And if Kiwifarms sending out bytes to the internet is free speech, then compelling cloudflare to send those same bytes is impernissible forced speech.
The problem is any organized body of people can start a similar pressure campaign against Cloudflare or Facebook or Reddit. It is now their job to be a complete legal system - listen to each complaint, adjudicate who is right and who is wrong, what is ethical or not, and respond. Which websites are allowed to exist, which subreddits, which ads and messages are okay and which aren't..
This is an incredibly dangerous & undemocratic precedent because those companies answer to stockholders not citizens. There is a reason the judicial system is set up the way it is, with elected lawmakers and juries of ordinary people.
It's good that this is not what people expect from them then. We're still taking about most egregious examples discussed for years with documented lethal real world impact. Just like they already say in their TOS they would act on.
So it's a justice system that only gets pulled out in the event of mass social pressure? Is that supposed to be something to be proud of?
Companies started acting like they shouldn’t need to know what their clients are doing only 20 years ago and it’s given us widespread counterfeiting, scam robocalls and DDoS attacks. Of course they want to continue doing it, because they’re making money hand over fist. Doesn’t mean we should let them.
Only _some_ companies, and for obvious reasons: there is good money to be made in shady business. Playing the naivité card is apparently enough to convince some. But it's just a card, they know precisely why they are doing it, and supporting free speech ain't it.
Should ISPs proactively block certain websites to all clients under threat of leaving of a group of clients?
I think we want some companies to behave like utilities and be agnostic.
Cancel culture is when people assemble and then say things in support of a cause I disagree with- in particular, it's really bad when they petition a company or government to do something I think is wrong. It's more and more common, and it's a real threat to free speech. I think the government should ban it.
• A data center refusing to host Kiwifarms.
• An ISP refusing to provide internet to the data center that hosts Kiwifarms.
• A power company refusing to provide electricity to the data center that hosts Kiwifarms.
• An ISP refusing to provide internet to the homes of Kiwifarms members.
• A power company refusing to provide electricity to the homes of Kiwifarms members.
• A water utility company refusing to provide running water to the homes of Kiwifarms members.
• A doctor refusing to treat Kiwifarms members.
I don't think I know the answer myself right now.
If I am a Jewish Doctor and a card-carrying Nazi came in, I should have the right to say "he can sit over there and I will not treat you". And if that causes him to die, that is his fault not mine.
If I am a Jewish contractor for a power company and I enter the home of a card-carrying Nazi, I should have the right to say "I will leave now, and you can sit in the dark until you find someone willing to do the work."
If I all the ISP administrators threaten to leave the IPS leaving them without workers because they are also serving Nazi websites, they should have the right to cut off that internet and tell them to find an ISP with Nazi workers to keep things running. And the same can be true for their homes.
Point here is: If you are a danger to society, society is not obligated to work with you as-is. You can certainly make your argument, but society isn't obligated to accept it.
People think just because they exist, they are owed. They are not owed. They are part of a collective, and if the collective deems they are a harm to itself, the collective will absolutely have the right to refuse to work with them. Think about the converse, would any of these Nazis help out Jews out of obligation to some sort of freedom doctrine? Hell no. They operate in the mentality "right for me, wrong for thee!"
So point is, there is no slippery slope. If you ask should the police arrest Nazis? Probably not, not unless they are breaking freedom of speech limitations. But since the _state_ is not blocking their speech, doesn't mean private citizens have to listen to it.
Not exactly. I don't think medical ethics work that way in matters of life and death. For example:
Israeli medics told to treat terrorists the same as victims
"New rules from Israeli Medical Association require that the wounded be aided in order of severity of injury, even if that means helping assailants before victims"
Would you be okay with dying if a doctor refused to treat you based on this post on HN?
Suppose a doctor has strong convictions about free speech, detests cancel culture and is willing to let you die to make a point?
Supporting the economy of illegal DDOS-for-Hire by protecting them from attacks from rivals lowers the cost to launch the attacks. That forces many webmasters to use large DDOS migration providers for which Cloudflare is the only one affordable to them.
Cloudflare is stopping many from avoiding using them by allowing booter websites and if it wants to play gatekeeper, the website should face legal action as it non-neutral platforms (rather than carriers) are subject to S.230 and allowing illegal website under that would mean losing safe harbor and Cloudflare being sized and its top people thrown in prison.
I'm personally more on the side that these are utilities, because really, one cannot get by without an internet connection. I mean, why don't we get the electricity company to turn off electricity if a customer is a pornographer or something that they don't like.
As long as a person is paying their bills, a utility has to serve them.
That's how I see it.
Despite the online fervor over this, payment processors are clearly within their legal rights to shut down payment processing for abuse - even if it is only suspected.
The problem is that you say "used Visa" like it's an inanimate object without its own agency and responsibilities. It's not and as a company it's both capable and has the responsibility of choosing whether or not to be in business with meth dealers.
This comes up a lot and makes me think I’ve misunderstood US free speech dynamics. I thought the USA traditionally limited the government’s ability to regulate free speech, leaving it to private / social regulation. In other words, it was up to individuals, communities, companies and so on to decide what was acceptable.
But perhaps that’s a misunderstanding. Can anyone recommend books or papers to better understand the history of free speech in the USA? I guess The Federalist Papers are often a good place to start?
In this context, the First Amendment is irrelevant - it doesn’t apply here; it says nothing about the actions of private companies. Instead, people are discussing the principle of freedom of speech, and in particular the extent to which private companies should be able to limit speech.
This is incoherent with the idea it's not a government matter. If it's not a government matter, then there's nothing to talk about - Cloudflare can do whatever they like because the law does not bind them otherwise.
Freedom of speech is rightly often characterized as a core American principle; it's emphasized in civic education, and most of the country will, if anything, overstate what is actually allowed by it. Generally though, I think it does follow the common interpretation; people can say what they want is the default, and courts have carved out specific exceptions over the centuries (libel, public endangerment, etc). Looking at the history of these laws, all the examples I know of started off to be assumed legal, and in specific cases those scenarios were deemed sufficiently bad to now be illegal.
In recent years, we've seen increasing amounts of misinformation that are hard to track down thanks to social media, and so there is now increasing debate about how to combat this. I think there are two parts to this question:
- Does (or how much of) this misinformation constitute a necessary legal response? Put another way, in the context of social media, which depending on platform and settings might not even be fully public, what defines whether something is serious enough of libel or a danger to the public to require legal action against its perpetrators? Explicitly calling for a lynch mob against someone probably breaches current laws, but claiming that Trump should have won the 2020 election probably doesn't (even if the person saying it knows its false; lying isn't normally a crime!).
- In an online world, how do we enforce these laws? Social media is often anonymous. Should public profiles be required to have verified contact information? How can we track and police international actors? Does liking a criminal post count as a crime? What about a retweet to millions of followers? Given these challenges, there is a push to have platforms take a role in this enforcement, whether through account verification, removal of potentially criminal speech, or other methods.
Both these questions are unsettled. The common person probably isn't thinking too much about the first question, and the courts will mostly hash it out over time. The second one is what gets more public debate.
Personally, I'd say the American enthusiasm for free speech, and wariness of business regulation more generally, make it unlikely to take significant action there, particularly since the big platforms themselves are clearly putting a lot of time into trying to address these things. If Europe creates a legal framework around platform responsibility, the US might follow, but otherwise will probably let the platforms keep working at it. That's just my guess though!
I love being able to be anonymous or pseudo-anonymous on the internet. At the same time, the ability of people to persuade others of dangerous, destructive lies on social networks is terrible for society. It's not just the us of course, there have been multiple other countries where people were persuaded to attack the 'other' minority group or religion or whatever because they were secretly attacking them.
I'm in the us and social media has destroyed the ability to have some basic agreement on what has happened in the world (such as the issues of the election in 2020). But it's not just social media. It's certain conservative news outlets that push these lies, persuasively!
And I don't know what to do about these problems. I honestly don't see how we as humans will develop a better ability to study what happens and get to a basic understanding of reality - even in the face of conflicting information. My own dad was an EE and a cfo of a billion dollar a year company and now he's fallen into the sway of a certain american network's lies and racial animus. Maybe he was always sympathetic to these views.
It's unfortunate that these two concepts are often lumped together in online discussions, because they are obviously very different, and many people who would agree with the First Amendment and the classical notion of "free speech" as a restriction on the government could have diverse opinions on the regulation of platforms and how they display content.
The government did not let it for private sector to regulate when it explicitly guaranteed the right in the constitution...
> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
This is explicitly about what sorts of laws Congress may not pass, and not about the conduct of private citizens or institutions.
The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
That approach is fairly easy to work around. Just make sure your site is in a country whose police cannot issue requests that Cloudflare is obligated to follow. For added protection pick a country that your victims are not in, ideally one that does not have good relations with the US or the countries of your victims so there is little law enforcement cooperation between them.
> A private company should not be making decisions on essentially freedom of speech
I'd much rather see private companies doing it than see just government doing it.
Consider a site that is not bad enough to be illegal under current law but bad enough that a solid majority of people think it should be stopped.
If it is only government that deals with these things eventually the law will be expanded to cover that site. We'll end up with an ever expanding boundary on what is illegal. A boundary that will probably be very hard to ever shrink. The law is unlikely to handle subtleties well and will catch sites that aren't actually bad but might appear to be so.
If private companies are also looking at what sites they facilitate are doing and dropping those that they think have gone too far it adds fuzziness that allows the system as a whole (private companies plus government) to deal with the bad sites in a way that isn't as blunt and permanent as making the sites illegal.
Government works best as the last level in a multilayered approach to problems.
On the other hand, a private company has limited obligation to uphold what is essentially a government concern ... Unless we start redefining a lot of things related to private obligation.
More importantly, this seems to have no good outcomes for us, the viewers. I also don't want Twitter mobs and DDoS-ers to have a say in what I can and can't read.
This is honestly what I find the most disturbing about the entire story.
This "keffals" person -- an individual! -- managed to organise enough attention to make all of this happen. From what I understand the argument is based on a threat towards this person, but considering the (public) information they were gathering on them (From what I recall it was stuff like flirting with underaged people, selling HRT drugs via Discord, old sexist tweets, etc.) I don't see why it was not in their interest to pseudo-anonymously have these threats posted themselves. Of course it could just be that some user was stupid enough to post these threats themselves, but I believe the fact remains that "keffals" had more to gain from threats against themselves, since most of what was being posted was perhaps vulgar and certainly impolite, but practically harmless -- more embarrassing for those being "investigated". Just some people with too much time on their hands.
The site is probably going to be resurrected some way, soon enough. I believe hearing that they were considering an onion site. When this happens, I'd be interested to see the post histories of those issuing threats. But of course, since this is a private entity, they have no obligation to look at any evidence that would run contrary to the accusations. Of course this is their right, when considered in isolation, but CloudFlare has become a disproportionately significant player that thinking of them as just another company is rather difficult. In the end this all speaks for the fact that the internet was never intended to work on the scale it does. It is almost a miracle that it appears to do so most of the time ^^.
It was this mild but cloudflare took it down?
Police is executive, not legislative, they cant willy-nilly decide such things.
EDIT: shout out to all the techno libertarian hacker news bros downvoting my critique of techno libertarianism
No, it means Cloudflare was helping keep his website up, in a neutral manner.
In other words, exactly what Cloudflare have stated their policy is.
Now if Cloudflare allowed him to run DDoS code on its Workers, then yes, that's Cloudflare helping him.
Very false equivalence.
I think it's more subtle than that. It was keeping his website up to make a profit. It benefits Cloudflare to have powerful, well run bot networks out there ready take out any site which do not have Cloudflare's protection.
Yeah, it's a neutral manner on one level, but at a higher level it's bit more nuanced.
Would it be impossible to run DDoS as a service for profit without Cloudflare? People were doing fine at just that before Cloudflare ever existed.
Quite frankly, yes. Before CloudFlare won the race to the bottom, you'd have to front thousands of dollars per month for bulletproof DDoS shielded hosting to get started.
There is a finite amount of DDoS-for-hire business that used to keep itself in check because they were constantly throwing attacks at each other raising everyone's "cost of goods sold" so to speak. By protecting these providers shops and ignoring abuse complaints CloudFlare helps more of them stay in business increasing the frequency and size of attacks needing to be mitigated.
I do not believe CloudFlare really thought this out. I believe it was a happy accident.
Before Cloudflare there was decent DDoS protected hosting available for low hundreds of dollars per month, you didn’t have to pay prolexic.
It's just dumb.
To extend the analogy, the mall also refuses to tell the other store owners who owns the shop so they can take legal action. (Cloudflare quite famously will just forward your complaints about hosting illegal services to the service themselves)
Even if you genuinely believe that, how are you confident enough that people generally share your interpretation of what constitutes help to call the statement in question "false"?
What's next, is the landscaper helping run the DDoS network because they cut the grass outside so people can access the building better?
If it is the case that Cloudflare provided services to this website with full knowledge that it was a DDoS-for-hire service, which seems likely, this would significantly increase their culpability. This may also apply to the server host, if the server host directly worked with them.
I find it difficult to believe that the ISP, electric company, or government knew of the actions that this DDoS service was taking, and how their own actions benefitted them, since these entities are so far removed from the DDoS service. But if they did have knowledge of what was happening, of course they would be culpable to some extent.
I also disagree with the implication that we have to make a black-and-white judgment of "they helped" or "they didn't help". Depending on the extent of involvement, a third-party can have varying levels of culpability in the DDoS service's actions.
That is not how I read it at all; I didn't read a strong conclusion in the article one way or the other, but if anything I would say it's "if you kicked off KiwiFarms, then why not all the DDoS services?"
But most of all, I think it's a nice example on how "being neutral" is actually quite tricky around the edges.
Is that the takeaway people have from this article? My reading wasn't that the author is advocating that Kiwi Farms should have been left up. They're asking for DDoS sites to be added to the ban list.
The "hypocrisy" that they keep bringing up is Cloudflare's claim that inaction in these instances is a neutral stance, and that in actuality Cloudflare is an active participant in helping these sites stay online.
This kind of pedantic reasoning could be applied to any forum: the forum software doesn't do any active harm to anyone. It "only" serves to coordinate the bad actors.
Just like the DDoS site does. So, how is it different?
Look at crime.to. They still send bomb threats , exchange stolen credit card data , harass people to the point where they lose their houses  (SWATing, breaking in into their house and much more included), and probably more on a daily basis.
Still protected by cloudflare. Pretty hypocritical if you ask me.
 just browse the forum
Kiwifarms just comes to mind for me because someone I know kill themselves and the site took a serious role in that. I'm sure I'd be disgusted, and advocate for the takedown of, many sites.
I've learned enough during stupid internet fights I have had on reddit to never continue a conversation with an avid gamer, no matter the subject. Stories like this one you linked to on merkur.de (read via Google Translate, but I think they got it right) confirm to me that that was the correct call.
1. Lots of really nice people. I just spent an hour playing a game with a man in Brazil and we used Google translate to chat and teach each other our respective languages while we played.
2. It's actually really easy to get angry. Like, I'm an adult and even I have to be like "hey it's a game chill" to myself - I've never blown up at anyone but... holy shit, it's kind of insane how bad some people are lol. And it's frustrating. Like go to the objective, the game is literally blaring that you should go there, why are you going elsewhere????? over and over again.
With regards to gaming it's just a sort of "worst case" for human collaboration. It's fast paced, high pressure, and communication is both the most important part and also by far the hardest. It is absolutely no surprise to me, whatsoever, that anyone who plays a lot of video games might get angry easily.
Also, as someone who grew up very "on the internet", there's a lot of bitter and angry people out there. They're kind of relatable in a way. Like the whole "I want to fucking die" meme is sort of a meme but also sort of real and relatable, but when you smash that into your brain every day it stops being a meme, and I think that's the case with most irony poisoned internet discussions.
It's more like all of the world enjoy games, including these sociopaths.
You are chasing a red herring.
At some point you have to blame the community itself, that example OP linked to is not an isolated incident, unfortunately.
Later edit: This  is a very sick and not ok community, a very sick one. Harassing a person in his own village, in his own house, on the streets of his own physical community, it's not ok. I didn't know who that Drachenlord person was until seeing OP's link, I'm left wondering how come all of that is legally possible, how come those persons that physically harass him are not in prison by now.
Online harassment would presumably be cathartic for some of those people. People lash out for a reason and this is just lashing out at scale.
Also, Drachenlord is being harassed from essentially every german speaking website that doesn't have good moderation policies (hi pr0gramm) or doesn't enforce them (hi twitter); crime.to is not really the flashpoint. He also has a thread on Kiwifarms that's quite active.
But yes, the userbase of cnw and pr0gramm is overlapping. But pr0gramm is at least „only“ allowing bullying. Not the hard stuff such as actual murder, trading narcotics and your grandma’s credit card number + ID. And yes, cnw is way more ruthless than 1337crew ever was.
Anyway, I wanted to point at this because cloudflare said they took KF down because they felt like legal enforcement wasn’t moving fast enough. CNW destroyed lots of lifes too and it isn’t a secret that a few of cnw‘s users are well connected to rocker gangs which pull of murder for hire.
Let's disconnect Twitter from the Internet!
The same people gravely concerned about an infrastructure website being neutral are perfectly fine being on a social media platform that's used for coordinating all kinds of sketchy shit.
"Whataboutism!!!" is the only reply one usually gets when pointing it out.
No outrage here of course, even when the fact is that it is all true.
I keep hearing this allegation but it seems to be supported only by a poorly sourced twitter thread and some articles that dance around the issue. How do we know this, especially the swatting?
And why isn't law enforcement stepping in? The operator is an American afaict. It's not like he's some bond villain living in a cave on the other side of the world.
You'll struggle to find swatting, organized harrassment and non-internet stalking, but you'll see plenty of extremely unpleasant comments. If you were a kiwifarm target... well... see my comment above.
Out of all things, I think the swatting is the most easily believable. Swatting is commonly done to streamers, such that I am not surprised at all that it would be used for targeted harassment.
Because 1) they have limited resources and must prioritise and 2) America law enforcement seems to have a distinct lean towards the transphobic / homophobic / white supremacist / right-wing, etc.
Just because something is not being actively policed does not mean it's not an actual crime (cf motorists running red lights for an easy example.)
Regardless, it's a public forum(?), there should be tons of evidence if they routinely instigate swattings.
I can stand on the main road where I live in London and see 100+ violations an hour with no enforcement.
> So it's not a good example.
Perfect example if you're in London, though.
Meanwhile some neighboring suburban jurisdictions come down harshly on passerbys, even when the stop was unjustified and no crime occured.
As this submission shows, cybercrime is prosecuted in the U.S.
You're missing the qualifier "some" before "cybercrime".
Moderators get the worst backlash everywhere in the world. The only difference is that Cloudflare continues to refuse the fact that they have quite a lot of power over whose traffic they let through. When you, basically, govern 20% of internet traffic you must take the responsibility for it as well.
This article is a nonsensical shout in the air. Cloudflare, like Google, is not looking over every single request that goes through them. They take these actions after enough noise is raised to highlight the issue. The problem is that Cloudflare will become prone to bullying.
What I mean is that if I have a good number of fanatic followers, I can raise noise against a rival platform and get Cloudflare to, at least, scrutinize it and, at worst, deplatform it. Cloudflare will need to set in place some policies to protect themselves from this.
If Cloudflare does this kind of thing enough times, they will unintentionally become a policing force. That's really not a good place to be in for a business.
Cloudflare is a private company responsible for a product that they sell which they can choose not to sell to someone as is any company's rights.
The Fire department is a public sector entity, funded by our taxes, and we don't have any choice in which fire department we choose.
Anyone can come up with a cloudflare competitor for nazi materials, they have all the ability, money, and ability to build out data centers. All they need to do is to find people willing to build/fund it all. And it turns out those leading the charge don't know how to run a good business, and don't want to put money in, and can't find talent willing to work for them.
> Who interprets what qualifies as hate speech?
Exactly the issue. We should not give “activists” a free pass on this one. I wonder now which one(s) of them will commit the crime of actually DDoSing KiwiFarms. We probably will never know.
Vigilante “justice” is problematic because it leaves room for people to harm others without proper evidences of wrong doing. Mind you, I’m no way denying that Kiwifarms are reprehensible, but there are people out there claiming that KF is literally causing people to die, which I’m wondering where is the evidence of that? If someone is suicidal, one of the better ways to help them is to (among other things of course) make them understand that they have power over their circumstances by telling them that they are responsible for their actions. Claiming that some internet bullies can cause you to kill yourself is not helpful, nor is it true.
Isn’t this exactly what the people are KF were doing? Only instead of trying to get a website kicked off the internet, they were trying to get people fired from their jobs, weaponizing the police, trying to drive people to suicide. And not in the service of any sort of justice, but for entertainment. That is sick and it is evil.
They should absolutely be shunned and ostracized for their antisocial behavior. Free speech means that other people have the right to show you the door if you are acting like a jerk.
1. The internet is vast.
2. Figuring out what someone is doing on the internet even if you did somehow have full transparency over the data they send/receive is hard.
3. Any policy of intervention is going to leave behind a stream of poorly prioritised actions that are highly questionable.
4. Just because we see something doesn't mean it is there. It is usual for the first impressions to be wrong. Often even after researching an issue thoroughly.
I don't think there is a free speech issue here, but I do question whether Cloudflare has the motivation or capability to actually execute a policy of policing the internet fairly. All the pressure is going to be to police the internet for specific political goals.
If you can't figure out that one of your clients is doing this bad things, you shouldn't have so many clients
Agreed. It's very annoying that such services like ddos protection have an ever-growing scaling advantage (because the sizes of ddos attacks grow).
> If you can't figure out that one of your clients is doing this bad things, you shouldn't have so many clients
What kinds of entities would you extend this to? I would guess you wouldn't day the same thing about hardware stores (which sell dangerous tools).
Who are they?
Why are Cloudflare listening to this "they" instead of all the alternate "they" who object to alternate sites? There is someone group organised to go after every "bad" site and a lot more besides. How do you even know that they've correctly identified Kiwikarms as a problematic site? Are you a Kiwifarms regular to be so sure about what how it works?
Cloudflare have already banned the Daily Stormer and I can find people who are willing to call ~30% of any country neo-nazis with a straight face, so it isn't clear what they boundary is here. They certainly don't agree with your boundaries for what is "very clear", unless you happen to be posting on behalf of the Cloudflare CEO.
People. Me. Others. I don't have a list.
> Why are Cloudflare listening to this "they" instead of all the alternate "they" who object to alternate sites?
They're presumably listening to both? I don't understand the question.
> There is someone group organised to go after every "bad" site and a lot more besides. How do you even know that they've correctly identified Kiwikarms as a problematic site?
Because there's a long history of documented problems.
> Are you a Kiwifarms regular to be so sure about what how it works?
I don't understand why that would be relevant. Again, long documented history.
> Cloudflare have already banned the Daily Stormer
Right, the Daily Stormer was a self-described site for neo-nazis.
> I can find people who are willing to call ~30% of any country neo-nazis
> They certainly don't agree with your boundaries for what is "very clear", unless you happen to be posting on behalf of the Cloudflare CEO.
The first half of this sentence doesn't go with the second half.
>> I can find people who are willing to call ~30% of any country neo-nazis
I mean, the vibe I'm picking up here is they are the ones who decide, but not them?
Who are these they?
> I don't understand why that would be relevant. Again, long documented history.
There is a long documented history of the US being the Great Satan, or technically Shaytân-e Bozorg, based on a long history of documented problems. I'm not sure how to communicate with "them", but how do we make the call on whether "they" agree or disagree with that epithet? Pretty open and shut case I suppose, the US has done some pretty evil things as a group. Do "they" have a preference for booting the US or Iran off the internet, or are they sanguine about this and only worried about micro-scale harassment rather than macro-scale problems?
Things are done that are substantially worse than what Cloudflare has just acted on. And I suspect "they" will agree on a lot of it. And be wrong on a lot of it, because "they" are famously unreliable sources of information. Why aren't they going to act on all that stuff? It would be irresponsible to ignore it.
I don't think your stance is fundamentally workable, and suspect it hasn't made a serious attempt at engaging with the sheer diversity of human experience and perspective out there. Particularly when it comes to in-groups redefining words to shut people in other in-groups.
But your argument has a gaping hole in it - you haven't identified what that systemic manner is. You initially started with a "well its obvious to all of us" point. That is a poor foundation, because you literally can't identify who "us" is. And you don't have a counter to numerous groups - also part of this "us" of humans who make decisions - who simply don't agree with you on basic things. Which is likely to include whether Kiwifarms is an acceptable site.
The little handwave where you appeal to what we all know may seem minor to you, but that is literally the failing point for the entire strategy of benign censorship. You've missed something important here to the point where your argument is basically collapsing - the world is a lot more diverse than your frame and argument are able to deal with.
You also haven't articulated how you know so much about Kiwifarms and what actually happens on the site. I suspect you've read a few articles by people you feel are credible, or noted a mob forming and decided that mobs don't form without a good reason. If either of those is the case, let me assure you that we disagree about how easy it is to get to the truth - because that is not enough evidence for me to feel confident Cloudflare will get an 80% hit rate with their strategy. Mobs and journalists are both really bad at getting things right.
Now I do think it is acceptable for Cloudflare to occasionally boot good actors off the internet for no reason, but the point stands - they are wading in to water where they will make regular mistakes, and those mistakes will start to take on a political tinge as the radicals amongst us notice that they can get away with a few "mistakes" and silence people they find intolerable. Plus if they're going to start booting people they're going to have to justify themselves a lot more - there are worse than Kiwifarms out there.
My argument is exactly the opposite. That there are lots of grey areas that can not be categorized, but Kiwifarms is not one of thsoe grey areas, as Cloudflare discovered when they started getting dox'd by KF. There's no need for a system here, KF is very squarely a horrible site.
The rest of your post with regards to my argument is obviously moot since it is the opposite.
I am very familiar with KF and have been for quite a few years. I actually haven't kept up (much) on KF in recent years, but I saw that people were pushing for its removal and I was very glad to see it.
As for other sites being "way worse", there are a few... but not that many, actually. Most of the really bad sites are relegated to onion and are much harder to access. Those are really more of a problem for the FBI at that level of shit. I'd advocate for them to be taken down too, of course, if they were worse and also using CF or other services.
A bit of an odd take - it's like the fire department putting out the fire at the known arsonist-for-hire's house, and the police chief happens to run the fire department while doing nothing about the suspiciously wealthy arsonist.
The difference is that Cloudflare isn't an actual public service and has no obligation to DDOS protect anyone.
Now AWS does not realize this as they are large and have lots of operations.
However, one day a journalist asks Amazon directly about this website, and there is an official press release by Amazon made about it.
AWS has had this illegal activity brought to their attention, as well as the fact that they are facilitating this activity. They openly acknowledge the site existing.
Legally this is very different from not knowing about what is going on! Not only does Amazon in this hypothetical know, they have admitted publicly that they know!
So… now to Cloudflare. Did Cloudflare, experts in this domain, not know about these DDOS vendors? And did not realize they were offering protection to those? Maybe not! But maybe. And knowing makes things a lot worse for them. Especially if Cloudflare connected the dots internally about the usage for illegal activity. But! CF simply might not have known, or had a complete picture. Or anything in between.
Your aws story is completely irrelevant since AWS doesn't sell counterfeit luxury handbag insurance. Would you argue amazon webstore doesn't know about fake products in their marketplace?
I don't agree with the author because it is still early (and the author might be putting Cloudflare under pressure for some personal gain in some rhetoric), but these questions are interesting and is part of the cancel culture we are seeing more of.
By allowing the attackers to use their services, while deciding other websites are not allowed to. Cloudflare is removing others freedom of speech.
In the eyes of the law, the intent of the person is often (not always) extremely relevant.
I expect if they said "I want to rent a car to use as a getaway vehicle for a bank robbery" whilst standing next to a TV showing a picture of them committing a bank robbery, yes, the rental company would have some culpability.
See if you could come up with a simple regular expression to deny services to these well known DDoS providers that are actively using Cloudflare:
CryptoStresser.com Instant-Stresser.com FreeStresser.so StresserAI.com Booter.sx Flystress.net Bootyou.net
You're strangely trying to tie this to someone simply living in a high-crime neighborhood. It's racist to deny a qualified person because the neighborhood is "high-crime" because often neighborhoods are high-crime because they're also over policed (which increases crime stats). In your analogy, the person isn't a known criminal, and isn't more likely to commit crime simply by living in an area that has a higher crime rate.
I note this one more time: almost no posts talking in favor of banning stuff here specify any objective limiting principle of where it should stop. It's like an exercise of deliberately creating a slippery slope.
This is like complaining, "if Apple removes hate speech from its app store, then next people will ask it to remove malware."
It would be nice if these attacks were blocked before they even get to a transit provider, but cheap server / VPN providers seem unmotivated to try to solve the problem (since they barely lose any money when they facilitate the DDOS, and/or the attacking devices are rogue IoT devices and booting them would mean booting legitimate customers who don't know the first thing about auditing their network for compromised devices).
Problem is, this is not what Big Tech actually wants.
But this would put Cloudflare out of business so...
It's not as broad and sophisticated as Cloudflare may be, but at least it's not one big centralized entity all the time, it's only activated as needed and run by a co-op, basically.
I remember maidsafe was working on this for many years without much success. Then they got into crypto for micropayments a decade later and it all got a bit messy. Not sure how the project is doing these days but it was a solid concept at heart.
> legitimate customers who don't know the first thing about auditing their network for compromised devices
An IoT device not suddenly working is a good signal to endusers that it is compromised and being used illegally.
And then hit them with massive bills if they have a device that gets hacked?
Seems unreasonable given the current state of security.
While turbulent for a brief moment it would be a strong market incentive for those who pump out insecure devices to change their ways.
> And then hit them with massive bills if they have a device that gets hacked?
A ddos botnoet uses very little bandwidth in total for the individual, but yes someone should pay and there's certainly far worse things that can happen if they weren't made aware of a compromised device.
At some point global society has to decide whether we just employ more body scrapers to clean up the mess or stop letting people drive as drunk as they want on the roads. Cloudflare is the former.
Given the overall quality of cheap electronics, if I had a camera on the fritz, even knowing what I do, the last thing I’d suspect is that it’s been compromised.
Cloudflare is like a fire department that still fights fires in the homes of known pyromaniacs. Whether or not they set the fires themselves is irrelevant to the job of the fire department, if someone needs to stop them it’s the police.
If the police never does anything about the firestarters for hire, it’s a bit hard to see how that would be the fire departments fault (and certaily not something they should solve by not fighting fires any more).
I do not understand this at all. If I run a business, and I see that unambiguously bad actors namely abusers, criminals, stalkers, harassers or whatever use my services to facilitate their actions I have a very clear ethical obligation to step in. I don't go "well the law isn't here, it's not my problem". Making money of unsavory individuals, metaphorically selling both shields and guns at the same time is unethical. Dodging that responsibility is moral cowardice.
The law isn't in every place, it's slow as hell and dysfunctional anyhow in some jurisdictions in particular but that's no excuse for inaction when it is within ones power to prevent harm. It should be that simple.
But that comes with the additional benefit of hiding the origin. This resembles a post-forwarder service or a bank that knows the customer's real identity, but provides a way for them to conduct business without exposing it. Is there a good-faith argument that this service is a public utility and should be provided even if the customer is using it for criminal activity?
If someone used FedEx to run a fake pharmacy and deliver fake medication to people while staying out of reach for law enforcement and regulators by using a FedEx-provided return address, would you say that FedEx should enforce their T&C and shut that customer down?
From their policy:
Cloudflare has long held the view that non-US governments should have to follow the same due process requirements to obtain any records about our customers. A number of US laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without US legal process. While there may be situations in which it might be appropriate to provide basic subscriber information in response to non-US legal process that complies with principles of due process, we generally believe that the best way forward at this time is for governments outside the United States to issue requests to us through a US court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request.
Note that this particular SWATing wasn't in the US, it was in Canada -- so it's not necessarily even a uniquely American problem.
How do you counter this weapon? Obviously you have to break the kill chain, but which part?
1. A target is geolocated; this is impossible to prevent if the target shares this information about themself freely.
2. The attacker makes a phone-call to emergency services, likely but not necessarily using a method they believe will anonymize them. Is it technologically feasible to close anonymity holes in the phone system? Should 911 calls from anonymous numbers be null-routed?
3. The attacker needs to persuade the emergency operator that an armed police response is necessary. This is theoretically possible in any country that believes armed police responses are sometimes needed, even those in which police normally patrol without weapons.
4. The armed police response will probably fail to kill the target. This seems to be the weakest part of the kill chain, where most murder-by-swatting attempts fail. Training police for this scenario could reduce the risk even more, but the possibility of an accident will always be non-zero if you have armed police responding to what might be some sort of murder in progress.
I think SWATings would probably continue to happen even if you completely resolved that third or fourth stages, eliminating the possibility of an accident completely. The anonymous troll probably still gets his rocks off at waking up the victim in the middle of the night by unarmed conflict resolution social workers banging on his door looking to resolve the [probable] misunderstanding. Breaking the kill chain at the second stage seems more promising for this reason, but I am not sure eliminating anonymous 911 calls is practical or ethical.
Energy companies are publicly traded companies as well, I don't see what difference this fact makes in the analogy and the argument.
Policing is the police's job, not that of infrastructure and utility companies, precicely because that would bring a lot of hairy questions that the author raises as well.
But you would expect them to turn off somebody's power if they were, e.g., using that power for a marijuana farm or torturing kittens with electrical shocks and standing outside their house shouting "I'M USING THIS ELECTRICITY FOR CRIMINAL MEANS, YOU KNOW".
A corporation deciding to cut off my power without due process because they think there may be a marijuana farm – which may or may not be true – does not sound like something that's desirable.
Either way, I don't think analogies like this are very helpful, because the situations are too different, and the analogy doesn't really help clarify anything IMO.
“This is not our stance, but we do it anyway for all the reasons we just said are bullshit.”
I have a ton of respect for Prince but this spineless double standards stuff is BS.
PS: I have no idea what the deal is with Kiwifarms and frankly I don’t care. If it’s really that bad then we need to have a judge order an injunction.
Honestly anything supporting the “there was an emergency and deplatforming kiwifarms just avoided it” claim would help.
They weren’t forced to do anything.
Does CF have to be an executive force in keeping the law of the US regarding non-US customers, or should the laws of the country the customer is in count instead, ...
You see the issue. The solution is that CF should remain as neutral as they can without breaking the law in their country themselves.
At Cloudflare's scale, providing service to one additional site costs exactly $0. It's actually beneficial because it spreads their fixed costs (hardware, staff) over more customers. Great (for Cloudflare and the site).
But that only works if they don't have to do any marginal work for each site. Actually investigating each new website, going through potentially each page on the website, making a judgement call on if there is sufficient moderation to allow it or they shouldn't - it could take several hours or days of a skilled worker for each website. Just putting an example out there - how long would it take you to evaluate if reddit.com adheres to all the terms in Cloudflare's TOS? There's a different standard for user generated content, but it gets a pass if there's a good faith attempt to moderate the site. This stuff is actually hard.
If they actually had to process every complaint, regardless of where it came from, the economics of their business might not make sense. And of course, they open themselves up to false positives. They might ban a forum that looks dodgy but ends up being a leukaemia support group, which spawns yet another #dropCloudflare. And lastly, if they're going to listen to outrage from Twitter, they don't have a leg to stand on if they receive lawful requests from sovereign governments in Turkey, Saudi Arabia etc.
They hoped to sidestep all of these issues - money, false positives and state sponsored takedown requests by saying "we don't take down anyone for any reason". Well, it didn't work out.
This community, by which I mean HN, likes to have its cake and eat it too. Perhaps they're not all the same people, but HN also gets upset that VISA polices what businesses are deserving of accepting credit card payments.
Regardless of which side you fall on, consistent and clear messaging is important. In that way, Cloudflare deserves some respect for attempting this, when every other corporation, be it VISA, or the FAANGs, simply do whatever is expedient to avoid negative attention, be it PR-wise, stock market wise, or regulatory wise.
1. A company can arbitrarily do whatever it wants within the confines of the law. Additionally a company's chief executive and/or leadership team can do whatever it wants so long is it is not in breach of their bylaws and/or they have the support of the board.
2. A company which is publicly traded is beholden to public perception if it affects current and future shareholders views on share price and health of the company. If shareholders believe being associated with potentially illegal activity means Cloudflare could be open to lawsuits, then leadership kicks off that activity. Leadership can't give an honest answer on this because it would admit they were worried about being complicit in illegal activity. This is why you see the response of 'we don't believe this is our responsibility, we're just a neutral entity' PR spin.
To return to OP's post, Cloudflare directly benefits by letting DDoS-for-hire operators use their service. They've been informed of this, this post is one of many on the topic. If you go a few comments back in my comment history you'll note I mentioned Cloudflare also pulled down sex worker sites in the fallout from SESTA being enacted. Why didn't they make the same argument then? Unlike SESTA at the time the caselaw on CFAA supports that DDoS-for-hire is illegal activity, going back a little over 10 years with plenty of prosecutions. The US prosecutor handbook on it was updated around 2010 to add it https://www.justice.gov/criminal/file/442156/download, the last time I remember anyone trying to claim it was legitimate protest was back in 2013 when some Anonymous indictments were handed out. Cloudflare also responds to DMCA takedowns even though they don't host the content, why would they do that if there's no liability?
Lets break it down a little more then: If my business is damaged because my website gets DDoS'd by a protected service Cloudflare knows will make me require the purchase of a service like theirs, why wouldn't I name them as a conspirator in a legal complaint?
Publicly traded? No, but fire depts in the US were commercial entities paid for by insurance companies. Arguably just as bad.
You had to be a paying member if you wanted them to put out the fire burning your house down.
Well documented that fire depts would stand idly by and do nothing for the neighbours.
But yeah, that's what you get with Cloudflare's shitty analogy.
Cloudflare's position is that they are neutral and will provide their services to anyone and everyone. They do not make those value judgements deciding who deserves their services or not.
The fact that they thus provide their service to booters isn't a flaw in Cloudflare's argument, in fact it's consistent with their position.
The author is implying that Cloudflare should independantly make that value judgement against a booter, rescind their services from the booter, thus allowing other booters to take that booter down? That's ridiculous. All the booters should be dealt with by some legal authority.
EDIT: So according to some comments cloudflare sometimes does decide independantly to rescind their services from some users? That would make them inconsistent in that case. The authors argument, that the solution to booting is more booting, still doesnt make sense tho imo. It's like the solution to too many guns is more guns.
"Our decision today was that the risk created by the content could not be dealt with in a timely enough matter by the traditional rule of law systems."
Booter services have been using CloudFlare for the better part of a decade, sure individual services come and go but the trend is persistent. So for booter services a decade is enough time for the rule of law to make the decision but another type of controversial platform follows it's own arbitrary timeline, and I would argue that is setting the most dangerous precedent of all, especially when the 'risk' created by a particular type of content doesn't outweigh any potential financial incentives.
It's an odd definition of neutrality that allows one to take decisive values positions.
We seem capable of recognizing certain actions and behaviors as universally abhorrent. Nobody can say “Cloudflare is neutral… Unless you are CSAM”, or “Cloudflare is neutral… Unless you are a live video feed of a mass murder event”, and call it an odd definition of neutrality.
There are a lot of sick individuals out there, an unfortunate number of people unable to discern trolling from legitimate discourse, people who may be convinced to commit abhorrent acts or think that they found like minded supporters of their abhorrent behavior. It is not neutral to actively defend and support the ability of a platform to take advantage of those people and or to allow the promotion of such abhorrent behaviors.
It seems like Cloudflare finds themselves walking a tightrope across a bottomless chasm. Any misstep will have dire consequences for the future of Cloudflare and the precedence it sets for the internet as a whole. It seems at this point they have taken a path of extreme caution and attempted to weigh that against collective voice of reason.
More properly, they want to b political in some way without people being able to criticise them for it. "Neutrality"
Cloudflare is still hosting other sites that let you search for people's public information. The line to me seems to be whenever a mob of people starts complaining loudly that a site should be removed. Misinformation is used by the mob to make sites look as bad as possible to try and get them removed. Since these are small sites there are not many people who know it's false. The public check wikipedia and see a biased article that reaffirms the narrative.
In my eyes, as long as they dont break any laws themselves, they are okay.
It seems rational for any partisan to think this way, no? People standing on opposite sides of the battlefield, shooting at each other with the same sort of weapons, both believing in the goodness of their cause.
You don’t see AWS or Microsoft having the same frequency of these sorts of reports. What am I missing?
AWS or Azure doing the same wouldn't make news because they would immediately drop a site like Kiwi Farms, and anything like it, after the first report or two. If you're routinely kicking people out, people don't scrutinize you when you do it. To bastardize Stalin's quote: three deplatformings is a tragedy, thousands is a statistic.
Still, I don’t understand why Cloudflare goes out of its way to be a white knight when its peers have far less mercy. What’s in it for them? Companies at this scale remove the “don’t be evil” slogans they adopted when they were smaller.
- Makes a website available through their IP addresses
- Resolves a site's DNS
- Stores the content of the website on their servers, to serve to clients. The fact that there's an expiration on that content is of no consequence.
The fact that the final source-of-truth lies offsite makes no difference.
If I rent a regular, run of the mill server and have it proxy all requests to a different server, does that suddenly make the first host bulletproof to any and all scrutiny?
Cloudflare likes to pretend they are a neutral entity, impartial, just like regular Internet Providers but they are decidedly not. They are being paid by their customers to store and serve their content from their servers and to perform traffic filtering.
If CloudFlare provided a way to find out the host of a website they run, and gave said host a way to find out what servers specifically are hosting it, they'd have a much better argument, because they'd make it easy for anyone to use the legal system to go after offenders.
I don't know how easy it is for US citizens or law enforcement to get that information from CF, but from what I've heard, it's very, very hard to do so from Europe, and will basically only be used for major crimes, but not for a common "scam a granny" operation. CF is essentially providing cover for these.
Surely they respond to subpoenas and warrants.
For all intents and purposes, that means they don't for anyone outside the US, except for very high profile cases. For everything else, they're providing a legal shield.
So, to continue the analogy, we are reading the post by (ex-)arsonist?
Using their own analogy, the real fire departments actively prevent fires by enforcing safety policies, not merely fighting existing ones. If fire department is paid only for the fires extinguished, they are strongly disincentivised to enforce safety policies.
The issue is not Cloudflare — it’s just the sad reality of the Internet in 2022.
Imagine a criminal pumps a full tank of gas into his vehicle and then uses that vehicle to commit crimes. Nobody goes out and blames the gas station or holds them accountable.
The owner of the vehicle should and would be held accountable in real life. And in any case related to the Internet or Cloudflare, the owner of the website should be held accountable.
If the gas station operator knows the criminal's identity and hides it, I'm pretty sure everyone would go after the gas station.
DDOS-protection is one of Cloudflare's services. The other one is hiding where you host your stuff, so people cannot contact your host to have them shut down the illegal operation.
Cloudflare isn't a protection racket, but doesn't have completely clean hands, either.
I strongly agree with the points made. What Cloudflare is doing is terrible. They should remove this protection and publish an apology to the victims before a court decides to think the same.
New conspiracy theory: all these drama about absolutely irrelevant websites like 8chan and kiwifarms are to distract from the fact that cloudflare has killed anonymity on the internet. Since 2011 or so, browsing any website behind cloudflare over Tor or pretty much shared IP address got you essentially blocked. You would have to fill out a captcha to even see the front page, and not just any captcha, but the worst one which almost never works when on a shared connection: recaptcha. THEN you had to open up the cdn.myshitwebsite.com and repeat the same bullshit, and then you can see images, css, scripts, whatever on the site. ONLY in 2018 they fixed this (it was always possible to bypass it by changing your user agent to a specific string and such things, but almost nobody knew about this), and then broke it again, I'm not sure what the current state is. Then around 2020, a bunch of cloudflare imitators popped up, which includes having the pointless captcha at the front of pages. Cloudflare literally killed Tor, it was solely their fault.
1. "But oh no, a jihad thing was posted on it", same with facebook but 1000x worse
Point being, it's there in the lead.
Let's also leave 'the law' to determining whether Rasbora should be paying fines. As well functioning, or otherwise, 'the law' is...