Introduction
Background
The January 2022 Open Source Software Security Summit at the White House[1] brought together top U.S. national security and cyber officials as well as private sector tech leaders to discuss open-source software security, following the discovery of a vulnerability which threatened millions of devices and applications and remains a threat to this day.[2] According to National Security Advisor Jake Sullivan, the summit was a "constructive discussion" about helping the public and private work together to become more resilient. Participating in the conference were officials from multiple federal agencies – the Department of Defense, the Department of Commerce, the Department of Energy, and the Department of Homeland Security, as well as representatives from the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and the National Science Foundation, and representatives from Amazon, Apple, Facebook/Meta, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, and Oracle – and U.S.-based reverse proxy service Cloudflare.[3]
On January 13, 2023, Cloudflare announced that CISA had awarded it a $7.2 million contract to provide Registry and Authoritative DNS services to the .gov TLD (Top Level Domain). It explained that CISA, which makes .gov domains available for U.S.-based government organizations, is the nation's risk advisor that works with partners to defend against threats, and that Cloudflare will provide registry and DNS (Domain Name System) services to "simplify security operations for .gov domain users." It added that with this contract, Cloudflare will support CISA's goals, including reducing the vulnerabilities of .gov-related infrastructure and government organizations.[4]
Cloudflare is used by a host of ecommerce businesses. It was reported in March 2022 that the top 20 ecommerce companies protected by Cloudflare are Etsy, Walmart, Best Buy, Dell, Nike, Doordash, and H&M, as well as Taylor & Francis Online (tfandonline.com), the journal content platform of one of the world's leading academic publishers.[5]
Cloudflare's History Of Serving Jihadis
Another sector that is protected by Cloudflare to protect websites and forums is jihadi terrorist organizationss. A 2018 in-depth study by the Middle East Media Research Institute (MEMRI) Cyber & Jihad Lab (CJL) on jihadi use of Cloudflare found that for years the company had been providing services to nearly every major jihadi group (see Cloudflare, The U.S.-Based Leading Reverse-Proxy Service, Is Exploited By Every Major Jihadi Organization – Including ISIS, Al-Qaeda, Hamas, Taliban – Posing A Global Security Risk).
According to the MEMRI study, between 2012 and 2017, Cloudflare was reported to be providing services to Hamas, the Palestinian Islamic Jihad's Al-Quds Brigades – both designated by the U.S. as terrorist groups – to the Al-Qaeda-affiliated KavkazCenter, the Islamic State (ISIS) and ISIS affiliates, the Taliban, Jaish-e-Mohammad, and many others involved in terrorism, including in the U.S. and the West. In response to each of these accusations, Cloudflare insisted that it seeks to remain neutral and not police the websites that it protects, asserting that it "abides by all applicable laws in the countries in which we operate and... firmly support[s] the due process of law."[6]
Today, Cloudflare continues to provide services to terrorist groups. Recent examples found by MEMRI researchers include the Specially Designated Global Terrorist group Al-Nojaba.com, which is owned and operated by Harakat Hezbollah Al-Nujaba, an Iran-backed Iraqi Shi'ite militia. Its first domain had been seized by the U.S. government in 2019, following its designation[7]; its new website is hosted and protected by Cloudflare.
Al-Nojaba.com and Cloudflare hosting information
Another example of jihadi websites protected by Cloudflare is Mranjemchoudary.com, belonging to Anjem Choudary, a British-Pakistani Islamic extremist who, according to media reports, has been "linked to 15 terrorist plots."[8] Through organizations he cofounded and headed, including the banned U.K. groups Al-Muhajiroun,[9] Islam4UK,[10] and Muslims Against Crusades,[11] Choudary is according to media reports, "believed to have motivated at least 100 people from Britain to pursue terrorism."[12] It was also reported, in 2016, that "documents from intelligence sources say his groups were at the heart of the Islamist movement in Britain, which has been left facing a 'severe' threat of jihadi attack."[13] Choudary was arrested and convicted in 2016 of "inviting support for Islamic State" in the U.K. and released "on licence" in 2018, halfway through his five-and-a-half-year sentence."[14] Upon his release, he was temporarily banned from public speaking and using social media.[15] Soon after the ban expired in August 2021, he returned to social media.[16]
Mranjemchoudary.com and Cloudflare hosting information
Cloudflare also protects the main Al-Qaeda-operated Rocket.Chat server, Talk.gnews.to/. In mid-April 2023 this website was down, and the error message showed that this jihadi website is also protected by Cloudflare, stating that "the origin web server is not reachable."[17] Rocket.Chat is one of the main platforms used by Al-Qaeda for its online activity, and thus the organization is heavily reliant upon Cloudflare.
Cloudflare's Terms Of Use Do Not Ban Jihadis Or Any Other Hate Groups – And The Company Defends Its Provision Of Services To Them
Cloudflare states on its website that it is "Making the Internet Work the Way It Should for Anything Online."[18] Its CEO, Matthew Prince, explained that Cloudflare "makes sites faster, we help them stay online, we stop big cyber attacks launched against them, and... a huge portion of the internet, most of our big customers, are big Fortune 500 companies."[19]
According to Cloudflare's website, the service is "one of the largest global networks" and "a trusted partner to millions." It improves website and application performance, accelerates Internet applications, secures websites and APIs, mitigates DDoS attacks, stops malicious bot abuse, augments security with threat intelligence, and more.[20] In its August 2019 registration statement with the U.S. Securities and Exchange Commission, it stated that its mission is "to help build a better Internet" and added: "We have built a global cloud platform that delivers a broad range of network services to businesses of all sizes and in all geographies—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing individual network hardware."[21]
Cloudflare.com/network
Putting revenue ahead of responsibility, Cloudflare does not, in its terms of use, ban terrorists or any other hate groups. They do, however, state that users "have not previously been suspended or removed from the Websites and Online Services." They add: "We may at our sole discretion suspend or terminate your access to the Website at any time, with or without notice for any reason or no reason at all. We also reserve the right to modify or discontinue the Website at any time (including, without limitation, by limiting or discontinuing certain features of the Website) without notice to you."[22]
They add: "Cloudflare retains the right (but not the obligation) to block content... that Cloudflare determines (in its sole discretion) to be illegal, harmful, or in violation of these Terms." This includes "content that discloses sensitive personal information, incites or exploits violence, or is intended to defraud the public."[23]
It should be mentioned that Cloudflare is continuing to grow. On February 10, 2023, Cloudflare CEO Matthew Prince announced that it had had "a most excellent 2021, capping off the year with fourth quarter revenue growth up 54% year-over-year" with "a 71% year-over-year increase in large customer growth." He added that this "was also the fifth straight year we achieved 50 percent, or greater, compounded growth."[24]
Cloudflare Has A Long History Of Assisting Neo-Nazis Online
On several occasions, Cloudflare has come under significant pressure to drop clients that disseminate hate and actively harm people, and has vigorously defended the company's decision to continue to provide services to them.
In 2016, Cloudflare was found to be providing services to the notorious neo-Nazi Andre Anglin's Daily Stormer website. Following the August 11-12, 2017 Unite the Right rally, Daily Stormer founder Andrew Anglin used the site to mock Heather Heyer, who was killed when a car driven by James Fields plowed into a crowd of counterdemonstrators, writing that she was "fat and a drain on society” because she was unmarried and childless.[25]
Daily Stormer flyers
On August 16, 2017, Cloudflare CEO Matthew Prince announced on the company's blog that the company had terminated the Daily Stormer's account, and followed that with a lengthy essay prefaced with the statement: "Now, having made that decision, let me explain why it's so dangerous."[26] Prince also wrote in an internal memo that "Literally, I woke up in a bad mood and decided someone shouldn't be allowed on the Internet" but added that "no one should have that power."[27] He said in an August 18, 2017 interview that around May of that year Cloudflare had become aware that The Daily Stormer was "going after and attacking... people who were submitting complaints about them," that "over the course of the next few months there was a series of other events that caused them to be a massive distraction to us and to our team." He added that "the tipping point for me" was when "the Daily Stormer site was bragging on their bulletin boards about how Cloudflare was one of them," adding that "life was too short to deal with jerks like this" – but that it was "important that what we did today not set a precedent."[28]
Prince in August 18, 2017 interview (Source: Cnbc.com/2017/08/18/cloudflare-ceo-we-terminated-a-neo-nazi-site-after-it-became-a-distraction.html)
Also in 2017, Cloudflare was reported to be optimizing content delivery for at least 48 hate sites across Europe. Since then, it has been serving neo-Nazi and white supremacist groups with impunity, including the 8chan website, which it removed in 2019 following public outrage after the El Paso Walmart mass shooter posted his manifesto on it.[29]
In August 2022, in response to outrage over its services to Kiwifarms, a forum that facilitated doxing, extreme harassment, and stalking, including of transgender people, Matthew Prince, co-founder and CEO, and Alissa Starzak, Vice President, Global Head of Public Policy of Cloudflare, explained on the company blog why abusive websites are eligible to receive the company's services.
The blog post stated that although some websites it serves may host abhorrent content, it would be wrong to fail to provide security services. "Just as the telephone company doesn't terminate your line if you say awful, racist, bigoted things, we have concluded in consultation with politicians, policy makers, and experts that turning off security services because we think what you publish is despicable is the wrong policy," However, in the face of continuing pressure, Cloudflare dropped Kiwifarms as a client the following month.[30]
In 2017, Cloudflare even became known for turning over to neo-Nazi and other hate sites that it hosted the personal information of anyone protesting to Cloudflare for hosting this content. Per its policy, Cloudflare would then relay the name and email address of the person complaining to the offending site itself. This, naturally, led to campaigns of harassment against those writing in to protest the offensive material. Andrew Anglin, the owner of the Daily Stormer, which, as noted, was for years hosted by Cloudflare, wrote about such complaints in a December 2016 post on the site: "We need to make it clear to all of these people that there are consequences for messing with us." He then posted contact information of people who complained that had been passed on to him by Cloudflare.[31] Following media coverage of this situation, Cloudflare announced that it planned to allow people, under certain circumstances, such as in the case of threats and child sexual abuse material, to complain anonymously, and that it would be more selective in its decisions to share with its clients the personal information of people who reported objections.[32]
Neo-Nazi And White Supremacist Websites – As Well As Jihadis – Are Protected By Cloudflare Today
Just as jihadi organizations found a safe haven with Cloudflare, so too have neo-Nazis and white supremacists. In 2020, MEMRI published an in-depth report with these findings, Cloudflare, The U.S.-Based Leading Reverse-Proxy Service, Is Exploited By Numerous White Supremacists And Neo-Nazis.
One leading white supremacist with a website currently served by Cloudflare is white supremacist Nick Fuentes, who shot to fame in late 2022 when he accompanied Kanye West to a dinner at Donald Trump's Mar-a-Lago and who later apparently encouraged West's descent into violently conspiratorial antisemitism. His Cozy.tv, a video-sharing and live-streaming platform, hosts high-profile extremists (more information on this later in this report).
Nick Fuentes's Cozy.tv
In addition to Stormfront and Cozy.tv, Cloudflare is being used by the most virulent neo-Nazi and white supremacist groups and platforms. It is known to be hosting Gab, the social media platform widely favored by hate groups, as well as Alex Jones' Infowars, the video-sharing platform Bitchute which is widely popular among extremists and conspiracy theorists, 8chan successor 4chan, the virulently anti-black Chimpmania, the former KKK Grand Wizard's DavidDuke.com, the U.S. white supremacist Patriot Front, the white nationalist and antisemitic Vanguard News Network, and many others.
Other hate organizations and individuals protecting their websites with Cloudflare are the Nation of Islam – noi.org – and kanyewest.com.
Noi.org, accessed January 30, 2023; Who.is/whois/noi.org
Who.is/whois/kanyewest. Com
The MEMRI Cyber & Jihad Lab Shows How Easy It Is To Have Extremist Websites Protected By Cloudflare
Registering a neo-Nazi website for Cloudflare services is easy. For the "Ilovehitler.org" website, created by the MEMRI Cyber & Jihad Lab expressly in order to demonstrate this (and deactivated immediately thereafter), the CJL carried out the following steps:
MEMRI Meets With Cloudflare And Offers To Assist It With Tackling Extremists Using Its Services – And Is Ultimately Ignored
In 2020, I briefed Cloudflare's head of public policy on MEMRI research, with a focus on jihadi terrorism and on our newly launched project on neo-Nazi and white supremacist extremism, and how our research could help the company stop hosting jihadi content in Arabic of which they might not be aware or be unable to recognize. We also stressed that we could also keep them up to date on domestic extremism.
This briefing came nearly two years after the publication of a MEMRI study in December 2018 on Cloudflare's use by every major jihadi organization,[33] about which Cloudflare had been informed. During these two years, there had been considerable media coverage of Cloudflare's hosting many different types of extremist groups, and MEMRI had reached out to the company to offer its assistance. This outreach was part of our longstanding policy to initiate contact with tech companies to help them identify terrorist content and offer advice and strategies to tackle it.
I was optimistic about what would happen from this meeting, but it proved to be very disappointing. At the meeting, the Cloudflare official expressed interest in removing this extremist content, and it was agreed that we would send them tips and alerts on an ongoing basis regarding extremists – including designated terrorists – using Cloudflare Tips that we sent included research on jihadi use of bots as well as information on the use of Cloudflare by David Duke, the American white supremacist and former Grand Wizard of the Ku Klux Klan; Stormfront, Nazi forum; and BitChute, the video hosting platform with massive amounts of neo-Nazi and white supremacist content. During the first few months, the company responded, and we thought this content would be removed. However, after a time, we no longer received responses, and we saw that no action was ever taken.
Government And Industry Can Pressure Cloudflare To Stop Hosting Hate Sites
A major question that needs to be asked is how Cloudflare, which protects designated terrorist groups, now assists the U.S. government and is even tasked with providing it with cybersecurity services. CEO Matthew Prince himself is a member of the Council on Foreign Relations.[34]
In September 2022, Cloudflare announced that 26 venture capital firms were partnering with it, with a $1.25 billion investment.[35] Additionally, Cloudflare has become deeply involved with enterprises across the U.S., and is authorized to help the U.S. government. In March 2022, the company announced that it would provide four months of free services to U.S. hospitals and utilities to prevent Russian hacking attempts against them, in light of the outbreak of the Russia-Ukraine war. The offer was in response to security concerns raised by the U.S. government.
In December, Cloudflare announced that it had achieved Moderate Status in the U.S. Federal Risk and Authorization Management Program (FedRAMP). It wrote on its blog that this "reinforces Cloudflare's commitment to the Public Sector and the U.S. federal agencies, U.S. state and local governments and the Defense Industrial Base (DIB)" and that it "supports these critical organizations as they aim to provide a faster and safer online experience for constituents, secure remote workforces, and protect network and critical infrastructure."
Cloudflare also partners with other leading tech companies; on January 10, 2023, the major American software company Palantir announced its strategic partnership with Cloudflare, and two days later, Cloudflare announced "an expansion of its relationship with Microsoft." In early November 2022, with nearly $254 million in revenue,[36] it announced that it could achieve an annual revenue run rate of $5 billion over the next five years.[37]
The federal government, the tech industry, these VC firms, and others who are deeply involved with Cloudflare need to know that the company is providing services for hate. Although it appears that the more power Cloudflare has the less responsible it needs to be, these entities are actually in a good position to pressure the company to stop providing services to support hate and terror. Additionally, Cloudflare stock is traded on the New York Stock Exchange, which should be informed that the platform is supporting and hosting websites of hate groups and designated terrorist organizations. This is not to mention that the hundreds of diverse Cloudflare employees would also likely not be happy to learn that the company is serving terrorists and extremists.
One way to prompt Cloudflare to become proactive and change it policies so that it stops protecting this hatred and extremism is through government officials' parallel activity fighting extremism. The same month that Cloudflare announced its Moderate Status with FedRAMP, in December 2022, Second Gentleman Doug Emhoff convened, at the White House, a roundtable discussion on antisemitism, at which he stressed the "epidemic of hate facing our country" and the "rapid rise in antisemitic rhetoric and acts." He added: "People are no longer saying the quiet parts out loud. They are literally screaming them."[38]
More significantly, on May 25, President Biden unveiled his administration's "whole of society" plan to combat antisemitism, billing it as the "most ambitious and comprehensive U.S.-government-led effort to fight antisemitism in American history." According to officials, the plan includes "10 separate calls to tech companies to establish a zero-tolerance policy for hate speech on their platforms to ensure that their algorithms do not pass along hate speech and extreme content to users, and to listen more closely to Jewish groups to better understand how antisemitism manifests itself on their platforms."[39]
It should be emphasized to Cloudflare how much of this hate content it is protecting and that continuing to provide services to these extremists will endanger its work with the government. It should be made clear to Cloudflare that if it does not take action, it could be barred from working with the government in cybersecurity issues.
Cloudflare's provision of services to terrorists and neo-Nazis should mean that its seat at the table is removed until it no longer these services to these entities. This is part of a larger debate on industry standards that must be held also in the tech industry about industry standards.
About This Report
This report details the many websites and platforms used by and belonging to neo-Nazis and white supremacists around the world to which Cloudflare provides cybersecurity services. They include video-hosting websites, social media platforms, message boards, websites selling merchandise, and websites promoting virulently racist ideologies. As of January 2023, all websites in the report were active and protected by Cloudflare over the preceding year, unless otherwise noted.
YOU MUST BE SUBSCRIBED TO THE MEMRI DOMESTIC TERRORISM THREAT MONITOR (DTTM) TO READ THE FULL REPORTS. GOVERNMENT AND MEDIA CAN REQUEST A COPY BY WRITING TO DTTMSUBS@MEMRI.ORG WITH THE REPORT TITLE IN THE SUBJECT LINE. PLEASE INCLUDE FULL ORGANIZATIONAL DETAILS AND AN OFFICIAL EMAIL ADDRESS IN YOUR REQUEST. NOTE: WE ARE ABLE TO PROVIDE A COPY ONLY TO MEMBERS OF GOVERNMENT, LAW ENFORCEMENT, MEDIA, AND ACADEMIA, AND TO SUBSCRIBERS; IF YOU DO NOT MEET THESE CRITERIA PLEASE DO NOT REQUEST.