The EFF wrote in their most recent newsletter:
… Because it’s your rights we’re fighting for.
- Your right to speak and learn freely online, free of government censorship
- Your right to move through the world without being surveilled everywhere you go
- Your right to use your device without it tracking your every click, purchase, and IRL movement
- Your right to control your data, including data about your body, and to know that data given to one government agency won’t be weaponized against you by another
- Your right to do what you please with the products and content you pay for …
Cloudflare has been DoSing the whole Tor community for over a decade now. Those who are not excluded from CF sites (over ⅓ of the web), and who are free to move around, only have that liberty because they submit to surveillance and give up their privacy.
EFF has ties to the Tor Project that are closer than most people realise. At the same time, Tor Project itself has submitted to licking Cloudflare’s boots. TP has quietly removed material from their blogs that criticises Cloudflare.
Searching EFF newsletters for Meta, Facebook, Google, Amazon, etc has no shortage of hits. But not a word about Cloudflare – the most direct adversary of what EFF claims to fight for.
People are already aware of Google and Facebook. If they choose to pawn themselves to those platforms, they know what they are signing up for. It’s a waste of energy and resources to fixate on those known evils. EFF is doing a gross injustice by not informing people about Cloudflare.
Cloudflare is one of the few tech giants that wise users cannot escape. In some US states you cannot even register to vote without Cloudflare knowing. You can submit a paper registration but then the data entry worker still submits your personal data to a Cloudflare website.
It’s relatively trivial to escape Google and Facebook and protect yourself. Most of that battle is a matter of not registering and not accessing the services, and watching out for a few corner cases. Cloudflare fucks everyone by compromising websites whose admin doesn’t even know what they are signing up for and the fact that they are pawning all their own users. When your gov publishes legal statutes exclusively in Cloudflare’s walled garden or puts gov services inside CF, we’re fucked to an extent that is much more beyond our control.
I will not donate to EFF until they get their priorities straight.


I took a moment to look briefly into this. PCI is not a legal compliance. It’s contractual. Merchants violate their agreement with visa/mc all the time and it tends to go unenforced.
So the next question is whether using Cloudflare’s gratis service (thus the 1st and last diagram in your post) is PCI compliant. Having read the nerdwallet link and this link:
https://listings.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
letting Cloudflare see card № and CVV code seems to be PCI compliant. If the 1st diagram is in play (which is unlikely), that would be non-compliant. But in most cases there will be a CF→origin tunnel (the last diagram which is incorrectly X’d out). The rules are quite loose. E.g.:
So 3rd parties are allowed to see the data. Those other standards appear to deal with data at rest not in transit, IIUC. From nerdwallet:
When the tunnel terminates at Cloudflare’s server, the supplier just has to treat CF as a 3rd party who complies with PCI DSS, PED and/or PA-DSS.
In the event of disaster, law is out of the picture and all you have is finger pointing between the two sides of a slippery, sloppily worded private contract. PCI does not seem to have any real unambiguous force in the case of Cloudflare’s most common config.