At CloudFlare, we have a Trust & Safety team dedicated to dealing with the abuse of our network. We sit in front of more than 2 million sites. The vast majority of them are not controversial (the site you're reading this on, for instance), but some are not.
The majority of the abuse requests we receive are DMCA requests, but we get other reports as well. Dealing with these requests is a hard problem because a large number of the abuse requests we receive turn out to be attackers trying to get the origin IP in order to circumvent our protection. As I've blogged about before (http://blog.cloudflare.com/thoughts-on-abuse), we've designed an abuse system that attempts to act as a proxy: passing abuse requests to the customer and their host without exposing the customer's origin to attack.
Malware is one of the situations where we'll actually take content down because it is, per se, harmful. However, we also don't think terminating the customer who has malware hosted on their site is a good solution. Since we're a proxy, terminating the customer doesn't remove the malware from the Internet but instead just kicks the problem down the road to the host. Instead, we developed a system that replaces the infected URLs with a warning page to protect users. This has the ancillary benefit when a site is being used for botnet command and control of allowing us to gather data on machines that make up the botnet. This data is fed back into our system in order to better protect our customers and we're talking other organizations about a way of responsibly sharing this data.
Our Trust & Safety team works with trusted malware reporters regularly, including the team at Microsoft that handled the no-ip.com takedown. We will continue to adjust our process to walk the careful line between ensuring our network isn't causing per se harm while, at the same time, avoiding the risk of becoming a censor.
Sure. Pardon the copy-and-paste reply, but it's a perfect opportunity for me to publish up a draft blog post I wrote half a year ago in anticipation of a Brian Krebs post on the topic of Booter sites. Brian's article didn't turn out nasty enough to warrant a response, but I've had the post sitting around in by drafts folder for a while and it addresses your points as well.
========
Why a Hunger Games-Like Vision for the Internet is Wrong
Earlier this afternoon Brian Krebs, a well-respected security writer, published a story which, in part, calls for CloudFlare to censor the websites of a handful of our users [http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...]. These websites are known as "booter" sites. The sites claim to offer point-and-click DDoS services. The thrust of Brian's argument is that CloudFlare is a hypocrite for allowing these sites that advertise DDoS services to be protected by our network while, at the same time, offering as a core feature the ability to stop DDoS attacks.
Brian acknowledges that there's a bit more nuance to the argument. He understands that CloudFlare is not a hosting provider and that terminating any customer wouldn't make the content of the booter sites go away, it would just make them slower and more vulnerable to attack. He also acknowledges that no attack traffic actually originates from CloudFlare's network. His assumption, which we discussed at length before he published the article, is that if CloudFlare weren't in the equation then the booter sites would simply DDoS each other into oblivion.
Stop for a second and think about that: Brian is arguing for a Hunger Games-like vision of the Internet. It's the functional equivalent of if the police stopped prosecuting crimes committed against people they suspected to be criminals.
Brian is not the first person to make this argument and he won't be the last. A few weeks ago Kayne West's attorneys contacted CloudFlare insisting that we terminate protection for a customer they said was causing irreparable harm to their client: the parody crypto currency called Coinye. Ken Carter, our legal counsel, explained to Mr. West's lawyers that terminating the Coinye CloudFlare account wouldn't make it go away, it would just make it more vulnerable to attack. They thought that would be terrific. Ken respectfully disagreed.
CloudFlare's mission is to build a better Internet. Inherently there is content on our network that I find distasteful or even harmful. In the past, we've been called to task by other journalists [http://blog.cloudflare.com/cloudflare-and-free-speech] for allowing controversial websites to use our network. There is currently a campaign that has gathered over 22,000 signatures [http://www.change.org/petitions/matthew-prince-remove-chimpm...] for us to terminate the account of what I consider a horribly racist and distasteful website.
While I, personally, agree that the site the petition was started over is truly awful, I don't believe my personal opinion of what is good or bad content should be what governs what is allowed online. If CloudFlare succeeds, even in small part, at building a better Internet, inherently we must honor and respect one of the Internet's greatest qualities: that it is a network open to anyone.
Note that this isn't everyone's policy. Amazon, for instance, terminated Wikileak's account after political pressure [http://www.theguardian.com/technology/2010/dec/11/wikileaks-...]. More recently an article circulated that they were censoring books where people fantasized about having sex with dinosaurs [http://observationdeck.io9.com/amazon-now-at-war-with-dinosa...]. Other CDN providers are notorious for taking content offline at the first hint of pressure. We don't do that, even when the pressure comes from someone we truly respect like Brian. Fundamentally, we won't play the role of the Internet's morality cops. It's above our pay grade.
Booter sites, you may argue, are different. But the key question is where do you draw the line. If a site says you can push a button and launch an attack should we take that down? What about one that has a phone number you can call? Or gives you instructions on launching the attack yourself? CloudFlare is many things, but one thing we are not is the Internet cops.
Don't get me wrong, we don't believe in a lawless frontier. While we believe deeply in principles of due process and will push back against what we deem abusive legal requests [http://blog.cloudflare.com/fighting-back-responsibly], ultimately if ordered by a court through valid legal process we will comply. While booter sites may be successful at using us to protect their content from being knocked offline by a DDoS attack, they will not be successful at using us to hide from law enforcement if they are breaking the law.
Brian and I have known each other for almost a decade. He left the Washington Post and started Krebs On Security around the same time as we were launching CloudFlare. I actually tried to hire him back then. Thankfully he didn't accept the offer because he has become one of the leading security journalists writing anywhere today. He breaks important stories, which is something we need in the security space.
On this issue, I respect Brian's opinion but think he's ultimately wrong, That said, I have no problem with him fostering the debate. I think the discussion is hard, but it is healthy and important. To that end, if there are any large security or technology conferences that would like to host such a debate between me and Brian on stage, just let me know when and where and I'm in.
First off, thankyou for a detailed and well laid out post.
I do however think that there is a material difference between hosting unpleasant speech (to which the counter is speech pointing out that the speaker is wrong/idiotic/etc) and hosting malware/botnet sites (to which the counter is... what? what IS the counter to a sufficiently large botnet? ultimately we all have a limit at which point we can receive no more traffic. You might not have hit it - yet - but you will).
The internet - as you are aware - is based on protocols not designed with any significant security in mind. No-one in their right mind would today sit down and design something like BGP, for example. With that in mind, any large provider (or large consumer with capability to cause harm) has the responsibility to be a good citizen of the internet, and not to (by action or inaction) advance the agendas of those who would see its demise. As much as it might be convenient from an operational POV, and justifiable from a moral POV, washing your hands of responsibility and saying "It's not up to us, it's up to the courts" just doesn't work when the infrastrucure we're all building on is so very fragile.
I'd also like to note that there's a semi-hidden US bias here - what if the target of a botnet, who's admin interface is hosted by CF - is based in a country where there is no reasonable ability to recourse to the US courts? Iran, for example?
It's admirable that you do not censor content in response to political pressure, but there IS a difference between protecting freedom of speech and protecting malware, and saying that censoring the malware is a slippery slope is at least partly disingenuous - any vaguely controversial decision can be described as a slippery slope to something else.
Please at least consider making it easier for those of us who are trying to fight malware, botnets, etc, etc to get the original source of the content. I know this will involve some human judgement, and invetiably some mistakes and poor descions - but that would still in my view be far prefferable to what we have now. Thanks.
(Sorry I'm just responding to all this now, 15 hours later)
> Malware and sites advertising so-called "booter" services are different discussions.
There's an important distinction here. You refer to "sites advertising so-called "booter" services." However, with the kind of sites I speak of, "sites providing so-called "booter" services" would be a better description. They aren't just advertising it; enter a valid username and password, enter an IP, click the "attack" button and an attack is launched, all from that single site.
Malware, phishing, and booters have two things in common: they have far-reaching effects (that is, they affect other, unrelated/unwilling people) and they are not in any way good for the target of the effort. Malware is only good for the operator who benefits from the keylogger, showing ads, or whatever; phishing is only good for the operator who benefits from the stolen information; booters are only good for the booter operator (who profits from selling it) and for the user who paid for it to attack a target. Based on that, it's difficult for me to see the difference between the harmfulness of any of these.
In your post, the standard you applied to malware and phishing was "harmfulness" (in your opinion). I agree with that standard, and I think you'll be hard-pressed to find a single person who agrees that any of these three issues are not harmful. So, in your opinion, what makes booters less harmful than malware and phishing sites, which you are willing to take offline?
Censorship is a slippery slope, indeed. But I think it is generally accepted that _some_ basic level of what is effectively censorship, is a necessary evil for the health of the Internet. For example, malware and phishing sites, as you mentioned; spam; DDoS attacks. That's why laws exist in so many jurisdictions to prohibit all of these, and why the AUP of every single reputable ISP in existence prohibits them. This isn't uncharted territory, this isn't something new CloudFlare is just getting into - the industry standard (and legal standard) is to prohibit all of these.
I find it interesting he never responded to this. He was on the site the next day, so he must have seen your comment.
His refusal to remove booter sites from CloudFlare is completely indefensible. Any attempt on his part to suggest otherwise can only be interpreted as evidence of guilt. There is no possible arrangement of words which can make it okay.
What makes a site hosting malware per se harmful, and how can you consider malware per se harmful while booters avoid being classified identically? Malware is illegal and obviously a detriment to the internet, as are booter services. Perhaps you're just willing to deal with malware so you don't end up in the same boat as No-IP did here.
Booter services are so incredibly common that the police aren't going waste their time on them, especially since once the cops get the real IP from your convenient obfuscation service, it's likely hosted in China, Russia, or some other country where no action will be taken.
> Booter sites, you may argue, are different. But the key question is where do you draw the line. If a site says you can push a button and launch an attack should we take that down? What about one that has a phone number you can call? Or gives you instructions on launching the attack yourself? CloudFlare is many things, but one thing we are not is the Internet cops.
That is incredibly disingenuous. It's simple: if you knowingly facilitate an illegal service on your site, your service gets terminated. Every other reputable CDN and hosting provider can figure this out but somehow you can't? Give me a break.
He appears to choose to let the decision as to whether they 'knowingly facilitate an illegal service' be taken by law enforcement rather than by Cloudflare.
So I don't see anything disingenuous whether you disagree or not.
Trust & Safety maybe, but it's still impossible to use CloudFlare in Russia, due to harboring some drug-selling websites at your services. ISPs ban them by IP, and taking whole subnetworks of websites that reside on the same IP down with them too.
As much as I love your services, it's not possible to use them here, and ministry of communication even issued a recomendation not to use your services due to your unresponsiveness about takedown requests.
The majority of the abuse requests we receive are DMCA requests, but we get other reports as well. Dealing with these requests is a hard problem because a large number of the abuse requests we receive turn out to be attackers trying to get the origin IP in order to circumvent our protection. As I've blogged about before (http://blog.cloudflare.com/thoughts-on-abuse), we've designed an abuse system that attempts to act as a proxy: passing abuse requests to the customer and their host without exposing the customer's origin to attack.
Malware is one of the situations where we'll actually take content down because it is, per se, harmful. However, we also don't think terminating the customer who has malware hosted on their site is a good solution. Since we're a proxy, terminating the customer doesn't remove the malware from the Internet but instead just kicks the problem down the road to the host. Instead, we developed a system that replaces the infected URLs with a warning page to protect users. This has the ancillary benefit when a site is being used for botnet command and control of allowing us to gather data on machines that make up the botnet. This data is fed back into our system in order to better protect our customers and we're talking other organizations about a way of responsibly sharing this data.
Our Trust & Safety team works with trusted malware reporters regularly, including the team at Microsoft that handled the no-ip.com takedown. We will continue to adjust our process to walk the careful line between ensuring our network isn't causing per se harm while, at the same time, avoiding the risk of becoming a censor.
Matthew Prince / Co-founder & CEO, CloudFlare