Cloudflare Enables Miscreants

Matthew Prince, founder and CEO of Cloudflare

CloudFlare provides security, a CDN-like service, high-level compression and web content optimization, according to Web Host Industry Review.

Cloudflare says

On average, a website on CloudFlare ...
... loads twice as fast
... uses 60% less bandwidth
... has 65% fewer requests
... is way more secure
All for free!

Because Cloudflare reduces bandwidth usage, obscures which company actually hosts a website and offers its basic services for free, it has become popular among low-budget websites with controversial content.

An endorsement by Cloudflare's most infamous client to date, Lulzsec, helped fuel a rapid growth that in turn helped them secure an additional US$20 million in funding. Lulzsec's webmaster and spokesman, Jake Davis, was arrested on July 28, 2011 and charged with crimes relating to Lulzsec's activities. Their website was used to host documents obtained by stealing databases and other files from servers they had compromised through SQL injection or zero-day exploits.
Cloudflare has a comprehensive terms of use policy that would seem to preclude their providing services to Lulzsec and similar sites. It states in part:

SECTION 11: PROHIBITED USES

You shall not post, transmit, retransmit, cache, or store material on or through CloudFlare's Service which, in the sole judgment of CloudFlare (a) is in violation of any local, state, federal, or foreign law or regulation, (b) is threatening, obscene, indecent, defamatory, or that otherwise could adversely affect any individual, group, or entity (collectively, "Persons"), or (c) violates the rights of any Person, including rights protected by copyright, trade secret, patent, or other intellectual property or similar laws or regulations including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for Your use. You agree that you will NOT knowingly use the Service, among other things, to:
  1. upload, post, transmit, or otherwise make available any content that is unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another's privacy, hateful, or racially, ethnically, or otherwise objectionable;
  2. harm minors in any way;
  3. impersonate any person or entity, including but not limited to a CloudFlare official, forum leader, guide, or host, or falsely state or otherwise misrepresent your affiliation with a person or entity;
  4. forge headers or otherwise manipulate identifiers in order to disguise the origin of any content transmitted through the Service;
  5. upload, post, transmit, or otherwise make available any content that You do not have a right to make available under any law or under contractual or fiduciary relationships (such as inside information, proprietary, and confidential information learned or disclosed as part of employment relationships or under nondisclosure agreements);
  6. upload, post, transmit, or otherwise make available any content that infringes any patent, trademark, trade secret, copyright, or other proprietary rights of any party;
  7. upload, post, transmit, or otherwise make available any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes," or the like;
  8. upload, post, transmit, or otherwise make available any material that contains software viruses or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment;
  9. interfere with or disrupt the Service or servers or networks connected to the Service, or disobey any requirements, procedures, policies, or regulations of networks connected to the Service;
  10. intentionally or unintentionally violate, attempt to violate, or avoid any applicable ICANN regulation or policy;
  11. intentionally or unintentionally violate any applicable local, state, national or international law, including, but not limited to, regulations promulgated by the U.S. Securities and Exchange Commission, any rules of any national or other securities exchange, including, without limitation, the New York Stock Exchange, the American Stock Exchange, or the NASDAQ, and any regulations having the force of law;
  12. provide material support or resources (or to conceal or disguise the nature, location, source, or ownership of material support or resources) to any organization(s) designated by the United States government as a foreign terrorist organization pursuant to section 219 of the Immigration and Nationality Act;
  13. "stalk" or otherwise harass another; or
  14. promote or provide instructional information about illegal activities, promote physical harm or injury against any group or individual, or promote any act of cruelty to animals. This may include, but is not limited to, providing instructions on how to assemble bombs, grenades, and other weapons, and creating "Crush" sites.

SECTION 14: TERMINATION

CloudFlare's policy is to investigate violations of these Terms of Service and terminate repeat infringers. You agree that CloudFlare may, under certain circumstances and without prior notice, immediately terminate your CloudFlare account, any associated email address, and access to CloudFlare.com and associated Services. Cause for such termination shall include, but not be limited to: (a) breaches or violations of the Terms of Service or other incorporated agreements or guidelines; (b) requests by law enforcement or other government agencies; (c) a request by you (self-initiated account deletions); (d) discontinuance or material modification to the Service (or any part thereof); (e) unexpected technical or security issues or problems; (f) extended periods of inactivity; (g) you have engaged or are reasonably suspected to be engaged in fraudulent or illegal activities; (h) having provided false information as part of your account; (i) having failed to keep your account complete, true, and accurate; (j) any use of the Service deemed at CloudFlare's sole discretion a Prohibited Use as defined above; and/or (k) nonpayment of any fees owed by you in connection with CloudFlare.com and associated Services. Further, you agree that all terminations for cause shall be made in CloudFlare's sole discretion and that CloudFlare shall not be liable to you or any third-party for any termination of your account, access to the Service, or any disruption to your services such a termination may cause. You expressly agree that in the case of a termination for cause you will not have any opportunity to cure. You further acknowledge and agree that notwithstanding any termination, your obligations to CloudFlare set forth in Sections 9, 10, 11, 12 and 13 shall survive such termination.

When asked about Lulzsec's use of their services, Cloudflare CEO Matthew Prince gave a standard response that is now used corporate-wide:

"It's interesting to have public enemy number one using our service but it is important to note that we are not the hosting provider; we're much more similar to something like a network provider where traffic is passing through us and we're not actually storing any of the data," Prince says. "Importantly, if we were to kick them off of our network that wouldn't take the content off the Internet it would just be a little bit slower."
I asked Cloudflare's abuse response team by email if they have ever enforced their terms of service. They responded with the non sequitur:

We are not a web host and we don't censor content on the internet. Even if we remove a site from CloudFlare it doesn't remove the content from the internet in any way, shape, or form. When a complaint comes in we provide the direct IP to the site in question so that the person with the complaint can take their complaint directly to the web host of the site -- the only people who can ACTUALLY remove the site and its content from the internet. We comply with every complaint that we receive.

I replied and reiterated my question, and it was ignored.

Later, The Whir reported from HostingCon that Prince said,

"… the LulzSec website had 18 million legitimate page views over 23 days. LulzSec had seven different hosts over 23 days, initially in Montreal. He says the other hosts were based in Malaysia, several US-based hosts, and ultimately had a German hosting provider."
The obvious implication, which escapes Mr. Prince, is that the lulzsecurity.com site would have had a very hard time staying online if they weren't hiding behind CloudFlare.