Comparison of the human disempowerment severity of 3 walled gardens (Facebook, Google, and Cloudflare)

Posted on 2024/03/20 by nzx3233hom

Individual disempowerment by walled gardens has two components:

Inability to enter the walled garden (exclusion)
Inability to escape the walled garden (trapping)

1. Exclusion

Google’s exclusivity

Entry criteria for Google’s walled garden is quite simple:

must have a mobile phone number
must be willing to share the mobile phone number with Google

This essentially excludes people who cannot afford a mobile phone and
service.

Facebook’s exclusivity (same as Google)

Entry criteria for Facebook’s walled garden is quite simple:

must have a mobile phone number
must be willing to share the mobile phone number with Google

This essentially excludes people who cannot afford a mobile phone and service.

Cloudflare’s exclusivity

Cloudflare conceals its criteria for exclusion, but we know from tests and complaints that the following demographics experience denial of service:

people in developing countries
the Tor community
VPN users
people behind CGNAT (this often impacts poor people in impoverished regions whose ISPs receive a limited number of IPv4 addresses)
users of public libraries (consequently people who can’t afford a PC and internet subscription), and generally networks where IP addresses are shared
privacy enthusiasts who will not disclose ~25% of their web traffic to one single corporation in a country without privacy safeguards
people using non-graphical browsers or GUI browsers with image loading disabled (their traffic resembles that of robots); this includes:
- blind people
- poor people on capped internet plans
- environmentalists and the permacomputing community
people with impairments and disabilities (CAPTCHA-blocked)
people who deploy beneficial robots – Cloudflare is outspokenly anti-robot and treats beneficial bots the same as malicious bots
Android users running AOS 6.0 and older

No one knows all the groups excluded by Cloudflare or the full scale of the exclusion. Some users can overcome the exclusion if they manage to figure out why they are excluded. Some have no hope of overcoming the exclusion. For example, if the only ISPs available to someone use CGNAT, they cannot enter Cloudflare’s walled garden by changing ISPs. They may be able to upgrade to a static IP address as a separate feature or by subscribing to a business plan, but this may be out of reach as it’s often poor people who are stuck with CGNAT addresses to begin with.

2. Trapping and Escapability

Walled gardens have attributes and features that are designed to keep users inside the walled garden. The variables are so vast and countless it’s impractical to track and enumerate all of them. However, a useful simplification follows from the assumption that a user has the will and the intent to escape. In that context, it’s only useful to examine access to essential services. When there is an essential resource exclusively within the walled garden, it carries significance in the trapping factor.

What’s essential? Any service that traces to a human right or constitutional right is well within the scope of services we can consider “essential”.

Google’s trap

Google’s Playstore is a gate-keeper to most Android apps in the world and this includes relatively essential apps, such as:

apps that contact emergency dispatch centers (e.g. apps that dial 112 in Europe or 911 in the US); these apps are configured with the user’s name and address which is instantly transmitted and they tend to support both voice and text so they function whether or not you have the use of your voice
banking apps (and 2FA apps for banking); although banking was traditionally a non-essential private sector service, it’s becoming increasing mandatory because cash payment for labor is already banned in some European countries
apps for public services (e.g. public parking)
national train apps
national eID services (e.g. “ID Austria” is exclusively accessible through “Digitales Amt” and “A-Trust Signatur”)

The above-mentioned apps all trace to a human right, such as the right to life, healthcare, the right to work, and the right of equal access to public services. The right to education is compromised by Google in a variety of ways:

Google Docs is used by students in public schools, by force to some extent. Thus gdocs sometimes cannot be escaped while pursuing education. When groups of students collaborate, sometimes the study groups impose use of gdocs. Some secondary school teachers impose the use of Google accounts for classroom projects.
The Wi-Fi networks at some public schools use a captive portal for authentication and the only way to gain access is to supply credentials for a Google or Facebook account.

Facebook’s trap

Facebook’s trap is triggered when someone needs to communicate with another organization that is exclusively reachable in Facebook. When that other entity is a public service or fills some other role related to human rights, it’s a noteworthy trap.

It’s impractical to document all such cases here but some examples are given:

A police department recovered stolen bicycles and announced that theft victims could visit the FB page of the police dept. to see if their bicycle appears in the photos. Non-FB users were blocked from the page and there was no other means to reach the photos. Effectively, non-FB users were denied equal access to public services.
A Danish university has a Facebook page as well as nearly every single student. Facebook is used exclusively to announce some campus social events and even some optional classes. Students without Facebook are excluded from being informed. They are effectively being excluded from some aspects to public education, although strictly speaking the Facebook exclusive events were not required to obtain a degree.
There is a local activist group fighting for the right to be analog. Their sole presence is on Facebook. So freedom of assembly in this case is conditions people on being trapped in Facebook. There are countless athletic clubs and housing associations that establish themselves exclusively on Facebook which has the effect of forcing others into the walled garden and retaining them.
Facebook marketplace facilitates the exchange of second hand goods. The right to environmental protection is enshrined in human rights law, so this is an essential service. For many people it is the sole resource that traps them in Facebook. Many would say the right to boycott is also essential despite not being enshrined in human rights law. The right to boycott is often exercised using the second hand markets.
Facebook
induces addiction to the service. This does not trace to a human right but it exceptionally impedes users with the will and intent to excape to the same extent an essential access has.

Cloudflare’s trap

Roughly 20% of all websites in the world exist inside Cloudflare’s walled garden. Countless Cloudflare websites are essential and indispensable. Where can we possibly begin? Below is a list of Cloudflared resources that play a significant role in protection of human rights. If someone exits Cloudflare’s walled garden, this is what they give up—

The right to vote:

The voter registration forms in nine U.S. states (AZ, FL, GA, HI, ID, NY, OH, RI, WA) are exclusively in Cloudflare’s walled garden.

The right to petition:

The biggest petition services in the world are in Cloudflare’s walled garden.

change·org
moveon·org
actionnetwork·org

Freedom of expression:

The biggest threadiverse server in the world (lemmy·world) is in Cloudflare’s walled garden.

Freedom of assembly and of association:

Countless political activist groups have their online existence exclusively in Cloudflare’s walled garden.

The right to education and academic freedom:

Learning platforms exclusively reachable within Cloudflare’s walled garden:

MyOpenMath
PhET

The right to engage in work and access to placement services:

Most of the biggest job searching sites are exclusively reachable within Cloudflare’s walled garden, including:

indeed·com
glassdoor·com
careerbuilder·com

Bank access is becoming increasingly critical for receiving payroll payments as the world eliminates cash. At the same time banks and credit unions are joining Cloudflare’s walled garden.

Fair and just working conditions:

Many workers’ rights organizations are exclusively inside Cloudflare’s walled garden, notably:

Center for Workers’ Rights
Justice at Work
Solidarity Center
The Farmworker Association of Florida, Inc.
Women Employed
Worker Rights Consortium (WRC)

Many workers’ safety organizations are also exclusively inside Cloudflare’s walled garden, notably:

American National Standards Institute (ANSI)
National Association of Safety Professionals (NASP)
National Safety Council (NSC)
The Electrical Safety Foundation International (ESFI)
World Health Organization – Office of Occupational Health (WHO-OCH)

The right of access to government documents:

At the federal level, these websites make access to government documents exclusively available in Cloudflare’s walled garden:

Library of Congress
The US Congress (congress·gov + the websites of some individual Congress members such as Ayanna Pressley)

Countless US states have made access to government documents and information exclusively reachable inside Cloudflare’s walled garden. There are too many to make a comprehensive list but if we only consider the Secretary of State resources, these states have made access to business registration records conditional on entry into Cloudflare’s walled garden:

Arizona
Georgia
Hawaii
Idaho
New York
Ohio
Rhode Island
Washington

Opensecrets·org enables people to review how money is spent in connection with politics. The site is also in Cloudflare’s walled garden.

The right life and to healthcare:

Searching for a health issue is often useful to quickly get essential medical information particularly in an emergency. When a search for medical information filters out Cloudflare sites, the resulting information is generally sparse and lacking. Websites like webmd·com are part of Cloudflare.

3. Exclusion (Cloudflare’s exclusion is more rigid and more vast)

Google and Facebook exclude those who do not have access to a mobile phone, which account for ~5% of the world’s population. A total of 5.35 billion people around the world were using the internet at the start of 2024, equivalent to 66.2 percent of the world’s total population. So it’s probably fair to say that a large portion of people without mobile phone access do not have internet access anyway. The people excluded by Google and Facebook may only be a small percentage of privacy enthusiasts who simply refuse to share their mobile phone number with a surveillance advertiser. Those who want to enter the walled gardens of Facebook and Google can also use a pinger service to overcome that barrier. This naturally pales in comparison to Cloudflare, whose exclusion is non-transparent. People in Cloudflare’s excluded groups cannot know how to overcome the exclusion if they do not even know the reason for their exclusion.

4. Trapping (Cloudflare’s walled garden is the least escapable)

Google’s Playstore traps people to the extent that they insist on the convenience of using an app. Most services offer web service as an alternative to a mobile app. There are some niche scenarios with schools but this does not affect a large portion of the population. Facebook’s trap is relatively weak as well apart from some niche situations. Escaping Cloudflare is unsurmountable. Most who decide to remain outside of Cloudflare’s walled garden must generally give up access to a substantial number of essential services.

Cloudflare has created the largest most rigidly exclusive walled garden in the world

Posted on 2024/03/18 - 2024/03/18 by nzx3233hom

Walled gardens are a technofeudal structure comprehensively defined by three varieties of oppression:

The 3 oppressions of walled gardens

(oppression 1) Exclusion— to keep people out
(oppression 2) Trapping— to keep people locked-in and held captive by inducing dependency
(oppression 3) Opacity— to keep people uninformed

Oppression 1 and 2 establishes a walled garden. Oppression 3 is commonly used to support oppressions 1 and 2.

History of walled gardens

A “walled garden” originated as a concept by John Malone and others at a telecom company that was later acquired by AT&T. Phones were leased to customers and the system was designed so customers could not connect their own telephones to the network.

The first notable evolution of the term appears in the adtech industry, which refers to walled gardens as a closed platform or ecosystem where the technology provider has significant control over the content, user data, advertising options, and generally the whole environment. The most well-known examples come from the Google and Facebook duopoly.

The walled garden paradigm has expanded beyond the adtech industry evolved toward a model that underpins all resources under technofeudalism independent of advertising. The biggest walled garden in the world has emerged with no known advertising component. It was created by US tech giant Cloudflare, Inc.

Oppression 1: Cloudflare excludes people from web-based resources

Cloudflare excludes people in pursuit of their abstract objective to convince their customers that malicious actors cannot reach their websites. Their business model entails offering this service free of charge. As a consequence, money-saving shortcuts are taken and Cloudflare uses a cheap blocking criteria based crudely on IP reputation. Similar to the effect SpamHaus has in yielding a high number of spam false-positives going back over 20 years, Cloudflare also yields substantial collateral damage to harmless users spanning several demographics, including:

people in developing countries
the Tor community
VPN users
people behind CGNAT (this often impacts poor people in impoverished regions whose ISPs receive a limited number of IPv4 addresses)
users of public libraries (consequently people who can’t afford a PC and internet subscription), and generally networks where IP addresses are shared
privacy enthusiasts who will not disclose ~25% of their web traffic to one single corporation in a country without privacy safeguards
people using non-graphical browsers or GUI browsers with image loading disabled (their traffic resembles that of robots); this includes:
- blind people
- poor people on capped internet plans
- environmentalists and the permacomputing community
people with impairments and disabilities (CAPTCHA-blocked)
people who deploy beneficial robots – Cloudflare is outspokenly anti-robot and treats beneficial bots the same as malicious bots
Android users running AOS 6.0 and older

That list is incomplete due to the non-transparent nature of Cloudflare. No one knows all the groups excluded by Cloudflare or the full scale of the exclusion.

Oppression 2: People are trapped in Cloudflare’s walled garden

Cloudflare’s direct customers are website owners, not the general public. However both Cloudflare’s direct patrons AND the (often unwitting) end-users of the affected web services are mutually trapped by Cloudflare.

Website owners are enticed by the prospect of getting what they perceive¹ as a gratis service to protect their website. Since no other service offers to protect website for free, website owners are trapped by the perception¹ of cost savings. They are essentially in a gilded cage.

When a website administrator joins the cage by opting to reverse proxy their services via Cloudflare’s walled garden, the visitors of the website have no choice in this decision. The end user is forced into a disempowered take-it-or-leave-it proposition and thus trapped to an essentially absolute extent. For example when nine U.S. states (AZ, FL, GA, HI, ID, NY, OH, RI, WA) proxy their voter registration service through Cloudflare, citizens of those states are trapped because online voter registration is preconditioned on entry into the walled garden (which in fact excludes some people). Petition hosts like Change·org and Moveon·org are Cloudflared, so when someone wants to sign a petition that’s exclusively hosted on either of those sites, they are trapped. They cannot sign the petition outside of Cloudflare. When the Internet Engineering Task Force (IETF) moved their website into Cloudflare’s walled garden, developers who need to access the text of (otherwise previously open) standards are trapped.

Oppression 3: The opacity of Cloudflare’s walled garden conceals the exclusivity

Cloudflare is designed to keep web users oblivious to the existence of the garden walls. If it had been widely realised that Cloudflare is an exclusive walled garden, it may not have grown to the enormous size that it is today (around 20% of all websites in the world are Cloudflare-gated). The proliferation of Cloudflare’s walled garden depends on a majority of the population either not knowing of Cloudflare’s existence or believing Cloudflare’s deception that they only exclude harmful actors.

There is an included group and an excluded group. People in the excluded group clearly see the garden wall. It’s a dysfunctional blocking page in their face with no means to progress toward the content sought, or it manifests as an (often broken) CAPTCHA. People in the INCLUDED group have no login requirement or any extra steps to enter the walled garden. The gate is wholly invisible to them, which is “opaque” in the sense that they are deceived about where they are. They are deceived about having passed through an access-restricted gate. People in the included group contribute content to this exclusive resource without knowing that their contribution is not openly reachable to everyone. It is effectively locked into a private property despite the illusion that it’s open public access.

Another instance of oppression 3 manifests in the form of a browser padlock that deceives visitors of Cloudflared websites into thinking their traffic is secure between the user and the website’s host. In reality the padlock only indicates a secure line to Cloudflare, who sees everything including usernames and unhashed passwords. This deception is important to Cloudflare because a large portion of the public would not likely trust Cloudflare with everything sensitive; they would not enter the walled garden.

So the deception about data exposure works both ways: content users expect to be public (such as a comment in a public forum) is in fact exclusively reachable, and content they expect to be private is in fact exposed to Cloudflare.

Cloudflare’s walled garden is the largest

Unlike the better known walled gardens such as Facebook and Google, Cloudflare leverages substantial growth and activity with every website that joins it. It’s not a mere handful of services like surveillance advertisers which scale by one user account at a time. Around 20% of all websites in the world are in Cloudflare’s walled garden, each of which has potentially countless users.

Cloudflare’s walled garden is the most rigidly exclusive

Google and Facebook are exclusive to the extent that users who do not register are excluded. Users without mobile phones are excluded from joining. But it’s within the realm of possibilities for most people to go through the hoops to join the included group. With Cloudflare, there is no registration. The included group is undefined because the excluded group is undefined. If you are in the excluded group, how do you even know exactly why you are in the excluded group? Cloudflare does not tell you “you are blocked for have a CGNAT IP address”, for example. You just get a block screen with bogus messaging.

Suppose you happen to know your CGNAT IP address is the problem. Then what? How do you join the included group? Some would say subscribe to a VPN service. Yet VPNs are also among the groups excluded by Cloudflare’s walled garden. There is no clear path to being included. Hence the title: most rigidly exclusive.

Cloudflare’s defense: Why Cloudflare proponents and digital rights opponents object to tagging Cloudflare as a “walled garden”

Cloudflare proponents and advocates essentially claim:

Website owners have control. They can configure their website to permit Tor users to have access. If they do not change their Cloudflare configuration settings, it’s their fault, not Cloudflare’s.

It’s true that website administrators can whitelist Tor to enable Tor users to access their website. This has two problems:

It only makes Tor users part of the included group. What about everyone else? What about the people behind CGNAT? There are still many other people in the demographics of the excluded group.
The power of defaults

It’s very rare that web admins whitelist Tor in their Cloudflare settings. Corporate actors understand the power of defaults to the most pernicious extent. This is why 83% of Mozilla’s revenue comes from Google merely for making Google the default search engine in Firefox.

Consider the “free-range” chicken swindle. A factory farmer will ram-pack an over-crowded chicken coop, but in order to legally make the claim that the chickens are “free-range”, they merely have to provide a door with access to some area outside the building. They design this door so that only the most clever chickens can find it, operate it, and fit through it. So in reality 1 or 2 chickens may escape the overcrowded conditions while most suffer. The farmer’s lawyer argues that all the chickens have free will and access to freedom. Cloudflare proponents use the same tactic. Very few admins are clever enough to realise Tor users are legitimate, that those legitimate users are blocked and also that Tor access can be toggled on. Cloudflare understands the power of defaults and in the end Cloudflare is responsible for selecting a malicious default setting in support for the world’s largest walled garden.

footnotes

① When a website is attacked, Cloudflare tells customers they have exceeded the parameters of the free service and must upgrade to a premium package. Hence the phrasing of “perception” of cost savings, which is otherwise beyond the scope of this paper.