I find the article hopeful for the future of free speech on the internet. Even though the ability to host content on the net is one thing and lacking access to most platforms (where the users actually are) like youtube, facebook, instagram, tiktok is another. The most important thing nowadays is access to the siloed user bases for people who try to express dissident opinions, not the access to the net as whole, even though that is important as well.
>For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them.
I find this section peculiar. Why does the company have "values"? I though companies were supposed to be looking after the intrests of their shareholders, i.e., profit. Do the shareholders consent to the lost profit being donated to political motives? This broader trend of companies becoming political organizations is terrible, frankly.
But even with that said, I find their stance in the article to be hopeful, and sincerely wish that they stay true to their words in this paragraph.
>To be clear, just because we did it in a limited set of cases before doesn’t mean we were right when we did. Or that we will ever do it again.
> I find this section peculiar. Why does the company have "values"? I though companies were supposed to be looking after the intrests of their shareholders, i.e., profit. Do the shareholders consent to the lost profit being donated to political motives? This broader trend of companies becoming political organizations is terrible, frankly.
> - No tolerance to anything but work. If you sexually harrass someone, instantly fired.
> - No woke HR training (no one watches it, yet no one has the courage to say anything about it)
Given that a chunk of the HR training is about reminding people not to sexually harass, I'm not sure how you can achieve both of those? Especially when you don't have an HR department. Who's investigating the allegations? In practice this kind of culture leads to "if you are sexually harrased, you have to keep your mouth shut or you will be fired".
Bunch of this is a legal impossibility. Disparate impact jurisprudence prohibits competence based hiring. "No HR departments" increases your legal liability risks -- a company ought to have one to at least cover their asses by saying that "we followed precedents' prescribed procedures, but alas". "No woke HR training" is the same - it's literally a legal obligation, without which your liability increases by orders of magnitude.
Separation of politics from economy is an impossibilty, and the company that you are describing is only turning a blind eye to its responsibilities to society.
You want to make profit the only relevant variable, denying any moral or political factors? What you will end up with is a company that is blind to the effect it has on society and to the reasons of how and why it works.
For example, say you have a lot of Nazi customers, for whatever reason (maybe you first openend in a nazi neighborhood and they like you). They say that they want you to stop selling immigrants, and following your profit maximation rules you are happy to accept, as immigrants are a minority here and would not give as much profit as the nazis. However, your opposition has to close shop because every nazi has now flocked to you and the immigrant customers are not enough to keep it running. You end up with extreme polarisation and a lack of freedom for a group of people.
This example is super simplified and perhaps not satisfying, but in the complexity of the real world and of online businesses etc. there are so much more mechanisms that can lead to discrimination, especially if they are not reflected upon. This phenomenon, where complete rational focus on one variable is disastrous for other factors that are very important in different ways, is also known as the rationality of irrationality. Please read more about it here [1], you may find that your view of society is quite naive. I don't want to diss you, but I would not be surprised if you reckon its strictly the politics job to care about gender equality, antiracism, etc., and that you like yo blame incompetent politicians for the problems rather than rationalist business people who do not see the consequences of their actions.
While profit profit profit may have kind of worked in the sixties, it is time to use our new gained knowledge about societal mechanisms and put them to good to fight more pressing problems than growing gdp.
Caring about PR is in the interest of shareholders.
If companies had to always maximize short term profits there would be very few companies around.
wrt shareholders for public companies they have a duty not to defraud them[0]; for everything else they are another stakeholder between employees, the public, the company itself as an institution, and other.
[0] For example how Musk had Tesla overpay for the failing SolarCity to save face [1]
Regarding Cloudflare donating their service fees to an LGBTQ support org, that's some genuine D-grade advocacy. I feel bad for the ERG members who were put in the position of choosing that charity.
If someone keeps starting fires on my property, I don't want you to donate to the local fireman's fund, I want you to stop giving that person matches.
It's carbon offsets for hate. And just like carbon credits, it's not really solving any problems. It's the minimum they could do that was literally not zero.
I'm with you that they did the right thing by taking this neutral stance, the peculiar section you should see as "managing optics" and keeping hysterical activists off their backs.
There are many successful protection rackets going around that work by generating bad PR and threatening more bad or worse PR, unless you donate to them and/or hire them as consultants.
ESG is primarily a mechanism for shareholders to get even more influence. This is not altruism. On the contrary, they leverage their financial advantages. Road to hell in my opinion.
It's rather disappointing that Cloudflare's policy is to not host content that is "illegal, harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals, or seeks to defraud the public", but they do not apply that same policy to content that they provide DDoS mitigation services for.
I don't see why their policies should differ depending on whether they are hosting or protecting the content in question. Either way, they are in part responsible for making that content accessible. I get the feeling that this is just an arbitrary distinction that they've made since hosting this content is more likely to have legal consequences for Cloudflare than simply providing DDoS mitigation services for it.
> Giving everyone the ability to sign up for our services online also reflects our view that cyberattacks not only should not be used for silencing vulnerable groups, but are not the appropriate mechanism for addressing problematic content online. We believe cyberattacks, in any form, should be relegated to the dustbin of history.
My point is this: if there are certain types of content that they deem unacceptable to host, why do they deem it acceptable to protect?
I disagree that the paragraph you quoted is relevant to that. But if it is, then it doesn't seem good that their goal of eradicating cyberattacks is more important to them than actual human lives.
I feel like this should be the end of the discussion. A crime against a criminal is still a crime. Furthermore, who decides who the ‘criminal’ is? A ‘tit for tat’ policy may leave progressive activists and whistleblowers vulnerable to DDoS.
They speak to it, I wouldn’t say that’s addressing it. They’re simply repeating a variation of the liberal viewpoint that nazis shouldn’t be punched, they should be convinced of their wrongs through peaceful social means (which invites naziism right in) or law enforcement (which, well, piggies like their own kind).
If Matt Prince were the head of the Inglorious Basterds, he’d evidently reform them to vote blue instead of scalping nazis
DDoS attacks don't just hurt the target of the attack. If any link on the path to the target is overwhelmed by the attack traffic, all users of that link are affected. Large attacks are hundreds of Gbps - a datacenter with 100Gbps of internet connectivity would be effectively offline. A datacenter with that much connectivity will likely host more than one site.
I know you aren't advocating that other sites be taken down, but that is the effect of allowing DDoS against a site. Perhaps you don't mind collateral damage but it should be acknowledged as a consequence of your suggestion.
Hosting and DDoS protection are different services. Think of them like a landlord (hosting) vs fire department (ddos) situation - one of them can morally refuse their services to people that they think are doing wrong/illegal/immoral things, the other one doesn't.
Not that I agree or disagree with this argument - just wanted to point out what their reasoning seems to be.
> Think of them like a landlord (hosting) vs fire department (ddos) situation
This is kind of a ridiculous comparison. A real-world landlord is a private individual extracting rent from their tenants while a real-world fire department is a publicly funded institution with a duty to protect everyone.
Cloudflare offers both its hosting and DDOS services as a private company. They aren't morally obligated to provide anything, regardless of whether the DDOS protection is offered for free.
I think it is good that they stay neutral and I believe even banning the Daily Stormer from their infrastructure was a mistake. As they write themselves it immediately created expectations for other content to be removed. Yes, the difference here is arbitrary, in my opinion a host should stay neutral as well.
The Daily Stormer tried to unsuccessfully groom kids with cute comics. They could not have fallen any lower. An intervention here would not be required. A negative example is also an example you can learn from.
On the one hand, websites like KF and the like are utterly reprehensible. On the other hand, Cloudflare taking it upon themselves to police the Internet is a nightmare in its own, given their bot-prevention services are effectively mandatory in order to even keep any sort of larger interactive website running.
What is permitted to say is something for the courts, not for the whims of private businesses, to decide.
Except that they don't respect court verdicts - e.g. in one case they lost against an Italian court "US-based Cloudflare disagreed. It countered that the Italian court didn’t have jurisdiction and that the e-Commerce directive didn’t apply to foreign companies, but those objections were rejected." How can you argue that a legal ruling is legally invalid (besides appealing it) and use this as a supposed justification for not complying with a court judgment?
Even in that article they say "While we will generally follow legal orders to restrict security and conduit services," - how can you say this? No other business says "while we will generally accept court judgments..."
Like with so many SaaS, CloudFlare has perhaps become too many digital eggs in one digital basket, so inevitably it will result in disappointment and bad decisions ala Twitter, GoDaddy etc.
It's really not that tricky. Few sites are peers of 8chan, kiwi farms, and the daily Stormer. When you become their peer, you have a serious discussion about whether you want them as customers with several people in the company, and you can choose "no".
They can absolutely drop kiwi farms and still be in the clear, ethically. It's not like kiwi farms is even remotely close to some sort of slippery slope. It's the goddamn burning trash pit on a FOB of internet sites.
> On the other hand, Cloudflare taking it upon themselves to police the Internet is a nightmare in its own, given their bot-prevention services are effectively mandatory in order to even keep any sort of larger interactive website running.
Maybe we should additionally also focus on that problem as well. It should not be the case that you need to pay a protection racket just to be able to survive on the Internet.
We definitely need more, also international, efforts to establish:
- baseline requirements on IT security (to reduce the impact of stuff like hacked IoT devices)
- quick and fast cooperation between governments to identify and contact owners of hacked equipment to get them off the Internet and patched. Maybe something similar in operation to firefighters - you don't have to pay for their assistance unless you actually created the fire or were grossly negligent?
- procedures to get nation states that are a clear and consistent threat to everyone else off the Internet either because they actively attack others or because they are shielding hacker groups, and judging by where a lot of attacks originate, that is Russia, China, North Korea and Iran.
Particularly regarding the last point, I'd also advocate to take factual declarations of war as what they are and strike back.
Except it's absolutely up to the whims of private businesses, if you want to be consistent with how businesses are understood in the US.
In the US corporations are people and money is speech. Cloudflare can try to become a public utility if they want but right now they're a corporation and they're making a political decision to continue to take money from customers that use their services to operate harmful social spaces that are used to coordinate targeted harassment campaigns and drive vulnerable people into suicide.
They frame selling DDoS protection as a neutral and good thing because it prevents cybercrime. But would you accept the same argument for selling ballistic vests? Plate carriers? APCs? Clearly selling defensive equipment to both sides of a conflict is still involving yourself in a conflict. If you want to be neutral, you don't involve yourself, you don't sell.
And to make matters worse, the general consensus is that the party they're selling DDoS protection to are "the bad guys" in this conflict. The guy operating it literally had to create his own hosting company because he ran out of hosting providers willing to do business with him. He had to resort to crypto wallets because payment providers have long banned his site.
Even if there wouldn't be any evidence that he encourages and participates in the harassment campaigns his site is known for (a site, by the way, that was literally created to harass one specific individual), the person maintaining that site still took a principled stand to allow this behavior to continue despite what it cost him. And now Cloudflare's CEO took the same stand to continue doing business with this person.
We should be so glad that sites like KF can even exist, where free speech is not only practiced, but the owner of the site actually stands up for their users' rights and even goes to court to fight for them when people wrongly sue and try to take things down that is not the responsibility of KF to even be policing.
You may not like the content its users choose to post, but I for one am glad sites like it exist as it gives hope that the First Amendment continues to be respected and legally tested... otherwise I fear that censorship will keep creeping up until it has gone too far.
then why don’t they publicly invite back 8chan and the daily stormer, possibly for a discount/free? similarly, are they lobbying to get FOSTA revised so they can bring back Switter?
their opinion is that it is (almost always?) ethically wrong for them to withhold security products. for the two websites i mentioned, nobody is stopping them from providing services. for a third, they could lobby to fix fosta and/or not transit switter traffic in the us.
That's what is so sad about this. Cloudflare is NOT a utility, and they don't lobby to be one. If they were, then their arguments would have some merit. Instead, they're saying "look, we're a utility! We have to act like one! But we're going to keep the benefits of being a private company; we're just not going to exercise our private discretion because then we couldn't pretend we were a utility when it suits us."
As a dev who was once entirely on board with CF and recommended their "workers" environments to anyone that would listen, I'm very sorry to have to terminate both my business with them and my evangelizing of their services. But I'm certainly not going to stay in business with or recommend a company that would rather hide from their responsibility than to take the political heat for sensible business decisions (like removing poisonous clients).
They dropped support for 8ch after successive terrorist attacks, one of which killed 50 innocent people. The CEO has stated that he regrets dropping them.
8chan users radicalize each other and encourage each other to commit mass shootings. KiwiFarms users post the personal information of people and encourage each other to harass them to the point of suicide. I don't see how they aren't comparable.
8chan literally had sub boards dedicated to child pornography. Kiwi Farms is where people make fun of other people. They're really not comparable unless you believe "not being made fun of" is a human right.
> They're really not comparable unless you believe "not being made fun of" is a human right.
This is meant to be sarcastic but a lot of people basically do believe this. Most arguments about "stochastic terrorism" would implicitly aim to devalue/censor any sort of speech that "punched down".
That depends. How many lives were ruined thanks to those boards on 8chan? It's plausible the answer is anywhere from "very many" to "zero". The harassment caused by Kiwi Farms is serious and located somewhere in between.
Remember, while they took down 8chan, they left up ISIS sites hosting ISIS-made videos of ISIS members burning people alive, popping off their heads with detcord, and the like.
8chan bad, ISIS ... well, not as bad?
I will never stop reminding people that the CEO said he woke up in a bad mood one day and took down protections for one group ... but left murdersites alone. Can't be undone.
Remember that whenever they pretend to be unbiased.
> I will never stop reminding people that the CEO said he woke up in a bad mood one day and took down protections for one group ... but left murdersites alone. Can't be undone.
> Some argue that we should terminate these services to content we find reprehensible so that others can launch attacks to knock it offline. That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character.
> For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them. We don't and won't talk about these efforts publicly because we don't do them for marketing purposes; we do them because they are aligned with what we believe is morally correct.
These are the two strongest points for me. The former is one I already believed, and the latter makes me more hopeful as someone in that specific minority community.
In addition, I think it's touched on but Cloudflare is huge. Even if they changed their mind on terminating amoral customers, how would that go down? Another automated moderation system that checks for certain keywords? Ask the LGBTQ people banned from Facebook/Twitter/Reddit/Google/etc. if those systems really work all that well. All too often person A implying that X group deserves violence skirts the system, while the actual text calling out Person A's beliefs from an advocate is considered hate.
And let's be real. DDoS attacks are acts of digital terrorism. They're attacking infrastructure due to political motives.
These people who want to revoke DDoS protection for groups they don't like are essentially promoting terrorism. Why else would they fight so hard to remove DDoS protection, if not because they simply want those attacks to succeed?
The group they're trying to target here is a terrorist group. Not even in a metaphorical sense. It's people who try to harass random transgender people to the point of suicide or murder.
DDoS is a product of an inherent weakness of the internet infrastructure, namely BGP. Cloudflare "solves" this by acting as a middleman, and charging for their service.
I don't know if I would describe a DDoS attack as "digital terrorism", but it is annoying and hard to stop on an individual level because of the design of the internet.
I would call it vigilantism which is a type of definitional terrorism. People in the US don't like that word, but there's a good many things that are terrorism that we don't call such. At the end of the day, violence with political aims is terrorism.
Isn’t it a bit disingenuous to equivocate terrorism, which actively targets/kills innocent civilians, with DDOS attacks against services which are responsible for moral atrocities? Could it be compared to vigilante justice? Perhaps. But comparing it to terrorism is unfair, to put it mildly.
You seem to be treating all political conflict as terrorism. Couldn't you say the same about people who organize on Kiwifarms and flood social media with specious allegations of bad character or nefarious actions? For that matter, the site has been heavily associated with doxxing and swatting.
History has shown that reprehensible acts can be done for the greater good. Getting Kiwi Farms off the Internet at all cost might be good, digital terrorism be damned.
I just don't want to live in a world where society is governed and censored by big corporations. Wanting them to do so to further my worldview invites others to further the worldview of people I oppose. Leave the governing to the government, especially when it comes to systems with very broad usages (social networks, internet infrastructure, etc.)
Agreed. IMO, people encouraging Cloudflare and other corporations to take political stances are very short-sighted. With the amount of Saudi Arabian and Chinese investment and influence continuing to grow in major corporations, you have to imagine that large tech corporations being aligned with west-coast US Democrat politics isn't going to last forever.
As the article says, "... [not providing services based on moral character] is a dangerous precedent, and one that is over the long term most likely to disproportionately harm vulnerable and marginalized communities."
This reeks of "both-siding" which is insanely frustrating for me. Look, I get opening a can of worms and "stay out of my business" but at the same time, we need to be able as a society be able to and be unafraid to say when things are clearly bad.
> I just don't want to live in a world where society is governed and censored by big corporations.
You already do. And that's actually a good thing. It means that in free societies like the USA, these companies are free to choose to do (or not do) business with whomever they choose. They are not free from the market reacting to those decisions, though.
Cloudflare choosing to continue to provide their security services to Kiwifarms won't do anything about the fact that they're unregulated, and can offer or revoke services from whoever they choose and whatever time they wish. If you want to turn Cloudflare into a regulated monopoly, or utility company, then I would be open to that argument, but if you leave them as an unregulated, profit-seeking enterprise then you have to be critical about where that profit is coming from and what moral tactics you're okay with them to further that profit.
Cloudflare is not a public service, the comparison with firefighters is not apt.
I’ve been seeing this confusion more and more recently, probably because of the size and omnipresence of corporations.
I don’t know if this confusion is deliberate to justify certain acts or simply ignorance, but the distinction has to be emphasized. Corporations and public services are completely different beasts, with different legislations, incentives, etc.
The point here is that Cloudflare's core product, despite being run by a private for-profit company, is as close to an essential service as it gets in the digital world. This is not the same as saying "posting on Twitter is a civil right"
There are ways in which they are "completely different beasts" and ways in which they are similar.
In that they are both organizations made up of human beings providing important services to the general public, they are the similar. I think that's the similarity that was being emphasized by the analogy.
The analogy still works if you imagine private firefighters (the kind you might contract for a farming operation) instead of public firefighters.
Even an arsonist should be rescued and treated for burns. They should also be arrested, tried, and inprisoned. Only combined do public services execute the moral values of the people. An arsonist should also probably not be sold gas.
A gas station has a moral obligation to sell gas without discriminating by race, etc. A gas station does not have a moral obligation to sell gas to arsonists.
I'd be suspicious if a gas station made a press release about how they'll sell gas to anyone but also donate to charity to "make things even". Sounds like they want arsonists to know where they can buy gas.
I think this brings up an important topic though that we need to grapple with as a society - at what point do we recognize that we NEED public services related to the internet?
Something similar to basic Cloudflare but run as a public service by the government that is free to all might be a good thing to have. If there are majorly amoral actors that use it we should be going after them for their crimes (from a legal sense) which other parts of the government can of course aid with.
If a cooperation becomes a de-facto monopoly the rules that apply need to change. If there is no competition you can go to and there is no way around it then the government has to step in.
The right to speech is strong, at least in the United States, at least for now.
Seeing how vital the Internet is for participation in society, it is my opinion that the baseline for "duty to serve" is that everyone has the right to a modicum of hosting and the ability to have their site accessible. That means a FQDN, SSL certificate, and network connectivity.
Should it be a legal requirement? I'm not yet convinced. But I don't think CF is wrong to host orgs they morally oppose.
I see people are still desperately clinging to this "websites aren't public services" narrative but as the years go by it's becoming increasingly clear that it just isn't entirely true.
The whole logic behind the "it's a private space/service so they can deny service to whoever they want" argument is that, if a user is denied service, they can seek service from an alternative provider elsewhere, usually without much difficulty. If the other providers also don't want to provide the service, fair enough. But this isn't really the case in the modern web because you often don't have alternatives. If you are denied service by cloudflare, you can't just go to another cloudflare down the street. Same with many other major online services that are effectively monopolies in their field.
Maybe a better one would be privatized health care? What is the standard for who does or doesn't deserve medical care?
> I don’t know if this confusion is deliberate to justify certain acts or simply ignorance
Also, my guess is ignorance. Cloudflare is essentially restoring a platform on the internet that is difficult to get and keep for small creators. Their posts on this topic strike me as the super libertarian types who take no issue with privatizing public services.
> I don’t know if this confusion is deliberate to justify certain acts
I see more than one political group purposefully conflate this in order to push their own agendas.
For example, when a private company says that won't tolerate hate they claim "free speech" infringement but when government silences a critic they don't like it's "law and order."
> We don't and won't talk about these efforts publicly because we don't do them for marketing purposes
in a post that further goes out of its way to say, "look at these morally good things we're doing (Galileo and Athenian) that aren't themselves part of the abuse process, and then has their logos as two of the three images in the article body? Okay, sure, this may not strictly be marketing material insofar as it's not an ad the marketing team purchased, but c'mon, did ya'll put those in place to help explain the abuse process or because they're nice "but look, we also do good things!" window dressing on an article you think otherwise may not have the best reception?
I somewhat agree with these two points as well. When you're running a business, you'll often have customers you find disagreeable. That doesn't mean that they're invalid customers, but you may feel gross helping them. For the exceptionally bad cases, why not jack up the prices 10x and donate those proceeds?
> Another automated moderation system that checks for certain keywords? Ask the LGBTQ people banned from Facebook/Twitter/Reddit/Google/etc. if those systems really work all that well.
This is so, so true. Both automated and human review systems often times don't handle or protect minority users well.
(Reasonable Disclosure: I still terminated my services with CloudFlare over this.)
> ...we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them.
I'm sure their LGBTQ+ employees will appreciate that when they get doxxed, swatted, and harassed every hour of the day and night because they're providing critical resources to the groups doing so.
Their position probably really does come from genuine belief in principles of anti-censorship and free speech, but the version that LGBTQ+ people are gonna hear from them is that every death threat, every picture of them taken without their knowledge, every coordinated campaign of harassment, every SWAT officer pointing a gun at their face when they wake up, every suicide after years of abuse, has the full backing and support of a multi-billion dollar corporation, and there's nothing they can do about it. And they're kinda right.
And when that happens, Cloudflare is in the perfect position to provide evidence. Your unwittingly advocating for these websites to use more sophisticated methods, where their actions will be much harder to prove and prosecute.
If not Cloudflare, then someone else, that's the reality of it. We do not live in a world of no harm and never will we. All we can do is manage it.
KF doesn't doxx people for being gay. As far as I can tell, KF has a huge LGBT presence in their userbase. They have doxxed people who are gay, but not because they are gay.
And all that while the company refuses to acknowledge that it is full backing.
Cloudflare loves to call back on the law when defending Kiwifarms, but then equate themselves to a public utility.
If the law intended for it, DDoS protection would be a public utility or at least a protected class of service that can't refuse customers. And if you say that it should be and the law is just lagging behind (and I'd tend to agree with you), I can say the same thing about the technical legality of a website that enabled and (indirectly) incentives doxing, harassment or even swatting (except on Kiwifarms, people might technically have a case for defamation, but good luck getting that prosecuted).
I think one easy thing they could do, is stop hosting for forums dedicated to doxxing and harassing people, preferably before they inevitably bully their victims into suicide.
The whole point of my comment is that I don't think it is easy. It'd be great, but it certainly isn't easy.
If they get rid of Kiwi Farms, ultimately it's not going to fix the problem. They're going to find a new, harder to harass vendor for CDN. Cloudflare's detractors are going to find a new website to talk about.
If you're talking about all websites that do this kind of thing, I have my doubts about how this would look in practice. Take down websites that use hate speech? Work to debunk hateful myths would likely get caught in that. Suspend websites that get X number of reports? Congrats, you've given botnets a far more effective tool for DDOS. Don't suspend those websites until a human analyzes them? That'd be ideal, although it seems like that's the system they have. Those humans appear to be instructed to only intervene when Cloudflare itself is the one causing harm. Kiwi Farms is hosted elsewhere using Cloudflare as a CDN.
> Our decision to disable access to content in hosting products fundamentally results in that content being taken offline, at least until it is republished elsewhere. Hosting products are subject to our Acceptable Hosting Policy. Under that policy, for these products, we may remove or disable access to content that we believe: [...] Is otherwise illegal, harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals, or seeks to defraud the public.
> That is the equivalent argument in the physical world that the fire department shouldn't respond to fires
This is a false equivalence, because fire departments are public utilities provided and regulated by the state. Cloudflare is a private business. If Cloudflare was democratically elected by its constituents, and it was accountable and answerable to them, then I would agree with them that they have a responsibility to make their services available to all of their constituents, subject to the due process of law.
But they aren't a public utility, and they don't get democratically elected. Cloudflare is a private business, and it exists to capture the surplus value of keeping more websites online and marketing their security products to more corporations. They can do business with whoever they choose to. And they choose to do business with Kiwifarms. Honestly: in effect, Kiwifarms functions as a free success story for Cloudflare's sales folks—"Look at how many people hate this website, and yet they're still online, thanks to Cloudflare!". I think that's probably the reason that Cloudflare's support of Kiwifarms rankles so much with people who are victims of the website—the fact that Kiwifarms is still online is Cloudflare working exactly as intended, but amorally.
> For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them
Okay, you donated the fees, but why continue to accept the money from the site that opposes LGBTQ+ rights in the first place? Cloudflare still got to keep the benefit of increased revenue, and a larger customer base, and the world still got worse. Did the donation they make actually offset the harm done to the world by keeping that site (whatever it is) online? It seems unlikely.
> In addition, I think it's touched on but Cloudflare is huge. Even if they changed their mind on terminating amoral customers, how would that go down? Another automated moderation system that checks for certain keywords?
No, it would go down, ideally, the same way it does today and the same way it did for the Daily Stormer and 8chan. Terminating services for customers like Kiwifarms is a big decision, and it's one that shouldn't be made lightly, and frankly: there just aren't that many harassment websites that are as big and as long-lived as Kiwifarms. I can maybe think of one or two others off the top of my head. I'm okay if Cloudflare decides to terminate one or two of the biggest, most important harassment sites using their platform per year—doing something is better than doing nothing.
> I'm okay if Cloudflare decides to terminate one or two of the biggest, most important harassment sites using their platform per year—doing something is better than doing nothing.
I'm sorry, I'd only ever heard of Kiwifarms yesterday. I am also okay with that, but I do genuinely believe there will always be a next one. People forget they made the exact same comments before caving on 8chan and the Daily Stormer. As these incidents get closer together I predict we're reaching that 1-2 site a year rate. If I can backpeddle a little on my parent comment, I far less care about any of these specific websites than the implications of Cloudflare not giving the big "We hate to do this" speech beforehand.
You make a good point that policing who is who is difficult enough that letting bad guys pay $20 month or whatever is "cheaper" than actively validating who they are and then kicking them off your service for moral reasons. I get the feeling that 9/10 times these bad actors are on the cheapest cheapo plan available so it's actually very expensive to deal many tiny customers versus one huge one.
Oh, but wait, CloudFlare HAS the resources to validate and act, since they know whose fees to send to rights organizations.
And as for being the fire department? Excuse me? They are a company that exists to make money, not a public service beholden to a specific, lawfully mandated social contract. Their first point is a false equivalency and they can go fuck themselves for even bringing that up.
This statement from them is PR fluff.
Paradox of tolerance. You must be _intolerant_ to these intolerant people or they will fuck up everything for everyone. Cloudflare is letting cancer of society erode public trust, just like every other hyper scale tech company, because businesses exist to make money.
> They are a company that exists to make money, not a public service beholden to a specific, lawfully mandated social contract.
Part of the reason for my position as stated above and throughout the thread. I believe that SPECIFICALLY at Cloudflare's scale, they have more control than most governments in the realm of speech. Therefore, they are MORALLY (not legally) required to enact the same social contract. I believe any alternative where they break that social contract will have unintentional repercussions for minority groups.
To have my position changed, I would need to be convinced those repercussions wouldn't happen in practice.
> the latter makes me more hopeful as someone in that specific minority community.
I'm curious what you think the "balancing" donation/action/whatever cloudflare could do to counteract the very real harms kf causes are?
This isn't a political action group that takes donations and lobbies. It's a site where people's personal information is offered up to anyone who wants it, knowing that many of those people want to do harm with it. The owners and moderators know all of this and both allow and encourage it.
I think this kind of "but we donate!" approach is both an admission that they enable harm, and a completely inadequate to the situation here.
Yes, this should be an issue for law enforcement. But this has been going on for years and nothing has been done, in spite of many efforts being made and many people literally going into hiding due to harassment from this site.
So how is cloudflare going to make this one right to their ERG?
> This isn't a political action group that takes donations and lobbies. It's a site where people's personal information is offered up to anyone who wants it, knowing that many of those people want to do harm with it. The owners and moderators know all of this and both allow and encourage it.
I don't think that specific passage was in reference to KiwiFarm's paid plan.
> Yes, this should be an issue for law enforcement. But this has been going on for years and nothing has been done, in spite of many efforts being made and many people literally going into hiding due to harassment from this site.
This is the specific contradiction I'm trying to avoid. It feels incredibly odd to me to look at a coordinated campaign of harassers and think "it should be easier for organized groups of people to control the conversation". You can look at my comments in this thread or in others, I'm totally cool every time hateful shitbags are taken off the internet and I fight back when they're defended. I'm just not in favor of any broad policy that puts one organization in control of speech.
Never thought I'd see the Left trying to weaponize corporations to suppress speech they dislike. Reminds me a LOT of Evangelicals in the 2000s - I know that comparison has been made frequently but that's the last group that made a serious censorship push.
I wonder how all of this will end? I support CloudFlare here - they should act as a utility, not as an arbiter of content. This ends poorly and one day will bite the people that are pushing for this.
Yeah, I remember when "net neutrality" was something that the left was demanding.
Once they realized that they had a systematic advantage in petitioning hosting companies to deplatform disfavored content without due process, however, all of the underlying arguments for net neutrality were quietly discarded.
Net neutrality was never about deplatforming, due process, or censorship. It was about ISPs prioritizing traffic or providing free bandwidth for their own services and throttling or charging extra fees for third party services (e.g. Time Warner providing access to their own streaming service without counting towards your bandwidth cap, but not doing the same for Netflix).
It's nothing like the evangelicals by any stretch of the imagination. The fact of the matter is that Kiwi Farms is a cesspit full of people who revel in obsessing over people and then harassing them not only at their jobs but even through their private communications (phone numbers, personal email addresses, etc). How you react if dozens of people just started calling you at all hours because you're trans and are visible in a social network? How would you react to having to explain to your employer that it's just "some kids" constantly badgering you and them when you're busy doing work? How would handle the act of them calling the police with false reports that result in a SWAT raid? This isn't hypothetical, it's happened many times due to Kiwi Farms and other forums.
It's nothing like the SJWs by any stretch of the imagination. The fact of the matter is that Reddit/ResetERA/Twitter/DailyKos is a cesspit full of people who revel in obsessing over people and then harassing them not only at their jobs but even through their private communications (phone numbers, personal email addresses, etc). How you react if dozens of people just started calling you at all hours because you're Christian and are visible in a social network? How would you react to having to explain to your employer that it's just "some kids" constantly badgering you and them when you're busy doing work? How would handle the act of them calling the police with false reports that result in a SWAT raid? This isn't hypothetical, it's happened many times due to Reddit and other forums.
Yes, I remember the "Moral Majority" era. I remember the religious right, the fundies, the evangelicals, and the grasp they had on speech. I remember how they tried to ban porn in the late '90s and the courts had to smack it down. And I saw how the left has taken over institutional power since then, still crying about victimhood status while holding government majorities, running education and the media, and so on.
It looks like the pendulum has started swinging back in recent years. I don't really want to go back to the late '90s in terms of culture and government (especially culture) but I won't be at all surprised if it happens and the right shows the same lack of magnanimity as they were shown this past quarter century. And a good way to make sure that happens is to continue to stifle their speech and give them every opportunity to cry victim and wish revenge. The left made hay from these opportunities and the right has been watching. A lot of their activists have read Rules for Radicals too.
Big turn of the tables. Back in the 2000s Bush administration we had pornography site raids and suppression, now we have ideologically-motivated censorship of a different form.
> Reminds me a LOT of Evangelicals in the 2000s - I know that comparison has been made frequently but that's the last group that made a serious censorship push.
It's the exact same pattern: Zealots trying to use censorship to suppress those that don't adhere to their ideology. The reason it's confusing is because you're looking at it as a left/right issue when it's not. It's an authoritarian/libertine or extremists vs everyone else issue.
Never thought I'd see the Left trying to weaponize corporations to suppress speech they dislike.
It is a terrible fact of human psychology that being abused in a particular manner make you much more likely to abuse others in the same manner, not less.
> I support ButtFlare here - they should act as a utility, not as an arbiter of content.
So then advocate for them to actually be a utility. Right now they get to benefit from being treated like one, but not being held to the same legal standard of an actual utility.
Being a utility doesn't make them any less of a de facto arbiter or any better of a company. Utilities can suck too. And, worse, they do it with the political backing of the state.
The irony of using a throwaway account to advocate for a site that doxxes people.
You guys are the ones undermining the legitimacy of freedom of speech by passing doxxing off as merely being an opinion while it in fact surpresses actually bipartisan discussion. Disgusting.
I don't understand why Cloudflare believes it is their responsibility to protect content that they admit to finding morally reprehensible when they are under no moral or legal obligation to do so.
It seems that Cloudflare believes that they are the only ones who can protect the websites hosting this content from being DDoS'd out of existence, and thus they are protecting their right to freedom of speech. But the owners of these websites can just use a different provider that is more aligned with their sense of morality, and Cloudflare doesn't need to protect websites that they morally disagree with.
DDoS-Guard still exists and I have no doubt they would be perfectly happy to protect websites like The Daily Stormer, 8chan, and KiwiFarms. They have shown themselves to be capable at mitigating large-scale DDoS attacks against the Russian government, so it's not like Cloudflare is the only place these websites can survive.
Cloudflare should only continue to provide services to websites like these if whatever they gain by having them as customers outweighs their moral disagreement with them. And I can't see how a few thousand dollars per year does that.
Other people who might want to host content that certain groups of people and/or governments don't want kept online are surely noticing and may start or continue using CF as a result of this message. Even someone in this situation who is completely opposed to KF's content should be able feel some comfort in that.
I feel like you missed the core points of this post.
- Precedent from decisions on The Daily Stormer and 8chan was used to pressure Cloudflare to deplatform human rights organizations by authoritarian governments. Refusing to deplatform isn't about protecting Kiwifarms, but protecting other groups in a global environment where they face legal and social pressure on differing and conflicting views. A hands-off policy on moderating the content of their customers removes the possibility of using deplatforming to suppress human rights.
- They rarely get paid by any of these sites, and when they do, tend to donate the proceeds to charities opposed to such awful websites.
Precedent from decisions on The Daily Stormer and 8chan was used to pressure Cloudflare to deplatform human rights organizations by authoritarian governments.
Cloudflare isn’t a court, its decisions are not legal precedents, it can decide on a case by case basis who it wants to do business with.
If authoritarian government comes knocking, just say no. What are they gonna do?
> Precedent from decisions on The Daily Stormer and 8chan was used to pressure Cloudflare to deplatform human rights organizations by authoritarian governments. Refusing to deplatform isn't about protecting Kiwifarms, but protecting other groups in a global environment where they face legal and social pressure on differing and conflicting views. A hands-off policy on moderating the content of their customers removes the possibility of using deplatforming to suppress human rights.
Except this is a bullshit excuse, because a) you can just tell those authoritarian governments "no", and b) they have been removing customers like sex workers for many years already, this is not some novel change. The only change is that it affects literal fascists now.
"Banning nazis means we also have to ban human rights organizations" is some grade-A spin doctor bullshit, and I would expect better from people here than to fall for that.
These are all sites hosted with CF DNS, who provide services that are literally the opposite of free speech -- they are in the business of _suppressing speech_, for money (or for free!). They are the providers of the service CF protects its paying customers against. There could be no more simple definition of a shakedown racket than this: Pay us for DDoS protection, or risk being brought down by one or more of our (non-paying) customers!
For all their completely defensible talk about free speech, this is a category of customer that is indefensible, and completely identifiable.
Except for one thing: If they were "relegated to the dustbin of history", so too would be CF's business model.
So before defending CF's stance on "free speech", take a good look at their business model, and who they support.
According to completedns.com, instant-stresser.com has been using Cloudflare on and off for almost 8 years, and continuously for the last 3 years. It's also the 2nd result on Google for searching "free stresser". It seems impossible that this site hasn't been reported to Cloudflare by now, indicating that they have made the decision to continue protecting it. Very bad.
I haven't checked the other sites you mentioned, but if this pattern holds, it definitely changes my perspective on Cloudflare.
So, the claim is that Cloudflare is acting like the window glass shop that drums up business by running around smashing windows at night? That's quite the claim.
Here's a recent report on a DDoS-for-hire outfit that was criminally charged and convicted, related to downthem.org and ampnode.org
Interestingly, the affidavit in that case does note that Cloudflare provided services for downthem.org and ampnode.org. However, this is a criminal indictment of the guilty party. I suppose the issue is, what kind of 'public reporting of criminal activity' is needed to provoke CF to drop services? In cases like this I also imagine CF cooperates with FBI investigations.
> In cases like this I also imagine CF cooperates with FBI investigations.
Seems to be the case,
> The FBI’s Anchorage Field Office and its Los Angeles-based Cyber Initiative and Resource Fusion Unit investigated this matter. [...] Cloudflare, Inc. [...] assisted this investigation.
> So, the claim is that Cloudflare is acting like the window glass shop that drums up business by running around smashing windows at night? That's quite the claim.
That is not my claim; they don't operate any DDoS-for-hire sites. My claim is that their "free speech, we won't shut them down" claims are utter hypocrisy when they do nothing to shut down their support for DDoS-for-hire sites, the ultimate (on the internet, anyway) anti-free speech perpetrators.
Cloudflare has always hidden behind this stance as a way to justify doing awful things.
When I worked at Malwarebytes we had regular issues with malware being hosted on Cloudflare. Now I don't mean like "hey download this file so you can learn"- that kind of thing we fully supported. I mean that these files were being explicitly used in drive by exploit attacks- if a user with a vulnerable browser went to the wrong webpage, that webpage would load exploit scripts from the Cloudflare network and then inject the malware.
To me this is a very simple example of abusing a network. It is not a free speech issue, unless you think punching someone in the face is free speech. We proved that this was happening by providing pcap files showing the entire network transaction and the fact that users were not initiating this on purpose.
Their response was to ignore us until we started blocking their end nodes, at which point they came to our forum and straight up lied.
> Unfortunately, the new system is unlikely to resolve the current controversy which is more political than technical in nature. The current controversy involving Malwarebytes blocking CloudFlare IPs is centered around one site. To be clear, this site does not distribute malware itself and visiting it will not infect your computer. It does, however, provide information on how to create malware. Philosophically, we believe there is a difference between distributing malware -- which we will prohibit through our network -- and distributing information about malware. We do not believe our role is to play censor to any information on the Internet, even information we find disturbing. Publishing the Anarchists Cookbook does not make you a terrorist. Blocking sites based on the information they contain, as opposed to the actual harm they do, takes a step down a slippery slope I find deeply troubling.
This was a 100% dishonest lie, and it's the same pattern Cloudflare has been following for a decade now. In this case they lied claiming we were blocking educational material, which is something Malwarebytes never did. He said all of this after we sent the pcap files proving that this wasn't an issue with educational sites.
From my perspective Cloudflare has always been willing to hide behind free speech even if it isn't relevant. It's their go to excuse for any bad behavior.
Hosting a DNS zone file is not tantamount to enabling attacks. Its like saying Google enabled murder because Maps provided the directions for a murderer to get to the victim's house.
The problem isn't that certain customers are bigots, but that they actively seek to allow harm to be done by their own end users like Kiwi Farms. The fact they have an exhaustive wikipedia for one person (Chris Chan) should have been the "nope" moment for them. Like if I was a host or a provider of a service and Josh Moon came to me with his site I'd just turn him away because he's like nuclear waste dangerous. It's not a matter of morals, it's a matter of social vs anti-social. Josh Moon, his own mother, and many of the loudest users on Kiwi Farms are anti-social to such an extreme that if they even tried to do their antics in real life beyond SWATing and cyberstalking, they'd probably be in prison now. It's not a matter of dealing with something like some religious organization that thinks being gay or trans is immoral, it's a group of thugs that skirt the law through various means and sometimes even cross into illegal acts that are hard to track/monitor (ex. SWATing).
Swatting is illegal, users of the site are doing the swatting, and KF simply pretends they aren't. They aren't arrested because the reason they use swatting is so they can't be tracked and thrown in jail themselves.
Meanwhile people's lives are ruined, their friends and family contacted, harassed, and they live in terror of people who congregate, anonymously, on that site, which is hosted out in the open with large corporations providing them services. A donation to the trevor project does nothing to protect those people, it just tells them their lives are expendable and they'll try to save someone else's.
Something must be done to stop them. I haven't heard any legal arguments for what could be done to stop them - one is told simply "you can't fight back, and you can't protect yourself, legally". When people are told that, they take more drastic measures, because the system that exists won't protect them.
Honestly a good proposal I've heard is to at minimum shut down SWATTing or add consequences and tracking of the requestor. Police being able to be consistently deployed on a ruse is, to me, insane.
Honestly, I agree that there needs to be work done. I think the first step is to get the police to not be as ignorant as they are. The fact that Keffals tried to notify the police of a potential harassment effort and they chose to ignore her should've never happened. Police today are poorly trained and educated but still get an exorbitant budget. I think it's time for people to declaw them or retrain them or possibly both on top of dealing with Kiwi Farms directly.
"The problem isn't that certain customers, in my personal biased subjective opinion that is subject to no oversight whatsoever, are bad people who advocate doing bad things. The real problem is that certain customers, in my personal biased subjective opinion that is subject to no oversight whatsoever, are bad people who advocate doing bad things."
Things being subjective doesn't mean they're not true. What you mean to say is my arbitrary or biased view, which also doesn't invalidate their truthfulness. The fact that folks like you think subjectivity means arbitrary or biased or that it has no truth or factual value is disturbing and your position is also a deflection. In the United States, you can be sued at any time by other private parties. The fact that Josh Moon refuses to reign in his site users because he agrees with them (you can look in the posts he's made) means any business you do with them sets you up for liability. And guess what? Cloud Flare's CEO is endangering the bottom line and if I was a minority holder I'd be calling up the board to override his decisions, even if it meant a complete stockholder revolt against him. Letting the rejects of the most rejected group of people congregate and do misdeeds that either are explicitly illegal or border on illegality isn't a sound business decision. Wake me up you have an actual argument rather than trying to do 4chan level antics and mockery.
The CWCki is not operated by KF, and at any rate is critical of Chris but not at all wishing death or violence on him. (And it is a wiki, not "a Wikipedia." Wikipedia is itself a wiki.)
And what does Josh's mother have to do with anything?
Readit News
>For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them.
I find this section peculiar. Why does the company have "values"? I though companies were supposed to be looking after the intrests of their shareholders, i.e., profit. Do the shareholders consent to the lost profit being donated to political motives? This broader trend of companies becoming political organizations is terrible, frankly.
But even with that said, I find their stance in the article to be hopeful, and sincerely wish that they stay true to their words in this paragraph.
>To be clear, just because we did it in a limited set of cases before doesn’t mean we were right when we did. Or that we will ever do it again.
This ship has sailed since about 2008: https://en.wikipedia.org/wiki/Environmental,_social,_and_cor...
I would like to see new companies that completely reject the status quo in every way:
- No HR departments
- No virtue signaling whatsoever
- Cubicles are back, no open offices
- Only hire based on competence
- Explicitly prohibit any kind of activism at work
- No politics at work
- No tolerance to anything but work. If you sexually harrass someone, instantly fired.
- No woke HR training (no one watches it, yet no one has the courage to say anything about it)
- No green washing pledges (these are not as effective as public thinks)
I'd sign up for a job there. People need to read 1970's annual reports. They were so amazing.
> - No woke HR training (no one watches it, yet no one has the courage to say anything about it)
Given that a chunk of the HR training is about reminding people not to sexually harass, I'm not sure how you can achieve both of those? Especially when you don't have an HR department. Who's investigating the allegations? In practice this kind of culture leads to "if you are sexually harrased, you have to keep your mouth shut or you will be fired".
[1]: https://www.everydaysociologyblog.com/2012/09/the-rationalit...
If companies had to always maximize short term profits there would be very few companies around.
wrt shareholders for public companies they have a duty not to defraud them[0]; for everything else they are another stakeholder between employees, the public, the company itself as an institution, and other.
[0] For example how Musk had Tesla overpay for the failing SolarCity to save face [1]
[1] https://www.youtube.com/watch?v=GSUQhfYv3wc
[2] https://www.youtube.com/watch?v=aYGgeRxVS_E
[3] https://youtube.com/playlist?list=PL-eVf9RWeoWHFuSgmmpMlMlVf...
If someone keeps starting fires on my property, I don't want you to donate to the local fireman's fund, I want you to stop giving that person matches.
They also care about providing value / reducing costs in terms of e.g. sustainability.
Lets see if these feelings over profits survive the next recession, I am press X for doubt on that one
Also, you're decades out of date on shareholder capitalism. ESG is big now. Even the shareholders don't necessarily want to you to maximize profit.
Look into ESG scores and Black Rock.
I don't see why their policies should differ depending on whether they are hosting or protecting the content in question. Either way, they are in part responsible for making that content accessible. I get the feeling that this is just an arbitrary distinction that they've made since hosting this content is more likely to have legal consequences for Cloudflare than simply providing DDoS mitigation services for it.
> Giving everyone the ability to sign up for our services online also reflects our view that cyberattacks not only should not be used for silencing vulnerable groups, but are not the appropriate mechanism for addressing problematic content online. We believe cyberattacks, in any form, should be relegated to the dustbin of history.
I disagree that the paragraph you quoted is relevant to that. But if it is, then it doesn't seem good that their goal of eradicating cyberattacks is more important to them than actual human lives.
Deleted Comment
Dead Comment
If Matt Prince were the head of the Inglorious Basterds, he’d evidently reform them to vote blue instead of scalping nazis
I know you aren't advocating that other sites be taken down, but that is the effect of allowing DDoS against a site. Perhaps you don't mind collateral damage but it should be acknowledged as a consequence of your suggestion.
Not that I agree or disagree with this argument - just wanted to point out what their reasoning seems to be.
Their reasoning is the best that they could come up with under pressure. Which is to say - lol.
This is kind of a ridiculous comparison. A real-world landlord is a private individual extracting rent from their tenants while a real-world fire department is a publicly funded institution with a duty to protect everyone.
Cloudflare offers both its hosting and DDOS services as a private company. They aren't morally obligated to provide anything, regardless of whether the DDOS protection is offered for free.
The Daily Stormer tried to unsuccessfully groom kids with cute comics. They could not have fallen any lower. An intervention here would not be required. A negative example is also an example you can learn from.
Because that's CloudFlare.
Love CloudFlare, think they are amazingly innovative, huge amount of respect for the people who work there.
I see where they're coming from, but I don't see how KF is defensible whilst 8chan et al aren't.
On the one hand, websites like KF and the like are utterly reprehensible. On the other hand, Cloudflare taking it upon themselves to police the Internet is a nightmare in its own, given their bot-prevention services are effectively mandatory in order to even keep any sort of larger interactive website running.
What is permitted to say is something for the courts, not for the whims of private businesses, to decide.
Even in that article they say "While we will generally follow legal orders to restrict security and conduit services," - how can you say this? No other business says "while we will generally accept court judgments..."
To the contrary, in this case it's exactly for Cloudflare to decide. They're not a utility.
They can absolutely drop kiwi farms and still be in the clear, ethically. It's not like kiwi farms is even remotely close to some sort of slippery slope. It's the goddamn burning trash pit on a FOB of internet sites.
Maybe we should additionally also focus on that problem as well. It should not be the case that you need to pay a protection racket just to be able to survive on the Internet.
We definitely need more, also international, efforts to establish:
- baseline requirements on IT security (to reduce the impact of stuff like hacked IoT devices)
- quick and fast cooperation between governments to identify and contact owners of hacked equipment to get them off the Internet and patched. Maybe something similar in operation to firefighters - you don't have to pay for their assistance unless you actually created the fire or were grossly negligent?
- procedures to get nation states that are a clear and consistent threat to everyone else off the Internet either because they actively attack others or because they are shielding hacker groups, and judging by where a lot of attacks originate, that is Russia, China, North Korea and Iran.
Particularly regarding the last point, I'd also advocate to take factual declarations of war as what they are and strike back.
This is bullshit, there are a plenty of alternatives.
In the US corporations are people and money is speech. Cloudflare can try to become a public utility if they want but right now they're a corporation and they're making a political decision to continue to take money from customers that use their services to operate harmful social spaces that are used to coordinate targeted harassment campaigns and drive vulnerable people into suicide.
They frame selling DDoS protection as a neutral and good thing because it prevents cybercrime. But would you accept the same argument for selling ballistic vests? Plate carriers? APCs? Clearly selling defensive equipment to both sides of a conflict is still involving yourself in a conflict. If you want to be neutral, you don't involve yourself, you don't sell.
And to make matters worse, the general consensus is that the party they're selling DDoS protection to are "the bad guys" in this conflict. The guy operating it literally had to create his own hosting company because he ran out of hosting providers willing to do business with him. He had to resort to crypto wallets because payment providers have long banned his site.
Even if there wouldn't be any evidence that he encourages and participates in the harassment campaigns his site is known for (a site, by the way, that was literally created to harass one specific individual), the person maintaining that site still took a principled stand to allow this behavior to continue despite what it cost him. And now Cloudflare's CEO took the same stand to continue doing business with this person.
You may not like the content its users choose to post, but I for one am glad sites like it exist as it gives hope that the First Amendment continues to be respected and legally tested... otherwise I fear that censorship will keep creeping up until it has gone too far.
Deleted Comment
Dead Comment
> To be clear, just because we did it in a limited set of cases before doesn’t mean we were right when we did. Or that we will ever do it again.
their opinion is that it is (almost always?) ethically wrong for them to withhold security products. for the two websites i mentioned, nobody is stopping them from providing services. for a third, they could lobby to fix fosta and/or not transit switter traffic in the us.
I stated this: "but I don't see how KF is defensible whilst 8chan et al aren't"
This meant: I don't understand how they can invoke the removal of 8chan and a neo-Nazi site, yet retain KF.
As a dev who was once entirely on board with CF and recommended their "workers" environments to anyone that would listen, I'm very sorry to have to terminate both my business with them and my evangelizing of their services. But I'm certainly not going to stay in business with or recommend a company that would rather hide from their responsibility than to take the political heat for sensible business decisions (like removing poisonous clients).
Which services was kiwifarms using? Are they now using a reduced set or none at all?
Dead Comment
This is meant to be sarcastic but a lot of people basically do believe this. Most arguments about "stochastic terrorism" would implicitly aim to devalue/censor any sort of speech that "punched down".
8chan bad, ISIS ... well, not as bad?
I will never stop reminding people that the CEO said he woke up in a bad mood one day and took down protections for one group ... but left murdersites alone. Can't be undone.
Remember that whenever they pretend to be unbiased.
Out of loop. What is this in reference to?
Deleted Comment
> For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them. We don't and won't talk about these efforts publicly because we don't do them for marketing purposes; we do them because they are aligned with what we believe is morally correct.
These are the two strongest points for me. The former is one I already believed, and the latter makes me more hopeful as someone in that specific minority community.
In addition, I think it's touched on but Cloudflare is huge. Even if they changed their mind on terminating amoral customers, how would that go down? Another automated moderation system that checks for certain keywords? Ask the LGBTQ people banned from Facebook/Twitter/Reddit/Google/etc. if those systems really work all that well. All too often person A implying that X group deserves violence skirts the system, while the actual text calling out Person A's beliefs from an advocate is considered hate.
These people who want to revoke DDoS protection for groups they don't like are essentially promoting terrorism. Why else would they fight so hard to remove DDoS protection, if not because they simply want those attacks to succeed?
They're attacking KiwiFarms for their agenda of trying to drive people to commit suicide.
I don't know if I would describe a DDoS attack as "digital terrorism", but it is annoying and hard to stop on an individual level because of the design of the internet.
in my experience most of the time it's due to:
No, it's not. Not everything that's bad is terrorism.
Terrorism is specifically about using violence. Don't water down terms.
As the article says, "... [not providing services based on moral character] is a dangerous precedent, and one that is over the long term most likely to disproportionately harm vulnerable and marginalized communities."
"Nazism is bad" EOM
That wasn't so hard, was it?
You already do. And that's actually a good thing. It means that in free societies like the USA, these companies are free to choose to do (or not do) business with whomever they choose. They are not free from the market reacting to those decisions, though.
I’ve been seeing this confusion more and more recently, probably because of the size and omnipresence of corporations.
I don’t know if this confusion is deliberate to justify certain acts or simply ignorance, but the distinction has to be emphasized. Corporations and public services are completely different beasts, with different legislations, incentives, etc.
In that they are both organizations made up of human beings providing important services to the general public, they are the similar. I think that's the similarity that was being emphasized by the analogy.
The analogy still works if you imagine private firefighters (the kind you might contract for a farming operation) instead of public firefighters.
A gas station has a moral obligation to sell gas without discriminating by race, etc. A gas station does not have a moral obligation to sell gas to arsonists.
I'd be suspicious if a gas station made a press release about how they'll sell gas to anyone but also donate to charity to "make things even". Sounds like they want arsonists to know where they can buy gas.
Something similar to basic Cloudflare but run as a public service by the government that is free to all might be a good thing to have. If there are majorly amoral actors that use it we should be going after them for their crimes (from a legal sense) which other parts of the government can of course aid with.
Seeing how vital the Internet is for participation in society, it is my opinion that the baseline for "duty to serve" is that everyone has the right to a modicum of hosting and the ability to have their site accessible. That means a FQDN, SSL certificate, and network connectivity.
Should it be a legal requirement? I'm not yet convinced. But I don't think CF is wrong to host orgs they morally oppose.
Just don't justify whatever decision you make by conflating public and private services.
Do we consider stuff like DNS, BGP to be public service? I mean, Cloudflare can affect everyone who uses Internet.
Isn't it, though?
I see people are still desperately clinging to this "websites aren't public services" narrative but as the years go by it's becoming increasingly clear that it just isn't entirely true.
The whole logic behind the "it's a private space/service so they can deny service to whoever they want" argument is that, if a user is denied service, they can seek service from an alternative provider elsewhere, usually without much difficulty. If the other providers also don't want to provide the service, fair enough. But this isn't really the case in the modern web because you often don't have alternatives. If you are denied service by cloudflare, you can't just go to another cloudflare down the street. Same with many other major online services that are effectively monopolies in their field.
Illinois has to allow the Nazis to march: they are the government.
You don't have to allow nazis into your private party, nor do you have to publish their books.
You, as an individual, and corporations as entities are emphatically not the government.
> I don’t know if this confusion is deliberate to justify certain acts or simply ignorance
Also, my guess is ignorance. Cloudflare is essentially restoring a platform on the internet that is difficult to get and keep for small creators. Their posts on this topic strike me as the super libertarian types who take no issue with privatizing public services.
I see more than one political group purposefully conflate this in order to push their own agendas.
For example, when a private company says that won't tolerate hate they claim "free speech" infringement but when government silences a critic they don't like it's "law and order."
in a post that further goes out of its way to say, "look at these morally good things we're doing (Galileo and Athenian) that aren't themselves part of the abuse process, and then has their logos as two of the three images in the article body? Okay, sure, this may not strictly be marketing material insofar as it's not an ad the marketing team purchased, but c'mon, did ya'll put those in place to help explain the abuse process or because they're nice "but look, we also do good things!" window dressing on an article you think otherwise may not have the best reception?
Yes, they market some other things they do.
> Another automated moderation system that checks for certain keywords? Ask the LGBTQ people banned from Facebook/Twitter/Reddit/Google/etc. if those systems really work all that well.
This is so, so true. Both automated and human review systems often times don't handle or protect minority users well.
(Reasonable Disclosure: I still terminated my services with CloudFlare over this.)
Even paying victims can't fix all harms. Never mind donating to someone else.
I'm sure their LGBTQ+ employees will appreciate that when they get doxxed, swatted, and harassed every hour of the day and night because they're providing critical resources to the groups doing so.
Their position probably really does come from genuine belief in principles of anti-censorship and free speech, but the version that LGBTQ+ people are gonna hear from them is that every death threat, every picture of them taken without their knowledge, every coordinated campaign of harassment, every SWAT officer pointing a gun at their face when they wake up, every suicide after years of abuse, has the full backing and support of a multi-billion dollar corporation, and there's nothing they can do about it. And they're kinda right.
If not Cloudflare, then someone else, that's the reality of it. We do not live in a world of no harm and never will we. All we can do is manage it.
Cloudflare loves to call back on the law when defending Kiwifarms, but then equate themselves to a public utility.
If the law intended for it, DDoS protection would be a public utility or at least a protected class of service that can't refuse customers. And if you say that it should be and the law is just lagging behind (and I'd tend to agree with you), I can say the same thing about the technical legality of a website that enabled and (indirectly) incentives doxing, harassment or even swatting (except on Kiwifarms, people might technically have a case for defamation, but good luck getting that prosecuted).
If they get rid of Kiwi Farms, ultimately it's not going to fix the problem. They're going to find a new, harder to harass vendor for CDN. Cloudflare's detractors are going to find a new website to talk about.
If you're talking about all websites that do this kind of thing, I have my doubts about how this would look in practice. Take down websites that use hate speech? Work to debunk hateful myths would likely get caught in that. Suspend websites that get X number of reports? Congrats, you've given botnets a far more effective tool for DDOS. Don't suspend those websites until a human analyzes them? That'd be ideal, although it seems like that's the system they have. Those humans appear to be instructed to only intervene when Cloudflare itself is the one causing harm. Kiwi Farms is hosted elsewhere using Cloudflare as a CDN.
> Our decision to disable access to content in hosting products fundamentally results in that content being taken offline, at least until it is republished elsewhere. Hosting products are subject to our Acceptable Hosting Policy. Under that policy, for these products, we may remove or disable access to content that we believe: [...] Is otherwise illegal, harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals, or seeks to defraud the public.
Or do they? The CEO said CDN isn't hosting. But it fits the common definition.
Dead Comment
Dead Comment
This is a false equivalence, because fire departments are public utilities provided and regulated by the state. Cloudflare is a private business. If Cloudflare was democratically elected by its constituents, and it was accountable and answerable to them, then I would agree with them that they have a responsibility to make their services available to all of their constituents, subject to the due process of law.
But they aren't a public utility, and they don't get democratically elected. Cloudflare is a private business, and it exists to capture the surplus value of keeping more websites online and marketing their security products to more corporations. They can do business with whoever they choose to. And they choose to do business with Kiwifarms. Honestly: in effect, Kiwifarms functions as a free success story for Cloudflare's sales folks—"Look at how many people hate this website, and yet they're still online, thanks to Cloudflare!". I think that's probably the reason that Cloudflare's support of Kiwifarms rankles so much with people who are victims of the website—the fact that Kiwifarms is still online is Cloudflare working exactly as intended, but amorally.
> For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them
Okay, you donated the fees, but why continue to accept the money from the site that opposes LGBTQ+ rights in the first place? Cloudflare still got to keep the benefit of increased revenue, and a larger customer base, and the world still got worse. Did the donation they make actually offset the harm done to the world by keeping that site (whatever it is) online? It seems unlikely.
> In addition, I think it's touched on but Cloudflare is huge. Even if they changed their mind on terminating amoral customers, how would that go down? Another automated moderation system that checks for certain keywords?
No, it would go down, ideally, the same way it does today and the same way it did for the Daily Stormer and 8chan. Terminating services for customers like Kiwifarms is a big decision, and it's one that shouldn't be made lightly, and frankly: there just aren't that many harassment websites that are as big and as long-lived as Kiwifarms. I can maybe think of one or two others off the top of my head. I'm okay if Cloudflare decides to terminate one or two of the biggest, most important harassment sites using their platform per year—doing something is better than doing nothing.
I'm sorry, I'd only ever heard of Kiwifarms yesterday. I am also okay with that, but I do genuinely believe there will always be a next one. People forget they made the exact same comments before caving on 8chan and the Daily Stormer. As these incidents get closer together I predict we're reaching that 1-2 site a year rate. If I can backpeddle a little on my parent comment, I far less care about any of these specific websites than the implications of Cloudflare not giving the big "We hate to do this" speech beforehand.
Oh, but wait, CloudFlare HAS the resources to validate and act, since they know whose fees to send to rights organizations.
And as for being the fire department? Excuse me? They are a company that exists to make money, not a public service beholden to a specific, lawfully mandated social contract. Their first point is a false equivalency and they can go fuck themselves for even bringing that up.
This statement from them is PR fluff.
Paradox of tolerance. You must be _intolerant_ to these intolerant people or they will fuck up everything for everyone. Cloudflare is letting cancer of society erode public trust, just like every other hyper scale tech company, because businesses exist to make money.
Part of the reason for my position as stated above and throughout the thread. I believe that SPECIFICALLY at Cloudflare's scale, they have more control than most governments in the realm of speech. Therefore, they are MORALLY (not legally) required to enact the same social contract. I believe any alternative where they break that social contract will have unintentional repercussions for minority groups.
To have my position changed, I would need to be convinced those repercussions wouldn't happen in practice.
How much do you think Cloudflare donated for the 3 suicides caused by Kiwi Farms in the recent years?
Deleted Comment
Suicides that are awful, and were caused by Kiwi Farms. The quote I used clarified that Cloudflare's aim is to not profit from abhorrent behavior.
Dead Comment
Dead Comment
Deleted Comment
Dead Comment
I'm curious what you think the "balancing" donation/action/whatever cloudflare could do to counteract the very real harms kf causes are?
This isn't a political action group that takes donations and lobbies. It's a site where people's personal information is offered up to anyone who wants it, knowing that many of those people want to do harm with it. The owners and moderators know all of this and both allow and encourage it.
I think this kind of "but we donate!" approach is both an admission that they enable harm, and a completely inadequate to the situation here.
Yes, this should be an issue for law enforcement. But this has been going on for years and nothing has been done, in spite of many efforts being made and many people literally going into hiding due to harassment from this site.
So how is cloudflare going to make this one right to their ERG?
I don't think that specific passage was in reference to KiwiFarm's paid plan.
> Yes, this should be an issue for law enforcement. But this has been going on for years and nothing has been done, in spite of many efforts being made and many people literally going into hiding due to harassment from this site.
This is the specific contradiction I'm trying to avoid. It feels incredibly odd to me to look at a coordinated campaign of harassers and think "it should be easier for organized groups of people to control the conversation". You can look at my comments in this thread or in others, I'm totally cool every time hateful shitbags are taken off the internet and I fight back when they're defended. I'm just not in favor of any broad policy that puts one organization in control of speech.
I wonder how all of this will end? I support CloudFlare here - they should act as a utility, not as an arbiter of content. This ends poorly and one day will bite the people that are pushing for this.
Once they realized that they had a systematic advantage in petitioning hosting companies to deplatform disfavored content without due process, however, all of the underlying arguments for net neutrality were quietly discarded.
It was an economic issue, not a political one.
Deleted Comment
Yes, I remember the "Moral Majority" era. I remember the religious right, the fundies, the evangelicals, and the grasp they had on speech. I remember how they tried to ban porn in the late '90s and the courts had to smack it down. And I saw how the left has taken over institutional power since then, still crying about victimhood status while holding government majorities, running education and the media, and so on.
It looks like the pendulum has started swinging back in recent years. I don't really want to go back to the late '90s in terms of culture and government (especially culture) but I won't be at all surprised if it happens and the right shows the same lack of magnanimity as they were shown this past quarter century. And a good way to make sure that happens is to continue to stifle their speech and give them every opportunity to cry victim and wish revenge. The left made hay from these opportunities and the right has been watching. A lot of their activists have read Rules for Radicals too.
It's the exact same pattern: Zealots trying to use censorship to suppress those that don't adhere to their ideology. The reason it's confusing is because you're looking at it as a left/right issue when it's not. It's an authoritarian/libertine or extremists vs everyone else issue.
Dead Comment
It is a terrible fact of human psychology that being abused in a particular manner make you much more likely to abuse others in the same manner, not less.
So then advocate for them to actually be a utility. Right now they get to benefit from being treated like one, but not being held to the same legal standard of an actual utility.
You guys are the ones undermining the legitimacy of freedom of speech by passing doxxing off as merely being an opinion while it in fact surpresses actually bipartisan discussion. Disgusting.
Deleted Comment
Dead Comment
Dead Comment
Dead Comment
Deleted Comment
It seems that Cloudflare believes that they are the only ones who can protect the websites hosting this content from being DDoS'd out of existence, and thus they are protecting their right to freedom of speech. But the owners of these websites can just use a different provider that is more aligned with their sense of morality, and Cloudflare doesn't need to protect websites that they morally disagree with.
DDoS-Guard still exists and I have no doubt they would be perfectly happy to protect websites like The Daily Stormer, 8chan, and KiwiFarms. They have shown themselves to be capable at mitigating large-scale DDoS attacks against the Russian government, so it's not like Cloudflare is the only place these websites can survive.
Cloudflare should only continue to provide services to websites like these if whatever they gain by having them as customers outweighs their moral disagreement with them. And I can't see how a few thousand dollars per year does that.
- Precedent from decisions on The Daily Stormer and 8chan was used to pressure Cloudflare to deplatform human rights organizations by authoritarian governments. Refusing to deplatform isn't about protecting Kiwifarms, but protecting other groups in a global environment where they face legal and social pressure on differing and conflicting views. A hands-off policy on moderating the content of their customers removes the possibility of using deplatforming to suppress human rights.
- They rarely get paid by any of these sites, and when they do, tend to donate the proceeds to charities opposed to such awful websites.
Cloudflare isn’t a court, its decisions are not legal precedents, it can decide on a case by case basis who it wants to do business with.
If authoritarian government comes knocking, just say no. What are they gonna do?
Except this is a bullshit excuse, because a) you can just tell those authoritarian governments "no", and b) they have been removing customers like sex workers for many years already, this is not some novel change. The only change is that it affects literal fascists now.
"Banning nazis means we also have to ban human rights organizations" is some grade-A spin doctor bullshit, and I would expect better from people here than to fall for that.
Deleted Comment
Unless, of course, you are an _enabler_ of such attacks.
This is where CF's hypocrisy shines through.
instant-stresser.com str3ssed.co freestresser.co metastresser.com (dozens more)
These are all sites hosted with CF DNS, who provide services that are literally the opposite of free speech -- they are in the business of _suppressing speech_, for money (or for free!). They are the providers of the service CF protects its paying customers against. There could be no more simple definition of a shakedown racket than this: Pay us for DDoS protection, or risk being brought down by one or more of our (non-paying) customers!
For all their completely defensible talk about free speech, this is a category of customer that is indefensible, and completely identifiable.
Except for one thing: If they were "relegated to the dustbin of history", so too would be CF's business model.
So before defending CF's stance on "free speech", take a good look at their business model, and who they support.
According to completedns.com, instant-stresser.com has been using Cloudflare on and off for almost 8 years, and continuously for the last 3 years. It's also the 2nd result on Google for searching "free stresser". It seems impossible that this site hasn't been reported to Cloudflare by now, indicating that they have made the decision to continue protecting it. Very bad.
I haven't checked the other sites you mentioned, but if this pattern holds, it definitely changes my perspective on Cloudflare.
ddosforhire.net
They're a lovely recommendation/review site that lists a few dozen DDoS-for-hire sites. Take a random look at who hosts the individual sites' DNS.
Their business is fundamentally a shake-down racket, disguised as a free-speech defender.
Here's a recent report on a DDoS-for-hire outfit that was criminally charged and convicted, related to downthem.org and ampnode.org
https://www.malwarebytes.com/blog/news/2022/06/ddos-for-hire...
Interestingly, the affidavit in that case does note that Cloudflare provided services for downthem.org and ampnode.org. However, this is a criminal indictment of the guilty party. I suppose the issue is, what kind of 'public reporting of criminal activity' is needed to provoke CF to drop services? In cases like this I also imagine CF cooperates with FBI investigations.
Seems to be the case,
> The FBI’s Anchorage Field Office and its Los Angeles-based Cyber Initiative and Resource Fusion Unit investigated this matter. [...] Cloudflare, Inc. [...] assisted this investigation.
https://www.justice.gov/usao-cdca/pr/illinois-man-sentenced-...
Edit: And for anyone looking for the affadvit reference by parent, I believe they mean this: https://storage.courtlistener.com/recap/gov.uscourts.cacd.73...
That is not my claim; they don't operate any DDoS-for-hire sites. My claim is that their "free speech, we won't shut them down" claims are utter hypocrisy when they do nothing to shut down their support for DDoS-for-hire sites, the ultimate (on the internet, anyway) anti-free speech perpetrators.
When I worked at Malwarebytes we had regular issues with malware being hosted on Cloudflare. Now I don't mean like "hey download this file so you can learn"- that kind of thing we fully supported. I mean that these files were being explicitly used in drive by exploit attacks- if a user with a vulnerable browser went to the wrong webpage, that webpage would load exploit scripts from the Cloudflare network and then inject the malware.
To me this is a very simple example of abusing a network. It is not a free speech issue, unless you think punching someone in the face is free speech. We proved that this was happening by providing pcap files showing the entire network transaction and the fact that users were not initiating this on purpose.
Their response was to ignore us until we started blocking their end nodes, at which point they came to our forum and straight up lied.
> Unfortunately, the new system is unlikely to resolve the current controversy which is more political than technical in nature. The current controversy involving Malwarebytes blocking CloudFlare IPs is centered around one site. To be clear, this site does not distribute malware itself and visiting it will not infect your computer. It does, however, provide information on how to create malware. Philosophically, we believe there is a difference between distributing malware -- which we will prohibit through our network -- and distributing information about malware. We do not believe our role is to play censor to any information on the Internet, even information we find disturbing. Publishing the Anarchists Cookbook does not make you a terrorist. Blocking sites based on the information they contain, as opposed to the actual harm they do, takes a step down a slippery slope I find deeply troubling.
https://forums.malwarebytes.com/topic/108447-my-site-using-c...
This was a 100% dishonest lie, and it's the same pattern Cloudflare has been following for a decade now. In this case they lied claiming we were blocking educational material, which is something Malwarebytes never did. He said all of this after we sent the pcap files proving that this wasn't an issue with educational sites.
From my perspective Cloudflare has always been willing to hide behind free speech even if it isn't relevant. It's their go to excuse for any bad behavior.
They host and protect a website only dedicated to muzzling people the userbase disagrees with...
If DDoS didn't exist I'm sure CF would still thrive as a CDN and all the other services they provide (Argo, Workers, etc).
If anything, I'm sure CF would be more than happy to stop providing DDoS protection for free. They'd save a lot of money.
Maps isn't a service used for suppressing free speech. It's the hypocrisy that is galling.
If you stand up for free speech, it is inconsistent to support those whose business plan is the suppression of free speech.
Meanwhile people's lives are ruined, their friends and family contacted, harassed, and they live in terror of people who congregate, anonymously, on that site, which is hosted out in the open with large corporations providing them services. A donation to the trevor project does nothing to protect those people, it just tells them their lives are expendable and they'll try to save someone else's.
Something must be done to stop them. I haven't heard any legal arguments for what could be done to stop them - one is told simply "you can't fight back, and you can't protect yourself, legally". When people are told that, they take more drastic measures, because the system that exists won't protect them.
Honestly a good proposal I've heard is to at minimum shut down SWATTing or add consequences and tracking of the requestor. Police being able to be consistently deployed on a ruse is, to me, insane.
And what does Josh's mother have to do with anything?