Activists Target Cloudflare For Enabling Hate Sites

A San Francisco company providing security to websites is under pressure for the vitriol running through its network.

Activists Target Cloudflare For Enabling Hate Sites
[Photo: Flickr user Thomas Bresson]

The growth of the alt-right and other forms of nationalism have reinvigorated neo-Nazi and white supremacist movements in the U.S. and abroad over the last decade. Anders Behring Breivik, who posted on white nationalist message board Stormfront, killed 77 people in Norway in 2011. That horrific killing was enough to shock the site’s owner, Don Black, a prominent leader in the Alabama Ku Klux Klan, who later wrote in a post on the site, “This makes me want to pull the plug on this place and never look back.”


Black never pulled the plug on the site. But the Southern Poverty Law Center (SPLC) wants someone to shut it down. SPLC lists Stormfront in the annual roster of what it calls “hate groups.” Its 2017 list of U.S. organizations runs to 917–less than the record of 1,018 groups in 2011, but on the increase after a few years of decline. To bring down Stormfront and many other members of its hate group list, the SPLC is targeting a San Francisco company called Cloudflare.

If you aren’t a networking geek, it may take a moment for you to wrap your head around Cloudflare. The company’s network sits at what’s called the “edge,” between website hosts (say, GoDaddy or DreamHost) and the open Internet. There, it provides a shield against threats like distributed denial of service (DDoS) attacks, as well as “optimization” by using clever routing and caching to speed up delivery of content around the world. Cloudflare serves about 6 million websites, but it’s getting a lot of unwanted attention for a small fraction of them.

“We had figured out a year ago that Cloudflare was providing DDoS protection for almost every hate site that we monitor,” Heidi Beirich, director of SPLC’s hate-tracking Intelligence Project, told Fast Company. (SPLC dropped its own Cloudflare account based on that research.)

In March, SPLC accused Cloudflare of violating laws in several European countries, such as Germany and France, that prohibit Holocaust denial or the incitement or promotion of racial hatred. “Obviously that wouldn’t apply to the United States because we have the First Amendment,” says Beirich. But by operating data centers in Europe, Cloudflare is hosting illegal content from at least 48 hate groups, according to SPLC.

A few choice ones from the list include leading neo-Nazi site The Daily Stormer, Holocaust denier Carolyn Yeager, black separatist group Nation of Islam, and the Westboro Baptist Church, whose motto and URL are “God hates fags.” White nationalist/supremacist sites are also on board, such as American Renaissance and The Right Stuff. And Brandon Russell, member of neo-Nazi client Atomwaffen Division, was recently arrested in Florida for shooting and killing two of his roommates over a political argument, reports the Tampa Bay Times. Investigators found conventional bomb-making materials and the presence of some radioactive source. (Atomwaffen is German for atomic weapons.) Cloudflare says that it doesn’t discuss individual clients.

An alert about Cloudflare providing security to Atomwaffen Division, hosted on Iron March site.

Pressure on companies serving hate sites could grow if legislation proposed by the British Conservative Party goes into effect. The rough outlines would introduce fines or prosecution for companies that don’t remove illegal content. Social media companies like Facebook seem to be the focus, but the final law might affect other tech companies that bring the content online. Britain has several laws against hate speech, like the Public Order Act 1986, which prohibits “stirring up of racial hatred.” Later laws added religion and sexual orientation protections.


What Does “Host” Mean?

If someone were to bring legal action against Cloudflare, the company’s likely response would be that it doesn’t actually host anything. “Even if you take down our service, it doesn’t fundamentally change the relationship between the person making the [web page] query and the [site’s] host,” Cloudflare’s general counsel, Doug Kramer, told us. All these sites, hosted on different companies, would still be online, just without the benefit of Cloudflare’s security and optimization services. Content simply passes through Cloudflare’s system; it doesn’t live there, according to Kramer.

Beirich calls that explanation “bullshit,” saying that Cloudflare has to host multiple copies of these sites around the world so that they are closer to (and delivered faster to) people who visit the sites. “We believe them to be in violation of European hate speech laws based on what they copy from hate sites on to their European servers,” says Beirich.

“When you look at the nature of where we sit, we’re really providing a technical utility service sort of thing for the internet,” says Kramer. “It seems like a uniquely inappropriate place to try and solve the problem.” Though the content would be online regardless, removing Cloudflare would make it easier to find the appropriate place. Currently, checking sites with common tools like the WHOIS lookup service makes Cloudflare appear to be the host. “With a properly secured website, there’s no way for an external user to find out where a website is hosted,” says Kramer. “It is an essential element of our security that we don’t provide a shortcut that makes it easy for people to target hosts.”

Since website hosts are effectively hidden behind Cloudflare, the company passes any complaints, such as copyright infringement claims (the vast majority of complaints), offensive content, or alerts about things like child pornography on to the companies that actually host the sites. For a time, it also forwarded all complaints, complete with names and contact information, to the site owners themselves. This is to make it easier for sites to settle the disputes–which are often spurious claims such as bogus copyright violation charges, says Cloudflare. But a May 4 article by ProPublica resurfaced ugly experiences with Cloudflare customer The Daily Stormer (a movement with both a website and 31 clubs around the country).

The Oncoming Storm

This practice sent people’s personal info to Daily Stormer’s owner Andrew Anglin, leading to online harassment by him and his followers, several people told ProPublica. “It’s a very distasteful thing when that happens,” says Kramer. Since January 2015, he says, Cloudflare no longer sends contact info to website owners for reports of child pornography, violent threats, or other “sensitive” issues that could lead to retaliation.

But it still sent that information to the hosting companies, which Cloudflare does explain on its abuse policy page, and the hosts often forward the info to site owners. “We need to make it clear to all of these people that there are consequences for messing with us,” wrote Anglin in a December 2016 post on his site. In it, he detailed a complaint filed by Scott Kelley Ernest, which was passed on to him from his hosting company, complete with contact information. Anglin posted that and whatever additional contact information he could find for Ernest, including email addresses, phone numbers, and online usernames.


“[W]hy not hit this guy up?” Anglin suggested to readers in his post.

They have a record of hitting people up. Anglin is currently being sued by the SPLC on behalf of a Jewish realtor, Tanya Gersh, who says her family received over 700 harassing messages from Daily Stormer readers. They didn’t stem from a filed complaint, but rather regarding a business dispute with Sherry Spencer, the mother of white supremacist leader Richard Spencer.

In a discussion-forum post titled, “Jews Targeting CloudFlare Service for Protecting Daily Stormer,” a reader posted photos and contact information for ProPublica writer Ken Schwencke, with members hurling epithets like “nasty pieces of shit,” “faggot,” and “crypto-fag Jew.” They also expressed admiration for Cloudflare CEO Matthew Prince. “Let’s all take a second to applaud his stand (so far) of not making determinations of who can use their service based on judging people’s content,” writes the poster. “If all he hears from are the noisy kike media on this issue, he could easily cave in.”

Prince was swayed by press attention to an extent. A few days after the ProPublica article, he wrote a blog post outlining revised policies to allow fully anonymous reporting of threats and child sexual abuse material. Neither the site owner nor the hosting company will receive the name or contact information of the person making the complaint. “While we clearly had a significant blind spot in how we handled one type of abuse reports, we remain committed to our belief that it is not Cloudflare’s role to make determinations on what content should and should not be online,” writes Prince.

“Our goal is to make sure that all the stuff on the internet happens as users intended for it to happen,” says Kramer. But activists like the SPLC and sites like Daily Stormer clearly have different intentions and opinions about what is right.


About the author

Sean Captain is a Bay Area technology, science, and policy journalist. Follow him on Twitter @seancaptain.