Cloudflare Warns EU About Extensive Piracy Overblocking, Calls for Safeguards

Two years ago, the European Commission published a non-binding recommendation to tackle the problem of live-streaming piracy, sports in particular.

For instance, the EU encouraged member states to introduce measures to facilitate prompt takedowns of live streams, while service providers and rightsholders were encouraged to tackle challenges through collaboration.

To the disappointment of many rightsholders, the recommendation required no mandatory action by EU member states. So, when the Commission recently launched an evaluation asking stakeholders to share their views on the recommendation, many asked for more robust legislation.

Advanced piracy blocking systems are high on the agenda. Semi-automated mechanisms capable of blocking sources quickly are preferred. These should be implemented by ISPs, but rightsholders see a role for DNS services and VPNs too.

Variations on this type of mechanism are currently active in Italy, Spain and France. Rightsholders, including the MPA and DAZN, mentioned this in their responses to the Commission, calling for expansion in the EU. However, not everyone agrees that broader and more automated blocking efforts are the right path forward.

Cloudflare Issues Stark ‘Blocking’ Warning

American tech giant Cloudflare, which provides CDN, proxy and DNS services, is fiercely against automated blockades. The company has been at the center of various blocking actions in recent months, as its infrastructure was targeted in Italy, Spain, and France.

In some instances, this has led to overblocking where legitimate Cloudflare customers (and their users) were hit as collateral damage.

“Over the past two years, we have witnessed disproportionate and damaging efforts by rightsholders to use blocking measures to tackle piracy online, particularly in relation to unauthorized live streaming of sports,” Cloudflare writes.

Cloudflare notes that pressure from rightsholders has led some European national governments to implement “problematic and imprecise” blocking mechanisms. It says that these blocking tools “often lack due process” and result in “significant collateral damage” for legitimate internet users and businesses across the EU.

As an intermediary, Cloudflare’s infrastructure and IP-addresses are used by pirate sites and services. However, since these are shared with innocent sites, blocking renders those inaccessible too.

“Blocking one IP address, thus can render thousands, tens of thousands, or even hundreds of thousands of domains unreachable,” Cloudflare warns.

Italy, Spain, and France

Cloudflare specifically highlights Italy, Spain, and France as countries where problems have emerged. The Italian “Piracy Shield” law has resulted in “overblocking on a massive scale,” the company says, adding that it violates the Charter of Fundamental Rights and EU law.

In Spain, blocking orders also caused substantial collateral damage. Cloudflare explains that, due to a broad court order that included Cloudflare IP-addresses, millions of Spanish users were blocked from accessing thousands of non-targeted websites.

“This blunt approach not only demonstrates a fundamental misunderstanding of how the Internet works, it also raises significant questions about compliance with the European Union’s Open Internet Regulation,” Cloudflare writes.

In France, meanwhile, courts have ordered VPN providers and DNS resolvers to block pirate sites. At the same time, there are plans to update the law to enable blockades of pirated live sports broadcasts in real-time, which also raises overblocking concerns.

No VPN and DNS Blocking

Cloudflare urges the EU to tread with caution going forward. Instead of updating the law to enable broader blocking powers, it calls for limiting the blocking efforts.

For example, it argues that blocking orders should never extend to core, global Internet technologies such as global DNS resolvers and VPNs. These services operate globally and can’t easily restrict blocking measures geographically, the company notes.

“Blocking applied to an ISP-owned DNS resolver will have a geographically restricted effect, since an ISP typically only serves users in one country. In contrast, public DNS resolvers or VPN providers operate globally.”

Aside from the technical challenges, Cloudflare notes that VPNs and proxies are widely used to protect free expression. Interfering with these services through onerous regulation could amount to a violation of privacy and freedom of expression.

Transparency, Safeguards and Compensation

Cloudflare recognizes that piracy is a real problem that needs to be addressed. However, it believes that more extensive blocking is not necessarily the answer. Instead, it calls for more transparency, proper safeguards, and cooperation between all stakeholders.

Cloudflare’s suggestions include the following (abbreviated and summarized).

– Last Resort Only: Blocking should only be used as a final option to reduce local access to pirated content.

– Protect Core Internet Technologies: Blocking orders must not apply to essential global internet technologies like global DNS resolvers and VPNs.

– Prioritize Notice-and-Takedown: Rightsholders must first attempt notice-and-takedown procedures with hosting providers before requesting blocking.

– Independent Verification: All blocking requests need formal justification and independent verification by a designated governmental or independent regulatory body.

– Transparency: Transparency reports should detail the blocked domains, implementation times, and the identities of requesting parties.

– Rapid Rectification: Publicly available rapid response systems should be in place to quickly correct any incorrect or overly broad blocking measures.

– Independent Dispute Resolution: An independent body should hear appeals from any affected parties, ensuring legal review and procedural fairness.

– Liability for Overblocking: Rightsholders should be held liable for any economic or reputational harm caused to non-targeted third parties due to overblocking.

EU Urged to Resist One-Sided Blocking Calls

More drastic blocking demands are not the way to tackle piracy, according to Cloudflare. Instead of drafting new legislation, the EU is encouraged to facilitate healthy cooperation where all stakeholders are heard.

“The European Commission should resist excessive requests to expand network level blocking as a means to tackle piracy,” Cloudflare writes.

“Effectively dealing with piracy of live events will depend on multiple solutions being deployed simultaneously, combining sharing of data, law enforcement measures, industry cooperation, and measures for distribution of legal content that better satisfy the demand.”

This can all be done without new legislation, Cloudflare says. While that may be true in theory, previous calls for increased collaboration haven’t led to concrete progress. And with tensions rising to the point where disagreements are fought out in public, cooperation between some parties might be a challenge.

—

A copy of Cloudflare’s submission in response to the European Commission’s assessment of the May 2023 Commission Recommendation to combating online piracy of sports and other live events is available here (pdf)