Pages

Tuesday, May 09, 2017

How can Cloudflare continue to protect terrorist group websites under US law?

In 2012, I reported that Cloudflare, a company that protects websites from denial of service attacks, was protecting Hamas websitesm which appears to be a violation of the US Patriot Act.

EoZ readers created enough of a stir that Reuters interviewed Cloudflare, where they defended their decision on freedom of speech grounds. Cloudflare's CEO, Matthew Prince, claimed that the company wasn't doing anything wrong: "We're not providing material support for anybody. We're not sending money, or helping people arm themselves."

The words "material support" are important, because that is what is prohibited to give to terrorists under the US Patriot Act. But the Patriot Act itself defines what "material support" is:

The term “material support or resources” means any property, tangible or intangible, or service, including currency or monetary instruments or financial securities, financial services, lodging, training, expert advice or assistance, safehouses, false documentation or identification, communications equipment, facilities, weapons, lethal substances, explosives, personnel (1 or more individuals who may be or include oneself), and transportation, except medicine or religious materials.
The way that Cloudflare works is that all traffic that is meant to go to these websites first goes through Cloudflare servers which decide if it is legitimate or not, and then it gets passed through to the actual website. This means that Cloudflare is providing communications equipment and services, as well as intangible property and facilities in the form of a front end to the target webservers. Their technical support teams may even be considered "personnel" under this definition if they ever work together the webmasters of terrorist organizations.

ProPublica had an article on Cloudflare recently that concentrated on a different topic: Cloudflare would provide personal information of people who complained about various white supremacist organizations to the organizations themselves, which then proceeded to harass the complainants mercilessly.

However, the article also said:
In 2015, the company came under fire from the hacker collective Anonymous for reportedly allowing ISIS propaganda sites on its network. At the time, Prince, the company’s CEO, dismissed the claim as “armchair analysis by kids,” and told Fox Business that the company would not knowingly accept money from a terrorist organization.
[CloudFlare counsel Doug] Kramer, in an interview with ProPublica, reiterated that the company would not accept money from ISIS. But he said that was not for moral or ethical reasons. Rather, he said, Cloudflare did not have dealings with terrorists groups such as ISIS because there are significant and specific laws restricting them from doing so.
The same laws that prohibit Cloudflare from giving services to ISIS are the ones that prohibit it from providing services for Palestinian terror groups.

And Cloudflare protects Hamas website Hamas.ps, the English site of the Al Qassam Brigades as well as the Arabic site, the website of Islamic Jihad's Al Quds Brigades, the Popular Front for the Liberation of Palestine site, and the Nedal Brigades website of the Al Aqsa Martyrs Brigades. (Look up the Name Server section of each of the WHOIS links provided to see for yourself that CloudFlare protects these sites.)

All of these are designated foreign terrorist organizations by the US State Department.

The penalty is $50,000 per violation, and arguably every single time someone surfs to a terrorist website and Cloudflare intercepts and inspects the traffic it is a separate violation (a "service") - which would be billions of dollars in fines.

So why has Cloudflare not been fined by the US for what appears to be clear violations of the Patriot Act?

(h/t Ben)



We have lots of ideas, but we need more resources to be even more effective. Please donate today to help get the message out and to help defend Israel.