Debate Surrounds Cloudflare’s Role: Free Speech Defender or Enabler of Abuse?
Cloudflare, the content delivery network renowned for protecting websites from denial-of-service attacks by masking their hosts, finds itself embroiled in a familiar controversy. Critics are questioning whether Cloudflare is a defender of free speech or an enabler of spam, malware, harassment, and the very DDoS attacks it claims to block.
Cloudflare’s Hands-Off Approach Under Fire
This isn’t a new debate for Cloudflare, which has often taken a laissez-faire approach to moderating the vast amount of traffic passing through its network. With Cloudflare handling 16% of global internet traffic, processing 57 million web requests per second, and serving between 7.6 million and 15.7 million active websites, the company’s policy of serving all actors, regardless of behavior, has sparked intense debate. Advocates of free speech and internet neutrality applaud this stance, while those combating online crime and harassment view Cloudflare as a pariah.
Spamhaus Criticizes Cloudflare’s Policies
The latest criticism comes from Spamhaus, a nonprofit that provides intelligence to combat spam, phishing, malware, and botnets. On Tuesday, Spamhaus reported that Cloudflare services 10% of the domains on its blocklist and supports sites with over 1,200 unresolved abuse complaints. The nonprofit highlighted the ease with which cybercriminals use Cloudflare-protected websites for malicious activities.
Spamhaus members stated, “Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS).”
Cloudflare’s Content-Neutral Stance
Throughout its history, Cloudflare has maintained that it isn’t in a position to moderate or police the content on websites using its “pass-through” services, which utilize Cloudflare’s network to streamline delivery and prevent DDoS attacks. Cloudflare asserts that it doesn’t host content and should not be responsible for investigating abuse reports.
“Everyone benefits from a well-functioning Internet infrastructure, and we believe that infrastructure services should generally be made available in a content-neutral way,” Cloudflare’s abuse policy webpage states. Critics argue this absolves Cloudflare of responsibility for harmful content and services.
High-Profile Criticism and Support
Security reporter Brian Krebs, whose site was targeted by a massive DDoS attack in 2016, expressed reservations about Cloudflare’s tolerance of DDoS-for-hire services. Similar criticisms have been made about Cloudflare hosting sites spreading malware and phishing, and fostering harassment, particularly against vulnerable groups.
Cloudflare responded to Spamhaus’s criticism by stating it has a comprehensive abuse reporting process and engages with law enforcement as appropriate. The company emphasized that terminating users would remove security services without eliminating harmful content.
Support from EFF and Legal Experts
The Electronic Frontier Foundation (EFF) supports Cloudflare’s content-neutral policy, warning that infrastructure providers are not well-placed to evaluate harm and face conflicting requirements in different countries. Eric Goldman, an internet law professor, noted that Cloudflare’s role as an infrastructure provider limits its options for addressing abuse complaints, making content moderation decisions complex and fraught with consequences.
Past Exceptions to the Policy
While Cloudflare has occasionally deviated from its hands-off policy—terminating services for neo-Nazi site Daily Stormer in 2017 and far-right forum Kiwi Farms in 2022—the company generally resists calls to cut off other abusive sites from its pass-through services. The ongoing debate highlights the challenging balance between defending free speech and combating online abuse.