Cloudflare, dirty networks and politricks

Owen DeLong owen at delong.com
Sat Jul 30 22:47:37 UTC 2016


> On Jul 30, 2016, at 12:34 PM, bzs at theworld.com wrote:
> 
> 
> On July 30, 2016 at 10:51 owen at delong.com (Owen DeLong) wrote:
>> If they are using a website hosted or accelerated by your CDN to advertise
>> an illegal activity or an activity in violation of your ToS, then if you
>> have written your ToS properly, you are free to shut down said site (or
>> at least your portions of it) based on their violation of your ToS.
> 
> Well, yes, of course, which is why I suggested developing generally
> agreed upon definitions and writing them into contracts.
> 
> One can't really write a useful contract if terms aren't well defined.
> 
>> 
>> That’s not a business boycott because you didn’t conspire with their other
>> providers to shut it down, you took an independent action based on your
>> own ToS.
> 
> The issue arises if you shut them down when you're not the harmed or
> involved party.

Not if they are using your service in a way that is contrary to the agreement
they have signed.

> I don't know if one can write a ToS which says you will be shut down
> if you harm another party utilizing another party's services but not
> otherwise involving us. Well, you can write anything but is it lawful
> and enforceable?

Probably not, but you wouldn’t do that anyway.

What you would write instead is that “You shall not use the service to
carry out attacks or other malicious activity, nor shall you use the
service to advertise, solicit, or contract to carry out such actions even
if the actions themselves are carried out independent of the service.”

You can, of course, prohibit any action you want on your network, even
if the prohibited action isn’t the actual objectionable action.

> In some cases where that sort of thing has come up I've turned it into
> a credit relationship which has greater leeway.
> 
> Something like:
> 
>  It has come to our attention that you are engaged in activities,
>  even if not thus far involving our services, which might incur us
>  legal fees. Consequently we require a deposit to cover those legal
>  fees, in advance, of $10,000 [pick a number] with the understanding
>  that any such legal fees will be billable in full even if above and
>  beyond that $10,000 deposit. Since I extend you no credit a failure
>  to provide that deposit by [date in the near future] will result in
>  termination of services. Please feel free to contact us with any
>  questions or concerns.

Here you risk running up against a claim that this new requirement
is a change to the ToS which they haven’t agreed to and which,
depending on how well they negotiated the contract, may not be
enforceable until it comes time for contract renewal and you add
this deposit to the terms of the new contract.

> but consult your attorney, state and local regulations and your own
> ToS and corporate organization may affect how and whether you can do
> that sort of thing or exactly how it has to be architected.

Always.

> If one wants to one can include demand for indemnification with
> evidence of ability to indemnify and/or business insurance policies
> where you've been written in as a legitimate potential claimant for
> legal fees and damages assuming the business insurance policy covers
> that but as I said you need a lawyer to suss that out.

Sure, but it’s questionable whether the aggrieved party has any legitimate
claim against the hosting company that merely hosted the site that
advertised the DDOS service in question.

Much easier to just prohibit advertising such a service in the first
place, IMHO.

> They probably could still fight with you over all that if none of it
> was anticipated in your ToS (hint: might be something to add to a ToS,
> reserving the right to...blah blah.) Or even try to perfect an
> argument based on some theory of estoppel (you changed the conditions
> in a way which harms me the client.)
> 
> More likely they'll ask for time and assistance to leave your service
> (in my experience), generally what you actually wanted. Buh-bye!

Yep… Unless they’re starting to run out of options.

>> There’s fairly wide latitude to “reserve the right to refuse service to
>> anyone”, especially if you can show that their use of said service is
>> in violation of the contract(s) applicable to that service.
> 
> Yeah well as any lawyer will tell you relying on broad principles like
> that rather than specifying covenants is just asking for legal fees :-)

Sure, but my point is that specifically spelling out certain actions that
you refuse to provide service to is usually the easiest way to terminate
someone for committing such actions on your service.

Owen

> 
>> 
>> Owen
>> 
>>> On Jul 29, 2016, at 12:36 , bzs at theworld.com wrote:
>>> 
>>> 
>>> Unfortunately that raises the issue of what's generally termed in law
>>> a "business boycott" which is at least tortiable if not illegal.
>>> 
>>> The grocer can't agree with your landlord not to sell you food until
>>> you catch up on the rent.
>>> 
>>> They can agree to use this information to refuse you credit but even
>>> that's quite constrained by law even if often done anyhow. And that's
>>> a credit relationship so different.
>>> 
>>> I went over this with my attorney when another ISP asked me to shut a
>>> customer's account down because they were spamming them from a third
>>> ISP's account.
>>> 
>>> I asked to look at the emails (spam) in question and none originated
>>> at our site. The acct in question on my site didn't do anything
>>> problematic that I could find.
>>> 
>>> My lawyer explained the above to me: You can't do that, business
>>> boycott.
>>> 
>>> The other ISP (specifically a sysadmin) who'd asked me to shut the
>>> acct got so angry at this response, he took it all very personally and
>>> unprofessionally, that I had to bring in his own legal dept to explain
>>> this to him which he of course took as a further affront. It got ugly
>>> but you don't need the details.
>>> 
>>> That's the problem with all this folksy armchair "law", it's often
>>> very bad advice and based on the assumption that the law must agree
>>> with one's emotional feelings. Good luck with that.
>>> 
>>> On July 29, 2016 at 08:08 rsk at gsp.org (Rich Kulawiec) wrote:
>>>> On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
>>>>> If we want to be accurate about it, Cloudflare doesn't host the DDoS,
>>>>> they protect the website of seller of the product. We shouldn't be
>>>>> de-peering Cloud Flare over sites they protect any more than we would
>>>>> de-peer GoDaddy over sites they host, some of which, no doubt, sell
>>>>> gray/black market/illegal items/services.
>>>> 
>>>> This strategy fails for two reasons.
>>>> 
>>>> First, nobody gets a pass.  Anybody providing services to abusers
>>>> needs to cut them off, whether it's a registrar, a web host, an email
>>>> provider, a DNS provider, or anything else.  Nobody gets to shrug it
>>>> off with "Well, but..."
>>>> 
>>>> Second, nobody *can* get a pass, because the people behind these operations
>>>> have long since learned to distribute their assets widely -- in an attempt
>>>> to avoid exactly the actions in the first point.  And you know what?
>>>> It works.  "We're just hosting their email", says X, and "We're just
>>>> hosting their DNS", says Y, and "We're just hosting their web site",
>>>> says Z, and none of them do anything, and nothing gets done. 
>>>> 
>>>> The only way to make action against them effective is to do it broadly,
>>>> do it swiftly, and do it permanently.
>>>> 
>>>> ---rsk
>>> 
>>> -- 
>>>       -Barry Shein
>>> 
>>> Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
>>> Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
>>> The World: Since 1989  | A Public Information Utility | *oo*
>> 
> 
> -- 
>        -Barry Shein
> 
> Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*



