Cloudflare Under Fire for Allegedly Providing DDoS Protection for Terrorist Websites

Illustration for article titled Cloudflare Under Fire for Allegedly Providing DDoS Protection for Terrorist Websites
Photo: Getty

At a moment when free speech online and moderation policies are more controversial than ever, Cloudflare is facing accusations that it’s providing cybersecurity protection for at least seven terrorist organizations—a situation that some legal experts say could put it in legal jeopardy.


Cloudflare offers a wide-range of services that are fundamental to operating a modern website, such as DDoS protection that prevents a site from being overwhelmed by too many simultaneous requests. It’s a massive organization that claims to handle 10 percent of all internet requests and is reportedly preparing $3.5 billion IPO.

On Friday, HuffPost reported that it has reviewed numerous websites run by terrorist organizations and confirmed with four national security and counter-extremism experts that the sites are under the protection of Cloudflare’s cybersecurity services. From the report:

Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC).


In the United States, it’s a crime to knowingly provide tangible or intangible “material support” — including communications equipment — to a designated foreign terrorist organization or to provide service to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.

While private companies like Facebook place certain limits on speech in their terms of service, Cloudflare prefers to remain as hands off as possible. Being a Facebook user is a choice that anyone can make for themselves and the price of admission includes playing by its rules. But services like hosting, domain registration, and the kind of protection that Cloudflare offers go to the heart of the internet’s infrastructure. Going as far back as 2012, Cloudflare’s CEO Matthew Prince has pushed back on the idea that the company should police speech and today its policy is strictly to comply with legal obligations.

At least, that’s its operational policy. The policy from its terms of use gives Cloudflare the right to terminate services “with or without notice for any reason or no reason at all.” Last year, Prince broke with his own standards and discontinued his company’s work with the neo-Nazi website the Daily Stormer. At the time, Prince wrote to employees in an internal email: “I think the people who run The Daily Stormer are abhorrent. But again I don’t think my political decisions should determine who should and shouldn’t be on the internet.”

That doesn’t mean that Prince doesn’t consider terrorism abhorrent, which in the case of the Daily Stormer, he freely admitted, “I woke up this morning in a bad mood and decided to kick them off the Internet.” Since then, he’s remained an absolutist when it comes to free speech and neutrality towards customers.

The issue that HuffPost raises is whether Cloudflare is providing “material support” to sanctioned organizations. Some attorneys told HuffPost that it may be in violation of the law. Others, like the Electronic Frontier Foundation, argue that “material support” can and has been abused to silence speech. Cloudflare’s general counsel, Doug Kramer, told Gizmodo over the phone that the company works closely with the U.S. government to ensure that it meets all of its legal obligations. He said that it is “proactive to screen for sanctioned groups and reactive to respond when its made aware of a sanctioned group” to which it may be providing services.


HuffPost spoke with representatives from the Counter Extremism Project, who expressed frustration that they’ve sent four letters to Cloudflare over the last two years identifying seven terrorist-operated sites without receiving a reply. Kramer would not address any specific customers or situations when speaking with Gizmodo. He said that’s simply company policy for reasons of protecting privacy.

Kramer did say that just last week the company had a political pressure group request that it discontinue its services for a website that had been linked to a “warlord” on the other side of the world. He said that some people in the country were under U.S. sanctions, but not the specific person that was identified by the group, and therefore it didn’t take action.


I asked if Cloudflare ever continues to provide services for a sanctioned group at the request of a government agency, for example if that agency wants to continue monitoring a specific website. Kramer said he was “not aware” of the company ever having “a situation like that.” He did say that Cloudflare has never been sent a request from the U.S. government to discontinue services for any customer. He speculated that the reason for that is because it doesn’t provide hosting and if the government wants to take down a website they tend to go elsewhere.

Kramer says the only requests tend to come from political pressure groups and individuals. As deplatforming and boycott pressure has become an increasingly effective political tool, we’re more likely to see groups targeting infrastructure services. It’s up for debate whether that’s a good thing or not, but it will likely be much more consequential than losing your verified checkmark on Twitter.





Meanwhile, Cloudflare does its best to discourage those of us that are just trying to browse the web anonymously:

- Oh, hello! We noticed you are trying to browse the web anonymously using Tor. In order to proceed, we need to make sure you are not a pesky bot. We’re sure you understand. Please, first enable javascript and then click on all the traffic lights in the pictures that follow.

- *grunts* click, click.. click.

-No, Idiot. We mean *ALL* of the traffic lights. Those blurry pixels in the back count, too. Since you can’t read instructions or have cataracts in both eyes, now select all the chemineys in the next 5 puzzles. Nah. Make that 6.. 8. No, 10. 10 puzzles.

- You kidding me?!!

- Allright, seems like you are failing just about like a human being would fail. You may proceed.

- Oh, Thank God, f*#k!

*reads a bit*

*clicks a link*

- Oh, hello! We noticed you are trying to browse the web anonymously using Tor. In order to proceed, we need to make sure you are not a pesky bot.