Cloudflare urged to clamp down on pirates, counterfeiters

The operators of a “disproportionate” number of websites specialising in online piracy or counterfeiting are routinely abusing content delivery network (CDN) services offered by Cloudflare, a report has revealed.

In a whitepaper, Simon Baggs, president of brand and content protection at Corsearch – a specialist in trademark and brand protection services – revealed that 71% of websites his firm had notified to Google for search engine demotion were using Cloudflare.

Additionally, he said, 49% of all websites flagged for content piracy – such as film, music, photography and television shows – used Cloudflare, as did 23.5% of those offering counterfeit goods.

Further analysis carried out with the Police Intellectual Property Crime Unit (PIPCU) appeared to show that 67% of the websites it lists are abusing Cloudflare’s hospitality.

While there is no suggestion that Cloudflare is knowingly playing host to illegal activities, Baggs said it was a significant source of concern that its services were being so routinely abused.

“Cloudflare is a key intermediary that can do a lot more. Its services are fundamental to the operation of many websites that infringe intellectual property. There is no doubt that if Cloudflare followed the example of others and did more to assist rights owners, the online environment for consumers would be substantially improved,” he said.

In the whitepaper, Baggs claimed that because US-based Cloudflare does not verify identification and business or personal details for its CDN customers, and offers some base elements of its CDN service for free, malicious actors were incentivised to make it their provider of choice over others with more stringent policies in place.

He added that Cloudflare was in a unique position to use its clout to protect digital rights holders, and noted that many other intermediaries have been active in taking steps to prevent harm to consumers when their services are exploited in this way.

Corsearch is calling on Cloudflare to implement eight policies that it says will go a long way to helping mitigate the problem.

These include terminating services to websites when Google demotes or removes their URL, when they are accepted by a recognised law enforcement body as unlawful, or in a limited set of other circumstances.

It also wants Cloudflare to publicly disclose when it terminates a service, and to implement “know-your-client” policies which at the very least should include making customers provide formal identification, bank details and contact details.

Corsearch is not the first to highlight this particular problem. Last year, the Motion Picture Association (MPA) – members of which include Disney, Netflix, Paramount, Sony, Universal and Warner Bros – called out intermediary hosting providers, DNS providers, cloud services and others, including Cloudflare, for failing to take responsibility for tackling copyright infringement.

Cloudflare also recently came under fire for failing to act against a far-right troll forum that waged campaigns of harassment and stochastic terrorism for years against women and LGBTQIA+ people while using its security services as cover.

The firm at first refused to stop providing services to the forum but backed down after threats from its users became more aggressive and violent in response following an internet campaign to de-platform the service, which was led by a prominent Twitch streamer.

In a blog post, Cloudflare founder and CEO Matthew Prince said he had acted in the face of an “unprecedented emergency and immediate threat to human life”, but maintained Cloudflare was “uncomfortable” with denying service to far-right hate groups.

Computer Weekly contacted Cloudflare but the organisation had not responded at the time of publication.