Last week, internet infrastructure and security company Cloudflare deviated from its traditionally neutral stance of making its free security tools as widely available as possible when it blocked the online forum Kiwi Farms. The decision is the third time since 2017 that Cloudflare has terminated or blocked access to its services and reflects a growing and concerning trend of deplatforming campaigns going beyond where the content is hosted and targeting essential pieces of internet infrastructure such as security providers.
Defenders of Kiwi Farms argue that it’s one of the few sites that allows true free speech online. The most popular content on the site is usually discussions of online personalities such as commentators and streamers. However, critics of Kiwi Farms argue that it’s a hate site that enables harassment, doxxing, (the online publication of private personal information, such as personal addresses and phone numbers, without consent), and swatting (a harassment technique where false crime reports are made with the intent of eliciting an armed police response against an innocent target).
In the weeks leading up to Cloudflare blocking Kiwi Farms, criticism of the site had gone mainstream after transgender activist Keffals and Congresswoman Marjorie Taylor Greene blamed the site for targeting them with swattings. This culminated in a “#DropKiwiFarms” campaign which demanded that Cloudflare and other digital service providers cut off Kiwi Farms. Cloudflare initially resisted the pressure but ultimately blocked Kiwi Farms.
While deplatforming has become pervasive on social media, the unique position of Cloudflare’s security services in the internet infrastructure stack makes being blocked from these services much more consequential.
Cloudflare’s free security services protect more than 20% of the internet from distributed denial of service (DDoS) attacks and other types of cyberattacks. Without this protection, most of these sites would be targeted by activists, flooded with malicious traffic and quickly taken offline. This makes Cloudflare’s protection akin to an essential internet utility that’s necessary for sites to stay online.
Cloudflare has acknowledged this utility-like quality of its security services and stated that the power to terminate security services” is “not a power Cloudflare should hold.”
Cloudflare’s reasoning is based on its guiding principle that organizations that host content are closer to the content and therefore well positioned to make content moderation decisions. Security services, on the other hand, are much further away from the content and most closely resemble internet utilities which should remain neutral and follow legal and due process.
“Just as the telephone company doesn’t terminate your line if you say awful, racist, bigoted things, we have concluded in consultation with politicians, policy makers, and experts that turning off security services because we think what you publish is despicable is the wrong policy,” Cloudflare said in a recent blog post.
Cloudflare has said that cyberattacks are “not the appropriate mechanism for addressing problematic content online” and argued that selectively pulling its security services sets a dangerous precedent:
“Some argue that we should terminate these services to content we find reprehensible so that others can launch attacks to knock it offline. That is the equivalent argument in the physical world that the fire department shouldn’t respond to fires in the homes of people who do not possess sufficient moral character. Both in the physical world and online, that is a dangerous precedent, and one that is over the long term most likely to disproportionately harm vulnerable and marginalized communities.”
Yet, despite this guiding principle, there are two previous moments where Cloudflare has deviated from this neutral stance. In 2017, it terminated the Neo-Nazi site The Daily Stormer and in 2019 it terminated the online imageboard 8chan.
Cloudflare has acknowledged that these decisions resulted in a “deeply troubling response” where it saw “a dramatic increase in authoritarian regimes attempting to have us terminate security services for human rights organizations.” When blocking Kiwi Farms, Cloudflare also admitted that the decision only “temporarily addresses the situation” and “by no means solves the underlying problem.”
Cloudflare’s infrequent but repeated abandonment of this neutrality is just one of many examples of pressure campaigns going beyond hosting providers. In many cases, these campaigns have been successful and resulted in users losing access to the internet infrastructure that’s necessary to connect to the internet or stay online.
Recently, several websites were taken offline in Austria after a sweeping block against Cloudflare internet protocol (IP) addresses. The blocking instructions were supposed to target pirate websites but because Cloudflare IP addresses were included in the order, a wide range of non-piracy websites were also blocked. In this instance, no explanation was given until the internet service providers (ISPs) published the blocking instructions.
Shortly after Russia invaded Ukraine, Cloudflare was asked to stop providing security services to websites in Russia and Belarus. The decision would have resulted in many Russian citizens losing access to the information on sites protected by Cloudflare. However, Cloudflare rejected the request and argued that “Russia needs more internet, not less.”
And over the last few years, Cloudflare has faced increased pressure from large copyright holders who attempt to get Cloudflare to block access to sites, even when it hosts none of the infringing content. In 2020, Cloudflare set a new precedent by blocking a piracy site and in 2021, it was ordered to block a pirate site, despite hosting none of the site’s content.
These attempts to target important pieces of internet infrastructure aren’t just aimed at Cloudflare. The Internet Archive, which is supposed to be a neutral historical archive of webpages, has also removed content on copyright grounds. After mainstream media outlets complained that its archives were allowing “misinformation” to spread, the Internet Archive started adding warning labels and “fact-checks” to its archives. Several sites, including Kiwi Farms, have even been outright excluded from the Internet Archive.
ISPs, which are supposed to be neutral providers of access to the internet, are another example where a crucial piece of internet infrastructure is losing its impartiality. They regularly face lawsuits from movie producers that pressure them to disconnect alleged copyright infringers from the internet. Some ISPs have cut off internet access for alleged infringers and one court has ruled that ISPs can avoid liability if they disconnect alleged infringers.
Copyright is just one of the arguments that’s used to justify the targeting of internet connectivity. Quinnipiac University recently threatened to cut off internet access for unvaccinated students and other universities have also introduced similar policies.
While these examples are currently the exception rather than the rule, the tide is turning and pressure campaigns are becoming increasingly successful at getting essential internet infrastructure providers to abandon their neutrality.