IPTV Piracy: Cloudflare Says Thousands of Legal Sites Blocked Multiple Times

Home > Anti-Piracy >

In submissions to the European Commission, rightsholders insist that intermediaries must kill pirate IPTV streams within minutes and proactive internet blocking should be ramped up across Europe. In its submission to the EC, Cloudflare reveals that a voluntary site-blocking program in a member state saw an ISP block thousands of entirely legal sites, on several separate occasions.

iptvLast month the European Commission (EC) issued a call for evidence to support an incoming “toolbox” of measures to combat live sports piracy.

The announcement followed a huge campaign by rightsholders last October. Organizations and companies, including the MPA, UEFA, Premier League, beIN, LaLiga, Serie A, Sky, and BT Sport, called on the EC to introduce new law that would compel intermediaries to take pirate streams offline within minutes of a complaint.

After denying the request, the EC offered an opportunity for rightsholders and other stakeholders to file submissions detailing their problems along with possible solutions actionable under existing law.

Most major stakeholders filed submissions close to the deadline late Friday. The majority were filed by sports leagues and organizations, broadcasters, and/or affiliated anti-piracy groups. Cloudflare, CCIA Europe, and an Austrian ISP coalition represented the internet/comms/tech sector.

The Voices of Football

Despite being framed as a process to protect all live sports, it’s clear that the primary focus is to prevent European and UK football matches from appearing on pirate IPTV and similar web-based services. It therefore makes sense to focus on the demands of entities such as the Premier League, affiliated broadcasters, and the anti-piracy groups tasked with protecting their rights.

The Audiovisual Anti-Piracy Alliance (AAPA) represents football leagues and their broadcasters all over Europe. AAPA members played a key role in the campaign last October, and their current position remains completely unchanged.

“As signatories to the Call To Action to End Live Piracy Now, we would like to restate that an EU legislative instrument still remains the most efficient and effective way to tackle piracy of live content within and across Member States,” AAPA begins.

In the knowledge that’s not going to happen anytime soon, AAPA notes that since the purpose of the exercise is to “prevent” online piracy, the main focus should be on the immediate removal of infringing content via the notice and takedown mechanism.

What is a ‘Timely’ Takedown?

“The issue we have always had to face is the delayed response, if any, from online intermediaries that have been notified. The recently adopted Digital Services Act (DSA) makes no meaningful change to the concept of ‘expeditious’ removal currently enshrined in EU law,” the AAPA writes.

“The latter is open to interpretation from online intermediaries which, in many cases, means they will simply either not respond to notices or do so hours or days after the end of the live event. Many of them will exploit all ambiguities in the law to avoid acting at all – never mind expeditiously – which is why concrete measures need to be taken.”

To empower rightsholders in the face of slow or even total non-compliance, the AAPA says that clarification of takedown terms would allow it to build on the concept of “timely” removals introduced in the DSA. Since accurately identifying infringing content is reportedly straightforward, non-compliant intermediaries should be held responsible for any infringement.


“As live content is almost always watermarked and/or fingerprinted there is no question about identifying the stolen content which means the removal should be immediate and, in any case, well before the event terminates. In case online intermediaries do not remove access to the content in a timely manner, they should be held responsible for the harm caused to rights holders.”

If fingerprints are so easily detected and subscriber/device-level fingerprinting is available from multiple security vendors, that raises the question of why cutting off sources of infringing content isn’t a better option than battling to have streams taken down by uncooperative third parties. Perhaps we’ll hear more on this in due course.

EU-Wide Implementation of Proactive ISP Blocking

In several EU member states and the UK, rightsholders already obtain court injunctions that require ISPs to block pirate sites when they try to evade blocking. These ‘dynamic’ injunctions are useful but ‘live’ injunctions are favored by rightsholders tackling IPTV services since they offer even more flexibility.

In broad terms, some European courts authorize live injunctions with particular aims in mind, protecting football matches or PPV boxing events, for example. To thwart the efforts of pirate services seeking to evade specified domain or specified IP-address-based blocking, rightsholders are given the power to identify in advance any online locations that are likely to be used for piracy in the near future.


These are relayed to Internet service providers and rendered inaccessible, sometimes before events even begin. As such, live blocking injunctions are popular with rightsholders, but they’re not available in every member state. AAPA says this imbalance should be addressed by harmonizing this type of enforcement across the EU.

“The Commission should seek to create a level playing field and therefore replicate across the EU a powerful but carefully used approach to live blocking orders, bearing in mind that such actions shall not exclude rights holders who cannot act on the legal ground of copyright,” the anti-piracy group notes.

Cloudflare: Tackle Infringement at the Source

Cloudflare’s submission begins with an overview of the company’s approach to copyright infringement and examples of how it cooperates with rightsholders seeking to protect their content from piracy.

Cloudflare then moves on to the Digital Services Act (a common theme in many submissions) and the mechanisms it offers for dealing with illegal content, in ways that are proportionate to the harm, while offering transparency, due process, and remedy for incorrect actions.

“We believe those same standards must apply to any actions in the Commission’s toolkit for combating online piracy of live content,” Cloudflare informs the EC.

“The DSA assesses that the best way to address content challenges is at the source. Under the model outlined in the DSA, this is done by alerting hosting providers and owners of websites, who have the ability to remove content at a granular level, and who have an obligation to remove or disable access to it expeditiously under article 6.

“Article 9 of the DSA also poses clear conditions on orders to act against illegal content, which includes, amongst others a well-defined legal basis, the identity of the issuing authority and available redress mechanisms. From this, it follows that notice and take down orders should be targeted at the host of the live streamed content.”

Zero Transparency and Inevitable Blunders

Targeting infringing content at the source is not how rightsholder-favored dynamic/live injunctions work, quite the opposite in fact.

Instead of targeting sources of infringing content, blocking injunctions work on a regional level by ordering local ISPs to prevent internet users from accessing illegal streams, will leaving the streams intact. Rightsholders say that uncooperative hosting companies leave them with no other choice, and in fairness, that’s often the case when dealing with hosts of pirate services.

The problem – which is only getting worse as blocking injunctions develop – is the total lack of transparency which in turn fosters an environment of unaccountability. On one hand, rightsholders insist that if pirates obtain information relating to blocking, blocking becomes easier to counter. Since judges make decisions on the basis that their instructions will be carried out, all parties agree to render the blocking process completely opaque.

On the other hand, a complete lack of outside scrutiny means that when mistakes are made, and innocent third parties suffer due to erroneous or abusive blocking, no one is held to account. Certainly, no company, group or organization offers a public apology or compensation for those affected.

This isn’t a flaw in the system either – dynamic/live blocking and administrative website blocking programs are secretive by design, with the latter often operated under voluntary agreements. According to Cloudflare, blocking by IP address – which is favored against IPTV services – “often has serious unintended, unavoidable, and largely unreported consequences.”

Thousands of Legal Websites Have Been Blocked

As previously reported, ISPs in Austria were compelled to block Cloudflare itself in 2022, even though they knew that was wrong.

Thanks to a Supreme Court ruling, input from ISPs was no longer deemed necessary – all they had to do was blindly follow instructions and the letter of the law. It appears that Cloudflare has seen much, much worse.

“In another Member State, an ISP with a voluntary arrangement to block allegedly infringing content has, on multiple occasions, blocked thousands of unrelated websites using our services for its users,” Cloudflare’s submission reveals.


“Without any court oversight, this overblocking in some cases took days to remedy. Even though the Commission has focused on critical infrastructure reporting on outages in the NIS Directive, efforts to block for reasons of copyright infringement do not result in reporting on its unintended consequences, which look like outages for external parties.

“This lack of public awareness means we see few incentives for rightsholders or the ISPs involved to assume accountability for the overblocking, publicly describe what had happened, or represent that they would take steps to prevent overblocking in the future.”

In summary, stakeholders in the football sector believe that the Digital Services Act may offer opportunities to take infringing content down more quickly, while an expansion of ISP blocking across the EU may help to block content that doesn’t get taken down.

Cloudflare also supports the DSA’s takedown provisions but expects promised levels of transparency too. Infringing content should only be taken down at source though; not only because some deputies are a little bit trigger happy but because blocking does nothing to remove the source of the problem.

Image credits: Pixabay (1,2)


Popular Posts
From 2 Years ago…