2021-04-06 22:17:56 -04:00
|
|
|
# Codeberg's Attack on Transparency and on Cloudflare Opposition
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
Codeberg hosted the Cloudflare-Tor project. In 2021, Codeberg took
|
|
|
|
down the project alleging libel.
|
|
|
|
|
2021-04-13 12:01:07 -04:00
|
|
|
## what the deCloudflare project is
|
2021-04-06 21:05:28 -04:00
|
|
|
|
2021-04-18 20:59:04 -04:00
|
|
|
The [Cloudflare-TOR project](http://crimeflare.eu.org) is a non-profit
|
|
|
|
charitable effort to promote decentralization, network neutrality, and
|
|
|
|
privacy with Cloudflare (a top adversary of that cause) as the core
|
|
|
|
focus. The CFT project provides a variety of free software tools to
|
|
|
|
help protect the general public from Cloudflare. An important
|
|
|
|
component of protecting the community from Cloudflare is documenting
|
|
|
|
websites that subject people to the harms of Cloudflare by maintaining
|
|
|
|
a massive list of websites to avoid.
|
2021-04-15 18:57:43 -04:00
|
|
|
|
|
|
|
Unlike other tech giant adversaries to the CFT cause such as GAFAM
|
2021-04-06 21:05:28 -04:00
|
|
|
(Google Amazon Facebook Apple Microsoft), Cloudflare operates
|
|
|
|
surreptitiously and largely unknown to the general public, despite
|
2021-04-06 21:59:16 -04:00
|
|
|
having access to ~20-30%+ of the world's web traffic and 80%+ of CDN
|
|
|
|
market. Their existence is so much in the shadows that privacy orgs
|
|
|
|
like EFF are largely oblivious to the threat of it. Mainstream
|
|
|
|
privacy orgs not only neglect to protect web users from Cloudflare,
|
|
|
|
but some of them actually naively use Cloudflare themselves and
|
|
|
|
unwittingly work against their own interest and declared purpose.
|
|
|
|
Some privacy and ethics advice sites like
|
2021-04-06 21:05:28 -04:00
|
|
|
[Switching Software](https://switching.software) actually recommend
|
|
|
|
Cloudflare sites to those who entrust them to give advice pursuant to
|
|
|
|
their own stated purpose.
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
The problem is so rampant that it became important for the CFT
|
2021-04-06 21:05:28 -04:00
|
|
|
project's tracking of the Cloudflare problem to start keeping track of
|
|
|
|
organizations and the pseudo-anonymous aliases of representatives who
|
|
|
|
were spotted publicly promoting Cloudflare.
|
|
|
|
|
|
|
|
## Codeberg-inflicted censorship
|
|
|
|
|
2021-04-07 11:14:20 -04:00
|
|
|
After someone
|
|
|
|
[on Codeberg's staff](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188105)
|
2021-04-15 18:57:43 -04:00
|
|
|
was added to the Cloudflare supporter list, Codeberg shut down the CFT
|
2021-04-07 11:14:20 -04:00
|
|
|
project and issued
|
2021-04-06 21:05:28 -04:00
|
|
|
[this statement](https://codeberg.org/Codeberg/Community/issues/423#issuecomment-187783)
|
|
|
|
to contributors, and posted
|
2021-04-06 22:17:56 -04:00
|
|
|
[this blog announcement](https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html),
|
|
|
|
allegedly in response to complaints.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
### Analysis of Codeberg's e-mail
|
|
|
|
|
|
|
|
> "target lists", with personal data, lists of employment status,
|
|
|
|
> social media identities,
|
|
|
|
|
|
|
|
Calling it a "target list" entails a presumption of how the list is
|
2021-04-15 18:57:43 -04:00
|
|
|
used. For example, if a threat actor wants to join the CFT project to
|
|
|
|
gain access to our internal operations, it is not CFT targeting them
|
|
|
|
but rather CFT avoiding being targeted by their adversary. CFT has
|
2021-04-06 21:43:43 -04:00
|
|
|
been attacked several times and sometimes at the hands of insiders who
|
2021-04-15 18:57:43 -04:00
|
|
|
gained trust by posing as those who support the CFT cause.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
Transparency is essential in exposing the corporate bias behind the
|
|
|
|
information and advice you are getting. For example, a forum for talk
|
|
|
|
about bicycles might require Brompton representatives to be tagged as
|
|
|
|
such so that other users are aware of the bias behind their posts. It
|
|
|
|
would actually be reckless *not* to identify such conflicts of
|
|
|
|
interest. This is particularly important when dealing with Cloudflare
|
|
|
|
because they have proven to publish misinformation regularly.
|
|
|
|
Codeberg's move to conceal who represents a company ultimately
|
|
|
|
promotes corruption and deception.
|
|
|
|
|
2021-04-06 21:43:43 -04:00
|
|
|
Are forums hosted in Germany really forced to operate
|
|
|
|
non-transparently and conceal such conflicts of interest from the
|
|
|
|
public? Unlikely.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
For Codeberg to allege CFT tracks "personal data" with social media
|
|
|
|
identities is perversely deceptive. CFT did not track personal data
|
2021-04-06 21:05:28 -04:00
|
|
|
or dox any social media identities. The social media identities were
|
|
|
|
listed and only *public* data was shared -- data that is already
|
|
|
|
public on platforms like Twitter. Personally identifiable information
|
|
|
|
was not collected on social media aliases even if it was public.
|
|
|
|
|
|
|
|
> Publication of such data, no matter if true or not, without the
|
|
|
|
> explicit consent of the person in question is illegal in EU.
|
|
|
|
|
|
|
|
When a user posts a tweet, they do so with consent to the publication
|
|
|
|
of that tweet. If Codeberg's assertion above were true, then Nitter
|
|
|
|
would be banned in Germany for republishing the tweets of Germans. We
|
|
|
|
know this is not true because Germans have access to the Nitter
|
|
|
|
network.
|
|
|
|
|
|
|
|
Codeberg's false accusation of illegal activity came with destructive
|
|
|
|
removal of forked repositories
|
|
|
|
[without warning, without redress, and while refusing explanation](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188170)
|
|
|
|
to the users whose data they destroyed.
|
|
|
|
|
|
|
|
In response, Codeberg
|
|
|
|
[claims](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188178)
|
|
|
|
they had to act immediately to what they perceived as illegal
|
|
|
|
activity. Even if we were to accept that the already public data
|
|
|
|
somehow became sensitive merely by replication, the correct
|
|
|
|
non-reckless action is to quarantine the data in a non-public state
|
|
|
|
until court proceedings or settlement could commence. For Codeberg to
|
|
|
|
destroy people's work, and also destroy what they believed was
|
|
|
|
evidence of illegal activity was nothing short of reckless.
|
2021-04-06 21:47:19 -04:00
|
|
|
Codeberg's haphazard response has actually created a legal liability
|
|
|
|
for themselves, as they needlessly destroyed people's work without due
|
|
|
|
diligence.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
A take-down request implemented properly and fairly to all sides is
|
|
|
|
temporary and non-destructive of the artifacts.
|
|
|
|
|
|
|
|
> - This includes using personally identifiable information of other
|
|
|
|
> people without their consent for feigned commit author names and email
|
|
|
|
> addresses, potentially incriminating non-participants of acts of
|
|
|
|
> privacy violation and leaking proprietary information.
|
|
|
|
|
|
|
|
This is just a statement of Codeberg's interpretation of law. Note
|
2021-04-15 18:57:43 -04:00
|
|
|
that Codeberg does not accuse CFT of this, as doing so would be libel
|
|
|
|
against CFT. So it's unclear what purpose this statement serves other
|
2021-04-06 21:05:28 -04:00
|
|
|
than to imply an accusation without stating it. Such weasel wording
|
|
|
|
is designed to deceive the public while dodging legal accountability.
|
|
|
|
|
|
|
|
> - Considering reports we received, a significant number of claims and
|
|
|
|
> statements were factually false.
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
CFT has received only one complaint. It involved one social media
|
2021-04-06 21:05:28 -04:00
|
|
|
alias that was listed and it turned out to be a misunderstanding
|
|
|
|
surrounding the word "*support*". The listed party claimed to not
|
|
|
|
personally condone Cloudflare and thus claimed to not be a Cloudflare
|
|
|
|
"supporter" on that basis. But investigation of
|
|
|
|
[public statements](https://codeberg.org/swiso/website/issues/141#issuecomment-69593)
|
|
|
|
by that individual revealed that the other party actually supported
|
2021-04-06 22:17:56 -04:00
|
|
|
Cloudflare operationally. Note that Codeberg destroyed the
|
|
|
|
investigation logs which led to the finding, so we can't cite them
|
|
|
|
here.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
> The pure existence of lis ts "Enemies of X" is by all rational means
|
|
|
|
> unlikely to have any other purpose than public shaming, defamation,
|
|
|
|
> threatening and libel. These are generally considered illegal in
|
|
|
|
> German law and elsewhere.
|
|
|
|
|
|
|
|
The mere existence of a list of Cloudflare supporters certainly does
|
|
|
|
*not* imply shaming. The list *can potentially* be used for shaming
|
|
|
|
or praising, as well as in countless ways orthogonal to both praise
|
|
|
|
and shame. Codeberg further produces no evidence that the list was
|
|
|
|
used for shaming (which should be quite easy to do if they've had
|
|
|
|
complaints on the scale that they allege).
|
|
|
|
|
|
|
|
It's important to establish bias so that readers can assess the
|
|
|
|
accuracy of statements made by someone who is biased. This is why
|
|
|
|
aliases of those entrusted with advice on matters of privacy were
|
|
|
|
collected. It's important to track the underlying bias behind privacy
|
|
|
|
advocacy sites to address the problem of detrimental advice.
|
|
|
|
|
|
|
|
### Analysis of Codeberg's Blog Announcement
|
|
|
|
|
|
|
|
Codeberg [said](https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html):
|
|
|
|
|
|
|
|
> In the last couple of days, we have received multiple inquiries to
|
|
|
|
> remove **sensitive information** from the crimeflare/cloudflare-tor
|
|
|
|
> repository and all clones and forks of that repository hosted on
|
|
|
|
> Codeberg.org.
|
|
|
|
|
|
|
|
(emphasis added)
|
|
|
|
|
|
|
|
Data published by Twitter and public forums is not sensitive. Anyone
|
|
|
|
who posts in a public space and later has regrets, they have only
|
|
|
|
themselves to blame.
|
|
|
|
|
|
|
|
Privacy is like virginity: once you lose it, you can't have it back.
|
|
|
|
|
|
|
|
> We have been made aware that this repository contains lists of
|
|
|
|
> usernames that are either linked with their Codeberg profile or
|
|
|
|
> their social media accounts and allegedly blamed as Cloudflare
|
|
|
|
> supporters without an evidence
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
CFT was never asked for evidence. Only one complaint was received.
|
2021-04-07 11:14:20 -04:00
|
|
|
It was investigated and evidence was provided to the subject.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
> We started a discussion with the maintainers of this repository and
|
|
|
|
> asked to remove these sensitive information, that are apparently for
|
|
|
|
> shaming people (defamation),
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
CFT did not "shame" or "defame" anyone, and no evidence was given to
|
2021-04-06 21:05:28 -04:00
|
|
|
that effect. Codeberg admitted earlier that their assumption is that
|
|
|
|
a list of Cloudflare supporters inherently shames people. Yet the
|
|
|
|
list is objective. It's for the reader to decide if the list is of
|
2021-04-15 18:57:43 -04:00
|
|
|
shame or of pride. No value judgment was expressed by the CFT
|
2021-04-06 21:05:28 -04:00
|
|
|
project.
|
|
|
|
|
|
|
|
> According to GDPR, we are obligued to remove sensitive user
|
|
|
|
> information as soon as a concerned person demands us to do so.
|
|
|
|
|
2021-04-07 09:39:28 -04:00
|
|
|
The GDPR does not protect legal persons (i.e. organizations) and it
|
2021-04-08 11:37:42 -04:00
|
|
|
[does not protect anonymous information](https://gdpr-info.eu/recitals/no-26).
|
|
|
|
Specifically:
|
2021-04-07 09:39:28 -04:00
|
|
|
|
|
|
|
```
|
|
|
|
"The principles of data protection should therefore not apply to
|
|
|
|
anonymous information, namely information which does not relate to an
|
|
|
|
identified or identifiable natural person or to personal data rendered
|
|
|
|
anonymous in such a manner that the data subject is not or no longer
|
|
|
|
identifiable. This Regulation does not therefore concern the
|
|
|
|
processing of such anonymous information, including for statistical or
|
|
|
|
research purposes."
|
|
|
|
```
|
2021-04-15 18:57:43 -04:00
|
|
|
CFT's Cloudflare supporter list did not contain real names; only
|
2021-04-07 09:39:28 -04:00
|
|
|
pseudoanonymous aliases.
|
|
|
|
|
|
|
|
The listed alias of the subject who complained did not use an alias
|
|
|
|
formed like "firstname_lastname", or any form that could reasonably
|
|
|
|
identify a natural individual person.
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
The sole complaint CFT received lead to an investigation that found
|
2021-04-07 09:39:28 -04:00
|
|
|
the data accurate. Even though the GDPR right to be forgotten does
|
2021-04-15 18:57:43 -04:00
|
|
|
not have force in that case, it was removed anyway and therefore CFT
|
2021-04-06 21:05:28 -04:00
|
|
|
was (and remains) in compliance with the GDPR right to be forgotten.
|
2021-04-07 09:39:28 -04:00
|
|
|
|
2021-04-06 21:05:28 -04:00
|
|
|
Yet Codeberg still removed the project despite immediate compliance.
|
|
|
|
|
2021-04-06 21:59:16 -04:00
|
|
|
> as well as Cloudflare employee data, that are considered as private
|
|
|
|
> information
|
|
|
|
|
|
|
|
CloudFlare itself is
|
|
|
|
[listing](https://web.archive.org/web/20210406200322/https://www.cloudflare.com/people)
|
2021-04-06 22:17:56 -04:00
|
|
|
their employees, so it's already public information.
|
2021-04-06 21:59:16 -04:00
|
|
|
|
2021-04-06 21:05:28 -04:00
|
|
|
> People reaching out to us and to the maintainers of the repository
|
|
|
|
> itself tried to make clear that they do not consider themselves as
|
|
|
|
> Cloudflare-supporters, but critical opponents of this company, and
|
|
|
|
> thus could not even imagine a reason for being listed there.
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
CFT only received one complaint regarding one individual. CFT has
|
2021-04-07 11:14:20 -04:00
|
|
|
continously been in GDPR compliance at all times. Codeberg destroyed
|
|
|
|
the repository anyway.
|
2021-04-07 09:39:28 -04:00
|
|
|
|
|
|
|
"*Support*" comes in many forms. You can support Cloudflare by
|
|
|
|
praising it, or you can support Cloudflare through actions (which may
|
2021-04-15 18:57:43 -04:00
|
|
|
even be unwitting to the supporter). In the one case that CFT
|
2021-04-07 09:39:28 -04:00
|
|
|
investigated, the subject's understanding narrowly assumed "support"
|
|
|
|
was limited to philosophical praise.
|
2021-04-06 21:05:28 -04:00
|
|
|
|
|
|
|
> We can not accept anyone attacking and threatening us and our users
|
|
|
|
> (or anyone for that matter), or inciting others to do so.
|
|
|
|
|
2021-04-15 18:57:43 -04:00
|
|
|
This is weasel wording, as directly accusing CFT of attacking or
|
2021-04-06 21:05:28 -04:00
|
|
|
threatening Cloudflare supporters would constitute libel on the part
|
|
|
|
of Codeberg. So they try to imply it. These claims can only be
|
|
|
|
ignored in the absence of evidence.
|
2021-04-06 21:59:16 -04:00
|
|
|
|