For Cloudflare, is hate speech too profitable to give up?

Web security and performance company Cloudflare has now terminated its relationship with notorious online imageboard 8chan, firing the customer in the wake of the mass shooting in El Paso.

Three days ago, a gunman walked into a Wal-Mart in El Paso, Texas and opened fire, killing at least 20 people. Shortly before the attack, a post allegedly written by the suspected shooter, 21-year-old Patrick Crusius, appeared on 8chan, outlining his motivations for carrying out the attack: Fighting back against "the Hispanic invasion of Texas".

Crusius is the third mass shooter this year to post his manifesto to 8chan immediately prior to carrying out an attack. He was preceded by 19-year-old John T Earnest, who opened fire on worshippers at Poway Synagogue in San Diego on 27 April. Ernest was in turn inspired by Christchurch shooter Brenton Tarrant, who attacked a New Zealand mosque on 15 March and killed 51 people.

All three men allegedly posted manifestos on 8chan, with each subsequent document citing the previous shooter or shooters as a direct inspiration for their attack. While the anonymous nature of posts on 8chan (along with its progenitor, 4chan) make it difficult to confirm the attribution of these manifestos, details included in the El Paso manifesto provide strong evidence for its legitimacy.

8chan is notorious for hosting some of the internet's worst excesses; It's a hotbed of radicalisation and recruitment for far-right white supremacist groups, and in addition to frequent hateful and racist language, it's also regularly accused of being used to share images of child abuse.

The site is available on the open internet (as opposed to having a Tor address), and was serviced by Cloudflare, which provides DDoS mitigation services to large portions of the web. The fact that 8chan was one of Cloudflare's customers prompted outrage and condemnation from many in the wake of the El Paso attack on Saturday, with accusations that by retaining the forum as a customer, Cloudflare was enabling - or even tacitly endorsing - the violence it caused.

In a statement about the decision, Cloudflare CEO Matthew Prince said: "The rationale is simple. They have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit ... we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services."

Stormer in a teacup

The shooting in El Paso is not the first of its kind. A similar incident (cited in Prince's post) occurred two years ago when the murder of Heather Heyer by a white supremacist at a rally in Charlottesville, Virginia led to widespread condemnation of Cloudflare's relationship with Neo-Nazi website the Daily Stormer.

Public outcry prompted the company to drop that site, just as it has done with 8chan, although in both cases, the company's executives raised a number of concerns. One of Cloudflare's common arguments is that it perceives itself as a neutral party and does not wish to become the arbiter of what is or isn't acceptable online.

"Cloudflare is not a government," Prince wrote at the time. "While we've been successful as a company, that does not give us the political legitimacy to make determinations on what content is good and bad. Nor should it."

More specifically in the cases of 8chan and the Daily Stormer, Prince has argued that dropping support for the websites won't take them offline or have any impact on their general level of availability - it will merely force them to move to an alternative provider. This was an accurate assessment: Both sites are now customers of BitMitigate, a Cloudflare rival that has explicitly stated its "commitment to liberty" in the form of accepting the customers deemed too toxic for other providers.

The evident level of Cloudflare's deliberation around these two specific cases indicates that the decisions on which customers to kick off its platform are being assessed on a case-by-case basis. However, this has also prompted questions over what makes a website too harmful for Cloudflare to tolerate.

For instance, numerous reports have alleged that multiple terrorist organisations, paedophiles and violent misogynist groups all use Cloudflare's service to protect their websites. Neo-nazi outfits Stormfront and the Nordic Resistance Movement, as well as Islamist organisations like Hamas, the Taliban and even ISIS were cited by the Counter Extremism Project. As of March last year, Stormfront was still a Cloudflare customer, according to posts on the site by the organisation's founder.

When concerns have been raised in the past, Cloudflare has indicated it retains these customers in part to allow it to monitor them for "content that contained an indication of potential violence", allowing it to alert law enforcement in advance.

"I think the idea is preposterous," says Ian Thornton-Trump, a cyber security expert who has worked with law enforcement on a number of operations. "Content is generated in too great a number for law enforcement organisations to look at or review 1% of it ... the law is not at present equipped to deal with the ethics and ramifications of activity in cyberspace except for some very clear cut computer abuse acts, child exploitation and fraud."

Irrespective of this, these two statements - that Cloudflare wants to support law enforcement, and that 8chan was dropped because it inspired violence - are inherently contradictory. If Cloudflare wants to keep hold of extreme sites in order to monitor them for violence, then 8chan must surely qualify too.

Rather than any moral or legal obligation, it would appear that the reason behind the decisions to drop both 8chan and The Daily Stormer, was simply put, public pressure. As Thornton-Trump notes: "[Cloudflare] valued the reputation of its business, which was more important than a customer whose content was divisive and dangerous".

Who watches the watchmen

All of which raises the question as to whether tech companies should be responsible for policing their customers. At present, the US government does not officially recognise domestic terrorist organisations, and does not apply any official sanctions to terrorist groups like white nationalists. This means there is no legal obligation compelling companies like Cloudflare to drop organisations like Stormfront as customers.

The decision as to when to drop a perceived domestic extremist organisation as a customer, therefore, rests with the companies themselves, which have so far demonstrated an unwillingness to voluntarily sever ties with extremist groups unless forced to do so by public outcry.

Jason Blazakis, who ran the US State Department office responsible for terrorist designations for over a decade, has previously argued the United States "urgently needs a domestic terrorism law that allows a federal agency to officially label an individual or group as a Specially Designated American Terrorist (SDAT) or Domestic Terrorist Organization (DTO)".

For Blazakis, this ability to officially treat right-wing violence as domestic terrorism - which would also allow the government to enforce embargoes on tech companies providing services to them - is an essential part of curbing this activity.

"Critics will argue that taking the step of labeling Americans as terrorists will lead us down a slippery slope," he wrote in December last year. "As very recent events illustrate, America is already slipping down this slope."

We have to face the fact that allowing tech companies to self-regulate simply doesn't work. As we've seen with mass data harvesting, more often than not, Silicon Valley companies will take the most profitable path even in the face of ethical concerns. Until the reputational damage becomes great enough to outweigh the revenue that a morally questionable practice earns, they will not stop.

While this is evidently somewhat tolerable when it comes to topics like data privacy, we simply cannot allow this attitude to hold sway in matters of public safety. If Cloudflare and providers like it cannot deduce for themselves that entities like Stormfront, 8chan and are not appropriate partners to do business with, then legislators must take the decision out of their hands.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.