Earlier this month, several copyright holder groups sent their annual “Notorious Markets” recommendations to the U.S. Trade Representative (USTR).
The submissions are meant to call out well-known piracy sites, apps, and services, but Cloudflare was frequently mentioned as well.
Cloudflare in the ‘Piracy’ Spotlight
The American web security and infrastructure provider can’t be officially listed in the final report since it’s not a foreign company. However, rightsholders have seized the opportunity to point out that the CDN service helps pirate sites with their infringing activities.
The Motion Picture Association (MPA), for example, pointed out that Cloudflare can mask the IP address and hosting provider of a website. This allows operators of copyright-infringing sites, including The Pirate Bay, to frustrate enforcement efforts.
“Cloudflare’s customers include some of the most notorious, longstanding pirate websites in the world, including The Pirate Bay, whose current domain, thepiratebay.org, has been identified as infringing rights holders’ copyrights nearly six million separate times,” the MPA wrote.
“Nonetheless, The Pirate Bay, and other notorious pirate sites, remain Cloudflare customers despite repeated notices of infringement to Cloudflare.”
Cloudflare: ‘We Share Information’
According to Cloudflare, these types of characterizations don’t tell the full story. In a rebuttal sent to the USTR this week the company hopes to set the record straight. Cloudflare doesn’t deny that it ‘shields’ IP addresses, but notes that there are plenty of options for rightsholders to obtain information.
For example, through a basic DMCA subpoena, which can be signed off by a court clerk, rightsholders can request information including IP addresses, payment details, and other account details. Last year alone, the company received 67 DMCA subpoenas which targeted hundreds of domains.
There are also more direct options. When copyright holders submit a copyright infringement complaint through Cloudflare’s web form, the company will share the name of the hosting company that’s used by the targeted site.
This option shouldn’t come as a surprise to the MPA, RIAA, and other groups that complained to the USTR, as they all use the abuse form. Apparently, this helped them to identify the hosting companies of the accused pirate sites.
“In fact, all of the rights holders who referenced Cloudflare in their complaints also referenced the hosting providers for websites that use Cloudflare’s services, demonstrating Cloudflare’s cooperation in providing them access to the information they need to pursue a takedown,” Cloudflare writes.
IP Addresses are Restricted
Without a subpoena, the CDN provider hands over details on the hosting company of allegedly infringing sites. However, the host’s IP address isn’t generally shared as this type of sensitive information has been abused by malicious actors in the past.
“Although we appreciate the importance of addressing copyright infringement, we do not believe that opening a website up to cyberattack is either an appropriate or legally acceptable way to address infringement,” the company explains, adding that a select group of ‘trusted’ notifiers can get this information.
“Cloudflare does provide origin host IP addresses through its Trusted Reporter program to those entities that have proven a genuine need for the information and have adequately demonstrated the willingness and ability to secure the information and protect it from being used for cyberattack.”
In addition, the CDN provider is also working with a small number of rightsholder groups to find ways to use automated processes so information on allegedly infringing sites can be shared even quicker.
Losing Trust in Trusted Reporters?
The trusted notifiers include the RIAA, MPA, and the Swiss Watch Industry, which all called out Cloudflare in their recent notorious markets submissions. Reading between the lines, the CDN provider is not happy with all of them, as some decided to share sensitive data in public.
“Unfortunately, however, some rightsholders who have been granted access to sensitive IP information through our Trusted Reporter process have demonstrated through public Notorious Markets submissions that they do not believe they have an obligation to secure that information.
“This flagrant disregard for the sensitivity of the information they have been given and the commitments they made when signing up for the program does not help build trust or long-term cooperative relationships,” Cloudflare warns.
The CDN provider doesn’t mention any names but the MPA and RIAA shared information on the hosting companies of alleged pirate sites hosted by Cloudflare. That said, we didn’t see any IP addresses being shared by these groups.
Tension and Accusations Remain
It is worth pointing out that the RIAA already anticipated Cloudflare’s rebuttal. The music industry group confirmed that it can obtain the IP addresses of pirate sites. However, since Cloudflare informs its customers if this happens, these can quickly move to new hosting providers before RIAA can do anything.
“Since there is no real-time access to the site’s location, any IP address provided by Cloudflare one day may be inaccurate the next,” RIAA wrote.
All in all, it’s clear that there is quite a bit of tension between Cloudflare and some rightsholder groups. This is also illustrated in one of the closing comments from the CDN provider, which urges rightsholders to keep their eye on the real target.
“We believe it is time for rightsholders to shift their comments away from policy advocacy to focus instead on the physical and online markets that are the intended subject of the Notorious Markets report,” the company concludes.
A copy of Cloudflare’s rebuttal, submitted to the Office of the United States Trade Representative, is available here (pdf)