September 3, 2020 by Ernesto Van der Sar
Cloudflare doesn't remove anything in response to DMCA takedown notices unless it stores the content permanently. However, the company will hand over personal details of customers to copyright holders who obtain a DMCA subpoena. Over the past 12 months, Cloudflare was ordered to share information regarding more than 400 accounts.
Popular CDN and DDoS protection service Cloudflare has come under a lot of pressure from copyright holders in recent years.
The company offers its services to millions of sites. This includes multinationals, governments, but also some of the world’s leading pirate sites.
Many rightsholders are not happy with the latter. They repeatedly accuse Cloudflare of facilitating copyright infringement by continuing to provide access to these platforms. At the same time, they call out the CDN service for masking the true hosting locations of these ‘bad actors’.
Cloudflare sees things differently. The company positions itself as a neutral service provider that doesn’t ‘host’ any infringing content. They just pass on information that is cached on its services temporarily.
This means that if copyright holders report Pirate Bay URLs to Cloudflare, the company takes no action other than forwarding the DMCA takedown notices to its customer. By doing so, Cloudflare is convinced that it operates in accordance with the law.
Identifying ‘Infringing’ Customers
Not all rightsholders agree with this approach and some have filed lawsuits to hold Cloudflare liable. Others have gone to court to obtain DMCA subpoenas, which require the CDN provider to hand over all personal details it has on allegedly infringing customers.
We regularly report on these requests, which target torrent sites, streaming sites, and many other pirate portals. In its latest transparency report, Cloudflare reveals how many times it was asked to comply and what information was shared in response.
Over the past 12 months, Cloudflare received 58 DMCA subpoenas and the company answered all but one. Together, these affected more than 1,000 domains and close to 500 Cloudflare customers.
Previously it wasn’t clear what type of records the company could hand over, but the transparency report provides more information on that as well.
What Information is Shared?
To comply with the subpoenas, Cloudflare can share the IP-addresses that were used to login to the site as well as the login times. In addition, it can hand over so-called ‘basic subscriber info.’
“This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name; email address; physical address; phone number; the means or source of payment of service,” Cloudflare writes.
Whether copyright holders can do anything with this information remains a question. Many larger pirate sites are quite skilled at hiding the tracks that lead to their true operators. For smaller sites that may be different.
The transparency report also touches on website blocking, which is another high-profile topic. While Cloudflare is very cautious with blocking, it may in some cases comply with law enforcement requests and foreign court orders.
“If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as ‘geo-blocking’. We will attempt to clarify and narrow overbroad requests when possible,” Cloudflare writes.
Cloudflare says it’s cautious because of “the significant potential impact on freedom of expression.” How many domains are blocked is not mentioned, but it does occasionally take action.
For example, earlier this year the pirate site DDL-Music.to was blocked in Germany following a court order.
Finally, we have to note that Cloudflare also offers hosting services to some clients. If that’s the case, it will remove content when appropriate. That happened three times over the past year, affecting one or two domain names.
This topic is locked; no new posts are allowed.