From 90ff98a29e5bc1879be427ee3a3235de2ecb50f7 Mon Sep 17 00:00:00 2001 From: "backup.humanacollaborator" Date: Tue, 13 Apr 2021 23:13:28 +0000 Subject: [PATCH] Add 'subfiles/the_trouble_with_codeberg.md' --- subfiles/the_trouble_with_codeberg.md | 254 ++++++++++++++++++++++++++ 1 file changed, 254 insertions(+) create mode 100644 subfiles/the_trouble_with_codeberg.md diff --git a/subfiles/the_trouble_with_codeberg.md b/subfiles/the_trouble_with_codeberg.md new file mode 100644 index 00000000..3e79c1e7 --- /dev/null +++ b/subfiles/the_trouble_with_codeberg.md 
@@ -0,0 +1,254 @@ +# Codeberg's Attack on Transparency and on Cloudflare Opposition + +Codeberg hosted the Crimeflare's `Cloudflare-Tor` (CFT) project. +In 2021, Codeberg took down the project alleging libel. + + +## What the Cloudflare-Tor (CFT) project is + +The CFT project is a non-profit charitable effort to +promote decentralization, network neutrality, and privacy with +Cloudflare (a top adversary of that cause) as the core focus. CFT +project provides a variety of free software tools to help protect the +general public from Cloudflare. An important component of protecting +the community from Cloudflare is documenting websites that subject +people to the harms of Cloudflare by maintaining a massive list of +websites to avoid. + +Unlike other tech giant adversaries to the CFT cause such as GAFAM +(Google Amazon Facebook Apple Microsoft), Cloudflare operates +surreptitiously and largely unknown to the general public, despite +having access to ~20-30%+ of the world's web traffic and 80%+ of CDN +market. Their existence is so much in the shadows that privacy orgs +like EFF are largely oblivious to the threat of it. Mainstream +privacy orgs not only neglect to protect web users from Cloudflare, +but some of them actually naively use Cloudflare themselves and +unwittingly work against their own interest and declared purpose. +Some privacy and ethics advice sites like "Switching Software" +actually recommend Cloudflare sites to those who entrust them to +give advice pursuant to their own stated purpose. + +The problem is so rampant that it became important for the CFT +project's tracking of the Cloudflare problem to start keeping track of +organizations and the pseudo-anonymous aliases of representatives who +were spotted publicly promoting Cloudflare. 
+ + +## Codeberg-inflicted censorship + +After someone +[on Codeberg's staff](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188105) +was added to the Cloudflare supporter list, Codeberg shut down the CFT +project and issued +[this statement](https://codeberg.org/Codeberg/Community/issues/423#issuecomment-187783) +to contributors, and posted +[this blog announcement](https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html), +allegedly in response to complaints. + + +### Analysis of Codeberg's e-mail + +> "target lists", with personal data, lists of employment status, +> social media identities, + +Calling it a "target list" entails a presumption of how the list is +used. For example, if a threat actor wants to join the CFT project to +gain access to our internal operations, it is not CFT targeting them +but rather CFT avoiding being targeted by their adversary. CFT has +been attacked several times and sometimes at the hands of insiders who +gained trust by posing as those who support the CFT cause. + +Transparency is essential in exposing the corporate bias behind the +information and advice you are getting. For example, a forum for talk +about bicycles might require Brompton representatives to be tagged as +such so that other users are aware of the bias behind their posts. It +would actually be reckless *not* to identify such conflicts of +interest. This is particularly important when dealing with Cloudflare +because they have proven to publish misinformation regularly. +Codeberg's move to conceal who represents a company ultimately +promotes corruption and deception. + +Are forums hosted in Germany really forced to operate +non-transparently and conceal such conflicts of interest from the +public? Unlikely. + +For Codeberg to allege CFT tracks "personal data" with social media +identities is perversely deceptive. CFT did not track personal data +or dox any social media identities. 
The social media identities were +listed and only *public* data was shared -- data that is already +public on platforms like Twitter. Personally identifiable information +was not collected on social media aliases even if it was public. + +> Publication of such data, no matter if true or not, without the +> explicit consent of the person in question is illegal in EU. + +When a user posts a tweet, they do so with consent to the publication +of that tweet. If Codeberg's assertion above were true, then Nitter +would be banned in Germany for republishing the tweets of Germans. We +know this is not true because Germans have access to the Nitter +network. + +Codeberg's false accusation of illegal activity came with destructive +removal of forked repositories +[without warning, without redress, and while refusing explanation](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188170) +to the users whose data they destroyed. + +In response, Codeberg +[claims](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188178) +they had to act immediately to what they perceived as illegal +activity. Even if we were to accept that the already public data +somehow became sensitive merely by replication, the correct +non-reckless action is to quarantine the data in a non-public state +until court proceedings or settlement could commence. For Codeberg to +destroy people's work, and also destroy what they believed was +evidence of illegal activity was nothing short of reckless. +Codeberg's haphazard response has actually created a legal liability +for themselves, as they needlessly destroyed people's work without due +diligence. + +A take-down request implemented properly and fairly to all sides is +temporary and non-destructive of the artifacts. 
+ +> - This includes using personally identifiable information of other +> people without their consent for feigned commit author names and email +> addresses, potentially incriminating non-participants of acts of +> privacy violation and leaking proprietary information. + +This is just a statement of Codeberg's interpretation of law. Note +that Codeberg does not accuse CFT of this, as doing so would be libel +against CFT. So it's unclear what purpose this statement serves other +than to imply an accusation without stating it. Such weasel wording +is designed to deceive the public while dodging legal accountability. + +> - Considering reports we received, a significant number of claims and +> statements were factually false. + +CFT has received only one complaint. It involved one social media +alias that was listed and it turned out to be a misunderstanding +surrounding the word "*support*". The listed party claimed to not +personally condone Cloudflare and thus claimed to not be a Cloudflare +"supporter" on that basis. But investigation of +[public statements](https://codeberg.org/swiso/website/issues/141#issuecomment-69593) +by that individual revealed that the other party actually supported +Cloudflare operationally. Note that Codeberg destroyed the +investigation logs which led to the finding, so we can't cite them +here. + +> The pure existence of lis ts "Enemies of X" is by all rational means +> unlikely to have any other purpose than public shaming, defamation, +> threatening and libel. These are generally considered illegal in +> German law and elsewhere. + +The mere existence of a list of Cloudflare supporters certainly does +*not* imply shaming. The list *can potentially* be used for shaming +or praising, as well as in countless ways orthogonal to both praise +and shame. Codeberg further produces no evidence that the list was +used for shaming (which should be quite easy to do if they've had +complaints on the scale that they allege). 
+ +It's important to establish bias so that readers can assess the +accuracy of statements made by someone who is biased. This is why +aliases of those entrusted with advice on matters of privacy were +collected. It's important to track the underlying bias behind privacy +advocacy sites to address the problem of detrimental advice. + + +### Analysis of Codeberg's Blog Announcement + +Codeberg [said](https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html): + +> In the last couple of days, we have received multiple inquiries to +> remove **sensitive information** from the crimeflare/cloudflare-tor +> repository and all clones and forks of that repository hosted on +> Codeberg.org. + +(emphasis added) + +Data published by Twitter and public forums is not sensitive. Anyone +who posts in a public space and later has regrets, they have only +themselves to blame. + +Privacy is like virginity: once you lose it, you can't have it back. + +> We have been made aware that this repository contains lists of +> usernames that are either linked with their Codeberg profile or +> their social media accounts and allegedly blamed as Cloudflare +> supporters without an evidence + +CFT was never asked for evidence. Only one complaint was received. +It was investigated and evidence was provided to the subject. + +> We started a discussion with the maintainers of this repository and +> asked to remove these sensitive information, that are apparently for +> shaming people (defamation), + +CFT did not "shame" or "defame" anyone, and no evidence was given to +that effect. Codeberg admitted earlier that their assumption is that +a list of Cloudflare supporters inherently shames people. Yet the +list is objective. It's for the reader to decide if the list is of +shame or of pride. No value judgment was expressed by the CFT +project. + +> According to GDPR, we are obligued to remove sensitive user +> information as soon as a concerned person demands us to do so. 
+ +The GDPR does not protect legal persons (i.e. organizations) and it +[does not protect anonymous information](https://gdpr-info.eu/recitals/no-26). +Specifically: + +``` +"The principles of data protection should therefore not apply to +anonymous information, namely information which does not relate to an +identified or identifiable natural person or to personal data rendered +anonymous in such a manner that the data subject is not or no longer +identifiable. This Regulation does not therefore concern the +processing of such anonymous information, including for statistical or +research purposes." +``` +CFT's Cloudflare supporter list did not contain real names; only +pseudoanonymous aliases. + +The listed alias of the subject who complained did not use an alias +formed like "firstname_lastname", or any form that could reasonably +identify a natural individual person. + +The sole complaint CFT received lead to an investigation that found +the data accurate. Even though the GDPR right to be forgotten does +not have force in that case, it was removed anyway and therefore CFT +was (and remains) in compliance with the GDPR right to be forgotten. + +Yet Codeberg still removed the project despite immediate compliance. + +> as well as Cloudflare employee data, that are considered as private +> information + +CloudFlare itself is +[listing](https://web.archive.org/web/20210406200322/https://www.cloudflare.com/people) +their employees, so it's already public information. + +> People reaching out to us and to the maintainers of the repository +> itself tried to make clear that they do not consider themselves as +> Cloudflare-supporters, but critical opponents of this company, and +> thus could not even imagine a reason for being listed there. + +CFT only received one complaint regarding one individual. CFT has +continously been in GDPR compliance at all times. Codeberg destroyed +the repository anyway. + +"*Support*" comes in many forms. 
You can support Cloudflare by +praising it, or you can support Cloudflare through actions (which may +even be unwitting to the supporter). In the one case that CFT +investigated, the subject's understanding narrowly assumed "support" +was limited to philosophical praise. + +> We can not accept anyone attacking and threatening us and our users +> (or anyone for that matter), or inciting others to do so. + +This is weasel wording, as directly accusing CFT of attacking or +threatening Cloudflare supporters would constitute libel on the part +of Codeberg. So they try to imply it. These claims can only be +ignored in the absence of evidence. + + +--- +Original text provided by [humanacollaborator](https://git.sdf.org/humanacollaborator) / [GNU Affero General Public License](../LICENSE.md) \ No newline at end of file
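
Review bot: the added prose in the GDPR part of "Analysis of Codeberg's Blog Announcement" has spelling slips that should be fixed before merge: "The sole complaint CFT received lead to an investigation" should read "led", "continously" should read "continuously", and "pseudoanonymous aliases" does not match the "pseudo-anonymous aliases" spelling used in the opening section. "CloudFlare itself is listing their employees" also departs from the "Cloudflare" capitalisation used everywhere else in the file. In the e-mail analysis, the quoted line "The pure existence of lis ts" has a stray space inside "lists"; since it sits in a `>` quotation, check it against the source message and correct it if the break was introduced in transcription. The Recital 26 excerpt is wrapped in a code fence with quotation marks, while every other quotation in the file uses `>`; a blockquote would be consistent and would let the text wrap. The file ends without a trailing newline ("\ No newline at end of file"), so add one. The commit message is only the default "Add '...'" subject; a one-line body saying what the document is and where the original text comes from would help anyone reading the history.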