I only read about this on the NYTimes which, as of late has been engaged in much sensationalism, but they mentioned a site which was hosted out of the Netherlands, many reports were sent, but for privacy purposes, they were unable to act on the reports due to the provisions of the General Data Protection Regulation which protected privacy.
The site was tunneled through Cloudflare and was supposedly quite visible on the web. It is strange how the host could not simply look at the site, considering the site was fully public anyway, is there a way to correlate sites from in-front of a CDN with sites behind the CDN? For instance, if you get a report, you can take a look at it and see if there is obviously bad content?
Egregious sites are very bad as they serve as a gateway (in contrast to more discreet sites, which are problematic, but don’t have as much reach), especially when they start cropping up on search engines.
Perhaps, a CDN on automatically confirming they’re the host can present them with a token correlating the two? I don’t know how this could work, but there must be a way other than turning a CDN’s admittedly small team into the internet police.
Not sure that I understand the question, however, this may help. We’ll be writing an article on Cloudflare soon to explain how they operate. If they provide services to a site and it’s their assessment that it’s illegal child abuse content, they will terminate service. If they are not convinced that it’s illegal, then they won’t, but they will pass on a report to the website owners. Examples of the kinds of reports that they send can be found here.
In the NYTimes articles, they stated that the Dutch host couldn’t search for content on servers due to privacy legislation which makes sense, but if these sites are fully public, then it isn’t really a privacy breach to simply check the public site and see if there is illegal content? Surely, there isn’t an expectation for privacy there?
“We have not been served any secret court orders and are not under any gag orders.” Does that even still work anymore or is it just a meme?
It is believed to still work (it’s called a warrant canary). But I wouldn’t rely on it too heavily. Better to take your own steps to be secure rather than relying on the truth of what a provider tells you. Imagine that the feds seized the whole server suddenly and left the warrant canary up.