
Codeberg's Attack on Transparency and on Cloudflare Opposition

Codeberg hosted the Cloudflare-Tor project. In 2021, Codeberg took down the project alleging libel.

What the deCloudflare project is

The Cloudflare-TOR project is a non-profit charitable effort to promote decentralization, network neutrality, and privacy with Cloudflare (a top adversary of that cause) as the core focus. The CFT project provides a variety of free software tools to help protect the general public from Cloudflare. An important component of protecting the community from Cloudflare is documenting websites that subject people to the harms of Cloudflare by maintaining a massive list of websites to avoid.

Unlike other tech giant adversaries to the CFT cause such as GAFAM (Google Amazon Facebook Apple Microsoft), Cloudflare operates surreptitiously and largely unknown to the general public, despite having access to ~20-30%+ of the world's web traffic and 80%+ of CDN market. Their existence is so much in the shadows that privacy orgs like EFF are largely oblivious to the threat of it. Mainstream privacy orgs not only neglect to protect web users from Cloudflare, but some of them actually naively use Cloudflare themselves and unwittingly work against their own interest and declared purpose. Some privacy and ethics advice sites like Switching Software actually recommend Cloudflare sites to those who entrust them to give advice pursuant to their own stated purpose.

The problem is so rampant that it became important for the CFT project's tracking of the Cloudflare problem to start keeping track of organizations and the pseudonymous aliases of representatives who were spotted publicly promoting Cloudflare.

Codeberg-inflicted censorship

After someone on Codeberg's staff was added to the Cloudflare supporter list, Codeberg shut down the CFT project and issued this statement to contributors, and posted this blog announcement, allegedly in response to complaints.

Analysis of Codeberg's e-mail

"target lists", with personal data, lists of employment status, social media identities,

Calling it a "target list" entails a presumption of how the list is used. For example, if a threat actor wants to join the CFT project to gain access to our internal operations, it is not CFT targeting them but rather CFT avoiding being targeted by their adversary. CFT has been attacked several times and sometimes at the hands of insiders who gained trust by posing as those who support the CFT cause.

Transparency is essential in exposing the corporate bias behind the information and advice you are getting. For example, a forum for talk about bicycles might require Brompton representatives to be tagged as such so that other users are aware of the bias behind their posts. It would actually be reckless not to identify such conflicts of interest. This is particularly important when dealing with Cloudflare because they have proven to publish misinformation regularly. Codeberg's move to conceal who represents a company ultimately promotes corruption and deception.

Are forums hosted in Germany really forced to operate non-transparently and conceal such conflicts of interest from the public? Unlikely.

For Codeberg to allege CFT tracks "personal data" with social media identities is perversely deceptive. CFT did not track personal data or dox any social media identities. The social media identities were listed and only public data was shared -- data that is already public on platforms like Twitter. Personally identifiable information was not collected on social media aliases even if it was public.

Publication of such data, no matter if true or not, without the explicit consent of the person in question is illegal in EU.

When a user posts a tweet, they do so with consent to the publication of that tweet. If Codeberg's assertion above were true, then Nitter would be banned in Germany for republishing the tweets of Germans. We know this is not true because Germans have access to the Nitter network.

Codeberg's false accusation of illegal activity came with destructive removal of forked repositories without warning, without redress, and while refusing explanation to the users whose data they destroyed.

In response, Codeberg claims they had to act immediately on what they perceived as illegal activity. Even if we were to accept that the already public data somehow became sensitive merely by replication, the correct non-reckless action is to quarantine the data in a non-public state until court proceedings or settlement could commence. For Codeberg to destroy people's work, and also destroy what they believed was evidence of illegal activity, was nothing short of reckless. Codeberg's haphazard response has actually created a legal liability for themselves, as they needlessly destroyed people's work without due diligence.

A take-down request implemented properly and fairly to all sides is temporary and non-destructive of the artifacts.

  • This includes using personally identifiable information of other people without their consent for feigned commit author names and email addresses, potentially incriminating non-participants of acts of privacy violation and leaking proprietary information.

This is just a statement of Codeberg's interpretation of law. Note that Codeberg does not accuse CFT of this, as doing so would be libel against CFT. So it's unclear what purpose this statement serves other than to imply an accusation without stating it. Such weasel wording is designed to deceive the public while dodging legal accountability.

  • Considering reports we received, a significant number of claims and statements were factually false.

CFT has received only one complaint. It involved one social media alias that was listed and it turned out to be a misunderstanding surrounding the word "support". The listed party claimed to not personally condone Cloudflare and thus claimed to not be a Cloudflare "supporter" on that basis. But investigation of public statements by that individual revealed that the other party actually supported Cloudflare operationally. Note that Codeberg destroyed the investigation logs which led to the finding, so we can't cite them here.

The pure existence of lists "Enemies of X" is by all rational means unlikely to have any other purpose than public shaming, defamation, threatening and libel. These are generally considered illegal in German law and elsewhere.

The mere existence of a list of Cloudflare supporters certainly does not imply shaming. The list can potentially be used for shaming or praising, as well as in countless ways orthogonal to both praise and shame. Codeberg further produces no evidence that the list was used for shaming (which should be quite easy to do if they've had complaints on the scale that they allege).

It's important to establish bias so that readers can assess the accuracy of statements made by someone who is biased. This is why aliases of those entrusted with advice on matters of privacy were collected. It's important to track the underlying bias behind privacy advocacy sites to address the problem of detrimental advice.

Analysis of Codeberg's Blog Announcement

Codeberg said:

In the last couple of days, we have received multiple inquiries to remove sensitive information from the crimeflare/cloudflare-tor repository and all clones and forks of that repository hosted on

(emphasis added)

Data published by Twitter and public forums is not sensitive. Anyone who posts in a public space and later regrets it has only themselves to blame.

Privacy is like virginity: once you lose it, you can't have it back.

We have been made aware that this repository contains lists of usernames that are either linked with their Codeberg profile or their social media accounts and allegedly blamed as Cloudflare supporters without evidence

CFT was never asked for evidence. Only one complaint was received. It was investigated and evidence was provided to the subject.

We started a discussion with the maintainers of this repository and asked to remove this sensitive information, which is apparently for shaming people (defamation),

CFT did not "shame" or "defame" anyone, and no evidence was given to that effect. Codeberg admitted earlier that their assumption is that a list of Cloudflare supporters inherently shames people. Yet the list is objective. It's for the reader to decide if the list is of shame or of pride. No value judgment was expressed by the CFT project.

According to GDPR, we are obliged to remove sensitive user information as soon as a concerned person demands us to do so.

The GDPR does not protect legal persons (i.e. organizations) and it does not protect anonymous information. Specifically:

"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

CFT's Cloudflare supporter list did not contain real names, only pseudonymous aliases.

The listed alias of the subject who complained did not use an alias formed like "firstname_lastname", or any form that could reasonably identify a natural individual person.

The sole complaint CFT received led to an investigation that found the data accurate. Even though the GDPR right to be forgotten does not have force in that case, the entry was removed anyway, and therefore CFT was (and remains) in compliance with the GDPR right to be forgotten.

Yet Codeberg still removed the project despite immediate compliance.

as well as Cloudflare employee data, that are considered as private information

Cloudflare itself lists its employees, so that is already public information.

People reaching out to us and to the maintainers of the repository itself tried to make clear that they do not consider themselves as Cloudflare-supporters, but critical opponents of this company, and thus could not even imagine a reason for being listed there.

CFT only received one complaint, regarding one individual. CFT has continuously been in GDPR compliance at all times. Codeberg destroyed the repository anyway.

"Support" comes in many forms. You can support Cloudflare by praising it, or you can support Cloudflare through actions (which may even be unwitting to the supporter). In the one case that CFT investigated, the subject's understanding narrowly assumed "support" was limited to philosophical praise.

We can not accept anyone attacking and threatening us and our users (or anyone for that matter), or inciting others to do so.

This is weasel wording, as directly accusing CFT of attacking or threatening Cloudflare supporters would constitute libel on the part of Codeberg. So they try to imply it. These claims can only be ignored in the absence of evidence.