After nearly a decade of using the web performance and security company Cloudflare for our web site security and CDN (content distribution network) needs, and despite its impeccable service and its status as an industry leader for over 20 years, we can no longer in good conscience remain a customer.
This is because the company continues to serve extremists and terrorists. It is impossible to understand how Cloudflare's major clients – including U.S. government agencies – who have vowed to fight online extremism are using its services without insisting that it stop facilitating the spread of violent extremist content.
You have likely never heard of Cloudflare – but chances are you are using its services every day – for your phone, banking, media, utilities, and other vital services. According to its website, it is "a trusted partner" that "protects millions of websites." It is also part of select group of companies trusted by the U.S. government to provide cybersecurity services, even offering a "suite of services for U.S. government and public sector agencies." But, putting revenue ahead of responsibility, Cloudflare's terms of use do not ban terrorists or any other hate groups.
Cloudflare serves websites hosting Al-Qaeda and ISIS outlets, and some of the websites most widely used by neo-Nazi, white supremacist, and antigovernment groups. Cloudflare's support for these websites directly contributes to violence on the ground.
It has been known for years that Cloudflare serves designated terror groups – for example, it protects the main Al-Qaeda-operated Rocket.Chat server – as has been widely reported by media. A December 2018 in-depth MEMRI study, Cloudflare, The U.S.-Based Leading Reverse-Proxy Service, Is Exploited By Every Major Jihadi Organization – Including ISIS, Al-Qaeda, Hamas, Taliban – Posing A Global Security Risk, found that the company provides services to nearly every major jihadi group that is active online.
Another recent MEMRI study that was released this month, Cloudflare, The U.S.-Based Leading Reverse Proxy Service, Is Favored By Prominent Neo-Nazis And White Supremacists – And Is Part Of Select Group Trusted By U.S. Government To Provide Cybersecurity Services, exposes Cloudflare's widespread use by neo-Nazis, white supremacists, and domestic terror organizations.
It was first reported back in 2017 that Cloudflare was optimizing content delivery for at least 48 hate sites across Europe. Since then, it has been serving neo-Nazi and white supremacist groups with impunity – including the 8chan website, which it did remove in 2019 due to public outrage after the El Paso Walmart mass shooter posted his manifesto there.
When leading American neo-Nazi Nick Fuentes, who made headlines when he accompanied Kanye West, aka Ye, to a private dinner with Donald Trump, livestreamed his bizarre July 16 speech calling for a "holy war" against Jews in which "we will make them die" and adding that "they have no future in America" or "in this world," it was on his website, Cozy.tv, that runs with the help of Cloudflare.
Cloudflare also protects Gab, the extremist social media platform which could be described as the No. 1 online hub for neo-Nazis – where Tree of Life synagogue shooter Robert Bowers, who now awaits sentencing, was very active, and which features daily posts calling for killing Jews, assassinating politicians, and overthrowing the U.S. government.
Nevertheless, in January 2023 Cloudflare scored a $7.2 million contract with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to provide services to the government. A year previously, Cloudflare had participated in a White House summit with top U.S. national security and cyber officials – from the Departments of Defense, Commerce, Energy, and Homeland Security, as well as CISA – and private sector tech leaders to discuss software security. In fact, Cloudflare CEO Matthew Prince is now listed as a member of the CISA Advisory Committee.
Also, in December 2022, the company announced that it had achieved a status with the U.S. Federal Risk and Authorization Management Program (FedRAMP), the government-wide program standardizing security assessment, authorization, and monitoring for cloud products and services. Cloudflare said that this reinforced its commitment to U.S. federal, state, and local government as well as to the "Defense Industrial Base."
The government's embrace of Cloudflare contradicts the stated goals of the Biden administration, whose National Strategy to Counter Antisemitism, released in May, was announced by the President as the "most ambitious and comprehensive U.S.-government-led effort to fight antisemitism in American history." The strategy calls on Congress to "hold social media platforms accountable" for "spreading antisemitism."
The strategy asks tech companies to "establish a zero-tolerance policy for hate speech on their platforms" and also to ensure that their algorithms do not promote extremist content. It also underlines the president's call for "fundamental reforms" to Section 230 of the Communications Decency Act. Yet it still fails to address the problem of bad actors such as Cloudflare which fully enables promoters and protectors of hate and terrorism, and neo-Nazis.
As part of the commitment of MEMRI's Cyber & Jihad Lab (CJL) project to assist tech companies in dealing with terrorist content on their platforms, in 2020 we briefed Cloudflare's head of public policy on our research and explained how we could help the company identify platforms hosting terrorist content so it could stop supporting them. After initial interest, when it was agreed that we would send information about extremists the company was serving, we proceeded to send numerous tips. However, the company took no measures, enacted no policy changes, and hate groups continue to use its services.
Cloudflare insists that it remains neutral and does not police the websites that it serves, asserting that it "abides by all applicable laws in the countries in which we operate and... firmly support[s] the due process of law." In August 2022, Cloudflare CEO Prince and Alissa Starzak, the company's Vice President, Global Head of Public Policy explained on the company blog: "Just as the telephone company doesn't terminate your line if you say awful, racist, bigoted things, we have concluded in consultation with politicians, policy makers, and experts that turning off security services because we think what you publish is despicable is the wrong policy."
Ignoring the difference between a telephone call, which is between two people, and a website, which incites many, they also defined activities and hate speech by organizations declared terrorist by U.S. law as merely "despicable."
The federal government, the tech industry, venture capital firms, and others involved with Cloudflare – such as the New York Stock Exchange, where it is traded, as well as the 30% of Fortune 1000 companies that, according to Cloudflare, rely on it – should know that it is providing services to extremist and terrorist entities – and that they are in a good position to pressure it to stop doing so.
At the same time, Cloudflare's provision of services to terrorists and extremists without any repercussions proves yet again that there is a need for government supervision, regulation, and ultimately industry standards that would prohibit companies that do not abide by them from working with the U.S. government and other agencies, or face penalties, which is what should happen now.
*Steven Stalinsky, Ph.D., is Executive Director of MEMRI; Yigal Carmon is President of MEMRI.