
Are they blocking you outright or are you required to do captchas?

In a 2016 post, CloudFlare states they don’t block Tor traffic and don’t let their customers block the traffic either, but they will put restrictions such as captchas in place [1].

1: https://blog.cloudflare.com/the-trouble-with-tor/



Sometime last year I discussed this in more detail. I use a text only browser with Tor. Most websites (still > 80% maybe) load well, but the overwhelming majority of those that do not are served via Cloudflare.

To me, their 2016 post claiming not to "block Tor traffic" is disingenuous, since they are exceedingly hostile to it. I only ever experience Cloudflare as an obstacle and nuisance online.

I also deeply dislike their attitude and PR stand, which is essentially victim blaming and disrespectful of those who make different technological choices. Their message seems to be:

  "We make an effort to sound sorry to those who are harmed by our
  business model. But you are a minority, and we make a lot of
  money. If you want to make an omelet, you gotta break some eggs. Now
  get out of the road."


The protection Cloudflare provides is antithetical to privacy because they are in the business of detecting malicious users. To do so, they need to distinguish users (including and especially users taking active measures to fuzz their identity, since there is heavy correlation between such use and malice... i.e. there are a lot more people fuzzing their identity because they want to do something bad than there are fuzzing their identity because they're simply privacy-conscious).

This is a subset of a larger push-pull on the privacy needs of users vs. the integrity needs of service providers; the modern threat model is a lot more complicated than it was in the era where you could deal with an attack by black-holing an IP range. For example, Google's login flow requires (required? this may have changed) JavaScript because there are attacks possible in non-JS HTML that Google cannot protect against without using JS to do DOM inspection. Does enabling JS also allow for various privacy risks? Yes. But it increases user security.


Fascinating. Thanks for your thoughts. You've stated the problem, comprehensively touching on all the well known talking points, value balances and even sequencing them as if to imply causality. That's not bad. But also it doesn't advance the argument to restate the very circumstances and reasoning to which I object.

Maybe your contribution will bring clarity to others. And more so if I also add that this is precisely the moral arithmetic, and conclusion that technical necessity excuses harms, which is unacceptable.


It's harm tradeoff, not harm excuse. It does harm user privacy.

But it's also harmful to the Internet at large (as in "all the users of the Internet") if service operators can't keep a service online because it's swamped by malicious users (or, arguably worse, it is online but the nature of its use is so badly understood by its operators that it's serving as a springboard for larger, more coherent attacks).

Services like Cloudflare allow operators to outsource the knowledge of how to mitigate those issues. This increases the total services that can be provided online by lowering the knowledge floor via specialization, which makes the Internet "bigger" (in terms of more things you can do with / on it).


> It's harm tradeoff, not harm excuse. It does harm user privacy.

I am looking from the viewpoint of someone whose privacy and opportunity are harmed, so of course I have my biases. :)

> But it's also harmful to the Internet at large

A good argument to try, but not sure this "nebulous" harm, as JS Mill might say, really works. For many reasons: "The Internet" hasn't been a coherent, level entity for some time now. No doubt you've heard the term "splinternet" - something to which I actually think problems like Cloudflare contribute. And there's an implication that a "service provider" somehow outweighs a single user. Which seems nonsense since many "services" are one man shows with a handful of users while there are some individual users of great prominence, power and value. Besides, the Internet in its "virgin" (most unharmed) form might be said to be purely peer-to-peer. The nebulous harms you propose really apply to a certain "kind" of internet, supporting certain kinds of interests.

> Services like Cloudflare allow operators to outsource the knowledge of how to mitigate those issues.

They are outsourcing action, not just knowledge. Like a private police force Cloudflare are actively (and literally) intervening in third party business and taking punitive actions against individuals based entirely on their judge, jury and executioner logic. That is a lot less innocent than you make it sound. The users are outsourcing their judgement, while swerving their responsibilities as netizens.

> This increases the total services that can be provided online by lowering the knowledge floor via specialisation, which makes the Internet "bigger" (in terms of more things you can do with / on it).

As we've discussed in these pages many times, and under many topics and titles, growth is not an unqualified good. Scale is not unquestionably desirable. Quality is rarely commensurate with either. So I am not swayed by the argument that having some of the network avoidably broken is justified by extending its size.


I see your concerns, but when the system was built, at the protocol level, to be heavily trust-assuming, but many individual users are untrustworthy, and you can't distinguish them without collecting information that could be considered privacy-violating, what is the solution?

I, for one, have a blog that I don't use Cloudflare for. There's a risk that my system gets hugged to death and I don't know until my service provider either notifies me or cuts me. And from a certain point of view, I might be considered a negligent actor because I'm not collecting enough information to know if somebody has breached my blog engine and turned it into part of the Low Orbit Ion Cannon. But I've chosen to value user privacy.

Point is, trade-offs. I don't think I'm in some kind of moral right space for my decisions, I've made them based on the kind of reader I expect to get.


Tradeoffs, we agree. I fight CF because I am so often on the sharp end of their stick.

I see that many of your personal concerns stem from the wish to be a good netizen yourself.

FWIW, I deeply value these discussions. You've made some new points, noted and helpful for my research, thank you.


Solving some company's CAPTCHA Sudokus and getting no compensation for your time and their training model is not freedom. I get this BS all the time because my IP isn't located in the West.



