Hacker News
by Barrin92 1379 days ago
What's at the heart of the entire Cloudflare situation is this discussion around the platform's alleged neutrality.

I do not understand this at all. If I run a business, and I see that unambiguously bad actors, namely abusers, criminals, stalkers, harassers or whatever, use my services to facilitate their actions, I have a very clear ethical obligation to step in. I don't go "well the law isn't here, it's not my problem". Making money off unsavory individuals, metaphorically selling both shields and guns at the same time, is unethical. Dodging that responsibility is moral cowardice.

The law isn't in every place, it's slow as hell and dysfunctional anyhow in some jurisdictions in particular, but that's no excuse for inaction when it is within one's power to prevent harm. It should be that simple.


It really depends on the business you run. If you run the local electric company, and you read in the paper that some guy in your service area has been doing terrible things, do you turn off his power? Cloudflare sees their anti-DDoS services as a similar infrastructure-level service, and while you might not agree with that (I'm not sure I do either), it's not immediately unreasonable.
Is CF a utility in that way? I think you can argue that their DDOS-mitigation might be.

But that comes with the additional benefit of hiding the origin. This resembles a post-forwarder service or a bank that knows the customer's real identity, but provides a way for them to conduct business without exposing it. Is there a good-faith argument that this service is a public utility and should be provided even if the customer is using it for criminal activity?

If someone used FedEx to run a fake pharmacy and deliver fake medication to people while staying out of reach for law enforcement and regulators by using a FedEx-provided return address, would you say that FedEx should enforce their T&C and shut that customer down?

In that hypothetical I'd grant that the answer is clearly yes, but it's not obvious to me how DDOS mitigation would help a company stay out of reach of law enforcement or regulators, unless Cloudflare is refusing to comply with subpoenas for customer information.
For most of the world, that's what it does: it only answers to US courts [1]. I'm sure you can imagine that this will only be a way for major crimes (murder, maybe; state-level espionage and large-scale ransomware attacks, probably), essentially shielding all the common criminals like DDOS-for-hire from prosecution outside the US.

From their policy:

Cloudflare has long held the view that non-US governments should have to follow the same due process requirements to obtain any records about our customers. A number of US laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without US legal process. While there may be situations in which it might be appropriate to provide basic subscriber information in response to non-US legal process that complies with principles of due process, we generally believe that the best way forward at this time is for governments outside the United States to issue requests to us through a US court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request.

[1]: https://www.cloudflare.com/trust-hub/law-enforcement/