Update 8/16 10:00 p.m. ET: The day after this article was published, Cloudflare terminated its services for the neo-Nazi website The Daily Stormer. The move was a stark reversal from Cloudflare’s policy of non-intervention, described in detail below, and the company’s CEO said in a blog post that he believes the decision sets a dangerous precedent. For more, follow Quartz’s running list of websites, apps, and services that are banning, blocking, and dropping white supremacists in the wake of the far-right rally in Charlottesville, Virginia.
After 32-year-old Heather Heyer was killed while protesting against the “Unite the Right” rally in Charlottesville, Virginia, on Aug. 12, the American neo-Nazi website The Daily Stormer published a hate-filled article about her. The ensuing uproar led to calls for The Daily Stormer’s domain registrar, GoDaddy, to take the website down.
Although GoDaddy had previously defended its choice to provide domain services to the neo-Nazi site, citing its rights under the First Amendment, the company took a different stance this time around. Within a few hours of the article’s publication, GoDaddy dropped The Daily Stormer, saying it violated the registrar’s terms of service. The website then registered its domain with Google, which promptly dropped it as well. Other tech companies have also made moves against the far right: Airbnb banned users it suspected were traveling to attend the rally, while Discord, a chat service for online gamers, shut down a server and some accounts used for spreading extremist views.
But one company is sticking by The Daily Stormer and other far-right websites: the cloud security and performance service Cloudflare.
Cloudflare acts as a shield between websites and the outside world, protecting them from hackers and preserving the anonymity of the sites’ owners. But Cloudflare is not a hosting service: It does not store website content on its servers. And that fact, as far as the company is concerned, exempts it from judgment over who its clients are—even if those clients are literally Nazis.
In a statement Cloudflare sent to Quartz and other publications yesterday, the company refused to explicitly say it will continue to do business with sites like The Daily Stormer, but pointed out that the content would exist regardless of what Cloudflare does or doesn’t do.
Cloudflare is aware of the concerns that have been raised over some sites that have used our network. We find the content on some of these sites repugnant. While our policy is to not comment on any user specifically, we are cooperating with law enforcement in any investigation.
Cloudflare is not the host of any website. Cloudflare is a network that provides performance and security services to more than 10% of all Internet requests. Cloudflare terminating any user would not remove their content from the Internet, it would simply make a site slower and more vulnerable to attack.
That statement somewhat underplays Cloudflare’s importance. Without its shield, many websites—belonging to groups right across the political spectrum as well as companies and government agencies—would be frequently crippled by distributed-denial-of-service (DDoS) attacks, in which attackers flood a site’s servers with spurious traffic. In DDoS attacks, might is right: Only a few companies like Cloudflare have enough servers to soak up a concerted assault. If it were to drop the Daily Stormer, the site would for all intents and purposes cease to exist any time it came under concerted DDoS attack from anti-fascist activists. If the Daily Stormer lost its web hosting service, on the other hand, it would have countless others to choose from.
The statement from Cloudflare is also neutral about whether or not hate speech is dangerous. In a blog post in 2013, Cloudflare CEO Matthew Prince was more candid about his views:
A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain.
Conflicts of interest
It’s not just Cloudflare’s refusal to take a stand against hate speech that has drawn criticism. Last May, ProPublica reported on a practice that made Cloudflare particularly appealing to neo-Nazi websites.
When users sent complaints to Cloudflare about content they saw on The Daily Stormer and similar sites, it would automatically send the website owners the names and email addresses of the complainants, who often then suffered prolonged harassment. After ProPublica’s article was published, Cloudflare began allowing anonymous complaints, but in a blog post about the issue, Prince maintained the tone of his 2013 post:
While we clearly had a significant blindspot in how we handled one type of abuse reports, we remain committed to our belief that it is not Cloudflare’s role to make determinations on what content should and should not be online.
Cloudflare’s indiscriminate approach to its clients appeals not only to neo-Nazis, but also to another set of bad actors: websites that provide illegal hacking services. Security journalist Brian Krebs has written at length about websites that conduct DDoS attacks for hire while using free services from Cloudflare to protect themselves from the same kinds of attacks.
Krebs argues Cloudflare has a “blatant conflict of interest” because, by protecting the DDoS-for-hire sites, it enables them to carry out the attacks from which it protects other sites, thus generating business for itself. If it stopped doing this, Krebs argues, “the DDoS-for-hire industry would quickly blast itself into oblivion because the proprietors of these attack services like nothing more than to turn their attack cannons on each other.”
We asked Cloudflare to clarify whether the statement it sent to Quartz and others means it will continue to provide protection services to The Daily Stormer and other far-right websites. A spokesperson reiterated that the company does not comment on specific users, and pointed to its terms of service. When asked whether the company had suspended its services for any website based on its content for the past 72 hours, Cloudflare did not respond. If it does, we will update this post.