
While Cloudflare has been publishing transparency reports for a long time, this year we chose to revamp the report in light of new reporting obligations under the DSA, and our goal of making our reports both comprehensive and easy to understand. Before you dive into the reports, learn more about Cloudflare’s longstanding commitment to transparency reporting and the key updates we made in this year’s reports.

1H and 2H 2024 reports are now live.


Please drop me an email with what you’re seeing - justin (at) cloudflare.com ?

That doesn’t sound like old info - that sounds like someone might still be reporting it for abuse even after the domain changed owners.


I look forward to the phishing. Hopefully you can block known bad hashes.


1) Thanks for the heads up
2) Is this the beta channel? Or official builds?
3) You've already notified 1Password of this possible bug/risk?


This is the official channel. I just posted it here ASAP so others may decide to hold off a little.


Hey there! Blake from 1Password here; hope you don't mind if I chime in.

The reason you didn't see the offline items section before today is because this was just added in the latest version of 1Password for Mac (8.10.8), which coincidentally also released today: https://releases.1password.com/mac/8.10/#1password-for-mac-8...

It's common to see items temporarily go into that offline items list (sometimes only for a second) prior to it being synced to your 1Password Account, but as soon as that sync is complete, it should disappear from that list.

Are you only noticing older items in that offline items list, or are newly created items also showing up there? Likewise, if you search for the items you're seeing in that offline list in your 1Password Account, do you happen to see an entry that matches and contains the same information?


Hi Blake,

Thanks. The items that appeared here were created in 2022 (when I set up these work accounts in my "Work" vault).

When I have 'Offline Items' selected, pressing the Cloud button with a slash results in a brief animation, like it's syncing, and then the original error shows. The items stay as-is; there is no change.

Good news is, I have gone through them manually and don't think I have lost any data (they seem identical, but duplicated, in the Work vault).


Self hosting option? Looks great, but I’d rather avoid a SaaS service if possible.


OP here: I'm considering it. Can you email me please? (email in profile)

Would love to figure out a way I can work out a self hosted version for those who want it, given there is enough interest in it. This goes to anyone else who's interested in self hosting, please email me! Thanks!


Could just throw it in Docker and let folk try their best. For some projects that's their only supported self-hosting option.


CNAME flattening works just fine and is supported by a variety of DNS providers at this point, but yes — there’s an RFC otherwise.


Hello,

I’m the Head of Trust & Safety at Cloudflare. I wanted to clarify our processes, which were described inaccurately in this Hacker News post.

As part of our standard fraud review process, domains determined to be malicious registrations/transfers may be deleted. In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate. Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity. Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.


The process wasn't described inaccurately in the OP post. What you said here doesn't contradict anything in the OP post and in fact confirms that it happened.

>domains determined to be malicious registrations/transfers may be deleted

The person in the story's domain was determined to be malicious (however, in reality it wasn't) and thus deleted for fraud, like you said.

>Cloudflare allows transfers of domains out of Cloudflare’s registrar immediately, unless there are indications of potentially malicious or fraudulent activity.

This is what the OP post described as having happened in the story. The person's domain was determined fraudulent and was thus disallowed from transferring out, like you said.

>Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

The fact is, a serious mistake was made by Cloudflare and evidently the guy had no way to appeal the decision outside of Hacker News. It is clear that this industry practice needs reform. Perhaps instead of trying to dismiss/downplay this, your time would be better spent improving the process or maybe implementing some form of due process/trial for these extremely important accounts. An accidental domain deletion seems to be no big deal to you. But in reality it's a nightmare that can cause serious harm to a person's life and livelihood.

Try to imagine yourself how it would feel if one day all your important accounts stopped working. All your domains have been hijacked! Why? Because your registrar set it to DELETED on short notice due to random false-positive fraud and a sniper re-registers it elsewhere! There is nothing you can do about it; your registrar stonewalls you. You're completely screwed and there's nothing you can do about it. Your valuable domain is gone. All your important accounts tied to email on that domain get broken into. Your companies and brand are destroyed. No one ever suspects their properly secured domain name will randomly be DELETED in less than the time it was registered for. This is a really traumatic event for people and not something that should be minimized.


The main differences between the post here and your description that I see are a) the post didn't explicitly clarify that this only applies when domains are determined to be malicious, b) the post is less optimistic about your appeals process, and generalizes the recently documented example where the appeals process failed.

However, regarding the core issue (a false positive on the fraud detection can get my domain both deleted and blocked from transfers) the post and your reply seem to be in agreement. (And the "typically take steps..." makes me wonder whether there are cases where you don't even notify the account holder, aside from court orders.)

I get that dealing with fraud at scale is hard, but this (especially the lack of a "why this won't happen again") does not exactly reassure me.


Can you do a post-mortem on what happened there?


> Cloudflare follows the standard industry practice followed by virtually all domain registrars of blocking the transfer out of domains deleted for what appears to be potentially malicious purposes.

The problem here is the entire process is opaque. Obviously your process can have false positives, so why should anyone trust the "standard industry practice" is being followed for domain deletion? Plus, IMHO "standard industry practice" is a term that gets dragged out to describe subjective policies and measures that can't be quantified or explained easily.

> In those cases, we typically take steps to notify the account holder so that they can contest the determination if appropriate.

The thing that's problematic here is "typically". Maybe that's just wording to indicate that it's not always possible, but you always make an attempt (?). If so, say that. For me, the frustrating part is that I don't know the rules, so I can't adequately evaluate the risk of being banned. I can't have a contingency plan either because there are no guarantees. If the OP's story is even close to accurate, I think it's safe to say anything can get you banned due to a false positive and that scares me.

Even if you feel like you can't make the detection systems transparent, which I can understand, it would make a big difference if people could understand what the process is after an account is flagged. Why should I invest in development that targets Cloudflare's platform if I can be banned on a whim without any communication? Why doesn't my side of the deal get any guarantees?

I don't agree with instant blocking of any accounts, even the free ones, but I can understand the free accounts likely create challenges I can't even begin to hypothesize about.

That said, I don't think you're seeing the other side when it comes to instant blocking of services. I've dealt in the small business space a lot and the difficulty there is that a tiny, low priority issue for you, like blocking a small account, can be hugely detrimental to a small business. I've dealt with some small family run businesses where they own short domains that would be instantly squatted on upon deletion and the cost of recovering them would be significant in relation to their annual income.

Personally, I'd like to have some clear rules and guarantees surrounding account termination. Let me set one or more emergency contacts for my account and give me a clear timeline for attempts to reach out to those contacts before taking action on my account. And I'm not talking about some legalese buried on page 20 of the ToS. Put it in the control panel next to my contacts. If you can't give me any guarantees on a free account, that's fine, just say so up front and tell me what I need to do or pay to get to the point where my service won't be terminated by a robot.

I was really, really disappointed to see the OP's situation because I totally bought the mantra of Cloudflare wanting to make the internet a better place and I don't think you're doing that by being another "also ran" in the context of treating your users like they're disposable. Maybe I was just being naïve and overly optimistic because big tech treats everyone so badly that I wanted to believe there was truly someone out there trying to be on the side of the average user / developer.

The most disappointing part is that I think Cloudflare's strategy of targeting underserved markets has the potential to pay off more than people realize. I tried out Pages/Functions with a SvelteKit project (+ adapter) a while ago and it's the first time in years that I've actually been excited about something technology related because I can see the potential it has to give small developers a platform to capture the low end of underserved markets without having to worry about massive cost overruns or the complexity of managing infrastructure where time spent comes at the cost of forgoing something else.

I have a project I'd like to start building this year and I've been contemplating trying to do everything on Cloudflare. Now I'm thinking I should re-evaluate that idea and build it on DigitalOcean or AWS and use Cloudflare as an intelligent cache that's disposable if needed.

Why should I trust Cloudflare any more than I trust the other big tech companies where everyone is at risk of being banned by a robot in an instant?


Why do they think they have the right to kill domains that people have entrusted them with the custodianship of? I don't understand why they have to set any domain to pendingDelete status, short of a court order. It sounds like something ripe for abuse. I don't see what the benefit of overzealous deletion is. If they think a domain is malicious and want to stop it, they can simply disable it via NS records without actually deleting it for the remainder of the contract payment cycle. People shouldn't have to live in fear that their domain might randomly be deleted with no recourse. Perhaps new legislation is necessary to protect people's domains from random registrar deletion.


Hello, I'm the Head of Trust & Safety. Please forward me the email? This is very likely legitimate and from our team, but I'd like to confirm. justin@ cloudflare.com


I recently transferred my domains from Google to Cloudflare precisely to avoid being terminated by Google's false-positive AI. Now Cloudflare is pulling the same stunt? Is there anything you can say to reassure your customers? Or do we need to find another registrar?


I don't know if they recently started allowing the use of any nameserver apart from Cloudflare nameservers after transferring the domain. This vendor lock-in is what prevented me from using Cloudflare, but it turns out there is another reason, reading OP's text.

For domain name registration, I tend to trust smaller players. They tend to not run bullshit AI to suspend customers, and are small enough to be able to spend at least a minute reviewing any flagged user accounts.


This mirrors my strategy personally and professionally. I’ve dealt with CF Trust and Safety before, and they are hands down the most opaque organization I’ve ever dealt with. It’s almost like they take pleasure in being withholding, far beyond anything I’ve ever seen from a “trust and safety” team anywhere else.


Hey, Justin... Perhaps you can explain why this happened in the first place while also explaining why you ignore complaints about tons of spammers and scammers that are hosted(note) on your platform?

(note) hosting is providing services on the Internet without which a site / domain won't work, so please don't try to pretend you don't host because you've decided to redefine "hosting".


proxy =/= hosting

Understand the tech; there is no redefinition going on.


Cloudflare does lots of hosting too.


It’s very disappointing to see the same old big tech false positive “no appeals” failure from Cloudflare. I’m extremely bullish on Cloudflare because I think the way Pages/Functions work with framework adapters is a compelling solution.

Why can’t anyone come up with a solution that keeps this kind of thing from happening? How much does it cost to phone someone before potentially ruining their life and why can’t we simply pay money for that option?


If malikNF consents, would you share your findings here? It's concerning you can be banned without so much as a brief sentence explaining why.


I just forwarded the email to them. I will update what happens once it's sorted out. I am hoping this is a mistake on my end, because it would suck so much to move all the stuff from CF; this is pretty much the ONLY issue I have had with them in the last 6ish years of using and recommending them to everyone.


If anyone from CF wants to explain what happened, I give my consent to disclose what exactly went wrong. Provided no personal info is posted.


Didn’t they get exactly a “brief sentence explaining why” in:

> Your account violated our terms of service specifically fraud


That's not really an explanation. An explanation would be something like, "we discovered that you (lied about your identity/used your website to organize or commit criminal activity/etcetc.) - literally anything that gives the user enough context to figure out if this was an accident or a misunderstanding and defend themselves.


This was a false positive that was upheld through at least one round of human review.

That is incredibly concerning for your existing customers. Is there anything that legitimate users can do to preemptively verify their accounts so that they at least can't get taken down without human review?


This is terrifying, as I've transferred my domains to you some time ago.


Justin, are there any plans to change the awful T&S processes Cloudflare has? This thread is full of issues and I experienced something similar, except I got told to email my credit card info to support: https://socialism.tools/why-i-ditched-cloudflare-and-you-sho...


Will do. Thank you.


Not true -- according to the OP -- we'll tell you who the hosting provider is -- as in, the name and abuse email of the host. The origin IP is not needed.


Ah true, I assumed from the quote.

I would think the origin IP would be needed for the hosting provider to identify their customer though? And the judge seemed pretty sure that the complainant could effectively take it up with the hosting provider... still, there are lots of opportunities for misunderstanding here, from case to judge to article to us. Not sure exactly what Cloudflare will give you!


Cloudflare sends the origin IP directly to the hosting provider -- with a copy of the abuse report.


>> "You also have a Cloudflare account to file a complaint, which I found to be odd."

That's incorrect. Anyone can fill out the web reporting form here: cloudflare.com/abuse -- absolutely no Cloudflare account needed.

