Popular Internet infrastructure service Cloudflare serves millions of customers and provides a variety of connectivity and privacy features to the general public.
People can freely use the company’s open DNS resolver 1.1.1.1, for example, or use its IPFS and Ethereum gateways to access content on these decentralized web services.
One of Cloudflare’s main aims is to make the Internet more secure while respecting the privacy of its users. This laudable goal is broadly respected but, in common with other internet services, abuse of Cloudflare’s services can lead to conflicting situations.
The California-based company previously terminated service to controversial sites including the Daily Stormer and Kiwi Farms. These actions were taken voluntarily, with Cloudflare citing an immediate threat to human life as the reason for the Kiwi Farms intervention.
In addition to these rare events, the Internet infrastructure company is also subject to court orders from around the globe. In some cases, these orders require the company to block access to piracy-related domain names.
Cloudflare mentions these blocking orders in its latest transparency report, which covers the second half of 2022. The report doesn’t mention the number of court orders or blocked domains, but it confirms that Cloudflare complies with legitimate legal rulings.
“If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as ‘geo-blocking’,” Cloudflare writes.
DNS blocking orders apply locally and shouldn’t affect people in other countries. However, things got more complicated recently when an Italian court required Cloudflare to restrict access to three torrent sites through its public DNS resolver 1.1.1.1.
Cloudflare fiercely objected to the order but ultimately lost the legal battle. That left the company with no other option than to take action. But, instead of blocking content through its global DNS resolver, it geo-blocked the domains for Italians.
“To the extent that those websites used Cloudflare services, Cloudflare took steps following the issuance of the order to disable access to those websites for users in Italy or from Cloudflare equipment in Italy.
“Cloudflare took action to geoblock all three domains that were addressed by the court’s order and were using our service at the time the orders were issued via Cloudflare’s pass-through CDN and security services,” the company added.
IPFS and Ethereum Restrictions
In its most recent transparency report, Cloudflare further notes that it has implemented access restrictions on its public Ethereum gateway. The company doesn’t store any content on the Ethereum network, nor can it remove any. However, it can block access through its service.
If Cloudflare receives valid abuse reports or copyright infringement complaints, it will take appropriate action. The same applies to the gateway for the decentralized IPFS network.
In its previous transparency report, Cloudflare already mentioned more than 1,000 IPFS actions, a figure that increased slightly in the second half of last year. At the same time, Cloudflare also restricted access to 99 ‘items’ on the Ethereum network.
Since these are ‘gateway’-related restrictions, there’s no impact on the content hosted on IPFS or Ethereum. Instead, they only make it impossible to access content through Cloudflare’s service.
It’s not clear how many of these restrictions are abuse or copyright-related, as not much context is provided. The Ethereum actions are, at least in part, a response to the U.S. Department of Treasury’s sanctions against the cryptocurrency tumbler Tornado Cash.
“Those sanctions raise significant legal questions about the extent to which particular computer software, rather than individuals or entities that use that software, can be subject to sanctions,” Cloudflare writes.
“Nonetheless, to comply with legal requirements, Cloudflare has taken steps to disable access through the Cloudflare-operated Ethereum Gateway to the digital currency addresses identified in the designation.”
DMCA Notices and Subpoenas
There are more obvious copyright responses as well. While Cloudflare generally doesn’t block content in response to DMCA notices for customers that use its CDN services, it does remove infringing content permanently hosted on its servers.
These hosting services have expanded over the years and the same is true for the volume of valid DMCA notices received, up from 18 to 972 in the span of a year, as shown below. That’s still a fairly modest number for a company with millions of customers.
Finally, Cloudflare reports that the number of civil subpoenas, including those issued under the DMCA, has decreased. Rightsholders including the Motion Picture Association (MPA) typically use these requests to obtain identifying information about Cloudflare customers.
In the second half of last year, the company received 20 civil subpoenas which targeted 57 domain names. That’s the lowest number since Cloudflare first disclosed this statistic five years ago, signaling a downward trend.
A copy of Cloudflare’s latest Transparency Report is available here (pdf)