Google, EFF back Cloudflare in row over pirate streams

Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site. Earlier this year, a handful of Israel-based media companies took to court, accusing it of streaming TV and movie content it had no …

  1. Anonymous Coward

    about the aside

    That email sanitisation service relies on email not being encrypted, which while the most common scenario, is hardly a happy state of affairs.

    A better idea would be for the scanning to happen on the end user's device and then redirect (with user permission to avoid sensitive data being leaked) to the remotely hosted browser (which one hopes is itself properly hardened).

    1. katrinab Silver badge

      Re: about the aside

      Microsoft [both Exchange Server and hosted offerings], Google, and Yahoo encrypt email by default, provided the other party supports it.

      Outside of China and Russia, those three account for the vast majority of email traffic, so I would say that encrypted email is now the most common scenario.

      Of course the Russian and Chinese email providers might also encrypt their email, I haven't looked into that.

      1. Charlie Clark Silver badge

        Re: about the aside

        Google, and Yahoo encrypt email by default, provided the other party supports it.

        Sort of depends what you mean by encryption: TLS, yes. But actual encryption of the e-mail at rest, no and Exchange is easy enough to hack. S/MIME isn't much better because, apart from the technical shortcomings, admins can easily read the e-mail. And none of the big players has gone far enough to support anything like PGP, even though they're technically in a great position to do this.

        Note, that in some situations in some jurisdictions, it is a legal to keep archive, and thus, unencrypted copies of e-mails. But it's possible to think up ways of how this could be done: separate keys for certain communications and an offline archive.

        1. Anonymous Coward

          Re: about the aside

          > Note, that in some situations in some jurisdictions, it is a legal to keep archive, and thus, unencrypted copies of e-mails. But it's possible to think up ways of how this could be done

          My company does it. I forget the details but it involves stripped (PGP) keys. Users can encrypt and only they can sign, but the admin can decrypt anything encrypted to a user's key. This suggests that the admin has a copy of the encryption key but not of the signing key.

          OpenPGP because of the issues expounded by another poster below, plus control over the chain of trust.

      2. J. Cook Silver badge

        Email and encryption...

        As mentioned by @Charlie Clark, most SMTP servers support TLS, so that the data transmission is encrypted and less likely to be caught by someone sniffing the packet stream in the middle somewhere.

        Encrypting the message contents, at rest(1)? Different animal entirely. I'm speaking here as both a mail admin and PKI admin, and I can tell you that configuring an entire company's worth of user accounts to use encryption is a very tall, and VERY expensive order.

        First you'll need to either A) Purchase a public signing certificate, which most certificate resellers will either want 5 digits for if they'll do it at all; OR offload your chain of trust for the domain to them and pay a per user, per year fee for it;(2) B) run your own publicly accessible CA for certificate validation and get one of the root trusts to sign off on it (not easy OR cheap); AND train your support staff, users, and probably random members of the public, vendors, and whoever else whines about how to react now that the emails are all encrypted using their very own personal certificate.

        Oh yeah, and since you are the SME for implementing it, you are now the point of contact for EVERYTHING email related that breaks, even if (or especially if) it's not actually related to the encrypted email chains.

        Good luck!

        (1) Defining "at rest" here as sitting in an outbound, transitory, or inbound mail spool/datastore/mailbox.

        (2) [RedactedCo] has in excess of a thousand users; $20 /user, per year; that's a lot of money for something that'll likely rarely get used unless it's forced on, which causes even more headaches on the receiving side.
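
The distinction drawn in this sub-thread (TLS protects each SMTP hop, not the stored message) can be checked from a message's own headers. The following is an added example, not part of any comment above: it reads the Received trace of a constructed sample message, flags the hops that recorded a TLS-protected transfer (RFC 3848 "with" keywords ending in S or SA), and checks whether the body itself is PGP/MIME or S/MIME encrypted. Hostnames, addresses and function names are made up for illustration.

```python
import email
import re

# Constructed sample (not from the thread); all hosts and IDs are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby store.recipient.example with LMTP id abc123;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example ([203.0.113.5])
\tby out.sender.example with ESMTP id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test

Stored as plaintext on every server that handled it.
"""

# RFC 3848 "with" keywords: a trailing S (or SA) means the hop used TLS.
PROTO_RE = re.compile(r"(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?", re.I)

def hop_report(raw):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    hops = []
    # Each server prepends its header, so the oldest hop is last.
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        m = PROTO_RE.fullmatch(name)
        hops.append((by.group(1) if by else "?", name, bool(m and m.group(1))))
    return hops

def end_to_end_encrypted(raw):
    """True only if the body itself is PGP/MIME or S/MIME enveloped."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() == "multipart/encrypted":   # PGP/MIME, RFC 3156
        return True
    return (msg.get_content_type() == "application/pkcs7-mime"
            and msg.get_param("smime-type") in ("enveloped-data", "authEnveloped-data"))

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'no TLS recorded'}")
    print("body encrypted end to end:", end_to_end_encrypted(SAMPLE))
```

Received lines below the first server you control are written by the sending side and can be forged, so only your own hops count as evidence.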

  2. VoiceOfTruth Silver badge

    One small point

    -> Its lawyers noted in court filings [PDF] that data just passes through Cloudflare's networks on its way to and from websites and visitors, and it doesn't engage in editing or removing content.

    That is exactly the argument the US regime often uses for money laundering. If data about money passes through a US owned or operated network at all, even for a millisecond, then they claim jurisdiction. The fact that those networks did nothing but pass it on is considered irrelevant.

    -> [huge long list of every kind of service provider removed for clarity]

    I wonder if this is some kind of cookie cutter, pro forma so-called judgement. Copy and paste this long list from some handy grab bag of judicial goodies.

  3. Anonymous Coward

    Cloudflare had an outage this morning

    I know coz Vulture Central was unavailable.


  4. Charlie Clark Silver badge

    DMCA safe harbour

    In the US Cloudflare should be in the clear by claiming Safe Harbour, which was designed for something else but should easily cover this. The only aspect they're vulnerable on is failing to act on a cease and desist case if they've been instructed not to provide services for insert-name-here, but that would be contempt anyway.

    DMCA was almost specifically designed to protect US copyright without penalising US video service providers, like YouTube. Non-US copyright holders have much reduced rights and non-US service providers find it harder to claim Safe Harbour. This is standard US trade policy via extra-territorial enforcement.

  5. xyz123 Bronze badge

    > any other service provider which has provided services or in the future provides services to defendants

    This instantly renders the order null and void in the United States as it forbids the defendant from seeking the services of or retaining legal representation.

    Because that's 100% unconstitutional, none of the remainder of the order is legally enforceable.

    PLUS the site owners can sue for violating their constitutional rights

    1. John Brown (no body) Silver badge

      "PLUS the site owners can sue for violating their constitutional rights"

      Was owned by US citizens, resident in the US? Do they even have constitutional rights?

    2. Michael Wojcik Silver badge

      Someone's being a lawyer on the Internet!

  6. Claptrap314 Silver badge


    that Cloudflare is objecting to being ordered to drop service to a client convicted of breaking the law, while it publicly dropped service to a client that was merely extremely distasteful.

    These are NOT good times...

  7. Kevin McMurtrie Silver badge

    Here we go again

    Cloudflare acts like they're just an innocent pipeline/proxy/whatever when they actually have customers subscribing to specific services. It's not their job to monitor their customers but it is their job to respond when they have been notified of customers using services for crime. I'd personally like to see Cloudflare get in a lot more trouble.

    Reg - before you delete this, have you looked at the fake Louis Vuitton store links I emailed? You asked for evidence in another story comment thread.
