Last week, Cloudflare continued its legal battle against "Piracy Shield,” a misguided Italian regulatory scheme designed to protect large rightsholder interests at the expense of the broader Internet. After Cloudflare resisted registering for Piracy Shield and challenged it in court, the Italian communications regulator, AGCOM, fined Cloudflare a staggering €14 million (~$17 million). We appealed that fine on March 8, and we continue to challenge the legality of Piracy Shield itself. 

While the fine is significant, the principles at stake are even larger. This case isn't just about a single penalty; it’s about whether a handful of private entities can prioritize their own economic interests over those of Internet users by forcing global infrastructure providers to block large swaths of the Internet without oversight, transparency, or due process.

To understand why we are fighting this, it’s necessary to take a step back and understand Piracy Shield. Marketed by AGCOM as an innovative tool to fight copyright infringement, the system is better understood as a blunt tool for rightsholders to control what is available on the Internet without any traditional legal safeguards.

Piracy Shield is an unsupervised electronic portal through which an unidentified set of Italian media companies can submit websites and IP addresses that online service providers registered with Piracy Shield are then required to block within 30 minutes. Piracy Shield operates as a “black box” because there is:

• No judicial oversight: Private companies, not judges or government officials, decide what gets blocked.

• No transparency: The public, and even the service providers themselves, are often left in the dark about who requested a block or why.

• No due process: There is no mechanism for a website owner to challenge a block before their site becomes unavailable on the Italian web.

• No redress: Along with a complete lack of transparency or due process, Piracy Shield offers no effective way for impacted parties to seek redress from erroneous blocking.

It’s not entirely surprising that Piracy Shield so clearly prioritizes the economic interests of media companies over the rights of Italian Internet users. The system was “donated” to the Italian government by SP Tech, an arm of the law firm that represents several of Piracy Shield’s major direct beneficiaries, including Lega Nazionale Professionisti Serie A (Italy’s major soccer league).

Almost immediately after Piracy Shield was rolled out, there were significant problems. In addition to the unworkable 30-minute deadline and the lack of safeguards described above, the scheme requires service providers to engage in IP address blocking. This creates an unavoidable risk of overblocking innocent websites due to the fact that IP addresses are regularly and necessarily shared by thousands of websites. Not surprisingly, within a few months of its launch, Piracy Shield caused major outages for people and businesses who had done nothing wrong. 

Notable failures include:

• Government and educational blackouts: Tens of thousands of legitimate sites were rendered inaccessible from Italy, including Ukrainian government websites for schools and scientific research.

• Small business & NGO disruption: A wide range of European small businesses and NGOs focused on social programs for women and children were inadvertently blocked.

• Loss of essential services: The system blocked access to Google Drive for over 12 hours, preventing thousands of Italian students and professionals from accessing critical files.

• Persistent collateral blocking: A September 2025 study by the University of Twente confirmed that the system routinely blocks legitimate websites for months at a time.

Even when faced with clear evidence that Piracy Shield has caused significant and repeated overblocking, AGCOM did not change course. Rather, it chose to expand Piracy Shield to apply to global DNS providers and VPNs, services which are closely associated with privacy and free expression. AGCOM also started taking increasingly aggressive steps to force global service providers, even ones with no legal or operational presence in Italy, to register with Piracy Shield.

Cloudflare has been clear about the risks posed by Piracy Shield from the beginning. In 2024, we met with AGCOM to highlight the scheme’s structural flaws and consequences and proposed more effective ways to collaborate that wouldn't break the Internet’s core architecture.  

When these concerns were ignored, we moved on to legal action. We challenged AGCOM’s effort to force Cloudflare to join Piracy Shield in the Italian administrative courts and, along with the Computer & Communications Industry Association (CCIA), we filed a complaint with the European Commission. More informally, we have continued to reach out to government officials both in Italy and at the EU level to explain our position and make our concerns known. Our position has been consistent and remains that Piracy Shield is incompatible with EU law, most notably the Digital Services Act (DSA), which requires that any content restriction be proportionate and subject to strict procedural safeguards.

The European Commission, following our complaint, expressed similar concerns, issuing a letter on June 13, 2025, criticizing the lack of oversight inherent in the Piracy Shield framework. And on December 23, 2025, the Italian administrative court issued an encouraging ruling requiring AGCOM to share with Cloudflare all the records that purportedly support Piracy Shield blocking orders. While we have not yet received those records, we expect them to shed significant light on Piracy Shield’s operations. 

Rather than awaiting the outcome of our legal challenges, and less than one week after being ordered to disclose Piracy Shield records to Cloudflare, AGCOM moved on December 29, 2025, to issue its fine. The fine’s timing was not the only eyebrow-raising thing about it. The math behind the penalty is as flawed as the system it is seeking to enforce.

Under Italian law, fines for non-compliance are capped at 2% of a company’s revenue within the relevant jurisdiction. Based on Cloudflare’s Italian earnings, that cap should have limited any fine to approximately €140,000. Instead, AGCOM calculated the fine based on our global revenue, resulting in a penalty nearly 100 times higher than the legal limit.

This disproportionate approach sends a chilling message to the global tech community: if you question a flawed regulatory system or defend the rights of your users and the global Internet, you risk facing punitive and excessive financial retaliation.

At the same time, AGCOM still has not shared with Cloudflare the Piracy Shield records that it was ordered to disclose. Instead, just four days before the deadline for disclosure, AGCOM informed us that it would make some of the records available for inspection at an AGCOM facility in Naples, subject to supervision by AGCOM officials. These limitations are not just unreasonably burdensome and contrary to the letter and spirit of the disclosure order; they raise real questions about why AGCOM is so intent on resisting transparency.

We are not backing down. Cloudflare is appealing the €14 million fine, pushing for full access to AGCOM’s Piracy Shield records, and will continue to challenge the underlying legality of the Piracy Shield blocking orders in the Italian administrative courts.

We recognize that rightsholders have a legitimate interest in protecting their content. In fact, we work with rightsholders every day to address infringement in ways that are precise and effective. But those interests cannot override the basic requirements of legal due process or the technical integrity of the global Internet and our network.

We will continue to pursue this challenge in the Italian courts and through the European Commission. Global connectivity is too important to be governed by "black boxes" with 30-minute deadlines that result in widespread overblocking with no means of redress. Cloudflare remains committed to building a better Internet: one where the rules are transparent, the regulators are accountable, and the infrastructure that connects the world remains free, open, and secure.

Today we’re pleased to announce that the litigation against Sable has finally concluded on terms that we believe send a strong message to patent trolls everywhere — if you bring meritless patent claims against Cloudflare, we will fight back and we will win.

We’re also pleased to announce additional prizes in Project Jengo, and to make a final call for submissions before we determine the winners of the Final Awards. As a reminder, Project Jengo is Cloudflare’s effort to fight back against patent trolls by flipping the incentive structure that has encouraged the growth of patent trolls who extract settlements out of companies using frivolous lawsuits. We do this by asking the public to help identify prior art that can invalidate any of the patents that a troll holds, not just the ones that are asserted against Cloudflare. We’ve already given out over $125,000 to individuals since the launch of Project Jengo in 2017, and we’re looking forward to celebrating the successful end of the Sable iteration of Project Jengo with our Final Awards!

To learn more about how things concluded with Sable and next steps in Project Jengo, read on.  

For anyone just joining us on this odyssey, here is a little background on how we got here:

Sable sued Cloudflare back in March 2021. Sable is a patent troll. It doesn’t make, develop, innovate, or sell anything. Sable IP is merely a shell entity formed to monetize (make money from) an ancient patent portfolio acquired by Sable Networks from Caspian Networks in 2006. Caspian Networks was a router company that went out of business nearly 20 years ago. Using Caspian’s old patents, Sable sued Cloudflare and many other companies, including Cisco, Fortinet, Check Point, SonicWall, and Juniper Networks, alleging patent infringement. While these other companies resolved their disputes with Sable out of court, Cloudflare fought back. 

Sable initially asserted around 100 claims from four different patents against Cloudflare, accusing multiple Cloudflare products and features of infringement. Sable’s patents — the old Caspian Networks patents — related to hardware-based router technologies common over 20 years ago. Sable’s infringement arguments stretched these patent claims to their limits (and beyond) as Sable tried to apply Caspian’s hardware-based technologies to Cloudflare’s modern software-defined services delivered on the cloud.

Cloudflare fought back against Sable by launching a new round of Project Jengo, Cloudflare’s prior art contest, seeking prior art to invalidate all of Sable’s patents.

After years of Cloudflare aggressively litigating against Sable’s patents before the U.S. Patent and Trademark Office and the district court, Sable was left with only one claim from one patent to assert against Cloudflare at trial. If you’d like to know more, we described those battles, in which Cloudflare successfully eliminated around 99% of Sable’s claims, in more detail in a prior blog post.

Sable and Cloudflare came together in a five-day jury trial in Waco, Texas in February 2024. At trial, Sable did its best to try to map its decades-old router technology onto Cloudflare’s modern software-based architecture. But Sable’s case was riddled with technical issues and its efforts backed only by the desire for a payout.

To defeat Sable’s claim of infringement we needed to explain to the jury — in clear and understandable terms — why what Cloudflare does is different from what was covered by claim 25 of Sable’s remaining patent, U.S. Patent No. 7,012,919 (the ’919 patent). To do this, we enlisted the help of one of our talented Cloudflare engineers, Eric Reeves, as well as Dr. Paul Min, Senior Professor of Electrical & Systems Engineering at Washington University, an expert in the field of computer networking. Eric and Dr. Min helped us explain to the jury the multiple reasons we didn’t infringe.

^{From slide deck presented by Cloudflare to the jury during the trial}

First, we explained that the accused Cloudflare products (Magic Transit and Argo for Packets) do not route “flows” or “micro-flows” as required by claim 25. Instead, they handle packets individually, on a packet-by-packet basis. Indeed, processing each packet individually is important to the functioning of these products and Cloudflare’s DDoS and security services as a whole.

Eric also helped to tell our invention story to the jury. He explained how the Cloudflare team saw problems that needed to be solved, and built unique and innovative new products to solve them. He described the work that went into developing Magic Transit and Argo for Packets, and how these products are part of Cloudflare’s modern software-based approach, which is fundamentally different from the hardware-based technology of the ’919 patent. Together, Eric and Dr. Min explained how the benefits of Magic Transit and Argo for Packets enjoyed by Cloudflare’s customers are not attributable to any technology claimed by the ’919 patent.

^{From slide deck presented by Cloudflare to the jury during the trial}

Second, we explained that Cloudflare doesn’t infringe because claim 25 of the ’919 patent requires certain processes to occur “at” ingress and egress line cards, and Cloudflare’s accused servers do not include line cards.

^{From slide deck presented by Cloudflare to the jury during the trial}

As Dr. Min explained, “line cards” are a specific type of hardware — a physical hardware “card” — that are commonly used in routers. Sable’s witnesses could not deny that the technology of the ’919 patent was tied to old router technology. After all, Caspian Networks Inc. (where the ’919 patent inventors worked) was a router company. Caspian’s core products were routers, and we showed the jury documents describing Caspian’s routers, which used “flow-based” technology on physical hardware line cards.

^{Trial exhibit, image of sample line card}

While Sable’s technical expert tried his hardest to convince the jury that various software and hardware components of Cloudflare’s servers constitute “line cards,” his explanations defied credibility. The simple fact is that Cloudflare’s servers do not have line cards.

Ultimately, the jury understood, returning a verdict that Cloudflare does not infringe claim 25 of the ‘919 patent.

^{Excerpt from Verdict Form completed by the jury}

In addition to proving that we do not infringe, we also took on the challenge of proving to the jury that claim 25 of the ’919 patent is invalid and never should have been issued.

Proving invalidity to a jury is hard. The burden on the defendant is high: Cloudflare needed to prove by clear and convincing evidence that claim 25 is invalid.  And, proving it by describing how the claim is obvious in light of the prior art is complicated.

To do this, we again relied on our technical expert, Dr. Min, to explain how two prior art references, U.S. Patent No. 6,584,071 (Kodialam) and U.S. Patent No. 6,680,933 (Cheeseman) together render claim 25 of the ’919 patent obvious. Kodialam and Cheeseman are patents from Nortel Networks and Lucent relating to router technology developed in the late 1990s. Both are prior art to the ’919 patent (i.e., they pre-date the priority date of the ’919 patent), and when considered together by a person skilled in the area of computer engineering and computer networking technology, they rendered obvious the so-called invention of claim 25.

^{Excerpt from Verdict Form completed by the jury} 

Sable’s real motivation for suing Cloudflare — its desire for a payout — was made clear by Sable’s trial witnesses, who were unified only by their desire to present a wildly inflated view of the alleged “value” of the Sable patent and the damages allegedly owed by Cloudflare. 

Sable’s attorneys tried their best to present their clients as reasonable businessmen, just trying to get what they’re owed for Cloudflare’s purported use of Sable’s patent. But Sable couldn’t hide its true colors from the jury. When Sable presented testimony from Brooks Borchers, the founder of Sable IP, Mr. Borchers was forced to admit that Sable IP is in the “business” of filing lawsuits.

^{Excerpt from Borchers trial testimony}

 In fact, Mr. Borchers was forced to admit that Sable’s approach is to sue first and ask questions later. Even among patent trolls, this is hardly a noble business practice.

^{Excerpts from Borchers trial testimony}

What's more, Mr. Borchers and his lawyers have teamed up on cases like this before, following the same sue-first-and-ask-questions-later playbook in hopes of a payout. Sable’s true motivations for suing Cloudflare were on full display after this testimony, making Sable’s damages demand all the more galling.

Sable’s damages expert, Stephen Dell, told the jury that Sable was owed somewhere between $25 million and $94.2 million in damages. But, Mr. Dell was forced to admit to multiple flaws in his damages calculation, and Cloudflare’s damages expert Chris Bakewell explained to the jury how bad inputs and faulty assumptions led Mr. Dell to a wildly inflated damages figure. Indeed, after hearing Sable’s expert’s testimony, Judge Albright said he was “very skeptical” of Mr. Dell’s opinions, explaining that he was “very concerned that there’s not support for his methodology.”

In the end, Mr. Dell’s outsized damages demand didn’t matter because the jury found that Cloudflare did not infringe and that the asserted patent claim is invalid. But, it was revealing of Sable’s motivation (greed) and the lengths that it would go to try to get a payout.

When all was said and done, after all the testimony and argument, we were thrilled when the jury returned its verdict — after less than two hours of deliberations — finding across the board for Cloudflare. The jury’s verdict is truly a validation of our strong belief in the importance of standing up to patent trolls like Sable, and we are grateful for the jury’s time, attention and consideration!

A jury verdict is not the end of the road in a patent case ... there are post-trial motions, appeals, and other procedural hurdles to jump through before a case is truly over. Tired from the fight, and smarting from its loss, Sable decided it wanted to throw in the towel and end the fight once and for all.

In the end, Sable agreed to pay Cloudflare $225,000, grant Cloudflare a royalty-free license to its entire patent portfolio, and to dedicate its patents to the public, ensuring that Sable can never again assert them against another company.

Let’s repeat that first part, just to make sure everyone understands: 

Sable, the patent troll that sued Cloudflare back in March 2021 asserting around 100 claims across four patents, in the end wound up paying Cloudflare. While this $225,000 can’t fully compensate us for the time, energy and frustration of having to deal with this litigation for nearly three years, it does help to even the score a bit. And we hope that it sends an important message to patent trolls everywhere to beware before taking on Cloudflare.

 ^{Excerpt from the Dedication to the Public and Royalty Free License Agreement between Sable and Cloudflare}

And, let’s talk a bit more about that final part:

Sable has agreed to dedicate its entire patent portfolio to the public. This means that Sable will tell the U.S. Patent and Trademark Office that it gives up all of its legal rights to its patent portfolio. Sable can never again use these patents to sue for infringement; they can never again use these patents to try to make a quick buck.

^{Excerpt from the Dedication to the Public and Royalty Free License Agreement between Sable and Cloudflare}

Cloudflare fought back against the patent troll and we won. We not only defeated Sable's claims in court, we forced Sable to pay Cloudflare for the trouble, and we got Sable's patents dedicated to the public, ensuring that it can never assert these patents against any other company ever again. It was admittedly a lot of work for Cloudflare, but totally worth it.

A crucial part of our efforts to secure this across-the-board win are our Project Jengo participants.

Since the launch of the Project Jengo for the Sable case, we’ve received hundreds of prior art references from dedicated Project Jengo participants. So far we have awarded $70,000 in prizes to the winners of Chapters 1 through 8. And we still have $30,000 in prizes to award in the Final Awards.

This blog post marks the official “Conclusion of the Case” under the Project Jengo Sable Rules. We will continue to accept submissions during the 30-day Grace Period, which lasts until November 2, 2024, and then will move on to selecting winners of the Final Awards.

We publicly celebrated the Chapter 1, Chapter 2, Chapter 3 and Chapters 4-6 winners in previous blog posts. However, as the trial approached in the Sable case, we chose not to make public announcements for the Chapter 7 and 8 winners out of respect for the judicial process. Now that the case is over, we are delighted to give a big public shout out to the winners of Project Jengo Chapters 7 and 8!

We selected four total winners in Chapters 7 and 8, each receiving prizes of $5,000, for a grand total of $20,000. Our Chapter 7 winners, George W. and Madhu, each provided helpful and detailed charts containing element-by-element comparisons of the prior art to the relevant Sable patents. George W. is an electrical engineer and lawyer, who is active in the intellectual property community. He learned about Project Jengo in an article posted online, and thought it was a clever idea. The Chapter 8 winners, Jatin and Ketan, also provided thoughtful and detailed submissions. Jatin submitted two pieces of prior art that were particularly good references for Sable’s U.S. Patent No. 7,012,919, which contains the one claim that remained asserted against Cloudflare at trial.

We also want to again thank our prior chapter winners and everyone who participated in Project Jengo! We look forward to selecting the Final Awards winners — it will be fun to take a walk down memory lane re-reviewing the fantastic prior art submitted by our prior winners, and we can’t wait to check out the new submissions, too! Please use the “Submit Prior Art” link on this page for your final entries. Once we’ve announced our Final Awards, we will also update the Sable patents prior art listing on our website, to share all the prior art submitted by our Project Jengo participants.

For almost seven years, Cloudflare has been fighting against patent trolls. We’ve been doing this successfully through the efforts of our own legal team, external counsel, and the extraordinary efforts of people on the Internet looking for prior art (and getting rewarded for it) through our Project Jengo.

While we refuse to pay trolls for their meritless claims, we’ve been happy to award prizes to Project Jengo participants who help stop the trolls through prior art that invalidates their patents or claims. Project Jengo participants helped us in the past roundly beat the patent troll Blackbird (who subsequently went out of business).

Today, we’re back to talk about yet another win thanks to a lot of work by us, our external counsel, and Project Jengo participants.

Last Thursday, on a clear, sunny morning in Waco, Texas, a jury returned a verdict after less than two hours of deliberation. The jury found that Cloudflare did not infringe the patent asserted against Cloudflare by patent trolls Sable IP and Sable Networks.

And while that would have been enough to decide the case by itself, the jury went further and found that Sable’s old and broadly-written patent claim was invalid and never should have been granted in the first place–meaning they can no longer assert the claim against anyone else. Since Sable first sued us, we’ve invalidated significant parts of three Sable patents, hamstringing their ability to bring lawsuits against other companies.

It’s worth noting that very few lawsuits ever reach a jury. Most non-lawyers are shocked to learn that only about 1% of civil cases make it to trial, because trials are generally what they see on TV or in film. But professional litigators know that almost all cases are resolved much earlier through procedures that are much less entertaining to watch on screen: written motions, delay, or settlement. A big reason for this is that taking a case to trial–even on simple matters–is extremely costly. In patent cases, that means millions of dollars.

As we described in our first Project Jengo blog post, these costs are the threat that patent trolls rely on to extract sizable settlements out of innovative technology companies. It’s often easier for technology companies to pay a settlement rather than pay millions more in litigation costs that likely can’t be recovered even if the technology company wins. Patent trolls usually don’t want to incur the costs of going to trial either, but they typically wait for the other side to blink first and pay up–especially because the company accused of infringement is the one that faces the risk of a bad verdict and damages award.

But every once in a while the target doesn’t blink. Cloudflare’s hard fought victory, the culmination of three years of litigation, is a strong warning to all patent trolls–we will not be intimidated into playing your game.  

Let’s recap how we got here. This case began in March 2021 when Sable Networks and Sable IP filed a complaint against Cloudflare in federal court. Sable asserted around 100 claims spanning four patents against multiple Cloudflare products and features. The patents relied on by Sable were filed around the turn of the century, and they addressed the hardware-based router technology of the day. More specifically, they addressed a particular type of hardware focused on “flows'' composed of multiple linked packets. This approach is not used by modern-day software-defined services delivered on the cloud, particularly not services like Cloudflare that handle traffic on a packet-by-packet basis. But that didn’t stop Sable from arguing its broadly-worded patents covered essentially all router operations, including Cloudflare’s cutting edge technology–well beyond what the asserted patent claims were ever intended to cover.

As with many patent trolls, Sable IP has never made or sold products and doesn’t employ a single person to create or design actual technology. Sable IP was created as a shell entity in 2020 to monetize the patent portfolio of Sable Networks, which itself was formed in 2006 and allegedly acquired the assets–including the patents–of Caspian Networks, a router company that had shuttered its operations. Sable IP is one of many such shell entities formed to “monetize” patents through lawyer-driven litigation campaigns.  

Cloudflare wasn’t Sable’s only target. Sable sued a number of other companies, including Cisco, Fortinet, Check Point, SonicWall, Juniper Networks, and others, each of which eventually resolved the lawsuit against them out of court. Cloudflare took a different approach.

To kick off our fight against Sable, we launched another round of Project Jengo, crowdsourcing submissions of prior art for all of Sable’s active patents–including patents not asserted against Cloudflare–and committing a $100,000 award to be split among winners that submitted strong prior art. Dedicated readers will remember Cloudflare’s first round of Project Jengo, which helped put the notorious patent troll Blackbird out of business. We’ve received dozens of submissions since we launched this Sable-focused round of Project Jengo, and have awarded \$70,000 since 2021. We will distribute the remaining \$30,000 to winners of the Final Awards which we will announce after the official conclusion of the case per the Project Jengo Rules.

Relying on prior art, we filed petitions for inter partes review to the U.S. Patent and Trademark Office (“USPTO”) seeking to invalidate Sable’s patents. The inter partes process is an administrative proceeding that involves filing briefs for administrative patent judges at the USPTO to determine if a patent should have been issued in the first place. In many cases it's a helpful process available to try and limit the threat of patent trolls. In May 2022, to avoid responding to one of those petitions–and to avoid the risk that its patent would be canceled altogether–Sable voluntarily canceled all of the claims asserted against Cloudflare under one of its patents. And in January 2023, we were successful in invalidating the portions of a second Sable patent that had been asserted against us.  

Two patents down, Sable refused to give up. By December 2023, through its petitions to the USPTO and related motions before the court, Cloudflare had successfully narrowed the number of patents and claims at issue from approximately 100 claims across four, to just five claims from two patents. Then, at the pretrial conference on December 13, 2023, the court issued summary judgment in our favor on a third Sable patent. Summary judgment is a process where the court determines that an argument is so clear that no reasonable jury could rule otherwise. This further narrowed the case to a single asserted claim on a single patent–claim 25 of U.S. Patent No. 7,012,919.

Through years of hard work, we’d successfully whittled down Sable’s case from about 100 claims across four patents to just one claim of one patent. But despite all that success, the fact remained…we were heading to trial, and it can be difficult to know what a jury will decide–and what damages they may award–on heavily technical issues.

We weren’t just heading to trial, we were heading to the Western District of Texas. Waco, Texas, to be precise, where Sable chose to file its lawsuit. The Western District of Texas has in recent years become a popular venue for patent plaintiffs, as it has a reputation for being a friendly jurisdiction for patent holders.

Sable’s trial story was not compelling. On the technical merits, Sable had the unenviable task of trying to map decades-old flow-based hardware router technology onto Cloudflare’s modern, software-defined packet-by-packet architecture. They attempted to do so through a series of hand waving exercises, equating the “line cards” required by the patent to various different software and hardware used by Cloudflare, and suggesting that any flow of packets across Cloudflare’s network could be construed as the specific “micro-flows” at the center of its patent.

Beyond the technical issues, Sable’s story was simple, though not very attractive–Sable wanted money. Having acquired rights to the patents of a failed hardware company, they were seeking to “monetize” those patents to the greatest extent possible. If that meant leveraging a patent related to decades-old router hardware to sue a cloud-based service provider, so be it. And if it required leaps of logic and untethered claims that might make a toddler blush, oh well.  

When it was our turn, we told the jury our story. How Cloudflare was founded to help build a better Internet by moving past old, hardware-based solutions to new, cloud-based solutions delivered through our global network. We explained the hard work put into building our network, and all the services that sit on top of it. One of our outstanding engineers described what it’s like to create a new product, working with teams of engineers, product managers, and others to bring something exciting to the market for the first time.

We drilled down into Sable’s twenty-year old patent, explaining the many reasons why the patent does not describe anything that Cloudflare actually does. Among other things, the patent requires various steps to be performed at a “line card,” and Cloudflare’s accused edge servers don’t include a single such line card. And while the patent focused on flow-based routing, Cloudflare designed its system to perform packet-by-packet inspection to protect against malicious traffic. We also explained that the patent claim asserted against Cloudflare is invalid–and never should have been issued–because it was obvious in view of the prior art and lacked the required written description. In fact, Sable’s patent covered, at best, only technology that had already been described by inventors at Nortel Networks and Lucent Technologies–leading routing technology companies at the time.  

During closing arguments, Cloudflare’s trial lawyer made one thing clear–this case was about more than Sable or Cloudflare. The patent system was designed to foster innovation and promote the progress of science, but what Sable was doing was exactly the opposite: bringing meritless cases in an effort to turn a buck, and stifling progress in the process. That distortion and abuse of the patent system has to stop and, ultimately, only the jury had the power to end it.

To our great satisfaction, the jury answered that call. The jury’s decision did not take long. Less than two hours after leaving the courtroom to deliberate, the jury returned with a verdict that sends a message far beyond the courthouse. No infringement by Cloudflare, and Sable’s patent is invalid.

The combined Cloudflare and external counsel team

We’ll enjoy this verdict for a long time, but the hard work doesn’t stop here. Cloudflare is dedicated to rebalancing a system that is being distorted by trolls like Sable. As part of our efforts, we look forward to announcing the final awards for Project Jengo on this blog following the conclusion of the case. We’ll also plan to share additional thoughts and insights we’ve gleaned from facing down a troll at trial.

For now, we want to express our sincere gratitude to the judge and jury for the hard work they put in at trial, including the jury weighing the evidence and understanding the complex technology at issue in the case. Cloudflare is deeply grateful for the jury’s time and efforts over the past week, its careful consideration of all the facts, and for its verdict. We also again want to thank our amazing trial lawyers from Charhon Callahan Robson & Garza PLLC, and The Dacus Firm. If you end up with a patent troll problem, we recommend them highly.

A recent decision from the Higher Regional Court of Cologne in Germany marked important progress for Cloudflare and the Internet in pushing back against misguided attempts to address online copyright infringement through the DNS system. In early November, the Court in Universal v. Cloudflare issued its decision rejecting a request to require public DNS resolvers like Cloudflare’s 1.1.1.1. to block websites based on allegations of online copyright infringement. That’s a position we’ve long advocated, because blocking through public resolvers is ineffective and disproportionate, and it does not allow for much-needed transparency as to what is blocked and why.

To see why the Universal decision matters, it’s important to understand what a public DNS resolver is, and why it’s not a good place to try to moderate content on the Internet.

The DNS system translates website names to IP addresses, so that Internet requests can be routed to the correct location. At a high-level, the DNS system consists of two parts. On one side sit a series of nameservers (Root, TLD, and Authoritative) that together store information mapping domain names to IP addresses; on the other side sit DNS resolvers (also called recursive resolvers), which query the nameservers to answer where a particular website is located. The nameservers are like the telephone book listing names and phone numbers, while recursive resolvers are like the phone operator looking up a number.

While authoritative nameservers are managed and used directly by website operators, recursive resolvers are selected and used by those browsing the Internet. If you’re reading this at work, you may have navigated to this webpage using a DNS resolver chosen by your employer. If you’re reading it on a personal device at home, it’s possible you used your ISP’s default resolver. Alternatively, with a little technical know-how, you might have built your own DNS resolver and run it yourself or you might have chosen to use one of many public DNS resolvers available on the Internet.

Cloudflare launched its public DNS resolver, 1.1.1.1 in April 2018, because we wanted to provide a fast and private way to navigate the Internet. While Cloudflare’s resolver regularly scores as the fastest around, it is one of a number of options. Other well known public resolvers include Google’s 8.8.8.8, Cisco’s OpenDNS, and Quad9. Users might choose a public DNS resolver for privacy reasons, for added safety or security, or simply because they want the best performing option available. Whatever their reason, individuals can switch their DNS resolver at any time.

Like other links in the Internet connection chain, DNS resolvers have sometimes been used as a way to try to prevent access to content. Blocking at the resolver level is like removing a listing from a phone book. By refusing to return an IP address in response to requests for a particular website, a DNS resolver can make it appear like an entire website has effectively disappeared from the Internet to an individual using that resolver. Unlike removing the content at the hosting provider, however, the content is still accessible online, just a bit harder to find. Much as having an unlisted phone number didn’t prevent a phone number from being found through other channels and called, a block in a resolver doesn’t preclude an Internet user from navigating to a website in a myriad of other ways. A user can use an alternative resolver, build their own resolver, or simply type in the website’s IP address.

Because DNS returns IP addresses for entire domains, blocking through DNS resolvers can only be done at a domain-wide level; it is not possible to block specific pieces of content, individual webpages, or even subdomains without blocking the entire website. So a blocking order seeking to remove a copyrighted image through DNS blocking — especially for a website with many contributors or user-generated content — would result in blocking all content on the entire domain. That means that unless the entire website is a problem, applying a block through DNS is likely to block access to content that has not been identified by a court as infringing or otherwise problematic.

The way DNS blocking works — declining to return an IP address — also means there is no explanation provided to an individual as to why they were unable to access the website at issue. There is no notice or transparency.  Although there have been proposals for protocols that would allow an error code to be returned in such cases, nothing has yet been implemented.

Internet Service Providers (ISPs) located in particular jurisdictions have sometimes instituted blocks through their DNS resolvers as one way to try to comply with orders that apply in that jurisdiction directing them to make certain websites inaccessible to their users. For example, a German ISP that serves only German users might have its DNS resolver refuse to return an IP address for a website when provided an order by a German court to block that entire site.

Rightsholders have recently sought to extend such blocking to public DNS resolvers. But public DNS resolvers aren’t the same as DNS resolvers operated by a local ISP. Public DNS resolvers typically operate the same way around the globe. That means that if a public resolver applied the block the way an ISP does, it would apply everywhere. So the German court ordering the block would be dictating what information is available to the resolver’s users in India, the United States, Argentina and every other country the resolver is used. Attempting to apply blocks in a more geographically targeted way based on the location of individual resolver users raises serious technical hurdles not faced by local ISPs, and it also raises privacy issues worth taking seriously.

Cloudflare built 1.1.1.1 to allow Internet users an option for DNS resolution that would be fast and wouldn’t collect their personal information.  Many DNS operators have historically sold information about users based on the websites they have queried – 1.1.1.1 is designed to prevent such information from ever being collected. Blocking orders directed at public resolvers would require the collection of information about where the requests are coming from in order to limit these negative impacts while demonstrating compliance. That would be bad for personal privacy and bad for the Internet.

These core features of public resolvers present fundamental obstacles to using such resolvers to block content.

Consider what you would expect if a website you were trying to visit had been blocked due to legal order. First, you would expect that the blocked content is genuinely prohibited by law. You would not expect an entire website to be unavailable merely because some portion of the website violated copyright, and you also would not expect a website to be blocked to a visitor in one country by virtue of an order issued in an entirely different country on the other side of the world.

Second, you would expect to be told why the website is unavailable. Rather than a blank screen or no response, you would want a message explaining that the website has been ordered blocked, and identifying the legal authority for that action.

Finally, you would expect that whatever blocking mechanism was instituted is actually effective. We should not be changing fundamental ways about how the Internet operates if it will not even have the intended effect.

Blocking through public resolvers fails all of these requirements. As discussed above, it cannot be applied narrowly to particular content or particular geographies. Unlike ISP blocking that is necessarily limited to the geographic region in which the ISP operates, blocking through global public resolvers can only be implemented in a way that extends across borders to jurisdictions that might never have sought to block the same content. That is, unless we collect more personal information than we need to about the user.  

It’s also not transparent. A user does not know that they have been blocked from seeing content by a court order. They only know that they cannot access the website.That makes it hard for the public to hold government officials accountable for errors or overblocking.  

And it’s not even effective. Traditionally, website operators or hosting providers are ordered to remove infringing or illegal content, which is an effective way to make sure that information is no longer available. A DNS block works only as long as the individual continues to use the resolver, and the content remains available and will become accessible again as soon as they switch to another resolver, or build their own.

Despite these problems, some rightsholders have insisted that public resolvers can be ordered to block websites based on online infringement. Cloudflare, along with others like Quad9 and Google, have pushed back. While there have been a limited number of preliminary rulings on this issue, the Higher Regional Court’s decision in Universal marks the first time that an appellate court in Europe has ruled on public resolver blocking in the main proceedings.

Originally filed in 2019, the Universal case was one of the first attempts by a rightsholder to obtain an order requiring blocking through a public DNS resolver. The case concerns an allegedly copyright infringing music album posted on a website that, at the time the case was filed, was using Cloudflare’s pass-through security and CDN services. The Cologne Regional Court issued a preliminary ruling directing Cloudflare to block the website through both our CDN service and our public resolver. Cloudflare has no mechanism for blocking websites through 1.1.1.1., and we have never blocked a website through our public resolver. But Cloudflare did take steps to block access to the website in Germany through our CDN and pass-through security service. The website subsequently went offline and is no longer available on the Internet. Recognizing the importance of the underlying legal principles at stake, we nonetheless continued to litigate the case.

The Higher Regional Court’s recent decision makes clear that public DNS resolvers are not an appropriate tool for seeking to address online infringement, or moderate content more generally. The court explained that “with the DNS resolver, the defendant provides a tool that is accessible to everyone free of charge, is in the public interest and is approved, and which participates purely passively, automatically and neutrally in the connection of Internet domains.” It further noted that blocking through a public resolver is not effective, because individuals can easily change resolvers.

Importantly, the court held that DNS services are protected by the EU’s Digital Services Act (DSA), which was enacted last year. Like the e-Commerce Directive before it, the DSA recognizes that different types of services have different abilities to address content issues, and it distinguishes “mere conduit” and “caching” services from “hosting” services in their roles in addressing infringing content. Helpfully, the DSA expressly lists DNS and CDN services as non-hosting services subject to different obligations than hosting services. The Higher Regional Court recognized that DNS resolvers are entitled to the same protections from liability as other “mere conduits,”  and it rejected the plaintiff's request for DNS blocking in this case.

While the Higher Regional Court’s decision represents important progress on the DNS issue, the fight over how best to address online infringement continues. Rightsholders have filed lawsuits against other DNS providers and in other jurisdictions seeking similar blocking orders. We will continue to advocate against that outcome, because we think it is bad for the Internet. We hope that the Higher Regional Court’s reasoning on the DNS issue will help persuade other courts.

At the same time, while the Universal decision on DNS is the headline, there were other parts of the opinion that raise concerns. The court affirmed the lower court judgment requiring Cloudflare to block access to the website at issue through our CDN and pass-through security service. That decision has no immediate practical effect, because the website at issue is no longer available online and Cloudflare was already in compliance with the judgment. But to the extent the decision can be read to imply a broader obligation by pass-through security and CDN services to address online content, that is inconsistent with the nature of our services and with the DSA, which expressly identifies CDN services as among the caching services entitled to a liability privilege. Cloudflare therefore plans to appeal that aspect of the decision.

We appreciate the efforts of thoughtful judges to learn about how the Internet works and make sure their decisions are consistent with the larger public benefits of a well-functioning Internet, including security, reliability, and privacy. This decision marks further progress in Cloudflare’s fight to ensure that efforts to address online infringement are compatible with the technical nature of various Internet services, and with important legal and human rights principles around due process, transparency, and proportionality. We will continue that battle both through public advocacy and, as necessary, through litigation, as one more part of helping build a better Internet.

Since the founding of the Internet, online copyright infringement has been a real concern for policy makers, copyright holders, and service providers, and there have been considerable efforts to find effective ways to combat it. Many of the most significant legal questions around what is called “intermediary liability” — the extent to which different links in the chain of an Internet transmission can be held liable for problematic online content — have been pressed on lawmakers and regulators, and played out in courts around issues of copyright.

Although section 230 of the Communications Decency Act in the United States provides important protections from liability for intermediaries, copyright and other intellectual property claims are one of the very few areas carved out of that immunity.

Over the years, copyright holders have sometimes sought to hold Cloudflare liable for infringing content on websites using our services. This never made much sense to us. We don’t host the content of the websites at issue, we don’t aggregate or promote the content or in any way help end users find it, and our services are not even necessary for the content’s availability online. Infrastructure service providers like Cloudflare are not well positioned to solve problems like online infringement.

Also, while we cannot prevent online infringement, we’ve set up abuse processes to assist copyright holders address the issue by connecting them with the hosting providers and website operators actually able to take such content off the Internet.

But the combination of decades-old copyright statutes and rapidly innovating Internet services has left some copyright holders believing they might have a viable claim against us. Add in the fact that statutory damage provisions in the United States copyright law were not written with the Internet in mind and seemingly allow for the possibility of astronomical damage awards when content is transmitted online at scale. So it’s not altogether surprising that plaintiffs are sometimes tempted to try their luck suing Cloudflare.

Yesterday, in Mon Cheri Bridals, LLC v. Cloudflare, Inc., the United States District Court for the Northern District of California rejected one such lawsuit, granting Cloudflare’s motion for summary judgment and concluding that no reasonable jury could find Cloudflare liable for the alleged copyright infringement at issue.

The plaintiffs in the case sell wedding dresses online, and they asserted that other websites illegally used their copyrighted pictures of the dresses while selling knockoff dresses. In a quirk of US copyright law, most fashion designs are not copyright protected, while pictures of those designs can be protected. Rather than pursue their claims against the website operators, their hosting providers, or any of the numerous other service providers necessary to their business, the plaintiffs targeted Cloudflare, seeking to hold us liable for contributory copyright infringement on the grounds that the websites at issue used our CDN and pass-through security services, most of them for free.

The district court rejected that claim, holding that merely providing CDN and pass-through security services to the websites did not make Cloudflare responsible for their alleged infringement. The court explained that Cloudflare’s services were not necessary to and did not “significantly magnify” any infringement. It also recognized that Cloudflare cannot eliminate infringement by websites using its CDN services, because “removing material from a cache without removing it from the hosting service would not prevent the direct infringement from occurring.” Finally, the court observed that Cloudflare’s abuse reporting system is designed to put copyright holders in the same position they would be if the websites at issue were not using our services, by connecting copyright holders with the hosting providers and website operators actually able to effectively address the issue. Notably, the court decided the case solely on the contributory infringement issue, and it did not even reach our independent arguments that we are protected from any liability by the Digital Millennium Copyright Act’s safe harbors.

Obviously, we agree with the district court’s reasoning, and we hope it goes a long way towards discouraging these types of claims in the future. Throughout this case, we’ve worked closely with our attorneys at Fenwick & West who have demonstrated great skill and diligence.  We plan to continue to fight other lawsuits of this nature. We have long understood that different types of services have different abilities and responsibilities to address online infringement, and we designed our abuse process with that in mind. Broader recognition of those principles will allow us to “help build a better Internet” by providing security and reliability services without being dragged into every dispute between third parties and someone who uses our services.  We think that will be better for the Internet.