Add 'subfiles/the_trouble_with_codeberg.md'

subfiles/the_trouble_with_codeberg.md

@@ -0,0 +1,254 @@
+# Codeberg's Attack on Transparency and on Cloudflare Opposition
+
+Codeberg hosted the Crimeflare's `Cloudflare-Tor` (CFT) project.
+In 2021, Codeberg took down the project alleging libel.
+
+
+## What the Cloudflare-Tor (CFT) project is
+
+The CFT project is a non-profit charitable effort to
+promote decentralization, network neutrality, and privacy with
+Cloudflare (a top adversary of that cause) as the core focus.  CFT
+project provides a variety of free software tools to help protect the
+general public from Cloudflare.  An important component of protecting
+the community from Cloudflare is documenting websites that subject
+people to the harms of Cloudflare by maintaining a massive list of
+websites to avoid.
+
+Unlike other tech giant adversaries to the CFT cause such as GAFAM
+(Google Amazon Facebook Apple Microsoft), Cloudflare operates
+surreptitiously and largely unknown to the general public, despite
+having access to ~20-30%+ of the world's web traffic and 80%+ of CDN
+market.  Their existence is so much in the shadows that privacy orgs
+like EFF are largely oblivious to the threat of it.  Mainstream
+privacy orgs not only neglect to protect web users from Cloudflare,
+but some of them actually naively use Cloudflare themselves and
+unwittingly work against their own interest and declared purpose.
+Some privacy and ethics advice sites like "Switching Software" 
+actually recommend Cloudflare sites to those who entrust them to
+give advice pursuant to their own stated purpose.
+
+The problem is so rampant that it became important for the CFT
+project's tracking of the Cloudflare problem to start keeping track of
+organizations and the pseudo-anonymous aliases of representatives who
+were spotted publicly promoting Cloudflare.
+
+
+## Codeberg-inflicted censorship
+
+After someone
+[on Codeberg's staff](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188105)
+was added to the Cloudflare supporter list, Codeberg shut down the CFT
+project and issued
+[this statement](https://codeberg.org/Codeberg/Community/issues/423#issuecomment-187783)
+to contributors, and posted
+[this blog announcement](https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html),
+allegedly in response to complaints.
+
+
+### Analysis of Codeberg's e-mail
+
+> "target lists", with personal data, lists of employment status,
+> social media identities,
+
+Calling it a "target list" entails a presumption of how the list is
+used.  For example, if a threat actor wants to join the CFT project to
+gain access to our internal operations, it is not CFT targeting them
+but rather CFT avoiding being targeted by their adversary.  CFT has
+been attacked several times and sometimes at the hands of insiders who
+gained trust by posing as those who support the CFT cause.
+
+Transparency is essential in exposing the corporate bias behind the
+information and advice you are getting.  For example, a forum for talk
+about bicycles might require Brompton representatives to be tagged as
+such so that other users are aware of the bias behind their posts.  It
+would actually be reckless *not* to identify such conflicts of
+interest.  This is particularly important when dealing with Cloudflare
+because they have proven to publish misinformation regularly.
+Codeberg's move to conceal who represents a company ultimately
+promotes corruption and deception.
+
+Are forums hosted in Germany really forced to operate
+non-transparently and conceal such conflicts of interest from the
+public?  Unlikely.
+
+For Codeberg to allege CFT tracks "personal data" with social media
+identities is perversely deceptive.  CFT did not track personal data
+or dox any social media identities.  The social media identities were
+listed and only *public* data was shared -- data that is already
+public on platforms like Twitter.  Personally identifiable information
+was not collected on social media aliases even if it was public.
+
+> Publication of such data, no matter if true or not, without the
+> explicit consent of the person in question is illegal in EU.
+
+When a user posts a tweet, they do so with consent to the publication
+of that tweet.  If Codeberg's assertion above were true, then Nitter
+would be banned in Germany for republishing the tweets of Germans.  We
+know this is not true because Germans have access to the Nitter
+network.
+
+Codeberg's false accusation of illegal activity came with destructive
+removal of forked repositories
+[without warning, without redress, and while refusing explanation](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188170)
+to the users whose data they destroyed.
+
+In response, Codeberg
+[claims](https://codeberg.org/shadow/SpywareWatchdog/issues/77#issuecomment-188178)
+they had to act immediately to what they perceived as illegal
+activity.  Even if we were to accept that the already public data
+somehow became sensitive merely by replication, the correct
+non-reckless action is to quarantine the data in a non-public state
+until court proceedings or settlement could commence.  For Codeberg to
+destroy people's work, and also destroy what they believed was
+evidence of illegal activity was nothing short of reckless.
+Codeberg's haphazard response has actually created a legal liability
+for themselves, as they needlessly destroyed people's work without due
+diligence.
+
+A take-down request implemented properly and fairly to all sides is
+temporary and non-destructive of the artifacts.
+
+> - This includes using personally identifiable information of other
+> people without their consent for feigned commit author names and email
+> addresses, potentially incriminating non-participants of acts of
+> privacy violation and leaking proprietary information.
+
+This is just a statement of Codeberg's interpretation of law.  Note
+that Codeberg does not accuse CFT of this, as doing so would be libel
+against CFT.  So it's unclear what purpose this statement serves other
+than to imply an accusation without stating it.  Such weasel wording
+is designed to deceive the public while dodging legal accountability.
+
+> - Considering reports we received, a significant number of claims and
+> statements were factually false.
+
+CFT has received only one complaint.  It involved one social media
+alias that was listed and it turned out to be a misunderstanding
+surrounding the word "*support*".  The listed party claimed to not
+personally condone Cloudflare and thus claimed to not be a Cloudflare
+"supporter" on that basis.  But investigation of
+[public statements](https://codeberg.org/swiso/website/issues/141#issuecomment-69593)
+by that individual revealed that the other party actually supported
+Cloudflare operationally.  Note that Codeberg destroyed the
+investigation logs which led to the finding, so we can't cite them
+here.
+
+> The pure existence of lis ts "Enemies of X" is by all rational means
+> unlikely to have any other purpose than public shaming, defamation,
+> threatening and libel. These are generally considered illegal in
+> German law and elsewhere.
+
+The mere existence of a list of Cloudflare supporters certainly does
+*not* imply shaming.  The list *can potentially* be used for shaming
+or praising, as well as in countless ways orthogonal to both praise
+and shame.  Codeberg further produces no evidence that the list was
+used for shaming (which should be quite easy to do if they've had
+complaints on the scale that they allege).
+
+It's important to establish bias so that readers can assess the
+accuracy of statements made by someone who is biased.  This is why
+aliases of those entrusted with advice on matters of privacy were
+collected.  It's important to track the underlying bias behind privacy
+advocacy sites to address the problem of detrimental advice.
+
+
+### Analysis of Codeberg's Blog Announcement
+
+Codeberg [said](https://blog.codeberg.org/on-the-cloudflare-tor-takedown.html):
+
+> In the last couple of days, we have received multiple inquiries to
+> remove **sensitive information** from the crimeflare/cloudflare-tor
+> repository and all clones and forks of that repository hosted on
+> Codeberg.org.
+
+(emphasis added)
+
+Data published by Twitter and public forums is not sensitive.  Anyone
+who posts in a public space and later has regrets, they have only
+themselves to blame.
+
+Privacy is like virginity: once you lose it, you can't have it back.
+
+> We have been made aware that this repository contains lists of
+> usernames that are either linked with their Codeberg profile or
+> their social media accounts and allegedly blamed as Cloudflare
+> supporters without an evidence
+
+CFT was never asked for evidence.  Only one complaint was received.
+It was investigated and evidence was provided to the subject.
+
+> We started a discussion with the maintainers of this repository and
+> asked to remove these sensitive information, that are apparently for
+> shaming people (defamation),
+
+CFT did not "shame" or "defame" anyone, and no evidence was given to
+that effect.  Codeberg admitted earlier that their assumption is that
+a list of Cloudflare supporters inherently shames people.  Yet the
+list is objective.  It's for the reader to decide if the list is of
+shame or of pride.  No value judgment was expressed by the CFT
+project.
+
+> According to GDPR, we are obligued to remove sensitive user
+> information as soon as a concerned person demands us to do so.
+
+The GDPR does not protect legal persons (i.e. organizations) and it
+[does not protect anonymous information](https://gdpr-info.eu/recitals/no-26).
+Specifically:
+
+```
+"The principles of data protection should therefore not apply to
+anonymous information, namely information which does not relate to an
+identified or identifiable natural person or to personal data rendered
+anonymous in such a manner that the data subject is not or no longer
+identifiable. This Regulation does not therefore concern the
+processing of such anonymous information, including for statistical or
+research purposes."
+```
+CFT's Cloudflare supporter list did not contain real names; only
+pseudoanonymous aliases.
+
+The listed alias of the subject who complained did not use an alias
+formed like "firstname_lastname", or any form that could reasonably
+identify a natural individual person.
+
+The sole complaint CFT received lead to an investigation that found
+the data accurate.  Even though the GDPR right to be forgotten does
+not have force in that case, it was removed anyway and therefore CFT
+was (and remains) in compliance with the GDPR right to be forgotten.
+
+Yet Codeberg still removed the project despite immediate compliance.
+
+> as well as Cloudflare employee data, that are considered as private
+> information
+
+CloudFlare itself is
+[listing](https://web.archive.org/web/20210406200322/https://www.cloudflare.com/people)
+their employees, so it's already public information.
+
+> People reaching out to us and to the maintainers of the repository
+> itself tried to make clear that they do not consider themselves as
+> Cloudflare-supporters, but critical opponents of this company, and
+> thus could not even imagine a reason for being listed there.
+
+CFT only received one complaint regarding one individual.  CFT has
+continously been in GDPR compliance at all times.  Codeberg destroyed
+the repository anyway.
+
+"*Support*" comes in many forms.  You can support Cloudflare by
+praising it, or you can support Cloudflare through actions (which may
+even be unwitting to the supporter).  In the one case that CFT
+investigated, the subject's understanding narrowly assumed "support"
+was limited to philosophical praise.
+
+> We can not accept anyone attacking and threatening us and our users
+> (or anyone for that matter), or inciting others to do so.
+
+This is weasel wording, as directly accusing CFT of attacking or
+threatening Cloudflare supporters would constitute libel on the part
+of Codeberg.  So they try to imply it.  These claims can only be
+ignored in the absence of evidence.
+
+
+---
+Original text provided by [humanacollaborator](https://git.sdf.org/humanacollaborator) / [GNU Affero General Public License](../LICENSE.md)