Jump to content
  • Piracy Shield Cloudflare Disaster Blocks Countless Sites, Fires Up Opposition


    Karlston

    • 553 views
    • 6 minutes
     Share


    • 553 views
    • 6 minutes

    Experts warned that a radical site-blocking program without proper checks and balances would end badly in Italy. On Saturday, at least one Cloudflare IP address was added to the Piracy Shield anti-piracy system. According to an expert, that ended up blocking a large number of websites, including a charity, a telecoms company, and several schools. It's the outcome many people predicted but one that could've been easily avoided.

     

    Following a statement that Italy’s all-new anti-piracy system had received top marks from telecoms regulator AGCOM for “working perfectly,” on Saturday the truth came out in all its glory.

     

    Piracy Shield has only been fully operational for a few weeks. So, expecting it to work flawlessly, right out of the box, was always unrealistic. There have been reports of unexpected behavior in the ticketing system, for example, plus other issues one might describe as relatively normal for a new system, or at least non-critical.

     

    But while any unexpected behavior needs to be understood, the Piracy Shield system, i.e software, hardware, and sundry biological components, arguably had just one job to perform perfectly in its first month. Through meticulous care, prove the naysayers wrong by not blocking innocent sites and staying away from CDNs. A single IP address blocked in error can do damage anywhere but, on a platform such as Cloudflare, problems can multiple extremely quickly.

    Like a Moth to a Flame

    As reported less than two weeks ago, the first issue to cause elevated public concern was the blocking of Zenlayer CDN IP addresses. During the first two weeks in the public spotlight, that wasn’t ideal or even an isolated incident.

     

    Piracy-Shield-ZenLayer-Block-Error-24022

    Black spots = No connectivity

     

    When AGCOM and anti-piracy group FAPAV turned up on TV recently to announce an expansion of Piracy Shield blocking, the system was said to be “working perfectly” while reports to the contrary were labeled “fake news.”

     

    But even before those statements had time to fully sink in, along came Saturday afternoon, otherwise known as ‘TTFN CDN’.

    AS13335 Cloudflare – IP: 188.114.97.7

    Around 16:13 on Saturday, an IP address within Cloudflare’s AS13335, which currently accounts for 42,243,794 domains according to IPInfo, was targeted for blocking. Ownership of IP address 188.114.97.7 can be linked to Cloudflare in a few seconds, and doubled checked in a few seconds more.

     

    The service that rightsholders wanted to block was not the IP address’s sole user. There’s a significant chance of that being the case whenever Cloudflare IPs enter the equation; blocking this IP always risked taking out the target plus all other sites using it.

     

    Why blocking went ahead anyway has no good answers; from didn’t check and don’t understand to oops, too late…, how it managed to traverse the claimed checks and balances defies logic. Giorgio Bonfiglio, Principal Technical Account Manager at Amazon Web Services, warned of this specific risk last year. Some of the best advice available, pro bono, yet simply ignored.

     

    “When I talked about the risks of the Piracy Shield last year I focused on the impossibility for an external observer to understand whether an IP is shared or not. I never expected they would block one of the top 5 CDNs in the world, an AS that does ONLY that,” Bonfiglio wrote.

    Block Party Erupts

    On February 2, 2024, developer Marco d’Itri (aka rfc1036) published a pearl of wisdom on Twitter. On Saturday, a little over three weeks later, he was the first to publicly confirm that what shouldn’t have happened, had obviously happened, to the surprise of no one.

    be-careful.png

    it-happened-piracy-shield.png

    Reports of sites suddenly going offline came in quickly. The IP address block went live at 16:13 and by 16:31, Italy was already covered head to foot in black spots indicating no connectivity (Source: RIPE via @auguzanellato).

     

    RIP-188.114.97.7.png

     

    EU citizens’ right to receive and impart information without interference often enters site-blocking discussions. Such concerns were waved away in Italy because the above would never be allowed to happen.

    Communication to the Public, By The Public

    On X, @handymenny quickly pinpointed the source of his initial connectivity problem, and then went on to discover he was more affected than first thought. That appeared to pique his curiosity, so he decided to find out who else had been blocked.

     

    His discoveries included the ODV Prison Volunteers Association, a charitable group with a key goal of improving communication between prisoners and their families. Elimobile.it, a telecoms company that relies on people communicating so that they a) buy SIM cards and b) can access Elimobile’s video services, was also blocked.

     

    4blox-piracy-shield-1536x1177.png

     

    Several schools also suffering downtime is not just a terrible look. The laws and regulations passed last year that authorize rapid blocking include a mandatory educational component for kids. If anyone can think of a statement that will resonate with kids, to explain why preventing football piracy has a negative effect on education, answers on a blackboard please.

    Block Quietly Removed, But That Won’t Be Enough

    Around five hours after the blockade was put in place, reports suggest that the order compelling ISPs to block Cloudflare simply vanished from the Piracy Shield system. Details are thin, but there is strong opinion that the deletion may represent a violation of the rules, if not the law.

     

    Another legal aspect of potential interest involves a general principle of EU law, one that requires authorities to strike a balance between the means used and the intended aim when exercising their powers.

     

    IT enthusiast Ernesto Castellotti wasted no time deciding his course of action. Since his website was also unlawfully blocked on Saturday, he’s sent a civil access request to AGCOM demanding all information held on file to show why that happened. He’s also calling for the immediate resignation of the head of AGCOM “for demonstrated negligence in the implementation of the Piracy Shield project.”

     

    As far as we’re aware, there has been no formal comment from AGCOM on Saturday’s disaster.

     

    Share information with TF in confidence here

     

    Note: An earlier version of this article reported on a Bonfiglio tweet which appeared to estimate the number of sites potentially blocked on Saturday. We’re informed the tweet used an Italian phrase that simply suggests a very large number. The direct translation lacked nuance and has since been removed.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...