A court order blocked pirate sites that weren’t supposed to be blocked
Poorly crafted court orders threaten the open Internet, Cloudflare says.
One week ago, the news site TorrentFreak reported that The Pirate Bay and nearly 20 other torrent and pirate sites were being blocked by Cogent Communications, an Internet backbone provider. The block had been in place for more than a week and appeared to “appl[y] to the company’s entire global network,” affecting customers of ISPs “from all over the world” that send traffic through Cogent.
Though most Internet users were unaffected, anyone “attempting to pass requests through Cogent’s network are unable to access [the sites],” the article said.
Cogent CEO Dave Schaeffer yesterday confirmed to Ars that the company is complying with a court order issued recently in Spain. But The Pirate Bay was not the subject of the court order, Schaeffer also confirmed. Schaeffer would not say which site or sites the order was intended to block, but the incident demonstrates how court orders to block websites can have unintended effects. (We have not been able to track down the specific court order at this time.)
The Pirate Bay is a customer of Cloudflare, which operates a global network that improves performance of websites and protects them from DDoS attacks and other security threats. That means when Internet users try to reach thepiratebay.org, their queries are resolved to a Cloudflare-run IP address, which is shared by a number of Cloudflare customers.
This is where trying to block specific websites becomes a problem for websites that aren’t supposed to be blocked, Cloudflare General Counsel Doug Kramer told Ars yesterday. On Cloudflare’s network, there are multiple domains on an IP address, and IP addresses assigned to websites can change.
Dangers in censoring the Internet
“This is part of the danger you get into when you start to censor the Internet or you get orders to pull things down,” Kramer said. “It may not be so easy to limit access to a specific domain,” or to make sure a block applies only in a certain country.
Cogent, and not Cloudflare, is the company that had to implement the block, but Cloudflare is “trying to set up a technical system where Cogent can respond to the order that they’ve been given, but within the narrow scope of that and not have impacts that go beyond that,” Kramer said.
That effort may already have been successful. Running traceroutes on Cogent’s Looking Glass website now shows a network path to The Pirate Bay and the other websites that were reportedly blocked, although neither Cogent or Cloudflare have told us whether the problem is fully solved. The other sites include Primewire, Movie4k, TorrentProject, TorrentButler, and Torrentz.cd. (TorrentFreak today attributed this change to Cloudflare putting the pirate sites on new IP addresses.)
Court orders to block websites are more commonly issued to residential ISPs that directly serve consumers, not Internet transit providers like Cogent. The backbone operators are “usually the last guys” to get such orders, which can have unpredictable effects at that layer of the network, said co-founder and CTO Don Bowman of Sandvine, which makes network management equipment.
“Usually when they do this enforcement, they do it at the consumer edge or the business edge,” rather than the Internet backbone, Bowman told Ars.
The US has a net neutrality rule that prohibits ISPs from blocking websites. But that rule applies only to “mass-market retail services” such as the cable and phone companies that home Internet users are familiar with. The net neutrality rules also only apply to “lawful” content, and they don’t prevent ISPs from complying with court orders to block websites.
In the early months of 2015, Spanish courts told ISPs to block The Pirate Bay and the pirate music site Goear in order to prevent copyright infringement. Cogent was also told to block Goear and appealed the order, a Spanish lawyer who reviewed the documents told Ars, but it’s not clear whether the most recent order is related to that case.
Cogent acknowledges “collateral effects”
Cogent’s official statement to Ars said the company’s “policy is not to discuss with third parties the specific details of the mitigation of any abuse issue that may result in the reduced routing visibility of a particular IP address or network.”
Cogent went on to say that “as a general matter, courts may require Cogent, as an ISP, to take certain actions with respect to a third-party website, an IP address or block of IP addresses. If Cogent’s customer decides to commingle traffic from the website that is the target of the court order with the traffic of other websites, the other websites that point to the same block of IP addresses may be adversely affected. When a Cogent customer controls the affected IP addresses, Cogent does not have the ability to know ahead of time what other websites may be affected or to control the collateral impact on these other websites. When collateral effects occur, we do work with our customer to try and mitigate the effects on others websites.”
Cloudflare executives are concerned about the impact of court orders such as the one that affected The Pirate Bay. Cloudflare can rearrange its IP addresses to help companies like Cogent comply with court orders narrowly and tell the companies which IP addresses should and shouldn’t be blocked. But grouping IP addresses based on court orders will not be simple when there are a series of court orders affecting different websites and different network operators.
The Cogent situation is not the first such court order, but “it’s still early in this evolution, and it gives us concern that if these sorts of orders continue to multiply, it’s going to provide additional complexity and complication,” Kramer said. “We want to be proactive about it now to make sure these court orders don’t multiply in a problematic way.”
For global network operators, it might be easier to comply with an order by blocking access to a website globally even if the order only applies to one country, Kramer said. However, Kramer said Cloudflare can “generally” help limit blocks to specific countries.
Besides developing technical solutions, Kramer said Cloudflare has tried to work with courts to make sure orders are written so that they can be applied in a narrow way. There’s not always a chance to do that, as evidenced by the Cogent/Pirate Bay problem. Kramer said he hasn’t even seen the court order issued to Cogent.
“We’re fully committed to complying with legitimate court process,” Kramer said. “On the other hand, it’s complicated to deal with those things and it’s something we generally don’t like to do.” Cloudflare is committed to supporting “a free, open, and secure Internet,” he said. “As a company, we like the idea of keeping things on the Internet.”