Cloudflare goes berserk on next-gen patent troll, vows to utterly destroy it using prior-art bounties

Web giant wants to invalidate Blackbird Tech's designs, get them thrown out of profession

Cloudflare says it will go above and beyond to destroy what it claims is a uniquely dangerous patent troll.

The troll in question is Blackbird Technologies LLC, a law firm based in Boston, US. It has accused Cloudflare of ripping off a patent it owns on internet communications.

Crucially, Cloudflare CEO Matthew Prince said the battle between his company and Blackbird is over more than just one infringement claim: Blackbird's approach poses a serious threat to other tech companies, and, we're told, it must be stopped.

"They are a very dangerous new breed of patent troll different from what we have seen before," Prince, himself a former lawyer, told The Register. "This is a perfect innovation killing machine."

Blackbird sued California-based Cloudflare in Delaware in March, alleging the web giant's technology infringes US Patent 6,453,335.

This design dates back to 1998 and was granted in 2002. It was submitted by Oliver Kaufmann, and was transferred to Blackbird in 2016. It describes "an internet third party data channel."

In plainer English, it sets out a system that injects data from a third-party source into a connection between a client and a server. Picture a web browser fetching a page from a website's server and being fed information from a second source. This sounds kinda like how Cloudflare works, but not really.

Let's look at a really basic view of the architectures:

Cloudflare ... Website servers sit behind the distribution network

Blackbird ... Data is fetched from a second source by a load balancer-like device

With Cloudflare, browsers visiting a website first hit the distribution network, which fires cached static content back to the browser or passes through dynamic content from the site's servers. For example, The Register is a Cloudflare customer: resolves to a Cloudflare IP address, meaning your browser talks to Cloudflare first, and the web biz sorts out what pages and images to send back from its caches or on-the-fly from our backend servers.

Blackbird's patent describes something that may achieve similar results, but works in a totally different way: it sets out a means for "incorporating third party data into existing internet client/server connections." The browser connects to the website's server but a second source is allowed to inject stuff into the stream to help out the original backend.

It even recommends using special HTML tags to trigger this injection – just like old-school server side includes – which takes the technology even further away from Cloudflare's automatic handling of static and dynamic content.

In our view, from a quick read of the documentation, Blackbird's design sounds remarkably different to Cloudflare's approach. Critically, the server-side includes described in the patent have been around well before the patent was filed: Apache, for example, had them as early as 1996, meaning the design may be derailed by prior art.

But we're not lawyers, we're just scribes who understand networks. It's now up to Cloudflare and Blackbird to convince a court who is right and who is wrong.

This is the first time Cloudflare has faced a claim from a patent troll, we're told. Prince said that, while Cloudflare was ready for this kind of litigation, what he and his legal team found when they looked into Blackbird shocked them.

Rather than a corporation that hires outside lawyers to pursue infringement claims, Blackbird is a small law firm strapped to a war chest of patents. It is an all-in-one form-filling, claim-filing robot. It has no extra baggage and no expensive legal bills to pay, making it a rather lean and mean machine.

"In the past, patent trolls had to hire lawyers and law firms," Prince said. "These guys do away with it entirely and have the owner be a law firm themselves."

Because Blackbird is owned by the attorneys who pursue its cases, Prince explained, they are able to file lawsuits without having to worry about lawyer fees. This, he said, allows them to scoop up patents on the cheap and fire off multiple "lottery ticket" infringement claims for nothing more than the court filing fees. It allows for a machine-gun attack on companies, with patent infringement claims the bullets.

"This is a unique case. They pose an amplified risk to innovative companies everywhere," Prince said. "You can see by the volume of the lawsuits they filed, they have optimized patent trolling to a level that can inflict maximum damage."

Now, instead of just fighting to invalidate the single patent in their case, Cloudflare is backing a campaign to have all of Blackbird's patent holdings – roughly 70 of them – declared invalid for future litigation.

To achieve this, Cloudflare has ring-fenced $50,000 in bounties for prior-art proof to challenge Blackbird's holdings. Of that prize pot, $20,000 will pay those who find prior art on the '335 patent, and $30,000 for other patents.

In addition, Prince says Cloudflare plans to file with the state bar associations in Illinois and Massachusetts, where Blackbird's principal attorneys reside, alleging that by owning the patents they litigate, Blackbird lawyers are committing clear ethical violations.

In the end, Cloudflare is hoping that the legal offensive sends a clear message that would-be patent trolls should steer clear.

"If we invalidate every Blackbird patent, that would be a success," Prince said. "But the end game goes well beyond that, we are setting a precedent that if you come after us, we come after you."

Blackbird could not be reached for comment on Wednesday. ®


For those of you wondering if this righteous campaign to annihilate a patent troll is an atonement for throwing people to neo-Nazi wolves, we're told the above prior-art bounty has been in the works for weeks, well before Cloudflare's privacy cockup was exposed earlier this month.

Cloudflare provides its services for, among many other outfits, prominent white supremacist and neo-Nazi websites. If you complained to Cloudflare about this racist garbage, it would, as per its free-speech policies, forward those messages to the hate sites' administrators to deal with – including the complainants' names and email addresses. As a result, that's caused some people writing to Cloudflare to be harassed and abused by rather nasty pieces of work.

The San Francisco biz realized back in 2014 that this policy was flawed. By 2015, it updated its abuse report forms to read: "Cloudflare will forward all abuse reports that appear to be legitimate to the responsible hosting provider and to the website owner."

That disclaimer obviously wasn't clocked by netizens, so now Cloudflare gives people the option to disclose or withhold their contact details when submitting a complaint about a website on its network. "While we clearly had a significant blindspot in how we handled one type of abuse reports, we remain committed to our belief that it is not Cloudflare's role to make determinations on what content should and should not be online," said Prince in a blog post on Thursday.
