When I published Part 1 of Taking Control of Your Chapter’s Digital Tools, I chose Cloudflare as the domain registrar and nameserver host due to their ubiquity and low cost. After I published it, a reader pointed to an article listing many issues with Cloudflare that I wasn’t aware of, and added looking at Cloudflare alternatives to my list.
This June, that topic shot to the top of my list when Cloudflare support threatened to ban my entire account.
This is the first email I got from Cloudflare’s automated systems. The blurred part contains my main email address I used to sign up for Cloudflare ages ago, not the email I used specifically for this site. I hosted other domains on Cloudflare at the time, and I felt terrified they were all now offline (and becuase Cloudflare was also my registrar, totally unavailable) because of a possible terms of service violation. Not only am I left to guess which part of the 39,000 word terms of service I violated, but I’m not even being banned for a violation – merely a possible one.
I login to the Cloudflare console. There is no warning message, no big red banner warning me of my apparent banishment from the platform. My sites are all up; I can make whatever changes I want. I now wonder if I got spooked by a phishing email (as is best practice, I didn’t click any links in the email – I went to Cloudflare directly). But after some review, the email appeared to be legit – DKIM/DMARC/SPF all checked out, the links were to real Cloudflare pages. I took the next logical step and emailed Cloudflare support.
Me: I got two emails from abuse@cloudflare telling me I was violating the TOS, but it didn’t tell me what I was violating, what domain was violating it, etc. Are these emails legit and if so what am I in violation of?
Cloudflare (a few hours later): The interstitial page on your website was automatically triggered because you are serving video or a disproportionate amount of images without paying for such services, in violation of Section 2.8 of our Terms of Service. For more information and product options, see this KB support article.
Cloudflare (a few hours after the previous message, I hadn’t seen it yet): Can you please share with us the email you received? Please share a screenshot of the email or in plain text format.
I never saw any interstitial page on my website and was never notified one was put in place. Also, why didn’t they tell me this in the alert email I got? Could Cloudflare be so hopelessly mismanaged their abuse team, support team, and platform teams are this out of sync?
Me: I made sure my video subdomain (watch.socialism.tools) is grey (DNS only) was there another subdomain serving video or too many images, and if so which one? My blog is also grey.
I got one last response, and then nothing more from that support case:
In a new email thread (the safety team doesn’t use Zendesk, evidently), I had the following exchange
Cloudflare: The account was suspended for fraud. As a security check against possible credit card fraud Cloudflare needed a few details that you failed to provide. Please refer to our previous correspondence.
Me: If my account was suspended for fraud, why can I still login in and why do I not see anything in the console? I also wasn’t asked for any details?
Cloudflare: Kindly reply to our email with requested information.
As a security check against possible credit card fraud, Cloudflare will need the following details before we can proceed with the purchase of, or upgrade to a paid level plan:
Please provide the following verification photos:
1.) photos of the front and back of the credit card you’d like to use
2.) photos of the front and back of your government issued photo ID that matches the same name on the credit card you’d like to use.
3.) photo of you holding the two pieces of information
Please email your information to firstname.lastname@example.org for review.
Once we’ve received and verified these details, you can proceed with the upgrade to a paid level plan. You have 24 hours to acknowledge this email and if you fail to respond, we will downgrade your domain to the Free service level.
At this point, my confusion is turning more into frustration because I’m being asked to email my credit card information and photo ID along with a selfie (this information and photo is what banks usually ask for to comply with federal anti-terrorism laws; there is no reason why a registrar or CDN needs this). Hopefully this is already clear to you, but just in case: do not ever put credit card details in email! You shouldn’t email your photo ID either but this is a depressingly common request. It is technically possible to remain secure and complaint when emailing sensitive data but it’s also very easy to mess up and it’s generally recommended to not do this, ever.
After being asked to trust a third party with almost all of my critical financial & identity documentation, I make a valiant effort to remain polite:
Me: I’m not trying to upgrade to a paid level plan and I’m not very comfortable emailing you credit card photos.
Cloudflare: This is a legitimate email. You may verify this through our support team should you have any concerns. We will require this information in order to verify your billing information. Once done, we will delete it. We have suspended your account until this matter has been resolved.
A few notes here: My account is still not suspended, there doesn’t appear to be anything wrong at all. I am still being asked to email extremely sensitive data for an unclear purpose. Only via email am I told my account has been banned, and the rep doesn’t appear to know that he can still visit socialism.tools for in-depth tutorials, insightful blog posts, and the left blogospheres’ most eye-searing color scheme. Jokes aside (the color scheme is flawless, obviously) I reply again:
Me: What does having my account suspended mean? I can still log in and I don’t see any changes to my sites or any notifications anywhere on the cloudflare portal.
Cloudflare: It means you will not be able to upgrade to our paid plans till you verify your billing information. You may verify this through our support team should you have any concerns. We will require this information in order to verify your billing information. Once done, we will delete it. We have suspended your account until this matter has been resolved.
At this point, I realize this is all just a hard sell for a Cloudflare paid plan. I do not have the ability to respond to an email like that kindly, so I don’t. I do not appreciate extortion threats and started looking at other providers.
I am now, happily, using Gandi to purchase domains and manage my DNS records. Gandi integrates with Cloudron, the transfer process went fine, and Gandi supports teams, so multiple people can share responsibility for DNS. I haven’t had to reach out to their support yet so I can’t speak to that yet, but there’s no way they can be worse than Cloudflare Support.
Please learn from my mistakes, and avoid Cloudflare to begin with. They do not deserve our money or our trust.