There's a deep contradiction/hypocrisy around Cloudflare that can't be
ignored. It's funny when I try to click on the article titled "the
consequences of blocking IP addresses" to find I cannot read it,
because my IP address is blocked by the company that wrote the
article!
Here's a couple of thoughts I've had about Cloudflare recently;
One is that Cloudflare are a problem because they are self appointed
policemen who do not know who the good guys or bad guys really are.
Such well intentioned but naive "helpers" almost always cause more
harm in the world than they solve.
Another is that Cloudflare do not understand the nature of Free Speech
at a fundamental philosophical level. There are two essential sides to
it. The freedom to write/speak must be matched by the freedom to
read/listen. Cloudflare's model of the world recasts this as a
"tradeoff" and pits the speakers against the listeners. It does this
because there is money to be made from "service providers" but none to
be made from ordinary internet "users". It robs Peter to pay Paul.
Fundamentally, it costs Paul time and money to serve Peter a webpage, and that becomes a problem when millions of "people" (read: bots) show up and ask to be served every webpage on Paul's website. That's where the nature of "free speech" ends, when your actions impact someone else negatively (which is why, even in the US, you have the right to speak freely but not the right to force others to listen).
Solving this in a way that doesn't block tons of regular users (since doing so would cause the site owners to drop Cloudflare) is precisely where nearly all of Cloudflare's $15B market cap comes from.
> Solving this in a way that doesn't block tons of regular users [...] is precisely where nearly all of Cloudflare's $15B market cap comes from.
It's not a binary solution. Cloudflare very much does block tons of regular users, which is where all the hate is coming from in this thread. If the solution is in the domain of "a bag of squishy heuristics" it's going to be somewhat inaccurate, so then the only question is tuning... how many false positives are acceptable, which depending on the area could be anything from "how many can you get away with" to ">0 hurts our bottom line".
To reframe the problem in the latter, consider "The optimal amount of fraud is non-zero" [0]. Where it's understood the cost of inconvenience to customers ultimately will also hurt the business's bottom line. So instead the balance is very much in the favour of the customer, to make sure the wheels stay greased businesses eat the vast majority of the fraud where they could employ stricter but slower methods to verify funds etc.
There is this cost benefit balance in many things. Some things naturally balance themselves, especially when the ultimate bottom line is monetary... others not so much.
I suppose the problem with serving requests is twofold: firstly it's not necessarily a business, and even if it is, an individual visitor represents a very tiny piece of the pie over their entire life. Second, bandwidth is paid for twice, by both the visitor and the provider... It could be argued this whole problem wouldn't exist if it weren't for the latter. At most a DDoS problem may still exist. Either way the ultimate cost is to fairness, people are discriminated arbitrarily. It also depends on awareness of the site owner, if they care about fairness and know the cost of using cloudflare is potentially unfair to visitors, they may not bother... unfortunately I think most site owners don't realise how many false positives there are, and I'm not even sure Cloudflare does, I mean how would they, you get blocked enough you just give in and close the page, and they think they did a good job it's a negative feedback loop.
Well, that applies the other way around as well. How many false positives can the Austrian authorities accept when it comes to blocking illegal web sites? After all, those sites are obviously using a provider that also hosts illegal sites.
If cloudflare actually only blocked bots, a lot of criticism towards them wouldn't exist. Personally, I have some more abstract concerns about the position they occupy, but the primary reason that I emotionally dislike them is because they like to block me and then pretend that it's my fault ("are you sure you aren't infected with malware?").
1. The internet worked fine before Cloudflare, and there was no mass blocking of IPs before that.
2. Websites are commerce based. Their operating costs are already far covered by their income (ads or a service)
3. Cloudflare is a CDN so customers feel no impact from excessive traffic unless their site - which 99% of the time is pure static content - is poorly designed
4. Cloudflare could just choose to throttle the highest traffic IPs to one particular site (the one being attacked) during an actual attack, which is what DDoS mitigation companies do. Instead they just block every shared IP address forever (or force them to solve captchas, which after 8 years of bad implementation, moved from wasting tons of the users' time to being just barely acceptable)
Don't give me any further lectures on how businesses work until you understand how technology works.
You know, the funny thing is that we used to largely mitigate such things in the old days with this thing called a Postage Stamp. If the stamp costs enough, spammers have a tendency to stop spamming. In fact, the only reason most of them continue to spam by post is because the postal service offers them discounted rates.
It's almost like all intermediaries are responsible for this damn mess.
> That's where the nature of "free speech" ends, when your actions impact someone else negatively (which is why, even in the US, you have the right to speak freely but not the right to force others to listen).
Nit pick: it's not "actions" impacting others. It's when person A exercises their rights to impede another's. This kind of argumentation that cloud providers don't provide conduit or extenders for free speech is pretty lost on me, but I'm also of the opinion that all of these services should be highly regulated or government owned so that these silly pedantic, and at times opportunistic, arguments stop. It's become the wedge issue of the internet.
The issue with regulation in this space is that the arguments won't stop, and the free speech angle is the worst thing to address with this. Once we force providers over $x billion in revenue to conform their social media platforms to abide by US free speech standards, do they now have to divert to law enforcement before they can remove anything that might be considered illegal, or at least riot-inciting? Can they no longer ban bots if those bots are run by a US citizen? Even if you do, and everyone's in agreement, you're effectively sanctioning off the social media sites to only allow posts from US nationals, unless there's some framework for allowing US free speech to proliferate alongside the strict antisemitic hate speech laws of Germany.
> do they now have to divert to law enforcement before they can remove anything that might be considered illegal, or at least riot-inciting
The courts have precedent that would cover this if online speech equals free speech. Part of the reason I want the government to assume responsibility is because it'll either force them to acknowledge they're the same or craft specific laws for online speech. Part of people's frustration is that the rules are all over the place.
> Even if you do, and everyone's in agreement, you're effectively sanctioning off the social media sites to only allow posts from US nationals
That's a silly conclusion. Do US companies only enforce US fraud or sanction laws despite operating in another country? The answer is no. There's regionalization baked into services operated on other regions. I've worked on such services.
Websites, as they globalize, have to do this with regular frequency.
While likely not the majority, I think you underestimate the HN crowd and the percentage of them that have at one point run an online service only to get hit offline by a $100-per-hour botnet overwhelming their $10-per-month shared VPS. They're not innocent bystanders, they're people that have dealt with this problem and CF's protection does a pretty good job.
It's not that Cloudflare volunteers to protect someone's web site from voracious bots. It's a choice made, and often paid for, by the site's owner.
So the site owner deliberately accepts that some small percentage of users won't be able to access the site. It may be a reasonable price to pay for protection against a DoS attack, when no users can access the site anyway.
> the site owner deliberately accepts that some small percentage of users won't be able to access the site
I disagree with this because I don't think those site owners are
fully informed.
So far, arguments for Cloudflare paint its users as helpless and
clueless. Simultaneously they are fully cognisant of the complexities
and consequences.
I rather think they see a tick-box on a webmin form that says "Block
Evil Hackers", and never give it a second thought.
But you raise a good point. Perhaps Cloudflare are primarily guilty of
misrepresenting their product.
I assume a very, very small percentage of people are affected,
something like 0.01 percent. Now do the maths for an internet with
about 5 billion active users.
Scary isn't it, how when playing with the Internet, one can impact the
lives of so many real people.
I guess I would assume a lot of those users are on mobile (or in China? Not sure if they’re in your number) and so will be standardised enough to not look like bots (though I expect they’d still get a terrible experience if they had slow connections, which I guess is likely for many) and so pass filters.
On the other hand if the company of ~3k people all count as being affected that’s already ~0.001 percent of the US population so maybe your estimated proportion is reasonable/low.
I think I would guess that the population of internet users who might be affected by a problem like the one described at the root would be 400-750mm. I would guess that the rate of ‘innocent people getting cloudflare pain due to being infected with malware’ is higher than 0.01% though.
You raise a good point here. You and I can do some back of an envelope
numbers, but beyond that we'll never really know.
It made me wonder, do Cloudflare know? We could ask, but they'd be an
unreliable source.
And what percentage of legitimately blocked web requests is
"acceptable". For me it's zero, so long as one of those requests might
be a person seeking life-saving information, which is the kind of
critical infrastructure the Internet has become.
You are right. They are "appointed" by the website owner. And the website owner can go another way if they don't like what Cloudflare is doing.
Cloudflare's power fundamentally comes from the good job they do protecting website owners. GP may not like it, but many website owners clearly feel they need the protection.
There is no Grand Moral dilemma here, just basic tradeoffs between costs and availability. No different than a shop not shipping to a country with high shipping costs.
> power fundamentally comes from the good job they do protecting website owners
The power came from "free" CDN as loss leader (which is clever because the long tail of readerless sites costs essentially nil to cache but will still bump up the NPS).