Why a Hunger Games-Like Vision for the Internet is Wrong
Earlier this afternoon Brian Krebs, a well-respected security writer, published a story which, in part, calls for CloudFlare to censor the websites of a handful of our users [http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...]. These websites are known as "booter" sites. The sites claim to offer point-and-click DDoS services. The thrust of Brian's argument is that CloudFlare is a hypocrite for allowing these sites that advertise DDoS services to be protected by our network while, at the same time, offering as a core feature the ability to stop DDoS attacks.
Brian acknowledges that there's a bit more nuance to the argument. He understands that CloudFlare is not a hosting provider and that terminating any customer wouldn't make the content of the booter sites go away, it would just make them slower and more vulnerable to attack. He also acknowledges that no attack traffic actually originates from CloudFlare's network. His assumption, which we discussed at length before he published the article, is that if CloudFlare weren't in the equation then the booter sites would simply DDoS each other into oblivion.
Stop for a second and think about that: Brian is arguing for a Hunger Games-like vision of the Internet. It's the functional equivalent of if the police stopped prosecuting crimes committed against people they suspected to be criminals.
Brian is not the first person to make this argument and he won't be the last. A few weeks ago Kanye West's attorneys contacted CloudFlare insisting that we terminate protection for a customer they said was causing irreparable harm to their client: the parody cryptocurrency called Coinye. Ken Carter, our legal counsel, explained to Mr. West's lawyers that terminating the Coinye CloudFlare account wouldn't make it go away, it would just make it more vulnerable to attack. They thought that would be terrific. Ken respectfully disagreed.
CloudFlare's mission is to build a better Internet. Inherently there is content on our network that I find distasteful or even harmful. In the past, we've been called to task by other journalists [http://blog.cloudflare.com/cloudflare-and-free-speech] for allowing controversial websites to use our network. There is currently a campaign that has gathered over 22,000 signatures [http://www.change.org/petitions/matthew-prince-remove-chimpm...] for us to terminate the account of what I consider a horribly racist and distasteful website.
While I, personally, agree that the site the petition was started over is truly awful, I don't believe my personal opinion of what is good or bad content should be what governs what is allowed online. If CloudFlare succeeds, even in small part, at building a better Internet, inherently we must honor and respect one of the Internet's greatest qualities: that it is a network open to anyone.
Note that this isn't everyone's policy. Amazon, for instance, terminated WikiLeaks' account after political pressure [http://www.theguardian.com/technology/2010/dec/11/wikileaks-...]. More recently an article circulated that they were censoring books where people fantasized about having sex with dinosaurs [http://observationdeck.io9.com/amazon-now-at-war-with-dinosa...]. Other CDN providers are notorious for taking content offline at the first hint of pressure. We don't do that, even when the pressure comes from someone we truly respect like Brian. Fundamentally, we won't play the role of the Internet's morality cops. It's above our pay grade.
Booter sites, you may argue, are different. But the key question is where do you draw the line. If a site says you can push a button and launch an attack should we take that down? What about one that has a phone number you can call? Or gives you instructions on launching the attack yourself? CloudFlare is many things, but one thing we are not is the Internet cops.
Don't get me wrong, we don't believe in a lawless frontier. While we believe deeply in principles of due process and will push back against what we deem abusive legal requests [http://blog.cloudflare.com/fighting-back-responsibly], ultimately if ordered by a court through valid legal process we will comply. While booter sites may be successful at using us to protect their content from being knocked offline by a DDoS attack, they will not be successful at using us to hide from law enforcement if they are breaking the law.
Brian and I have known each other for almost a decade. He left the Washington Post and started Krebs On Security around the same time as we were launching CloudFlare. I actually tried to hire him back then. Thankfully he didn't accept the offer because he has become one of the leading security journalists writing anywhere today. He breaks important stories, which is something we need in the security space.
On this issue, I respect Brian's opinion but think he's ultimately wrong. That said, I have no problem with him fostering the debate. I think the discussion is hard, but it is healthy and important. To that end, if there are any large security or technology conferences that would like to host such a debate between me and Brian on stage, just let me know when and where and I'm in.
I do however think that there is a material difference between hosting unpleasant speech (to which the counter is speech pointing out that the speaker is wrong/idiotic/etc) and hosting malware/botnet sites (to which the counter is... what? what IS the counter to a sufficiently large botnet? ultimately we all have a limit at which point we can receive no more traffic. You might not have hit it - yet - but you will).
The internet - as you are aware - is based on protocols not designed with any significant security in mind. No-one in their right mind would today sit down and design something like BGP, for example. With that in mind, any large provider (or large consumer with capability to cause harm) has the responsibility to be a good citizen of the internet, and not to (by action or inaction) advance the agendas of those who would see its demise. As much as it might be convenient from an operational POV, and justifiable from a moral POV, washing your hands of responsibility and saying "It's not up to us, it's up to the courts" just doesn't work when the infrastructure we're all building on is so very fragile. I'd also like to note that there's a semi-hidden US bias here - what if the target of a botnet, whose admin interface is hosted by CF, is based in a country where there is no reasonable ability to recourse to the US courts? Iran, for example?
It's admirable that you do not censor content in response to political pressure, but there IS a difference between protecting freedom of speech and protecting malware, and saying that censoring the malware is a slippery slope is at least partly disingenuous - any vaguely controversial decision can be described as a slippery slope to something else. Please at least consider making it easier for those of us who are trying to fight malware, botnets, etc, etc to get the original source of the content. I know this will involve some human judgement, and inevitably some mistakes and poor decisions - but that would still in my view be far preferable to what we have now. Thanks.
http://blog.cloudflare.com/thoughts-on-abuse
Malware and sites advertising so-called "booter" services are different discussions.
Booter services are so incredibly common that the police aren't going to waste their time on them, especially since once the cops get the real IP from your convenient obfuscation service, it's likely hosted in China, Russia, or some other country where no action will be taken.
That is incredibly disingenuous. It's simple: if you knowingly facilitate an illegal service on your site, your service gets terminated. Every other reputable CDN and hosting provider can figure this out but somehow you can't? Give me a break.
So I don't see anything disingenuous whether you disagree or not.