it also seems like it could be easily technically circumvented: put an email address to which you have access on your phishing lists. see if it gets the mail as expected.
I don't understand why it's better to surreptitiously alter records for ToS violators rather than simply close their accounts altogether. Seems like the definition of a slippery slope.
I agree. If they're going to be doing this, why not also use the Cloudflare apps framework to insert a warning overlay on the page content saying that the domain has been reported for phishing.
If that's too slippery slope, then so is the email _DMARC override settings.
And doesn't this kind of behavior open them up to a lot of legal risk? By moderating _DMARC records, they're assuming responsibility for email content going into the future. If inappropriate content is then passed via email, and Cloudflare failed to blackhole it with _DMARC recordsy, then the can't they become liable for that content?
Because evidence has shown when you waste the time of people doing this, they move on. If you instantly ban them, its easy to spot, easy to automate and doesn't really solve the problem.
> Because evidence has shown when you waste the time of people doing this, they move on.
I'm not convinced of this. At best, shadow-banning wastes a little bit of their time and delays slightly their inevitable creation of a new account.
> If you instantly ban them, its easy to spot, easy to automate and doesn't really solve the problem.
Shadowbanning only really works for unsophisticated users. If you know it's a possibility, it's easy to check for (just create another account and check with it). Phisher's are probably going to be fairly sophisticated, since they're working to make a profit, not to only disrupt or push a POV.
Correct this will not stop "sophisticated" users. The whole goal of this system is to cause bad actors to dedicate more resources to using your platform and add a shadow of doubt. Spammers, etc. all want a cheap easy payday, that's the entire point (money for minimal time).
I run a service that spammers and pfishers love. I started by banning these people (and sending them an e-mail letting them know why). They didn't stop, they just grabbed another free e-mail and continued. Now I quietly just delete the data they submit and never ban accounts. I let them submit data, tell them its accepted, then some time later (1-120 seconds) just delete the data. Their account still works, they just can't do much with it. Once the system became unreliable for them, they just moved on to something else.
> Spammers, etc. all want a cheap easy payday, that's the entire point (money for minimal time).
I'm under the impression that spamming isn't as easy as it once was, and a fair amount of effort needs to be devoted to bypassing spam/abuse detection and blocks, which is exactly what a shadowban is.
> Once the system became unreliable for them, they just moved on to something else.
I would imagine that would depend on if there are equivalent services that the spammer could more easily migrate to. It sounds like they didn't move on from spamming, just from your service. Switching to drop in replacement would definitely be easier than writing a shadowban detector.
I'm just disputing that shadowbanning is a more effective solution than straight bans. It's just not that much harder to detect.
This is even worse than "we don't like you so we are no longer selling you our service", which is already problematic :/. Deciding "we know what you are doing with our service, so we are going to keep selling you our service but make it do something different" should probably just be illegal. As it stands, if they really want to do this, I hope they realize it makes them de facto responsible for all email that goes through their service (and if they don't, then they are even bigger idiots than I normally paint them to be, as they literally are involved in a similar case in court right now).
This is equivalent to "I know you are going to use our invitation service to invite people to a meeting of your local gang, so we have made the emails go out with a typo in the location and phone number field", which has the same sort of "wait, are you sure it is a gang? how do you define a gang? is the gang even doing something harmful today?" problem that comes with the term "phishing". While this is much better than them claiming to block "spam" (which I will claim has so nebulous of a definition as to be meaningless), this is still a slightly ambiguous classification of any given communication due to how it interacts with trademark law.
Regardless, now that they have shown that they are interested in modifying the behavior of their platform to stop "using the Cloudflare platform for evil" (a direct quote from their blog post), clearly they now also should be using similar techniques to stop people from sending email about drug paraphernalia, and they should stop people from sending email with hate speech, and they should stop sending email about terrorism. They also should, of course, stop people from sending email about software piracy, or sending email about services designed to undermine copyright like SciHub, or sending email advertising "obscene" pornography.
They have now shown both the ability to do this and an interest in doing this, which is exactly what they recently demonstrated with the Daily Stormer SNAFU, where they showed the ability and interest to block use of their service "for evil"; in that case, the people were "Nazis", which may or may not be more clear cut than "phishers", but the scenario is essentially the same... and they are now having to backpedal their actions in court as this is being used as evidence for why they should be responsible for blocking piracy on their platform. The reality is that once you show an ability and an interest in policing content, what kinds of content you are forced to police will be taken from you and given to the state.
It looks like this is a policy on the FREE DNS, which IMHO, is fair game. Free services needs to be much more heavily scrutinized for potential abuse.
I spent a lot of time dealing with phishing and fraud prevention. By far the biggest source that I had to deal with was free service abuse and near non-response from those service providers abuse teams.
So you are saying that your opinion changes if the user pays some token amount for the service? If they upgraded their plan to whatever the cheapest level is, then this would be no longer be a good thing for Cloudflare to do?
Let us not forget that these emails aren't even being sent by or through Cloudflare: Cloudflare is not an email provider. Their interest in this is simply that they provide DNS. I find the ways that cloudflare thinks about how we should stop Internet abuse--such as their plea that all ISPs turn on packet logging to help find the sources of denial of service attacks--extremely concerning from a surveillance perspective :/.
I'm saying that free services are easily abused because of the lack of up front cost and ease of forging contact info.
You abuse a service, the service is terminated, you got to utilize it for a while and suffered no penalty aside from having to sign up for a new account.
You use a stolen credit card, the service will be terminated and now that stolen credit card can be reported for abuse as well.
A legitimate account that is paying for service and has legitimate contact information can actually make contact and rectify the issue, clear up a misunderstanding or be made aware that their domain is being abused in some way.
I signed up for Sendgrid a few years ago for a company that I worked for and we used it to send the company's first newsletter to 300,000 users in about 14 years. About 70,000 of those bounced and somewhere shortly into delivery process, Sendgrid halted it and called us demanding to know where we got our email list and insisting that we verify user information for multiple addresses that had bounced.
Once we explained the situation and verified everything, they released the halt and that first volley continued creating records for which email addresses we shouldn't be sending to again. Everything was fine from that point forward...but even with a paid account they were actively working at fraud prevention...and as long as there was a legitimate contact on the account it was perfectly reasonable to get resolved.
>Once we explained the situation and verified everything, they released the halt and that first volley continued creating records for which email addresses we shouldn't be sending to again.
I have little confidence in this working in the defense of an ideology that gives the host bad PR or the deplatforming of which would give it good PR, like in the case of The Daily Stormer.
Recent history should make it abundantly clear that private entities feel no obligation to defend noble ideals like freedom of speech, nor should they, being private entities. Paying for their services shouldn't change this meaningfully, especially where even Western governments like Germany's and the UK's are similarly illiberal (in the traditional sense of the word) and pressure those companies to remove "hate speech".
Where did you get your email list? Were those entered by the users themselves, but with typos? It seems like a pretty high percentage to be caused only by that.
I use Cloudflare and life is wonderful. This is a good writeup of a cool strategy and while I understand the fears of my fellow posters - and point out the fear-mongering too - we could just take them at their word and see this as a positive step in the fight against evil.
The Daily Stormer army deserves little sympathy, and using them to invoke a slippery slope argument full of straw men is somewhat sloppy and escalates this discussion to a place where criminal actors are victims and a company trying to do something good is told they're lackeys of a police state.
It's not that simple. When you're a party claiming to be a transparent pass-through then you should be just that. As soon as you start tampering with the signal on some of the connections you lose trust for all of the connections. After all, you shouldn't even have that capability to begin with.
Again: this is not "slippery slope" as Cloudflare is already at the bottom of the slope. I will implore you, as well, to actually pay attention to the facts of the situation--one that includes an active case playing out right now in court--as opposed to trying to knee-jerk your way to a victory by playing Internet argument fallacy cards.
I realize that you are probably very used to people making this argument just assuming the conclusion: I do not in general (and have been going around giving talks about the failure of centralization from the perspective of "let's be very careful to not theorize and only look at concrete situations that have already come to pass") and have not done that here either (instead, I showed why this scenario is the same as the one being played out with the same actor--Cloudflare--for which we already know the conclusion: they are in court, right now, getting beaten up over blocking a site and are furiously backpedaling).
I don't see why the slipery slope argument is to be rejected. If you walk on the edge of a cliff, it's a good thing to realize falling is part of the risk.
> The Daily Stormer army deserves little sympathy, and using them to invoke a slippery slope argument full of straw men is somewhat sloppy and escalates this discussion to a place where criminal actors are victims and a company trying to do something good is told they're lackeys of a police state.
I agree that The Daily Stormer deserves no sympathy, and will note I did not apologize for them (I even chose to call them "Nazis" instead of "neo-Nazis" or "alt-right": let's call a spade a spade, after all).
However, I also did not make a theoretical argument to which you can try to play your dismissive cards of "slippery slope" or "straw man": in fact, I pointed to an ongoing case playing out right now, in court.
> If Cloudflare Can Block Neo-Nazi Sites, Why Can’t They Block Piracy Sites?
> In a recent filing, lawyers for the adult entertainment company demanded a 7-hour deposition. Using Prince’s own words against him, ALS Scan wrote,
> “By his own admissions, Mr. Prince’s decision to terminate certain users’ accounts was ‘arbitrary,’ the result of him waking up ‘in a bad mood,’ and a decision he made unilaterally as ‘CEO of a major Internet infrastructure corporation’.
> “Mr. Prince has made it clear that he is the one who determines the circumstances under which Cloudflare will terminate a user’s account.”
The reality is exactly as I claim it to be, and the stakes are just as high as I argue. If you disagree, I implore you to respond to the evidence, not simply dismiss the argument out of hand.
Clumsy handling by Mr Prince - and certainly suggests that we need more due process everywhere - but an emotive issue that most people could sympathize with.
The company has basically decided that Nazis don't get service but porn-pirates do. It's not very black and white, though. Morally, it's a minefield. "Porn producers pissed-off at pirates not being given the same treatment as Nazis"
I bow to your observations, but I'm not convinced that the stakes are as high as you argue...
Limit free speech to score brownie points? "Good" and "evil" are subjective and mutable, and that's why defending free speech is a good idea -- it's the best process we have to arrive at better definitions of those things.
For example, letting even Nazis have their own site gives everyone rational a glimpse into how "evil" and bankrupt their ideology truly is. Banning them from all platforms, on the other hand, makes them dangerous and mystical, robbing us of data.
>>> Cloudflare's decision today is going to be devastating not only for them, but for the Internet as a whole (as usual :/).
How is this devastating for the internet as a whole?
How does this interact with trademark law?
Why does shadowbanning phishing accounts automatically lead to stopping people from sending emails based on their content?
Flipping this for a second: what's the better alternative? That should cloudflare do nothing to stop people from misusing their services?
I guess the issue is that if nothing is done to prevent and hinder phishers, hackers, and other shitty denizens of the net, their influence and capabilities will only continue to grow... and It's well understood that security is extremely asymmetric in favor of attackers.
> How is this devastating for the internet as a whole?
For the same reasons the EFF was angry at Cloudflare for shutting down a website we all hated: The Daily Stormer; only, I honestly think this is worse, as here they didn't even have the decency to do it in an obvious way, and they are doing it to an ancillary service (DNS) for things being done (sending emails) outside their platform.
"Blocking neo-Nazi site is 'dangerous,' warns digital rights group EFF"
The concept of a "phishing site" is a bit nebulous: it is essentially "I sent you an email claiming to be one party, but I am actually a different party; I will then use this trickery to steal your account credentials or otherwise mess with you"; however, if I put a real service on the other end... is this illegal? What differentiates "this is Amazon, your package has shipped, log in at this website to find out what happened: Amaz0n.com" from "this is Amaz0n, a legitimate and new company providing a new service for your Amaz0n account; log in at this website to find out more: Amaz0n.com".
Is it that the second one registered a company? Is it that the second one stood up a silly fake web service? This aside about trademark law was just to show that "phishing" is not an objective category: that there will be things I consider phishing that you do not, and vice versa; it isn't like you can look at an email, analyze it, and say "nope: this is phishing"; without knowing the full intent and process behind the website, the best you can usually figure out is "this is a trademark violation".
> Why does shadowbanning phishing accounts automatically lead to stopping people from sending emails based on their content?
I don't understand the question, as that was the entire premise of this post by Cloudflare: the DNS records were changed to indirectly block email being sent by causing DMARC to reject the email at the target email server. This was done because of the content of the emails being sent by the people who owned the DNS records: in this case, it was due to them running a phishing operation. (Did you read the article?)
I think there is a problem with so many people using cdn's when often they aren't needed, because they are adding another layer of centralization on top of an already too centralized platform (dns). There are other ways to prevent ddos other than just a cdn, which is the main reason I hear other techs say they use cdns.
Thats not really a comment on the issue at hand, but I can see how potentially questionable moves in such centralized gatekeepers could cause others to worry about precedent being set and followed by others.
> As it stands, if they really want to do this, I hope they realize it makes them de facto responsible for all email that goes through their service (and if they don't, then they are even bigger idiots than I normally paint them to be, as they literally are involved in a similar case in court right now).
This argument is based on a long-outdated understanding of the law. Section 230 of the Communications Decency Act extends immunity even to services exercising editorial control over content.
See Zeran v. AOL:
"Congress' clear objective in passing §230 of the CDA was to encourage the development of technologies, procedures and techniques by which objectionable material could be blocked or deleted."[5] Since distributor liability would have the effect of disincentivizing the filtering of content by third parties, the court found that such laws were in conflict with the "purpose and objectives of congress," and were thus preempted.
There is a difference between "responsibility" in the form "you are now liable for the damages caused by the other party" (which is what you are looking at, I think?) and "people can come to you and demand you take down more content and you will end up in a position where they can force you to do that with injunctions" (which is what I am looking at).
I should verify, though, if your point here is partially that this would be different from ALS Scan v Cloudflare, as the latter involves "infrastructure level caching"? That said, in the case of AOL, the content wasn't just cached: it was being hosted. Is it that one was an awkward case of defamation and this one is more about copyright? But then I would say that Section 230 has severe limitations.
I guess let's look at this from another direction: why do you feel Section 230 is a protection that is relevant here but isn't helping Cloudflare on their other fronts? It would seem to me that the actual issue of concern (that Cloudflare can and likely will be asked to block DNS for domain names that happen to host or advertise things like The Pirate Bay) is not affected by the existence of Section 230.
OP is not saying you should "have a problem with it," in the sense that it requires a new law or justice-driven activism or something like that. He's expressing an opinion that it's not good long term for society.
If it were gay marriage, or drug addiction, or gambling, similarly someone might say "it's their life" while also expressing disdain for the range of effects they believe it will cause.
> … clearly they now also should be using similar techniques to stop people from sending email about drug paraphernalia, and they should stop people from sending email with hate speech, and they should stop sending email about terrorism. They also should, of course, stop people from sending email about software piracy, or sending email about services designed to undermine copyright like SciHub, or sending email advertising "obscene" pornography.
Those things are all forms of content. Phishing is a form of fraud. Cloudflare is preventing criminals from using their infrastructure to do actual crime, as opposed to blocking content that someone might consider criminal in itself.
If a mail client does not support dmarc,or happens to move reject policy emails to junk (as opposed to not delivering at all). And the user loses all their money to a phishing campaign,would cloudflare be held responsible?
I get the intent but in these situations,no solution is better than a half-cooked solution. If I happened to be a victim in my hypothetical scenario above,sure I would get pissed at my (web)mail client,but also at cloudflare for not terminating the phisher's service when they were so sure of the malicious content hosted they went as far as sabotaging dmarc records.
From a more practical point of view,most phishing campaings like to use compromised websites or email accounts to send the email. Now the email itself will typically have a link to some nasty site or an attachment that eventually ends up "dropping" a second stage malware from some other nasty site. So, if these nasty sites sit behind Cloudflare,how does it make sense to not hold Cloudlfare responsible? Historically,their defense was "we are just the network transport provider". But what now? They can sabotage dmarc records but not A records? Their legal team must either be sleeping on the job or so good that an obvious liability like this isn't seen as a business risk.
> If a mail client does not support dmarc,or happens to move reject policy emails to junk (as opposed to not delivering at all). And the user loses all their money to a phishing campaign,would cloudflare be held responsible?
No.
This argument is based on a long-outdated understanding of the law. Section 230 of the Communications Decency Act extends immunity even to services exercising editorial control over content.
See Zeran v. AOL:
[L]awsuits seeking to hold a service liable for its exercise of a publisher's traditional editorial functions – such as deciding whether to publish, withdraw, postpone or alter content – are barred. The purpose of this statutory immunity is not difficult to discern. Congress recognized the threat that tort-based lawsuits pose to freedom of speech in the new and burgeoning Internet medium. [...] Section 230 was enacted, in part, to maintain the robust nature of Internet communication [...] ."
"Congress' clear objective in passing §230 of the CDA was to encourage the development of technologies, procedures and techniques by which objectionable material could be blocked or deleted."[5] Since distributor liability would have the effect of disincentivizing the filtering of content by third parties, the court found that such laws were in conflict with the "purpose and objectives of congress," and were thus preempted
Correct me if I am wrong wouldn't this position Cloudflare as a "Publisher" of the content? Forget about holding it liable for censoring content(email via dmarc p=reject;),but as a publisher is it not liable for the nature of the content it publishes?
I understand that you can't hold Cloudflare liable just because it's customers hosted illegal or damaging content. But isn't a "publisher" liable for content take-down after an abuse notice? If they can't be sued under civil law,can't they be prosecuted under criminal law?
> (b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal.
42 comments
[ 3.2 ms ] story [ 85.1 ms ] threadI understand the positive intent, but it feels wrong to have email content altered by infrastructure layers. A slippery-slope argument may apply.
If that's too slippery slope, then so is the email _DMARC override settings.
And doesn't this kind of behavior open them up to a lot of legal risk? By moderating _DMARC records, they're assuming responsibility for email content going into the future. If inappropriate content is then passed via email, and Cloudflare failed to blackhole it with _DMARC recordsy, then the can't they become liable for that content?
https://en.wikipedia.org/wiki/Stealth_banning
I'm not convinced of this. At best, shadow-banning wastes a little bit of their time and delays slightly their inevitable creation of a new account.
> If you instantly ban them, its easy to spot, easy to automate and doesn't really solve the problem.
Shadowbanning only really works for unsophisticated users. If you know it's a possibility, it's easy to check for (just create another account and check with it). Phisher's are probably going to be fairly sophisticated, since they're working to make a profit, not to only disrupt or push a POV.
I run a service that spammers and pfishers love. I started by banning these people (and sending them an e-mail letting them know why). They didn't stop, they just grabbed another free e-mail and continued. Now I quietly just delete the data they submit and never ban accounts. I let them submit data, tell them its accepted, then some time later (1-120 seconds) just delete the data. Their account still works, they just can't do much with it. Once the system became unreliable for them, they just moved on to something else.
I'm under the impression that spamming isn't as easy as it once was, and a fair amount of effort needs to be devoted to bypassing spam/abuse detection and blocks, which is exactly what a shadowban is.
> Once the system became unreliable for them, they just moved on to something else.
I would imagine that would depend on if there are equivalent services that the spammer could more easily migrate to. It sounds like they didn't move on from spamming, just from your service. Switching to drop in replacement would definitely be easier than writing a shadowban detector.
I'm just disputing that shadowbanning is a more effective solution than straight bans. It's just not that much harder to detect.
This is equivalent to "I know you are going to use our invitation service to invite people to a meeting of your local gang, so we have made the emails go out with a typo in the location and phone number field", which has the same sort of "wait, are you sure it is a gang? how do you define a gang? is the gang even doing something harmful today?" problem that comes with the term "phishing". While this is much better than them claiming to block "spam" (which I will claim has so nebulous of a definition as to be meaningless), this is still a slightly ambiguous classification of any given communication due to how it interacts with trademark law.
Regardless, now that they have shown that they are interested in modifying the behavior of their platform to stop "using the Cloudflare platform for evil" (a direct quote from their blog post), clearly they now also should be using similar techniques to stop people from sending email about drug paraphernalia, and they should stop people from sending email with hate speech, and they should stop sending email about terrorism. They also should, of course, stop people from sending email about software piracy, or sending email about services designed to undermine copyright like SciHub, or sending email advertising "obscene" pornography.
They have now shown both the ability to do this and an interest in doing this, which is exactly what they recently demonstrated with the Daily Stormer SNAFU, where they showed the ability and interest to block use of their service "for evil"; in that case, the people were "Nazis", which may or may not be more clear cut than "phishers", but the scenario is essentially the same... and they are now having to backpedal their actions in court as this is being used as evidence for why they should be responsible for blocking piracy on their platform. The reality is that once you show an ability and an interest in policing content, what kinds of content you are forced to police will be taken from you and given to the state.
https://torrentfreak.com/daily-stormer-termination-haunts-cl...
Cloudflare's decision today is going to be devastating not only for them, but for the Internet as a whole (as usual :/).
I spent a lot of time dealing with phishing and fraud prevention. By far the biggest source that I had to deal with was free service abuse and near non-response from those service providers abuse teams.
Let us not forget that these emails aren't even being sent by or through Cloudflare: Cloudflare is not an email provider. Their interest in this is simply that they provide DNS. I find the ways that cloudflare thinks about how we should stop Internet abuse--such as their plea that all ISPs turn on packet logging to help find the sources of denial of service attacks--extremely concerning from a surveillance perspective :/.
You abuse a service, the service is terminated, you got to utilize it for a while and suffered no penalty aside from having to sign up for a new account.
You use a stolen credit card, the service will be terminated and now that stolen credit card can be reported for abuse as well.
A legitimate account that is paying for service and has legitimate contact information can actually make contact and rectify the issue, clear up a misunderstanding or be made aware that their domain is being abused in some way.
I signed up for Sendgrid a few years ago for a company that I worked for and we used it to send the company's first newsletter to 300,000 users in about 14 years. About 70,000 of those bounced and somewhere shortly into delivery process, Sendgrid halted it and called us demanding to know where we got our email list and insisting that we verify user information for multiple addresses that had bounced.
Once we explained the situation and verified everything, they released the halt and that first volley continued creating records for which email addresses we shouldn't be sending to again. Everything was fine from that point forward...but even with a paid account they were actively working at fraud prevention...and as long as there was a legitimate contact on the account it was perfectly reasonable to get resolved.
I have little confidence in this working in the defense of an ideology that gives the host bad PR or the deplatforming of which would give it good PR, like in the case of The Daily Stormer.
Recent history should make it abundantly clear that private entities feel no obligation to defend noble ideals like freedom of speech, nor should they, being private entities. Paying for their services shouldn't change this meaningfully, especially where even Western governments like Germany's and the UK's are similarly illiberal (in the traditional sense of the word) and pressure those companies to remove "hate speech".
It was a very unique situation, in all honesty.
The Daily Stormer army deserves little sympathy, and using them to invoke a slippery slope argument full of straw men is somewhat sloppy and escalates this discussion to a place where criminal actors are victims and a company trying to do something good is told they're lackeys of a police state.
Geez, cut them some slack.
I realize that you are probably very used to people making this argument just assuming the conclusion: I do not in general (and have been going around giving talks about the failure of centralization from the perspective of "let's be very careful to not theorize and only look at concrete situations that have already come to pass") and have not done that here either (instead, I showed why this scenario is the same as the one being played out with the same actor--Cloudflare--for which we already know the conclusion: they are in court, right now, getting beaten up over blocking a site and are furiously backpedaling).
I agree that The Daily Stormer deserves no sympathy, and will note I did not apologize for them (I even chose to call them "Nazis" instead of "neo-Nazis" or "alt-right": let's call a spade a spade, after all).
However, I also did not make a theoretical argument to which you can try to play your dismissive cards of "slippery slope" or "straw man": in fact, I pointed to an ongoing case playing out right now, in court.
https://www.digitalmusicnews.com/2017/10/11/cloudflare-ceo-n...
> If Cloudflare Can Block Neo-Nazi Sites, Why Can’t They Block Piracy Sites?
> In a recent filing, lawyers for the adult entertainment company demanded a 7-hour deposition. Using Prince’s own words against him, ALS Scan wrote,
> “By his own admissions, Mr. Prince’s decision to terminate certain users’ accounts was ‘arbitrary,’ the result of him waking up ‘in a bad mood,’ and a decision he made unilaterally as ‘CEO of a major Internet infrastructure corporation’.
> “Mr. Prince has made it clear that he is the one who determines the circumstances under which Cloudflare will terminate a user’s account.”
The reality is exactly as I claim it to be, and the stakes are just as high as I argue. If you disagree, I implore you to respond to the evidence, not simply dismiss the argument out of hand.
Clumsy handling by Mr Prince - and certainly suggests that we need more due process everywhere - but an emotive issue that most people could sympathize with.
The company has basically decided that Nazis don't get service but porn-pirates do. It's not very black and white, though. Morally, it's a minefield. "Porn producers pissed-off at pirates not being given the same treatment as Nazis"
I bow to your observations, but I'm not convinced that the stakes are as high as you argue...
Limit free speech to score brownie points? "Good" and "evil" are subjective and mutable, and that's why defending free speech is a good idea -- it's the best process we have to arrive at better definitions of those things.
For example, letting even Nazis have their own site gives everyone rational a glimpse into how "evil" and bankrupt their ideology truly is. Banning them from all platforms, on the other hand, makes them dangerous and mystical, robbing us of data.
How is this devastating for the internet as a whole? How does this interact with trademark law? Why does shadowbanning phishing accounts automatically lead to stopping people from sending emails based on their content?
Flipping this for a second: what's the better alternative? That should cloudflare do nothing to stop people from misusing their services? I guess the issue is that if nothing is done to prevent and hinder phishers, hackers, and other shitty denizens of the net, their influence and capabilities will only continue to grow... and It's well understood that security is extremely asymmetric in favor of attackers.
For the same reasons the EFF was angry at Cloudflare for shutting down a website we all hated: The Daily Stormer; only, I honestly think this is worse, as here they didn't even have the decency to do it in an obvious way, and they are doing it to an ancillary service (DNS) for things being done (sending emails) outside their platform.
"Blocking neo-Nazi site is 'dangerous,' warns digital rights group EFF"
https://www.usatoday.com/story/tech/2017/08/18/blocking-neo-...
> How does this interact with trademark law?
The concept of a "phishing site" is a bit nebulous: it is essentially "I sent you an email claiming to be one party, but I am actually a different party; I will then use this trickery to steal your account credentials or otherwise mess with you"; however, if I put a real service on the other end... is this illegal? What differentiates "this is Amazon, your package has shipped, log in at this website to find out what happened: Amaz0n.com" from "this is Amaz0n, a legitimate and new company providing a new service for your Amaz0n account; log in at this website to find out more: Amaz0n.com".
Is it that the second one registered a company? Is it that the second one stood up a silly fake web service? This aside about trademark law was just to show that "phishing" is not an objective category: that there will be things I consider phishing that you do not, and vice versa; it isn't like you can look at an email, analyze it, and say "nope: this is phishing"; without knowing the full intent and process behind the website, the best you can usually figure out is "this is a trademark violation".
> Why does shadowbanning phishing accounts automatically lead to stopping people from sending emails based on their content?
I don't understand the question, as that was the entire premise of this post by Cloudflare: the DNS records were changed to indirectly block email being sent by causing DMARC to reject the email at the target email server. This was done because of the content of the emails being sent by the people who owned the DNS records: in this case, it was due to them running a phishing operation. (Did you read the article?)
Thats not really a comment on the issue at hand, but I can see how potentially questionable moves in such centralized gatekeepers could cause others to worry about precedent being set and followed by others.
This argument is based on a long-outdated understanding of the law. Section 230 of the Communications Decency Act extends immunity even to services exercising editorial control over content.
See Zeran v. AOL:
"Congress' clear objective in passing §230 of the CDA was to encourage the development of technologies, procedures and techniques by which objectionable material could be blocked or deleted."[5] Since distributor liability would have the effect of disincentivizing the filtering of content by third parties, the court found that such laws were in conflict with the "purpose and objectives of congress," and were thus preempted.
I should verify, though, if your point here is partially that this would be different from ALS Scan v Cloudflare, as the latter involves "infrastructure level caching"? That said, in the case of AOL, the content wasn't just cached: it was being hosted. Is it that one was an awkward case of defamation and this one is more about copyright? But then I would say that Section 230 has severe limitations.
I guess let's look at this from another direction: why do you feel Section 230 is a protection that is relevant here but isn't helping Cloudflare on their other fronts? It would seem to me that the actual issue of concern (that Cloudflare can and likely will be asked to block DNS for domain names that happen to host or advertise things like The Pirate Bay) is not affected by the existence of Section 230.
If it were gay marriage, or drug addiction, or gambling, similarly someone might say "it's their life" while also expressing disdain for the range of effects they believe it will cause.
Those things are all forms of content. Phishing is a form of fraud. Cloudflare is preventing criminals from using their infrastructure to do actual crime, as opposed to blocking content that someone might consider criminal in itself.
I get the intent but in these situations,no solution is better than a half-cooked solution. If I happened to be a victim in my hypothetical scenario above,sure I would get pissed at my (web)mail client,but also at cloudflare for not terminating the phisher's service when they were so sure of the malicious content hosted they went as far as sabotaging dmarc records.
From a more practical point of view,most phishing campaings like to use compromised websites or email accounts to send the email. Now the email itself will typically have a link to some nasty site or an attachment that eventually ends up "dropping" a second stage malware from some other nasty site. So, if these nasty sites sit behind Cloudflare,how does it make sense to not hold Cloudlfare responsible? Historically,their defense was "we are just the network transport provider". But what now? They can sabotage dmarc records but not A records? Their legal team must either be sleeping on the job or so good that an obvious liability like this isn't seen as a business risk.
No.
This argument is based on a long-outdated understanding of the law. Section 230 of the Communications Decency Act extends immunity even to services exercising editorial control over content.
See Zeran v. AOL:
[L]awsuits seeking to hold a service liable for its exercise of a publisher's traditional editorial functions – such as deciding whether to publish, withdraw, postpone or alter content – are barred. The purpose of this statutory immunity is not difficult to discern. Congress recognized the threat that tort-based lawsuits pose to freedom of speech in the new and burgeoning Internet medium. [...] Section 230 was enacted, in part, to maintain the robust nature of Internet communication [...] ."
"Congress' clear objective in passing §230 of the CDA was to encourage the development of technologies, procedures and techniques by which objectionable material could be blocked or deleted."[5] Since distributor liability would have the effect of disincentivizing the filtering of content by third parties, the court found that such laws were in conflict with the "purpose and objectives of congress," and were thus preempted
I understand that you can't hold Cloudflare liable just because it's customers hosted illegal or damaging content. But isn't a "publisher" liable for content take-down after an abuse notice? If they can't be sued under civil law,can't they be prosecuted under criminal law?
https://en.m.wikipedia.org/wiki/Aiding_and_abetting
Section two title 18:
> (b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal.