Cloudflare’s recent decision to deny its services to KiwiFarms – a site notorious for allowing its users to run harassment campaigns against trans people – is likely to lead to more calls for infrastructure companies to police the discourse on line. While EFF would shed no tears at the loss of KiwiFarms (which is still online as of this writing), Cloudflare’s decision again raises fundamental, and still unanswered, questions about the role of these companies in the definition of who can and cannot speak online. .
The platform followed a campaign demanding that Cloudflare start the site from its services. At first the company refused, but then, just 48 hours later, Cloudflare removed KiwiFarms from its services and issued a statement outlining their justifications for doing so.
While this recent incident serves as a particularly pointed example of the content-based interventions that infrastructure companies are increasingly making, it’s not the first:
- In 2017, GoDaddy, Google and Cloudflare cut of services for the neo-Nazi site Daily Stormer after the site published a vitriolic article about Heather Heyer, the woman killed at the Charlottesville rally. Following the incident, Cloudflare CEO Matthew Prince made famous declared“Literally, I woke up in a bad mood and decided that someone shouldn’t be allowed on the internet. No one should have this power.
- In 2018, Cloudflare preventively services denied to Switter, a decentralized platform by and for sex workers to securely connect with and review clients. Cloudy blamed the decision on the company’s “attempts to understand FOSTA”, the anti-trafficking law that had broad implications for sex workers and online sexual content more generally.
- In 2020, as Covid lockdowns made in-person events largely untenable, Zoom declined to support virtual events at three different universities, apparently because one of the speakers—Leila Khaled— was involved in hijackings fifty years ago and is associated with an organization the US government has labeled a “terrorist.” The company had previously canceled services for activists in China and the United States relating to commemorations of the Tiananmen Square massacre, citing compliance with Chinese law.
- In 2022, at the start of the Russian invasion of Ukraine, governments around the world internet service providers under pressure to block state-sponsored content by Russian media, while Ukraine has reached out to RIPEone of five regional registries for Europe, the Middle East and parts of Central Asia, asking the organization to revoke IP address delegation to Russia.
These withdrawals and requests raise thorny questions, especially when providing services to one entity risks harming others. If it is not possible to intervene in a necessary and proportionate way, as required by international human rights standards, let alone in a way that is completely transparent to users who rely on the Internet to access information and get organized, should providers intervene voluntarily? Should there be exceptions in case of emergency? How can we better identify and mitigate collateral damage, especially for less powerful communities? What happens when state actors demand similar interventions?
Spoiler: this article will not answer all these questions. But we’ve noticed that many makers, at least, are trying to do this themselves without really understanding the variety of services that work “beyond the platform.” And that, at least, is a problem we can solve right now.
The Internet is not Facebook (or Twitter, or Discord, etc.)
There are many services, mechanisms, and protocols that make up the Internet as we know it. The most essential of these are what we call infrastructure providers. You might think that infrastructure services fall into two camps: physical and logical. Physical infrastructure is the easiest to determine, such as submarine tubes, cables, servers, routers, Internet Exchange Points (IXPs), etc. These elements form the tangible backbone of the Internet. It’s easy to forget – and important to remember – that the Internet is a physical thing.
The logical layer of the Internet infrastructure is where things get a little tricky. No one will argue that Internet Protocols (like HTTP/S, DNS, IP), Internet Service Providers (ISPs), Content Delivery Networks (CDNs), and Certificate Authorities (CAs) are all examples of services necessary infrastructure. ISPs allow users to access the physical layer of the Internet, Internet Protocols provide a consistent set of rules for their computers to communicate effectively over the Internet, and CDNs and CAs provide the necessary content and validity that sites Web need to remain available to users. These are essential for the platforms to exist and for people to be able to interact with them online. This is why we advocate for positions of content neutrality for these services: they are essential to freedom of expression online and should not be given editorial capacity to decide what can and cannot exist. online, beyond what the law already dictates.
There are many other services that work behind the scenes to make the internet work as intended. These services, like payment processors, analytics plugins, behavioral tracking mechanisms, and certain cybersecurity tools, ensure the financial viability of platforms and reveal a sort of degraded gray area between what we determine to be primarily infrastructural and not . Denying their services can have varying degrees of impact on a platform. Payment processors are essential for almost every website to collect money to keep their business or organization online. On the other hand, one could argue that behavioral tracking mechanisms and ad trackers also ensure the financial viability of companies in competitive markets. We will not claim that the tracking tools are infrastructural.
But when it comes to cybersecurity tools like DDoS protection through reverse proxy servers (which Cloudflare provided KiwiFarms), it’s not that easy. A DDoS protection mechanism does not make or prevent a site from appearing online, it protects it from potential attacks that might. Also, unlike ISPs, CAs, or protocols, this type of cybersecurity tool is not a service that is closely monitored and defined by authoritative entities. This is something anyone with technical expertise (no platform is guaranteed to be entitled to good programmers) can accomplish. In the case of KiwiFarms, they have moved to using a modified fork of a free and open source load balancer to protect against DDoS attacks and other bot attacks.
Interventions beyond platforms have different consequences
It is difficult for infrastructure providers to create policies that meet content moderation requirements as established by international human rights standards. And it is particularly difficult to create these policies and monitoring systems when individual rights seem to conflict with each other. And the consequences of their decisions vary widely.
For example, it’s worth noting that Cloudflare and the tech press spilled far less ink when they made the decision to terminate the service to Switterin a single example of SESTA/FOSTA bad consequences for sex workers. However, it is these types of sites that are the most impacted. Platforms based outside of the northern hemisphere or that have more users from marginalized communities rarely have the same alternatives for infrastructure services, including security tools and server space, as sites well-resourced and even less-resourced online spaces based in the US and Europe. . For these users, policies that support fewer interventions and the ability to communicate without being vulnerable to the whims of corporate executives may be a better way to help people speak truth to power.
Online actions create harm in the real world, and it can happen in many directions. But infrastructure providers are rarely in a good position to assess this harm. They may also face conflicting demands and demands based on the rules and values of the countries in which they operate. Cloudy Noted that previous interventions have led to an increase in requests for withdrawal from the government.
We don’t have a simple solution to these complex problems, but we do have a suggestion. Given these pressures, the thorny issues they raise, and the importance of ensuring that users have the ability to speak up and express themselves without to be vulnerable to the whims of business leaders, vendors who cannot consistently answer these questions should do their best to stay focused on their core mission: providing and improving reliable services so that others can rely on them to debate, defend and organize. And policymakers should strive to ensure that internet policies support privacy, expression and human rights.