
> but hope there will always be more independent web because we exist than there would be if we didn’t.

I'm wary about joining in on Cloudflare bashing. I like Cloudflare. But...

The mark of a responsible company is that it has plans to mitigate potential harm once it stops being responsible. At one point growing up, I would have made the same arguments you make here about Google. They're not perfect, but they're better than the alternative.

The problem is that this promise essentially boils down to, "we'll try very hard not to be bad." You can't make that promise, even if you're a good person. At some point you're going to either retire or die, and your company will be handed off to other people. Your comment doesn't make me feel any better, because it reads to me like your plan is, "things won't go wrong", and you don't know that.

I'm glad Cloudflare exists, and I do think you're doing a heck of a lot more good than harm. Cloudflare is about as close as anyone can get to an ethical company. But if this is the attitude, then Cloudflare is not a responsible company, because it's not making plans for what will happen after its owners turn evil. Cloudflare is an ally for the Open Web right now. It doesn't have a backup strategy I can see for when that changes.

The Shopify analogy is actually really fitting to me. Shopify is better than Amazon, but Shopify is definitely not where I want the future of commerce to be. Many of the problems and risks inherent in Amazon's design are also inherent in Shopify -- Shopify just happens to be a more ethical company that tries harder not to exploit those flaws.

At some point in the future, once we've all centralized everything onto Shopify, that will change and Shopify will become the new Amazon. And at some point in the future, maybe even decades from now, Cloudflare will become evil. All powerful companies eventually become evil, it's inevitable.



Concretely, what are you suggesting Cloudflare is doing wrong here? What responsible things should they be doing that they aren't?

The "we try very hard not to be bad" form of mitigation is scary when the company is doing dangerous things without adequate safeguards, but I don't see how you figure Cloudflare is doing that here. Ultimately, when you've done everything you can not to put people at risk and the only remaining risk is that you'll stop being trustworthy, "We try very hard not to be bad" is all you can offer. So what more do you think they should be doing that would meaningfully reduce this risk?


If they really want to mitigate risk, then they should open up their tech, and promote competition. Not in their interests, but decentralising is the only way to safeguard against potential later abuses of power.


What I'm complaining about is a lot more broad than just the specific dangers with this service -- it has to do with how Cloudflare prioritizes what it spends its time on, and what the effects are of consolidation even with good actors. I disagree that conversation can be boiled down to, "what specifically is wrong with this particular project."

But, asking for specifics is reasonable, so very briefly, I'll describe two concrete problems I have.

----

First (and biggest), IP addresses should be hidden for everyone or no one. Cloudflare is revealing IP addresses because it doesn't want its VPN to be used as a privacy tool, just as a security tool. By positioning itself as a way to keep your data encrypted, and not as a way to bypass geo-locks, it's also less likely to be blocked by other companies. Ignoring whether or not it's a good use of resources for Cloudflare to make VPNs less private, this is on its face not unreasonable.

However, when you dig into the details, IP addresses are only exposed to websites that are using Cloudflare[0]. This creates a perverse economic incentive for sites to sign up for Cloudflare, because effectively Cloudflare is holding user data captive. If you're the NYT, and you thrive on data collection, and suddenly a huge portion of your visitors have their IP addresses hidden, and you can get those IP addresses by paying Cloudflare... that's problematic. That's Cloudflare creating a problem and then letting you pay them to solve it.

Cloudflare is looking into ways to expose IP addresses everywhere. Until they figure that out, they should either avoid launching the service, or they should hide IP addresses from Cloudflare customers.

----

Secondly, while there are people here disputing Warp's performance increases, let's assume that (particularly Warp+) works as advertised and really does help make slow collections faster. It's worth noting that the majority of the underlying technology beneath Warp and Argo only works for companies of Cloudflare's scale. Cloudflare itself acknowledges this:

> There are few companies that have the breadth, reach, scale, and flexibility of Cloudflare's network. We don’t believe there are any such companies that aren't primarily motivated by selling user data or advertising. We realized a few years back that providing a VPN service wouldn’t meaningfully change the costs of the network we're already running successfully. That meant if we could pull off the technology then we could afford to offer this service.[1]

This makes it much harder for users to move away from Cloudflare or switch to an alternative VPN if Cloudflare turns evil, because unless the VPN market stays diverse, it won't get the opportunity to become diverse again in the future.

Google helped wall in its AI dominance by investing heavily into AI research that relied on massive data collection for good performance. This restricted small competitors from ever being able to compete with them, because they didn't have massive databases. That dominance became self-reinforcing, because Google's AI programs are all designed to increase the size of its database. At the same time, Google garnered good will by Open Sourcing its underlying technology, despite the fact that the technology was useless to potential competitors without large data sets.

In the same way, Cloudflare is able to wall in its dominance by primarily researching technologies that require a network of Cloudflare's scale in order to work. In effect, Cloudflare is investing a lot of effort into technologies that only work for big companies. Google can claim, "it's not our fault that we have the most data, what do you want us to do?" Cloudflare can claim, "it's not our fault that we have the biggest network. There's no switch we can flip to make the network size not matter, it's just the logistics of cost." But if a technology or service results in a natural monopoly, that's still a monopoly.

As a concrete step, to be responsible, Cloudflare should be looking for ways to allow competing 3rd-party VPNs to utilize Argo in the same way that Warp+ does. It should be possible to build a competing VPN service that gets the same speed benefits of Warp+.

[0]: https://news.ycombinator.com/item?id=21070828

[1]: https://blog.cloudflare.com/1111-warp-better-vpn/


There is a fundamental difference between Google and Cloudflare. Cloudflare has a real business that is based on paying customers. Google never had that. It was founded in 1998 and AdWords was introduced in 2000. Cloudflare is already 10 years old and not showing any sign that it will change its business model. As far as I am concerned, they are a trusted vendor and I will trust them with my business unless they change up.



