# Codeberg's Attack on Transparency and on Cloudflare Opposition

[Codeberg.org](https://web.archive.org/web/20210216153536/https://blog.codeberg.org/codebergorg-launched.html) hosted the [Crimeflare](http://crimeflare.eu.org)'s `Cloudflare-Tor` project.
In April 2021, Codeberg took down the project alleging libel.


## What the deCloudflare project is

The [deCloudflare project](http://crimeflare.eu.org) ("dCF", formerly "Cloudflare-Tor") is a non-profit charitable effort to
promote decentralization, network neutrality, and privacy with
[Cloudflare](../README.md) (a top adversary of that cause) as the core focus.
dCF project provides a variety of free software tools to help protect the
general public from Cloudflare.
An important component of protecting the community from Cloudflare is 
documenting websites that subject people to the harms of Cloudflare by 
maintaining a [massive list](../cloudflare_users/domains) of websites to avoid.

Unlike other tech giant adversaries to the dCF cause such as [GAFAM](https://en.wikipedia.org/wiki/GAFAM)
(Google, Amazon, Facebook, Apple and Microsoft), Cloudflare operates
surreptitiously and largely unknown to the general public, despite
having access to ~20-30%+ of the world's web traffic and 80%+ of CDN
market.
Their existence is so much in the shadows that privacy organizations
like "[Electronic Frontier Foundation](https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation)" are largely oblivious to the threat of it.
Mainstream privacy organizations not only *neglect* to protect web users from Cloudflare,
but some of them actually naively *use* Cloudflare themselves and
unwittingly work *against* their own interest and declared purpose.
Some privacy and ethical advice sites like "Switching Software" 
actually *recommend* Cloudflare sites to those who entrust them to
give advice pursuant to their own stated purpose.

The problem is so [rampant](../PEOPLE.md) that it became important for the dCF
project's tracking of the Cloudflare problem to start keeping track of
organizations and the pseudo-anonymous aliases of representatives who
were spotted publicly promoting Cloudflare.


## Codeberg-inflicted censorship

After someone
[on Codeberg's staff](https://web.archive.org/web/20210414001524/https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188105)
was added to the Cloudflare supporter list, Codeberg shut down the dCF
project and issued
[this statement](https://web.archive.org/web/20210414001651/https://codeberg.org/Codeberg/Community/issues/423#issuecomment-187783)
to contributors, and posted
[this blog announcement](https://web.archive.org/web/20210406012737/https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html),
allegedly in response to complaints.


### Analysis of Codeberg's e-mail

> "target lists", with personal data, lists of employment status,
> social media identities,

Calling it a "`target list`" entails a presumption of *how* the list is
used.  For example, if a threat actor wants to join the dCF project to
gain access to our internal operations, it is not dCF targeting them
but rather dCF *avoiding* being targeted by their adversary.  dCF has
been attacked several times and sometimes at the hands of insiders who
gained trust by posing as those who support the dCF cause.

Transparency is essential in exposing the corporate bias behind the
information and advice you are getting.  For example, a forum for talk
about bicycles might require [Brompton](https://en.wikipedia.org/wiki/Brompton_Bicycle) company representatives to be tagged as
such so that other users are aware of the bias behind their posts.  
It would actually be reckless *not* to identify such conflicts of
interest.  This is particularly important when dealing with Cloudflare
because they have *proven* to publish misinformation regularly.
Codeberg's move to *conceal* who represents a company ultimately
*promotes* corruption and deception.

Are forums hosted in Germany really forced to operate
non-transparently and conceal such conflicts of interest from the
public?  *Unlikely*.

For Codeberg to allege dCF tracks "`personal data`" with social media
identities is perversely deceptive.  dCF did not track personal data
or dox any social media identities.  The social media identities were
listed and only *public* data was shared -- data that is already
public on platforms like Twitter.  Personally identifiable information
was not collected on social media aliases even if it was public.

> Publication of such data, no matter if true or not, without the
> explicit consent of the person in question is illegal in EU.

When a user posts a tweet, they do so with consent to the publication
of that tweet.  If Codeberg's assertion above were true, then Twitter mirror sites 
would be banned in Germany for republishing the tweets of Germans.  
We know this is not true because Germans have access to the mirror sites.

Codeberg's *false* accusation of *illegal* activity came with *destructive*
removal of forked repositories
[without warning, without redress, and while refusing explanation](https://web.archive.org/web/20210414001524/https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188170)
to the users whose data they destroyed.

In response, Codeberg
[claims](https://web.archive.org/web/20210414001524/https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188178)
they had to act immediately to what they perceived as *illegal*
activity.  Even if we were to accept that the already public data
somehow became sensitive merely by replication, the *correct*
non-reckless action is to quarantine the data in a non-public state
until court proceedings or settlement could commence.  
For Codeberg to *destroy* people's work, and also destroy what they believed was
evidence of illegal activity was nothing short of reckless.
Codeberg's haphazard response has actually created a legal liability
for themselves, as they *needlessly* destroyed people's work without due
diligence.

A take-down request implemented properly and fairly to all sides is
temporary and non-destructive of the artifacts.

> - This includes using personally identifiable information of other
> people without their consent for feigned commit author names and email
> addresses, potentially incriminating non-participants of acts of
> privacy violation and leaking proprietary information.

This is just a statement of Codeberg's interpretation of law.  Note
that Codeberg does not accuse dCF of this, as doing so would be libel
against dCF.  So it's unclear what purpose this statement serves other
than to imply an accusation without stating it.  Such [weasel wording](https://en.wikipedia.org/wiki/Weasel_word)
is designed to *deceive* the public while dodging legal accountability.

> - Considering reports we received, a significant number of claims and
> statements were factually false.

dCF has received only **one** complaint.  It involved one social media
alias that was listed and it turned out to be a misunderstanding
surrounding the word "`support`".  The listed party claimed to not
personally condone Cloudflare and thus claimed to not be a Cloudflare
"supporter" on that basis.  

However, investigation of [public statements](https://web.archive.org/web/20210109122213/https://codeberg.org/swiso/website/issues/141#issuecomment-69593)
by that individual revealed that the other party *actually* supported
Cloudflare *operationally*.  Note that Codeberg *destroyed* the
investigation logs which led to the finding, so we can't cite them here.

> The pure existence of lists "Enemies of X" is by all rational means
> unlikely to have any other purpose than public shaming, defamation,
> threatening and libel. These are generally considered illegal in
> German law and elsewhere.

The mere existence of a list of Cloudflare supporters certainly does
*not* imply shaming.  The list *can potentially* be used for shaming
or praising, as well as in countless ways orthogonal to both *praise*
and *shame*.  Codeberg further produces *no evidence* that the list was
used for *shaming* (which should be quite easy to do if they've had
complaints on the scale that they allege).  

It's important to establish *bias* so that readers can assess the
accuracy of statements made by someone who is biased.  This is why
aliases of those entrusted with advice on matters of privacy were
collected.  It's important to track the underlying bias behind privacy
advocacy sites to address the problem of detrimental advice.


### Analysis of Codeberg's Blog Announcement

Codeberg [said](https://web.archive.org/web/20210406012737/https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html) (emphasis added):

> In the last couple of days, we have received multiple inquiries to
> remove **sensitive information** from the crimeflare/cloudflare-tor
> repository and all clones and forks of that repository hosted on
> Codeberg.org.

Data published on Twitter and public forums is *not* sensitive.  Anyone
who posts in a *public space* and later has regrets, they have only
themselves to blame.

Once you share your information publicly, you can't control them anymore.

> We have been made aware that this repository contains lists of
> usernames that are either linked with their Codeberg profile or
> their social media accounts and allegedly blamed as Cloudflare
> supporters without an evidence

dCF was *never asked* for evidence.  Only *one complaint* was received.
It was investigated and evidence was *provided* to the subject.

> We started a discussion with the maintainers of this repository and
> asked to remove these sensitive information, that are apparently for
> **shaming** people (**defamation**),

dCF did not "`shame`" or "`defame`" anyone, and no evidence was given to
that effect.  Codeberg admitted earlier that their assumption is that
a list of Cloudflare supporters inherently shames people.  Yet the
list is objective.  It's for the reader to decide if the list is of
shame or of pride.  No value judgment was expressed by the dCF
project.

> According to GDPR, we are obligued to remove sensitive user
> information as soon as a concerned person demands us to do so.

The GDPR ([General Data Protection Regulation](https://gdpr-info.eu/)) does *not protect* legal persons (i.e. organizations) and it
[does not protect anonymous information](https://gdpr-info.eu/recitals/no-26).

Specifically:

```
The principles of data protection should therefore not apply to
anonymous information, namely information which does not relate to an
identified or identifiable natural person or to personal data rendered
anonymous in such a manner that the data subject is not or no longer
identifiable. This Regulation does not therefore concern the
processing of such anonymous information, including for statistical or
research purposes.
```

dCF's [Cloudflare supporter list](../cloudflare_users/cloudflare_supporter.md) did not contain real names; only
pseudoanonymous aliases.

The listed alias of the subject who complained did not use an alias
formed like "*firstName_lastName*", or any form that could reasonably
identify a natural individual person.

The sole complaint dCF received lead to an investigation that found
the data **accurate**.  Even though the GDPR right to be forgotten does
not have force in that case, it was *removed* anyway and therefore dCF
was (and remains) in compliance with the GDPR right to be forgotten.

Yet Codeberg still removed the project *despite* immediate compliance.

> as well as Cloudflare employee data, that are considered as **private**
> information

CloudFlare itself is
[listing](https://web.archive.org/web/20210406200322/https://www.cloudflare.com/people)
their employees, so it's already *public* information.

> People reaching out to us and to the maintainers of the repository
> itself tried to make clear that they do not consider themselves as
> Cloudflare-supporters, but critical opponents of this company, and
> thus could not even imagine a reason for being listed there.

dCF only received *one* complaint regarding *one* individual.  dCF has
*continously* been in GDPR compliance at *all times*.  Codeberg destroyed
the repository anyway.

"`Support`" comes in many forms.  You can support Cloudflare by
praising it, or you can support Cloudflare through actions (which may
even be unwitting to the supporter).  In the one case that dCF
investigated, the subject's understanding narrowly assumed "support"
was limited to philosophical praise.

> We can not accept anyone attacking and threatening us and our users
> (or anyone for that matter), or inciting others to do so.

This is weasel wording, as directly accusing dCF of attacking or
threatening Cloudflare supporters would constitute libel on the part
of Codeberg.  So they try to *imply* it.  These claims can only be
ignored in the absence of evidence.


---
by [humanacollaborator](https://git.sdf.org/humanacollaborator). [License](https://www.gnu.org/licenses/agpl-3.0.txt)