Besides, there are multiple U.S. laws that already govern this, especially:
"No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." (47 U.S.C. § 230(c)(1)).
This law is a bedrock, foundational law that helps the Internet grow by protecting ISPs and providers from liability.
Lastly, the U.S. is a sovereign country. A judgment from another country would need to be fully adjudicated here under U.S. law or any applicable treaties like the Berne Convention, not Moldovan law. Otherwise, chaos would reign. You would end up defending yourself from random judgments from foreign courts with radically different laws or even completely different ways of looking at IP protection that you might not even be aware of or be able to defend yourself from. This would be grotesquely unfair and manifestly unjust.
Furthermore, the questions you raise about jurisdiction are already covered by a bevy of international trade treaties. Notably, Moldova is a party to the Berne Convention as well as the US, so the judgments are entirely compatible. Yes, being on the Internet subjects you to hundreds of countries' laws at once[0], and the only reason why we have an Internet is because we have lots of treaties governing what judgments made where can be ported to which countries' jurisdictions.
Suffice it to say, any argument based solely on "you have no jurisdiction because I've never heard of you before and can't point to your country on a map" is not getting far in a court of law.
[0] If you think this is crazy, let me introduce you to the "linguistic jurisdiction argument", in which courts argue jurisdiction from the fact that you spoke that country's official language.
Cloudflare operates in and has a physical data center presence in Moldova, serves content owned by Moldovan citizens, and serves content to Moldovan citizens. Thus, they are subject to Moldova law. If they don’t want to be subject to it, they can remove their operations from the country and remove any interactions with Moldovans.
Moreover, it's pointless to expect that to do any good because the customer could obviously just use a provider that operates in country A but not in country B. Therefore, a presence in country B should be irrelevant when that isn't where the customer is because you're otherwise just setting up a catch 22 for no benefit.
If you want to use a GPL library and a proprietary library then you aren't allowed to - you can't choose to ignore the one you like the least.
This is equivalent to saying that no company can have operations is more than one country. Countries have so many laws that there will be a conflict between them somewhere.
The obvious and longstanding solution is for the company to set up a foreign subsidiary and then the subsidiary in that country complies with that country's laws. But that's not the same thing as expecting the subsidiaries in other countries to comply with the laws of a country they're not in.
I started having a huge problem with them ages ago when I reported that they were hosting a Bank of America phishing site. They took no action, and when pressed, they said that they couldn't take action because they needed to protect the site owners' free speech. Imagine that! Fraud, even when it's 100% obvious and blatant, is protected by free speech!
Right now, for example, a phishing site is hosted via Cloudflare at "schwabs-wild dot com". Cloudflare replied to a complaint about it in less than a minute and a half to say:
"We were unable to confirm phishing at the URL(s) provided."
Visiting the phishing site shows a site that's clearly trying to pretend to be Charles Schwab and that asks for a person's social security number as part of the login!
So are Cloudflare employees so dumb that they can't tell that this clearly is NOT legitimate, and are they so quick that they respond to complaints in literally a minute and a half, or has Cloudflare automated their responses for complaints like these because they've already gotten so many of them?
HN has a lot of Cloudflare users who like Cloudflare, so sometimes comments like these get downvoted, but I genuinely wonder how even CF fans could justify CF not only hosting blatant phishing sites like this, but also how anyone could justify ignoring complaints about this illegal activity. They clearly will continue to do it until there's more pressure, whether Charles Schwab has to contact them directly or there's a court order from a court they care about (certainly not a Moldovan one).
Cloudflare wants to pretend they're doing good for the world by offering things like DNS-over-https, wanting everyone to use it and telling us to just trust them when they say they won't do anything nefarious with the data that's made available to them, but so long as they pick and choose their judicial jurisdictions, why would the rest of the world want to trust them?
"Sorry, you have been blocked You are unable to access **.com"
But ye. Cloudflare's grip on access to different hosts have long since turned into a problem. Especially since their visitor abuse filter seem implicitly racist in which parts of the world they throw into endless captcha loops. And, no, I am not trying to be hyperbolic here. It plainly is. You can relive the experience of being from the wrong part of the world by using some privacy preserving browser settings, too.
Yes, putting rate limiting that's much slower than humans and CAPTCHAs that discriminate on to their abuse reporting pages just shows how much distain they have for people who want to report abuse.
My telephone operator seem to block it as a scam site without https, curiously.
Braindead libertarianism refuses to compromise. It insists, for whatever reason, that A and !A both be made true, that two and two make five. Sometimes there is a good reason to do this; the mathematics behind, say, encryption and computer security are such that you really can't build encryption algorithms that respect valid court decryption orders but refuse the millions of people that really would like to snoop through your texts to stalk you. But just as equally, the braindead libertarian just doesn't want to compromise. They take idiot politicians shouting at us to "NERD HARDER" to mean that we should shout back "WONK HARDER".
The spicy packet loss theory of censorship asserts that all Internet censorship is fundamentally the result of network interference. This is the braindead libertarian's approach to free speech. And the response to this - the protection for your free speech rights - is to build a machine to ensure your packets never drop, and insist that society tolerate 100% of it's ills. Even if that means being a bulletproof crimeware hoster for blatantly fraudulent phishing pages.
Mathematical axioms that lead to contradictions get dropped because of a fun thing called the Principle of Explosion. Taking both A and !A implies all statements are true, meaning that a theory with such a contradictory set of axioms says literally nothing. Fraud on CloudFlare's network is bad, but the real kicker is DDoS vendors. All of whom reliably use... CloudFlare. DDoS doesn't exactly match the spicy packet loss theory of censorship, but it's close enough to packet loss to be compatible with it. In fact, that's CloudFlare's selling point - that it protects you from DDoS. Which is why DDoS vendors love using it to protect their sales page where you can pay to attack and tear down other people's speech.
Literally any other host - aside from actual criminals - would have dropped DDoS vendors the moment they found out what they were selling. It's an obvious abuse pattern. But in CloudFlare's twisted logic, they can't drop the DDoS vendors, because that would make them censors, because they're dropping packets. So they have to tolerate DDoS vendors doing the censorship job anyway, in the world's dumbest trolley problem meme.
Private third parties are an inappropriate place to enforce the law. If you have a dispute with someone, you sue them, not their hosting provider. Then they have to pay you damages, the court will order them to stop, if they don't stop there are criminal penalties for contempt of court, etc. Why is the hosting provider even involved?
> a huge quarrel of lawyers
That's not... No, I'll allow it.
> Right now, for example, a phishing site is hosted via Cloudflare at "schwabs-wild dot com". Cloudflare replied to a complaint about it in less than a minute and a half to say:
> "We were unable to confirm phishing at the URL(s) provided."
Well yeah, because they're not law enforcement and they have no way to know if that site is a phishing site or a real or testing service by Charles Schwab or one of their subcontractors, or a honeypot or some law enforcement operation or the subject of an ongoing investigation the police don't want to spook etc. Meanwhile they get tons of fraudulent complaints from trolls and the competitors of their customers trying to take down their legitimate sites.
Stop expecting them to be a court. Go to a real court and get an injunction. Or report it to Charles Schwab or the police rather than Cloudflare so they can do it.
Sure. However, Cloudflare hide and protect the "them". The information in WHOIS, in the DNS SOA record, in the network hosting the content, in the servers hosting the DNS, in the registrar's abuse contact, all say "Cloudflare". Cloudflare'll "pass along" a message for you and will happily refuse to tell you who actually owns the site.
What's more, even when you can clearly show infringement, Cloudflare doesn't take action to stop it, even though they both can and should. Not taking action when you're informed that something is illegal is facilitation. Entities that host are not liable for the content of their clients, but entities that ignore illegal activities aren't (and shouldn't be) protected.
So there's literally no other option besides suing them, even if you want to go after the party that's using Cloudflare to do the illegal thing. You literally can't unless you sue Cloudflare and get a court (that Cloudflare actually listens to) to force Cloudflare to reveal the party they're hosting and protecting.
I'm not sure how you think "you sue them, not their hosting provider" is relevant in a discussion about Cloudflare unless you really didn't know all of this.
What does that matter? You can initiate a legal proceeding against a John Doe. And then the court would be able to subpoena Cloudflare for the information. That doesn't mean someone should sue Cloudflare for damages.
> What's more, even when you can clearly show infringement
How can you possibly "clearly show infringement" without a court proceeding? A service provider doesn't even have a reasonable mechanism to identify who the copyright holder is.
> I'm not sure how you think "you sue them, not their hosting provider" is relevant in a discussion about Cloudflare unless you really didn't know all of this.
There is a relevant distinction between issuing a subpoena for information and naming them as a defendant in a lawsuit.
Whereas many edge cases exist wherein conduct on the internet may have differing interpretations nothing stops anyone from handling the massive intersection where all reasonable parties agree.
Doing so in fact removes a lot of ammunition for arguments for more unworkable suggestions.
The issue is that they're trying to sue the wrong party -- the provider instead of the customer -- which US law rightfully discourages, which is why they're trying to cheat through some convoluted cross-border jurisdictional shenanigans.
Nobody has any expectation of privacy in their crimes.
Do you not realize the level of abuse this opens up? The company has no capacity to do thorough fact finding. They can't subpoena anyone or put them under oath. Trolls will send them complaints with plausible-sounding claims and their only practical options are to execute them without adequately investigating or to ignore them.
The only non-abusive option is to ignore them and leave the law enforcement to law enforcement.
If you take only unambiguously correct actions it will be harder for the government to push for much less friendly options later.
How do you know if it belongs to BOA? The name of the company/contractor on the bill is regularly different than the name of service being hosted. Even then, how do you know that it's crime rather than e.g. part of some computer security coursework or a research study on phishing or a misconfigured page where somebody was doing a copy and paste and accidentally pasted the wrong thing into their site?
The answer, of course, is that if it's crime then the people who think it's crime should report it to law enforcement to conduct an investigation. Then if it is crime, the perpetrators get arrested instead of just having their account closed (tipping them off that they've been discovered) and opening another one under a different name.
Most companies do due dilligence to avoid complicity with criminal activities. If Cloudflare doesn't believe they should now they can wait until a bunch of non-technical 65+ define their role for them in 35 different jurisdictions and hope that goes well.
>That's not... No, I'll allow it.
Allow it?! I suggest we carve it on the front door of the firm.