Cloudflare Asks Court to End LaLiga’s “Illegal” Blocking Response to Encrypted Client Hello

After the gloves came off earlier this week, Cloudflare has asked a Spanish court to declare LaLiga's “disproportionate” piracy blocking measures illegal. Details are currently scarce, but Cloudflare looks set to challenge the legitimacy of the court's original order. LaLiga and Telefonica sought enhanced blocking measures to counter internet users' adoption of Encrypted Client Hello.

 The background to events currently underway in Spain is detailed in our earlier reports but can be summarized as follows.

Through various court orders, top Spanish football league LaLiga may issue instructions for local ISPs to block pirate streaming sites and IPTV services.

Blocking is carried out by domain, URL, IP address, or meddling with DNS entries. Those actions are based on information supplied by LaLiga each week, no scrutiny from the court required.

LaLiga and Cloudflare Collide

In an effort to mitigate the effects of blocking or benefit from other features, pirate sites using Cloudflare are less easily taken offline. That caused tempers to boil over at LaLiga and then keep boiling throughout the current two to three week crisis.

LaLiga’s general position is that since Cloudflare is in a position to make LaLiga’s life easier by tackling piracy, it has an obligation to do so. Cloudflare says that LaLiga will be treated just like other rightsholders, and given access to the same tools.

Precisely what LaLiga demanded and on what basis, remains unclear, but when Cloudflare refused to cooperate, LaLiga told ISPs to block Cloudflare IP addresses. That blocked the pirate services, but it also restricted access to Cloudflare’s customers’ websites and prevented people from visiting them.

LaLiga says that, if people have website issues, they should blame Cloudflare – while also getting ready for more because it won’t be backing down anytime soon.

Cloudflare, in turn, has now responded with legal action that asks a court to rule that LaLiga’s blocking is illegal, and then on that basis, revoke LaLiga’s authority to issue blocking instructions previously authorized by the court.

Cloudflare Statement

As a long-time advocate for the open Internet, Cloudflare provides security and reliability services that protect millions of websites from cyberattacks and strengthen the Internet’s infrastructure.

 

In recent weeks, LaLiga and the Spanish ISPs have wrongly attempted to address the issue of illegal streaming, on the purported basis of a recently issued ruling that would order the blocking of shared IP addresses of Cloudflare and other cloud service providers, a clumsy and ineffective approach that has prevented millions of users from accessing thousands of websites unrelated to such activities.

 

LaLiga obtained this ruling without addressing the cloud service providers, thereby concealing from the Court the foreseeable harm to third parties and the public interest. LaLiga’s actions pose a clear threat to the open Internet.

 

Cloudflare has today filed a motion to annul the ruling, seeking to establish that LaLiga’s disproportionate blocking measures are illegal.

 

Cloudflare routinely works with rights holders to help resolve issues such as illegal streaming, but LaLiga has left Cloudflare with no choice but to pursue this legal avenue. Rather than addressing Spanish users’ concerns about over-blocking of content, LaLiga has attempted to divert attention by making unfounded accusations against Cloudflare, while stepping up its illegal blocking practices.

 

Cloudflare hopes this court action will help prevent future indiscriminate blocking measures and make clear that rights holders cannot put their commercial interests before the fundamental right of millions of consumers to access an open Internet.

(Courtesy of Bandaancha, translated from Spanish)

Cloudflare’s mention of a recent ruling is interesting for several reasons. On a fundamental level, not involving Cloudflare in a process that directly affects its ability to go about its business, was likely to cause friction sooner or later.

Second, it appears that the motivation for the ruling in question turns out to be quite unusual.

Targeting ECH

The judgment in question, dated December 18, 2024, was issued by Commercial Court No. 6 of Barcelona following legal action by LaLiga and Telefónica Audiovisual Digital (owner of broadcaster Movistar Plus+), which requested ISPs including Vodafone, MásOrange, Digi and Movistar, to block pirate sites/services.

The unusual feature of the complaint is the focus on Encrypted Client Hello, or ECH for short. As highlighted earlier, this can effectively be used to bypass site blocking.

A brief explanation of ECH and its benefits to internet users is available from Cloudflare but in short, whenever a user visits a website on Cloudflare that has ECH enabled, intermediaries (like ISPs) will be able to see the user is visiting a site using Cloudflare, but won’t be able to identify which one.

Both Cloudflare and Google are mentioned in the LaLiga/Telefonica complaint, with ECH acknowledged as a hindrance to the companies’ site-blocking measures, in a section of the decision cited below.

This protocol, initially designed as a solution to alleged breaches in the area of Internet users’ privacy, currently prevents the development of blocks by domains and URLs, as it allows traffic to be encrypted, and thus blocks can be made by domains and/or URLs, as Internet access service providers (ISPs) can no longer inspect the part relating to SNI5 necessary to apply blocks, according to reports on the application of the ECH protocol issued by LLCP and the anti-piracy department of [Telefonica].

 

The conclusion of the technical analysis is that the actual effectiveness of domain blocking (URLs/Domains) decreases as users use browsers (Google’s Chrome) that use ECH technology. A similar case occurs with Apple’s “Private Relay” feature, introduced as part of iCloud+, focused on web traffic.

According to Bandaancha, which published sections of the decision, the above issues were presented as justification for enhanced blocking measures against 119 entities, listed alongside their domain names, ports, IP addresses, and the hosting companies used.

LaLiga obtained permission to carry out dynamic blocking against new IP addresses, domains etc, in the event countermeasures were deployed by pirate sites.

Around 35 of the services are reportedly using Cloudflare and since the blocking measures requested were not considered “contrary to the law, public order or harmful to third parties,” the order was granted.

LaLiga used that authority to block the pirate sites, by blocking Cloudflare IP address and by extension, its users in Spain.

All in all, this case highlights the tension between copyright enforcement and intermediaries such as Cloudflare. The outcome could have significant implications for how these blocking issues are addressed in the future.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of January): 487

RIP Matrix | Farewell my friend