Posts Tagged ‘Cloudflare’

@cloudflare CEO Calls for a Decider–When That Decider Is Cloudflare Employees

November 2, 2019


Diogenes searched the world for an honest man, and Cloudflare is searching the world for a decider in chief to tell them what to do.  But as we know from Cloudflare’s IPO, Cloudflare need only look within because the insiders have structured the company’s governance so there is clear responsibility–and it’s with Cloudflare employees.

The horror stories about Cloudflare are starting to dribble out more frequently after its amended  IPO filing with the SEC.  According to the Wall Street Journal:

[Cloudflare’s IPO disclosure form, its SEC Form S-1], filed with the Securities and Exchange Commission last month, was amended last week. The company said in the filing that it made the self-disclosure in May to the Treasury’s Office of Foreign Assets Control, which enforces U.S. sanctions, and the self-disclosure is under review by the agency…

[Cloudflare] also disclosed that it may have violated U.S. export control regulations and has submitted self-disclosures to the Commerce Department’s Bureau of Industry and Security as well as to the Census Bureau regarding potential violations of the Foreign Trade Regulations. Cloudflare said it learned this year that it may have submitted incorrect information to the U.S. government in connection with certain hardware exports, according to the filing.

When you do the timeline of when Cloudflare filed its initial IPO form with the SEC (August 15), the time when Cloudflare says it filed disclosures with the Treasury Department Office of Foreign Assets Control (the May before the IPO filing) and the amended IPO filing (September 10), you have to ask yourself a question.  If the Treasury Department filing was important enough to disclose in an amended S-1, who decided to wait to disclose it until the Friday before Cloudflare shares started trading?

And then there’s this story from the BBC:

The anti-child-abuse campaign Battling Against Demeaning & Abusive Selfie Sharing claims to have first made the internet company aware of numerous indecent images, including some showing child sexual abuse, on three of its clients’ websites over a year ago.

The websites in question reportedly state any takedown notice would be ignored.

And one allegedly allows users to search through a catalogue of abusive images.

Following a Twitter campaign, Cloudflare director of trust and safety Justin Paine asked the charity to send a detailed report of its complaint.

“We hope that by making noise, we will finally receive a response from Cloudflare. We’re hopeful that they will end their relationship with these sites that profit off the exploitation of non-consenting women and girls,” charity advocate Emily Wilson told the BBC.

And then there’s hosting the Daily Stormer neo-Nazi site and of course 8Chan.  Cloudflare’s insiders decided to terminate those customers–so it’s not that they are seeking a decider to tell them what to do in those cases.  They know what to do and they know who will make that decision.  They just always seem to be making another decision first–letting bad actors onto their network and profiting from doing so.

The company structured its corporate governance using the discredited dual class voting system that gives insiders (and employees in Cloudflare’s case) 10 times the public’s voting power.  There’s no question who the deciders are in a dual class system–like King Louis XIV said, “I am the state”.

For a company that profits from all the bad actors they facilitate, there’s no question who decides.  It is clear that the Cloudflare co-founder is on a deflection campaign by answering the question no one asked:

“We don’t think we should be deciding what content should be online,” Michelle Zatlyn says, however she adds that, “somebody should.”

No one is asking Cloudflare to decide what content should be online–that’s a fallacy of composition and typical grandiosity of the Internet’s ruling class.  What is at issue is how much of Cloudflare’s profit from bad actors that Wall Street is prepared to accept.  Cloudflare is the one who decided to take the public’s money, Cloudflare is the one who decided to take the public regulation that comes with those riches, Cloudflare is the one who allows bad actors to be on their network.

It’s pretty clear who the decider is and Cloudflare has the dual class stock voting structure to prove it.  They are in control, they have met the decider and the decider is them.

And they need to get busy because what comes next may introduce them to some deciders they really might not like.  They’ve already met some of them by the sound of it.

Cloudflare got itself into this mess and only Cloudflare can get out of it.  Or someone will do it for them.

Rut Roh: @LibraryCongress Hoster Cloudflare Discloses “Incorrect” Submissions to Treasury Dept. Office of Foreign Assets Control For Blacklist Payments by Narcotraficante

September 12, 2019

Cloudflare’s drip drip drip:  If we’re caught dealing with criminals it could have a material adverse effect on our business.

As reported by Mengqi Sun in the Wall Street Journal, 8Chan and Library of Congress hosting provider Cloudflare amended its IPO documents on September 10 to disclose that it reported to the Treasury Department’s Office of Foreign Assets Control violations of U.S. economic and trade sanctions regulations: trading with terrorists and narcotraficantes that have been blacklisted by the U.S. but paid money to Cloudflare. AKA blood money.

Isn’t it time for the U.S. Government to at least review any contracts with Cloudflare?  Sounds like a job for the Scooby Doo Gang.

Fortunately, #irespectmusic fan Rep. Ted Deutch was already on top of it and had questioned the wisdom of continuing that contract at a recent House Judiciary Committee oversight hearing.

As we all collectively gasp, ask yourself this question:  If Cloudflare has this problem–why doesn’t Google have a much bigger version of the same problem?

Here’s the excerpt from the amended Cloudflare IPO document (Form S-1 filed with the Securities and Exchange Commission):

We are subject to governmental trade sanctions laws, and export and import controls, that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws.

Our business activities are subject to various economic and trade sanctions regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and U.S. export control and similar foreign laws and regulations, including the U.S. Department of Commerce’s Export Administration Regulations (EAR). We incorporate encryption technology into certain of our products, and the encryption products and the underlying technology may be exported outside the United States only with the required export authorizations, including by license, a license exception or other appropriate government authorizations, including the filing of classification requests or self-classification reports. Further, the U.S. economic sanctions laws and export control laws include restrictions or prohibitions on the sale or supply of most products and services to U.S. embargoed or sanctioned countries, governments, persons, and entities. Even though we take precautions and have implemented policies and practices to assist in compliance, there is a risk that we may not be in full compliance with these laws.

In 2019, we learned that we may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports. Upon learning of these potential violations and associated export control requirements, we promptly initiated a voluntary internal review and are taking remedial measures to prevent similar export control anomalies from occurring in the future. In May 2019, we submitted a voluntary self-disclosure to the Bureau of Industry and Security regarding potential violations of EAR and a voluntary self-disclosure to the Census Bureau regarding potential violations of the Foreign Trade Regulations. These voluntary self-disclosures are under review by the respective agencies.

In May 2019, we submitted a voluntary self-disclosure to OFAC related to our non-compliance with certain economic and trade sanctions programs. Specifically, we identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC’s Specially Designated Nationals and Blocked Persons List (the SDN List), including entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions. A small number of these parties made payments to us in connection with their use of our platform. Although we have implemented, and are working to implement additional controls and screening tools designed to prevent similar activity from occurring in the future, there is no guarantee that we will not inadvertently provide our products to additional individuals, entities, or governments prohibited by U.S. sanctions in the future. The voluntary self-disclosure is under review by OFAC.

Additionally, we currently provide products to certain OFAC-sanctioned regions based upon general licenses issued by OFAC to engage in such activity. We continue to review the OFAC sanctions and our practices to verify compliance.

These efforts related to export controls and OFAC sanctions could result in negative consequences for us, including costs related to government investigations, financial penalties and harm to our reputation. The impact on us related to these matters could be substantial.

In addition, various countries regulate the import of certain technologies and have enacted or could enact laws that could limit our ability to provide our products and operate our network or could limit our customers’ ability to access or use our platform and products in those countries.

If we are found to have violated the U.S. or foreign laws and regulations, we and certain of our employees could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may be materially and adversely affected through penalties, reputational harm, loss of access to certain markets, or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed, and may result in the delay or loss of sales opportunities. In addition, changes in our platform, products, or screening process, or changes in export, sanctions, and import laws, could delay the introduction and sale of subscriptions to our products in international markets, prevent customers in certain countries from accessing our platform and products or, in some cases, prevent the provision of our platform and products to certain countries, governments, persons, or entities altogether. Any decrease in our ability to sell our products could materially and adversely affect our business, results of operations, and financial condition.



February 27, 2019

You may have never heard of Cloudflare and you may be wondering what the company has to do with music, technology or policy.  Cloudflare plays a vital role in the worldwide criminal enterprise of piracy and competes with Google, Facebook and Amazon for the moniker of the Genco Olive Oil company of the Internet.  Here’s how the company describes itself:

Cloudflare, Inc. is a U.S. company that provides content delivery network services, DDoS mitigation, Internet security and distributed domain name server services. Cloudflare’s services sit between the visitor and the Cloudflare user’s hosting provider, acting as a reverse proxy for websites. Cloudflare’s headquarters are in San Francisco, California, with additional offices in London, Singapore, Champaign, Austin, Boston and Washington, D.C.

But Torrentfreak tells us:

As a CDN provider, Cloudflare relays traffic of millions of websites through its network, including many pirate sites.

Or said another way, Cloudflare is a lynchpin in the biggest income transfer in commercial history.  So what do you do when you’re Cloudflare?  How do you get some liquidity with that big income transfer?  How else–you find some sleaze bags to underwrite an IPO so they can shovel some money their way, too.

Cloudflare, a U.S. startup whose software makes websites load faster and with greater security, is preparing for an initial public offering (IPO) that could value it at more than $3.5 billion, people familiar with the matter said.

The company is looking to go public in the first half of next year, the sources said this week, joining a string of software and internet firms seeking to tap the stock market and capitalize on strong investor appetite and rich valuations.

The IPO will be led by investment bank Goldman Sachs, said the sources, who asked not to be named because the matter is confidential. Exact timing of the IPO has not been finalized, the sources added.

The astute researcher in Germany Volker Rieck has some insights into Cloudflare that the Securities and Exchange Commission would do well to review before they let Cloudflare make Mr. & Mrs. Main Street their partner in crime.

Read the post on Webschauder

In the US, a large technology company is about to go public. Cloudflare, a San Francisco-based company, wants to collect nearly $3.5 billion on the stock exchange in the first half of the year with the support of the investment bank Goldman Sachs. But there are dark shadows over Cloudflare. The spectrum of its customers ranges from credit card fraudsters and spammers, to sites that engage in copyright infringement as a business model, to terrorist sites. Even US embargos are undermined.

What is Cloudflare?
Cloudflare offers a content delivery network. In simple terms, it provides a kind of turbo drive for web pages, allowing them to be delivered world-wide quickly and securely. Cloudflare places itself between, on one hand, the web page and/or servers of its customers and, on the other, the site visitor and/or user of the service. By enabling it to selectively control and distribute site traffic, it can offer increased speed and protection against network overload attacks (DDoS).

However, Cloudflare also offers another feature: anonymizing its customers.
By placing a virtual screen over the original web page and/or their server, Cloudflare makes the operator practically untraceable. Upon inquiry, Cloudflare will only provide its own data, hiding client information such as hosting service and IP address, making it impossible to take legal action against illicit sites and services.
Civil law inquiries are futile, because Cloudflare only provides the naming of the hosting services, which is worthless without the respective IP address. This is roughly equivalent to seeking info on an unmarked apartment with just the address of a high-rise building housing thousands of residents.

The Cloudflare problem is well known
This anonymizing feature from Cloudflare attracts a number of unsavory customers including, again and again, copyright infringers. But it doesn’t stop there.

Since December 2018, the EU Commission has included Cloudflare on a watch list for counterfeiting and piracy.

Most recently, the service received the dubious prize as the worst enemy of the creative community from the US blog TheTrichordist.

The listing of infringing market participants has a long history in the US. The music association RIAA submits an annual list of the worst offenders to the US Trade Representative. In 2017, 9 out of 20 violators could not be identified by the RIAA because Cloudflare effectively camouflaged them. The US film association MPAA is also aware of the problems with Cloudflare obfuscation and names the company in its annual list of interferers.

In the relatively new piracy segment IPTV – the streaming of non-licensed TV signals – the company is also on the move. A study from Fall 2018 shows the role of Cloudflare both in camouflaging the sites that sell IPTV subscriptions and in concealing the origin of the streams.

In a survey of data centers comprising file and streaming hosts in 2016, 40% of the Top 10 and 47% of the Top 30 used Cloudflare.

The ECO, a German association, which obviously doesn’t care about anything
Cloudflare is a member of the German industry association ECO. The purpose of this membership is probably to get a discount for traffic at the Frankfurt (DE-CIX) internet node, which ECO operates through a subsidiary.

ECO has never seemed to care that providers who are very heavily involved in piracy, including Cloudflare, are members of the association. In any case, there was no reaction to corresponding reports that ECO members, including Cloudflare, are responsible for over 50% of piracy traffic in the film sector in 2014, with 45.2% of this activity accounted for by Cloudflare and around 6% by a further five members.

Screenshot: Extract from the ECO member list, February 2018


Cloudflare in court
The reports of legal proceedings against Cloudflare are long and concern more than just virtual goods. For example, two manufacturers of bridal fashions filed suit for trademark and copyright infringements by plagiarizers who were made anonymous by Cloudflare. And, while a claim brought by adult entertainment provider ALS-Scan ultimately ended in settlement, the judge found that Cloudflare’s activities could significantly support copyright infringement by hosting cached copies of files (though the settlement precluded a final judgment on Cloudflare’s actions and liability).

Supporting Illegal Activity: Calculated or Coincidence?
In Fall 2018, Cloudflare made news by ending its business relationship with pirate hosts like Rapidvideo due to violating its terms of use. After all, before this, Cloudflare had only voluntarily terminated its business relationship with US Nazi site the Daily Stormer in 2017.

Screenshot Youtube Video with Cloudflare CEO Matthew Prince on Fox Business Network

Big Data brings it to light

The current Google Transparency Report offers a look at the actual extent of Cloudflare’s involvement in piracy.

In the report, Google lists all requests from rights holders for deletions from the Google search index that concern rights violations. Meanwhile these are more than 2.9 billion messages. The top 5,000 of still existing domains already account for 79% of all reported URLs.

In order to understand the significance of Cloudflare for this market, the 1,355 domains that are parked with companies such as Team Internet, Sedo or GoDaddy have to be subtracted from the 5,000 domains, since it makes no sense to protect parked sites with Cloudflare.
This leaves 3,645 domains. Of these 3,645 right-infringing sites, 41.9 % run via Cloudflare. For their part, they are responsible for 44.7 % of the copyright infringements reported to Google.

If one were to extrapolate this proportion to the total number of domains listed in the Google Report for copyright infringements, one would come up with almost 670,000 domains protected by Cloudflare – a significant portion of the 2.2 million domains with requests for delisting from Google’s search engine.

Among Cloudflare’s customers are:,,,,,,,, and
Each of these websites received at least 3 million deletion requests from the Google search index.

Not only pirates love Cloudflare – also credit card fraudsters, phishing sites, extortionists, and terrorists

The watch website Crimeflare is a real treasure trove of information about Cloudflare, listing 650 credit card fraud sites alone, to which Cloudflare offered shelter.

Cloudflare also proudly deals in SSL certificates, providing phishing sites with the manufactured consumer security and confidence-building necessary to be successful. According to the German magazine Heise, hundreds of such certificates for cheats were issued by Cloudflare.

Of course, as Spamhaus reports, the spreading of Malware often takes place over Cloudflare.

With Cloudflare, extortion is also par for the course, which conveniently generates additional services. By providing anonymity and untraceability to sites threatening, for example, to bring a web page to a standstill through DDoS, Cloudflare can then sell the attacked site its protection services. A truly special form of customer acquisition.

Cloudflare has also found good business in terror. As far back as 2012, the news agency Reuters confronted Cloudflare with the fact that it maintained the websites of Hamas and Al-Quds, designated by the US as terrorist groups.
And in 2018, terrorist organizations were still being supported, with Dutch security researcher Bert Hubert identifying at least 7 different terrorist organization websites that use Cloudflare.

The Huffingtonpost had these findings evaluated by Benjamin Wittes, Senior Fellow of the Brookings Institution:

“This is not a content-based issue. [Cloudflare] can be as pure-free-speech people as they want – they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not – but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”

As icing on the cake, the company even has customers who are on the official embargo list of the US (SDN-List). For example, CENTRAL REPUBLIC BANK from the Donetsk region uses Cloudflare’s services.

Screenshot: Collage of information from the US Treasury’s Office of Foreign Assets Control
Screenshot: Whois record of at February 18th 2019


Do investors actually know what they are investing in?
Against the background of all these facts, two things are worth considering:
1) How has Cloudflare been able to obtain financing rounds from various investment companies in the past, including Google’s parent Alphabet?
2) Does Goldman Sachs actually know anything about the extent of its involvement in rights violations and its support of dubious “ventures,” even to the point of undermining US embargoes?

Risk management is one of the central parameters of investment banks when evaluating investments. Risks must be known and assessable in advance. Cloudflare’s considerable participation in dubious transactions is rare in an IPO and a huge risk. Particularly if, as in the ALS-Scan case, the company is faced with its own liability, or if criminal law is violated through the service’s business with terrorist organizations.
Goldman Sachs and current investors either lack moral standards, are naïve, or consider the risk of failure to be very low, which only shows how urgently we need government regulation of intermediaries on the Internet.

Volker Rieck, Jörg Weinrich
