Cloudflare is urging the EU Commission to exclude the company from its upcoming Piracy Watch List, despite requests from several rightsholder groups for its inclusion. The American company says it's committed to addressing piracy concerns but not at the expense of user privacy and security. Instead, the European Commission should ensure that its Piracy Watch List does not become a tool for advocating policy changes.
Internet infrastructure company Cloudflare provides a range of connectivity and security services to customers around the globe.
This includes millions of organizations, including 30% of Fortune 500 companies, as well as various government agencies. These customers are generally pleased with the service they receive but Cloudflare has also faced criticism over the years.
Copyright holders, for example, have pointed out that the San Francisco-based company is offering its services to pirates. Many of the world’s largest pirate platforms use Cloudflare as a shield against attacks and to save bandwidth in the process. According to the complaints, this complicates piracy enforcement.
EU Piracy Watch List
A few weeks ago, various rightsholders shared their Cloudflare concerns with the European Commission. The EU requested input for its biannual ‘Counterfeit and Piracy Watch List’, allowing stakeholders to nominate piracy-affiliated sites and services for inclusion.In addition to traditional pirate sites, many rightsholders mentioned Cloudflare as a key problem. They accuse the company of indirectly facilitating piracy and shielding the identities of pirate site operators.
For example, music group IFPI complained that while Cloudflare discloses the hosting locations of pirate sites in response to abuse reports, it doesn’t voluntarily share the identity of these pirate customers with rightsholders.
“Where IFPI needs to obtain the customer’s contact information, Cloudflare will only disclose these details following a subpoena or court order – i.e. these disclosures are mandated by law and are not an example of the service’s goodwill or a policy or measures intended to assist IP rights holders,” IFPI wrote.
Video Games Europe offered similar criticism, informing the EU that Cloudflare continues to act as an important intermediary in the delivery of pirated content, without voluntarily sharing private customer details.
“Cloudflare does provide injured parties/trusted partners with the IP-address and name of the host ISP of an infringing website, but does not provide the contact details of the website operators nor cease to render services to these customers,” the group noted.
Cloudflare Responds to EU Commission
Cloudflare is aware of the critique. However, the company doesn’t believe that it should assume the role of anti-piracy arbiter or judge whether rightsholders complaints are valid. Aside from the legal complications, it believes that privacy rights deserve some level of protection.Rightsholders have increasingly used the EU and US piracy watch list consultations to argue for greater cooperation from online intermediaries. That applies to sharing of customer details, as well as more advanced “know your customer” policies.
The MPA also made a point of this in its submission to the EU Commission, where it listed several key piracy enforcement points.
Cloudflare, however, believes that the EU’s Piracy Watch list should solely focus on bad actors; pirate sites and services. It should not be used as a platform to demand policy change.
“The Commission should not issue a report – even an informal one – that is simply a mechanism for particular stakeholders to air their grievances that entities are not taking particular voluntary action to meet their concerns or to advocate for new policies.”
“Our view is that the Commission’s staff document and Watch List should be limited to Commission-verified allegations of illegal behavior, based on principled and fair legal standards,” Cloudflare adds.
Cloudflare is worried that if concerns about intermediaries are mentioned in the Watch List, even when the Commission doesn’t support them, it will be seen it as an endorsement. This could be used by rightsholders to influence policy discussions elsewhere.
Piracy vs. privacy
Cloudflare warns the EU against copyright holders’ broad generalizations that only focus on the downsides of technology. Those fail to recognize the value of innovative technologies that aim to increase privacy and security for the broader public.The video game industry, for example, complained that enabling privacy feature Encrypted Client Hello (‘ECH’) makes it hard to block pirate sites. The same technology, on the other hand, greatly benefits user privacy.
“Restricting progress and adoption of new technology tools that help protect the privacy and security of citizens operating online in order to continue the use of outdated means to combat piracy is short-sighted, and bad for Europe’s long term economic development,” Cloudflare notes.
The EU should be exceedingly wary of proposals that limit user privacy and security, to combat piracy. There’s an important trade-off to make either way, one that should not be taken lightly.
Problems still exist without Cloudflare
Concerns aside, Cloudflare stresses that it is open to collaboration with rightsholders and law enforcement. The company has a trusted reporter program, for example, which currently counts roughly 200 organizations.When these trusted parties report copyright infringements that take place though its reverse proxy and CDN service, Cloudflare shares additional information on the targets, including the origin IP-address of sites in question.
The company doesn’t terminate customer accounts for which it receives multiple complaints. It is not legally obliged to do so and disconnecting customers wouldn’t make much of a difference, the company argues.
Ultimately, pirate sites and services are hosted by third party providers. Taking away the Cloudflare service doesn’t change that.
All in all, Cloudflare believes that sharing hosting provider details in response to piracy complaints is sufficient. It puts rightsholders in the same position they are with any other site or service that doesn’t use its service.
“We believe it is time for rightsholders to shift their comments away from policy advocacy to focus instead on the physical and online markets and websites that are the intended subject of the Watch List report,” Cloudflare concludes.
A copy of Cloudflare’s letter to the European Commission, responding to the critique from rightsholders, is available here (pdf)
