Walled gardens are a technofeudal structure comprehensively defined by three varieties of oppression:
The 3 oppressions of walled gardens
- (oppression 1) Exclusion— to keep people out
- (oppression 2) Trapping— to keep people locked-in and held captive by inducing dependency
- (oppression 3) Opacity— to keep people uninformed
Oppressions 1 and 2 establish a walled garden. Oppression 3 is commonly used to support oppressions 1 and 2.
History of walled gardens
A “walled garden” originated as a concept by John Malone and others at a telecom company that was later acquired by AT&T. Phones were leased to customers and the system was designed so customers could not connect their own telephones to the network.
The first notable evolution of the term appears in the adtech industry, which refers to walled gardens as a closed platform or ecosystem where the technology provider has significant control over the content, user data, advertising options, and generally the whole environment. The most well-known examples come from the Google and Facebook duopoly.
The walled garden paradigm has expanded beyond the adtech industry and evolved toward a model that underpins all resources under technofeudalism independent of advertising. The biggest walled garden in the world has emerged with no known advertising component. It was created by US tech giant Cloudflare, Inc.
Oppression 1: Cloudflare excludes people from web-based resources
Cloudflare excludes people in pursuit of their abstract objective to convince their customers that malicious actors cannot reach their websites. Their business model entails offering this service free of charge. As a consequence, money-saving shortcuts are taken and Cloudflare uses cheap blocking criteria based crudely on IP reputation. Similar to the effect Spamhaus has had in yielding a high number of spam false-positives going back over 20 years, Cloudflare also yields substantial collateral damage to harmless users spanning several demographics, including:
- people in developing countries
- the Tor community
- VPN users
- people behind CGNAT (this often impacts poor people in impoverished regions whose ISPs receive a limited number of IPv4 addresses)
- users of public libraries (consequently people who can’t afford a PC and internet subscription), and generally networks where IP addresses are shared
- privacy enthusiasts who will not disclose ~25% of their web traffic to one single corporation in a country without privacy safeguards
- people using non-graphical browsers or GUI browsers with image loading disabled (their traffic resembles that of robots); this includes:
  - blind people
  - poor people on capped internet plans
  - environmentalists and the permacomputing community
- people with impairments and disabilities (CAPTCHA-blocked)
- people who deploy beneficial robots – Cloudflare is outspokenly anti-robot and treats beneficial bots the same as malicious bots
- Android users running AOS 6.0 and older
That list is incomplete due to the non-transparent nature of Cloudflare. No one knows all the groups excluded by Cloudflare or the full scale of the exclusion.
Oppression 2: People are trapped in Cloudflare’s walled garden
Cloudflare’s direct customers are website owners, not the general public. However, both Cloudflare’s direct patrons AND the (often unwitting) end-users of the affected web services are mutually trapped by Cloudflare.
Website owners are enticed by the prospect of getting what they perceive¹ as a gratis service to protect their website. Since no other service offers to protect websites for free, website owners are trapped by the perception¹ of cost savings. They are essentially in a gilded cage.
When a website administrator joins the cage by opting to reverse proxy their services via Cloudflare’s walled garden, the visitors of the website have no choice in this decision. The end user is forced into a disempowered take-it-or-leave-it proposition and thus trapped to an essentially absolute extent. For example when nine U.S. states (AZ, FL, GA, HI, ID, NY, OH, RI, WA) proxy their voter registration service through Cloudflare, citizens of those states are trapped because online voter registration is preconditioned on entry into the walled garden (which in fact excludes some people). Petition hosts like Change·org and Moveon·org are Cloudflared, so when someone wants to sign a petition that’s exclusively hosted on either of those sites, they are trapped. They cannot sign the petition outside of Cloudflare. When the Internet Engineering Task Force (IETF) moved their website into Cloudflare’s walled garden, developers who need to access the text of (otherwise previously open) standards are trapped.
Oppression 3: The opacity of Cloudflare’s walled garden conceals the exclusivity
Cloudflare is designed to keep web users oblivious to the existence of the garden walls. If it had been widely realised that Cloudflare is an exclusive walled garden, it may not have grown to the enormous size that it is today (around 20% of all websites in the world are Cloudflare-gated). The proliferation of Cloudflare’s walled garden depends on a majority of the population either not knowing of Cloudflare’s existence or believing Cloudflare’s deception that they only exclude harmful actors.
There is an included group and an excluded group. People in the excluded group clearly see the garden wall. It’s a dysfunctional blocking page in their face with no means to progress toward the content sought, or it manifests as an (often broken) CAPTCHA. People in the INCLUDED group have no login requirement or any extra steps to enter the walled garden. The gate is wholly invisible to them, which is “opaque” in the sense that they are deceived about where they are. They are deceived about having passed through an access-restricted gate. People in the included group contribute content to this exclusive resource without knowing that their contribution is not openly reachable to everyone. It is effectively locked into a private property despite the illusion that it’s open public access.
Another instance of oppression 3 manifests in the form of a browser padlock that deceives visitors of Cloudflared websites into thinking their traffic is secure between the user and the website’s host. In reality the padlock only indicates a secure line to Cloudflare, who sees everything including usernames and unhashed passwords. This deception is important to Cloudflare because a large portion of the public would not likely trust Cloudflare with everything sensitive; they would not enter the walled garden.
So the deception about data exposure works both ways: content users expect to be public (such as a comment in a public forum) is in fact exclusively reachable, and content they expect to be private is in fact exposed to Cloudflare.
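One way to make the invisible gate visible, as an added example that is not part of the original essay: the padlock cannot show who terminated the TLS connection, but the response's `Server` and `CF-RAY` headers and the peer IP address can. The response heads and IP addresses below are constructed samples, and the address ranges are a partial snapshot of the list Cloudflare publishes, which changes over time.

```python
import ipaddress

# Partial snapshot of IPv4 ranges Cloudflare publishes for its edge
# (assumption: incomplete and subject to change; refresh before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
)]

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def edge_evidence(raw_head: str, peer_ip: str) -> list:
    """Return the signs that the TLS peer was Cloudflare's edge, not the origin."""
    h = parse_headers(raw_head)
    found = []
    if h.get("server", "").lower() == "cloudflare":
        found.append("server-header")
    if "cf-ray" in h:
        found.append("cf-ray-header")
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in CLOUDFLARE_V4 if net.version == addr.version):
        found.append("peer-ip-in-published-range")
    return found

# Constructed sample data (not captured from any real site).
PROXIED = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
           "Server: cloudflare\r\nCF-RAY: 0000000000000000-AMS\r\n\r\n")
DIRECT = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(edge_evidence(PROXIED, "104.16.1.1"))
    print(edge_evidence(DIRECT, "192.0.2.10"))
```

Any non-empty result means the padlock in the browser describes the connection to Cloudflare's edge rather than to the website's own host.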
Cloudflare’s walled garden is the largest
Unlike the better known walled gardens such as Facebook and Google, Cloudflare leverages substantial growth and activity with every website that joins it. It’s not a mere handful of services like surveillance advertisers which scale by one user account at a time. Around 20% of all websites in the world are in Cloudflare’s walled garden, each of which has potentially countless users.
Cloudflare’s walled garden is the most rigidly exclusive
Google and Facebook are exclusive to the extent that users who do not register are excluded. Users without mobile phones are excluded from joining. But it’s within the realm of possibilities for most people to go through the hoops to join the included group. With Cloudflare, there is no registration. The included group is undefined because the excluded group is undefined. If you are in the excluded group, how do you even know exactly why you are in the excluded group? Cloudflare does not tell you “you are blocked for having a CGNAT IP address”, for example. You just get a block screen with bogus messaging.
Suppose you happen to know your CGNAT IP address is the problem. Then what? How do you join the included group? Some would say subscribe to a VPN service. Yet VPNs are also among the groups excluded by Cloudflare’s walled garden. There is no clear path to being included. Hence the title: most rigidly exclusive.
Cloudflare’s defense: Why Cloudflare proponents and digital rights opponents object to tagging Cloudflare as a “walled garden”
Cloudflare proponents and advocates essentially claim:
Website owners have control. They can configure their website to permit Tor users to have access. If they do not change their Cloudflare configuration settings, it’s their fault, not Cloudflare’s.
It’s true that website administrators can whitelist Tor to enable Tor users to access their website. This has two problems:
- It only makes Tor users part of the included group. What about everyone else? What about the people behind CGNAT? There are still many other people in the demographics of the excluded group.
- The power of defaults
It’s very rare that web admins whitelist Tor in their Cloudflare settings. Corporate actors understand the power of defaults to the most pernicious extent. This is why 83% of Mozilla’s revenue comes from Google merely for making Google the default search engine in Firefox.
Consider the “free-range” chicken swindle. A factory farmer will ram-pack an over-crowded chicken coop, but in order to legally make the claim that the chickens are “free-range”, they merely have to provide a door with access to some area outside the building. They design this door so that only the most clever chickens can find it, operate it, and fit through it. So in reality 1 or 2 chickens may escape the overcrowded conditions while most suffer. The farmer’s lawyer argues that all the chickens have free will and access to freedom. Cloudflare proponents use the same tactic. Very few admins are clever enough to realise Tor users are legitimate, that those legitimate users are blocked and also that Tor access can be toggled on. Cloudflare understands the power of defaults and in the end Cloudflare is responsible for selecting a malicious default setting in support of the world’s largest walled garden.
footnotes
¹ When a website is attacked, Cloudflare tells customers they have exceeded the parameters of the free service and must upgrade to a premium package. Hence the phrasing of “perception” of cost savings, which is otherwise beyond the scope of this paper.