Cloudflare takes legal action over LaLiga's "disproportionate blocking efforts"
62 comments
·February 24, 2025asp1
cprecioso
> bandaancha.eu is doing a fantastic job on the reporting of this.
And LaLiga’s response to their reporting? Sending false abuse notices to their hosting provider [1]
[1]: https://x.com/bandaanchaeu/status/1892992576069783825?s=46
fer
>The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.
At the risk of non-Spaniards being unable to understand: that's the most pandereta thing I've heard this year so far.
null
encipriano
I think the cloudflare issue only happens with movistar/digi. At least in my case I couldnt use github yesterday
Maken
Only Vodafone refused to implement the blocking.
dkh
So "only" the biggest broadband provider in the country :)
I've seen reports that Orange may have imposed the block as well, which is the #2 provider. Definitely a nontrivial slice of the population
swiftcoder
They've been routinely blocking GitHub, I think because there are several repos tracking lists of IPTV streams? I often have to VPN to the US just to access my open-source repos.
ErneX
Other ISPs are blocking as well.
chrisjj
> court order itself probably being illegal as well
How so?
dkh
The simplified answer is that Spain has greater net neutrality laws than most other places, and on top of that the relevant European Union laws specifically forbid any lawful blocking/enforcement action if it causes a nontrivial amount of collateral damage to unrelated parties. So in theory the court order should've violated both Spanish and European law.
https://www.redes-sociales.com/bloqueo-cloudflare-parte-lali...
viraptor
I can't find a violin small enough for cloudflare here. They're known for ignoring abuse and now they want to retaliate for someone blocking them like they're some kind of required utility provider? Maybe it's time for legal action from all the people randomly blocked by cloudflare without recourse?
ncruces
There's no violin small enough for LaLiga.
What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
The only saving grace here, is that premium broadcasts kinda succeeded in getting the fans, rather than corrupt politicians and the state, to mostly fund the entire scheme that is the sport.
Other than that, cry me a river with how much we allow football to bend (and break) so many of our laws and regulations (not to mention ethics and decency).
zorked
It is CloudFlare that should be shutting down websites to comply with the law. If they did that, LaLiga wouldn't need to restort to a bigger hammer.
Needless to say, companies should comply with the law of the place where they do business in.
ta1243
It's not blocking hundereds of services, it's blocking one, cloudflare. A service that routinely is used to share copyright material.
michaelt
> What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
In this case? A court order: https://bandaancha.eu/articulos/esta-nueva-sentencia-autoriz...
Personally I'm broadly pro-piracy and anti-big-sports-organisation. But alas the legal system disagrees.
swores
The court order provides the means of doing it, it isn't itself a justification for wanting to do it.
(Unless your view of ethics/morality is that anything ordered by any court is automatically good, which I'm sure some people believe but I suspect many more do not have such a binary view.)
viraptor
> There's no violin small enough for LaLiga.
Both?-both.gif
Walf
>What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
It could be that CloudFlare does absolutely nothing to aid any site, big or small, when asked to stop hosting & concealing blatantly malicious origins. I don't even care who it is at this point, at least someone is causing problems for CF who, frankly, behave as if they're untouchable.
Literally every scam site I've checked out in recent years, pretending to a government entity, or parcel delivery service, in order to defraud millions from those not blessed with much technological literacy, has been hidden behind CF. Their responses are excruciatingly slow, if they even do anything at all. Usually they don't.
ncruces
“Every scam comes from Cloudflare” is an asinine metric.
“Every one of those scams” are also on the internet, use email, DNS, whatever.
The metric that matters is how much of Cloudflare is a scam, and can the rate of scamming on Cloudflare be reduced without significantly impacting legitimate uses of it, and how.
Let's get ISPs to instablock IPs shared by thousands of sites immediately, making the internet an excruciating experience on weekends, because we may be loosing some football euros on our way to charge as much as the market will bear is just indefensible. If for no other reason, because IPs are a scarce resource.
Yes, piracy will take advantage of privacy technology (EDNS in this case). If we're cautious of violating privacy to catch child abusers, again, cry me a river about LaLiga not being able to fund the next hundred million euro transfer.
nabla9
> people randomly blocked by cloudflare without recourse?
Cloudflare does not randomly block access to sites that don't deal with Cloudflare.
Cloudflare customers buy blocking service to their sites from Cloudflare. Any randomness there is just customer service issue.
viraptor
They buy a service which should block a specific type of traffic, for example bots or attacks. I don't believe any of their customers have purchased a "block a random version of a specific browser" plan. The fact this is occasionally treated as a bug and fixed confirms that idea.
If the customer specifically set a header match to block some Firefox variant, people wouldn't complain to cloudflare about it.
jeroenhd
Customers can pick several levels of aggressiveness when it comes to blocking bots. Some of the more obscure browsers easily pass the "low" threshold but don't make it past the "high" threshold. Some older browsers like Palemoon seem to crash or break the JS Cloudflare serves but that seems to be a browser issue.
If your favorite website is blocking you, let them know. They can tweak a lot in their WAF settings. I don't think many websites care about obscure browsers, but it's something websites can control.
nabla9
That's why I wrote
>... just customer service issue.
dkjaudyeqooe
You covered everything except the most important case: Cloudflare blocks innocent people trying to access websites protected by Cloudflare.
For instance they block me because I'm behind CGNAT and because some of the millions of machines also behind that CGNAT once did something unsavory.
I'm not a customer of Cloudflare, so I have no one to call, I just get blocked from endless websites or have to click a checkbox, solve puzzles and suffer other indignities because I'm using a reputable and popular ISP in my country.
Fuck Cloudflare. They're accelerating the utter shittiness of the web because of their indiscriminate solutions to web malfeasance, which are worse than the disease.
mschuster91
For what it's worth I think Cloudflare and a few other ultra-large CDNs should be considered an utility provider, given that it is very difficult to exist in the Internet without their protection - no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears. And if it's an online forum, chances are high someone will be pissed off by some moderation action and just buy a DDoS to shoot you off the 'net.
(In the end I think governments should finally hunt down and eliminate abusive netizens, but waiting for that to happen is pointless)
ta1243
curl ipinfo.io/`dig +short news.ycombinator.com`
{
"ip": "209.216.230.207",
"hostname": "news.ycombinator.com",
"city": "San Diego",
"region": "California",
"country": "US",
"loc": "32.7157,-117.1647",
"org": "AS21581 M5 Computer Security",
"postal": "92101",
"timezone": "America/Los_Angeles",
"readme": "https://ipinfo.io/missingauth"
}
HeatrayEnjoyer
Seconding that anything this big should be nationalized. That said, the internet still worked before cloudflare. The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.
Add in their centralized panopticon of mass decrypted traffic and it becomes undeniable CF is an enormous net negative to the internet and society at large.
therein
Depends on the kind of abuse. Acting as if CloudFlare is providing bullet-proof hosting and carrier services would be insincere. I have had CloudFlare suspend accounts within 18 hours of reporting.
dkh
While massive overreach in the name of fighting piracy it's very on-brand for LaLiga, this seems pretty wild, even for them. I can't help but wonder if perhaps they didn't realize quite how many unrelated, legitimate sites/services that their citizens use would be affected by this.
I think burns/jokes about Cloudflare are missing the point. It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block. The block included things like Redsys, a major payments processor used by tons of ecommerce sites in Spain.
Piracy or not, you shouldn't be able to get away with this kind of collateral damage, blocking an entire population from accessing a far greater number legitimate websites.
And while I do understand their problems with piracy, LaLiga's view on the matter has always been so over-the-top and reminiscent of the false logic the record companies did in the early 2000s: LaLiga believe (or at least say, all the time) that every euro's worth of football that is pirated is a euro that has been stolen from them; that if piracy didn't exist, they would have that much more money. It's simply not the case. It's a hugely outdated viewpoint, and they shouldn't be able to cause damage to the public because of their adherence to it.
ellen364
> It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block.
I happen to agree that La Liga wildly overreaching is on brand. But I think this is partly about Cloudflare.
What's happening is a reminder of how centralised the internet is becoming. If blocking Cloudflare IPs brings down big chunks of the internet for Spain, that's a problem. Cloudflare could go down for a while, or collapse permanently, or get compromised.
Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
Cloudflare might get a resolution from the court that suits them in the short-term. But drawing this to government attention might not suit them in the long run.
JoshTriplett
> Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
On the contrary, it would be an excellent outcome if the Internet became all-or-nothing, and countries could either choose to provide Internet access or block the entire Internet, with zero ability to selectively block things they don't like.
Doing that via a few centralized CDNs would be bad. Doing that at the protocol level would be excellent.
asddubs
I think the comments here about cloudflare aren't trying to justify what LaLiga is doing, just pointing out that cloudflare does the same equally wrong thing ultimately. If you've ever ended up with an IP cloudflare decided is suspect for one reason or another, have fun being stuck in endless captcha loops all day for something like 70% of the websites you visit, with no recourse
tonyhart7
They want cloudflare deal with pirated issue for them
vanviegen
Sure it's blunt. But I guess it will be rather effective in getting Cloudflare to urgently revise their policy on copyright violation.
netdevphoenix
I don't understand why Cloudflare allowed itself to be use like this and is heading to court instead of just refusing to accept LaLiga's requests. They could just request them to provide appropriate evidence and make them pay for the time Cloudflare staff would need to review the evidence
whizzter
I suspect that LaLiga lawyers and lawyer-techs aren't perhaps the most technical so when they learned to figure out IP's they made it their go-to way of working without even considering that they might need to contact CF (or Github that also seems blocked in Spain).
Finding abuse contacts is actually a M:N problem for the entire industry since we skimped on IPv6 (Had we gone to IPv6 providers like CF could've just assigned customers their own IP's and third-party fallout would've been minimal).
JoshTriplett
Cloudflare isn't in a position to accept or decline LaLiga's requests; LaLiga, supported by a ridiculous court order, is forcing ISPs to block Cloudflare IP addresses.
yorwba
Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.
I think that's probably what they'll be doing in the end, so it's interesting to observe that they haven't done so already. Do they maybe have at least an internal domain reputation system so that long-time customers mostly share IPs with other long-time customers and are less likely to get caught in the crossfire?
jonatron
It's my understanding that the usual process is to ask Cloudflare to move infringing domains from shared IP addresses to fixed IP's, before blocking.
nightpool
Do you have a source for this?
jonatron
No, it's my recollection of words spoken by a lawyer. https://torrentfreak.com/internet-backbone-cogent-blocks-clo... is related to the topic.
Frederation
This arguement on whether LaLiga or Cloudflare are the biggest dicks is kinda dumb.
Yeah, CF has stepped in it from to time and yeah, maybe they have ego-ish proclivities. What Behemoth online service doesn't?
But at the core of this debate is about LaLiga and it's peripheral relationships dragging a lot of innocent folks along with the genuine targets of their focus. It's like those Drift Netters who have demonstrated they care not for the unindended species they catch. A bit of a labored metaphore but, there you have it.
mvdtnz
What's laliga
nubinetwork
I'd be interested to see if twitch is on their block list... or if running pirated tv, movies and sports from all over the world 24/7 just isn't as visible enough to them for them to say something...
dkh
Most streaming platforms actually put a lot of effort into combating live soccer broadcast piracy, more than a lot of other types of content. European soccer in is massively popular globally, as is the World Cup. Thus piracy of it is massive and global as well, and it gives the big leagues and competitions a lot of leverage. Most platforms try hard to counter soccer piracy, generally without waiting for a complaint or takedown request, and often using active methods like doing automated content detection on livestreams. The platforms simply have more to lose by poor enforcement of a huge soccer event than most anything else, including anything from Hollywood.
ErneX
When they started doing these blocks a few weeks ago they also took down Telegram for the whole weekend and part of Monday.
null
jb1991
Cloudflare is a flaming heap of garbage of a company and to see them have beef with another company like this is very ironic.
karlkloss
Cloudflare's ddos protection constantly locks out non-mainstream browsers, so pot and kettle, and such.
sureglymop
I've had issues with their captchas just not working but not providing that as feedback. Javascript enabled and all.
You can easily reproduce this by using a mainstream browser like Chrome and changing your user agent to e.g. a Firefox one (or the reverse). You'll be hit with captchas everywhere but unlike the cloudflare ones the google ones can at least be resolved.
jeroenhd
A Firefox user agent with a Chrome Javascript engine and a Chrome TLS engine is suspicious. Any decent bot prevention mechanism will trigger on that.
I don't have issues passing these blocks in Firefox, though.
gryn
from my travel experiences with my laptop
linux + firefox + less developed country ISP = endless captcha loop or straight up ban
zarzavat
Not just non-mainstream web browsers but also users in certain less developed countries.
Clearly there’s a balance to be had, but Cloudflare’s shadowbans are just mean.
anilakar
Can confirm. If I click certain links in the Discord Electron client on Windows they work just fine, but in Firefox on Linux I get the DDoS block page, regardless of the internet connection I'm using.
nabla9
It's a service that Cloudflare customers buy for their site.
This is about messing with unrelated parties. Cloudflare is not doing that.
karlkloss
I'm also an unrelated party, it messes with me, Cloudflare is doing it, and I can't opt out.
nabla9
You are related when you try to access a site. It's just customer service issue. You can't demand that sites allow you in.
you <---> C <---> site
you <--X--> C <---> site
|
Court order
cgcrob
I get locked out occasionally when travelling outside EU as well. I've got to the point I will just avoid using services with CloudFlare in front of them.
Also the one time I reported abuse which was online banking phishing they just replied that they'd informed the upstream provider and nothing happened.
tick_tock_tick
I mean isn't that a feature customers have to turn on?
anilakar
Most folks do not realize the consequences. Of those who do, a significant fraction thinks that the only people accessing it are from US mainland and use Chrome on Windows.
Some context the article misses: there's a court order that allows the Spanish Football League to block websites which may be unlawfully broadcasting football, and the ISPs have to comply. Since Chrome activated ECH, LaLiga requested the order to be expanded to block individual IPs, to which the court happily obliged, and this order is being used to block Cloudflare's IPs ranges.
The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play. This is a breach of the court order itself, which clearly states that "no unrelated sites may be affected", all while the court order itself probably being illegal as well. And, of course, IPTV pirates found ways around the block.
bandaancha.eu is doing a fantastic job on the reporting of this.