Italy demands Cloudflare blocks pirate sites: DNS industry on the brink of disaster?
Summary: Cloudflare has been dealt a major blow in its hard-fought legal battle with music labels in Italy, and may be forced to stop users from accessing ‘pirate’ sites already blocked by ISPs. The ruling could have far-reaching negative consequences for the whole DNS industry, especially for smaller providers.
The Court of Milan has just rejected Cloudflare’s latest challenge to its previous order requiring it to block three torrent sites:
ilcorsaronero.pro. Cloudflare was sued by music labels for allowing its users to access these sites through its publicly available DNS resolver 18.104.22.168. All three sites are already blocked by ISPs in the country, following an order from the local regulator.
This is the second time Cloudflare has appealed the ruling, and, again, unsuccesfully. The latest setback means that Cloudflare has now run out of options to challenge the order, and may have to file its own lawsuit if it wants to continue the legal battle. Previously, Cloudflare has stated that it would oppose any order that would force it to block content through its publicly available resolver, as it would be tantamount to making it off limits globally.
CloudFlare’s case is reminiscent of that of another DNS resolver, Swiss-based Quad9. In 2021, a German court ordered Quad9 to block access to an alleged pirate site following a legal challenge by Sony Music. The court rejected Quad9’s objections that it was merely a neutral online intermediary.
We’ve already commented on the Quad9 situation and what it means for the industry at large — read our full statement here. Overall, in both the Quad9 and CloudFlare cases, the court makes no distinction between DNS services and Internet Service Providers (ISPs). Let’s put aside the question of whether or not this is fair and discuss technical issues not addressed in our previous statement (which, by the way, remains highly relevant).
Every country has specific rules for blocking content. Typically, internet providers block websites at the request of local regulators, which makes sense because the rules are local and specific to that country. With providers, you can be fairly confident that there won’t be any “false positives”.
However, with DNS, this isn’t necessarily the case. Public DNS services may attempt to identify a user’s country based on their IP address, but how accurate is this identification? MaxMind claims 99.8% accuracy, but what happens if a person is using iCloud Private Relay or a VPN service? Not to say that considering the sheer number of users, even 0.2% is still quite a lot.
It all takes money
Unlike ISPs, DNS services operate in a single global market, handling requests from users around the world. Historically, DNS services have been run by small companies. This is due to the simple fact that the size of the ISP and DNS markets are vastly different (the DNS market is much smaller) and DNS services earn much less.
Now imagine that small DNS services have to handle requests from all over the world, a task that is normally distributed among the huge pool of local ISPs. If the court tries to impose “policing” functions on small DNS providers, not all of them will be able to afford it financially. This could mean that DNS services like Quad9 or AdGuard DNS may be driven out of business.
There are many other potential consequences of the ruling that could undermine the Internet infrastructure as we know it, of which DNS resolvers are an integral part.
The Italian court’s decision, and the German court’s decision before it, both set a precedent that paves the way for similar court rulings in the future. And those could potentially apply not only to DNS resolvers, but also to other online intermediaries, including browsers, antiviruses, VPNs, and so on.
Moreover, some providers might exploit these court decisions to get ahead of their competitors: for example, if one DNS provider is legally required to block a particular resource, other providers would automatically be at an advantage.
Finally, as Cloudflare rightly mentioned, DNS resolvers cannot just block a website; they must block the entire domain on which that web resource resides. For example, if someone uploads copyrighted content to Google Drive, the entire
drive.google.com domain could be blocked if a DNS provider is ordered by a court to restrict access to that content. It’s like throwing the baby out with the bathwater. While we hope it would not come to this, we can only wonder where this slippery slope might lead.
We said it before, and we’ll say it again: we oppose censorship. While we understand the importance of protecting intellectual property, we do not believe that DNS resolvers — commercial intermediaries between customers and various sources on the internet — should be responsible for enforcing these protections.