Please note that all submissions to the site are subject to the wiki's licence, CC 4.0 BY-SA, as found here

Cloudflare

From Consumer Action Taskforce
Jump to navigationJump to search

Forced ID theft and face recognition[edit | edit source]

A full day after the sale of domain names, Cloudflare sends the customer a demand to present an ID card and their face in an automated video call with the third party Stripe within 24 hours to be analyzed by a face recognition system, threatening to cancel the sale unless the customer fulfills this requirement that the customer was not informed about before the sale, thereby making the domain names available for squatters to grab. The customer can lose their domain names either by simply not checking their email for 24 hours, which is likely as the sale has already completed and the customer has no reason to check their email again, or by the customer not agreeing to the procedure, which the customer should not, as ID cards are not made for use online. The customer's bank already has a procedure for verifying online purchases by popping up the bank app that has already been verified by visiting the bank in person, showing an ID card to a real person and signing a paper by hand. Stripe could have done like everyone else and delegate the procedure to the bank instead of inventing their own.

Cloudflare claims that any images used for verification will be deleted afterwards. This is an unverifiable claim. If Stripe for any reason does not delete the images, Stripe would surely not allow employees to disclose that this has happened. Deleting the images also make the process ineffective, as anyone could present a fake ID card good enough to look real in the low quality of a web camera and then have the evidence deleted.

In the case documented, the second response from “Trust & Safety” is an unhelpful repetition of the first response, coming near the end of the 24 hour window, ignoring any details added by the customer in response to the first one. It asks the customer to confirm that the customer prefers not to proceed with the verification so that steps can be taken, but time is already running out, and the account was suspended before “Trust & Safety” could respond. A month later, “Trust & Safety” has still not responded. The notice that the account was suspended states that the suspension does not impact, disable, or remove current services, contradicting the initial demand. In reality, the domain names belonging to the account were cancelled, and available for strangers to register with other registrars.