Terrorist groups have continued to use protection from a San Francisco-based web security company to ward off attacks from anyone trying to cut off their propaganda, but the company maintains that it won’t be screening customers’ web content unless faced with “valid legal requests.”
Hackers involved in the effort to take down propaganda outlets of ISIS, al-Qaeda and similar groups charge that CloudFlare is one of the most uncooperative tech companies when it comes to stopping online terrorism.
On one July weekend, PJM captured four different extremist websites using CloudFlare to protect against Distributed Denial of Service (DDoS) attacks: Amaq Agency, an ISIS-affiliated newswire site that releases claims for various attacks and posted bloody photos of July’s Dhaka cafe attack as it was unfolding; Isdarat, essentially a YouTube for ISIS; another site that served as a comprehensive ISIS propaganda catalog with videos, audio and photos; and the Taliban’s English-language site. This was the CloudFlare protection screen on an Amaq Agency site:
In November, CloudFlare CEO Matthew Prince fired back against Anonymous hackers who said it was “shameful” that CloudFlare was continuing to give terror groups unfettered online protection.
“I did see a Twitter handle said that they were mad at us,” Prince told The Register, an IT industry site. “I’d suggest this was armchair analysis by kids – it’s hard to take seriously. Anonymous uses us for some of its sites, despite pressure from some quarters for us to take Anonymous sites offline.”
PJM reached out to CloudFlare in July, citing the sites witnessed using the company’s DDoS protection, to ask if there was any change in the company’s stance on providing services to terrorist groups.
“CloudFlare is not a host — we do not control the content on a site,” spokeswoman Daniella Vallurupalli replied. “That said, terminating a customer wouldn’t actually remove the content from the Internet. CloudFlare has millions of customers — and the vast majority of CloudFlare users utilize the automated self-service plan. As such, we do not manually review every individual website that signs up (about 8,000+ customers sign up a day).”
“That said, CloudFlare complies with all valid U.S. court orders and we work with law enforcement authorities and honor valid legal requests,” she added.
Prince told Fox Business Network in November that the company ran a list of dozens pf sites Anonymous hackers said were connected to terrorism — and protected by CloudFlare — past “law enforcement organizations.”
“We were quite surprised, not only to not have any orders to take any of the sites offline, but to see that actually a lot of the sites that Anonymous had identified actually weren’t related to ISIS at all,” Prince said. “Some were Chechnyan rebel sites, some were Kurdish sites, some were Palestinian sites.” The caliphate has drawn its share of Chechen rebels, including the infamous Batirashvili brothers.
The CEO suggested that the hackers just had “a beef to pick with us… because we’re really good at stopping denial-of-service attacks.”
Vallurupalli told PJM that Prince’s interview “continues to be our stance on the matter.”
PJM asked the FBI if federal authorities have ever asked CloudFlare to cease providing technical protection to terrorist groups. An FBI spokesman said he “cannot comment… at this time.”
The list of ISIS sites was published by GhostSec hacktivists in April “to show the world that the Islamic State is everywhere in some shape or form and that companies are unaware of their customers’ content or they turn a blind eye for easy profit and choose to accept blood money.”
“CloudFlare is by far the largest offender on this list and they have been made aware of the specified content they are protecting but chose to block us from contacting them rather than addressing the issue,” GhostSec added.
GhostSec pasted a list earlier this year of radical Islamist sites using CloudFlare, including Hizb ut-Tahrir chapters in the United States and Britain.
In a June post detailing online services supporting ISIS websites, hacktivist group BinarySec noted that CloudFlare “continues to be the #1 choice for ISIS site DDoS protection.”
BinarySec told PJM that they first “always go to the company and usually they are pretty good about removing it.”
“However, there are a handful of companies who refuse to remove it. So we just continuously [denial-of-service attack] the website until they do.”
A BinarySec operative going by the name Zombie Ghost said the group does “work through official channels where we can.”
“We have actually developed some good working relationships with some web hosts and they will take down material we identify quickly. There are other content delivery services like CloudFlare who have made public statements they will not remove ISIS materials and in these cases we have to look at alternative methods,” Zombie Ghost said.
BinarySec has also highlighted U.S. companies WordPress as “completely non-responsive to most abuse notifications” and Piradius Hosting as continuing “to give services to ISIS websites.”
Some #OpISIS hackers have added #OpCloudFlare to their online operations:
— Rellf (@Rellf_) May 31, 2016
In mid-July, Undersecretary of State for Public Diplomacy and Public Affairs Richard Stengel told a House Foreign Affairs Committee hearing on the virtual caliphate that tech companies “have stepped up their efforts at our behest” to remove and counter Islamic State propaganda online.
That program was revamped with the January launch of the Global Engagement Center. Stengel touted partnerships with tech companies such as Facebook and Twitter to ensure their platforms aren’t “polluted with this kind of noxious content” from terrorist groups.
“I think that tech companies are really aggressive in this space in ways that people don’t always realize,” Stengel said.
PJM asked CloudFlare if they were involved with the State Department’s GEC program. Vallurupalli replied that the company has “participated in a number of events on this topic,” including a January closed-door meeting in Silicon Valley between tech company leaders and FBI Director James Comey, Director of National Intelligence James Clapper and NSA Director Adm. Michael Rogers.
A State Department spokeswoman told PJM that she had “no information to share” on whether CloudFlare was involved with the GEC or not.
In January 2015, Flashpoint Intel co-founder Evan Kohlmann told the House Foreign Affairs Subcommittee on Terrorism, Nonproliferation, and Trade that CloudFlare “in essence serves as gatekeeper to control the flow of visitors to given sites and to verify that those visitors have a legitimate purpose in visiting them” and at the time was being utilized by two of ISIS’ top three chat forums.
“Without such protection from CloudFlare, these sites would almost certainly succumb to the same relentless online attacks that have completely collapsed several major jihadi web forums over the past two years,” Kohlmann said.
He cited Prince, after being contacted by journalists about CloudFlare guarding terrorist websites in 2013, saying it would not “be right for us to monitor the content that flows through our network and make determinations on what is and what is not politically appropriate — frankly, that would be creepy.”
The CloudFlare CEO also said, “A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain.”
Kohlmann noted that “even as one who has repeatedly advocated leaving jihadi forums online in order to study those who use them,” there should “be a careful assessment of the potential negative policy impacts of leaving ISIS recruitment platforms online and unmolested in light of the recognition that Western security services are abjectly failing to track, identify, and stop all of those who are using these sites.”
“Permitting U.S. commercial interests to simply ignore vital national security concerns and earn profits from consciously providing high-tech services to banned terrorist organizations is not an acceptable legal framework in the 21st century,” he said.