# Codeberg's Attack on Transparency and on Cloudflare Opposition

Codeberg hosted Crimeflare's `Cloudflare-Tor` (CFT) project.
In April 2021, Codeberg took down the project alleging libel.

## What the Cloudflare-Tor (CFT) project is

The CFT project is a non-profit charitable effort to
promote decentralization, network neutrality, and privacy with
[Cloudflare](../README.md) (a top adversary of that cause) as the core focus.
The CFT project provides a variety of free software tools to help protect the
general public from Cloudflare.
An important component of protecting the community from Cloudflare is
documenting websites that subject people to the harms of Cloudflare by
maintaining a [massive list](../cloudflare_users/domains) of websites to avoid.

Unlike other tech giant adversaries to the CFT cause such as [GAFAM](https://en.wikipedia.org/wiki/GAFAM)
(Google, Amazon, Facebook, Apple and Microsoft), Cloudflare operates
surreptitiously and largely unknown to the general public, despite
having access to ~20-30%+ of the world's web traffic and 80%+ of the CDN
market.
Their existence is so much in the shadows that privacy organizations
like "[Electronic Frontier Foundation](https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation)" are largely oblivious to the threat of it.
Mainstream privacy organizations not only *neglect* to protect web users from Cloudflare,
but some of them actually naively *use* Cloudflare themselves and
unwittingly work *against* their own interest and declared purpose.
Some privacy and ethical advice sites like "Switching Software"
actually *recommend* Cloudflare sites to those who entrust them to
give advice pursuant to their own stated purpose.

The problem is so [rampant](../PEOPLE.md) that it became important for the CFT
project's tracking of the Cloudflare problem to start keeping track of
organizations and the pseudo-anonymous aliases of representatives who
were spotted publicly promoting Cloudflare.

## Codeberg-inflicted censorship

After someone
[on Codeberg's staff](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188105)
was added to the Cloudflare supporter list, Codeberg shut down the CFT
project and issued
[this statement](https://codeberg.org/Codeberg/Community/issues/423#issuecomment-187783)
to contributors, and posted
[this blog announcement](https://web.archive.org/web/20210406012737/https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html),
allegedly in response to complaints.

### Analysis of Codeberg's e-mail

> "target lists", with personal data, lists of employment status,
> social media identities,

Calling it a "`target list`" entails a presumption of *how* the list is
used. For example, if a threat actor wants to join the CFT project to
gain access to our internal operations, it is not CFT targeting them
but rather CFT avoiding being targeted by their adversary. CFT has
been attacked several times and sometimes at the hands of insiders who
gained trust by posing as those who support the CFT cause.

Transparency is essential in exposing the corporate bias behind the
information and advice you are getting. For example, a forum for talk
about bicycles might require [Brompton company](https://en.wikipedia.org/wiki/Brompton_Bicycle) representatives to be tagged as
such so that other users are aware of the bias behind their posts.
It would actually be reckless *not* to identify such conflicts of
interest. This is particularly important when dealing with Cloudflare
because they have been *proven* to publish misinformation regularly.
Codeberg's move to *conceal* who represents a company ultimately
*promotes* corruption and deception.

Are forums hosted in Germany really forced to operate
non-transparently and conceal such conflicts of interest from the
public? *Unlikely*.

For Codeberg to allege CFT tracks "`personal data`" with social media
identities is perversely deceptive. CFT did not track personal data
or dox any social media identities. The social media identities were
listed and only *public* data was shared -- data that is already
public on platforms like Twitter. Personally identifiable information
was not collected on social media aliases even if it was public.

> Publication of such data, no matter if true or not, without the
> explicit consent of the person in question is illegal in EU.

When a user posts a tweet, they do so with consent to the publication
of that tweet. If Codeberg's assertion above were true, then Twitter mirror sites
would be banned in Germany for republishing the tweets of Germans.
We know this is not true because Germans have access to the mirror sites.

Codeberg's *false* accusation of *illegal* activity came with *destructive*
removal of forked repositories
[without warning, without redress, and while refusing explanation](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188170)
to the users whose data they destroyed.

In response, Codeberg
[claims](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188178)
they had to act immediately to what they perceived as *illegal*
activity. Even if we were to accept that the already public data
somehow became sensitive merely by replication, the correct
non-reckless action is to quarantine the data in a non-public state
until court proceedings or settlement could commence.
For Codeberg to destroy people's work, and also destroy what they believed was
evidence of illegal activity, was nothing short of reckless.
Codeberg's haphazard response has actually created a legal liability
for themselves, as they *needlessly* destroyed people's work without due
diligence.

A take-down request implemented properly and fairly to all sides is
temporary and non-destructive of the artifacts.

> - This includes using personally identifiable information of other
> people without their consent for feigned commit author names and email
> addresses, potentially incriminating non-participants of acts of
> privacy violation and leaking proprietary information.

This is just a statement of Codeberg's interpretation of law. Note
that Codeberg does not accuse CFT of this, as doing so would be libel
against CFT. So it's unclear what purpose this statement serves other
than to imply an accusation without stating it. Such weasel wording
is designed to *deceive* the public while dodging legal accountability.

> - Considering reports we received, a significant number of claims and
> statements were factually false.

CFT has received only **one** complaint. It involved one social media
alias that was listed and it turned out to be a misunderstanding
surrounding the word "`support`". The listed party claimed to not
personally condone Cloudflare and thus claimed to not be a Cloudflare
"supporter" on that basis.

But investigation of [public statements](https://codeberg.org/swiso/website/issues/141#issuecomment-69593)
by that individual revealed that the other party *actually* supported
Cloudflare *operationally*. Note that Codeberg *destroyed* the
investigation logs which led to the finding, so we can't cite them here.

> The pure existence of lists "Enemies of X" is by all rational means
> unlikely to have any other purpose than public shaming, defamation,
> threatening and libel. These are generally considered illegal in
> German law and elsewhere.

The mere existence of a list of Cloudflare supporters certainly does
*not* imply shaming. The list *can potentially* be used for shaming
or praising, as well as in countless ways orthogonal to both *praise*
and *shame*. Codeberg further produces *no evidence* that the list was
used for *shaming* (which should be quite easy to do if they've had
complaints on the scale that they allege).

It's important to establish *bias* so that readers can assess the
accuracy of statements made by someone who is biased. This is why
aliases of those entrusted with advice on matters of privacy were
collected. It's important to track the underlying bias behind privacy
advocacy sites to address the problem of detrimental advice.

### Analysis of Codeberg's Blog Announcement

Codeberg [said](https://web.archive.org/web/20210406012737/https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html):

> In the last couple of days, we have received multiple inquiries to
> remove **sensitive information** from the crimeflare/cloudflare-tor
> repository and all clones and forks of that repository hosted on
> Codeberg.org.

(emphasis added)

Data published on Twitter and public forums is *not* sensitive. Anyone
who posts in a *public space* and later has regrets has only
themselves to blame.

Once you share your information publicly, you can't control it anymore.

> We have been made aware that this repository contains lists of
> usernames that are either linked with their Codeberg profile or
> their social media accounts and allegedly blamed as Cloudflare
> supporters without evidence

CFT was *never asked* for evidence. Only *one complaint* was received.
It was investigated and evidence was *provided* to the subject.

> We started a discussion with the maintainers of this repository and
> asked to remove this sensitive information, that is apparently for
> shaming people (defamation),

CFT did not "*shame*" or "*defame*" anyone, and no evidence was given to
that effect. Codeberg admitted earlier that their assumption is that
a list of Cloudflare supporters inherently shames people. Yet the
list is objective. It's for the reader to decide if the list is of
shame or of pride. No value judgment was expressed by the CFT
project.

> According to GDPR, we are obliged to remove sensitive user
> information as soon as a concerned person demands us to do so.

The GDPR ([General Data Protection Regulation](https://gdpr-info.eu/)) does *not protect* legal persons (i.e. organizations) and it
[does not protect anonymous information](https://gdpr-info.eu/recitals/no-26).
Specifically:

```
"The principles of data protection should therefore not apply to
anonymous information, namely information which does not relate to an
identified or identifiable natural person or to personal data rendered
anonymous in such a manner that the data subject is not or no longer
identifiable. This Regulation does not therefore concern the
processing of such anonymous information, including for statistical or
research purposes."
```

CFT's [Cloudflare supporter list](../cloudflare_users/cloudflare_supporter.md) did not contain real names; only
pseudo-anonymous aliases.

The listed alias of the subject who complained was not
formed like "firstName_lastName", or in any form that could reasonably
identify an individual natural person.

The sole complaint CFT received led to an investigation that found
the data **accurate**. Even though the GDPR right to be forgotten does
not have force in that case, it was removed anyway and therefore CFT
was (and remains) in compliance with the GDPR right to be forgotten.

Yet Codeberg still removed the project *despite* immediate compliance.

> as well as Cloudflare employee data, that are considered as private
> information

Cloudflare itself is
[listing](https://web.archive.org/web/20210406200322/https://www.cloudflare.com/people)
their employees, so it's already public information.

> People reaching out to us and to the maintainers of the repository
> itself tried to make clear that they do not consider themselves as
> Cloudflare-supporters, but critical opponents of this company, and
> thus could not even imagine a reason for being listed there.

CFT only received *one* complaint regarding *one* individual. CFT has
*continuously* been in GDPR compliance at *all times*. Codeberg destroyed
the repository anyway.

"`Support`" comes in many forms. You can support Cloudflare by
praising it, or you can support Cloudflare through actions (which may
even be unwitting to the supporter). In the one case that CFT
investigated, the subject's understanding narrowly assumed "support"
was limited to philosophical praise.

> We can not accept anyone attacking and threatening us and our users
> (or anyone for that matter), or inciting others to do so.

This is weasel wording, as directly accusing CFT of attacking or
threatening Cloudflare supporters would constitute libel on the part
of Codeberg. So they try to *imply* it. These claims can only be
ignored in the absence of evidence.

---

by [humanacollaborator](https://git.sdf.org/humanacollaborator). [License](../LICENSE.md)