This month, CloudFlare and EFF pushed back against major music labels’ latest strategy to force Internet infrastructure companies like CloudFlare to become trademark and copyright enforcers, by challenging a broad court order that the labels obtained in secret. Unfortunately, the court denied CloudFlare’s challenge and ruled that the secretly-obtained order applied to CloudFlare. This decision, and the strategy that led to it, present a serious problem for Internet infrastructure companies of all sorts, and for Internet users, because they lay out a blueprint for quick, easy, potentially long-lasting censorship of expressive websites with little or no court review. The fight’s not over for CloudFlare, though. Yesterday, CloudFlare filed a motion with the federal court in Manhattan, asking Judge Alison J. Nathan to modify the order and put the responsibility of identifying infringing domain names back on the music labels.

We’ve reported recently about major entertainment companies’ quest to make websites disappear from the Internet at their say-so. The Internet blacklist bills SOPA and PIPA were part of that strategy, along with the Department of Homeland Security’s project of seizing websites based on unverified accusations of copyright infringement by entertainment companies. Entertainment distributors are also lobbying ICANN, the nonprofit organization that oversees the Internet’s domain name system, to gain the power to censor and de-anonymize Internet users without court review. (Fortunately, it looks like ICANN is pushing back)

The order that CloudFlare received in May is an example of another facet of the site-blocking strategy. It works like this: entertainment companies file a lawsuit in federal court against the (possibly anonymous) owners of a website they want to make disappear. The website owners typically don’t show up in court to defend themselves, so the court issues an order to the website to stop infringing some copyright or trademark. (Often this order is initially drafted by the entertainment companies.) The entertainment companies then send a copy of the order to service providers like domain name registrars, Web hosting providers, ISPs, and content delivery networks like CloudFlare, and demand that the service providers block the targeted website or domain name, as well as other websites and domains that the entertainment companies want gone.

This month’s case involved a website that called itself Grooveshark, and appeared to be a clone of the site by that name that shut down in April after settling a copyright lawsuit to the record labels. That settlement left the labels in control of Grooveshark’s trademarks, which they proceeded to use as a weapon against the copycat site. The labels applied to the U.S. District Court for the Southern District of New York for a secret order to shut down the site, which was then located at grooveshark.io. Judge Deborah A. Batts granted the order in secret. The order covered the site’s anonymous owners, and anyone “in active concert or participation” with them. The order also listed “domain name registrars . . . and Internet service providers” among those who have to comply with it. The labels sent a copy of the order to several companies, including CloudFlare.

When a federal court issues an order (called an injunction), court rules say it can apply to a party in the case or to anyone in “active concert or participation” with them. But the courts haven’t clarified what “active concert or participation” means in the Internet context. Communication over the Internet can involve dozens of service and infrastructure providers, from hosts to domain name registrars to ISPs, backbone providers, network exchanges, and CDN services. Under a broad reading, even an electric utility or a landlord that leases space for equipment could conceivably be in “active concert or participation” with a website.

CloudFlare decided to take a stand against the overbroad order, asking the court to clarify that the order did not apply to CloudFlare. As a CDN and reverse proxy service, CloudFlare makes websites faster and more secure, but can’t suspend a site’s domain name or render it unreachable. So even if making Internet intermediaries responsible for enforcing copyright and trademark laws was a good idea (it’s not), CloudFlare is not the right one to do it. And even if the mysterious owners of the “new Grooveshark” site are bad actors, CloudFlare wanted to protect its law-abiding customers by insisting on a correct and thorough court process before cutting off any customer.

Unfortunately, the court concluded that the initial order applied to CloudFlare. And even worse, the court said that CloudFlare has to block every user with a domain name that contains “grooveshark,” no matter who owns the site. That means that CloudFlare, or any Internet infrastructure company that gets served with a copy of the court order, would have to filter and ban sites called “groovesharknews,” “grooveshark-commentary,” or “grooveshark-sucks,” no matter who runs them or what they contain.

That’s a big deal. Laws like Section 512 of the Digital Millennium Copyright Act, Section 230 of the Communications Decency Act, and court decisions on trademark law, protect Internet intermediaries from legal responsibility for the actions of their users, including the responsibility to proactively block or filter users. That protection has been vital to the growth of the Internet as a medium for communication, innovation, and learning. Those laws help keep Internet companies and entertainment conglomerates from becoming the gatekeepers of speech with the power to decide what we can and can’t communicate. The record labels didn’t accuse CloudFlare of any copyright or trademark violation—nor could they, in part because of laws like the DMCA. Yet the order against CloudFlare might force CloudFlare, and other service providers, to filter its service for terms like “grooveshark”—and other words that might appear in future court orders. Service providers like CloudFlare could find themselves in the uncomfortable position of having to figure out who’s allowed to use “grooveshark” and who isn’t—or of having to block them all. Turning Internet companies into enforcers of who can say what on the Internet is exactly what laws like the DMCA were meant to avoid.

And CloudFlare is far from the only Internet company to be hit with an order like this. Many, including some domain name registrars, simply comply with overbroad court orders, asking no questions, instead of sticking up for their users.

Yesterday, CloudFlare took a new step. Represented by EFF and Goodwin Procter, CloudFlare asked the court to change the order so that in the future, CloudFlare will only be responsible for taking down user accounts that use variations on “grooveshark” if the music labels notify CloudFlare that a site is infringing. That change will put the job of enforcing trademarks back on the trademark holders, and preserve the balance created by laws like the DMCA. CloudFlare supports smart, effective, and careful trademark enforcement and wants to see it done right – not through broad orders that can impact free speech.

Other Internet companies that care about their users, and would rather not become unwilling trademark and copyright enforcers and arbiters of speech, should follow CloudFlare’s lead and push back against orders like this one.