Hacker News new | ask | show | jobs
by SpicyLemonZest 1382 days ago
It really depends on the business you run. If you run the local electric company, and you read in the paper that some guy in your service area has been doing terrible things, do you turn off his power? Cloudflare sees their anti-DDoS services as a similar infrastructure-level service, and while you might not agree with that (I'm not sure I do either), it's not immediately unreasonable.
1 comments
luckylion 1382 days ago
Is CF a utility in that way? I think you can argue that their DDOS-mitigation might be.

But that comes with the additional benefit of hiding the origin. This resembles a post-forwarder service or a bank that knows the customer's real identity, but provides a way for them to conduct business without exposing it. Is there a good-faith argument that this service is a public utility and should be provided even if the customer is using it for criminal activity?

If someone used FedEx to run a fake pharmacy and deliver fake medication to people while staying out of reach for law enforcement and regulators by using a FedEx-provided return address, would you say that FedEx should enforce their T&C and shut that customer down?

link
SpicyLemonZest 1381 days ago
In that hypothetical I'd grant that the answer is clearly yes, but it's not obvious to me how DDOS mitigation would help a company stay out of reach of law enforcement or regulators, unless Cloudflare is refusing to comply with subpoenas for customer information.
link
luckylion 1381 days ago
For most of the world, that's what it does: it only answers to US courts [1]. I'm sure you can imagine that this will only be a way for major crimes (murder, maybe, state level espionage and large scale ransom ware attacks, probably), essentially shielding all the common criminals like DDOS-for-hire from prosecution outside the US.

From their policy:

Cloudflare has long held the view that non-US governments should have to follow the same due process requirements to obtain any records about our customers. A number of US laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without US legal process. While there may be situations in which it might be appropriate to provide basic subscriber information in response to non-US legal process that complies with principles of due process, we generally believe that the best way forward at this time is for governments outside the United States to issue requests to us through a US court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request.

[1]: https://www.cloudflare.com/trust-hub/law-enforcement/

link