Dealing with abuse complaints isn’t easy, for any Internet company. The variety of subject matters at issue, the various legal and regulatory requirements, and the uncertain intentions of complaining parties combine to create a ridiculously complex situation. We often suggest to those who propose easy answers to this challenge that they spend a few hours tracking the terminal of a member of our Trust & Safety team to get a feel for how difficult it can be. Yet even we were a bit surprised by an unusual abuse report we’ve been dealing with recently.
Last week, we received what looked like a notable law enforcement request: a complaint from an entity that identified itself as the “New Jersey Office of the Attorney General” and claimed to be a notice Cloudflare was “serving files consisting of 3D printable firearms in violation of NJ Stat. Ann. § 2C:39-9 3(I)(2).” The complaint further asked us to “delete all files described within 24 hours” and threatened “to press charges in order to preserve the safety of the citizens of New Jersey.”
Because we are generally not the host of information, and are unable to remove content from the Internet that we don’t host, our abuse process is specifically set up to forward complaints about content to the website host. Cloudflare also provides the contact information for the hosting provider to the person filing the complaint so that they can address their report with the host of the content in question. That is what we did in this case.
We took no action with respect to the underlying allegation. As a preliminary matter, we confirmed we were not hosting the allegedly infringing content, and any action we might have taken would not have impacted the availability of the content online. Perhaps even more importantly, in order for an Internet infrastructure provider like Cloudflare to take action on content, we believe due process requires more than a threat of legal action.
A few days after we forwarded the complaint, we saw news reports indicating that the website operator and a number of other entities had sued the State of New Jersey over the complaint we had forwarded. That lawsuit prompted us to take a closer look at the complaint. We immediately noticed a few anomalies with the complaint.
First, when law enforcement agencies contact us, they typically reach out directly, through a dedicated email line. Indeed, we specifically encourage law enforcement to contact us directly on our abuse page, because it facilitates a personalized review and response. The NJ-related request did not come in through this channel, but was instead submitted through our general abuse form. This was one data point that raised our skepticism as to the legitimacy of this report.
Second, the IP address linked to the complaint was geo-located to the Slovak Republic, which seemed like an unlikely location for the New Jersey Attorney General to be submitting an abuse report from. This particular data point was a strong indicator that this might be a fraudulent report.
Third, while the contact information provided in the complaint appeared to be a legitimate, publicly available email address operated by the State of NJ, it was one intended for public reporting of tips of criminal misconduct, as advertised here. It seems unlikely that a state attorney general would use such an email to threaten criminal prosecution. On occasion, we see this technique used when an individual would like to have Cloudflare’s response to an abuse report sent to some type of presumably interested party. The person filing this misattributed abuse report likely hopes that the party who controls that email address will then initiate some type of investigation or action based on that abuse report.
All of these factors — which were all part of the complaint passed on to the website owner and operator — made us skeptical that the complaint was legitimate. Nonetheless, we observed that the New Jersey Attorney General’s office was aware of and participating in the litigation. This raised questions about our skepticism about the complaint’s legitimacy, and made us believe that individuals from New Jersey were likely to contact us.
On Friday, we were contacted by the New Jersey Attorney General’s office, and in response to a request, including legal process, we provided additional information about the complaint. Yesterday, the New Jersey Attorney General’s office solved the mystery for us in a submission to the court confirming the complaint was a fake.
We have investigated other abuse reports submitted from this IP address, and we have identified a clear pattern of fake abuse reports. To be clear, this IP address has never impersonated law enforcement individuals prior to this NJ-related report. We have taken steps to block this IP address from submitting any further fake abuse reports.
Why does a fake complaint matter?
Abusing the abuse process by filing fake abuse reports can be a highly effective way to silence speech on the Internet. It is effectively a form of a denial of service attack. A fake abuse report can potentially result in a hosting provider taking their customer offline based on an unconfirmed allegation. In certain contexts such as copyright claims, the hosting provider is incentivized to act first and then ask questions later so as to reduce their potential liability as the host of the problematic content. The hosting provider’s sense of urgency to block the identified content leads to the sinister effectiveness of a fake abuse complaint. The content owner can submit a counter-notice to have access to the content restored, but that can be a daunting task if the potentially fake abuse report was sent by a well-funded organization or by law enforcement.
YouTube has recently been targeted by exactly this problem as recently reported by The Verge. Bad actors are abusing their “copyright strikes” system by sending ransom demands to seemingly innocent content creators. This type of attack can best be summarized as “pay me or I’ll file an abuse complaint and get you taken down”.
We don’t know who submitted the complaint or what their motivation might have been, but the incident does remind us of the importance of proceeding carefully when we receive complaints and requests from law enforcement. Dealing with abuse complaints and requests from law enforcement is never easy. And although many complaints are legitimate, this complaint was a good reminder that at least some legal demands are just attempts to game our abuse process. We’ll continue to explore ways of minimizing the possibility that our abuse process can itself be abused by bad actors.