https://www.cloudflare.com/china)

[1] [https://support.cloudflare.com/hc/en-us/articles/209714777](https://support.cloudflare.com/hc/en-us/articles/209714777)

~~~
detaro
By having a Chinese subsidiary.

~~~
rahimnathwani
So if I'm a company outside China, with a web site that I want to make
accessible in China using CloudFlare's collaboration with Baidu, I have to set
up a WFOE in China first?

------
eastdakota
More details on the CloudFlare/Baidu partnership and how existing and new
CloudFlare customers can get announced on the China network:

[https://www.cloudflare.com/china](https://www.cloudflare.com/china)

~~~
doxcf434
According to this article, you have to pick one or the other:
[https://support.cloudflare.com/hc/en-us/articles/209156358-I...](https://support.cloudflare.com/hc/en-us/articles/209156358-If-I-would-like-to-improve-performance-in-China-which-service-should-I-choose-CloudFlare-or-Yunjiasu-)

So AWS has had a ChinaNet partnership for years. And Tencent's CDN supports
HTTPS today. Not getting what's so new here. Ideally, we need a CDN that
allows you to manage China just like any other edge, that's the holy grail.

~~~
eastdakota
HTTP limitation going away very soon. At that point, China and the rest of the
world will be managed from a single interface with a perfect parity feature
set.

------
nailer
So, the obvious question: will this stop Baidu from being used to attack
American companies again [1] or not? There's nothing mentioned in the article.

Presumably if Baidu's site has some JS injected to make Baidu customers attack
GitHub again, Cloudflare could do some egress filtering?

This would effectively secure Baidu's outbound traffic from the Great Cannon.

[1] [http://arstechnica.com/security/2015/03/github-battles-large...](http://arstechnica.com/security/2015/03/github-battles-largest-ddos-in-sites-history-targeted-at-anti-censorship-tools/)

------
rdlecler1
On the surface, this seems risky. CloudFlare, which manages thousands of U.S.
sites, hands over IP (and I assume source code) to a Chinese company. Pretty
soon the CCP comes knocking and uses that data in a way that may not be in the
best interest of non-Chinese users. Moreover, if this becomes a large revenue
source for CloudFlare then the CCP is going to have additional leverage over
them. Maybe next time, for instance, they don't deal with the DoS attack
because China says not to interfere.

~~~
eastdakota
A possibility we specifically discussed with our Board who all agreed if it
ever came to that we'd walk away from the partnership.

~~~
kevcampb
Surely it's going to be hard to maintain that position?

Cloudflare have been involved in a number of projects in conflict with the CCP
in recent years. One recent example:

[http://thenextweb.com/asia/2014/06/20/cloudflare-hong-kong-d...](http://thenextweb.com/asia/2014/06/20/cloudflare-hong-kong-democracy-movement-battling-one-largest-ddos-attacks-history/)

There's also Galileo which I'm sure supports a number of organisations which
the party would take issue with.

Would such initiatives be at risk?

------
revelation
Did I understand this correctly in that CloudFlare now has CDNs in China
(operated by Baidu) from which US sites can be quickly distributed to Chinese
users?

Because this article was giving this ominous impression of using metaphors not
to simplify the concept, but to hide a deep-seated ignorance about the actual
working principle.

------
simonjgreen
What defines CloudFlare as a startup? They are pretty established...

~~~
rdl
~180 employees is in the startup range. A lot of people say "startup" for
anything pre-IPO.

It is borderline, I agree. "Internet infrastructure provider", "Tech company",
etc. would be just as accurate as "startup"

~~~
alexro
"startup" is well defined if you care to think about it - it's an entity
looking to find a working business model.

once the model is established, whatever is the size of the entity and the
turnover, it's no longer a startup, unless it pivots of course.

this definition rules out all stupid scenarios.

~~~
sneak
So by this logic, 4sq and Twitter are startups, and Github is not?

~~~
alexro
it's difficult to call github a startup by any means.

4sq and Twitter could be startups - I'm not sure if they found a business
model or not.

------
dang
This was flagkilled by users earlier. I'm guessing that's because Chinese
censorship is controversial? If it was for some other reason, I'd be curious
to know.

The story seems obviously on-topic for HN so we've turned flags off for now.
We did, however, give the story a less contentious title.

~~~
enraged_camel
Isn't it ironic that people abused the flagging feature to basically censor an
article about Chinese censorship?

Anyway, you should consider implementing a harsh penalty for people who abuse
flagging like that. It was designed to help HN self-moderate, not to allow
people to bury or kill things they don't want discussed.

~~~
dang
That distinction isn't as easy as you suggest.

