Cloudflare & Rogue Website Enforcement: Q&A with Corsearch Experts

  • Brand Protection
  • Content Protection
Cloudflare & Rogue Website Enforcement: Q&A with Corsearch Experts

Corsearch’s latest white paper shows that a disproportionate number of websites that offer counterfeit products and pirated content use Cloudflare’s Content Delivery services (CDN). Read our key findings, recommendations, and further insights and tips from the paper’s authors.

What is a CDN?

A content delivery network or content distribution network (CDN) is defined by Amazon as a “network of interconnected servers that speeds up webpage loading for data-heavy applications”[1]. Website content, such as videos and images, is hosted on CDN servers geographically closer to the user to deliver content far faster. As of 2022, over 41% of the top 10,000 websites use a CDN[2].

Key findings and recommendations for Cloudflare

  • 71% of websites which Corsearch notified to Google for search engine demotion used Cloudflare
  • Nearly half (49%) of all websites flagged for content piracy (e.g. film, TV, music, photography) used Cloudflare
  • A quarter (23.5%) of all websites flagged for offering counterfeited goods used Cloudflare

While Google’s legal troubleshooter form can be used to request individual URLs be de-indexed from Google search results, it cannot be used to de-index entire websites dedicated to infringement. Google de-indexing also only removes the URL from search results – the website’s content remains accessible via social media, direct URLs, and other search engines.

Search engine de-indexing is a time-consuming and limited form of recourse; it would be far more efficient to tackle the issue at source. Corsearch is therefore calling on Cloudflare to stop providing services to infringing websites that put consumers at risk.

Currently, Cloudflare requires a court order before withdrawing CDN services to a website owner. Corsearch believes that Cloudflare should terminate services when it is notified that a website is offering counterfeits or pirated content. This should apply to both websites that illegitimately use a brand’s trademarks within their domain name and websites that do not but are wholly dedicated to infringement.

In addition, we ask Cloudflare to: 

  • Publish a substantive transparency report identifying the websites using its services which have been reported by rights holders
  • Implement Know-Your-Customer procedures; where operators refuse to provide correct information, or have repeatedly set up infringing websites, Cloudflare should refuse to provide services.

Q&A with Corsearch Experts

In our recent webinar, Corsearch experts discussed the white paper’s findings and recommendations for Cloudflare. In the second half of the session, we hosted a Q&A with viewers. We received a number of fantastic questions, covering topics such as the implications of recent legislation on Cloudflare’s operations, enforcement best practices and alternate forms of recourse, and further insights on what Cloudflare should be doing to tackle the issue. You can read an excerpt from the Q&A below:

Q. Will the INFORM Act recently passed in the US have any bearing on the practices Cloudflare will have to adhere to?

Mike Sweeney, Director and Senior Legal Counsel at Corsearch: “It’s still very early days for INFORM Act, only being enacted into law in December 2022. But we believe it will have bearing on Cloudflare’s practices.

Cloudflare is a listed company with its headquarters in San Francisco. The central purpose of INFORM is to provide transparency and reassurance to US consumers around the identity of the people that they are transacting with online to provide them with confidence that they are purchasing a legitimate product or service.

The INFORM Act is very much in line with one of the requests that we call out in the white paper around “Know your customer” (KYC). We encourage Cloudflare to follow strict KYC procedures when individuals and business express an interest in Cloudflare’s website services.”

Q. Other providers take a stronger stance on infringement, while Cloudflare doesn’t. Why?

Mike Sweeney: It’s very important to note that as far as the law is concerned, Cloudflare’s position is that it does exactly what it is required and nothing more. It maintains that its practices are legally compliant. It may be that other providers only offer paid plans, so it’s likely to be a return-on-investment argument.”

Joseph Cherayath, Vice President of Enforcement at Corsearch: “To add to Mike’s point, it looks like other CDN providers are more cautious and go beyond the letter of the law. Many have decided to implement robust KYCs principles. Their goal is to be reputable providers.

However, when you look back at Cloudflare and the wider issue of criminals using their services, it’s not just piracy or counterfeiting. The number of illegal websites that use Cloudflare’s services is truly alarming. For example, websites that promote terrorism. Cloudflare takes no stand at all in terms of termination. They are attempting to wash their hands of the activities of their users, while there is a lot that could be done.”        

Q. When a registrant uses Cloudflare, how does Corsearch ascertain the ultimate host to take enforcement action?

Angharad Bailey, Brand Protection Team Lead at Corsearch: “Often, Cloudflare will take a while to follow up with an explanation of who the host is. The issue is that this delays the enforcement action being taken against the host. We need to find out this information straight away to protect consumers and rights holders.”

Q. How would you recommend taking down a website when there is no response from the website owner or Cloudflare?

Angharad Bailey: “If there’s no response from the host or the registrant, then we would look at alternative avenues such as payment provider removal, security indexing, whether they have social media accounts, marketplace storefronts, and so on.”

Joseph Cherayath: “Other methods of enforcement can include reporting the infringement to the registrar, to the registry, and even to transit providers [3] in some cases, because they are part of the ecosystem of providing that service in certain jurisdictions. We send physical letters to the general counsel of the entity asking them to take an action. Picking up the phone, surprisingly, still works. If there is a trademark in the domain, a UDRP procedures can be initiated, which Corsearch supports with.

One of the most used widely recourses used by Corsearch last year was filing a reporting to law enforcement agencies such as Europol, as they can assist with a lot of domain takedowns. We’ve given them all the information. And similarly, PIPCU has relations with registrars in place which can fast track and remove these websites. We do the due diligence and bring them into the fold.”

Simon Baggs, President, Brand & Content Protection at Corsearch: “There are many things you can do pre-litigation. If it’s a problematic website, you can look to block it in many jurisdictions or you can look to go after the people behind it, assuming you can identify who they are. Site blocking is now a remedy in a large number of countries. That would be the next step, assuming the other remedies mentioned don’t bear fruit.”

Q. How easy is it to get a payment provider to remove their facilities from a website that is infringing?

Angharad Bailey: “If you provide as much evidence as possible of the infringement and show that the provider is used by that infringer, then usually providers such as PayPal will take it down quickly. But each of these payment providers have their own processes for removals. Some require you to fill in a form. Others require you to send an email with the completed form. Ultimately, as long as you’re providing clear detail and proof of infringement, then they’re pretty responsive in removing their services from a website.”

Q. What is Corsearch’s network analysis tool?

Simon Baggs: “Network analysis is a powerful tool within the Corsearch brand protection platform that allows you go after the things around a website and therefore to focus your efforts where you can have impact. For example, if you can’t identify the operative website, but you can find their Facebook identity and accounts, then tackling those can be effective because that’s the lifeblood and oxygen for the websites. Going after that can really help.”

Q. Is Corsearch currently taking any action against infringing websites that use cryptocurrency as a form of payment?

Joseph Cherayath:We’ve had some success with this. It’s certainly one of the areas where we are exploring what’s the best way to move forward and make use of our established platform contacts. Some of the cryptocurrency payment providers have been very proactive and reactive to our notices and complaints, while others completely ignore us. We are working with the industry to set that straight.”

Q. What are some of the other policy changes that Corsearch would like Cloudflare to adopt and why?

Joseph Cherayath: “The paper explores both new policy and areas where other intermediaries already have mechanisms in place. For example, if we notify Google of a website which illegitimately uses a trademark in its domain name, Google will remove it from their index completely. If Cloudflare was to adopt the same mechanism, Corsearch could then submit trademark certification that is approved by clients. There’s no reason why, at that point itself, Cloudflare wouldn’t terminate the services they provide.”

KYC is also a big focus because it would act as a gatekeeper. If you’ve got that right, the rest of it falls into place. Finally, we want to push Cloudflare to improve its transparency reports. They should include the number of rights holders that have reported particular domains. This would show the seriousness of a problem when it comes to large volumes of trademark infringement or piracy.”

Q. Has Corsearch written to Cloudflare about our white paper?

Mike Sweeney: “Yes, we did. And as of the date of this webinar [January 26, 2023], we still haven’t received a response.”

Corsearch believes that Cloudflare can and should do more.

If you are a rights holder or brand owner and have a strong view on this issue, we encourage you to join us in calling for change. Consider writing to your local politicians and legislators to raise awareness about it and demand greater scrutiny.

Access the white paper

See the full research findings, our methodology, and a comprehensive list of recommendations for Cloudflare.

Download >




[3] “The role of a transit provider, also called an upstream provider, is to connect a customer’s network or downstream ISP to the global Internet”: