Cloudflare Must Block 'Piracy Shield' Domains and IP Addresses Across Its Service 15
An anonymous reader quotes a report from TorrentFreak: In a landmark ruling, the Court of Milan has ordered (PDF) Cloudflare to block pirate streaming services that offer Serie A football matches. The court found that Cloudflare's services are instrumental in facilitating access to live pirate streams, undermining Italy's 'Piracy Shield' legislation. The order, which applies in Italy, affects Cloudflare's CDN, DNS resolver, WARP and proxy services. It also includes a broad data disclosure section. [...]
The Court of Milan's decision prohibits Cloudflare from resolving domain names and routing internet traffic to IP addresses of all services present on the "Piracy Shield" system. This also applies to future domains and aliases used by these pirate services. The order applies to Cloudflare's content delivery network (CDN), DNS services, and reverse proxy services. The order also mentions Cloudflare's free VPN among the targets, likely referring to the WARP service. If any of the targeted pirate streaming providers use Cloudflare's services to infringe on Serie A's copyrights, the company Cloudflare must stop providing CDN, authoritative DNS, and reverse proxy services to these customers. (Note: This is an Italian court order and Cloudflare previously used geotargeting to block sites only in Italy. It may respond similarly here, but terminating customer accounts only in Italy might be more complicated. )
Finally, the order further includes a data disclosure component, under which Cloudflare must identify customers who use Cloudflare's services to offer pirated streams. This should help Serie A to track down those responsible. The data disclosure section also covers information related to the 'VPN' and alternative public DNS services, where these relate to the IPTV platforms identified in the case. That covers traffic volume and connection logs, including IP-addresses and timestamps. In theory, that could also cover data on people who accessed these services using Cloudflare's VPN and DNS resolver. [...] The court ordered Cloudflare to cover the costs of the proceeding and if it doesn't implement the blocking requirements in time, an additional fine of 10,000 euros per day will apply.
The Court of Milan's decision prohibits Cloudflare from resolving domain names and routing internet traffic to IP addresses of all services present on the "Piracy Shield" system. This also applies to future domains and aliases used by these pirate services. The order applies to Cloudflare's content delivery network (CDN), DNS services, and reverse proxy services. The order also mentions Cloudflare's free VPN among the targets, likely referring to the WARP service. If any of the targeted pirate streaming providers use Cloudflare's services to infringe on Serie A's copyrights, the company Cloudflare must stop providing CDN, authoritative DNS, and reverse proxy services to these customers. (Note: This is an Italian court order and Cloudflare previously used geotargeting to block sites only in Italy. It may respond similarly here, but terminating customer accounts only in Italy might be more complicated. )
Finally, the order further includes a data disclosure component, under which Cloudflare must identify customers who use Cloudflare's services to offer pirated streams. This should help Serie A to track down those responsible. The data disclosure section also covers information related to the 'VPN' and alternative public DNS services, where these relate to the IPTV platforms identified in the case. That covers traffic volume and connection logs, including IP-addresses and timestamps. In theory, that could also cover data on people who accessed these services using Cloudflare's VPN and DNS resolver. [...] The court ordered Cloudflare to cover the costs of the proceeding and if it doesn't implement the blocking requirements in time, an additional fine of 10,000 euros per day will apply.
First we fought the RIAA (Score:5, Funny)
...now we have to fight UEFA & FIFA?
Bring it on.
IANAL (Score:5, Interesting)
Of course I could be completely wrong or missing the point.
Re:IANAL (Score:4, Informative)
Of course I could be completely wrong or missing the point.
Anyone operating in Italy is subject to their laws (just like Apple removes apps from the app store in China to comply with the laws there). Cloudflare could leave Italy entirely, but then all the local ISPs will probably end up blocking all of Cloudflare's IP ranges across all locations (which will impact more than just the targeted domains/services). While I am sure Cloudflare will appeal, there does not appear to be any great option for Cloudflare in this ruling if it is upheld.
Re: (Score:3)
Re:IANAL (Score:5, Informative)
Hey, I think your heart is definitely in the right place—thinking about practical solutions and the bigger picture. But let me help clarify a couple of things about the new legislation and its implications for Cloudflare.
You are absolutely correct that shutting down operations in Milan might technically sidestep direct enforcement. However, the new law doesn’t just target companies with a physical presence in Italy—it’s aimed at anyone providing services to Italian users. So, even if Cloudflare pulled up stakes in Milan, they’d still be expected to comply with the Piracy Shield if their services were accessible to Italian customers. That’s the one of the really pernicious things about this legislation: it effectively operates at the network level, not just the business level.
Another particularly pernicious aspect is the redress mechanism. While there is a provision to unblock IP addresses or domains that were mistakenly or temporarily flagged, the blocks last for six months—even if the infringing use stops or was wrongly attributed. For VPN providers with users in Italy, this is going to be a major headache. VPNs use pools of IP addresses that are routinely reassigned as customers start and end sessions. It’s like a game of musical chairs: the chairs are IP addresses, but the Italian government keeps removing them—and holds onto them for six months after the party is over. I can almost hear the heavy sighs from VPN engineers as they scramble to rejigger their pool assignment algorithms.
You are spot on about the downside. Losing local infrastructure would hurt Cloudflare’s ability to fend off DDoS attacks and optimize content delivery for companies in Italy. Plus, let’s be real—Cloudflare has a global reputation to think about, and pulling out of a country entirely over legal disagreements could set a precedent they’d rather avoid. Imagine the front page of Corriere della Sera: “Cloudflare dice addio a Milano.” It’s the kind of headline that might get a chuckle from pirates but a groan from the rest of us trying to keep the internet running smoothly.
You’re not missing the point entirely—this legislation is as much about making examples as it is about enforcement. The real issue is how it forces companies like Cloudflare into the role of copyright cops, with barely any judicial oversight. It’s a lose-lose: the pirates won’t care, but legitimate users and platforms could end up as collateral damage.
CloudFlare alternatives (Score:5, Interesting)
CloudFlare has been a single point of failure issue for way too long. It's about time people were incentivized to create an alternative. Cloudflare's scale is the main ingredient in their DDoS mitigation. Alternatives are sorely needed.
This is why we need to adopt Source Address Validation Everywhere (SAVE). Mandate ISPs to implement BCP 38 (Best Current Practice 38), which blocks traffic with spoofed source IP addresses. This prevents amplification attacks like DNS and NTP reflection.
But I doubt they really want to do this because IP spoofing is something we use in national defense... and other uses. It's a huge issue when it comes to state-level threats, undermining the internet completely and the only reason it hasn't been a disaster yet is simply the complications required to really do a good job of screwing over any random person.
Re: (Score:2)
Cloudflare can eat shit and die so far as I'm concerned for any of a number of reasons. But whatever happens to them, the fundamental problem would remain: Nations presuming to export their laws beyond their borders and claiming universal jurisdiction over everything and everyone everywhere worldwide. That needs to end. It's bullshit when Italy does it. It's bullshit when any other nation in Europe does it. It's bullshit when the US does it. It's bullshit when the BRICs do it. Any and every nation s
Re: (Score:3)
Re: (Score:1)
That's good to hear.
Nothings screams judicial corruption more ... (Score:5, Insightful)
In order for a blanket court order to basically accuse Cloudflare of proactively aiding and abetting potential occurrences of piracy (how's Cloudflare supposed to know? they aren't private copyright lawyers! they don't control anyone's perceived intellectual property catalog!)....... this local court/judge must already be in the back pocket of these media companies.
Although, to be fair to Italy, there's some strange bedfellows between Berlusconi's media empire and reframing of what's legal/illegal for the purposes of increasing his own wealth. So maybe this is perfectly legal.
This is not going to end well for anybody... (Score:5, Informative)
Italy's Piracy Shield system, operational since early 2024, has recently been bolstered by new legislative amendments that expand its enforcement capabilities. While I have no sympathy for pirates, the collateral damage from this overreach is deeply concerning. This system mandates the near-instantaneous (within 30 minutes) blocking of domains, IP addresses, and even DNS and VPN services without prior judicial oversight—a safeguard retained in the U.S.’s DMCA and similar anti-piracy measures in countries like the UK and Australia, albeit imperfectly. Italy’s approach bypasses even these flawed systems, opting for automation and speed at the expense of precision and fairness.
The DMCA, for all its issues, relies on notice-and-takedown mechanisms with judicial recourse. This keeps enforcement targeted and allows challenges to abuse. Italy’s approach, by contrast, automates blocking at a systemic level. Piracy Shield's early missteps, like inadvertently blocking Google Drive, demonstrate how overblocking can harm legitimate users and services.
For me, the lack of guardrails for intermediaries like Cloudflare and the impact on privacy-focused services like private DNS resolvers and VPNs are especially alarming. These tools are widely used for lawful purposes, yet Italy’s draconian new legislation expanding the Piracy Shield framework risks chilling their adoption and trust. Worse, these legislative changes appear to conflict with existing EU safe harbor laws established under the E-Commerce Directive, which shield intermediaries from liability if they act as passive conduits and take appropriate action when notified. By mandating proactive measures like automated 30-minute blocks, the new law undermines the principle of proportionality that is a central tenet in EU law. While other EU countries, such as the UK, France, and Germany, employ judicial oversight to ensure anti-piracy measures are targeted and fair, Italy has chosen a path that sidesteps these safeguards, leaving legitimate users and platforms caught in the crossfire.
History has shown us that heavy-handed enforcement, like the MPAA/RIAA lawsuits back in the day, often alienates users while failing to meaningfully curb piracy. Italy should heed this lesson: a system without judicial review or robust safeguards will do more harm than good to legitimate users while undermining its own credibility.
Worked well for Google Drive a little while ago (Score:2)