Cloudflare: Difference between revisions
Created page with "==Forced ID theft and face recognition== A full day after the sale of domain names, Cloudflare sends the customer a demand to present an ID card and their face in an automated video call with the third party Stripe within 24 hours to be analyzed by a face recognition system, threatening to cancel the sale unless the customer fulfills this requirement that the customer was not informed about before the sale, thereby making the domain names available for squatters to grab..." |
Added password scanning incident |
||
| (10 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
{{Incomplete}} | |||
{{InfoboxCompany | |||
|Name=Cloudflare, Inc|Type=Public|Founded=2009|Industry=Web Services|Official Website=https://www.cloudflare.com/|Logo=Cloudflare Logo.svg}} | |||
[https://en.wikipedia.org/wiki/Cloudflare Cloudflare, Inc.] is an American company that offers a wide range of web services. Due to its widespread adoption, Cloudflare's services play a critical role in the modern web infrastructure. | |||
==Consumer impact summary== | |||
{{Placeholder box|Overview of concerns that arise from the company's conduct regarding (if applicable): | |||
* User Freedom | |||
* User Privacy | |||
* Business Model | |||
* Market Control}} | |||
==Anti-consumer practices== | |||
===Forced ID theft and face recognition<!-- NEEDS more refs covering this incident -->=== | |||
A full day after the sale of domain names, Cloudflare sends the customer a demand to present an ID card and their face in an automated video call with the third party Stripe within 24 hours to be analyzed by a face recognition system, threatening to cancel the sale unless the customer fulfills this requirement that the customer was not informed about before the sale, thereby making the domain names available for squatters to grab. The customer can lose their domain names either by simply not checking their email for 24 hours, which is likely as the sale has already completed and the customer has no reason to check their email again, or by the customer not agreeing to the procedure, which the customer should not, as ID cards are not made for use online. The customer's bank already has a procedure for verifying online purchases by popping up the bank app that has already been verified by visiting the bank in person, showing an ID card to a real person and signing a paper by hand. Stripe could have done like everyone else and delegate the procedure to the bank instead of inventing their own. | A full day after the sale of domain names, Cloudflare sends the customer a demand to present an ID card and their face in an automated video call with the third party Stripe within 24 hours to be analyzed by a face recognition system, threatening to cancel the sale unless the customer fulfills this requirement that the customer was not informed about before the sale, thereby making the domain names available for squatters to grab. The customer can lose their domain names either by simply not checking their email for 24 hours, which is likely as the sale has already completed and the customer has no reason to check their email again, or by the customer not agreeing to the procedure, which the customer should not, as ID cards are not made for use online. The customer's bank already has a procedure for verifying online purchases by popping up the bank app that has already been verified by visiting the bank in person, showing an ID card to a real person and signing a paper by hand. Stripe could have done like everyone else and delegate the procedure to the bank instead of inventing their own. | ||
Cloudflare claims that any images used for verification will be deleted afterwards. This is an unverifiable claim. If Stripe for any reason does not delete the images, Stripe would surely not allow employees to disclose that this has happened. Deleting the images also | Cloudflare claims that any images used for verification will be deleted afterwards. This is an unverifiable claim. If Stripe for any reason does not delete the images, Stripe would surely not allow employees to disclose that this has happened. Deleting the images also makes the process ineffective, as anyone could present a fake ID card good enough to look real in the low quality of a web camera and then have the evidence deleted. | ||
In the case documented, the second response from “Trust & Safety” is an unhelpful repetition of the first response, coming near the end of the 24 hour window, ignoring any details added by the customer in response to the first one. It asks the customer to confirm that the customer prefers not to proceed with the verification so that steps can be taken, but time is already running out, and the account was suspended before “Trust & Safety” could respond. A month later, “Trust & Safety” has still not responded. The notice that the account was suspended states that the suspension does not impact, disable, or remove current services, contradicting the initial demand. In reality, the domain names belonging to the account were cancelled, and available for strangers to register with other registrars. | In the case documented, the second response from “Trust & Safety” is an unhelpful repetition of the first response, coming near the end of the 24 hour window, ignoring any details added by the customer in response to the first one. It asks the customer to confirm that the customer prefers not to proceed with the verification so that steps can be taken, but time is already running out, and the account was suspended before “Trust & Safety” could respond. A month later, “Trust & Safety” has still not responded. The notice that the account was suspended states that the suspension does not impact, disable, or remove current services, contradicting the initial demand. In reality, the domain names belonging to the account were cancelled, and available for strangers to register with other registrars. | ||
| Line 13: | Line 28: | ||
Image:Cloudflare_email_4.png | Image:Cloudflare_email_4.png | ||
</gallery> | </gallery> | ||
=== Password scanning of website visitors === | |||
From September to November 2024 Cloudflare was scanning the passwords users entered on websites without obtaining the users' consent<ref>https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/</ref> | |||
==References== | |||
<references /> | |||
[[Category:Cloudflare]] | |||
Latest revision as of 18:39, 18 March 2025
⚠️ Article status notice: This article has been marked as incomplete
This article needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.
This notice will be removed once sufficient documentation has been added to establish the systemic nature of these issues. Once you believe the article is ready to have its notice removed, visit the discord and post to the #appeals channel.
Learn more ▼
| Basic information | |
|---|---|
| Founded | 2009 |
| Type | Public |
| Industry | Web Services |
| Official website | https://www.cloudflare.com/ |
Cloudflare, Inc. is an American company that offers a wide range of web services. Due to its widespread adoption, Cloudflare's services play a critical role in the modern web infrastructure.
Consumer impact summary[edit | edit source]
Anti-consumer practices[edit | edit source]
Forced ID theft and face recognition[edit | edit source]
A full day after the sale of domain names, Cloudflare sends the customer a demand to present an ID card and their face in an automated video call with the third party Stripe within 24 hours to be analyzed by a face recognition system, threatening to cancel the sale unless the customer fulfills this requirement that the customer was not informed about before the sale, thereby making the domain names available for squatters to grab. The customer can lose their domain names either by simply not checking their email for 24 hours, which is likely as the sale has already completed and the customer has no reason to check their email again, or by the customer not agreeing to the procedure, which the customer should not, as ID cards are not made for use online. The customer's bank already has a procedure for verifying online purchases by popping up the bank app that has already been verified by visiting the bank in person, showing an ID card to a real person and signing a paper by hand. Stripe could have done like everyone else and delegate the procedure to the bank instead of inventing their own.
Cloudflare claims that any images used for verification will be deleted afterwards. This is an unverifiable claim. If Stripe for any reason does not delete the images, Stripe would surely not allow employees to disclose that this has happened. Deleting the images also makes the process ineffective, as anyone could present a fake ID card good enough to look real in the low quality of a web camera and then have the evidence deleted.
In the case documented, the second response from “Trust & Safety” is an unhelpful repetition of the first response, coming near the end of the 24 hour window, ignoring any details added by the customer in response to the first one. It asks the customer to confirm that the customer prefers not to proceed with the verification so that steps can be taken, but time is already running out, and the account was suspended before “Trust & Safety” could respond. A month later, “Trust & Safety” has still not responded. The notice that the account was suspended states that the suspension does not impact, disable, or remove current services, contradicting the initial demand. In reality, the domain names belonging to the account were cancelled, and available for strangers to register with other registrars.
Password scanning of website visitors[edit | edit source]
From September to November 2024 Cloudflare was scanning the passwords users entered on websites without obtaining the users' consent[1]