I run an anonymous political blog in the UK calling out misinformation. I use Cloudflare. A former Councillor in the UK has taken issue with a factual story written about him. He has somehow managed to get a Subpoena against Cloudflare, they have not challenged it, and they intend to hand over my details. This will cause me and my family to be put in danger, as many people do not like being called out on the site. Cloudflare have already given my sites origin IP without any notification, causing this individual to harass my host. I am struggling to get representation and I have asked many media groups. I know @eastdakota is the CEO of Cloudflare and I am appealing to him for help. Please don't throw me to the wolves. I would be grateful if anyone could get this message to him.
Hello. I was in practically the same situation: I hosted a political site via cloudflare that some people took exception to. In my case they took the example of clearly satirical cartoons (that were uploaded by users - not my own content)and claimed they promoted violence. Cloudflare immediately terminated my account without warning and refused to refund me for the remainder of the month. The harasser then went on to contact my host and after a campaign of reporting every cartoon over the course of several months the host decided it wasn't worth the headache anymore and dropped me also. This experience really soured me on the lack of defense of free speech in the US. I'm afraid I have nothing to offer but my sympathies. If you're reading this and hosting political content on Cloudflare please act accordingly.
Free speech (as in the first amendment) allows you to say most things, it does not however compel others to broadcast or host your speech. So there is no free speech argument for a service provider to be required to host your website or protect it with a reverse proxy.
You can speak, but nobody is required to give you a megaphone and nobody is required to listen.
I was with you until the last paragraph. How do SLAPP laws intimidate people into silence? Their purpose is to combat the use of legal means to silence speech, so it seems the opposite is true.
Further, if SLAPP laws did burden speech, then that would be a first amendment issue since they are enacted by states which are bound by it.
Cloudflare is very happy to lend their megaphone and DDoS protection to people hosting nonconsensual pornography boards on the other hand. Along with a multitude of other sites that exist solely to traffic in human misery and exploitation. Even when you follow their processes to the letter to report them nothing comes of it.
No, but you wouldn't expect them to just hand over a users data just because some individual doesn't like the opinion someone has of them. There are consequences for free speech I totally understand that. Unfortunately the consequences for me are not going to be good.
That's a violation of privacy problem, quite different from free speech. With all the vacuuming of user data, our data is leaking around all the time for all sorts of reasons, including just being sold. No subpoena required.
Why do people make the default assumption that "free speech" only refers to a specific American legal principle? Free speech existed long before the Constitution and yet whenever someone says, "My right to free speech is being violated," unless the culprit is directly the US government, someone always responds, "Actually, that's not literally illegal, so it's fine."
This kind of confusion was so common online (where people often complain about uneven and capricious applications of TOS) that I never failed to find it. It makes two mistakes: confusing 1A with free speech and an appeal to the law.
Just because companies are legally allowed to remove content (e.g. the owner of Twitter removing content critical of Tesla) does not mean there are no free speech issues. That would be like saying there are no free speech issues in China as long as you follow the law.
Further, just because the law says a thing doesn’t mean I have to agree with it. Laws have legal authority not moral authority, so even if a company is legally allowed to do something doesn’t end the conversation.
Yeah I really regret using Cloudflare. It was in the back of my mind that they could 'throw me under the bus' to use a British colloquialism.
I'm amazed that this can happen so easily in the US. I realise the US courts probably don't care about UK citizens, but free speech is free speech. I realise that's not without consequence, there's been nothing untrue said about this individual to warrant this action.
How are US courts relevant in a case concerning a UK citizen being challenged by another UK citizen in the UK?
From what I understand anyone in the UK can make claims, file cases, etc…, against anyone else.
Edit: They may take action in another jurisdiction where they posesss some advantage, but it would have to be taken up in UK courts to actually mete out formal punishment.
Cloudflare is the middleman to my site. The individual got a court to issue a subpoena to Cloudflare, a US based company to find out the identity of the operators of the site.
At least in the UK a lawyer would tell him whether he had a case or not. At least I'd be dealing with the UK court system where I have some chance of understanding it. I also have legal insurance. I do not genuinely believe it would get to court. Cloudflare just handing over details is just chilling. They could have just asked me to take the content down.
Using Cloudflare for anything risky seems short-sighted, but rather than just complaining about that, here is a proposed solution: https://njal.la/ (not affiliated, just a grateful user)
100% focused on privacy, relatively cheap, available over Tor, established by Peter Sunde (of ThePirateBay/IPredator/Piratbyrån fame) and finally in 2020 RIAA and MPA both complained about Njalla which gives a bit more confidence Njalla haven't completely sold out yet.
I don't think I'd even go for a mainstream US service like AWS, Google or Cloudflare if I what I want to host is even slightly controversial-but-not-illegal or where I prefer the hosting provider not to know who I am.
(worth noting though, Njalla is still a company who has to follow the applicable laws, so unsure how much it would have helped in OPs case)
I used Njalla for my domain. I was going to move off Cloudflare but I shouldn't have used it from the start. I never imagined they would just roll over to a court order given they don't host the content.
You should assume that 100% of global companies will roll over for a court order in their jurisdiction. It would be foolish to think otherwise because if they don't, eventually a bunch of guys with guns will come in and take what they want.
There's no such thing as a subpoena in the UK, just equivalents. I guess you translated it for an international audience, but can you clarify exactly what Cloudflare received? From what court? What did it require them to disclose?
Cloudflare do not guarantee protection against your identity being discovered when the law is involved, they are not a service for anonymity against the law. You will need to make peace with your identity being revealed. Although too late now, there are other options for publishing online with anonymity.
The subpoena has been issued against Cloudflare in the US in a California court. I have a copy of the subpoena that states they must hand over information that identifies the person behind the site.
I did not expect a subpoena to be issued in the first place, without any test to see if the person has a valid claim.
If you're unable to find a lawyer, contact the court directly to seek advice on responding: you should be able to file a response yourself.
That said, keep in mind, if the person chasing you is willing to hire a lawyer to file in California, they're probably not going to stop pursuing you. They'll file again and again for different reasons in different jurisdictions. Cloudflare have your identity and will give it up every time they are asked to by a court, it doesn't take much for an enterprising adversary to get access to it.
Taking your statement of factualness at face value, this councillor is behaving shamelessly and inappropriately, in a manner that would not be politically advantegous if discovered more broadly.
While it may not solve your immediate problem of wishing to remain anonymous, it may be worthwhile writing of this to Private Eye. (https://www.private-eye.co.uk/). If they shine a light on you, shining it back may be your best bet.
As someone who runs a political blog in the UK, you are almost certainly aware of the magazine's existence. However for others, the magazine features a consistent section of the shameful acts one finds across local councils across the UK. While the readership is niche and the content is almost exclusively in print, not online, it has an outsized impact in media and political circles.
Blog about this and provide more detail and background. Links to content, screenshots of the subpoena. Looks like your post has been flagged here. I'd go into more detail if you want visibility on this.
Remember, Cloudflare is a for-profit corporation that is listed on the stock market and are held accountable to local laws. While over the years they've done an excellent job of positioning themselves as fighting the good fight, they're not an activist organization and they are solely accountable to their shareholders.
If you sign up for a paid Cloudflare account, you're essentially submitting to what is called KYC (know your customer) in the banking industry by handing over payment information which personally identifies you. This opens you up to this kind of thing.
Cloudflare does not provide a level of anonymity. Instead it creates one more way to identify you.
As an aside, what is happening in the UK regarding free speech is worth keeping an eye on, no matter where you lean politically and how you feel about the players. It is going to shape the future of the global internet. It's also creating sharp divisions between the incoming conservative US administration and the left leaning UK labor government over there, and it will be interesting to see what the "special relationship" looks like coming out of the next four years.
Unfortunately every attorney I've contacted so far is not in a position to help. I've asked Cloudflare to hold providing the information until I get representation. Unfortunately as a free customer who only pays for the wordpress optimisations, I am too much of a small fry for Cloudflare to worry about. This is why I am trying to appeal to the CEO here. I have no resources to quash the subpoena. It seems a wealthy individual is going to get their way and cause me harm and stifle free speech.
> It seems a wealthy individual is going to get their way and cause me harm and stifle free speech
This may sound like a slight from an American, but I truly don't mean it that way. This is an honest expression/question.
My (probably poor) understanding is that there is not general free speech in the UK, that the free speech guarantees only apply to members of parliament (and/or maybe other government reps?), and not to individual citizens. At least, constitutionally. Am I wrong about that? Are there legal protections for "free speech" for average citizens in the UK?
Technically you are right. We do have free speech but not quite like the USA. I have been advised by police here that if a statement is true or the opinions are genuine beliefs of the person making them, then you are not breaking the law. As a civil matter, this has not even been challenged in the US by the court to see if they had a case.
The US court doesn't really examine the complaint prior to issuing a subpoena, the plantiff has a dispute with you and wants to contact you but can't. So they've gone to court to ask how to contact you.
Cloudflare could move to quash the subpoena, but unless your contract says they must, that's at their discression, and unless your contract says you'll pay for it, something they would have to pay for.
If you had representation, you could move to quash the subpoena, too. And then it would be challenged.
I understand about the contact thing. They have had contact with me directly and via my host and Cloudflare. They have asked for information about the account from the time their story was published up until now. So it's not just about that. They can contact me, they just aren't getting the response they want.
I really do not understand why. Cloudflare only gave me a week to intervene and get counsel. I have asked them to delay. Everyone I've contacted law firm wise say they're not in a position to help. I've also contacted the EFF and they've provided recommendations to me who have turned out not to be able to help for various reasons. There's been a few on holiday, some say they've not got enough time, or too much work on.
Thanks I will contact them. I've lost count of how many organisations I've contacted. This lies with Cloudflare really to bat it back and say this isn't right.
Presumably for the same reason that publicly feminist lawyers are not in a position to defend accused rapists regardless of the strength of the accusation.
Your best option is to transfer all ownership of the web page out of your control to someone you trust in a territory that has better 1st amendment protections, such as the USA. I'd be happy to help with that. My email is in my profile.
It makes me sad to see the current speech protections eroding so quickly in the UK. Anything I can do to help.
For four months, I was stuck in a nightmare with traderup.com, unable to access my funds due to a PIN issue. Despite numerous attempts to resolve the problem by contacting their customer support, I was repeatedly promised a solution within 24 hours, but nothing came through. I checked my inbox and spam folders, but I never received any follow-up emails. I even tried reaching out through their Telegram channel, but that led to no progress either. It became clear that traderup.com was doing everything it could to prevent me from accessing my money, Feeling completely helpless and desperate, I searched online for a solution and found Blockchain Cyber Retrieve. Although I was initially skeptical, their professional and attentive team quickly put my mind at ease. They acted swiftly and, within a week, I had my funds back. Blockchain Cyber Retrieve truly saved me when no one else could. I highly recommend their services to anyone facing similar issues.
CONTACT THEM ON:
WhatsApp:+1520 564 8300
Email: blockchaincyberretrieve@post.com
Is Cloudflare here acting in an inappropriate manner?
If the poster had instead been hosted by any regular
host in the US, Dreamhost, AWS, Squarespace?
Would they most likely do the same?
Is Cloudflare in this instance acting a midle layer between
the actual hosting entity and the Internet?
Or is Cloudflare the hosting company as well?
I do know that Cloudflare have at times done more for some of
their users I would not expet them to fight a court order
evertime they recieve one.
No, Cloudflare is not acting inappropriately at all.
This is standard industry practice, not just in the U.S., but also in Europe and the UK.
Hosting providers, telcos, social media platforms, and other similar entities generally comply with court orders or subpoenas directed at their customers.
It’s uncommon for these companies to challenge such orders unless there’s a very compelling legal reason to do so - i.e. some crazy demand.
I know there are several companies offering
anonymous hosting and most of those I would not
trust to do even regular hoosting.
Running an anonymous website is difficult.
Running an anonymous website is difficult,
where users are allowed to upload content
that is posted on the site is even more difficult.
Do you do anything to monetize the site?
That would be impossible, I think.
I would think a static site
(just local html , imagesand as litle
javascript as possible wuold be good.
Then finding a hosting enentity of some form
outside of US / EU juristrition.
Paying in cash without ever meeting.
(Cash is harder to trace than bitcoin)
(Depending on handover).
and ensure that the hosting provider flushes
all logs every 5 mins or so.
Stragenluy I htink part of the package would
be to flush teh site in a second if it became
needed
I looked at monetising. It wasn't what I wanted to do. The cause was more important to me. It entered a phase where as someone below said, it became a 'gossip rag'. But then it grew up and started being a trusted source in the town it serves. I never imagined I would have to go to the lengths criminals do just to keep me safe from my opinions.
> I never imagined I would have to go to the lengths criminals do just to keep me safe from my opinions.
Friendly reminder. Treat criminals the same way you want to be treated, because the line separating a good citizen from a criminal is very fuzzy at times.
Keep in mind that your registant details of your .com domain might also be disclosed.
Your domain is at Tucows:
>Tucows Privacy Policy prohibits the release of registrant information without express permission from the registrant except under limited circumstances such as when necessary to comply with ICANN’s Whois publication requirements or when required to comply with law or legal process properly served on Tucows or one of its affiliates.
Perhaps this is an unhelpful question, but do you have a link to this blog? Ideally to the story about the former councillor? Getting a sense of what exactly is going on here might help, and I don't think that linking it to this new HN account will impact your privacy.
Thanks for replying. I wasn't sure what I was able to do and did not wish to spam. This is the article. It did not actually name him, but when he started to harass the site, and try to have it taken down, I started to document this in further stories. Unfortunately he is unrelenting. Apologies if the language in the title offends anyone. The site has matured since then and has over 10k unique visitors per month.
I see, as for the language I recognize it as a familiar "bawdy and comic" style I've read in other publications in the UK. Cloudflare really seems to have done you dirty here, as you say you didn't name him in the article, which would seem to make a claim of defamation pretty hard to prove.
If you can't get Cloudflare to stand behind you, or a lawyer willing to take your case, a last-ditch attempt might be to reach out to the person who made the claim you published; if they have evidence then you'd be in a much stronger position, since truth is an absolute defense against defamation in the UK.
I wish you luck, I think you're being treated very unfairly here.
In the future, consider hosting with the following:
* Flokinet (long standing host standing for freespeech, very seriously presented)
* Njalla (created by PirateBay founder, will actually troll any copyright trolls, but seems reliable)
* Cockbox (a silly but also likely reliable option)
Also it seems that you'd have been fine using Cloudflare without giving them any identifying details - when I signed up way long ago, they didn't ask for anything...
I can't say much about your legal situation and wish you no misfortune whatsoever but this is a gossip rag. You could and should have done more research to substantiate such a wild claim before publishing it. Surely there is ample documented evidence of this behavior.
It was a clear as day allegation made by someone for everyone to see. There was no more research to do.
In fairness it was not what the blog was set up to do and have since reverted to cause. I was going to take the articles down but after being harassed felt less inclined.
I reported on what I saw. It is not the sites finest hour and not what I set it up to do. There were also other people emailing in saying it happened to them. Unfortunately they had no evidence. The evidence was someone saying he did that on a public Facebook post that anyone could access.
I'll be blunt. I believe in the UK (as in NZ) a statement of truth or opinion is not defamatory. One would still have to go through the motions though, to prove it.
Reading the blog post I am left with the feeling you are on thin ice. You don't qualify it as an opinion and it doesn't sound you have evidence to support the claims. Screenshots may not suffice. You would need witnesses and statements or documents to prove it.
You will need these if the person unmasks your address and brings a case to court.
> Screenshots may not suffice. You would need witnesses and statements or documents to prove it.
Speaking from my own experience,
Fortunately in UK civil courts are less aggressive than the US courts on laying foundation for evidence. If evidence is challenged you'll have to fight out the merits of the challenge, to be decided on a more likely than not basis. But it isn't like the US where it's so easy for evidence to be precluded on procedural grounds.
OTOH, UK disclosure is way less powerful than US discovery and subponea power. The plus side for the OP is that for the same reason their opponent should have less power to damage them by fishing for private information. Unfortunately, it seems like OP's opponent has managed to buy their way into the best (for them) of all worlds by using US representation to subpoena cloudflare's records. In the UK it's unusual and extremely difficult to force third party disclosure, which means that if OP needs records from someone else to prove their case they may be screwed.
Someone I know who was in a similar position went through a similar effort to you only to find out once they were represented that cloudflare had handed over they and their readers data in advance of the deadline.
Exactly. They're treating their customers with contempt by not at least pushing back. It almost seems like this is all automated and they don't care unless you're an enterprise customer.
In the US subpoena are extremely overpowered, unfortunately. Often the respondent has little to no legal standing to resist the subpoena and they're issued without meaningful supervision of a competent court.
Most providers won't even tell you when your data has been subject to a subpoena.
I heard quite a few folks run political dissident content from non-western countries. I wonder if they are in danger too, given how easy Cloudflare share info without any notification.
This is very concerning, specially due to the size and omnipresence of Cloudflare. What are the alternatives here? How can we guarantee freedom of press to journalists on the internet?
I guess a lot of it comes down to what scale of publicity wandaluzt wants to deal with, whether they want to put more fuel on the fire or let it burn out, but I'd say sending a tip to the press who deal with these topics would sting more. The Register for their hosts being leaned on and their responses, Private Eye for the politics.
I understand his family have already seen it and it has caused him to not stand in another election. It was not the intention of the site to harm him. In fact the allegations were possibly going to be used to harm him if we hadn't got hold of it.
Not at all. It was appropriate that allegations were brought to the fore so that they could be investigated by those appropriate. He chose to end his career by not standing. Would you say that about a national newspaper finding a clear allegation about a politician or celebrity and publishing it in the public interest?
Trying to mock someone for the absolutely valid tactic of wanting to be anonymous due to the very real threat of life-ruining retaliation is extremely childish and short-sighted.
Do you want Cloudflare to act as a judge? If they find your calling out misinformation resonable you then want them to act as a legal shield for you?
I do understand and accept the need for privacy when running such a blog. But who should judge whether you got your facts wrong?
Surely it is no fun going to court. But around here I would not be afraid to go myself for a simple case. And I do mean simple: If you are damn sure what the facts are.
But then it might be the thing with judicial lineage: Objective vs subjective truth. French or British style system. In the US I would be scared senseless without representation. Is that inherited from the UK way of thinking?
> But around here I would not be afraid to go myself for a simple case
That's naive. You wouldn't be afraid to suffer 100k in costs up front just to deal with a completely meritless case? ... and if the litigant is aggressive and dishonest enough to survive summary dismissal then in the UK you can easily be immediately on the hook for hundreds of thousands of dollars in their legal costs for your failed attempt to get it summarily dismissed. (As the UK will award costs hearing by hearing)
The courts are an adversarial system where you're at risk of ruin, you have to put forward your best fight even if the case is stupid. If you phone it in, get less than completely competent representation, put in a lackluster defense you're in grave risk of losing.
Our civil courts has replaced the duel as a method of resolving disputes, but in many senses it is still a duel. Less bloody, somewhat more biased towards justice, sure. But when you're standing there pistols at dawn and your opponent draws, standing there complaining that they suck and their duel is dumb will only get you shot. You have to draw and you only get one chance.
The severity of the case is the severity of the credible worst case outcome. And totally losing even an absurd case is, sadly, almost always a credible outcome. Sure, you're more likely to win a stupid and meritless case (presuming you don't flub the defense by not taking it seriously)-- but the consequences should you lose aren't diminished by the case being dumb.
Sorry for your situation. If your origin has been handed over, are you not already cooked (so to speak)? Who's your host? Surely they have your details as well.
I'm not saying this is right, it's just the reality of the situation: your opsec precluded anonymity in the face of the legal system when you tied your personal information to the blog you were publishing.
Like others have said, its time to get legal representation. The first thing they're going to tell you is to under no circumstances post things about your case in social media outlets. Good luck.
My host has been amazing. They're based in Europe and have told the person they have no right to ask for information and they will not give it. The individual has got nowhere in that European country, but the USA where free speech is guaranteed has just let him get his way.
I realise opsec was lax on the Cloudflare side but I never imagined they would do this with no questions asked.
Ah, yeah. Well free speech is guaranteed over here in the states, but so are corporate entities that kowtow to fascist policies.
Cloudflare (or any other company) does not have your best interest in mind, just their bottom line. They will fold to any legal system if there are no regulations against them folding.
Then a whole bunch more that all seemed to find
Hostinger to be THE PLACE for your anonymous privacy
super secure hosting.
Now I know a lot better, but if your average Betty
wanted to get set up to do some whistle blowing
and followed these recommendations she would be
F**d.
Unhelpful for this situation, but NearlyFreeSpeech.Net is a pretty great host and their general policy is to tell people to pound sand for any requests.
Specifically in the face of a subpoena from a US court, they are bound by law to comply. There’s really no way around this. If a company wishes to remain in operation, they cannot flout the laws of the jurisdiction they operate within. That said, their policy is firm that they require legally binding instructions before acting and that they will alert you unless bound by law not to. This is a stronger guarantee than most hosts.
From their privacy policy:
> Unless legally prohibited, we will inform you of any cooperation we provide to any law enforcement authorities.
>Cloudflare requires valid legal process such as a subpoena or a foreign government equivalent of a subpoena before providing this type of information to either foreign or domestic government authorities or civil litigants.
>It is our policy to notify our customers of a subpoena or other legal process requesting their customer or billing information before disclosure of information, whether that legal process comes from the government or private parties involved in civil litigation, unless legally prohibited.
Welcome to why we've always warned people to learn to sustainably self-host. After a while, the deep pocketed will begin to use disintermediation and deplatforming against you.
It's hard. It seems like it shouldn't be necessary, but it is.
reply