Cloudflare Terminates Service to Sci-Hub Domain Names (torrentfreak.com)
415 points by jakobdabo on Feb 5, 2018 | 218 comments

This is terrible news in the chilling effects department.

The mere fact that CloudFlare and similar services are a "requirement" for not being beaten into submission for pennies of traffic flooding in to a website is a clear design flaw of the global communications system.

No site or service should be forced to receive //every// bit of information sent at it. Nor should they be forced to blackhole (route) /themselves/ (giving in to the terrorists) out of existence.

Clearly, we are lacking a means for pushing 'cancer' filtering over to the source side of data transit. To the point where it becomes the problem of the source ISP. "Block this customer" (for a while) and "don't send us any traffic at all" (for a while; in response to /far too many/ abusive customers) are the necessary solutions.

> Clearly, we are lacking a means for pushing 'cancer' filtering over to the source side of data transit. To the point where it becomes the problem of the source ISP. "Block this customer" (for a while) and "don't send us any traffic at all" (for a while; in response to /far too many/ abusive customers) are the necessary solutions.

That problem is hard. It's not just that we need a way to tell the source ISP to drop the traffic on their end, it's that we need a way for them to trust that you are the actual destination and not someone trying to cause a denial of service by having them drop legitimate traffic.

Which is basically the key distribution problem, i.e. one of the hardest problems in security.

And it's not clear it would even fix it because of the way DDoS works. The attacker has some huge botnet with hosts all over the place. Each of the hosts doesn't have to send an unusually large amount of traffic, there are just many more of them than there are normal users, which is enough to overload the servers. But unless you have a way to distinguish the attackers from the normal users -- and it has to be something they can't compensate for once you start doing it -- you don't know who to block.

What Cloudflare does is to just absorb the traffic by brute force, and then the problem is that they themselves become a centralized target for imposing censorship.

So it feels like the solution is some kind of decentralized Cloudflare, in the nature of IPFS or BitTorrent, which causes content to be hosted on more sources the more popular it is. So that if you get a huge traffic surge targeting some specific data, every node hosting it sends it to another node which doubles the number of hosts, and then doubles it again until there are enough sources to handle the traffic.

>That problem is hard. It's not just that we need a way to tell the source ISP to drop the traffic on their end, it's that we need a way for them to trust that you are the actual destination and not someone trying to cause a denial of service by having them drop legitimate traffic.

I think a large part of it could be solved by a combination of (1) egress filtering and (2) the ISP enforcing TCP congestion control -- so that if a DDoS'd server stops sending ACKs to an attacker, the attacker gets limited (at its own ISP) to 1 packet every few seconds. For UDP, something similar could probably be done -- e.g., if no packets are received from the other host, then drastically rate-limit the bandwidth to that host. (I'm not sure if this would break any widely used UDP protocols, though.)

"Have middleboxes do something" as a method of solving problems has historically created more problems than it solved.

The current dark age where nearly everything uses TLS/443 has been the net result, because for a significant minority of networks nothing else can get through. People are now even running DNS over TLS, even though DNS itself is allowed and DNS over TLS is complicated and inefficient, because the middleboxes prevent the DNS protocol from evolving to have better security.

Inviting more interference would only create more problems. For example, suppose I want to create a multipath UDP-based protocol where the acknowledgments can be consolidated (and so only sent along one path). That proposal would break it and force me to use something less efficient. In general it creates asymmetric routing problems at the ISP level.

Middlebox "solutions" cause problems that are hard to predict and even harder to fix after the fact, because once 20% of networks are doing something it's hard to get half of them to stop even after the problems are discovered.

And it may not even solve the original problem. What happens when the DDoS is just a botnet acting like a huge number of normal users?

> What happens when the DDoS is just a botnet acting like a huge number of normal users?

I thought that's exactly what the first `D` stood for...

They can do things like spoof DNS requests from the victim which are known to have large responses. The attacker causes ~4000 bytes of traffic to be sent to the victim from the DNS server by sending a ~40 byte DNS request.

That amplifies the attacker's bandwidth but is a lot easier to distinguish from normal traffic, and would be prevented if everyone did egress filtering because then the attacker couldn't spoof the requests.

But that only prevents the amplification, not the general problem. A botnet with millions of computers in it has enough bandwidth even without amplification to cause plenty of trouble.

Hell, I’d be happy if ISPs blocked outbound traffic with source IPs outside their blocks. That alone seems to be asking too much, sadly.
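
Added illustration, not part of the thread: the source-address check that the comments above call egress filtering, sketched in Python. The prefixes, port names and packets are constructed sample data using documentation address ranges; the sketch also shows that a filter applied only at the ISP border still passes a source address spoofed from another customer of the same ISP, which a per-port check catches.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (documentation ranges from RFC 5737 and RFC 3849).
ISP_BLOCKS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8::/32")]

# Hypothetical customer-facing ports and the prefixes assigned to each.
CUSTOMER_PORTS = {
    "port-a": [ipaddress.ip_network("198.51.100.0/28")],
    "port-b": [ipaddress.ip_network("198.51.100.16/28"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer port the packet arrived on
    src: str           # source address claimed in the IP header
    dst: str


def _covered(src, networks):
    """True if src parses as an IP address and lies inside one of networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: never forward
    return any(addr.version == net.version and addr in net for net in networks)


def border_allows(pkt):
    """Coarse filter at the ISP edge: source must be in the ISP's own blocks."""
    return _covered(pkt.src, ISP_BLOCKS)


def port_allows(pkt):
    """Strict filter at the customer port: source must be in that port's prefixes."""
    return _covered(pkt.src, CUSTOMER_PORTS.get(pkt.ingress_port, []))


def verdict(pkt):
    """Classify a packet by which of the two filters would stop it."""
    if port_allows(pkt):
        return "forward"
    if border_allows(pkt):
        # Source belongs to the ISP but not to this customer: only the
        # per-port filter drops it, the border filter would let it out.
        return "drop-port-only"
    return "drop-port-and-border"


# Constructed packets: one legitimate and several with forged sources.
SAMPLE_PACKETS = [
    Packet("port-a", "198.51.100.5", "203.0.113.53"),      # legitimate
    Packet("port-a", "192.0.2.10", "203.0.113.53"),        # forged, outside the ISP
    Packet("port-a", "198.51.100.20", "203.0.113.53"),     # forged, a neighbour's address
    Packet("port-b", "2001:db8:b::1", "2001:db8:ffff::53"),  # legitimate IPv6
    Packet("port-b", "2001:db8:a::1", "2001:db8:ffff::53"),  # forged IPv6, same ISP
]


def summarize(packets):
    """Count verdicts over a batch of packets."""
    return dict(Counter(verdict(p) for p in packets))


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.ingress_port:7} {p.src:16} -> {verdict(p)}")
    print(summarize(SAMPLE_PACKETS))
```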

Yeah, it seems like it should be possible to send a packet using a "firewall rule protocol" to the DoSing IP address, and have any non-malicious routers in between enact a rule that blocks traffic in the opposite direction (obviously there needs to be either spoofing prevention, or the packet must be signed with a certificate provided by the RIR to prove ownership of the source IP address).

Why not do this? Is it impossible to design it in a non-abusable way, or is there too much overhead to store and apply a possibly long list of arbitrary blocking rules?

Well, there would be the overhead, so more ideally you'd be submitting such requests to an out of band network (possibly forward to such a CnC network /by/ the routers along the way).

The command and control network would authenticate the source request via some means and if it's authentic act accordingly.

The benefit of this is that it also allows for identifying infected or otherwise abusive customers and actually being proactive about getting them cleaned up.

Of course all of that degrades the 'customer' experience, and costs money. Both of which are probably why no one does this right now.

ISPs do this and have such capabilities. They don't necessarily use the same protocol, like BGP Flow Specification (RFC 5575), but they often do provide a way to push filtering rules if you need it and you are an ISP yourself.

It would be better to use a separate term from "chilling effect" for this. That term has a specific legal connotation and generally indicates a fear of unfavorable treatment by the government for doing/saying something otherwise totally permissible.

This situation involves a private company that is no longer serving data from a domain found to be in violation of the law. It does not meet the same definition.

The main reason DDoS works is that ISPs are routing traffic that can't be originating from them. If ISPs would stop this, any IP that is trying to DoS you is really that IP, not some spoofed source address.

The scaling problems between small senders and a potentially huge crowd of receivers can be solved with immutable, hash-addressed resources + proxies/caches and best effort multicast. The former would at least require changes at several levels in the protocol stack, which is difficult when most changes happen incrementally one level at a time. The latter I believe faces real hardware design problems in network equipment AND incentive problems on the ISP sides.

So large collective action is required. Or we continue to pay cloudflare.

Based on the article it sounds like they were mostly using the CDN part of Cloudflare's offering.

> No site or service should be forced to receive //every// bit of information sent at it.

They aren't, but usually public websites/services want to receive everything. Determining what's legitimate or not isn't easy because of the distributed part of DDoS.

I am surprised that so many sites rely on cloudflare. I'm sure they provide some very cool services, but I would be concerned both from

- a design perspective (they are a somewhat single point of failure for much of the web, and add complexity/potential vulnerability), and from

- a control perspective, you are giving them control over your site and they have shown themselves capricious in the past as well as vulnerable to legal coercion. (For instance, could a malicious actor take down a website by sending CloudFlare fake DMCA notices?)

You're right! That does seem like a lot of risk to be taken on blithely.

If I may offer a few points, in the interests of helping you understand why people might make a decision that seems so obviously silly?

First, bandwidth is still fairly expensive. It adds up much faster than many people expect. A CDN, especially one that doesn't meter or charge for bandwidth, is a lifesaver. Yes, it's adding a complex potential point of failure to your system. As you completely correctly point out, that is not a desirable thing. However, what you get in exchange for that complexity and potential failure is more controllable costs and a greater ability to fend off some major attacks.

On the control point, you're once again absolutely right! With the potential caveat that this puts CloudFlare on a level with every single other service on the internet. Unless you're one of the few people who owns all the infrastructure starting with your server and ending with a full backbone network, you're already relying on capricious companies vulnerable to legal coercion. So this isn't really a new risk for most people. It is, again, a risk people take because they judge the costs and added risks to be worth taking on.

And one would have to work pretty hard at it to get a fake DMCA notice through. CF's legal department doesn't screw around.

So you're absolutely, completely, 100% right on all counts. It's a lot of risk to take on, and your concern is wise and justified! For a lot of people, the gains to be realized justify the risks taken.

>you're already relying on capricious companies vulnerable to legal coercion.

The important distinction is that you're relying on a local ISP, not some company based in the jurisdiction of some foreign government (for everyone outside of the US like sci-hub).

Indeed! But there's more, you know? You're not just relying on your local ISP.

You're relying on every single local, national, and international ISP between client and server. In many places, at least one of those is going to be owned outright by a government that might take a keen interest in what bits it transports. You're also relying on a variety of DNS providers and other services.

The number of services that have to cooperate for you to use any given website is staggering. And they're all capricious and vulnerable to legal coercion.

We're talking about take-downs, not wiretapping. Don't muddy the waters trying to equate them.

I'm not aware of cases where a government has coerced someone like level3 to drop a peering relationship to an ISP in a foreign government or conduct BGP hijacking to take down a website under that government's jurisdiction.

Cloudflare is a significant risk for anyone pushing the boundaries of US laws in a different company.

Indeed! We are discussing take-downs, rather than wiretapping. You're completely right, and I failed to be sufficiently clear previously. Any level of ISP might be tasked with taking down content that flows over its wires.

For example, at one point a Pakistani ISP accidentally black-holed YouTube worldwide (briefly) through BGP while attempting to comply with a court ruling to block it.

Thanks for your responses. Apologies if my post came off as portraying cloudflare use as silly -- not the intent. I definitely see the tangible benefits (and you helped me see more), I just worry about the intangible risks especially if too large of a fraction of the web shares a point of failure.

Your heart is definitely in the right place! It's a good thing to worry about and a major cause for concern.

Awkwardly, the internet already has a lot of those. Remember when DynDNS went down under attack? A lot of websites stopped working that day. They're not the only major DNS provider, either. There are only a few certificate authorities that most commercial certs trace back to. There's a very small number of tier one ISPs.

Ultimately, it's about risk and cost tradeoffs to service providers. How much risk are you comfortable with, and how much are you willing and able to spend resources to reduce? There are no easy answers here, and services that trade on economies of scale (like CDNs) will tend towards concentration.

Indeed. As an end user who browses behind Tor frequently Just Because, this is actually welcome news. Solving captchas to access sci-hub was a frequent pain point.

As a developer, I'm willing to try and help sci-hub secure their network against DDoS or other malicious traffic, assuming this was their reason for using Cloudflare services, and assuming sci-hub were to open source some of this effort publicly.

Your heart is in the right place. Freedom of information, and access to it, is a critical human right.

There is, however, a possible catch. As a developer, there's a sharp limit to what can be done purely in server-side software to mitigate a DDoS attack. Some classes of attack rely on particular kinds of server-side vulnerabilities, and against these your skills are very valuable! I'm sure your contributions of skill would be most welcome.

But against pure bandwidth-flooding attacks, it's more likely that writing more code is of at best marginal benefit. The state of the art for responding to these requires a big network, a lot of bandwidth, and active management. Things difficult to deliver as a lone developer who cares deeply.

Just want to say that your style of argument has me in awe. It feels close to the patronizing line, but it's obviously not.

I think you just assume the best from people and I really like that.

Thank you. I appreciate that.

Mostly I assume people mean well but suggest silly things because they're ignorant. Reading Dale Carnegie taught me that you have to tell people they're right and stroke their egos a bit before you can imply that they might have the wonderful opportunity to become more right.

It's honestly exhausting to implement. It's a lot of hoops to jump through to tell someone that they don't actually understand what they're talking about. However... most people do not typically respond well to being flatly told they're wrong. Explaining how and why they are wrong does not generally improve matters, as people usually stop honestly listening as soon as they hear "You're wrong".

As you say, it does run the risk of coming off as patronizing. It's hard to avoid that entirely, as different people sometimes have drastically different standards.

>As you say, it does run the risk of coming off as patronizing. It's hard to avoid that entirely, as different people sometimes have drastically different standards.

Definitely. I read your post as very patronizing (even though I agree with it) because you started with "Your heart is in the right place." That's just a sugar-coated way to tell a child "nice try but you're extremely naive". IMO it's better to skip telling someone they are wrong like a child and skip right to the rebuttal without including any references to the parent author (an ad-hominem).

In the abstract, I agree with you. In practice, I've found that a lot of people react to being treated that way in the same way they might react to being slapped. This is not always the best way to further a productive conversation.

They actually taught us this in Business English class. They said we should do this when talking to people from the States which was really weird for us since most Europeans said they find it patronizing.

I wonder if it could be done in a less grating way? I agree with the general idea of affirming the good in others' viewpoints, but I do find GP's phrasing patronizing. Why not something like:

I agree, and I think there'd be a lot of developers who feel the same way (re: wanting to help, valuing freedom of access to scientific information). I wonder, though, if there's really that much we can do as developers. There are of course some vulnerabilities that can be mitigated with good code on the server, but most attacks are impossible to prevent without the resources that a company like CloudFlare can marshal. Unfortunately, the state of the art for responding to DDoS attacks requires a big network, a lot of bandwidth, and active management.

Ideally, I'd like to be able to say "Your offer is well-intended, but of little value against the kind of bandwidth-flood-type attacks CloudFlare is very valuable against. This is because the solution to that problem is servers and bandwidth, not more devs hacking things out server-side."

But, obviously, I did not. What I've found is that, if you run light on the praise and ego-stroking, people often either view it as token and ignore it or skip past it entirely. It's a fishhook that lets you smuggle your actual points past defensive mechanisms. You have to set it deep before it's actually useful.

And then you have to wrap your point in completely unjustified uncertainty anyway, to be sure that whoever you're interacting with doesn't feel attacked. People who feel attacked generally aren't listening to, engaging with, or learning from your points.

Makes sense! I tend to take the "wrapping your point in uncertainty" approach, without all the ego-stroking. Nothing against ego-stroking; it just seems hard to make it feel genuine enough for it to work. Most comments (mine included!) contain little enough insight that any praise more intense than "good point!" or "agreed!" or "that's totally right!" feels somewhat disingenuous.

Oh I absolutely agree. Which is why I specified that it should be an open source project. And I wasn’t thinking so much server side code to protect against DDoS but orchestration scripts and test suites to help create some form of redundancy offering some level of resilience.

The source code is relatively uninteresting. The power of cloudflare is in having the servers.....

richardwhiuk completely nailed it.

Orchestration scripts and test suites are of minimal value here. They already exist for pretty much every configuration you might need, and already in open source ways. Open sourcing the tools is of very little value in meeting the needs of a site like SciHub in protecting itself from DDoS attacks. What's actually needed is servers and bandwidth.

Which is to say your heart is in the right place. You have the right ideas, and it's wonderful how much you care! It's just possible that the need at hand might be other than a maximal fit for your skills.

I hope this conversation has been as educational for you as it has for me, and thank you for the opportunity to engage!

> As an end user who browses behind Tor frequently Just Because, this is actually welcome news. Solving captchas to access sci-hub was a frequent pain point.

When using Tor you had the possibility of using captcha-free SciHub with their own onion service: http://scihub22266oqcxt.onion/ (it's down for now)

Yes it appears, AFAICT, that has been down for quite a while. In fact I’ve never gotten the onion service to load. I’m assuming malicious traffic at some point.

You can access Sci-Hub at https://5ly.me/scihub .

It's more of a sign of how broken the internet is. For example, how you can take down most sites with $5.

Or how there's no downside for an ISP to not filter outbound connections (ip spoofing). Or how there's no downside for people to send unlimited traffic because their devices were compromised (imagine if their bill suddenly went up).

The internet is broken. Complaining that people use CloudFlare doesn't solve it.

Cloudflare is a problem for the Internet as a whole, but if you are running a site that needs this kind of service, how much extra are you willing to pay in order to not contribute to this problem? I think for the long tail of websites it would be significantly more expensive to purchase the same level of protection from elsewhere.

Because CloudFlare is a proxy, it doesn't take much work to turn it off or switch to another CDN. This dramatically reduces the risk of using them.

Also, CloudFlare is far less capricious than any other company, even free speech crusaders like Twitter and Reddit. AFAIK, CloudFlare has capriciously banned just one site in its history.

A few years ago, I had an employer come up with the idea of a web application firewall that involved routing all of the customer's traffic through our network. I don't think I've ever been as horrified to be in Ops as I was that day. Thankfully it never came to pass; the architecture was changed. The idea of being in a role where all we could do is make the end user experience worse was fairly terrifying. (Leaving aside the possible benefits of cloudflare-style caching, of course).

But this is very standard for sub layer 7 traffic filtering and DDOS mitigation, so I don't understand your reaction

Because, like most teams, we had certain resource constraints (time, money, datacenter space, employees, etc). The undertaking of a massive new project that puts greater-than-ever reliability demands on existing infrastructure that is properly sized for the existing tasks is a huge burden.

If you run a website cloudflare is pretty nice. DDOS can affect anyone and cloudflare is the only provider where you know they won't kick you off their service because of an attack. You also hide your server ips which can make it harder for attackers and get a CDN on top of that.

I really hope we see a competitor for cloudflare and I'd immediately switch. But as far as I know, all others bill you for traffic and are focused on CDN more than protection.

Just curious -- why would you immediately switch, provided that the competitor was doing roughly the same thing with roughly the same quality for roughly the same price?

HN is served up by Cloudflare. A pretty sizeable fraction of the internet is.

Cloudflare showing they could take down some websites because of their content conveniently set them up to be a pressure point in other cases as well such as this one. The argument that they are 'just a common carrier' and have no influence over the content they serve went out the window that day.

They were served a court order to stop serving Sci-Hub. They had attempted to argue common carrier in a previous case and were told by the court that argument didn't hold water.

Yes, and my point is they owe that to themselves. Exercise control over content once and you lose any kind of common carrier argument that you might want to make in the future.

>"Exercise control over content once"

Is this the incident you are referring to? https://www.theregister.co.uk/2017/08/16/cloudflare_ceo_dail...

Regardless of whether that's the reference, it certainly satisfies the conditions of the argument.

I'd imagine so. And because of that move they lost their common carrier argument.

> And because of that move they lost their common carrier argument.

> "We could not remain neutral after these claims of secret support by Cloudflare."

So common carrier status is forfeited if a company reasonably terminates a contract due to the actions of the other party?

Honestly part of the problem with this discussion is that people are just making stuff up. CDNs never had "Common Carrier" status, so all arguments around it make no sense.

That being said, this argument is a recurring theme. It came up when spez edited comments on "/r/the_donald" and comes up any time a company enforces its own TOS in a way the alt-right and libertarian crowds don't like.

I can come up with dozens of examples of companies exercising control over the content of their networks without issue. Reddit removed "fatpeoplehate" and related subs, youtube removes terrorism recruitment videos, and even Cloudflare removes malware (if pushed hard enough). None of those cases resulted in this mythical "common carrier" status being removed, or caused them legal issues in other ways. If I'm wrong it should be easy enough to come up with examples proving it, but that won't happen.

Reddit has never tried to argue it should be thought of as a common carrier to a judge. Cloudflare did.

>to a way the alt-right and libertarian crowds don't like.

sci-hub is appreciated by far more people than the alt-right and libertarian crowds. Is there any particular reason you felt the need to try to politicize it?

Please reread what I said. My comment had nothing to do with sci-hub at all- I am explicitly talking about the people who keep bringing up the "common carrier" claims whenever someone removes content they don't like.

For some reason the alt-right has been all over this claim, and they use it whenever they get censored (either on reddit or twitter), and the libertarian crowd does the same here on this website.

Also, I do want to point out something- saying that someone's argument isn't valid because they have a misunderstanding of the law is not the same thing as taking a side. I think sci-hub is awesome, but I'm not going to defend it by making stuff up.

>>the libertarian crowd does the same here on this website.

I have never seen "the libertarian crowd" (of which I count myself a member) use "common carrier" language on anything outside Internet Service Providers, NN, and Title II regulations.

We defend free speech, and want to hold organizations that claim to support free speech to actually supporting free speech. We believe if a website says "They support free speech and want to allow free exchange of ideas" that they actually uphold those claims... to make a public claim of supporting free exchange of ideas or free speech on your platform then use heavy-handed censorship is in our opinion very similar to bait and switch fraud and should be considered as such under the law even if you sneak in some provisions on page 100 of your 8-point font legalese terms of service...

I know we libertarians are soo crazy with our ethics and principles...

There's no such thing as common carrier status for CDNs, but, when you're in court trying not to take a site down you'll have to make arguments about why you took others down but don't want to take this one down, part of that is how consistently you applied your own standards.

"We don't take sites down if the content is not illegal" is a pretty clear consistent position to fall back on.

"We don't take sites down if the content is not illegal except that one time the CEO decided we would" is not, so you need a different reason, and they don't have one anymore.

Exactly. Cloudflare had an annoying position, but at least it was a consistent one. Now they have an annoying inconsistent position which makes it much easier to get them to move if you're a large enough party.

> So common carrier status is forfeited if a company reasonably terminates a contract due to the actions of the other party?

Yes. That's why I can trash Verizon or smear Verizon's CEO name from a Verizon phone and Verizon cannot use it to terminate my service. Neither can AT&T.

[Edit: Responding here because HN is saying I'm posting too fast]

Non physical plant phone companies have never had any decisions on them that would affirm if they are or they are not common carriers. Verizon Wireless' data services subs behave as if they were.

Brand X decision is largely misunderstood because it deals with LECs, CLECs and companies that would like to get access to CLEC like benefits without being CLECs. Its scope was incredibly narrow which is why it took that many years for FCC's net neutrality rules be overturned (and why it was done by the FCC) and why it allowed FCC rules to stand.

Being disconnected due to utilizing it for harassment is also rather complicated (and has lots of possible legal theories that have not been tested):

- it is known that a phone company cannot disconnect the last "live line" service, even for non-payment.

- phone company may restrict one's ability to use the service as long as it continues to provide live line service (for wireless service it is what allows one to use a locked or administratively disabled phone to make emergency calls). There are however tons of hoops to jump through.

[Another edit:]

Things become a lot more interesting with MVNO because they are really nothing other than buying clubs even if what they buy is a network access. I believe MVNOs can actually terminate services for any reason as they should not fall under the common carrier label.

This in turn makes me wonder if Verizon/Sprint/ATT/TMO are actually MVNO themselves as I know for certain that entity from which customers buy services are not the entities that operate it.

Can you find an example of this that isn't a phone company? Common carrier only applies to phone companies, it doesn't apply to CDNs, content providers in general, or websites.

I'll point out too that Verizon or AT&T can terminate services for other things. If your line is used to harass people or make prank phone calls then it can be shut down. Common carrier doesn't mean that they have to allow everyone to use their service.

Every ISP in the United States has common carrier status.


Note that this is subject to change in the present.

>And because of that move

Why not because of their countless previous similar moves?

You’re right about editorial control.

I am proud that as an ISP in the 90s, and then as a VDN (CDN for video) in 2000s, we successfully kept all our clients online despite countless acts of bullying including CDA and DMCA.

We even had a major satellite carrier go after our various DC real estate providers and backbone connections.

You’d be amazed how long you can keep a client online just by requiring DMCA notices to adhere to the letter of the law before complying — usually weeks!

More than enough time to give clients notice and for clients to make arrangements.

Didn't you argue that CF should exercise control over content when the Daily Stormer account was terminated?

My comment you replied to is still sitting at -4 :(


This is a great reminder for those who question the logic of free speech.

This is a great reminder to not auto-upvote an HN darling when you see the handle. It's pathetic this comment pointing out their hypocrisy is buried at the bottom of the thread.

And where did you see me advocating in this thread that they should not exercise editorial control?

I merely pointed out the consequences of exercising editorial control: that once you show you can do it you lose any kind of argument based on your ability to do it or that you are only taking down content when the law requires it, such as when ordered to do so on account of a ruling by a judge.

My position is pretty consistent:

- Cloudflare for the longest time used a broken argument to leave all kinds of crap websites up longer than they should have (for instance: booter sites)

- Their argumentation was that they would not censor sites based on content unless a court order was presented to them

- And so they were aiding and abetting many illegal schemes, which were too costly for the people suffering from those schemes to prosecute (for instance: because they were abroad)

- But when the Daily Stormer thing happened Cloudflare crossed their self-imposed line

- At the time I pointed out that they would regret this, just like Slashdot folding for Scientology would regret it.

- And now we've come to the end of that line and Cloudflare now takes down sites because some vested commercial interest is harmed, as predicted.

So, I argue that they should exercise editorial control, and that they never had any shot at achieving common carrier protection (because (a) they are not a phone company and (b) because they are not essential, and (c) they never litigated that).

In this case it would have been nice for them to make a stand. Unfortunately for Cloudflare the publishing houses can now point at Cloudflare taking down the Daily Stormer without a court order, and there is no helping them for that. But just like before, Cloudflare simply is a commercial service, they have the ability (and sometimes the responsibility) to take down content. They are simply bad at picking their battles.

Then finally, I see the likes of Cloudflare as a cancer on the web. Way too much power in the hands of one entity in a jurisdiction that is too expensive to litigate in for the vast majority of the world. I hope the net/webservers will get fast enough and that bandwidth on the server side will get cheap enough that we do not need CDNs anymore.

Apologies, I misread what you originally wrote. You are consistent after all.

I want to ironically downvote this, but I won’t.

Yes I did. And where do you see me arguing for the opposite?

> The argument that they are 'just a common carrier' and have no influence over the content they serve went out the window that day.

I thought you were taking the position that CF should be a common carrier. Which to me seems like the logical stance.

Upthread you mentioned CF as not being essential, but based on the current limitations of the web - DoS protection is essential for small publishers. It would be too easy to silence marginalized communities with a small botnet.

Leaving it up to CF to be the judge, jury and executioner is too much power for one company. We have democratic courts for this sort of thing. The web is broken and until then I think DoS protection is essential in exercising our first amendment.

> I thought you were taking the position that CF should be a common carrier.

CF took that position, in the past to defend their leaving all kinds of outright illegal stuff such as booter websites (sites that offer easy to use interfaces to DDOS tools) up and running.

> Which to me seems like the logical stance.

But that makes your argument more a strawman than anything else.

No, I don't think CF is special in any way, not until they litigate that and get an official stamp of approval that they are not going to have to comply with 'regular' takedown requests, since normally aiding and abetting criminals is bad.

CF does not have to provide service to every comer and they have gone out of their way to prove this.

> Leaving it up to CF to be the judge jury and executioner is too much power for one company.

That I agree with, but this is no different from Facebook, Google or any other tech giant. Cloudflare claimed to be somehow special in this respect, I've yet to see FB or Google make such an argument.

Though, Google to some extent tried to do this by claiming for a while that only their algorithms determined what is visible without human input. Nowadays human input is as important a signal as the algorithms and it has final say too.

> We have democratic courts for this sort of thing. The web is broken and until then I think DoS protection is essential in exercising our first amendment.

Unfortunately, your point of view is still US centric, which means you are missing an important piece of the puzzle here. The web is much larger than the United States, 'first amendment' protections do not apply outside of the US, and Cloudflare is routinely hiding behind that first amendment in a way that makes it very hard to prosecute - or even do anything about - the criminals they enable.

Cloudflare wishes to have it both ways: to claim first amendment rights when it suits them and to play judge, jury and executioner when it does not. And in the meantime the rest of the world has to dance to their tune because they are not in the jurisdiction of the victims. That's not a tenable stance in the long term and the Elsevier case shows you quite nicely just how hypocritical this is.

I agree CF wishes to have it both ways. I think they should have never been the content police. Policing should be left to the police. Go after the host server and the criminals who set them up. Countries have IP and extradition agreements for exactly this sort of thing.

CF is closer to an ISP than something like FB because CF only provides the pipes. It's literally providing an internet service. I'm aware they haven't legally earned that distinction, but from a logical perspective - mirroring a server is nothing like providing a social networking platform.

They never had a common carrier argument that held water.

Common Carrier is a legal term that refers to regulation under Title II of the Telecommunications Act. It grants the FCC the ability to classify certain communication companies as common carriers. That status can only be acquired by FCC action, not implicitly by following any standard set of rules.

The argument that taking action once creates a liability to police all content you're serving stems from an outdated court case.

The Communications Decency Act of 1996(!) specifically addressed the issue:

[..] Through the so-called Good Samaritan provision, [Section 230] also protects ISPs from liability for restricting access to certain material or giving others the technical means to restrict access to that material.

> They never had a common carrier argument that held water.

Agreed, they're not a phone company to begin with. But they did try to use that argument and they definitely did not help themselves.

A better argument would have been to claim they don't have the technical capability, that might have bought them some time but then too they should not have shown first that they do have that capability. All in all a less than stellar performance.

I can’t see how that argument would hold water. As a DNS provider, removing DNS records is clearly something they are capable of, regardless of whether they have demonstrated that ability.

Me neither, it was a bs argument to begin with.

But you can see how their reasoning went from "If ISPs can be common carriers why couldn't a CDN be a common carrier?". That said I can see the case for domain registrars and the Tor network long before I can see one for a CDN.

Cloudflare regularly takes down sites without court orders.

Try hosting a site on cloudflare that significantly upsets a major SV company and see what happens.

Do you have any examples?

They pulled the plug on a white supremacy site, the Daily Stormer.

Hardly a problem with most people, but they certainly exercise content-level discrimination (in the most neutral sense of the word).

That’s not what was claimed: the Daily Stormer wasn’t annoying a major tech company even if most of their employees find Nazis detestable.

That case is also complicated by the claim that they dropped that site in response to Daily Stormer people claiming CloudFlare supported their ideology. Given the number of objectionable sites which they continue to provide service to, that seems plausible.

Hmm, fair, I suppose. But if they remove a site arbitrarily for one motivation, why not a profit motivation?

I have no idea where the remark about the other tech giants comes from, though.

I'm not all that thrilled about them because they make me complete captchas all the damn time just because I like to route my browsing through Tor. I'd understand if I was running scrapers or other high-intensity requests through Tor exit nodes, but usually I'm just loading pages at slow intervals to actually read the content. I guess it's like news sites that piss and moan about my adblocker on my very first visit before I've had a chance to actually evaluate any of their content (and I do whitelist sites I visit even semi-regularly).

I don't even use tor but have to fill these stupid things out just because my ISP is stretching some IPv4 things a bit too far. Sure wish they would stop doing that, I have to fill out like 10 cloudflare or google captchas a day.

Not just that - their CAPTCHAs are broken on Orfox (Tor browser on Android) so their sites can't be accessed at all.

Doesn’t privacyPass fix that?

I haven't tried it, but if so I'll let you know.

This is pure FUD. The fact that Cloudflare took down one site does not negate the common carrier laws that never applied to Cloudflare in the first place. No CDN is a "common carrier".

The idea that exercising some control over the content on someone's network or application removed their various liability shields is also completely false. Youtube removes pornography and terror related videos, and sites like reddit remove "abusive" (defined by their TOS, not any law) content, all the time. Never once has this broken their liability shield.

> The idea that exercising some control over the content on someone's network or application removed their various liability shields is also completely false

It doesn't break the liability shield because it's not being selectively enforced.

If YouTube deleted some porn but not others, this protection would no longer apply. Reddit is allowed to delete content that violates their ToS without needing to answer to anybody.

What are you basing this off of? Can you cite any source at all for this?

Seems like they are mishmashing common carrier, the safe harbor provisions of the DMCA, and some magic dust and calling it “liability shield”.

Section 230 of the Communications Decency Act, 18 U.S. Code § 2257 and 47 U.S. Code § 231.

> Section 230 of the Communications Decency Act

This is literally the opposite of what you are claiming. To quote wikipedia,

"The act was passed in part in reaction to the 1995 decision in Stratton Oakmont, Inc. v. Prodigy Services Co.,[3] which suggested that service providers who assumed an editorial role with regard to customer content, thus became publishers, and legally responsible for libel and other torts committed by customers. This act was passed to specifically enhance service providers' ability to delete or otherwise monitor content without themselves becoming publishers."

> 18 U.S. Code § 2257 ( https://www.law.cornell.edu/uscode/text/18/2257 )

This is the law requiring record keeping for producers of pornographic content. This has nothing to do with what we're discussing here.

> 47 U.S. Code § 231 ( https://www.law.cornell.edu/uscode/text/47/231 )

This law requires people who make porn available to not allow minors to access it. The closest thing I can see that relates to our point is that it grants immunity to ISPs for porn sent over their network.

All three are different laws, yes, but the latter two also make it clear that service providers are immune from liability for third party content in those contexts if they aren't actively participating in its selection or alteration, excepting justified deletions.

You said it's completely false that exercising control over content on one's network diminishes a provider's ability to claim safe harbor. I've given you two laws on the books in the US that say otherwise. What are you basing your claims on?

That's actually not a fud.

Government/whatever party has to compensate a common carrier a reasonable amount of money for determining and filtering content. Not having tools to do it means a company gets to say "this would cost X, write us a check". If X is too big, government/other party tends to walk away. In my previous life, we have used this argument successfully to quash several court orders. The reason why we were successful is because a very smart attorney that happened to be a relative of a founder convinced him one day that under no circumstances should we develop such tools ahead of time.

One of our competitors had these tools developed. They had a similar court order served on them. They attempted to use the same argument we used. They failed because the government offered court the evidence that those tools already existed and were used by our competitor and hence there was no undue burden.

[Edit: Responding here due to rate limiting]

> It's FUD because it does not apply, at all, to the existing scenario. Common Carriers have specific legal meanings, and internet companies don't fall under that.

This is also unclear. Common carrier is reasonably well defined based on what was known about certain technologies at the time.

NSPs/webhosting providers/CDNs/etc have never litigated their common carrier status to my knowledge as in most of the cases it does not appear that being a common carrier is beneficial to them. This does not, however, mean that there cannot be a situation where being a common carrier would not be advantageous to a NSP/CDN/webhoster. This is why most of them would prefer to behave like common carriers even if they are not - it is optionality and having more options is typically better.

It's FUD because it does not apply, at all, to the existing scenario. Common Carriers have specific legal meanings, and internet companies don't fall under that.

This comes up all the time. During the Obama administration there was talk about reclassifying network services so that this would apply (it would make things like home internet far more competitive if it was). That never happened.

> internet companies don't fall under that.

ISPs actually do. And they are very much internet companies.

CF's whole mistake was to pretend that they were nothing more than dumb pipes and that what was legal or at least not explicitly ruled forbidden on a case-by-case basis was good enough for them. They never were dumb pipes, they always had editorial control and they provided the proof of this themselves.

"Take down" feels a bit dramatic; ultimately CF discontinuing service leaves the sites in the same position that they would be in without CF in the first place. The operators are still free to continue running the site as they see fit, just not with CF's service. Sure, there is a (short) interruption for the site as the operators need to reconfigure systems, but I feel like that is a fairly minor issue in the scale of things.

Taking down nazi content but then losing some Sci Hub domains is a net positive, so even if there was causality (there isn't), it still looks like a good decision.

Who decides what a net positive is?

To those unclear, Cloudflare is terminating Sci-Hub due to court order, not their own censorship.


Terminating Stormfront voluntarily discredits any attempt at common carrier status.

EDIT: I'm unsure you can argue, with a straight face in front of a judge, that you're a common carrier when you've publicly blogged about determining to terminate a user because you felt like it. I'm not judging Cloudflare (anymore), just observing the pickle they've put themselves in because of their own decisions.

Even if they were classified as a common carrier it’s likely they would have to stop acting as a name server, when instructed by a court.

You cannot argue for Common Carrier status in front of a judge if you're not classified as a common carrier by the FCC.

> You cannot argue for Common Carrier status in front of a judge if you're not classified as a common carrier by the FCC.

Sure you can, since “common carrier” is a centuries old common law classification that the FCC has nothing to do with, as well as also a statutory classification under the Telecommunication Act inspired by the common law classification, as well as a statutory classification under other laws.

And even for the classification under the Telecommunication Act, one could argue the definition in the Act whether or not the FCC has applied it in a particular way (this requires overcoming the deference that courts give to executive agencies delegated decision-making powers by Congress, but it is not an impossible argument to make in principle.)

Edit: more connected than I thought it was!

Explanation for why I downvoted your comment:

Your comment is completely unconnected to the statement above it. It's only connected to the story in that Cloudflare was involved with both, but if you're going to try to connect it to this story your comment should go at the top level. But connecting a highly controversial subject to this one by posting inflammatory comments does not seem to be a good way to connect these two different stories.

It’s not unconnected. Cloudflare would’ve been able to defend against the court order more aggressively had they not made the mistake previously of violating the principle of common carrier status.

Cloudflare wants to project the idea of being critical Internet infrastructure without the governance and responsibilities that go along with that.

No one wakes up at a root DNS server one day and deregisters a domain because they feel slighted by the content of that domain.

Well, it is connected because it has to do with Cloudflare being a common carrier or not.

If Cloudflare hadn't effectively given up its status as a common carrier, by blocking Stormfront, maybe it would have been able to defend itself from the Sci-Hub court order.

Cloudflare being forced to take down content in the future is exactly what people predicted when they decided to give up their status as a common carrier.

They were never a common carrier. “Common carrier” is a well-defined legal term that does not apply to them.

In related news, I did not give up my status as a fish by breathing air.

Tell that to Cloudflare.

They are trying very hard to be a common carrier, because they want the legal protections that it provides them.

But, because of their actions, they've lost the court cases, and are unlikely to receive that status.

Sci-Hub pits US law against morality, public sentiment, and public interest much more directly than usual. Unfortunately, the US government is not the sort of entity which can notice itself being a villain, or notice itself burning its credibility.

Why are you singling out the US? Sci-Hub is against the law in most countries.

Eh, copyright law in most countries is the way it is because of pressure from the richest countries (like the US) to conform or lose all trade (or even get a visit from a Marine expeditionary force).

The parts of copyright law that Sci-Hub is violating in most countries' copyright laws are parts that have been in place at least as far back as the 19th century, long before the US was using trade pressure to try to influence anyone's copyright laws.

In fact, up until near the end of that century if anyone was using trade pressure to try to get copyright changes, it would have been other countries trying to get the US to change. The US copyright law at the time provided very little protection for foreign authors. Their works were essentially public domain in the US.

I'm a proponent of open culture, and curtailed limits on the duration of copyright.

But that being said, no rational person could possibly believe that copyright exists only due to external state actor pressure from "the richest countries"... and not due to the fact that entrenched financial interests influence every nation on earth. Over-the-top zealotry only serves to discredit more sober critiques.

If you look at what happened to Kim Dotcom in NZ, a rational person might change their view.

> But that being said, no rational person could possibly believe that copyright exists only due to external state actor pressure from "the richest countries"

History suggests otherwise. Something that many of "the richest countries" have in common, including the US, is near-complete disregard of other countries' IP laws during their formative stages. Once these nations climb to the top on a heap of broken IP laws, they invariably set about building it even higher.

>Has the US invaded China over copyright

To begin with, a figurative threat to do so is being issued by USA with nowadays unsurprising regularity.

And the more of a paper-tigerness USA's trade policy demonstrates, the more countries ignore it wholehandedly.

So you're saying that everything the world does is predicated on a fear of a US invasion?

Has the US invaded China over copyright? Has India been invaded or embargoed over lax IP laws? How about Russia, Argentina, Chile, Indonesia, Pakistan, Thailand?

Here's the Priority Watch List from the US Trade Representative naming the biggest IP offenders in the world:


We can note that the US hasn't sent a "Marine Expeditionary Force" to any country over the issue. The US hasn't even sent a cruise missile to send a message to prolific IP violators. A strongly worded letter has been the extent of the "invasion."

It's getting to be almost comical that the US is being presented as the cause of all that is wrong in the world. The anti-Americanism that's rife here is a bit ridiculous -- we're on Hacker News -- a site that is sponsored by an organization (YC) that's the epitome of American capitalism, located in the epicenter of one of the most successful and valuable regions on the planet: ground zero for the invention of the devices and software with which you're able to read this and type your responses.

It's ironic to be complaining about the country that invented much of the tech you're using right this minute enabled by the very laws about which you complain.

The United States isn't perfect, nobody is disputing that. However, the suggestion that the United States is going to send in the Marines over differences in IP law.. That's just absurd, based on zero logic, and needs to be called out for the nonsense it is.

It's not an invasion that countries fear. It's not being able to trade in Dollars.

> Has India been invaded or embargoed over lax IP laws?

Have you forgotten how India was made to agree with TRIPS in the 90's?

>It's getting to be almost comical that the US is being presented as the cause of all that is wrong in the world. The anti-Americanism that's rife here is a bit ridiculous

Unfortunately, this could be said on basically any forum on the internet. Do you happen to know of an alternative to Hacker News that doesn't have this problem?

> The anti-Americanism that's rife here is a bit ridiculous

Well—here's the other side of that—I frequently get thoroughly sick of the US parochialism, ignorance of history, denial of basic realities etc "that's rife here". Well, people swallowing whole the shiny story the US mass media seems to paint about the US' role in the world in the last 130 years is a large part of it I guess.

Not the first time I've read on here about someone sick of "the US being presented as the cause of all that is wrong in the world." But I don't think anyone says that.

You could have chopped out a page of your comment, the many lines of ridicule, as advised in the guidelines. Well, I can hardly advise you to stick to your point in a comment as off-topic as this. :-) But I thought your complaint needed counterbalancing.

this negates previous argument how exactly?

Is it just because I'm not a native speaker, or is that very cryptically phrased? I'm really not sure what you are trying to say, for or against the termination.

He's saying

- Sci-Hub is doing good, but breaking the US law.

- The US law in this case is immoral, people don't like the law, and the law is bad for the country.

- The US government is unable to notice that these laws are bad, and so will continue doing bad things (like shutting down Sci-Hub).

In the sentence "Sci-Hub pits US law against morality", "pits" means to put things in a fight against each other (ostensibly, a fight inside of a pit). He's saying that the situation shows that the US law is not on the side of morality in this specific spot at least.

Native speaker. It is understandable (explained in sibling comments) but definitely puts eloquence before readability.

Non-native speaker I think. It was unambiguously supportive of the unarmed party in the conflict.

Its users are also against the law.

Looks like their onion service is also down: http://scihub22266oqcxt.onion/

Can anyone test their i2p eepsite as well?

Sci-Hub should host an IPFS node with all their contents. Once the owner sets up an IPFS directory, the owner can update it (it's not static like torrents), other nodes will download changes, and it will be distributed, censorship-resistant and shared among a community of people who pin directories on their PCs and ARM computers.

Another similar solution would be to set up ResilioSync or LibreVault repositories; again, this makes it decentralized by P2P. There are public repositories so anyone can join and leech/seed files, and the owner can update files.

I'm surprised they're not doing it already.

First off, there's a difference between Sci-Hub (no content is hosted, only a portal) and LibGen. Papers downloaded from Sci-Hub are hosted in the latter. And secondly, they do offer torrents as a P2P solution: http://gen.lib.rus.ec/repository_torrent/

I'm not familiar enough with IPFS, but I think once onions play nicely with IPFS (i.e. when this is solved[1]), then it could be very promising. I'm not sure how censorship resistant it could be.

[1] : https://github.com/ipfs/notes/issues/37

> they do offer torrents as a P2P solution: http://gen.lib.rus.ec/repository_torrent/

yes, that's the problem. Once you have a torrent they can't add new files to the torrent, they have to make a new one, and you have to download the new one.

Also this website is blocked in the UK.

> Also this website is blocked in the UK.

Use the Tor Browser to access it: https://torproject.org/download

I have a VPN at home.

How does censorship resistance work in this case? Simply by giving the rights holders more targets to sue / have taken offline?

Exactly, which is extremely effective - good luck suing someone in China who doesn't give a fuck about US copyright (and in this case rightly so).

So in other words, the technology doesn't have any particular benefits in this regard — all of the advantages come from hosting somewhere without a high enforcement risk.

Can I offer my computer to Sci-Hub to store and retransmit encrypted content for them? If I could run software that would assist Sci-Hub, I would.

Is anyone else doing something similar?

Sci-Hub is important - it's one of the most important resources we have today. How can we support Sci-Hub?

PopcornTime for Sci-Hub?

To the people upset with CloudFlare: please explain why it is better for random startups and multinational corporations to set and enforce policy, than for elected officials and governments and courts. Because that’s basically what you’re saying...

While I'm fine with CloudFlare's actions here, the reason one might hold independent companies to a higher standard than governmental entities is the fact that the U.S. government has, consistently and repeatedly, proven itself almost entirely invested in corporate interests with regards to the Internet. The government cannot be expected to work in favour of Internet users' interests in any situation except those where they coincide with corporate interests.

This will remain the case, because the impact of tech-interested voters to whom elected officials' support of this status quo matters is trivialized by the apathetic majority. Therefore, the tech community's only recourse is to pressure the middlemen, such as CloudFlare, who can interfere with this type of corporate action.

> To the people upset with CloudFlare: please explain why it is better for random startups and multinational corporations to set and enforce policy, than for elected officials and governments and courts

Lately, I'm not impressed with our government or the people who elected it. I think both groups -- meaning corrupt people in the first instance and stupid people in the second -- have far too much power over the rest of us.

Subversion and disobedience on the part of everyone from multinational corporations to individual Internet users may, unfortunately, be the only remaining way forward. I don't pretend that this state of affairs is good for society, but it is what it is.

People upset with CloudFlare are not asking CloudFlare to set up policy instead.

They are saying CloudFlare should behave like a common carrier and NOT have any policy to begin with.

But Cloudflare already lost that privilege. And now the Common Carrier Chickens are coming home to roost.

"Common Carrier" status is granted by the FCC to certain communication companies. It is not something acquired by (not) acting in a certain way. Example: You can't just run the mafia's books and say "I'm a common-carrier accountant; I don't get involved in my customers' business".

Common carrier is a legal concept which goes way beyond Title 2.

Public transport is a common carrier in the US; oil and gas pipelines are also common carriers. They don’t ask the FCC to classify them as such.

There are other delivery networks that work peer-to-peer, such as IPFS, BitTorrent and WebSockets P2P CDN.

Are you prepared to host and distribute copyrighted documents from your home connection and publically advertise that to the whole world? Because that's what P2P really means in this case, unfortunately.

If a little civil disobedience is what it takes to save public access to human knowledge, then so be it...

Yes, but if you get caught right away, you aren't maximizing your impact. It would be better to use P2P with anonymizing layers.

True for the ones that were listed there. It's unfortunate that the networks that are getting the most pub weren't built with anonymity and plausible deniability in mind.

It’s a very hard problem in this case because it’s a public service and there’s no reliable way to prevent someone from firing up a client, downloading something copyrighted, and recording where the bits came from. That limits hosting to people who live in jurisdictions without copyright enforcement or who have very deep pockets for legal defenses.

Cloudflare is on a path to nowhere. The more services they ban the less attractive they are.

You are speaking only from a free-speech perspective.

As a business user, I would absolutely want $CDN_PROVIDER to only allow / serve traffic in compliance with the laws of my country. I wouldn't want any chance of my non-controversial content being blocked because some third-party caused my host to be removed from the internet, either by direct action (BGP blackholing / similar) or by side-effect (IP or block being added to $FIREWALL blacklist).

When they change your acceptable content to non-acceptable content it might be too late to protest.

Your comment makes it seem like they had a choice here. Cloudflare were given a court order to stop Sci-Hub from using its services.

In years past they would have made a big deal about fighting the order.

I can't stand companies like Cloudflare that won't let you contact them to get support. My phone was stolen and with it my 2nd factor. Now I can't get in, and you can't access any support whatsoever without logging in first.

So now I have to transfer all my domains away from them and go through all the trouble of setting up DNS elsewhere.

Their CTO is always here on HN. Try to reply to him.

Also, use an app such as Authy to store your 2-way tokens.

You can access Sci-Hub at https://5ly.me/scihub .

sci-hub.tv and sci-hub.hk seem to work fine

why would they want to mess with cloudflare anyway.

We're going to see this kind of thing happening more and more as Cloudflare receives takedown requests from every copyright association. By taking down websites, it signaled to the industry that Cloudflare was a viable place to go to if they wanted things to be removed from the Internet. Cloudflare dug this hole for themselves, and it's going to be very hard for them to go back to the "dumb pipe" status they enjoyed before.

Well, at least we still have SciHub access through Tor

According to Sci-Hub’s operator, losing access to Cloudflare is not “critical,” but it may “cause a short pause in website operation.”

There is some kind of weird disconnect between the reality of distributed communications, and people/companies who seem to think that they have a prayer of stopping them. You’d think that the near implosion of the music industry would have been a clue though. Where there is demand and anti-consumer practices, there will be piracy.

Is it just that people making these decisions are ignorant, or emotional? Does anyone know?

I really hate to sound like I'm defending Elsevier, but is it really unreasonable to assume that a large corporation that has built itself on an entire multibillion dollar company would be opposed to being toppled by piracy?

I am 100% for Sci-Hub; I think it and sites like Arxiv are the natural evolution of professional journals and the future of academic publications. But I do understand why Elsevier is fighting this. It's not a disconnect, it's not like they don't see the writing on the wall, they just want to secure their benefits as long as they can and enjoy the good life while it lasts. If their lawyers succeed, then there's no worry, the party continues.

If they fail, at least they have plenty to rest on. If they're going to lose it all by not fighting, then it makes perfect sense to bet it all by fighting, because with Sci-hub and distributed systems (Tor, bit torrent), there is no winning in the long run. At least, not living with the revenue they are now.

So you don't have to be ignorant or emotional to make such a decision, you just have to make a calculated gamble and figure out which is going to hurt the least in the long run all things considered.

I agree, large companies like Elsevier generally do not care about low magnitude piracy, but something like SciHub is probably to them an existential threat, and something they would throw everything at.

The music industry saw a revival of sorts, with Spotify and other streaming services offering a reasonably priced and extremely convenient alternative to piracy. That sort of an arrangement, while still not ideal, is probably the best Elsevier can hope for in the long term - provided they can offer a sufficiently interesting alternative to scihub.

>> is it really unreasonable to assume that a large corporation that has built itself on an entire multibillion dollar company would be opposed to being toppled by piracy?

That position is not what is "unreasonable", their existence is what is unreasonable. The fact that a company like Elsevier needs to be toppled by piracy at all is unreasonable.

The legal framework that has allowed Elsevier to profit from public research is unreasonable

>>But I do understand why Elsevier is fighting this.

I also understand why a serial killer would fight going to prison, that does not make the serial killer reasonable, ethical or just

>>If their lawyers succeed, then there's no worry, the party continues.

I disagree here, if their lawyers succeed then they do a great disservice to humanity, and further entrench copyright law, possibly even expanding it with legal precedent

Full +1 with you on this one.

The core problem seems to me that ethics has way too low impact on university courses, no matter if in STEM, finance, law or everything else.

For example, it is certainly justified for a lawyer to defend a serial killer (after all the right to representation in court is a basic human right, or at least should be) but a company has no moral right to legal assistance. No lawyer is bound by code or law to assist a company - but many do because of individual profit and ignore the loss that society has to shoulder.

> You’d think that the near implosion of the music industry would have been a clue though. Where there is demand and anti-consumer practices, there will be piracy. Is it just that people making these decisions are ignorant, or emotional? Does anyone know?

Wow. That is harsh.

The current state of music is that artists need about 4 million Spotify plays per month to make minimum wage ($1160) [1]. That's assuming the artist does not have to share the revenue with anyone and not counting the time needed to break even on the initial investment (if you even manage to break even before the recording is 'old' and you're up for a new one).

Realistically there is no money in recorded music anymore except for the John Mayers and Taylor Swifts, so nothing has been solved in that industry and there is no 'clue' to get.

There was a legitimate source of income, then technology devaluated the product to oblivion. It's not worthy of damnation that those in an industry that is being levelled with the ground are caught off guard and attempt to fix their problems.

It would do us good to empathise with the people in these industries, because there are going to be a heck of a lot of them in the coming years. If we value the product of their labor we should want to offer them an alternative source of income instead of berating them.

[1]: https://informationisbeautiful.net/2010/how-much-do-music-ar...

That is pretty misleading to reference 'minimum wage' in regards to how much money a band makes from streaming. A wage is determined by hours worked / revenue. Once the music is recorded, they aren't 'working' anymore hours, so how would you figure they need $1160 a month to make minimum wage? They aren't working any hours while that music is being streamed.

If you wanted to figure out the wage, you would have to take the number of hours spent creating the music (writing, practicing, recording), then divide by (revenue from streaming - costs to record). Since that streaming revenue can keep going long after they are done recording, you are going to hit minimum wage if you wait long enough and people keep streaming your music.

Artists deserve to be compensated for their work, but we should be thinking about it in terms of income per hour worked. No other job expects to be paid forever for work done years ago; if someone hires me to build a fence, I don't expect to keep being paid for every year that fence is up.

> Once the music is recorded, they aren't 'working' anymore hours, so how would you figure they need $1160 a month to make minimum wage?

I completely agree. The minimum wage figure was just a reference point that aligns with the way we pay for it: monthly. It's ridiculous music has (been) moved into this area.

The same problem is in the software industry now. More and more companies move to subscription business models simply because a pay-upfront model isn't viable anymore. Sure, it's great to support developers in their endeavours, but what if I just want to buy this exact version of the app and decide for myself if I want to pay for bug fixes and extra features later? Maybe this version is fine for me. But the new business reality doesn't allow for this.


> No other job expects to be paid forever for work done years ago; if someone hires me to build a fence, I don't expect to keep being paid for every year that fence is up.

The entire intellectual property licensing space works in this way, and that space is badly broken. I agree that there's no moral requirement to pay someone for work done years ago, and the reality is that most musicians really aren't. A quality recording takes a long time to make and its average lifespan is about a year (if that) before attention (if any) dies out.

On top of that it requires a big investment to record, produce and promote an album (consider also a new website, logo and album art) and then after all you have to share the $0.00029 per song play with about five people and the label. You're lucky to break even at all.

At least in the case of the music industry, the current state seems great in many respects:

1. Everyone could afford access to all the music in the world.

2. Tons of new music is being created. Creativity seems fine. Creators are still highly motivated to release their music and even without making a living through music there are still many benefits to being a musician.

And yes, it's hard to make a living through music. So what ? Why is this a necessity ?

Substitute “making music” for “programming” here, as a thought experiment. See how that reads.

Just because people keep doing something doesn’t mean it’s all “fine”. People make music in spite of the hardship. All of society benefits from their irrational, self destructive drive for creation. We could show some empathy and at least acknowledge that. Maybe even help find a way to make this beautiful gift they bestow on us less painful?

Currently it feels like we’re making them shit roses for us. Maybe let’s help trim the thorns :)

Source : I know several musicians first hand, and it’s not “fine”. :/

> Substitute “making music” for “programming” here, as a thought experiment. See how that reads.

It would still be correct. Low average incomes for musicians and most apps not breaking even is a signal in both cases that the current supply is more than enough, and you should consider other opportunities.

> People make music in spite of the hardship. All of society benefits from their irrational, self destructive drive for creation.

There's a difference between the total and marginal benefit to society. If all musicians spontaneously quit and nobody replaced them, we'd be worse off. But in the actual world, if somebody is deciding whether to pursue a career in music or engineering, the latter probably has a higher expected benefit.

Building things for people to use has always been valued. Making music just had a weird and brief period during which it could be monumentally lucrative. The circumstances have changed, and music is roughly back to being like any other art form in terms of average monetary reward. Music is only “special” because of physical recording creation and distribution.

That has ended.

> Making music just had a weird and brief period during which it could be monumentally lucrative.

As a programmer I sometimes reflect just how lucky I am to be born right at the historical moment when my abilities align with the economic demand. A few decades earlier or later and I'd be lucky to be an accountant or something.

I have a great deal of empathy and compassion for artists. These are people who pour out their hearts and souls and lives for the sake of us and our culture. They deserve to be met with a response that cares about them. You're completely right. They define us, and tell us who we are.

Yet, what form should empathy and compassion take? Empathy isn't a policy prescription. It doesn't come with technical requirements. Artists have alternate sources of income available, but this often runs into the basic problem that they aren't structured like the album sales of yesteryear. Different skills and approaches are required.

So what's an empathetic lover of music and culture to do? I only know that the previous system didn't work any better - Courtney Love doing the math made that clear.

While I agree with the sentiment that recorded music has been devalued to all hell, implying that an artist racking up 4M Spotify streams every month is living off of $1160 a month is a bit disingenuous.

If you're pulling those numbers, and know what you're doing, you will almost always have opportunities to make (much) more money doing shows and placements.

Additionally: while the distribution of musical success was and still is bimodal, thanks to the fragmentation of culture caused by the Internet there is a growing middle creative class.

> Realistically there is no money in recorded music anymore except for the John Mayers and Taylor Swifts, so nothing has been solved in that industry and there is no 'clue' to get.

Have you seen Patreon?

> Have you seen Patreon?

Patreon, Bandcamp and Tunecore collectively pay out about $25 million per month [1]. That's minimum wage for 21 000 people, assuming each artist gets an equal share (which they obviously don't). This doesn't seem like a lot to me.

[1]: http://musically.com/2015/02/16/what-are-musicians-making-fr...

I call that a good start. Society is still learning about this kind of funding model; there will be growing pains[1]. I find it incredible that Patreon is already allowing funding talented niche artists[2], important "not advertiser safe" social/political commentary[3], and other projects that would never make it past the usual funding filters.

Yes, it isn't a lot, but it's a good start that has already had some success. Hopefully it will continue to grow.

[1] e.g. the recent drama with Patreon changing their payment model

[2] https://www.youtube.com/user/oancitizen/videos

[3] https://www.youtube.com/user/ContraPoints/videos

> 4 million Spotify plays per month to make minimum wage ($1160)

I would (and do) advise an artist (and a friend, or a random person off the street) to have income from more than one revenue stream.

> It would do us good to empathise with the people in these industries

there's no reason to be empathetic towards the industry, even if we are entirely and wholly in support of artists, their work, and expression.

to put a finer point on it: the fact that there is an "entertainment industry" frightens me. this is not to say we shouldn't find entertainment, and share artworks/creativity/etc... but that our need (or training) to be distracted from the horrors of modernity presents sufficient demand for An Industry of this scale is troubling. The existence of this Industry may be seen as an indicator that our civilizations are performing acts of violence upon ourselves and our homes that we would be better served by ending.

Isn't it rational to hold on as hard as you can, to as much as you can, for as long as you can? The old models of commerce are so lucrative that adapting early to the sustainable models comes at a serious cost.

Imagine the area under the curve, and how much money that adds up to, if we went from a market with CDs and DVDs and happy cable subscribers to Spotify and Netflix and internet-only broadband as they are today overnight instead of over the course of the years.

> Isn't it rational to hold on as hard as you can, to as much as you can, for as long as you can?

Depends on just exactly how rational you want to be. If your planning horizon is quarterly and annual numbers it makes perfect sense. If you want your company to still do business in the coming decades then holding on and denying change can make you blind to the necessary adaptions.

> your planning horizon is quarterly

I think their planning horizon is Retirement

I see your and other poster’s points. I suppose that I let morality and rationality mix in my assessment of Elsevier’s behavior, with predictably confusing results. Yes, it is rational to fight for so much money and power, even if it’s just for another quarter. The fact that I despise that behavior doesn’t change the rationale behind it.


In a society governed by the rule of law, nobody should have to defend their decision to avail themselves of the protections these laws offer.

If large parts of the population disagree with a business model, they have the collective power to change it.

As a former scientist, I can't wait to desecrate Elsevier's grave. But I'm still uneasy about the prospect of people taking matters into their own hands simply because their technical capabilities are more advanced than those of their opponents. There are also journals, such as Science, that finance the valuable non-profit foundations publishing them.

Of course, this is to a large extent the fault of scientists and university administrators themselves, because they have all the power to refuse to publish in for-profit closed-access publications (as they are apparently doing in Germany.) And the political process in the US is basically broken.

But look at other examples of the same principle, and you might find one where you land on the other side: The Federal Reserve seems the safer bet vis-a-vis the libertarians that jumped on Bitcoin to topple it. Uber has a litany of problems from their "rule-breaking DNA". Or, for the political right: should "illegal" immigrants receive citizenship simply for evading border checks?

> a society governed by the rule of law

* stifled laugh *

our actions are governed by the reality of enforcement. our planning is governed by the expectation of enforcement of the rule of law.

this should be apparent by now.

I mean, it was pretty clear the music industry would continue in one form or another. There is some form of value add.

But science publishers? These guys haven't made an honest buck in decades now. Their business is entirely due to inertia and regulatory capture. The short to medium term goal of all stakeholders is their entire elimination.

Even if a company knows that they are dying, there's a lot of money to be made by postponing that death as long as possible.

Need alternatives outside the reach of the us government and other hostile entities.

I don't see the issue. We were all ok when daily stormer was kicked off the internet by godaddy and google. Apparently companies are within their rights to shut down anything they don't approve of. So wtf is the problem now?

Really disappointing of Cloudflare. I thought they were above this.

Above the law?

> Cloudflare has received the attached court order, Case 1:17-cv-OO726-LMB-JFA

I must clarify I'm not saying this is fair or unfair, I just doubt CloudFlare has much room for maneuvering.

Oh, my bad. The bold text on top says they "seemed to offer no resistance this time," which made it sound like they could have. I should have read on and seen your quote.

Then just don't use US based servers to host them.

Above being sued?

Time for our sites to switch to keycdn or cachefly. I am not going to support cloudflare with my business any more.

Since those ignore court orders? Which in turn means they would ignore court orders if you sue them. Cloudflare didn't act on their own ("Cloudflare has received the attached court order, Case 1:17-cv-OO726-LMB-JFA")

I highly doubt if you handed either of these providers a court order to remove a site, they would go out of their way to prevent the court action.

As much as I'd rather see it happen to something other than Sci-Hub, I'm glad Cloudflare is being held accountable for their hosting services.

Their "we're only a neutral pipeline" spiel is complete bullshit and I'm glad they are being held accountable for it.

(Short version: They are not neutral because they provide a paid service for the websites they host. Yes, in some cases it's a free service but in that case you are still "paying" in good publicity. The fact that no money changes hands doesn't suddenly make them a neutral party.

They are also absolutely a hosting provider. Even though they don't host the central, permanent, authoritative data of the sites themselves, they still host plenty. They store images, code, stylesheets even complete pages in their cache. The data is on their servers, being pushed onto the internet from their ip's. They host the DNS. They can even host some business logic with their page rules.)

Without going into whether the rules that apply to webhosts are fair, it is a very good thing that Cloudflare is being held just as accountable as any other service provider. Their IP's, their responsibility just like any other party.

Edit: Those downvotes came quick. Care to comment on why you think Cloudflare should be held to a different standard than a traditional hosting provider?

By this logic, you must want us to hold counties accountable for the highways they build. After all, every truck full of illegal material is driven down roads that somebody built; gee, if only those road builders took a more active stance to enforce the law. Come on.

That is not the logic. The logic is this:

Cloudflare serves up illegal content, let's say a phishing site.

Cloudflare refuses to stop serving the phishing site.

Cloudflare refuses to disclose who they are serving the site for.

By using your metaphor, the county would not even send out the sheriff to prevent a shipment of illegal material from being driven over their highway once they were aware of it and would just flat out refuse to cooperate with state police.

It's not up to Cloudflare to decide what content is or isn't illegal. But Cloudflare actively prevents investigations to even start determining whether or not something is illegal.

> Cloudflare refuses to stop serving the phishing site.

You name cloudflare and a provider of the phishing site in a lawsuit. It makes it through courts. Cloudflare is unlikely to attempt to defend it. Your attorneys figure out how, as a part of the redress, to get an order for cloudflare to disconnect the phishing site. You hire appropriate parties to service Cloudflare. Cloudflare disconnects the phishing site.

That's exactly how it is supposed to work.

> a provider of the phishing site in a lawsuit.

Except CloudFlare refuses to name such an entity. All they're willing to do is forward my complaint to the "provider of the phishing site".

So they're willing to violate my privacy and put me in danger by possibly forwarding my details to possible criminals, but they refuse to do anything about the actual problem.

They say they will

> put a warning page up for when visitors try to access the specific link. We will also notify the site owner to have them clean the malicious files on their site. [0]

but that's a flat out lie. I've tried this avenue numerous times.

I shouldn't have to go to court for what is basic network hygiene.

What you're advocating is like having google disable their spamfilter and me then having to sue every single spammer that sends me spam mail.

[0] https://support.cloudflare.com/hc/en-us/articles/200167736-H...

You file a lawsuit. Support article always loses to a court motion.

That comparison makes no sense. I'm saying that if you lease a server and allow a third party to distribute data through it, you should be considered someone who partners with that person. Whether you store the content on your server or use your server as a pass-through layer shouldn't matter in this case.

I'm not saying the same thing about routers.

Cloudflare is not operating routers that make the internet work. They act in the interest of their clients, not the internet in general.

www.stormfront.org ->

Checking your browser before accessing stormfront.org.

This process is automatic. Your browser will redirect to your requested content shortly.

Please allow up to 5 seconds… DDoS protection by Cloudflare Ray ID: 3e87d9d41f9b5504


I would posit that, although speech is protected in many ways in the USA, there are cases where there are definite actions behind the speakers. And I would therefore argue, that when X person gives hatred against a group, and later takes violent actions against said group, their speech isn't just speech. It's a definite call to action of assault and murder.

I also recognize there are false flag operations that could demonize more legitimate groups. But then again, I don't believe that anti-war protestors, or the women protestors are going to advocate for killing Jews, blacks, and LGBT anytime soon.



Poe's law can become a cudgel when paired with takedown rules that companies don't want to (or can't) enforce with the level of thought as a real court decision. I don't like cloudflare saying that they're totally absolved of responsibility, but I do have a lot of sympathy towards their CEO's complaint about being the gatekeeper. If I was in their shoes, I wouldn't want to have to try and formulate a policy rule that keeps Solanas but bans whatever satire or allegory the alt-right publishes.

While SCUM has some merit, A Modest Proposal was satire at the rationalism of economics.

That's why I was very careful with my words. Of course, we will see parodies and the like.

However, Charlottesville, and their speakers should absolve any idea that this is a joke. These white supremacists actively call for violence against others, and then proceed to enact it.

The distinction here, is the "call to arms"->"illegal action directly related to call to arms". And I do believe that Cloudflare and others have a distinct responsibility in this.

Tl;Dr: say the shit you want, but once you bring violence into it, all bets are off.

The state always and invariably brings violence with it.

The state is violence.

As America becomes increasingly polarized and driven towards echo chambers, political violence continues to emerge across the political spectrum. For instance the recent attempt of an individual to randomly murder congressmen after verifying they were republicans [1], or perhaps the mass murder of police officers in Dallas by an individual at a BLM associated rally [2]. Both had strong links to various political organizations. Using anecdotal evidence you can condemn most of anything.

In my opinion Cloudflare should not be in the business of making judgement calls one way or the other. The law exists for a reason and, as in this case, when a group is seen as acting outside the law, Cloudflare can be directed to terminate access. They need not preemptively act as judge, jury, and executioner themselves. Another issue is that when you start refusing to accept some group or another, it leads to an implicit endorsement of all the other groups. You can certainly find all sorts of completely abhorrent sites that utilize Cloudflare. A social campaign showing these sites while emphasizing that Cloudflare can, and does, refuse service to sites for what might be perceived as 'lesser crimes' would leave them in a difficult to handle situation. And this will happen. By contrast, not all that long ago they could have simply and eloquently responded, "We do not judge content."

[1] - https://en.wikipedia.org/wiki/2017_Congressional_baseball_sh...

[2] - https://en.wikipedia.org/wiki/2016_shooting_of_Dallas_police...
