Cloudflare: The bad, the worse and the ugly?

In the US, a large technology company is about to go public. Cloudflare, a San Francisco-based company, wants to collect nearly $3.5 billion on the stock exchange in the first half of the year with the support of the investment bank Goldman Sachs. But there are dark shadows over Cloudflare. The spectrum of its customers ranges from credit card fraudsters and spammers, to sites that engage in copyright infringement as a business model, to terrorist sites. Even US embargoes are undermined.

What is Cloudflare?
Cloudflare offers a content delivery network. In simple terms, it provides a kind of turbo drive for web pages, allowing them to be delivered worldwide quickly and securely. Cloudflare places itself between, on one hand, the web page and/or servers of its customers and, on the other, the site visitor and/or user of the service. Because this position lets it selectively control and distribute site traffic, it can offer increased speed and protection against network overload attacks (DDoS).

However, Cloudflare also offers another feature: anonymizing its customers.
By placing a virtual screen over the original web page and/or its server, Cloudflare makes the operator practically untraceable. Upon inquiry, Cloudflare will only provide its own data, hiding client information such as hosting service and IP address, making it impossible to take legal action against illicit sites and services.
Civil law inquiries are futile, because Cloudflare only provides the name of the hosting service, which is worthless without the respective IP address. This is roughly equivalent to seeking information on an unmarked apartment with just the address of a high-rise building housing thousands of residents.

The Cloudflare problem is well known
This anonymizing feature from Cloudflare attracts a number of unsavory customers including, again and again, copyright infringers. But it doesn’t stop there.

Since December 2018, the EU Commission has included Cloudflare on a watch list for counterfeiting and piracy.

Most recently, the service received the dubious prize as the worst enemy of the creative community from the US blog TheTrichordist.

The listing of infringing market participants has a long history in the US. The music association RIAA submits an annual list of the worst offenders to the US Trade Representative. In 2017, 9 out of 20 violators could not be identified by the RIAA because Cloudflare effectively camouflaged them. The US film association MPAA is also aware of the problems with Cloudflare obfuscation and names the company in its annual list of interferers.

In the relatively new piracy segment IPTV – the streaming of non-licensed TV signals – the company is also on the move. A study from Fall 2018 shows the role of Cloudflare both in camouflaging the sites that sell IPTV subscriptions and in concealing the origin of the streams.

In a survey of data centers comprising file and streaming hosts in 2016, 40% of the Top 10 and 47% of the Top 30 used Cloudflare.

The ECO, a German association, which obviously doesn’t care about anything
Cloudflare is a member of the German industry association ECO. The purpose of this membership is probably to get a discount for traffic at the Frankfurt (DE-CIX) internet node, which ECO operates through a subsidiary.
ECO has never seemed to care that providers who are very heavily involved in piracy, including Cloudflare, are members of the association. In any case, there was no reaction to corresponding reports that ECO members, including Cloudflare, are responsible for over 50% of piracy traffic in the film sector in 2014, with 45.2% of this activity accounted for by Cloudflare and around 6% by a further five members.

Screenshot: Extract from the ECO member list, February 2018, www.eco.de/ueber-eco/mitglieder/#C

 

Cloudflare in court
The reports of legal proceedings against Cloudflare are long and concern more than just virtual goods. For example, two manufacturers of bridal fashions filed suit for trademark and copyright infringements by plagiarizers who were made anonymous by Cloudflare. And, while a claim brought by adult entertainment provider ALS-Scan ultimately ended in settlement, the judge found that Cloudflare’s activities could significantly support copyright infringement by hosting cached copies of files (though the settlement precluded a final judgment on Cloudflare’s actions and liability).

Supporting Illegal Activity: Calculated or Coincidence?
In Fall 2018, Cloudflare made news by ending its business relationship with pirate hosts like Rapidvideo for violating its terms of use. Before this, the only business relationship Cloudflare had voluntarily terminated was with the US Nazi site the Daily Stormer, in 2017.

Screenshot Youtube Video with Cloudflare CEO Matthew Prince on Fox Business Network


Big Data brings it to light

The current Google Transparency Report offers a look at the actual extent of Cloudflare’s involvement in piracy.
In the report, Google lists all requests from rights holders for deletions from the Google search index that concern rights violations. These now total more than 2.9 billion messages. The top 5,000 still-existing domains alone account for 79% of all reported URLs.
In order to understand Cloudflare's significance for this market, the 1,355 domains that are parked with companies such as Team Internet, Sedo or GoDaddy have to be subtracted from the 5,000 domains, since it makes no sense to protect parked sites with Cloudflare.
This leaves 3,645 domains. Of these 3,645 rights-infringing sites, 41.9% run via Cloudflare. For their part, they are responsible for 44.7% of the copyright infringements reported to Google.

If one were to extrapolate this proportion to the total number of domains listed in the Google Report for copyright infringements, one would come up with almost 670,000 domains protected by Cloudflare – a significant portion of the 2.2 million domains with requests for delisting from Google’s search engine.

Among Cloudflare’s customers are: Torrentz.eu, Gosong.net, Share-online.biz, Catshare.net, Bitsnoop.com, Deepwarez.org, Turbobit.net, Myfreemp3.eu, and Nitroflare.com.
Each of these websites received at least 3 million deletion requests from the Google search index.

Not only pirates love Cloudflare – also credit card fraudsters, phishing sites, extortionists, and terrorists

The watch site Crimeflare is a real treasure trove of information about Cloudflare, listing 650 credit card fraud sites alone, to which Cloudflare offered shelter.

Cloudflare also proudly deals in SSL certificates, providing phishing sites with the manufactured consumer security and confidence-building necessary to be successful. According to the German magazine Heise, hundreds of such certificates for fraudsters were issued by Cloudflare.

Of course, as Spamhaus reports, the spreading of malware often takes place over Cloudflare.

With Cloudflare, extortion is also par for the course, which conveniently generates additional services. By providing anonymity and untraceability to sites threatening, for example, to bring a web page to a standstill through DDoS, Cloudflare can then sell the attacked site its protection services. A truly special form of customer acquisition.

Cloudflare has also found good business in terror. As far back as 2012, the news agency Reuters confronted Cloudflare with the fact that it maintained the websites of Hamas and Al-Quds, designated by the US as terrorist groups.
And in 2018, terrorist organizations were still being supported, with Dutch security researcher Bert Hubert identifying at least 7 different terrorist organization websites that use Cloudflare.

The Huffington Post had these findings evaluated by Benjamin Wittes, Senior Fellow of the Brookings Institution:

“This is not a content-based issue. [Cloudflare] can be as pure-free-speech people as they want – they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not – but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”

As icing on the cake, the company even has customers who are on the official embargo list of the US (SDN-List). For example, CENTRAL REPUBLIC BANK from the Donetsk region uses Cloudflare’s services.

Screenshot: Collage of information from the US Treasury’s Office of Foreign Assets Control
https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx
Screenshot: Whois record of crb.dnr.ru at February 18th 2019

 

Do investors actually know what they are investing in?
Against the background of all these facts, two things are worth considering:
1) How has Cloudflare been able to obtain financing rounds from various investment companies in the past, including Google’s parent Alphabet?
2) Does Goldman Sachs actually know anything about the extent of Cloudflare’s involvement in rights violations and its support of dubious “ventures,” even to the point of undermining US embargoes?

Risk management is one of the central parameters of investment banks when evaluating investments. Risks must be known and assessable in advance. Cloudflare’s considerable participation in dubious transactions is rare in an IPO and a huge risk, particularly if, as in the ALS-Scan case, the company is faced with its own liability, or if criminal law is violated through the service’s business with terrorist organizations.
Goldman Sachs and current investors either lack moral standards, are naïve, or consider the risk of failure to be very low, which only shows how urgently we need government regulation of intermediaries on the Internet.

 

Volker Rieck, Jörg Weinrich