Why it matters: Cloudflare has been accused of providing internet related services to terrorist organizations – again. The company, which receives more traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined, offers essential services that protect and shield websites from all sorts of attacks, most notably DDoS. If a terrorist organization needed protection from vigilante hackers, they’d be forced to go with one of the best networks out there, but why would any respected American company offer service to terrorists?
An investigation by the HuffPost has found that Cloudflare provides online protection to seven terrorist organisations. These include the Taliban, al-Shabab, the Popular Front for the Liberation of Palestine, Al Quds Brigades, the Kurdistan Worker’s Party (PKK), the al-Aqsa Martyrs Brigade and Hamas. While various experts from the US and the international Counter Extremism Project have analyzed the websites and are very certain in their findings, Cloudflare refuses to admit if they are protecting the websites, citing “privacy concerns.”
If they are providing services to these websites, it would be illegal. All these organizations are included on government terrorist lists, and that means that providing “material support” to them, including communications technology, is prohibited. 18 U.S.C. §2339B defines material support as any product or service, excluding medicine or religious materials.
“If and when you know or reasonably should know, then you’re in legal jeopardy if you continue to provide service.”
“This is not a content-based issue,” Benjamin Wittes, the editor in chief of Lawfare and a senior fellow at the Brookings Institution, told HuffPost. “[Cloudflare] can be as pure-free-speech people as they want — they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not — but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”
Even Cloudflare agrees that providing service to these terrorist organizations is illegal. Doug Kramer, Cloudflare’s general counsel, told Cnet that it has a process for checking if a potential customer is on a terrorist list and that it will deny service if they are.
“Our policy is that if we receive new information that raises a flag or a concern about a potentially sanctioned party, then we’ll follow up to figure out whether or not that’s something that we need to take action on,” Cloudflare says. “Part of the challenge is really to determine which of those are legitimate inquiries and which of those are trying to manipulate the complaint process to take down people with whom they disagree.”
For some reason, however, their practice of providing services to terrorists has been continuing. The first reports of terrorists using their services surfaced in 2012 when Reuters confronted them with two websites which had affiliations with Hamas and al-Quds Brigades. Cloudflare’s CEO, Mathew Prince, simply said: “we are not sending money, or helping people arm themselves.”
The company continued to follow the ultra-liberal approach when they were confronted again in 2013, this time by independent journalist James Cook. He’d discovered a website managed by al-Qaeda and protected by Cloudflare. Prince once again personally responded, this time in a blog post. “A website is speech. It is not a bomb. We do not believe in ‘investigating’ if the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.”
In 2015 rogue hacking group Anonymous (which some argue are terrorists themselves) accused Cloudflare of serving “dozens” of ISIS-affiliated websites. Prince called this an “armchair analysis” by “15-year-old kids in Guy Fawkes masks.” He denied that the websites were ISIS-affiliated.
The first crack in Cloudflare’s seemingly invincible – or absent – conscience came last year, in response to the Charlottesville riots. Cloudflare ended their protection of white-supremacist and neo-Nazi site the Daily Stormer. In an internal email, Prince said he “woke up in a bad mood and decided to kick them off the internet.” He explained the decision further in a public blog post, where he said the company’s perspective changed when the Daily Stormer hinted that Cloudflare might support their views.
Logically, Cloudflare should have been investigated six years ago when the first terrorist website was discovered. Inexplicably, however, Cloudflare has never seen the business end of a gavel. Prince, who by all accounts has maintained an iron grip over the company since founding it in 2009, has continued to fight this as if it were a moral debate.
Prince’s stance seems to be that simply letting hackers destroy any website Cloudflare doesn’t approve of is not real justice. The removal of a website should only be done at the direction of a court. In many ways, his statements echo the arguments for net neutrality: altering how the internet is seen and accessed should not be in the hands of a commercial body. It should, however, be in the hands of the legal system, which makes the fact that the government has never requested that Cloudflare terminate services for a webpage even more confusing.
Ultimately, however, this is not a moral debate. Several possible reasons exist for Cloudflare’s decision to continue protecting these websites. First and foremost is that Cloudflare believes it is the government’s responsibility, the government believes it is Cloudflare’s responsibility, and neither is paying attention to the matter. Hopefully, that’s not the case.
The other possibility is that despite what Cloudflare claims, they do in fact work with government agencies to monitor the websites for useful information. During an interview in 2015, Prince hinted that the government had approved them to keep certain “controversial” sites online. The FBI, Justice Department, State Department, Treasury Department and the White House all declined to comment on this speculation.
Cloudflare’s mission is to “make the internet a better place.” By protecting websites belonging to terrorists, they would not be doing that. At the end of the day, all we can do is hope that they’re doing the right thing behind closed doors.