Cloudflare speaks out amid allegations it safeguards banned terror gangs' websites
Policing customers is tough, censoring content would be worse, says lawyer
Analysis Cloudflare found itself under fire this month for seemingly allowing officially designated foreign terrorists to use its website protection services. Which, under US law, would be a big no-no.
A HuffPo report claimed the US-based biz is being used by the likes of al-Shabab and the Taliban to evade attempts to shut down their sites or prevent vigilantes from knocking their sites offline.
These groups are sanctioned by the US Treasury Department's Office of Foreign Access Control, making it illegal for any US company or person to provide the scumbags material support. In effect, San Francisco-headquartered Cloudflare was accused of potentially breaking American law by providing material support to designated terror rings in the form of anti-distributed-denial-of-service (DDoS) defenses and the like.
"This is not a content-based issue: [Cloudflare] can be as pure-free-speech people as they want," noted Lawfare's Ben Wittes, "but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop."
Cloudflare's general counsel Doug Kramer admitted to The Register this week that his company's relationship with customers, particularly terror groups that operate behind multiple fronts and aliases, can be difficult to police.
Where possible, though, Cloudflare cooperates with law enforcement, follows the law, and axes its services for any websites that are flagged up as illegal or run by outlawed groups, we're told.
In other words, according to Kramer, if government officials or agents tell Cloudflare it's being used by a banned gang, or carrying legally verboten content, it will pull the plug on the problematic client. Proactively identifying those groups in among all the legit users is, we're told, the hard part. The biz tries to protect more than seven million sites, and has more than 10,000 customers sign up a day, apparently.
Kramer explained Cloudflare offers its services on two tiers: paid plans and free services. The free plans for things like DDoS mitigation and SSL certs are where terror groups most often use Cloudflare, and these services require little more than an email address to enroll.
"It is almost always a free user, using an email address," Kramer said of the illegal sites. "It is not always clear that we can tie it to an individual, let alone an individual who is a member of a [terror] group."
Meanwhile, the suggestion Cloudflare helps terrorist sites evade takedowns and identification by hiding their hosts' IP addresses ignores the technical reality of the outfit's services, said Kramer.
The lawyer pointed out that the very point of Cloudflare's anti-DDoS safeguards is to keep the IP addresses of a website's web servers protected from being identified and bombarded with an overwhelming amount of traffic.
"That mischaracterization misses the point and is kind of dangerous," Kramer told El Reg. "It takes what are essential cybersecurity tools and casts them in a bad light."
On a wider point, there is the delicate issue of turning away or proactively weeding out websites that are pretty horrid but aren't obviously illegal, or aren't obviously crafted by a banned organization, based on their content. Cloudflare has long found itself square in the middle of free expression debates by not discriminating on content, thus allowing hate speech to flow through its networks from genuinely awful web publishers, and in effect protecting content most people would find repulsive.
In 2017, Cloudflare was thrust into the spotlight when the white supremacist outlet Daily Stormer had its hosting services cut off by other providers, but remained under the protection of Cloudflare's anti-DDoS service. It was only after the website suggested Cloudflare was secretly a supporter of the Stormer's daily bile that the protection service was revoked, and even then only after much debate internally between Cloudflare staff and their CEO Matthew Prince.
Much of the hesitance to crack down quickly and harshly on potential hate speech and illegal content is based around Cloudflare's reluctance to set a precedent for itself. In other words, it doesn't want to get into a situation where web hosting or web caching companies like Cloudflare have to, or are expected to or are told to, make purely editorial judgements on the content they carry. That would mean internet carriers like Cloudflare get to decide what people ought to be able to see, when really they want to be pipes from A to B.
One day it might be terror-related radicalizing content that needs to be removed, the next it may be anti-unionization or anti-advertising material that someone decides should be hidden from sight. If you can be told what you can see or read, then it follows that you can be told what to say or think, as one adult flick put it. It's a difficult subject for society as a whole to tackle – should there be limits to free speech? – and Cloudflare doesn't want to play a role in deciding that for netizens.
"Without a clear framework as a guide for content regulation, a small number of companies will largely determine what can and cannot be online," as Prince put it last year.
Cynics, of course, might say this is because Cloudflare doesn't want to get into the expensive business of moderating millions of pieces of ever-changing content.
Kramer said taking an anti-censorship stance was a long-term decision by Cloudflare to keep itself from becoming an arbiter of what is acceptable speech and what should be censored. In the short term, however, that could mean being seen by the public as being soft, or even accommodating, to terror groups, hate speech, and other objectionable content.
"We are very thoughtful about those legal issues. It is easy to get these complaints and have a reaction where we distance ourselves and run away," he said. "We have to build standards that we can live up to. Not just today, but in the future." ®
Full disclosure: El Reg uses Cloudflare, though this article was written purely as an independent editorial follow-up to the Huffington Post's reporting.