by xxdesmus 1484 days ago
Hello,

I’m the Head of Trust & Safety at Cloudflare. I wanted to clarify our processes, which were described inaccurately in this Hacker News post.

As part of our standard fraud review process, domains determined to be malicious registrations/transfers may be deleted. In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate. Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity. Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

4 comments

The process wasn't described inaccurately in the OP post. What you said here doesn't contradict anything in the OP post and in fact confirms that it happened.

>domains determined to be malicious registrations/transfers may be deleted

The person in the story's domain was determined to be malicious and deleted for fraud (however, in reality it wasn't), and thus deleted, like you said.

>Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity.

This is what the OP post described as having happened in the story. The person's domain was determined fraudulent and was thus disallowed from transferring out, like you said.

>Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

The fact is, a serious mistake was made by Cloudflare and evidently the guy had no way to appeal the decision outside of Hacker News. It is clear that this industry practice needs reform. Perhaps instead of trying to dismiss/downplay this, your time would be better spent improving the process or maybe implementing some form of due process/trial for these extremely important accounts. An accidental domain deletion seems to be no big deal to you. But in reality it's a nightmare that can cause serious harm to a person's life and livelihood.

Try to imagine for yourself how it would feel if one day all your important accounts stopped working. All your domains have been hijacked! Why? Because your registrar set it to DELETED on short notice due to random false-positive-fraud and a sniper re-registers it elsewhere! There is nothing you can do about it; your registrar stonewalls you. You're completely screwed and there's nothing you can do about it. Your valuable domain is gone. All your important accounts tied to email on that domain get broken into. Your companies and brand are destroyed. No one ever suspects their properly secured domain name will randomly be DELETED in less than the time it was registered for. This is a really traumatic event for people and not something that should be minimized.

The main differences between the post here and your description that I see are a) the post didn't explicitly clarify that this only applies when domains are determined to be malicious, b) the post is less optimistic about your appeals process, and generalizes the recently documented example where the appeals process failed.

However, regarding the core issue (a false positive on the fraud detection can get my domain both deleted and blocked from transfers) the post and your reply seem to be in agreement. (And the "typically take steps..." makes me wonder whether there are cases where you don't even notify the account holder, aside from court orders.)

I get that dealing with fraud at scale is hard, but this (especially the lack of a "why this won't happen again") does not exactly reassure me.

Can you do a post-mortem on what happened there?

> Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

The problem here is the entire process is opaque. Obviously your process can have false positives, so why should anyone trust the "standard industry practice" is being followed for domain deletion? Plus, IMHO "standard industry practice" is a term that gets dragged out to describe subjective policies and measures that can't be quantified or explained easily.

> In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate.

The thing that's problematic here is "typically". Maybe that's just wording to indicate that it's not always possible, but you always make an attempt (?). If so, say that. For me, the frustrating part is that I don't know the rules, so I can't adequately evaluate the risk of being banned. I can't have a contingency plan either because there are no guarantees. If the OP's story is even close to accurate, I think it's safe to say anything can get you banned due to a false positive and that scares me.

Even if you feel like you can't make the detection systems transparent, which I can understand, it would make a big difference if people could understand what the process is after an account is flagged. Why should I invest in development that targets Cloudflare's platform if I can be banned on a whim without any communication? Why doesn't my side of the deal get any guarantees?

I don't agree with instant blocking of any accounts, even the free ones, but I can understand the free accounts likely create challenges I can't even begin to hypothesize about.

That said, I don't think you're seeing the other side when it comes to instant blocking of services. I've dealt in the small business space a lot and the difficulty there is that a tiny, low priority issue for you, like blocking a small account, can be hugely detrimental to a small business. I've dealt with some small family run businesses where they own short domains that would be instantly squatted on upon deletion and the cost of recovering them would be significant in relation to their annual income.

Personally, I'd like to have some clear rules and guarantees surrounding account termination. Let me set one or more emergency contacts for my account and give me a clear timeline for attempts to reach out to those contacts before taking action on my account. And I'm not talking about some legalese buried on page 20 of the ToS. Put it in the control panel next to my contacts. If you can't give me any guarantees on a free account, that's fine, just say so up front and tell me what I need to do or pay to get to the point where my service won't be terminated by a robot.

I was really, really disappointed to see the OP's situation because I totally bought the mantra of Cloudflare wanting to make the internet a better place and I don't think you're doing that by being another "also ran" in the context of treating your users like they're disposable. Maybe I was just being naïve and overly optimistic because big tech treats everyone so badly that I wanted to believe there was truly someone out there trying to be on the side of the average user / developer.

The most disappointing part is that I think Cloudflare's strategy of targeting underserved markets has the potential to pay off more than people realize. I tried out Pages/Functions with a SvelteKit project (+ adapter) a while ago and it's the first time in years that I've actually been excited about something technology related because I can see the potential it has to give small developers a platform to capture the low end of underserved markets without having to worry about massive cost overruns or the complexity of managing infrastructure where time spent comes at the cost of forgoing something else.

I have a project I'd like to start building this year and I've been contemplating trying to do everything on Cloudflare. Now I'm thinking I should re-evaluate that idea and build it on DigitalOcean or AWS and use Cloudflare as an intelligent cache that's disposable if needed.

Why should I trust Cloudflare any more than I trust the other big tech companies where everyone is at risk of being banned by a robot in an instant?

Why do they think they have the right to kill domains that people have entrusted them with their custodianship? I don't understand why they have to set any domain to pendingDelete status, short of a court order. It sounds like something ripe for abuse. I don't see what the benefit of overzealous deletion is. If they think a domain is malicious and they want to stop it, they can simply disable it via NS records without actually deleting it for the remainder of the contract payment cycle. People shouldn't have to live in fear that their domain might randomly be deleted with no recourse. Perhaps new legislation is necessary to protect people's domains from random registrar deletion.