
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Thu, 16 Apr 2026 17:29:53 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Cloudflare's abuse policies & approach]]></title>
            <link>https://blog.cloudflare.com/cloudflares-abuse-policies-and-approach/</link>
            <pubDate>Wed, 31 Aug 2022 13:00:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare launched nearly twelve years ago. Over that time, our set of services has become much more complicated. With that complexity we have developed policies around how we handle abuse of different features Cloudflare provides ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6KFpKT5IYgDuwxdCYL4S1s/babd5693105204319201da5b58e6b98b/The-Cloudflare-Blog-1.png" />
            
            </figure><p>Cloudflare launched nearly twelve years ago. We’ve grown to operate a network that spans more than 275 cities in over 100 countries. We have millions of customers: from small businesses and individual developers to approximately 30 percent of the Fortune 500. Today, more than 20 percent of the web relies directly on Cloudflare’s services.</p><p>Over the time since we launched, our set of services has become much more complicated. With that complexity we have developed policies around how we handle abuse of different Cloudflare features. Just as a broad platform like Google has different abuse policies for search, Gmail, YouTube, and Blogger, Cloudflare has <a href="/out-of-the-clouds-and-into-the-weeds-cloudflares-approach-to-abuse-in-new-products/">developed different abuse policies</a> as we have introduced new products.</p><p>We published our updated approach to abuse last year at:</p><p><a href="https://www.cloudflare.com/trust-hub/abuse-approach/">https://www.cloudflare.com/trust-hub/abuse-approach/</a></p><p>However, as questions have arisen, we thought it made sense to describe those policies in more detail here.  </p><p>The policies we built reflect ideas and recommendations from human rights experts, activists, academics, and regulators. Our guiding principles require abuse policies to be specific to the service being used. This is to ensure that any actions we take both reflect the ability to address the harm and minimize unintended consequences. We believe that someone with an abuse complaint must have access to an abuse process to reach those who can most effectively and narrowly address their complaint — anonymously if necessary. And, critically, we strive always to be transparent about both our policies and the actions we take.</p>
    <div>
      <h3>Cloudflare's products</h3>
      <a href="#cloudflares-products">
        
      </a>
    </div>
    <p>Cloudflare provides a broad range of products that fall generally into three buckets: hosting products (e.g., Cloudflare Pages, Cloudflare Stream, Workers KV, Custom Error Pages), security services (e.g., DDoS Mitigation, Web Application Firewall, Cloudflare Access, Rate Limiting), and core Internet technology services (e.g., Authoritative DNS, Recursive DNS/1.1.1.1, WARP). For a complete list of our products and how they map to these categories, you can see our <a href="https://www.cloudflare.com/trust-hub/abuse-approach/">Abuse Hub</a>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/0jGLSWqF5X7h8ZGsARPIe/50f3abc20a250a34dbd27647f721de1b/pasted-image-0--2--1.png" />
            
            </figure><p>As described below, our policies take a different approach on a product-by-product basis in each of these categories.</p>
    <div>
      <h3>Hosting products</h3>
      <a href="#hosting-products">
        
      </a>
    </div>
    <p>Hosting products are those products where Cloudflare is the ultimate host of the content. This is different from products where we are merely providing security or temporary caching services and the content is hosted elsewhere. Although many people confuse our security products with hosting services, we have distinctly different policies for each. Because the vast majority of Cloudflare customers do not yet use our hosting products, abuse complaints and actions involving these products are currently relatively rare.</p><p>Our decision to disable access to content in hosting products fundamentally results in that content being taken offline, at least until it is republished elsewhere. Hosting products are subject to our <a href="https://www.cloudflare.com/trust-hub/abuse-approach/">Acceptable Hosting Policy</a>. Under that policy, for these products, we may remove or disable access to content that we believe:</p><ul><li><p>Contains, displays, distributes, or encourages the creation of child sexual abuse material, or otherwise exploits or promotes the exploitation of minors.</p></li><li><p>Infringes on intellectual property rights.</p></li><li><p>Has been determined by appropriate legal process to be defamatory or libelous.</p></li><li><p>Engages in the unlawful distribution of controlled substances.</p></li><li><p>Facilitates human trafficking or prostitution in violation of the law.</p></li><li><p>Contains, installs, or disseminates any active malware, or uses our platform for exploit delivery (such as part of a command and control system).</p></li><li><p>Is otherwise illegal, harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals, or seeks to defraud the public.</p></li></ul><p>We maintain discretion in how our Acceptable Hosting Policy is enforced, and generally seek to apply content restrictions as narrowly as possible. 
For instance, if a shopping cart platform with millions of customers uses Cloudflare Workers KV and one of their customers violates our Acceptable Hosting Policy, we will not automatically terminate the use of Cloudflare Workers KV for the entire platform.</p><p>Our guiding principle is that organizations closest to content are best at determining when the content is abusive. It also recognizes that overbroad takedowns can have significant unintended impact on access to content online.</p>
    <div>
      <h3>Security services</h3>
      <a href="#security-services">
        
      </a>
    </div>
    <p>The overwhelming majority of Cloudflare's millions of customers use only our security services. Cloudflare made a decision early in our history that we wanted to make security tools as widely available as possible. This meant that we provided many tools for free, or at minimal cost, to best limit the impact and effectiveness of a wide range of cyberattacks. Most of our customers pay us nothing.</p><p>Giving everyone the ability to sign up for our services online also reflects our view that cyberattacks not only should not be used for silencing vulnerable groups, but are not the appropriate mechanism for addressing problematic content online. We believe cyberattacks, in any form, should be relegated to the dustbin of history.</p><p>The decision to provide security tools so widely has meant that we've had to think carefully about when, or if, we ever terminate access to those services. We recognized that we needed to think through what the effect of a termination would be, and whether there was any way to set standards that could be applied in a fair, transparent and non-discriminatory way, consistent with human rights principles.</p><p>This is true not just for the content where a complaint may be filed  but also for the precedent the takedown sets. Our conclusion — informed by all of the many conversations we have had and the thoughtful discussion in the broader community — is that voluntarily terminating access to services that protect against cyberattack is not the correct approach.</p>
    <div>
      <h3>Avoiding an abuse of power</h3>
      <a href="#avoiding-an-abuse-of-power">
        
      </a>
    </div>
    <p>Some argue that we should terminate these services to content we find reprehensible so that others can launch attacks to knock it offline. That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character. Both in the physical world and online, that is a dangerous precedent, and one that is over the long term most likely to disproportionately harm vulnerable and marginalized communities.</p><p>Today, more than 20 percent of the web uses Cloudflare's security services. When considering our policies we need to be mindful of the impact we have and precedent we set for the Internet as a whole. Terminating security services for content that our team personally feels is disgusting and immoral would be the popular choice. But, in the long term, such choices make it more difficult to protect content that supports oppressed and marginalized voices against attacks.</p>
    <div>
      <h3>Refining our policy based on what we’ve learned</h3>
      <a href="#refining-our-policy-based-on-what-weve-learned">
        
      </a>
    </div>
    <p>This isn't hypothetical. Thousands of times per day we receive calls that we terminate security services based on content that someone reports as offensive. Most of these don’t make news. Most of the time these decisions don’t conflict with our moral views. Yet two times in the past we decided to terminate content from our security services because we found it reprehensible. In 2017, we terminated the neo-Nazi troll site <a href="/why-we-terminated-daily-stormer/">The Daily Stormer</a>. And in 2019, we terminated the conspiracy theory forum <a href="/terminating-service-for-8chan/">8chan</a>.</p><p>In a deeply troubling response, after both terminations we saw a dramatic increase in authoritarian regimes attempting to have us terminate security services for human rights organizations — often citing the language from our own justification back to us.</p><p>Since those decisions, we have had significant discussions with policy makers worldwide. From those discussions we concluded that the power to terminate security services for the sites was not a power Cloudflare should hold. Not because the content of those sites wasn't abhorrent — it was — but because security services most closely resemble Internet utilities.</p><p>Just as the telephone company doesn't terminate your line if you say awful, racist, bigoted things, we have concluded in consultation with politicians, policy makers, and experts that turning off security services because we think what you publish is despicable is the wrong policy. To be clear, just because we did it in a limited set of cases before doesn’t mean we were right when we did. Or that we will ever do it again.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7tBErj7SMPOb8RTPTfKVam/f785844a18b57a059bdd25a08fe47e54/pasted-image-0--4--3.png" />
            
            </figure><p>But that doesn’t mean that Cloudflare can’t play an important role in protecting those targeted by others on the Internet. We have long supported human rights groups, journalists, and other uniquely vulnerable entities online through <a href="https://www.cloudflare.com/galileo/">Project Galileo</a>. Project Galileo offers free cybersecurity services to nonprofits and advocacy groups that help strengthen our communities.</p><p>Through the <a href="https://www.cloudflare.com/athenian/">Athenian Project</a>, we also play a role in protecting election systems throughout the United States and abroad. Elections are one of the areas where the systems that administer them need to be fundamentally trustworthy and neutral. Making choices on what content is deserving or not of security services, especially in any way that could be interpreted as political, would undermine our ability to provide trustworthy protection of election infrastructure.</p>
    <div>
      <h3>Regulatory realities</h3>
      <a href="#regulatory-realities">
        
      </a>
    </div>
    <p>Our policies also respond to regulatory realities. Internet content regulation laws passed over the last five years around the world have largely drawn a line between services that host content and those that provide security and conduit services. Even when these regulations impose obligations on platforms or hosts to moderate content, they exempt security and conduit services from playing the role of moderator without legal process. This is sensible regulation born of a thorough regulatory process.</p><p>Our policies follow this well-considered regulatory guidance. We prevent security services from being used by sanctioned organizations and individuals. We also terminate security services for content which is illegal in the United States — where Cloudflare is headquartered. This includes Child Sexual Abuse Material (CSAM) as well as content subject to the Fight Online Sex Trafficking Act (FOSTA). But, otherwise, we believe that cyberattacks are something that everyone should be free of. Even if we fundamentally disagree with the content.</p><p>In respect of the rule of law and due process, we follow legal process controlling security services. We will restrict content in geographies where we have received legal orders to do so. For instance, if a court in a country prohibits access to certain content, then, following that court's order, we generally will restrict access to that content in that country. That, in many cases, will limit the ability for the content to be accessed in the country. However, we recognize that just because content is illegal in one jurisdiction does not make it illegal in another, so we narrowly tailor these restrictions to align with the jurisdiction of the court or legal authority.</p><p>While we follow legal process, we also believe that transparency is critically important. To that end, wherever these content restrictions are imposed, we attempt to link to the particular legal order that required the content be restricted. 
This transparency is necessary for people to participate in the legal and legislative process. We find it deeply troubling when ISPs comply with court orders by invisibly blackholing content — not giving those who try to access it any idea of what legal regime prohibits it. Speech can be curtailed by law, but proper application of the Rule of Law requires whoever curtails it to be transparent about why they have.</p>
    <div>
      <h3>Core Internet technology services</h3>
      <a href="#core-internet-technology-services">
        
      </a>
    </div>
    <p>While we will generally follow legal orders to restrict security and conduit services, we have a higher bar for core Internet technology services like Authoritative DNS, Recursive DNS/1.1.1.1, and WARP. The challenge with these services is that restrictions on them are global in nature. You cannot easily restrict them in just one jurisdiction, so the most restrictive law ends up applying globally.</p><p>We have generally challenged or appealed legal orders that attempt to restrict access to these core Internet technology services, even when a ruling only applies to our free customers. In doing so, we attempt to suggest to regulators or courts more tailored ways to restrict the content they may be concerned about.</p><p>Unfortunately, cases in which parties, largely copyright holders, attempt to get a ruling in one jurisdiction and have it apply worldwide to terminate core Internet technology services and effectively wipe content offline are becoming more common. Again, we believe this is a dangerous precedent to set, placing the control of what content is allowed online in the hands of whatever jurisdiction is willing to be the most restrictive.</p><p>So far, we’ve largely been successful in making arguments that this is not the right way to regulate the Internet and getting these cases overturned. Holding this line, we believe, is fundamental for the healthy operation of the global Internet. But each showing of discretion across our security or core Internet technology services weakens our argument in these important cases.</p>
    <div>
      <h3>Paying versus free</h3>
      <a href="#paying-versus-free">
        
      </a>
    </div>
    <p>Cloudflare provides both free and paid services across all the categories above. Again, the majority of our customers use our free services and pay us nothing.</p><p>Although most of the concerns we see in our abuse process relate to our free customers, we do not have different moderation policies based on whether a customer is free versus paid. We do, however, believe that in cases where our values are diametrically opposed to those of a paying customer, we should take further steps to not only not profit from the customer, but to use any proceeds to further our company’s values and oppose theirs.</p><p>For instance, when a site that opposed LGBTQ+ rights signed up for a paid version of DDoS mitigation service we worked with our Proudflare employee resource group to identify an organization that supported LGBTQ+ rights and donate 100 percent of the fees for our services to them. We don't and won't talk about these efforts publicly because we don't do them for marketing purposes; we do them because they are aligned with what we believe is morally correct.</p>
    <div>
      <h3>Rule of Law</h3>
      <a href="#rule-of-law">
        
      </a>
    </div>
    <p>While we believe we have an obligation to restrict the content that we host ourselves, we do not believe we have the political legitimacy to determine generally what is and is not online by restricting security or core Internet services. If that content is harmful, the right place to restrict it is legislatively.</p><p>We also believe that an Internet where cyberattacks are used to silence what's online is a broken Internet, no matter how much we may have empathy for the ends. As such, we will look to legal process, not popular opinion, to guide our decisions about when to terminate our security services or our core Internet technology services.</p><p>In spite of what some may claim, we are not free speech absolutists. We do, however, believe in the Rule of Law. Different countries and jurisdictions around the world will determine what content is and is not allowed based on their own norms and laws. In assessing our obligations, we look to whether those laws are limited to the jurisdiction and consistent with our obligations to respect human rights under the <a href="https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf">United Nations Guiding Principles on Business and Human Rights</a>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3xMuKqx9FMSlG0dQaQB7tY/28a0b309ad48f14256f4200dd852794a/pasted-image-0--3--2.png" />
            
            </figure><p>There remain many injustices in the world, and unfortunately much content online that we find reprehensible. We can solve some of these injustices, but we cannot solve them all. But, in the process of working to improve the security and functioning of the Internet, we need to make sure we don’t cause it long-term harm.</p><p>We will continue to have conversations about these challenges, and how best to approach securing the global Internet from cyberattack. We will also continue to cooperate with legitimate law enforcement to help investigate crimes, to <a href="https://www.cloudflare.com/galileo/">donate funds and services</a> to support equality, human rights, and other causes we believe in, and to participate in policy making around the world to help preserve the free and open Internet.</p> ]]></content:encoded>
            <category><![CDATA[Abuse]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">1dO5CZvpkSasLMSaW3LabY</guid>
            <dc:creator>Matthew Prince</dc:creator>
            <dc:creator>Alissa Starzak</dc:creator>
        </item>
        <item>
            <title><![CDATA[What Cloudflare is doing to keep the Open Internet flowing into Russia and keep attacks from getting out]]></title>
            <link>https://blog.cloudflare.com/what-cloudflare-is-doing-to-keep-the-open-internet-flowing-into-russia-and-keep-attacks-from-getting-out/</link>
            <pubDate>Sun, 03 Apr 2022 01:28:36 GMT</pubDate>
            <description><![CDATA[ Following Russia’s unjustified and tragic invasion of Ukraine in late February, the world has watched closely as Russian troops attempted to advance across Ukraine, only to be resisted and repelled by the Ukrainian people ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Following Russia’s unjustified and tragic invasion of Ukraine in late February, the world has watched closely as Russian troops attempted to advance across Ukraine, only to be resisted and repelled by the Ukrainian people. Similarly, we’ve seen a <a href="/internet-traffic-patterns-in-ukraine-since-february-21-2022/">significant amount</a> of cyber attack activity in the region. We continue to work to protect an increasing number of Ukrainian government, media, financial, and nonprofit websites, and we <a href="https://www.heise.de/hintergrund/Running-the-ua-top-level-domain-in-times-of-war-6611777.html">protected the Ukrainian top level domain</a> (.ua) to help keep Ukraine’s presence on the Internet operational.</p><p>At the same time, we’ve closely watched significant and unprecedented activity on the Internet in Russia. The Russian government has taken steps to tighten its control over both the technical components and the content of the Russian Internet. For their part, the people in Russia are doing something very different. They have been adopting tools to maintain access to the global Internet, and they have been seeking out non-Russian media sources. This blog post outlines what we’ve observed.</p>
    <div>
      <h3>The Russian Government asserts control over the Internet</h3>
      <a href="#the-russian-government-asserts-control-over-the-internet">
        
      </a>
    </div>
    <p>Over the last five years, the Russian government has taken steps to tighten its control of a sovereign Internet within Russia’s borders, including laws requiring Russian ISPs to install equipment allowing the government to monitor and block Internet activity, and requiring the establishment of an exclusively Russian DNS (outside ICANN).  And it created mechanisms for the Russian government to control how Russia was connected to the global Internet, so they could pull the plug if they wanted.</p><p>Since the Russian invasion of Ukraine, the Russian government has made a series of announcements related to implementation of its sovereign Internet laws. Russian government agencies were instructed to switch to Russian DNS servers, move public resources to Russian hosting services, and take a number of other steps designed to reduce reliance on non-Russian providers. Although some took these initiatives as <a href="https://www.vice.com/en/article/88gevb/russia-is-preparing-to-cut-itself-off-from-the-global-internet">an announcement</a> that Russia intended to disconnect from the global Internet, so far Russia does not appear to have leveraged the tools it has to disconnect itself entirely from the global Internet.  We continue to see connections processing successfully in Russia through non-Russia infrastructure.</p><p>In the meantime, authorities in Russia have implemented a series of targeted blocking actions against websites and operators that they find objectionable. Initially, officials targeted popular social media sites like Facebook, Instagram, and Twitter, as well as Russian language outlets based outside the country.</p><p>We can see the effect of some of those blocks on traffic from Russian users to different news websites in Russia and Ukraine before and after blocks were implemented.  </p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/L3AyeQAadXwnRnmF4CQZ4/d0b9b8b79c6529384e73f5dc570f96bc/image9-1.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1OZmnMZGwqHUwitHYv0IcJ/f880e8c9a4060c1acbf57d4a65cb2f8d/image3-2.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4MnPUvJDQq4a21Gk7GnN9X/fedc0bb29d75c0e62d7b2c59498ace80/image1-3.png" />
            
            </figure><p>In each case, these news sites saw exponential growth in their traffic in the days around the February 24th invasion of Ukraine. But that increase was met within a matter of days by actions to block traffic to those sites. The blocks had varying degrees of success over the first few weeks, though each of them seems to have been eventually successful in denying access to those sources of news through traditional Internet channels.</p><p>But that is only half the story. As the Russian government took steps to control traditional channels for Internet access, there were shifts in the ways many Russians used the Internet.</p>
    <div>
      <h3>Russian citizens turning to tools to gain access to the open Internet</h3>
      <a href="#russian-citizens-turning-to-tools-to-gain-access-to-the-open-internet">
        
      </a>
    </div>
    <p>Russians have been adopting applications and tools that allow them to engage with the Internet privately and avoid some of the mechanisms that the Russian government is using to control and monitor access to the Internet. Whereas the most popular applications in the Apple App Store in most of the world in March continue to relate to social media and games, the leaderboard in Russia looked very different:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6PPLqjcchFGDvhzj8hsNt0/987c5ce751f0c23e8d79f044b8fd4541/image2-2.png" />
            
            </figure><p>All of the top apps in Russia in March were for private and secure Internet access or encrypted messaging apps, including the most downloaded app – Cloudflare’s own WARP / 1.1.1.1 (a privacy-based recursive DNS resolver). This list of popular apps is a stunning contrast with every other country in the world.</p><p>Because of the significant and important popularity of WARP (1.1.1.1), we’ve had some detailed insight into exactly how this has played out. If we look back to the beginning of February we see that Cloudflare’s WARP tool was little used in Russia. Its use took off from the first weekend of the war, and peaked two weeks ago. Later, after this virtual migration to such secure tools became apparent, we saw attempts to block access to the tools used to access the Internet securely.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4t9Sfa6JkRCIQqzf1LLmLa/fd6bc76f7f500cdf6e898902441a71c3/image10.png" />
            
            </figure><p>While levels have receded from their peak, a large number of Russians continue to use Cloudflare WARP in Russia at massively higher levels than pre-war.</p><p>In addition to Russians increasingly relying on private and encrypted communications to use the Internet, we’ve also seen a shift in what they are trying to access. Here’s a chart of DNS requests from Russian users for a well known US newspaper. Recent DNS traffic for the site has quintupled compared to pre-war levels, indicating Russians are trying to access that news source.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2YTT5mE3ZZAsRhZ7OtTgeg/6148dcedb9620c4e1306ce4752f9cef2/image8.png" />
            
            </figure><p>And here’s DNS traffic for a large French news source. Again, DNS lookups have grown enormously as Russians try to access it.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4tf5We66VeiiZZfK2WP8wR/62df69d607cb8841d2ea1a5b0a1cd167/image5-1.png" />
            
            </figure><p>And here’s a British newspaper.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/22M1VPQEkIBbexTn0aUvGK/eae1604898841956d4781078ee9b199f/image4-1.png" />
            
            </figure><p>The picture is clear from these three charts. Russians want access to non-Russian news sources and based on the popularity of private Internet access tools and VPNs, they are willing to work to get it.</p>
    <div>
      <h3>A front line against cyberattack</h3>
      <a href="#a-front-line-against-cyberattack">
        
      </a>
    </div>
    <p>In addition to the services we’ve been able to provide average citizens in Russia, our servers at the edge of the Internet in-country have also permitted us to detect and block attacks originating there. When attacks are mitigated inside Russia, they never travel outside Russian borders. That’s always been part of the proposition of Cloudflare’s distributed network – to identify and block cyber attacks (especially DDoS attacks) locally, and before they can ever get off the ground.</p><p>Here’s what DDoS activity originating inside Russia and blocked there by Cloudflare has looked like since the beginning of February. Normal DDoS activity originating from Russian networks and blocked by Cloudflare’s servers there is relatively low throughout February but then grows massively in the middle of March.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4Vlvd4C3ZfwroCzqAc6MIp/f7844f24b507e0e49c7ff2f3357f8690/image7.png" />
            
            </figure><p>To be clear, being able to identify where cyber attack traffic originates is not the same as being able to attribute where the attacker is located. Attributing cyber attacks is difficult, and now is a time to be particularly careful with attribution. It is relatively common for cyber attackers to launch attacks from remote locations around the world. This often happens when they are able to hijack devices in other countries through things like IoT (Internet of Things) corruptions.</p><p>But even with such subterfuge, we’ve still seen a significant increase in the number of blocked attacks that are hitting our servers inside Russia.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2RqUtXpSJgEraVpwUN73Y7/d2db3f821adceb2553f335e0a1c9b36e/image6-1.png" />
            
            </figure><p>A few weeks ago, as the invasion of Ukraine was in its early stages, I noted that “<a href="/steps-taken-around-cloudflares-services-in-ukraine-belarus-and-russia/">Russia needs more Internet, not less</a>.” At a time of unprecedented economic sanctions by the United States and Europe, there have been calls for all foreign companies to go further and exit Russia completely, including calls for Internet providers to disconnect Russia. To be clear, Cloudflare has minimal sales and commercial activity in Russia – we’ve never had a corporate entity, an office, or employees there – and we’ve taken steps to ensure that we’re not paying taxes or fees to the Russian government. But given the significant impact of our services on the availability and security of the Internet, we believe removing our services from Russia altogether would do more harm than good.</p><p>While we deeply appreciate the motivation of the calls for companies to exit Russia, this withdrawal by Internet companies can have the unintended effect of advancing and entrenching the interests of the Russian government to control the Internet in Russia. Efforts to have Russia cut off from the global Internet through <a href="https://www.icann.org/en/system/files/correspondence/marby-to-fedorov-02mar22-en.pdf">ICANN</a> and <a href="https://www.ripe.net/publications/news/announcements/ripe-ncc-response-to-request-from-ukrainian-government">RIPE</a> will only cut off the Russian people from information about the war in Ukraine that the Russian government doesn’t want them to access.  After a number of U.S.-based certificate authorities stopped issuing SSL certificates for Russian websites, Russia <a href="https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/">responded</a> in early March by encouraging Russian citizens to download a Russian Root Certificate Authority instead. 
As observed by <a href="https://www.eff.org/deeplinks/2022/03/you-should-not-trust-russias-new-trusted-root-ca">EFF</a>, “the Russian state’s stopgap measure to keep its services running also enables spying on Russians, now and in the future.”</p><p>This is why there has been near universal agreement by experts that it is imperative the Russian Internet stay as open as possible for the Russian people. Dozens of civil society groups have <a href="https://www.accessnow.org/letter-us-government-internet-access-russia-belarus-ukraine/">urged</a> governments to work to counteract authoritarian actions “and ensure that sanctions and other steps meant to repudiate the Russian government’s illegal actions do not backfire, by reinforcing Putin’s efforts to assert information control.” Russian digital rights activists have <a href="https://roskomsvoboda.org/post/24-february-24-march-2022/">pleaded with</a> service providers to offer Russians free VPN access, so they are not left isolated from global news sources.  Even the U.S. State Department has <a href="https://www.washingtonpost.com/technology/2022/03/16/apple-google-cloudflare-russia/">made clear</a>, “It is critical to maintain the flow of information to the people of Russia to the fullest extent possible.”</p><p>Supporting our mission to help build a better Internet, it’s been a busy six weeks for our team monitoring these developments and working around the clock to make sure Ukrainian web properties are defended and that ordinary Russians can access the global Internet. We remain in awe of the brave Ukrainians standing up in defense of their homeland, and continue to hope that peace will prevail.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/y2JtB5XQIA6nRzvTn7mj7/01e4a697fff09b8211ecc20dd6b40ed7/image1-8.png" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[Ukraine]]></category>
            <category><![CDATA[Russia]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">22RL3iYsnMld5ewbY0p3Vx</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Terminating Service for 8Chan]]></title>
            <link>https://blog.cloudflare.com/terminating-service-for-8chan/</link>
            <pubDate>Mon, 05 Aug 2019 01:44:16 GMT</pubDate>
            <description><![CDATA[ The mass shootings in El Paso, Texas and Dayton, Ohio are horrific tragedies. In the case of the El Paso shooting, the suspected terrorist gunman appears to have been inspired by the forum website known as 8chan.  ]]></description>
            <content:encoded><![CDATA[ <p>The mass shootings in El Paso, Texas and Dayton, Ohio are horrific tragedies. In the case of the El Paso shooting, the suspected terrorist gunman appears to have been inspired by the forum website known as 8chan. Based on evidence we've seen, it appears that he posted a screed to the site immediately before beginning his terrifying attack on the El Paso Walmart killing 20 people.</p><p>Unfortunately, this is not an isolated incident. Nearly the same thing happened on 8chan before the terror attack in Christchurch, New Zealand. The El Paso shooter specifically referenced the Christchurch incident and appears to have been inspired by the largely unmoderated discussions on 8chan which glorified the previous massacre. In a separate tragedy, the suspected killer in the Poway, California synagogue shooting also posted a hate-filled “open letter” on 8chan. 8chan has repeatedly proven itself to be a cesspool of hate.</p><p>8chan is among the more than 19 million Internet properties that use Cloudflare's service. We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time. The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.</p><p>We do not take this decision lightly. Cloudflare is a network provider. In pursuit of our goal of helping build a better internet, we’ve considered it important to provide our security services broadly to make sure as many users as possible are secure, and thereby making cyberattacks less attractive — regardless of the content of those websites.  Many of our customers run platforms of their own on top of our network. 
If our policies are more conservative than theirs it effectively undercuts their ability to run their services and set their own policies. We reluctantly tolerate content that we find reprehensible, but we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services.</p>
    <div>
      <h2>What Will Happen Next</h2>
      <a href="#what-will-happen-next">
        
      </a>
    </div>
    <p>Unfortunately, we have seen this situation before and so we have a good sense of what will play out. Almost exactly two years ago we made the determination to kick another disgusting site off Cloudflare's network: <a href="https://new.blog.cloudflare.com/why-we-terminated-daily-stormer/">the Daily Stormer.</a> That caused a brief interruption in the site's operations but they quickly came back online using a Cloudflare competitor. That competitor at the time promoted as a feature the fact that they didn't respond to legal process. Today, the Daily Stormer is still available and still disgusting. They have bragged that they have more readers than ever. They are no longer Cloudflare's problem, but they remain the Internet's problem.</p><p>I have little doubt we'll see the same happen with 8chan. While removing 8chan from our network takes heat off of us, it does nothing to address why hateful sites fester online. It does nothing to address why mass shootings occur. It does nothing to address why portions of the population feel so disenchanted they turn to hate. In taking this action we've solved our own problem, but we haven't solved the Internet's.</p><p>In the two years since the Daily Stormer what we have done to try and solve the Internet’s deeper problem is engage with law enforcement and civil society organizations to try and find solutions. Among other things, that resulted in us cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained an indication of potential violence. We will continue to work within the legal process to share information when we can to hopefully prevent horrific acts of violence. We believe this is our responsibility and, given Cloudflare's scale and reach, we are hopeful we will continue to make progress toward solving the deeper problem.</p>
    <div>
      <h2>Rule of Law</h2>
      <a href="#rule-of-law">
        
      </a>
    </div>
    <p>We continue to feel incredibly uncomfortable about playing the role of content arbiter and do not plan to exercise it often. Some have wrongly speculated this is due to some conception of the United States' First Amendment. That is incorrect. First, we are a private company and not bound by the First Amendment. Second, the vast majority of our customers, and more than 50% of our revenue, comes from outside the United States where the First Amendment and similarly libertarian freedom of speech protections do not apply. The only relevance of the First Amendment in this case and others is that it allows us to choose who we do and do not do business with; it does not obligate us to do business with everyone.</p><p>Instead our concern has centered around another much more universal idea: the Rule of Law. The Rule of Law requires policies be transparent and consistent. While it has been articulated as a framework for how governments ensure their legitimacy, we have used it as a touchstone when we think about our own policies.</p><p>We have been successful because we have a very effective technological solution that provides security, performance, and reliability in an affordable and easy-to-use way. As a result of that, a huge portion of the Internet now sits behind our network. <a href="https://w3techs.com/technologies/history_overview/proxy/all">10% of the top million, 17% of the top 100,000, and 19% of the top 10,000 Internet properties use us today</a>. 10% of the Fortune 1,000 are paying Cloudflare customers.</p><p>Cloudflare is not a government. While we've been successful as a company, that does not give us the political legitimacy to make determinations on what content is good and bad. Nor should it. Questions around content are real societal issues that need politically legitimate solutions. We will continue to engage with lawmakers around the world as they set the boundaries of what is acceptable in their countries through due process of law. 
And we will comply with those boundaries when and where they are set.</p><p>Europe, for example, has taken a lead in this area. As we've seen governments there attempt to address hate and terror content online, there is recognition that different obligations should be placed on companies that organize and promote content — like Facebook and YouTube — rather than those that are mere conduits for that content. Conduits, like Cloudflare, are not visible to users and therefore cannot be transparent and consistent about their policies.</p><p>The unresolved question is how should the law deal with platforms that ignore or actively thwart the Rule of Law? That's closer to the situation we have seen with the Daily Stormer and 8chan. They are lawless platforms. In cases like these, where platforms have been designed to be lawless and unmoderated, and where the platforms have demonstrated their ability to cause real harm, the law may need additional remedies. We and other technology companies need to work with policy makers in order to help them understand the problem and define these remedies. And, in some cases, it may mean moving enforcement mechanisms further down the technical stack.</p>
    <div>
      <h2>Our Obligation</h2>
      <a href="#our-obligation">
        
      </a>
    </div>
    <p>Cloudflare's mission is to help build a better Internet. At some level firing 8chan as a customer is easy. They are uniquely lawless and that lawlessness has contributed to multiple horrific tragedies. Enough is enough.</p><p>What's hard is defining the policy that we can enforce transparently and consistently going forward. We, and other technology companies like us that enable the great parts of the Internet, have an obligation to help propose solutions to deal with the parts we're not proud of. That's our obligation and we're committed to it.</p><p>Unfortunately the action we take today won’t fix hate online. It will almost certainly not even remove 8chan from the Internet. But it is the right thing to do. Hate online is a real issue. Here are some organizations that have active work to help address it:</p><ul><li><p><a href="https://www.adl.org/">Anti-Defamation League</a></p></li><li><p><a href="https://gennextfoundation.org/cve/">Gen Next Foundation</a></p></li><li><p><a href="https://www.perspectiveapi.com/#/home">Perspective API</a></p></li><li><p><a href="https://www.7cups.com/">7 Cups</a></p></li></ul><p>Our whole Cloudflare team’s thoughts are with the families grieving in El Paso, Texas and Dayton, Ohio this evening.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">2rwUxACTOBuFB5P6FXrkuc</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Project Galileo: the view from the front lines]]></title>
            <link>https://blog.cloudflare.com/project-galileo-the-view-from-the-front-lines/</link>
            <pubDate>Fri, 14 Jun 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ Growing up in the age of technology has made it too easy for me to take the presence of the Internet for granted. It’s hard to imagine not being able to go online and connect with anyone in the world. ]]></description>
            <content:encoded><![CDATA[ <p>Growing up in the age of technology has made it too easy for me to take the presence of the Internet for granted. It’s hard to imagine not being able to go online and connect with anyone in the world, whether I’m speaking with family members or following activists planning global rallies in support of a common cause. I find that as I forget the wonder of being connected, I become jaded. I imagine that many of you reading this blog feel the same way. I doubt you have gone a month, or even a week, this year without considering that the world might be better off without the Internet, or without parts of the Internet, or that your life would be better with a digital cleanse. Project Galileo is my antidote. For every person online who abuses their anonymity, there is an organization that literally could not fulfill their purpose without it. And they are doing amazing work.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3pxJwwneci5xRldTSU05GE/7dd4203d58b9c636b226b62bd23af200/Screen-Shot-2019-06-13-at-4.09.47-PM.png" />
            
            </figure>
    <div>
      <h3>Working with Participants</h3>
      <a href="#working-with-participants">
        
      </a>
    </div>
    <p>As program manager for Project Galileo, Cloudflare’s initiative to provide free services to vulnerable voices on the Internet, a large portion of my time is spent interacting with the project’s participants and partners. This includes a variety of activities. In my organizational role, I reach out to our partnering organizations, such as the National Democratic Institute and the Center for Democracy and Technology, about sponsoring new recipients. I also help recipients onboard their websites and technically explain our product and how it works. Answering emails from Project Galileo recipients is my favorite part of every day. I can still remember when the sense of wonder truly set in. A few weeks into my time at Cloudflare, I received a request from a local community healthcare clinic that was under attack. I was new, I didn’t have all the permissions I have now, and I didn’t fully understand how all of our systems worked (I still don’t, but I’m much better at figuring out who does). I started reaching out to other teams, all of whom eagerly volunteered their time. Within a few hours, a website that had been down for a week was back up, and best practices were being discussed to help them stay online in the future.</p><p>About a week later I received a wonderful thank you message from the group, and made sure I sent it to those who had helped out and were invested. I treasure these little reminders in my day that what I’m doing makes a difference. In fact, I frequently question my luck in receiving all the praise for a project that functions thanks to the work of countless engineers, and other teams, who work tirelessly to make our product better. I try to find ways to pass these small moments on.</p><p>It makes me laugh when participants who joined while I’ve been working on the project email me with an introduction along the lines of “I don’t know if you remember us, but…”. It makes sense, in the abstract. 
I receive a lot of emails, and around half of all recipients have joined since I started organizing the project. Still, I remember almost everyone who I’ve written to. How could I forget the person who signed off all their emails with something joyful they were doing at the moment, or the one who told me that they had finally made it through a week without their website going down? In many ways, on Project Galileo I interact less with organizations and more with a set of extremely passionate people. The purpose and drive of these individuals infect me with a sense of wonder and excitement, even when our only communications are virtual.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7zMkreNTDaGVHobvNHxY9K/c88d9c6c63fca9d1a439f96cdae05dcd/Screen-Shot-2019-06-13-at-4.08.11-PM.png" />
            
            </figure><p>Project Galileo partners</p>
    <div>
      <h3>Internal Commitment</h3>
      <a href="#internal-commitment">
        
      </a>
    </div>
    <p>Project Galileo doesn’t just bring out the best of the Internet through our recipients, it also brings out the best in Cloudflare. Working on Project Galileo has given me a lot of leeway to explore all aspects of the company. We don’t have a large team in DC, and most of us are on the Policy team. To do my job, I rely on being able to contact teams globally, from Support to Trust and Safety to Solutions Engineering. I’ve chatted with Support team members at 2am to fix an emergency situation, and had a Solutions Engineer on call from 11pm to 1am on a Friday night to support an organization during an event. Even when frustrating or anxiety provoking, these times make me proud to work for an organization that not only vocally supports this project, but whose members commit their time to it despite competing priorities.</p><p>At risk of being overly grandiose, there are a lot of hopes and dreams tied up in Project Galileo. There is the dream that the Internet is a place for vulnerable voices, no matter how small, to advocate for change. There is the dream that companies will use their products to help deserving groups who may not otherwise be able to afford them. As for me, I hope that every day I do something that makes the world a little better. It is an honor to carry these hopes and dreams within the company, and I strive to be a good steward.</p><p>Happy 5th Birthday, Project Galileo! Here’s to many more.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/59cbsLq0MMG715WOztkhxD/ae1c77d494c51072b76d5486d31defd4/5th-cupcake-birthday-web_2x.png" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[Project Galileo]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <guid isPermaLink="false">4anMkaH1lpHqYZBI3BBeMB</guid>
            <dc:creator>Erin Walk</dc:creator>
        </item>
        <item>
            <title><![CDATA[Project Galileo: Lessons from 5 years of protecting the most vulnerable online]]></title>
            <link>https://blog.cloudflare.com/project-galileo-fifth-anniversary/</link>
            <pubDate>Wed, 12 Jun 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ Today is the 5th anniversary of Cloudflare's Project Galileo. Through the Project, Cloudflare protects—at no cost—nearly 600 organizations around the world engaged in some of the most politically and artistically important work online. ]]></description>
            <content:encoded><![CDATA[ <p>Today is the 5th anniversary of <a href="https://www.cloudflare.com/galileo/">Cloudflare's Project Galileo</a>. Through the Project, Cloudflare protects—at no cost—nearly 600 organizations around the world engaged in some of the most politically and artistically important work online. Because of their work, these organizations are attacked frequently, often with some of the fiercest cyber attacks we’ve seen.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/13MIq5Uk6UBKQeAdh9iiTY/e1fca81900d7b1c10af5f4314a0d42e9/image1-1.png" />
            
            </figure><p>Since it <a href="/protecting-free-expression-online/">launched in 2014</a>, we haven't talked about Galileo much externally because we worry that drawing more attention to these organizations may put them at increased risk. Internally, however, it's a source of pride for our whole team and is something we dedicate significant resources to. And, for me personally, many of the moments that mark my most meaningful accomplishments were born from our work protecting Project Galileo recipients.</p><p>The promise of Project Galileo is simple: Cloudflare will provide our full set of security services to any politically or artistically important organizations at no cost so long as they are either non-profits or small commercial entities. I'm still on the distribution list that receives an email whenever someone applies to be a Project Galileo participant, and those emails remain the first I open every morning.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/wu9fDfa8jwPTPJaE0EcCQ/863ace1dbf564fdc633aee75f0361357/image3-1.png" />
            
            </figure>
    <div>
      <h3>The Project Galileo Backstory</h3>
      <a href="#the-project-galileo-backstory">
        
      </a>
    </div>
    <p>Five years ago, Project Galileo was born out of a mistake we made. At the time, Cloudflare's free service didn't include DDoS mitigation. If a free customer came under attack, our operations team would generally stop proxying their traffic. We did this to protect our own network, which was much smaller than it is today.</p><p>Usually this wasn't a problem. Most sites that got attacked at the time were companies or businesses that could pay for our services.</p><p>Every morning I'd receive a report of the sites that were kicked off Cloudflare the night before. One morning in late February 2014 I was reading the report as I walked to work. One of the sites listed as having been dropped stood out as familiar but I couldn't place it.</p><p>I tried to pull up the site on my phone but it was offline, presumably because we were no longer shielding the site from attack. Still curious, I did a quick search and found a Wikipedia page describing the site. It was an independent newspaper in Ukraine and had been covering the ongoing Russian invasion of Crimea.</p><p>I felt sick.</p>
    <div>
      <h3>When Nation States Attack</h3>
      <a href="#when-nation-states-attack">
        
      </a>
    </div>
    <p>What we later learned was that this publication had come under a significant attack, most likely directly from the Russian government. The newspaper had turned to Cloudflare for protection. Their IT director actually tried to pay for our higher tier of service but the bank tied to the publication's credit card had had its systems disrupted by a cyber attack as well and the payment failed. So they’d signed up for the free version of Cloudflare and, for a while, we mitigated the attack.</p><p>The attack was large enough that it triggered an alert in our Network Operations Center (NOC). A member of our Systems Reliability Engineering (SRE) team who was on call investigated and found a free customer being pummeled by a major attack. He followed our run book and triggered a FINT — which stands for "Fail Internal" — directing traffic from the site directly back to its origin rather than passing through Cloudflare's protective edge. Instantly the site was overwhelmed by the attack and, effectively, fell off the Internet.</p>
    <div>
      <h3>Broken Process</h3>
      <a href="#broken-process">
        
      </a>
    </div>
    <p>I should be clear: the SRE didn't do anything wrong. He followed the procedures we had established at the time exactly. He was a great computer scientist, but not a political scientist, so didn't recognize the site or understand its importance due to the situation at the time in Crimea and why a newspaper covering it may come under attack. But, the next morning, as I read the report on my walk in to work, I did.</p><p>Cloudflare's mission is to help build a better Internet. That day we failed to live up to that mission. I knew we had to do something.</p>
    <div>
      <h3>Politically or Artistically Important?</h3>
      <a href="#politically-or-artistically-important">
        
      </a>
    </div>
    <p>It was relatively easy for us to decide to provide Cloudflare's security services for free to politically or artistically important non-profits and small commercial entities. We were confident that we could stand up to even the largest attacks. What we were less confident about was our ability to determine who was "politically or artistically important."</p><p>While Cloudflare runs infrastructure all around the world, our team is largely based in San Francisco, Austin, London, and Singapore. That certainly gives us a viewpoint, but it isn't a particularly globally representative viewpoint. We're also a very technical organization. If we surveyed our team to determine what organizations deserved protection we'd no-doubt identify a number of worthy organizations that were close to home and close to our interests, but we'd miss many others.</p><p>We also worried that it was dangerous for an infrastructure provider like Cloudflare to start making decisions about what content was "good." Doing so inherently would imply that we were in a position to make decisions about what content was "bad." While moderating content and curating communities is appropriate for some more visible platforms, the deeper you go into Internet infrastructure, the less transparent, accountable, and consistent those decisions inherently become.</p>
    <div>
      <h3>Turning to the Experts</h3>
      <a href="#turning-to-the-experts">
        
      </a>
    </div>
    <p>So, rather than making the determination of who was politically or artistically important ourselves, we turned to civil society organizations that were experts in exactly that. Initially, we partnered with 15 organizations, including:</p><ul><li><p>Access Now</p></li><li><p>American Civil Liberties Union (ACLU)</p></li><li><p>Center for Democracy and Technology (CDT)</p></li><li><p>Centre for Policy Alternatives</p></li><li><p>Committee to Protect Journalists (CPJ)</p></li><li><p>Electronic Frontier Foundation (EFF)</p></li><li><p>Engine Advocacy</p></li><li><p>Freedom of the Press Foundation</p></li><li><p>Meedan</p></li><li><p>Mozilla</p></li><li><p>Open Tech Fund</p></li><li><p>Open Technology Institute</p></li></ul><p>We agreed that if any partner said that a non-profit or small commercial entity that applied for protection was "politically or artistically important" then we would extend our security services and protect them, no matter what.</p><p>With that, Project Galileo was born. Nearly 600 organizations are currently being protected under Project Galileo. We've never removed an organization from protection in spite of occasional political pressure as well as frequent extremely large attacks.</p><p>Organizations can apply directly through Cloudflare for Project Galileo protection or can be referred by a partner. 
Today, we've grown the list of partners to 28, adding:</p><ul><li><p>Anti-Defamation League</p></li><li><p>Amnesty International</p></li><li><p>Business &amp; Human Rights Resource Centre</p></li><li><p>Council of Europe</p></li><li><p>Derechos Digitales</p></li><li><p>Fourth Estate</p></li><li><p>Frontline Defenders</p></li><li><p>Institute for War &amp; Peace Reporting (IWPR)</p></li><li><p>LION Publishers</p></li><li><p>National Democratic Institute (NDI)</p></li><li><p>Reporters Sans Frontières</p></li><li><p>Social Media Exchange (SMEX)</p></li><li><p>Sontusdatos.org</p></li><li><p>Tech Against Terrorism</p></li><li><p>World Wide Web Foundation</p></li><li><p>X-Lab</p></li></ul>
    <div>
      <h3>Cloudflare's Mission: Help Build a Better Internet</h3>
      <a href="#cloudflares-mission-help-build-a-better-internet">
        
      </a>
    </div>
    <p>Some companies start with a mission. Cloudflare was not one of those companies. When Michelle, Lee, and I started building Cloudflare it was because we thought we'd identified a significant business opportunity. Truth be told, I thought the idea of being "mission driven" was kind of hokum.</p><p>I clearly remember the day that changed for me. The director of one of the Project Galileo partners called me to say that he had three journalists who had received protection under Project Galileo that were visiting San Francisco and asked if it would be okay to bring them by our office. I said sure and carved out a bit of time to meet with them.</p><p>The three journalists turned out to all be covering alleged government corruption in their home countries. One was from Angola, one was from Ethiopia, and they wouldn't tell me the name or home country of the third because he was "currently being hunted by death squads." All three of them hugged me. One had tears in his eyes. And then they proceeded to tell me about how they couldn't do their work as journalists without Cloudflare's protection.</p><p>There are incredibly brave people doing important work and risking their lives around the world. Some of them use the Internet to reach their audience. Whether it’s African journalists covering alleged government corruption, LGBTQ communities in the Middle East providing support, or human rights workers in repressive regimes, unfortunately they all face the risk that the powerful forces that oppose them will use cyber attacks to silence them.</p><p>I'm proud of the work we've done through Project Galileo over the last five years lending the full weight of Cloudflare to protect these politically and artistically important organizations. It has defined our mission to help build a better Internet.</p><p>While we respect the confidentiality of the organizations that receive support under the Project, I'm thankful that a handful have allowed us to tell their stories. 
I encourage you to read about our newest recipients of the Project:</p><ul><li><p><a href="https://www.cloudflare.com/galileo/case-study/majal">Majal</a></p></li><li><p><a href="https://www.cloudflare.com/galileo/case-study/womens-march-global">Women's March Global</a></p></li><li><p><a href="https://www.cloudflare.com/galileo/case-study/vost-portugal">VOST Portugal</a></p></li><li><p><a href="https://www.cloudflare.com/galileo/case-study/bullyingcanada">BullyingCanada</a></p></li></ul><p>And, finally, if you know of an organization that needs Project Galileo's protection, please let them know we're here and happy to help.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3ehokcUt9bB10DL7e2KQ2G/55aa034c45d45bc0bdf96e2d3f984fd9/image2-1.png" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[Project Galileo]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <guid isPermaLink="false">f5G9XqHCXLYmTG7jituRL</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Out of the Clouds and into the weeds: Cloudflare’s approach to abuse in new products]]></title>
            <link>https://blog.cloudflare.com/out-of-the-clouds-and-into-the-weeds-cloudflares-approach-to-abuse-in-new-products/</link>
            <pubDate>Wed, 27 Feb 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ In a blogpost yesterday, we addressed the principles we rely upon when faced with numerous and various requests to address the content of websites that use our services.  ]]></description>
            <content:encoded><![CDATA[ <p>In a <a href="/unpacking-the-stack-and-addressing-complaints-about-content/">blogpost</a> yesterday, we addressed the principles we rely upon when faced with numerous and various requests to address the content of websites that use our services. We believe the building blocks that we provide for other people to share and access content online should be provided in a content-neutral way. We also believe that our users should understand the policies we have in place to address complaints and law enforcement requests, the type of requests we receive, and the way we respond to those requests. In this post, we do the dirty work of addressing how those principles are put into action, specifically with regard to Cloudflare’s expanding set of features and products.</p>
    <div>
      <h3>Abuse reports and new products</h3>
      <a href="#abuse-reports-and-new-products">
        
      </a>
    </div>
    <p>Currently, we receive abuse reports and law enforcement requests on fewer than one percent of the more than thirteen million domains that use Cloudflare’s network. Although the reports we receive run the gamut -- from phishing, malware or other technical abuses of our network to complaints about content -- the overwhelming majority are allegations of copyright violations or violations of other intellectual property rights. Most of the complaints that we receive do not identify concerns with particular Cloudflare services or products.</p><p>In the last year or so, we’ve also launched a variety of new products, including our video product (<a href="https://www.cloudflare.com/products/stream-delivery/">Cloudflare Stream</a>), a serverless edge computing platform (<a href="https://www.cloudflare.com/products/cloudflare-workers/">Cloudflare Workers</a>), a <a href="https://www.cloudflare.com/products/registrar/">self-serve registrar service</a>, and a privacy-focused recursive resolver (<a href="https://1.1.1.1/">1.1.1.1</a>), among others. Each of these services raises its own complex set of questions.  </p><p>There is no one-size-fits-all solution to address possible abuse of our products. Different types of services come with different expectations, as well as different legal and contractual obligations. Yet as we discussed in relation to our focus on transparency on <a href="/cloudflare-transparency-update-joining-cloudflares-flock-of-warrant-canaries-2/">Monday</a>, being fully transparent means being consistent and predictable so our users can anticipate how we will respond to new situations.</p>
    <div>
      <h3>Developing an approach to abuse</h3>
      <a href="#developing-an-approach-to-abuse">
        
      </a>
    </div>
    <p>To help us sort through how to address both complaints and law enforcement requests, when we introduce new products or features, we ask ourselves four basic sets of questions about the relationship between the service we’re providing and potential complaints about content:</p><ul><li><p>First, how are Cloudflare’s services interacting with the website content? For example, are we doing anything more than providing security and acting as a reliable conduit from one location to another?  Are we providing definitive storage of content? Did we provide the website its domain name through our registrar service? Is the Cloudflare service or product doing anything that could be seen as organizing, analyzing, or promoting content?</p></li><li><p>Second, what type of action might a law enforcement or private complainant want us to take and what are the consequences of it?  What sort of information might law enforcement request -- private information about the user, content of what was sent over the Internet, or logs that would track activity?  Will third parties request information about a website; would they request removal of content from the Internet? Would removing our services address the problem presented?</p></li><li><p>Third, what laws, regulations or contractual requirements apply? Does the nature of our interaction with the online content impact our legal obligations? Has the law enforcement request or regulation satisfied basic principles of the rule of law or due process?</p></li><li><p>Fourth, will our response to the matter presented scale to address the variety of different requests or complaints we may receive over time, covering a variety of different subject matters and viewpoints? Can we craft a principled and content-neutral process to respond to the request? 
Would our response have an overbroad impact, either by impacting more than the problematic content or changing the Internet in jurisdictions beyond the one that has issued the law or regulation at issue?</p></li></ul><p>Although those preliminary questions help us determine what actions we must take, we also do our best to think about the broader implications on the Internet of any steps we might take to address complaints.</p>
    <div>
      <h2>So how does this work in practice?</h2>
      <a href="#so-how-does-this-work-in-practice">
        
      </a>
    </div>
    
    <div>
      <h3>Response to abuse complaints for customers using our proxy and CDN services</h3>
      <a href="#response-to-abuse-complaints-for-customers-using-our-proxy-and-cdn-services">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7fYyp9YRicdb7b4tQSIBnS/6ae08708e364e32a5c907f04d1b2459c/image5.png" />
            
            </figure><p>People often come to Cloudflare with abuse complaints because our network sits in front of our customers’ sites in order to protect them from cyber attacks and to improve the performance of their website.</p><p>There aren’t a lot of laws or regulations that impose obligations to address content on those providing security or <a href="https://www.cloudflare.com/learning/cdn/what-is-a-cdn/">CDN services</a>, for good reason. Most people complaining about content are looking for someone who can take that content off the Internet entirely. As we’ve talked about on <a href="/thoughts-on-abuse/">other</a> <a href="/anonymity-and-abuse-reports/">occasions</a>, Cloudflare is unable to remove content that we don’t host, so we therefore try to make sure that the complaint gets to its intended audience -- the hosting provider who has the ability to remove the material from the Internet. As described on <a href="https://www.cloudflare.com/abuse/">our abuse page</a>,  complaining parties automatically receive information about how to contact the hosting provider, and unless the complaining party requests otherwise, abuse complaints are automatically forwarded to both the website owner and the hosting company to allow them to take action.</p><p>This approach has another benefit, consistent with the fourth set of questions we ask ourselves. It prevents addressing content with an unnecessarily blunt tool. Cloudflare is unable to remove its security and CDN services from only a sliver of problematic content on a website.  If we remove our services, it has to be from an entire domain or subdomain, which may cause considerable collateral damage. For example, think of the vast array of sites that allow individual independent users to upload content (“user generated content”). 
A website owner or host may be able to curate or deal with specific content, but if companies like Cloudflare had to respond to allegations of abuse by a single user’s upload of a single piece of concerning content by removing our core services from an entire site, and making it vulnerable to a cyberattack, those sites would be much more difficult to operate and the content contributed by all other users would be put at risk.</p><p>Similarly, there are a number of different infrastructure services that cooperate to make sure each connection on the Internet can happen successfully – DNS, <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">registrars</a>, registries, security, etc.  If each of the providers of those services, any one of which could put the entire transmission at risk, is applying blunt tools to address content, then the aperture of what content will stay online will get smaller and smaller. Those are bad results for the Internet. Actions to address troubling content online should focus narrowly on the actual concern to avoid unintended collateral consequences.</p><p>While we are unable to remove content we do not host, we are able to take steps to address abuse of our services, such as phishing and malware attacks. Phishing attacks typically fall into two buckets -- a website that has been compromised (unintentional phishing) or a website solely dedicated to intentionally misleading others to gather information (intentional phishing). These buckets are treated differently.</p><p>We discussed earlier that we aim to use the most precise tools possible when addressing abuse, and we take a similar approach for unintentional phishing content. If a website has been compromised (typically an outdated CMS) we can place a warning interstitial page in front of that specific phishing content to protect users from accidentally falling victim to the attack. 
In the majority of situations, this action is taken at a URL level of granularity.</p><p>In the case of intentional phishing attacks, such as a domain like my-totally-secure-login-page{.}com in combination with our Trust &amp; Safety team being able to confirm the presence of phishing content on the website, we take broader action including a domain-wide interstitial warning page (effectively *my-totally-secure-login-page{.}com/*), and in some cases we may terminate our services to the intentionally malicious domain. To be clear though, this does not remove the phishing content that remains hosted by the website’s hosting provider. Ultimately, action still needs to be taken by the website owner or hosting provider to fully remove the underlying issue.</p>
    <div>
      <h3>Response to complaints about content stored definitively on our network</h3>
      <a href="#response-to-complaints-about-content-stored-definitively-on-our-network">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Mz81IWy2rQJhZgHnVwXJ9/df8e0f2ec7ca2a0d1240131009164bbc/image4.png" />
            
            </figure><p>We think our approach requires a different set of responses for the small, but growing, number of Cloudflare products that include some sort of storage. Cloudflare Stream, for example, allows users to store, transcode, distribute and playback their videos. And Cloudflare Workers may allow users to store certain content at the edge of our network without a core host server. Although we are not a website hosting provider, these products mean we may be the only place where a certain piece of content is stored in some cases.  </p><p>When we are the definitive repository for content through any of our services, Cloudflare will carefully review any complaints about that content and may disable access to it in response to a valid legal takedown request from either government or private actors. Most often, these legal takedown requests are from individuals alleging copyright infringement.  Under the U.S. Digital Millennium Copyright Act, there is a specific process online storage providers follow to remove or disable access to content alleged to infringe copyright and provide an opportunity for those who post the material to contest that it is infringing. We have already begun implementing this process for content stored on our network.  That’s why we’ve begun a new section of our <a href="https://cloudflare.invisionapp.com/share/RUPOO3MPDKH#/screens">transparency report</a> on requests for content takedown pursuant to U.S. copyright law for content that is stored on our network.  </p><p>We haven’t received any government requests yet to take down content stored on our network. Given the significant potential impact on freedom of expression from a government ordering that content be removed, if we do receive those requests in the future, we will carefully analyze the factual basis and legal authority for the request.  
If we determine that the order is valid and requires Cloudflare action, we will do our best to address the request as narrowly as possible, for example, by clarifying overbroad requests or limiting blocking of access to the content to those areas where it violates local law, a practice known as “geo-blocking”. We will also update our transparency report on any government requests that we receive in the future and any actions we take.</p>
    <div>
      <h3>Response to complaints about our registrar service</h3>
      <a href="#response-to-complaints-about-our-registrar-service">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6FxcoT7686OkzBPJTPM7tN/ed90c776932edafbc6b95d59377d1703/registrar.png" />
            
            </figure><p>If you sign up for our self-serve registrar service, you’re legally bound by the terms of our contract with the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization responsible for coordinating unique Internet identifiers across the world, as well as our contract with the relevant domain name registry.  </p><p>Our registrar-focused <a href="https://www.cloudflare.com/products/registrar/abuse/">web page</a> for abuse reporting does not reference abuse complaints about a website’s content.  In our role as a domain registrar, Cloudflare has no control or ability to remove particular content from a domain. We would be limited to simply revoking or suspending the domain registration altogether which would remove the website owner’s control over the <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/">domain name</a>. Such actions would typically only be done at the direction of the relevant domain name registry, in accordance with their registration rules associated with the <a href="https://www.cloudflare.com/learning/dns/top-level-domain/">Top Level Domain</a>, or more usually to address incidents of abuse as raised by the registry or ICANN. We therefore treat content-related complaints submitted based on our registrar services the same way we treat complaints about content for sites using our CDN or proxy services.  We forward them to the website owner and the website hosting company to allow them to take action or we work in tandem with the relevant registry and at their direction.</p><p>Running a registrar service comes with other legal obligations. As an ICANN accredited registrar, part of our contractual obligations includes adhering to third party dispute resolution processes regarding trademark disputes, as handled by providers such as the World Intellectual Property Organization (WIPO) and the National Arbitration Forum. 
Also, we continue to be part of the ICANN community discussions on how best to handle the collection, publication and provision of access to personal data in the WHOIS database in a manner consistent with the EU’s General Data Protection Regulation (GDPR) and other privacy frameworks. We will provide more updates on that front when the discussions have ripened.</p>
    <div>
      <h3>Response to complaints about IPFS</h3>
      <a href="#response-to-complaints-about-ipfs">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5T3SHdqfJMZSvtb0C4LBbo/84cd4798a1cb309eeae75972d2a3ca8e/ipfs.png" />
            
            </figure><p>Back in September, we <a href="/distributed-web-gateway/">announced</a> that Cloudflare would be providing a gateway to the InterPlanetary File System (IPFS). Cloudflare’s IPFS gateway is a way to access content stored on the IPFS peer-to-peer network. Because Cloudflare is not acting as the definitive storage for the IPFS network, we do not have the ability to remove content from that network. We simply operate as a cache in front of IPFS, much as we do for our more traditional customers.</p><p>Because content is stored on potentially dozens of nodes in IPFS, if one node that was caching content goes down, the network will just look for the same content on another node. That fact makes IPFS exceptionally resilient. That same resilience, however, means that unlike with our traditional customers, with IPFS, there is no single host to inform of a complaint about content stored on the IPFS network.  Cloudflare often has no knowledge of who the owner is of content being accessed through the gateway, and this makes it impossible to notify the specific owner when we receive a complaint.</p><p>The law hasn’t yet quite caught up with distributed networks like IPFS, and there’s a notable debate among IPFS users about how best to deal with abuse. Some argue that having problematic content stored on IPFS will discourage adoption of the protocol, and advocate for the development of lists of problematic hashes that  IPFS gateways could choose to block. Others point out that any mechanism intended to block IPFS content will itself be subject to abuse. We don’t have the answer to that debate, but it does demonstrate to us the importance of being thoughtful about how we proceed.</p><p>For the time being, our plan is to respond to U.S. court orders that require us to clear our cache of content stored on IPFS. 
More importantly, however, we intend to report in future transparency reports on any law enforcement requests we receive to clear our IPFS cache, to ensure continued public discussion.</p>
    <div>
      <h3>Cloudflare Resolvers: 1.1.1.1 and Resolver for Firefox</h3>
      <a href="#cloudflare-resolvers-1-1-1-1-and-resolver-for-firefox">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/atuUDCyhmzyh4RqbtOd6U/76647f964b85043f8d1296e5dd038dfd/1111-1.gif" />
            
            </figure><p>In April of last year, we <a href="/announcing-1111/">launched</a> our first DNS resolver, 1.1.1.1.  In June, we partnered with Mozilla to provide direct DNS resolution from within the Firefox browser using the Cloudflare Resolver for Firefox. Our goal with both resolvers was to develop fast DNS services that were focused on user privacy.  </p><p>We often get questions about how we deal with both abuse complaints and law enforcement requests related to our resolvers.  Both of our resolvers are intended to provide only direct DNS resolution. In other words, Cloudflare does not block or filter content through either 1.1.1.1 or the Cloudflare Resolver for Firefox. If Cloudflare were to receive a request from a law enforcement or government agency to block access to domains or content through one of our resolvers, Cloudflare would fight that request. At this point, we have not yet received any government requests to block content through our resolvers. Cloudflare would also document any request to block content from our resolvers in our semi-annual transparency report, unless we were legally prohibited from doing so.</p><p>Similarly, Cloudflare has not received any government requests for data about the users of our resolvers, and would fight such a request if necessary. Given our public commitment not to retain any personally identifiable information for more than 24 hours, we believe it is unlikely that we would have any information even if asked. Nonetheless, if we were to receive a government request for data about a resolver user, we would document the request in our transparency report, unless legally prohibited from doing so.    </p>
    <div>
      <h3>The long road ahead</h3>
      <a href="#the-long-road-ahead">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/52nr5Co31KS2aVzil4x90h/c2d650f2d18ca8c78d0a13a9148a9603/road.png" />
            
            </figure><p>Although new products offered by Cloudflare in the future, as well as the legal and regulatory landscape, may change over the years, we expect that our approach to thinking about new products will stand the test of time. We’re guided by some central principles -- allowing our infrastructure to be as neutral as possible, following the rule of law or requiring due process, being open about what we’re doing, and making sure that we’re consistent regardless of the wide variety of issues we face. And we will work hard to make sure that doesn’t change, because even the smallest tweaks to the way we do things can have a significant impact at the scale we operate.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Abuse]]></category>
            <category><![CDATA[Due Process]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">3TokDJcXCygYPTjnifbwUM</guid>
            <dc:creator>Justin Paine</dc:creator>
        </item>
        <item>
            <title><![CDATA[Unpacking the Stack and Addressing Complaints about Content]]></title>
            <link>https://blog.cloudflare.com/unpacking-the-stack-and-addressing-complaints-about-content/</link>
            <pubDate>Tue, 26 Feb 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ Although we are focused on protecting and optimizing the operation of the Internet, Cloudflare is sometimes the target of complaints or criticism about the content of a very small percentage of the more than thirteen million websites that use our service. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Although we are focused on protecting and optimizing the operation of the Internet, Cloudflare is sometimes the target of complaints or criticism about the content of a very small percentage of the more than thirteen million websites that use our service. Our termination of services to the Daily Stormer website a year and a half ago drew significant attention to our approach to these issues and prompted a lot of thinking on our part.  </p><p>At the time, Matthew <a href="/why-we-terminated-daily-stormer/">wrote</a> that calls for service providers to reject some online content should start with a consideration of how the Internet works and how the services at issue up and down the stack interact with that content. He tasked Cloudflare’s policy team with engaging broadly to try and find an answer. With some time having passed, we want to take stock of what we’ve learned and where we stand in addressing problematic content online.  </p>
    <div>
      <h3>The aftermath of the Daily Stormer decision</h3>
      <a href="#the-aftermath-of-the-daily-stormer-decision">
        
      </a>
    </div>
    <p>The weeks immediately following the decision in August 2017 were filled with conversations. Matthew made sure the Cloudflare team accepted every single invitation to talk about these issues; we didn’t simply put out a press release or “no comment” anyone. Our senior leadership team spoke with the media and with our employees -- some of whom had received threats related both to Cloudflare’s provision of services to the Daily Stormer and to the termination of those services. On the policy side, we spoke with a broad range of ideologically-diverse advocacy groups who reached out to alternatively congratulate us or chastise us for the decision.</p><p>As the time stretched into months, the conversations changed. We spoke with organizations who have made it their mission to fight hate and intolerance, with human rights organizations that depend on access to the Internet, with tech companies doing their best to moderate content, with academics who think about and research all aspects of content online, and with interested government and non-governmental organizations on two continents. In the end, we spoke with hundreds of different experts, groups, and entities about how different companies and different types of services address troubling content at different places in the Internet stack.  </p><p>Our overwhelming sense from these conversations is that the Internet, and the industry that has grown up around it, is at a crossroads. Policy makers and the public are rightly upset about misuse of the Internet.  We heard repeatedly that the world is moving away from the Internet as a neutral platform for people to express themselves and access information. Many governments and many of the constituents they represent appear to want the Internet cleaned up and stripped of troubling content through any technical means necessary, even if it means that innovation will be stifled and legitimate voices will be silenced. 
And companies large and small seem to be going along with it.</p>
    <div>
      <h3>Moving forward</h3>
      <a href="#moving-forward">
        
      </a>
    </div>
    <p>We’ve thought long and hard about what’s next both for us and the Internet in general. Although we share concerns about the exploitation of online tools, we are convinced that there are ways forward that do not shortchange the security, availability, and promise of the Internet.</p><p>We think the right solution will take us out of the clouds and into the weeds.  We have to figure out what core functions need to be protected to have the Internet we want, and we will have to get away from the idea that there’s a one-size-fits-all solution that will address the problems we see. If we really want to address risks online while maintaining the Internet as a forum for communication, commerce, and free expression, different kinds of services are going to have to deal with abuse differently.</p><p>The more we talked to people, the more that we saw a fundamental split on the Internet between the services that substantively touch content and the infrastructure services that do not.  It’s possible that, as a company that provides largely infrastructure services ourselves, we were looking for this distinction. But we believe the distinction is real and helps explain why different businesses make distinctly different choices. As we discuss in our blog posts on transparency this week, the approach to questions about abuse complaints will mean different things for different Cloudflare products. Although we are not at the point yet where Cloudflare’s products organize, analyze, or promote content, we are aware that this conclusion may have implications for us in the future.</p>
    <div>
      <h3>Content curators</h3>
      <a href="#content-curators">
        
      </a>
    </div>
    <p>The Internet has revolutionized the way we communicate and access information. Because of the way the Internet works, everyone online has the opportunity to create and consume the equivalent of their own newspaper or television network. Almost any content you could want is available, if you can find it. That idea is at the heart of the divide between services that curate content -- like social media platforms and search engines -- and basic Internet infrastructure services.  </p><p>Content curators make content-based decisions for a business purpose. For a search engine, that might mean algorithmically reviewing content to best match what is sought by the user. For a social media site, it might be a review of content to help predict what content the user will want to see next or what advertising might be most appealing.</p><p>For these types of online products, users understand and generally expect that the services will vary based on content. Different search engines yield different results; different social media platforms will promote different content for you to review. These services are the Internet’s equivalents of the very small circle of newspaper editors or television network executives of old, making decisions about what you see online based on what they think you’ll want to see.</p><p>The value in these content curator services depends on how well they analyze, use, and make judgments about content.  From a business perspective, that means that these services want the flexibility to include or exclude particular content from their platforms. For example, it makes perfect sense for a platform that advertises itself as building community to have rules that prevent the community from being disrupted with hate-filled messages and disturbing content.</p><p>We should expect content curator services to moderate content and should give them the flexibility to do so. 
If these services are transparent about what they allow and don’t allow, and how they make decisions about what to exclude, they can be held accountable the same way people hold other businesses to account. If people don’t like the judgments being made, they can take their business to a platform or service that’s a better fit.</p>
    <div>
      <h4>Basic Internet infrastructure services</h4>
      <a href="#basic-internet-infrastructure-services">
        
      </a>
    </div>
    <p>Basic Internet services, on the other hand, facilitate the business of other providers and website owners by providing infrastructure that enables access to the Internet.  These types of services -- which Matthew described in detail in the Daily Stormer <a href="/why-we-terminated-daily-stormer/">blog post</a> -- include telecommunications services, hosting services, domain name services such as registry and <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">registrar services</a>, and services to help optimize and secure Internet transmissions. The core expertise of these services is not content analysis, but providing the infrastructure needed for someone else to develop and analyze that content.</p><p>Because people expect these infrastructure services to be used to provide technical access to the Internet, the notion that these numerous services might be used to monitor what you’re doing online or make decisions about what content you should be entitled to access feels like a misuse, or even an invasion of privacy.</p><p>Internet infrastructure is a lot like other kinds of physical infrastructure.  At some basic level, we believe that everyone should be allowed to have housing, electricity or telephone, no matter what they plan to do with those services. Or that individuals should be able to send packages through FedEx or walk down the street wearing a backpack with a reasonable expectation they won’t be subject to unfounded search or monitoring. Much as we believe that the companies that provide these services should provide services to all, not just those with whom they agree, we continue to believe that basic internet infrastructure services, which provide the building blocks for other people to create and access content online, should be provided in a content-neutral way.</p>
    <div>
      <h3>Complicated companies</h3>
      <a href="#complicated-companies">
        
      </a>
    </div>
    <p>Developing different expectations for content curation services and infrastructure services is tougher than it seems. Behemoths best known for content curation services often provide infrastructure services as well. Alphabet, for example, provides content-neutral infrastructure services to millions of customers through Google Cloud and Google Domains, while also running one of the world’s largest content curated sites in YouTube. And even if companies try to distinguish their infrastructure from content curation services, their customers may not.</p><p>In a world where content needs to be on a large network to stay online, there are only a handful of companies that can satisfy. Reducing that handful to those — like Cloudflare — that fall solely into the infrastructure bucket makes the number almost impossibly small. That is why we want to do a better job talking about differences in expectations not by company, but by service.</p><p>And maybe we should also recognize that having only a small number of companies with robust enough networks to keep content online--most of which do content curation--is part of the problem. If you believe that the only way to be online is to be on a platform that curates content, you’re going to be rightly skeptical of that company’s right to take down content that they don’t want on their site. That doesn’t mean that a business that depends on analyzing content has to stop doing it, but it does make it that much more important that we have neutral infrastructure. It might be impossible for an alternate platform to be built, and for certain voices to have a presence online, without it.</p><p>The good news is that we’re not alone in our view of the fundamental difference between content curators and Internet infrastructure services. 
From the <a href="https://www.cloudflare.com/cloudflare-criticism/">criticism</a> we received for the Daily Stormer decision, to the <a href="https://www.techdirt.com/articles/20180819/00455840462/forget-about-social-media-content-moderation-get-ready-internet-infrastructure-content-moderation.shtml">commentary</a> of Mike Masnick at Techdirt, to the academic <a href="https://poseidon01.ssrn.com/delivery.php?ID=542020096000010096112083068071071102026044031032057003066126104028004098107027115066031056003008104040034096120064104017001089027091046046045108074101107103092011090089081106023090018070113114080075019004126030099064009084090096086093025085031070005&amp;EXT=pdf">analysis</a> of Yale Law Professor Jack Balkin, to the <a href="https://cyberstability.org/research/call-to-protect/">call</a> of the Global Commission on the Security of Cyberspace (GCSC) to protect the “public core” of the Internet, there’s an increasing awareness that not protecting neutral Internet infrastructure could undermine the Internet as we know it.</p>
    <div>
      <h3>Thoughts on due process</h3>
      <a href="#thoughts-on-due-process">
        
      </a>
    </div>
    <p>In his blog post on the Daily Stormer decision, Matthew talked about the importance of due process, the idea that you should be able to know the rules a system will follow if you participate in that system. But what we’ve learned in our follow-up conversations is that due process has a different meaning for content curators.</p><p>There has been a clamor for companies like Facebook and Google to explain how they make decisions about what to show their users, what they take down, and how someone can challenge those decisions. Facebook has even developed an “Oversight Board for Content Decisions” -- dubbed as Facebook’s supreme court -- that is empowered to oversee the decisions the company makes based on its terms of service. Given that this process is based on terms of service, which the company can change at will to accommodate business decisions, this mostly seems like a way to build confidence in the company’s decision-making process. Instituting an internal review process may make users feel that the decisions are less arbitrary, which may help the company keep people in their community.</p><p>That idea of entirely privatized due process may make sense for content curators, who make content decisions by necessity, but we don’t believe it makes sense for those that provide infrastructure services. When access to basic Internet services is on the line, due process has to mean rules set and adjudicated by external decision-makers.</p>
    <div>
      <h3>Abuse on Internet infrastructure</h3>
      <a href="#abuse-on-internet-infrastructure">
        
      </a>
    </div>
    <p>Although we don’t believe it is appropriate for Cloudflare to decide what voices get to stay online by terminating basic Internet services because we think content is a problem, that’s far from the end of the story. Even for Internet infrastructure, there are other ways that problematic content online can be, and is, addressed.</p><p>Laws around the world provide mechanisms for addressing particular types of content online that governments decide are problematic. We can save for another day whether any particular law provides adequate due process and balances rights appropriately, but at a minimum, those who make these laws typically have a political legitimacy that infrastructure companies do not.</p><p>Tomorrow, we’ll talk about how we are operationalizing our view that it’s important to get into the weeds by considering how different laws apply to us on a service-by-service and function-by-function basis.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Due Process]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">ZLdefAUX2U3eaijY9OeZe</guid>
            <dc:creator>Alissa Starzak</dc:creator>
        </item>
        <item>
            <title><![CDATA[Sad start to the new year in the Democratic Republic of the Congo]]></title>
            <link>https://blog.cloudflare.com/sad-start-to-the-new-year-in-the-congo/</link>
            <pubDate>Wed, 02 Jan 2019 22:11:56 GMT</pubDate>
            <description><![CDATA[ The calendar has barely flipped to 2019 and already we’re seeing Internet disruptions. Today, Cloudflare can quantitatively confirm that Internet access has been shut down in the Democratic Republic of the Congo, information already reported by many press organisations. ]]></description>
            <content:encoded><![CDATA[ <p>The calendar has barely flipped to 2019 and already we’re seeing Internet disruptions.</p><p>Today, Cloudflare can quantitatively confirm that Internet access has been shut down in the Democratic Republic of the Congo, information already reported by <a href="https://www.cnn.com/2019/01/02/africa/congo-internet-shutdown-china-intl/index.html">many</a> <a href="https://www.bbc.co.uk/news/world-africa-46721168">press</a> <a href="https://www.france24.com/en/20190101-western-powers-urge-dr-congo-restore-internet-access">organisations</a>. This shutdown occurred as the presidential election was taking place on December the 30th, and continues as the results are published.</p><p>Sadly, this act is far from unprecedented. We have published many posts about events like this in the past, including a different post about roughly three days of <a href="/large-drop-in-traffic-from-the-democratic-republic-of-congo/">Internet disruption</a> in the Democratic Republic of the Congo less than a year ago. A painfully familiar shape can be seen on our network monitoring platform, showing that the traffic in the country is barely reaching a quarter of its typical level:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3ROF5FinXvyDAEQ0CCTrUc/5d608c6314bbc0cab32ec43cce860ff4/Typical-Level.png" />
            
            </figure><p>Note that the graph is based on UTC and Democratic Republic of the Congo’s capital Kinshasa has the timezone of GMT+1.</p><p>The drop in bandwidth started just before midday on 31 December 2018 (around 10:30 UTC, 11:30 local time in Kinshasa). This can be clearly seen if we overlay each 24 hour day over each other:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5V9UIffoCO9JV0X4SEIXjR/365d59c11333a0c2c41bbf4a428bf6a3/Day-over-Day-Comparison-1.png" />
            
            </figure><p>The red line is 31 December, the gray lines the previous eight days. Looking at today’s overlay bandwidth graph, we can confirm this has continued and is an abnormal behaviour.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1vAgqhbZ75w6isa2OnOaHE/8c2da6b8d0158f51110eb473416ed654/Day-over-Day-Comparison-2.png" />
            
            </figure><p>Other actors on the Internet have also been <a href="https://twitter.com/InternetIntel/status/1080465195024158720">reporting similar figures</a>. We hope that we can soon inform our readers the country is normally connected to the Internet again.</p><p>While 85 million people live in the country, very few people have internet access (6.21% according to Wikipedia’s List of countries by number of Internet users <a href="https://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users">page</a>). The country is also very large (2,344,858 square kms or 905,355 sq miles) and is the 11th largest country in the world - around a quarter the landmass of the USA and nearly twice as big as South Africa. These facts play together, and because of limited fiber deployment within the country, there are many places that still use very limited and expensive satellite Internet access. We can see in our bandwidth graphs that traffic to these satellite connected locations was not affected by this shutdown:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1f6bAOHtQemHykbRToyiSR/2a15a12baa54ed1f34c152406662c690/Bandwidth-Levels.png" />
            
            </figure><p>Note that the bandwidth levels are very low and represent a very small percentage of the overall traffic into the Democratic Republic of the Congo.</p><p>Comparing that graph to the one from the largest mobile provider in the country, we clearly see the distinct cutoff.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6eOOOybv6MBPfdeavWoEni/ca929b7122c2427e24eec87cbd75b70c/Distinct-Cutoff.png" />
            
            </figure>
    <div>
      <h3>Repeated across the world</h3>
      <a href="#repeated-across-the-world">
        
      </a>
    </div>
    <p>15 months ago we wrote about an outage in <a href="/the-story-of-two-outages/">Togo</a>, where we noted that this adds Togo to the list of countries like <a href="/syrian-internet-access-appears-partially-rees/">Syria</a> (twice), Iraq, Turkey, Libya, Tunisia, etc. that have restricted or revoked Internet access. We have also written about unrest in <a href="/unrest-in-gabon-leads-to-internet-shutdown/">Gabon</a> (in 2016) and <a href="/will-autocrats-ever-learn-the-internet-blackout-in-gambia/">The Gambia</a> (also in 2016). In Gambia’s case, the incumbent president lost the election! In fact we wrote “<i>Rather than clamping down on the opposition by blocking the access to the Internet, it is quite possible that the blackout in Gambia may have infuriated voters and increased the vote against the president.</i>”. Let’s see what happens in the Democratic Republic of the Congo.</p><p>We'll update this blog once we see changes to these traffic levels. The Congolese government <a href="https://www.reuters.com/article/us-congo-election/congo-cuts-internet-for-second-day-to-avert-chaos-before-poll-results-idUSKCN1OV1GL">says</a> they will restore internet access after election results are published on January 6th. That’s four days from now.</p>
    <div>
      <h3>Cloudflare’s Project Galileo and Athenian Project</h3>
      <a href="#cloudflares-project-galileo-and-athenian-project">
        
      </a>
    </div>
    <p>At Cloudflare, we’ll continue to do our part to try to ensure that vulnerable voices have access to the Internet. Cloudflare’s <a href="https://www.cloudflare.com/galileo/">Project Galileo</a> and <a href="https://www.cloudflare.com/athenian/">Athenian Project</a> help protect at-risk websites -- such as those run by human rights organizations, journalists, and government entities reporting election results -- from being knocked offline by cyber attack.</p><p>We also support the principles for a <a href="https://contractfortheweb.org/">Contract for the Web</a>, which urge governments to commit to keeping all of the Internet available, all of the time, and Access Now’s <a href="https://www.accessnow.org/keepiton/">#KeepitOn campaign</a>. We can only hope that these efforts will yield more positive results in 2019.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Africa]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">55qoSYSRwORGCKUobTgWdm</guid>
            <dc:creator>Etienne Labaume</dc:creator>
            <dc:creator>Martin J Levy</dc:creator>
        </item>
        <item>
            <title><![CDATA[Large drop in traffic from the Democratic Republic of Congo]]></title>
            <link>https://blog.cloudflare.com/large-drop-in-traffic-from-the-democratic-republic-of-congo/</link>
            <pubDate>Mon, 22 Jan 2018 11:16:02 GMT</pubDate>
            <description><![CDATA[ It is not uncommon for countries around the world to interrupt Internet access for political reasons or because of social unrest. We've seen this many times in the past (e.g. Gabon, Syria, Togo).

Today, it appears that Internet access in the Democratic Republic of Congo has been greatly curtailed.  ]]></description>
            <content:encoded><![CDATA[ <p>It is not uncommon for countries around the world to interrupt Internet access for political reasons or because of social unrest. We've seen this many times in the past (e.g. <a href="/unrest-in-gabon-leads-to-internet-shutdown/">Gabon</a>, <a href="/syrian-internet-access-appears-partially-rees/">Syria</a>, <a href="/the-story-of-two-outages/">Togo</a>).</p><p>Today, it appears that Internet access in the Democratic Republic of Congo has been greatly curtailed. The BBC reports that <a href="http://www.bbc.co.uk/news/world-africa-42766151">Internet access in the capital, Kinshasa was cut on Saturday</a> and iAfrikan reports that <a href="https://www.iafrikan.com/2018/01/22/internet-accesss-blocked-in-the-democratic-republic-of-congo-drc/">the cut is because of anti-Kabila protests</a>.</p><p>Our monitoring of traffic from the Democratic Republic of Congo shows a distinct drop off starting around midnight UTC on January 21, 2018. Traffic is down to about 1/3 of its usual level.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6APHNVsa56VG5p7x6ZqCVF/7413a8c40b4e0503ca23d84eb11c6d60/Screen-Shot-2018-01-22-at-10.33.58-1.png" />
            
            </figure><p>We'll update this blog once we have more information about traffic levels.</p><p><b>Update January 24, 2018</b></p><p>Internet access in the Democratic Republic of Congo looks to have been restored with traffic returning to typical levels after roughly three days of disruption.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/IfKVKl5FPALvxjudHh9g4/9cf2eff7f2f7c89ebeb1ee3f840dccee/Screen-Shot-2018-01-24-at-12.48.20-PM.png" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Africa]]></category>
            <guid isPermaLink="false">5FmA5NUNLFXltJwqIB1LZC</guid>
            <dc:creator>John Graham-Cumming</dc:creator>
        </item>
        <item>
            <title><![CDATA[Private Companies, Public Squares]]></title>
            <link>https://blog.cloudflare.com/private-companies-public-squares/</link>
            <pubDate>Thu, 14 Sep 2017 23:18:10 GMT</pubDate>
            <description><![CDATA[ Daphne Keller, Director, Stanford Center for Internet & Society, and Lee Rowland, Senior Staff Attorney, ACLU Speech, Privacy & Technology Project

Moderator: Matthew Prince, Co-Founder & CEO, Cloudflare ]]></description>
            <content:encoded><![CDATA[ <p><a href="https://twitter.com/daphnehk">Daphne Keller</a>, Director, Stanford Center for Internet &amp; Society, and <a href="https://twitter.com/berkitron">Lee Rowland</a>, Senior Staff Attorney, ACLU Speech, Privacy &amp; Technology Project</p><p>Moderator: <a href="https://twitter.com/eastdakota">Matthew Prince</a>, Co-Founder &amp; CEO, Cloudflare</p><p>MP: Technology and law seem like they are colliding more and more. Tech companies are being asked to regulate content. For a largely non-lawyer audience, give us some foundations about basic rules when you have content on your network?</p><p>LR: Communications 2.0 makes the 1st amendment almost quaint. The vast majority of speech that we exchange happens online. When it is hosted by private companies, the 1st amendment doesn’t constrain it. So this is a space governed by norms and individual choices of people like Matthew. In the wake of Cloudflare's decision to take down the Daily Stormer, Matthew penned a piece saying it’s scary that we have this power, and I exercised it. We have a completely unaccountable private medium of communication.</p><p>MP: There are shields for companies for this; what is intermediary liability and why is this a position at Google/Stanford?</p><p>DK: No one knows what it means; it’s a set of laws that tell platforms when they have to take down user speech because that speech is illegal. In the US, platforms don't have to take anything down; but outside of the US, the rule is that when platforms discover something they have to take it down or face liability themselves. The problem is that anytime someone alleges that something is illegal, it can be taken down. So the rules about when platforms should do this are very consequential for practical free speech rights of users on the internet.</p><p>LR: We can’t undervalue how much these rules have created today’s online ecosystem: Yelp would not exist without intermediary liability. 
Any content provider platform exists because of these laws passed in late 90s.</p><p>MP: In both the US and the EU, laws are coming under threat; we tend to focus on US, but Germany’s top priority in the last G7 meeting was limiting intermediary liability.</p><p>LR: There’s an opportunity here for companies with ties to US to make sure that we don’t allow countries with less protected speech regimes to ratchet to the lowest common denominator. Multinational pressures risk going to that lowest common denominator. I think companies like Cloudflare have a duty to uphold the values that reflect our first amendment landscape. Do we want a world where Nazis cannot have a website? It’s not a comfortable thing to talk about; but I want the ability to see and find speech that reflects human beliefs, because that’s how we know it is out there. Enforcing that kind of purity only hides beliefs it does not change them. Companies that are part of web infrastructure have fundamental responsibility to provide neutral platform. We are providing a neutral platform and it's other people’s job to see that speech and counter it.</p><p>DK: There’s also an ugly dynamic between governments and major platforms; private companies are taking over government functions, which is weird because they are not subject to government constraints. This creates an opportunity where private companies can do things that government can't but maybe want to do e.g. collecting user data.</p><p>In Europe, the commission reached agreement with 4 big platforms on the EU hate speech code of conduct: The agreement was that they would voluntarily take down hate speech as described in the agreement, which is not the same as hate speech as defined in the law. They are voluntarily agreeing with the government to take down hateful speech. Many Americans find this odd.</p><p>MP: Is this a fight that we can win? 
Views on free expression ideals have changed since 4 years ago; “don’t be evil” doesn’t translate well in German; What argument persuades rest of world that we should be neutral platform?</p><p>LR: These borders have real impacts on speech; but for American consumers and companies giving internet access to American Internet users, we do have the ability to help people understand not to race to moral panics. No one is out there picketing AT&amp;T because Richard Spencer has a cell phone account with them.</p><p>MP: We have had a tradition of newspapers having editorial perspective, conservative or liberal. Is Facebook like the modern newspaper? Or are they like the printing press? What is the analogy that makes sense?</p><p>DK: In Europe, people are inclined to say that Facebook needs to admit that it is a media company. The difference between Facebook and a media company is that the media company hand-selected everything that it published, whereas Facebook is an open platform.</p><p>MP: But if you put up a link to Daily Stormer on Facebook with support for the site, it was taken down; if you were critical of the organization, however, it was kept up. That sounds like a media company.</p><p>DK: They take down a lot. That’s not the same as saying they could be legally accountable for everything that is transmitted on their platform.</p><p>LR: I do think that people on a gut level hold newspapers accountable for their world view. Facebook already exists as a content review company; they’re a platform but they've always had algorithms and curation. Each of these is a choice that affects what you hear/see.</p><p>MP: “it’s the algorithm it’s neutral”</p><p>LR: That has always struck me as horseshit...</p><p>MP: Does it surprise you there’s not a Fox News search engine?</p><p>LR: This has been constant conversation in the net neutrality debate. 
Internet service providers have said: we don’t discriminate: but we want the right to not take you to a certain website.</p><p>Can you have a bespoke ISP? The Disney ISP that makes for damn sure you don’t see porn? Maybe, no one has done it. People’s willingness to replicate their own bubble. There seems to be enough of a demand of that.</p><p>DK: The fact that there isn’t a Fox News search engine is actually important.</p><p>People who are saying, Facebook should not be able to take over my political speech are also noting that there is no place else to go: friends, etc. are all on Facebook. It matters when there’s somewhere else to go. If there’s only one place to go, it’s easier to imagine there being government regulations on them.</p><p>MP: The question is: is there any scale at which you think maybe it’s not the right time… Is there a time when that’s the way to think of your status? Steve Bannon is proposing that giant companies should be regulated as utilities. Is there a time when that’s the right way that this should be thought of? If you are Facebook and you are the only place to reach this audience, does that mean that you have another set of obligations?</p><p>DK: I don't think that works. This may apply to your business, but for the service that Facebook offers, the service creates a community that people want to come to because it is not full of hate speech and bullying. And without that kind of curation, they would no longer have the value proposition for their users.</p><p>MP: That suggests that there are different rules depending on where you are in the stack. What should a <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">registrar</a> do vs. DNS vs. browser provider? What is the framework you’d use to determine where internet is or is not neutral vs. curated?</p><p>LR: I want to admit that as a 1st amendment advocate, there are interests on the other side. 
I may think it is a dangerous precedent, but you have the right to decide who to keep and kick off.</p><p>For us, as ACLU, we focus on two things: Government subsidies and the kind of centrality and importance of that service.</p><p>Are you a neutral … or common carrier? Are you actively curating content?</p><p>Generally there isn’t a model where you are distinguishing based on content; this isn’t the most profitable path to success.</p><p>MP: ACLU has been force for free speech in US; who is fighting for free and open web outside of this country?</p><p>DK: There are organizations around the world that work on this. Some of the best efforts are in Brazil, Argentina, India; much smaller in EU. We're paying attention to these differences.</p><p>It's important for smaller companies, for journalistic interests to show up and let them know.</p><p>MP: What are the arguments you’ve found that are persuasive in these conversations about regulation? What works?</p><p>DK: I think people get it when you say you are sacrificing sovereignty by standing back and asking an American company to decide this for you. In some cases, the economic argument is also persuasive. Outside US, American lawyers yelling about 1st amendment do not get much respect. But there are other important points you can make.</p><p>LR: Domestically, if we’re talking about convincing legislators to think about roles, there’s the Communications Decency Act. At the time in the late 90s when it was passed it was overwhelmingly bipartisan because conservatives and republicans knew Silicon Valley is liberal.</p><p>In the last 15 years, there has been moral panic about human trafficking online. Some of the unholy alliances come when women’s advocates on left and libertarians on right agree with each other. It’s the first time Congress has amended SESTA since late 90s.</p><p>The only thing that’s ever effective besides a lawsuit is reminding people that they might be the goose or the gander next time. 
You might not always be on the right side.</p><p>Facebook agreed to the hate speech rules. So many human rights activists voices have been silenced according to that agreement. The Intercept article on human rights activists that have been silenced under over censoring.</p><p>MP: What are 1 or 2 things that you are worried about, that people aren’t thinking enough about right now?</p><p>DK: There is tremendous pressure to build technical filters to find and suppress content and widespread belief that this tech can be built to identify terrorist speech. Companies are under pressure and end up agreeing; the result is that videos documenting atrocities in Syria are being taken down. So the push for mechanized content removal is very dangerous.</p><p>LR: I totally agree, and I also highlight the importance of due process. If someone censors our speech we can say, hey wait a minute. But you don't have that option with FB. Hand in hand, algorithmic ratcheting combined with lack of due process is a problem.</p><p><b>Q&amp;A:</b></p><p>Q: Besides basic issue about media making judgments about censorship, there are two additional dangers: 1) what makes companies like Cloudflare more or less susceptible to pressure from governments; 2) the danger of companies colluding on these things.</p><p>DK: On vulnerability, what makes you vulnerable to pressure from a government: people on ground that can be arrested; assets that can be seized; wanting to have a market in that company, or already having a market that you are afraid to lose. In terms of collusion, I worry about monoculture that systematically discriminates against speech of particular people.</p><p>Companies that don't want to be regulated decide to self-regulate.</p><p>Q: One of the challenges with open internet is its openness; what about dark web that is encrypted? 
Is that potentially an answer, where regulating free speech becomes difficult because we don’t know where it comes from.</p><p>LR: I think it addresses free speech values problem; but for average internet user, probably will create less attractive ecosystem. If you want anonymity that’s great, but is it an actual useful web? If you want useful web that is free, effective, and accessible, answer is probably no.</p><p>All our sessions will be streamed live! If you can't make it to Summit, here's the link: <a href="http://www.cloudflare.com/summit17">cloudflare.com/summit17</a></p> ]]></content:encoded>
            <category><![CDATA[Internet Summit]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">5gqc9thpvk8wS1RdtlG9P1</guid>
            <dc:creator>Internet Summit Team</dc:creator>
        </item>
        <item>
            <title><![CDATA[Why We Terminated Daily Stormer]]></title>
            <link>https://blog.cloudflare.com/why-we-terminated-daily-stormer/</link>
            <pubDate>Wed, 16 Aug 2017 22:29:04 GMT</pubDate>
            <description><![CDATA[ Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again. ]]></description>
            <content:encoded><![CDATA[ <p>Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again.</p><p>Our terms of service reserve the right for us to terminate users of our network at our sole discretion. The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.</p><p>Our team has been thorough and has had thoughtful discussions for years about what the right policy was on censoring. Like a lot of people, we’ve felt angry at these hateful people for a long time but we have followed the law and remained content neutral as a network. We could not remain neutral after these claims of secret support by Cloudflare.</p><p>Now, having made that decision, let me explain why it's so dangerous.</p>
    <div>
      <h3>Where Do You Regulate Content on the Internet?</h3>
      <a href="#where-do-you-regulate-content-on-the-internet">
        
      </a>
    </div>
    <p>There are a number of different organizations that work in concert to bring you the Internet. They include:</p><ul><li><p>Content creators, who author the actual content online.</p></li><li><p>Platforms (e.g., Facebook, Wordpress, etc.), where the content is published.</p></li><li><p>Hosts (e.g., Amazon Web Services, Dreamhost, etc.), that provide infrastructure on which the platforms live.</p></li><li><p>Transit Providers (e.g., Level(3), NTT, etc.), that connect the hosts to the rest of the Internet.</p></li><li><p>Reverse Proxies/CDNs (e.g., Akamai, Cloudflare, etc.), that provide networks to ensure content loads fast and is protected from attack.</p></li><li><p>Authoritative DNS Providers (e.g., Dyn, Cloudflare, etc.), that resolve the domains of sites.</p></li><li><p><a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">Registrars</a> (e.g., GoDaddy, Tucows, etc.), that register the domains of sites.</p></li><li><p>Registries (e.g., Verisign, Afilias, etc.), that run the top level domains like .com, .org, etc.</p></li><li><p>Internet Service Providers (ISPs) (e.g., Comcast, AT&amp;T, etc.), that connect content consumers to the Internet.</p></li><li><p>Recursive DNS Providers (e.g., OpenDNS, Google, etc.), that resolve content consumers' DNS queries.</p></li><li><p>Browsers (e.g., Firefox, Chrome, etc.), that parse and organize Internet content into a consumable form.</p></li></ul><p>There are other players in the ecosystem, including:</p><ul><li><p>Search engines (e.g., Google, Bing, etc.), that help you discover content.</p></li><li><p>ICANN, the organization that sets the rules for the Registrars and Registries.</p></li><li><p>RIRs (e.g., ARIN, RIPE, APNIC, etc.), which provide the IP addresses used by Internet infrastructure.</p></li></ul><p>Any of the above could regulate content online. The question is: which of them should?</p>
    <div>
      <h3>Vigilante Justice</h3>
      <a href="#vigilante-justice">
        
      </a>
    </div>
    <p>The rules and responsibilities for each of the organizations above in regulating content are and should be different. We've argued that it doesn't make sense to regulate content at the proxy, where Cloudflare provides service, since if we terminate a user the content won't go away; it will just be slower and more vulnerable to attack.</p><p>That's true, and made sense for a long time, but increasingly may not be relevant. The size and scale of the attacks that can now easily be launched online make it such that if you don't have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline. In fact, in the case of the Daily Stormer, the initial requests we received to terminate their service came from hackers who literally said: "Get out of the way so we can DDoS this site off the Internet."</p><p>You, like me, may believe that the Daily Stormer's site is vile. You may believe it should be restricted. You may think the authors of the site should be prosecuted. Reasonable people can and do believe all those things. But having the mechanism of content control be vigilante hackers launching DDoS attacks subverts any rational concept of justice.</p>
    <div>
      <h3>Increasing Dependence On A Few Giant Networks</h3>
      <a href="#increasing-dependence-on-a-few-giant-networks">
        
      </a>
    </div>
    <p>In a not-so-distant future, if we're not there already, it may be that if you're going to put content on the Internet you'll need to use a company with a giant network like Cloudflare, Google, Microsoft, Facebook, Amazon, or Alibaba.</p><p>For context, Cloudflare currently handles around 10% of Internet requests.</p><p>Without a clear framework as a guide for content regulation, a small number of companies will largely determine what can and cannot be online.</p>
    <div>
      <h3>Freedom of Speech &lt; Due Process</h3>
      <a href="#freedom-of-speech-due-process">
        
      </a>
    </div>
    <p>The issue of who can and cannot be online has often been associated with Freedom of Speech. We think the more important principle is Due Process. I, personally, believe in strong Freedom of Speech protections, but I also acknowledge that it is a very American idea that is not shared globally. On the other hand, the concept of Due Process is close to universal. At its most basic, Due Process means that you should be able to know the rules a system will follow if you participate in that system.</p><p>Due Process requires that decisions be public and not arbitrary. It's why we've always said that our policy is to follow the guidance of the law in the jurisdictions in which we operate. Law enforcement, legislators, and courts have the political legitimacy and predictability to make decisions on what content should be restricted. Companies should not.</p>
    <div>
      <h3>What We Would Not Do</h3>
      <a href="#what-we-would-not-do">
        
      </a>
    </div>
    <p>Beginning in 2013, Cloudflare began publishing our semi-annual Transparency Report. At the time we chose to include four statements of things that we had never done. They included:</p><ul><li><p>Cloudflare has never turned over our SSL keys or our customers' SSL keys to anyone.</p></li><li><p>Cloudflare has never installed any law enforcement software or equipment anywhere on our network.</p></li><li><p>Cloudflare has never terminated a customer or taken down content due to political pressure.</p></li><li><p>Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.</p></li></ul><p>We included them as "warrant canaries" because we thought they could help us push back against the request that governments may try to force us to make. That’s worked and all four of the warrant canaries have survived in every transparency report since 2013.</p><p>We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like.</p>
    <div>
      <h3>Establishing a Framework</h3>
      <a href="#establishing-a-framework">
        
      </a>
    </div>
    <p>Someone on our team asked after I announced we were going to terminate the Daily Stormer: "Is this the day the Internet dies?" He was half joking, but only half. He's no fan of the Daily Stormer or sites like it. But he does realize the risks of a company like Cloudflare getting into content policing.</p><p>There's a saying in legal circles that hard cases make bad law. We need to be careful of that here. What I do hope is it will allow us all to discuss what the framework for all of the organizations listed above should be when it comes to content restrictions. I don't know the right answer, but I do know that as we work it out it's critical we be clear, transparent, consistent and respectful of Due Process.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[DDoS]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">1FtqvXdo0wFrVsy3kqmwKv</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Net Neutrality Day: Cloudflare + Fight for the Future]]></title>
            <link>https://blog.cloudflare.com/netneutrality-cloudflare-fftf/</link>
            <pubDate>Tue, 25 Jul 2017 18:31:57 GMT</pubDate>
            <description><![CDATA[ For Net Neutrality Day on July 12, Fight for the Future launched a Cloudflare App installable for websites all over the world. Sites with it installed saw as many as 178M page views prompting the users to write to their local congressional representative on the importance of Net Neutrality. ]]></description>
            <content:encoded><![CDATA[ <p>For Net Neutrality Day on July 12, <a href="/net-neutrality-day-of-action/">Fight for the Future (FFTF) launched a Cloudflare App</a> installable for websites all over the world. Sites with it installed saw as many as 178 million page views prompting the users to write to their local congressional representative on the importance of Net Neutrality. All told, the FCC received over 2 million comments and Congress received millions of emails and phone calls.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5eCbZ8TuOfN6XWizCaAoxX/f1b3cba01683c9dba575dab7cbf43d99/Selection_545.png" />
            
            </figure><p><b>Screenshot of App Page for FFTF’s Battle for the Net app</b>. <a href="https://github.com/CloudflareApps/battleforthenet-widget">Source code for this app</a>.</p><p>When our co-founders launched Cloudflare in 2011, it was with a firm belief that the Internet is a place where all voices should be heard. The ability for either an ISP or government to censor the Internet based on their opinions or a profit motive rather than law could pose a huge threat to free speech on the Internet.</p><p>Cloudflare is a staunch supporter of Net Neutrality and the work done by Fight for the Future, which shows how effective Internet civic campaigns can be.</p><p>To get a heads up on Fight for the Future campaigns in the future, <a href="https://www.fightforthefuture.org/">sign up for their mailing list</a>.</p>
            <figure>
            <a href="https://www.fightforthefuture.org/">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5iJadN4gwNtrp1LFEopF0J/62cd9c7035c5ccee7d7dec269bc34958/Image-2017-07-24-at-1.31.07-PM-1.png" />
            </a>
            </figure><p><a href="https://github.com/CloudflareApps/battleforthenet-widget">See source code for FFTF’s Battle for the Net Cloudflare App on Github.</a></p><p>To make your own app, see <a href="https://www.cloudflare.com/apps/developer/docs/getting-started">Cloudflare Apps docs</a>.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare Apps]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Net Neutrality]]></category>
            <category><![CDATA[Developers]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">4l3hNEoabMkveERIyjTcg6</guid>
            <dc:creator>Jameson Sundell</dc:creator>
        </item>
        <item>
            <title><![CDATA[When the Internet (Officially) Became the Public Square]]></title>
            <link>https://blog.cloudflare.com/internet-became-public-square/</link>
            <pubDate>Wed, 21 Jun 2017 13:00:00 GMT</pubDate>
            <description><![CDATA[ Sometimes, well-intended efforts to prevent unacceptable behavior run into the reality of what it means to have an open and free society. ]]></description>
            <content:encoded><![CDATA[ <p>Sometimes, well-intended efforts to prevent unacceptable behavior run into the reality of what it means to have an open and free society. That is what happened at the Supreme Court on Monday.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7vBNDooKtQ6aogChr1V87h/3d7b230a548aa9fa65b9554de5e3fc39/Publicsquare1905.jpg" />
            
            </figure><p><a href="https://commons.wikimedia.org/wiki/File:Publicsquare1905.jpg#file">Souvenir Postcard</a> by <a href="https://commons.wikimedia.org/wiki/File:Publicsquare1905.jpg#filelinks">unknown</a></p><p>The Supreme Court issued an opinion confirming something we at Cloudflare have long believed -- that the First Amendment protects access to the Internet. Using sweeping language, Justice Kennedy compared internet access to access to a street or park, "essential venues for public gatherings to celebrate some views, to protest others, or simply to learn and inquire,” and concluded that "to foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights."</p><p>We share this view of the internet as a forum to discuss and debate ideas, and believe that the Court’s opinion is an important reaffirmation of the free speech principles we support.</p>
    <div>
      <h2>The Packingham Case</h2>
      <a href="#the-packingham-case">
        
      </a>
    </div>
    <p>Like many other First Amendment cases, the law at the heart of the <a href="https://www.supremecourt.gov/opinions/16pdf/15-1194_08l1.pdf">Packingham v. North Carolina</a> case presents complex questions about how to protect the community in ways consistent with the right to free speech.</p><p>In 2008, North Carolina <a href="http://www.ncleg.net/gascripts/statutes/statutelookup.pl?statute=14-202.5">passed a law</a> making it a serious criminal offense for a registered sex offender to access certain social media sites that included children as members. Lester Packingham Jr., the defendant in the case, had registered as a sex offender after pleading guilty in 2002 to having sex with a 13 year old when he was a 21 year old college student.</p><p>Packingham was charged with a violation of the North Carolina law after he posted a statement on Facebook expressing his relief about the dismissal of a state court traffic ticket. After his conviction, Packingham appealed, arguing that the law was unconstitutional.</p><p>The Supreme Court struck down the law as a violation of the First Amendment, which, among other things, prohibits government action (“shall make no law”) that inhibits free expression or assembly. Although all eight justices to rule on the issue (the newest Justice, Neil Gorsuch, didn’t participate in this decision) agreed that the North Carolina law was unconstitutional, the Justices disagreed on the scope of <a href="https://www.law.cornell.edu/constitution/first_amendment">First Amendment</a> protections.</p><p>Writing on behalf of five members of the Court, Justice Kennedy emphasized the importance of protecting access to the internet, noting the substantial benefits it provides:</p><p><i>“Social media allows users to gain access to information and communicate with one another about it on any subject that might come to mind. . . . 
By prohibiting sex offenders from using those websites, North Carolina with one broad stroke bars access to what for many are the principal sources for knowing current events, checking ads for employment, speaking and listening in the modern public square, and otherwise exploring the vast realms of human thought and knowledge. These websites can provide perhaps the most powerful mechanisms available to a private citizen to make his or her voice heard. They allow a person with an Internet connection to ‘become a town crier with a voice that resonates farther than it could from any soapbox.’”</i></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2K6qNysyRwHzkejP679TSs/5ae2681caa4fbd0a929fd55181f89652/Screen-Shot-2017-06-20-at-9.30.53-PM.png" />
            
            </figure><p><a href="https://creativecommons.org/licenses/by-sa/2.0/">CC BY-SA 2.0</a> <a href="https://flic.kr/p/AFiB6">image</a> by <a href="https://www.flickr.com/photos/shoobydooby/">shoobydooby</a></p><p>The Court’s broad view of the importance of the internet also prompted the Justices to recommend exercising caution before allowing restrictions on internet speech. As described by Justice Kennedy,</p><p><i>“While we now may be coming to the realization that the Cyber Age is a revolution of historic proportions, we cannot appreciate yet its full dimensions and vast potential to alter how we think, express ourselves, and define who we want to be. The forces and directions of the Internet are so new, so protean, and so far reaching that courts must be conscious that what they say today might be obsolete tomorrow.”</i></p><p>The broad scope of the Court’s ruling suggests that the Supreme Court will look carefully at any restrictions that hinder access to the internet.</p>
    <div>
      <h2>Justice Alito’s Concerns About the Opinion’s Implications</h2>
      <a href="#justice-alitos-concerns-about-the-opinions-implications">
        
      </a>
    </div>
    <p>In a separate decision setting forth the opinion of the remaining three justices, Justice Alito took issue with the broad sweep and implications of the majority opinion. Because the law would have precluded access to a significant number of websites like Amazon or the Washington Post without furthering the state’s interest in protecting children, Justice Alito agreed that the law violated the First Amendment.</p><p>Justice Alito observed, however, that “if the internet or even just ‘social media’ sites are the 21st century equivalent of public streets and parks, then States may have little ability to restrict the sites that may be visited by even the most dangerous sex offenders.” And indeed, this case -- particularly when read in conjunction with other First Amendment cases -- suggests that the Court would have serious concerns about future government restrictions on speech, access, and communication on the Internet.</p><p>We recognize, of course, that, regardless of the internet’s value as a critical locale for discussion and debate, there are bad things online. But, as the Court held yesterday, significant restrictions on access to the internet are simply not an appropriate -- or constitutional -- solution. This historic decision confirms U.S. commitment to the freedom of expression online.</p><p>Let’s hope that the Court’s broad recognition of the central importance of the internet, along with its concerns about the harmful impact of access restrictions, becomes a central theme in ongoing discussions about regulation and control of the Internet.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">60PW0xLjqUrEDKkVJjbYeo</guid>
            <dc:creator>Alissa Starzak</dc:creator>
        </item>
        <item>
            <title><![CDATA[Anonymity and Abuse Reports]]></title>
            <link>https://blog.cloudflare.com/anonymity-and-abuse-reports/</link>
            <pubDate>Sun, 07 May 2017 19:35:34 GMT</pubDate>
            <description><![CDATA[ Last Thursday, ProPublica published an article critiquing our handling of some abuse reports that we receive. Feedback from the article caused us to reevaluate how we handle abuse reports. As a result, we've decided to update our abuse reporting system. ]]></description>
            <content:encoded><![CDATA[ <p>Last Thursday, ProPublica published <a href="https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web">an article</a> critiquing our handling of some abuse reports that we receive. Feedback from the article caused us to reevaluate how we handle abuse reports. As a result, we've decided to update our abuse reporting system to allow individuals reporting threats and child sexual abuse material to do so anonymously. We are rolling this change out and expect it to be available by the end of the week.</p><p>I appreciate the feedback we received. How we handle abuse reports has evolved over the last six and a half years of Cloudflare's history. I wanted to take this opportunity to walk through some of the rationale that got us to this point and caused us to have a blindspot to the case that was highlighted in the article.</p>
    <div>
      <h3>What Is Cloudflare?</h3>
      <a href="#what-is-cloudflare">
        
      </a>
    </div>
    <p>Cloudflare is not a hosting provider. We do not store the definitive copy of any of the content that someone may want to file an abuse claim about. If we terminate a customer it doesn’t make the content go away. Instead, we are more akin to a specialized network. One of the functions of the network that we provide is to add security to the content providers that use us. Part of doing that inherently involves hiding the location of the actual hosting provider. If we didn't do this, a malicious attacker could simply bypass Cloudflare by attacking the host directly.</p><p>That created an early question on what we should do when someone reported abusive content that was passing through our network. The first principle was we believed it was important for us to not stand in the way of valid abuse reports being submitted. The litmus test that we came up with was that the existence of Cloudflare ideally shouldn't make it any harder, or any easier, to report and address abuse.</p>
    <div>
      <h3>Mistakes of Early Abuse Reporting</h3>
      <a href="#mistakes-of-early-abuse-reporting">
        
      </a>
    </div>
    <p>The majority (83% over the last week) of the abuse reports that we get involve allegedly copyrighted material transiting our network. Our early abuse policy specified that if we received an abuse report alleging copyrighted material we'd turn over the IP address of the hosting provider so the person filing the abuse report could report the abuse directly.</p><p>It didn't take long for malicious attackers to realize this provided an effective way to bypass our protections. They would submit a fake report alleging some image on a legitimate site had been illegally copied, we'd turn over the IP address of our customer, and they'd attack it directly. Clearly that wasn't a workable model.</p><p>As a result, we revised our policy to instead act as a proxy for abuse reports that were submitted to us. If a report was submitted then we'd proxy the report through and forward it to the site owner as well as the site's host. We provided the contact information so the parties could address the issue between themselves.</p><p>While we have a Trust &amp; Safety team that is staffed around the clock, for the most part abuse handling is automated. Various firms that specialize in finding and taking down copyrighted material generate such a flood, often submitting hundreds of reports for the same allegedly copyrighted item, that manual review of every report would be infeasible.</p>
    <div>
      <h3>Violent Threats and Child Sexual Abuse</h3>
      <a href="#violent-threats-and-child-sexual-abuse">
        
      </a>
    </div>
    <p>We've always treated reports of violent threats and child sexual abuse material with additional care. Understandably, from the perspective of the individuals in the ProPublica article, it seems callous and absurd that we would ever forward these reports to the site owner. However, we had a different perspective.</p><p>The vast majority of times that violent threats or child sexual abuse material were reported to us occurred on sites that were not dedicated to those topics. Imagine a social network like Facebook was a Cloudflare customer. Somewhere on the site something was posted that included a violent threat. That post was then reported to Cloudflare as the network that sits in front of the Facebook-like site.</p><p>In our early days, it seemed reasonable and responsible to pass the complaint on to the Facebook-like customer who could then follow up directly. That also met the litmus test of being what would happen if Cloudflare didn't exist. What the policy didn't account for was site owners who could not be trusted to act responsibly with abuse reports including contact information.</p>
    <div>
      <h3>Anonymous Reporting</h3>
      <a href="#anonymous-reporting">
        
      </a>
    </div>
    <p>Beginning in 2014, we saw limited, but very concerning, reports of retaliation based on submitted abuse reports. As a result, we adjusted our process to make it so complaints about violent threats and child sexual abuse material would be sent only to the host, not to the site owner.</p><p>We’ve confirmed that in the cases reported to the site mentioned in the ProPublica article we followed this procedure. That change largely addressed the problem of people reporting abuse getting harassed. What we didn’t anticipate is that some hosts would themselves pass the full complaint, including the reporter’s contact information, on to the site owner. We assume this is what happened in the ProPublica cases.</p><p>Another change we made in 2015 was to clarify exactly what would happen when someone submitted a report by adding disclaimers to our <a href="https://www.cloudflare.com/abuse">abuse form</a>. These disclaimers appear in multiple places throughout the abuse submission flow:</p><p><i>“Cloudflare will forward all abuse reports that appear to be legitimate to the responsible hosting provider and to the website owner.”</i></p><p><i>"By submitting this report, you consent to the above information potentially being released by Cloudflare to third parties such as the website owner, the responsible hosting provider, law enforcement, and/or entities like Chilling Effects."</i></p><p>In a world without Cloudflare, if you wanted to anonymously report something, you would use a disposable email and a fake name and submit a report to the site's hosting provider or the site itself. We didn't do anything to check that the contact information used in reports was valid so we assumed, with the disclaimer in place, if people wanted to submit reports anonymously they'd do the same thing as they would have if Cloudflare didn't exist.</p><p>That was a bad assumption. 
As the ProPublica article made clear, many people did not read or understand the disclaimer and were surprised that we forwarded their full abuse report to the host who then, in some cases, could forward it to the site owner.</p>
    <div>
      <h3>Determining Bad Actors</h3>
      <a href="#determining-bad-actors">
        
      </a>
    </div>
    <p>In reevaluating our policy a key question was when it is appropriate to pass along the full report and when it is not. Again, from the perspective of the author of the ProPublica article, that may seem like an easy distinction. The reality is that requiring an individual working on our Trust &amp; Safety team to understand the nature of every site that is on Cloudflare is untenable. Moreover, adding more human intervention that slows down the process of reporting abuse, especially in cases of violent threats and child sexual abuse material, where time may be of the essence, strikes us as a step backward.</p><p>Instead, we took the suggestions of many of the comments we received and are implementing a policy where reporters of these types of abuse can choose to submit them and not have their contact information included in what we forward. The person making the abuse report seems in the best position to judge whether or not they want their information to be relayed. Making this change requires some engineering work on our part, but we have prioritized it. By the end of this week, someone submitting an abuse report for one of these categories will have the choice of whether to do so anonymously.</p>
    <div>
      <h3>Ongoing Improvements</h3>
      <a href="#ongoing-improvements">
        
      </a>
    </div>
    <p>We are under no illusion that this latest iteration of our abuse process is perfect. In fact, we already have concerns about challenges the new system will create. Anonymous reporting opens a new vector for malicious actors to submit false reports and harass Cloudflare customers. In addition, for responsible Cloudflare customers who want to act on reports, anonymous reports may make it more difficult for them to gather more information from the reporter which may make it more difficult for well-informed action to be taken to address the issue.</p><p>We appreciate the feedback on where our previous process broke down. As new problems arise, we anticipate that we'll continue to need to make changes to how we handle abuse reports.</p>
    <div>
      <h3>Final Thoughts on Censoring the Internet</h3>
      <a href="#final-thoughts-on-censoring-the-internet">
        
      </a>
    </div>
    <p>While we clearly had a significant blindspot in how we handled one type of abuse reports, we remain committed to our belief that it is not Cloudflare's role to make determinations on what content should and should not be online. That belief comes from a number of principles.</p><p>Cloudflare is more akin to a network than a hosting provider. I'd be deeply troubled if my ISP started restricting what types of content I can access. As a network, we don't think it's appropriate for Cloudflare to be making those restrictions either.</p><p>That is not to say we support all the content that passes through Cloudflare's network. We, both as an organization and as individuals, have political beliefs and views of what is right and wrong. There are institutions — law enforcement, legislatures, and courts — that have a social and political legitimacy to determine what content is legal and illegal. We follow the lead of those organizations in all the jurisdictions we operate. But, as more and more of the Internet sits behind fewer and fewer private companies, we're concerned that the political beliefs and biases of those organizations will determine what can and cannot be online.</p><p>If you're interested, I gave <a href="https://www.youtube.com/watch?v=SWFX-zEYwN0">a talk a few years ago</a> about how we think about our role in policing online content. It's about an hour long, but if you're interested in the topic, I encourage you to watch it in order to better understand our perspective.</p><p>From time to time an organization will sign up for Cloudflare that we find revolting because they stand for something that is the opposite of what we think is right. Usually, those organizations don't pay us. Every once in a while one of them does. When that happens it's one of the greatest pleasures of my job to quietly write the check for 100% of what they pay us to an organization that opposes them. 
The best way to fight hateful speech is with more speech.</p><p>I appreciate the feedback on how we can improve our abuse process. We are implementing the changes that were recommended. They take engineering, so they aren't available immediately, but will be live by the end of this week. We continue to iterate and improve on our mission of helping build a better Internet.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Support]]></category>
            <category><![CDATA[Abuse]]></category>
            <guid isPermaLink="false">mkz4Fq2t9fSCDbDvk2L11</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Ensuring the web is for everyone]]></title>
            <link>https://blog.cloudflare.com/ensuring-that-the-web-is-for-everyone/</link>
            <pubDate>Mon, 17 Aug 2015 15:15:14 GMT</pubDate>
            <description><![CDATA[ This is the text of an internal email I sent at CloudFlare that we thought worth sharing more widely. I annotated it a bit with links that weren't in the original. ]]></description>
            <content:encoded><![CDATA[ <p>This is the text of an internal email I sent at CloudFlare that we thought worth sharing more widely. I annotated it a bit with links that weren't in the original.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1jqoU8kztAYJlWTt1dNkN8/f7a89b991e4a4403edb1a8714a2621b7/640px-Tim_Berners-Lee-_Mosaic_by_Sue_Edkins_at_Sheen_Lane_Centre.jpg" />
            
            </figure><p>"<a href="https://commons.wikimedia.org/wiki/File:Tim_Berners-Lee-_Mosaic_by_Sue_Edkins_at_Sheen_Lane_Centre.jpg#/media/File:Tim_Berners-Lee-_Mosaic_by_Sue_Edkins_at_Sheen_Lane_Centre.jpg">Tim Berners-Lee- Mosaic by Sue Edkins at Sheen Lane Centre</a>" by <a href="//commons.wikimedia.org/wiki/User:Headhitter">Robert Smith</a> - Own work. Licensed under <a href="http://creativecommons.org/licenses/by-sa/4.0">CC BY-SA 4.0</a> via <a href="https://commons.wikimedia.org/wiki/">Commons</a></p><hr /><blockquote><p>Subject: Days of future past</p><p>Folks,</p><p>One of the exciting things about working at CloudFlare is our continual push to stay on top of what's new for our customers. We've pushed things like <a href="https://www.cloudflare.com/ipv6">IPv6</a> and <a href="/staying-up-to-date-with-the-latest-protocols-spdy-3-1/">SPDY</a> in the past; and we'll soon be giving the world <a href="/help-us-test-our-dnssec-implementation/">DNSSEC</a> and HTTP/2. In the world of SSL we've stayed on top of changes in recommended cipher suites and offer the latest signature algorithms <a href="/introducing-universal-ssl/">SHA-2</a> to our customers.</p><p>But as we do this we must not forget the old protocols. Because we serve a truly global audience we serve everyone on the planet. It's easy inside a Silicon Valley bubble to think that everyone is on a 1Gbps Internet connection with the latest version of Chrome on a new Mac, but the worldwide reality is far different.</p><p>We see every type of machine and browser out there. And by machine I mean computers old and new, smartphones, dumb phones, command-line clients, every type of proxy server. And we see them on satellite connections from ships at sea, 3G connections in developing countries, fiber connections to the home and more.</p><p>As we keep pushing for the future we also have to look to the past and make sure we support everyone. 
Supporting everyone means that all CloudFlare sites are accessible to everyone who uses the web and when someone asks "Can you handle X?" we can simply answer "Yes" without any caveats. And X can be something created 15 years ago or 15 months ago.</p><p>So, when making technical decisions we need to ask ourselves "Who are we excluding if we do this?" and really push ourselves to come up with a solution if we are excluding some portion of the Internet's users and create solutions that don't compromise speed and security.</p><p>At the 2012 Olympics in London the creator of the web, Tim Berners-Lee, appeared in the opening ceremony and tweeted "<a href="https://twitter.com/timberners_lee/status/228960085672599552">This is for everyone</a>". Let's make sure we keep the web available, secure and fast for everyone.</p><p>John.</p></blockquote> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">5z7sXqTCD2p1tCEaEkGj0i</guid>
            <dc:creator>John Graham-Cumming</dc:creator>
        </item>
        <item>
            <title><![CDATA[Naming Project Galileo]]></title>
            <link>https://blog.cloudflare.com/naming-project-galileo/</link>
            <pubDate>Thu, 12 Jun 2014 13:30:00 GMT</pubDate>
            <description><![CDATA[ Earlier today, CloudFlare announced Project Galileo to protect free speech on the Web by using its sophisticated anti-DDoS resources.  ]]></description>
            <content:encoded><![CDATA[ 
    <div>
      <h3>What’s in a Name?</h3>
      <a href="#whats-in-a-name">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5vH1gdybA93LdLg3OPBQ9n/a204673587d40b8e70c0e8fdf0687308/Galileo-w320.jpg" />
            
            </figure><p>Earlier today, CloudFlare announced <a href="https://projectgalileo.org">Project Galileo</a> to protect free speech on the Web by using its sophisticated anti-DDoS resources. Seventeen (at last count) free speech, public interest, and civil society organizations are helping us identify at-risk, in-need websites for the Project. If one of these websites comes under attack, CloudFlare will make sure that the website stays online.</p><p>You can read more about the story in the press in: <a href="http://arstechnica.com/tech-policy/2014/06/political-and-artistic-sites-get-free-bat-phone-dispatched-ddos-protection/">ArsTechnica</a>; <a href="http://recode.net/2014/06/12/internet-security-firm-offers-free-protection-to-political-artistic-sites-that-get-attacked/">Re/Code</a>; <a href="http://www.slate.com/blogs/future_tense/2014/06/12/cloudflare_project_galileo_a_new_resource_to_protect_journalists_others.html">Slate</a>; <a href="http://techcrunch.com/2014/06/12/cloudflare-teams-up-with-15-ngos-to-protect-citizen-journalists-and-activists-from-ddos-attacks/?ncid=rss">TechCrunch</a>; and <a href="http://www.theverge.com/2014/6/12/5802594/project-galileo-launches-to-protect-against-ddos-attacks">The Verge</a>.</p><p>Since we’ve launched, we keep getting asked why we called it “Project Galileo.”</p>
    <div>
      <h3>Subversive Moons</h3>
      <a href="#subversive-moons">
        
      </a>
    </div>
    <p>In 1610, Galileo Galilei fashioned a homemade telescope and pointed it towards the heavens. He saw sights never witnessed before by human eyes: moons orbiting Jupiter, rings around Saturn, sunspots, craters on the moon, and phases of Venus.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1tg9nWvIJBBF3zmZCGNoyC/b3acda0ce64f5a2bbf1b8e1a85ff9f56/Galileo_manuscript-w320.png" />
            
            </figure><p>These observations gave evidence for a dangerous truth—we are not the center of the universe, and the Earth revolves around the sun. Galileo published his discoveries in a book modestly entitled <a href="http://en.wikipedia.org/wiki/Dialogue_Concerning_the_Two_Chief_World_Systems"><i>Dialogue Concerning the Two Chief World Systems</i></a>. As reward for his discoveries, Galileo was labeled a heretic and his book was banned until 1718. The Earth was to revolve around the sun 107 more times before Galileo’s discoveries would reach a wider audience.</p><p>Like Galileo, websites espousing politically sensitive—even heretical—speech are often victims of suppression. Like Galileo, most of these sites don’t have the resources to protect their discoveries from being suppressed.</p>
    <div>
      <h3>“And yet it moves...”</h3>
      <a href="#and-yet-it-moves">
        
      </a>
    </div>
    <p>How would history be different if Galileo’s book had been able to stay “online”? Would we have reached the moon in July 1861, not 1969?</p><p>If you would like to help Project Galileo as a public interest organization, identifying those websites most in need, please visit: <a href="http://www.projectgalileo.org">www.projectgalileo.org</a>. If you would like to be a participating website, we suggest you contact one of our partner organizations so they can recommend you.</p> ]]></content:encoded>
            <category><![CDATA[Project Galileo]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Reliability]]></category>
            <guid isPermaLink="false">6cUmxIavBQLAxe1C2j32Zr</guid>
            <dc:creator>Kenneth R. Carter</dc:creator>
        </item>
        <item>
            <title><![CDATA[Protecting Free Expression Online]]></title>
            <link>https://blog.cloudflare.com/protecting-free-expression-online/</link>
            <pubDate>Thu, 12 Jun 2014 01:00:00 GMT</pubDate>
            <description><![CDATA[ Over the last few years, we’ve witnessed a troubling trend: an increasing number of politically or artistically important sites targeted by very large denial of service attacks.  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Over the last few years, we’ve witnessed a troubling trend: an increasing number of politically or artistically important sites targeted by very large denial of service attacks. Often these attacks appear politically motivated — going after, for instance, citizen journalists reporting on government corruption. The promise of the Internet is that it is a great leveler — that anyone with an idea can reach a global audience. These attacks threaten that promise.</p><p>CloudFlare’s mission is to build a better Internet. Fundamental to that is ensuring that bullies cannot use attacks to censor content simply because they disagree with it. We knew we needed to do something to stop this troubling trend. To that end, today we’re announcing <a href="http://www.projectgalileo.org/">Project Galileo</a>.</p><p>Project Galileo’s goal is to protect free expression online. Sites can participate in Project Galileo if they meet the following criteria:</p><ul><li><p>They are engaged in news gathering, civil society, or political/artistic speech;</p></li><li><p>They are subject to online attacks related to their news gathering, civil society, or political/artistic speech;</p></li><li><p>They are not-for-profit organizations or small commercial entities; and</p></li><li><p>They act in the public interest, broadly defined.</p></li></ul><p>For sites that meet these criteria, CloudFlare will extend its full, enterprise-class DDoS attack protection at no cost.</p>
    <div>
      <h3>Working with Civil Society to Remain Neutral</h3>
      <a href="#working-with-civil-society-to-remain-neutral">
        
      </a>
    </div>
    <p>As we invite sites into Project Galileo, it is important that we remain content neutral. We believe that CloudFlare should never decide, based on their content, what sites deserve protection. We’re very good at technology, but deciding what content is politically or artistically important is above our pay grade. As such, we’ve partnered with a number of civil society organizations to identify at-risk sites that qualify for Project Galileo. Our launch referring partners include:</p><ul><li><p><a href="https://www.accessnow.org/">Access</a></p></li><li><p><a href="https://www.aclu.org/">American Civil Liberties Union</a> (ACLU)</p></li><li><p><a href="https://cdt.org/">Center for Democracy and Technology</a> (CDT)</p></li><li><p><a href="http://www.cpalanka.org/">Centre for Policy Alternatives</a></p></li><li><p><a href="https://www.cpj.org/">Committee to Protect Journalists</a> (CPJ)</p></li><li><p><a href="https://www.eff.org/">Electronic Frontier Foundation</a> (EFF)</p></li><li><p><a href="http://engine.is/">Engine Advocacy</a></p></li><li><p><a href="http://www.freepress.net/">Free Press</a></p></li><li><p><a href="https://pressfreedomfoundation.org/">Freedom of the Press Foundation</a></p></li><li><p><a href="http://www.mdif.org/">Media Investment Development Fund</a></p></li><li><p><a href="http://meedan.org/">Meedan</a></p></li><li><p><a href="http://www.mozilla.org/en-US/">Mozilla</a></p></li><li><p><a href="https://www.opentechfund.org/">Open Tech Fund</a></p></li><li><p><a href="http://oti.newamerica.net/">Open Technology Institute</a></p></li></ul><p>These organizations now have access to a sort of “bat phone.” If they are aware of a current CloudFlare customer that qualifies for Project Galileo, or a qualified site that is under attack and needs CloudFlare’s services, they have access to a hotline to enable our full DDoS attack protection.</p><p>If you have a site you believe qualifies for Project Galileo, you can contact one of our partner 
organizations to request to be included. If you don’t already have a relationship with one of our partner organizations, <a href="https://support.cloudflare.com/hc/en-us">contact us</a> and we’ll steer you in the right direction. Over time, we will continue to expand Project Galileo’s list of partner organizations. It’s important to us that the organizations that can refer sites span the political and artistic spectrum. If you’re an organization that would like to be listed as a partner, you can contact us using the form on the <a href="http://www.projectgalileo.org/">Project Galileo website</a>.</p>
    <div>
      <h3>Ensuring Freedom of Expression</h3>
      <a href="#ensuring-freedom-of-expression">
        
      </a>
    </div>
    <p>For the last several weeks we’ve been quietly enrolling sites in Project Galileo. While, for obvious reasons, we will never publish a list of the sites we’re shielding, we’re proud of some of the voices of free expression we’ve helped protect. They include organizations advocating for LGBT rights in the Middle East, tracking political corruption in Sri Lanka, monitoring deforestation in Malaysia, exposing bribery across Africa, and reporting on the civil war in Syria. CloudFlare is helping ensure these voices will never be silenced.</p><p>When Michelle, Lee and I started CloudFlare we said that our goal was to bring the resources that were previously available only to the Internet’s giants to everyone online. I’m proud that today we took another step toward that goal.</p><p>Learn more: <a href="http://www.projectgalileo.org/">www.projectgalileo.org</a></p> ]]></content:encoded>
            <category><![CDATA[Project Galileo]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">6zBK0NldusVrGiihHdNBbD</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare and Free Speech]]></title>
            <link>https://blog.cloudflare.com/cloudflare-and-free-speech/</link>
            <pubDate>Fri, 09 Aug 2013 12:00:00 GMT</pubDate>
            <description><![CDATA[ This question assumes the answer. A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain. ]]></description>
            <content:encoded><![CDATA[ 
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3x3fg4INBVPrekg3E1KWBt/e63624f9919a565065484515eb810d2f/Speakers-Corner-Hyde-Park-1.png" />
          </figure><p>At Cloudflare we believe in a free and open web. However, we regularly get questions about controversial content that flows through our network. Yesterday we received the questions below from the <a href="http://www.theguardian.com/media/2013/mar/05/kernel-close-debts-unpaid-sentinel-media">about-to-be relaunched European technology blog, The Kernel</a>.</p><p>The questions involve one of Cloudflare's users. We have been consistent in our policy, but thought answering these questions in public presented a good opportunity to show how we think about these issues.</p><p>We do not confirm any Cloudflare user to the media without the user's permission, so I've edited the questions to remove reference to the site and group in question. That, however, should not keep you from understanding the context or our responses. Here's a way to think about it: whatever your political persuasion, there is undoubtedly some alternate political viewpoint you believe to be dangerous. Assume, for the sake of this argument, that whatever site would exemplify the opposite of your beliefs is the site this blogger is asking about.</p><hr /><blockquote><p><i><code>To: Cloudflare Media Relations
From: James Cook
Cc: Milo Yiannopoulos
Date: Thu, Aug 8, 2013 at 9:34 AM (PDT)
Subject: Press enquiry - Cloudflare providing services to [controversial group]</code></i></p><p><i>I'm writing from The Kernel, a magazine that covers technology, media and politics.</i></p><p><i>We are preparing a report on [controversial groups] online, which will be published on Monday, 12 August.</i></p><p><i>Our enquiries have shown that your company, Cloudflare, is responsible for providing services to [some controversial website] and we have a few questions for you.

1) Are you aware that this website has been confirmed as dangerous by the U.S. Government?</i></p></blockquote><p>I am not sure what this means. I am not aware of any website that the U.S. Government has "confirmed as dangerous." While the U.S. government does prohibit certain dealings with identified terrorist organizations and certain authoritarian regimes, it is not in the business of labeling websites as dangerous. One of the greatest strengths of the United States is a belief that speech, particularly political speech, is sacred. A website, of course, is nothing but speech. Given that the blogger asking these questions is from the UK, a bit of a misunderstanding of U.S. jurisprudence is to be tolerated, even expected.</p><blockquote><p><i>2) Are you aware of the nature of the material this website hosts?</i></p></blockquote><p>No, nor would it be right for us to monitor the content that flows through our network and make determinations on what is and what is not politically appropriate. Frankly, that would be creepy. The blogger may be confused about the nature of Cloudflare. We are not a hosting provider. Removing this, or any other site, from our network wouldn't remove the content from the Internet: it would simply slow its performance and make it more vulnerable to attack.</p><blockquote><p><i>3) What safeguards do you have in place to ensure that Cloudflare does not support illegal terrorist activity?</i></p></blockquote><p>This question assumes the answer. A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain.</p><p>I'm curious if the blogger would ask the same of Google? A quick search shows that Google has about 334,000 pages from the site in question in its cache. Would the blogger suggest that Google should be required not to index this website? 
Should they need to do so only when ordered by a court, or should they proactively censor the network based on their own biases?</p><p>Or consider the example of Comcast, the ISP over which I just accessed the site in question. Like Cloudflare, Comcast provides a network that attempts to deliver content quickly. Comcast is not the host of the site but could, theoretically, enable filters that keep the site from being delivered through its network. Personally, I'd be uncomfortable if an ISP like Comcast did that, even under a court order. It would be tantamount to censoring the Internet and, again, it would be creepy.</p><blockquote><p><i>4) Do you support campaigns of murder and terror waged [by some controversial group]? If not, why would you allow such hateful material to be protected by your services?</i></p></blockquote><p>Cloudflare's mission is to build a better web. Today, approximately 4% of web requests flow through our network. And, as we are successful, more and more of the web will sit behind us. It is important, therefore, that we are good stewards maintaining the open and free nature of the Internet.</p><p>There are lots of things on the web I find personally distasteful. I have political beliefs, but I don't believe those beliefs should color what is and is not allowed to flow over the network. As we have <a href="https://blog.cloudflare.com/ceasefires-dont-end-cyberwars">blogged about before</a>, we often find ourselves on opposite sides of political conflicts. Fundamentally, we are consistent in the fact that our political beliefs will not color who we allow to be fast and safe on the web.</p><blockquote><p><i>5) Will you undertake to investigate this matter and withdraw Cloudflare's services from this [controversial] material, material which has been directly responsible for [promoting controversial behavior]?</i></p></blockquote><p>Again, Cloudflare is not a hosting provider. 
If we were to terminate this, or any other customer, the material wouldn't go away, it would just be a bit slower and be more subject to attack. We do not believe that "investigating" the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.</p><blockquote><p><i>6) Have you taken legal advice concerning the laws you may be breaking by supporting this material and potentially facilitating illegal activity?</i></p></blockquote><p>Cloudflare abides by all applicable laws in the countries in which we operate and we firmly support the due process of law. If we were to receive a valid court order that compelled us to not provide service to a customer then we would comply with that court order. We have never received a request to terminate the site in question from any law enforcement authority, let alone a valid order from a court.</p><blockquote><p><i>7) Your CEO has in the past publicly defended providing services to websites hosting dangerous material. Would his position change if one of his own family was hurt or killed in an incident that could be reliably linked to the [controversial website]?</i></p></blockquote><p>In a word: no. As a way of proving that point, rather than speculate on a gruesome hypothetical, let's discuss a concrete example. About a year ago, <a href="http://www.wired.com/gadgetlab/2012/09/cosmo-the-god-who-fell-to-earth/all/">a young hacker broke into my email accounts</a>, rummaged around, and caused a significant amount of damage and embarrassment to me. At the time, the hacker was a Cloudflare user. He even used his Cloudflare-powered site to publish details of the attack. I was furious. It was a direct attack by one of our users specifically targeting me. Despite that, we did not kick him off our network nor should we have.</p><p>Cloudflare's mission is to build a better web. Inherently, there will be things on our network that make us uncomfortable. 
We will continue to abide by the law, serve all customers, and hold consistently to a belief that our proper role is not that of Internet censor.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Cloudflare History]]></category>
            <guid isPermaLink="false">28tNjcmvJVvJGyTiqWbDXS</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Updating Policies]]></title>
            <link>https://blog.cloudflare.com/updating-policies/</link>
            <pubDate>Mon, 20 Aug 2012 20:39:00 GMT</pubDate>
            <description><![CDATA[ In 2009, CloudFlare's service began to take shape. While in the early days I had contributed to CloudFlare's early code, we quickly hired engineers to join Lee's team who were far smarter than I.  ]]></description>
            <content:encoded><![CDATA[ <p>Back in late 2009, CloudFlare's service began to take shape and our website first went online. While in the early days I had contributed to CloudFlare's early code, we quickly hired engineers to join Lee's team who were far smarter than I. That left me to turn my attention to another area of the site more appropriate for a recovering lawyer: our <a href="http://www.cloudflare.com/terms">Terms of Service</a> and <a href="http://www.cloudflare.com/security-policy">Privacy Policy</a>.</p><p>Generally, these documents have held up pretty well since December 5, 2009 when we first published them. However, today we're making some updates to address some issues that have come up over the last two years. I wanted to take the time to walk through the changes here so everyone is clear why we made the updates we have.</p>
    <div>
      <h3>Apps</h3>
      <a href="#apps">
        
      </a>
    </div>
    <p>Many of the changes to the Terms of Service and Privacy Policy are the result of CloudFlare's <a href="http://www.cloudflare.com/apps">Apps Marketplace</a>. From early in our history, we realized we had an opportunity to help webmasters install services to enhance their sites. Oliver Roup, a friend of mine from business school, approached us about allowing CloudFlare's users to automatically incorporate the service of a company he'd started: <a href="http://www.cloudflare.com/apps/viglink">Viglink</a>. Viglink's service automatically adds an affiliate code to appropriate links on your site so you can make money when people click on a link and then go on to purchase something.</p><p>It seemed like a no-brainer that we offer Viglink as an option to our users. We always thought it would be a service that people could turn on or off, but I wanted to make sure our Terms of Service included the possibility that if someone had the service on then affiliate codes could be added. I included the following sentence in our terms: "[CloudFlare may] Add tracking codes or affiliate codes to links that do not previously have tracking or affiliate codes." That has, over time, caused endless confusion, customer service inquiries, and even conspiracy theories.</p><p>We're building a platform that, through Apps, can allow you to update your site in a wide number of ways. While we want to acknowledge that, we also want to make something clear: it is always your choice as to what apps are enabled. As a result, we updated this key section to now read:</p><p>You retain full copyrights in any materials served through CloudFlare. Depending on the features you select or Apps you enable, CloudFlare may modify the content of your site. For example, CloudFlare may detect any email addresses and replace them with a script in order to keep it from being harvested, or CloudFlare may insert code to improve page load performance or enable a Third Party App. 
Depending on the features you enable, you acknowledge CloudFlare may:</p><ol><li><p>Intercept requests determined to be threats and present them with a challenge page.</p></li><li><p>Add cookies to your domain to track visitors, such as those who have successfully passed the CAPTCHA on a challenge page.</p></li><li><p>Add script to your pages to, for example, add services, Apps, or perform additional performance tracking.</p></li><li><p>Other changes to increase performance or security of your website.</p></li></ol><p>CloudFlare will make it clear whenever a feature will modify your content and, whenever possible, provide you a mechanism to allow you to disable the feature.</p><p>We've made updates elsewhere to also reflect that we allow you to install third party apps. For example, our Privacy Policy now acknowledges that you should check the Terms of Service and Privacy Policies of these app providers since they may be different from CloudFlare's. The idea of the Apps Marketplace is something that really came into focus after our initial launch, so it's appropriate now for us to update our policies to account for it.</p>
    <div>
      <h3>Abuse</h3>
      <a href="#abuse">
        
      </a>
    </div>
    <p>Section 11 of our old Terms of Service included a long list of things that, if you did on our network, we could terminate you for. The history of this section is that I searched a number of other major services to see what they had prohibited and then included just about everything that had ever been listed. This list was largely pulled from hosting providers and similar sites that actually hosted content.</p><p>This list may be appropriate for a hosting service, but it isn't as appropriate for a network provider. CloudFlare is much more akin to a network provider. People also interpreted the list as if it was self-executing computer code. Someone would find a site that told people how to build a grenade, or whatever, and write to us saying we had to terminate them. We, on the other hand, saw the list as reasons we could terminate people, not reasons we must terminate them.</p><p>Given the confusion the list created we simplified it. Today our policy remains as it was before, just without the list. If you're using CloudFlare in a way we deem inappropriate we will, at our sole discretion, terminate your use of the CloudFlare network. As I've <a href="/thoughts-on-abuse">written about before</a>, our general position is that CloudFlare is building a better Internet and it's not our role to determine what content should or should not be allowed to be published. That said, if you're using our network solely as a file locker, distributing malware or phishing, or otherwise causing per se harm then we will terminate use.</p><p>We also updated our abuse process to reflect what we've learned about running an abuse desk in front of hundreds of thousands of websites. What we learned was that as our technical defenses improved, hackers turned to abusing our abuse process to determine the identity of sites on our network. That, effectively, was a mechanism to bypass our technical protections. 
Our new abuse process allows legitimate rights holders to file complaints that we relay to the owners of sites with alleged violations without compromising the technical protections we offer our customers.</p>
    <div>
      <h3>Miscellaneous Other Cleanup</h3>
      <a href="#miscellaneous-other-cleanup">
        
      </a>
    </div>
    <p>There was a lot of other cruft in our terms that we cleaned up. For example, we previously included the following paragraph:</p><blockquote><p>You are granted a limited, revocable, and nonexclusive right to create a hyperlink to any non-password protected directories, so long as the link does not portray CloudFlare, its affiliated websites, or its services in a false, misleading, derogatory, or otherwise offensive matter. You may not use any of CloudFlare's proprietary graphics or trademarks as part of the link without express written permission.</p></blockquote><p>While most Terms of Service you'll find around the Internet include such paragraphs, they really are silly. We've deleted the paragraph so you can go ahead and link to our site, even if what you say is false, misleading, derogatory and offensive.</p><p>When we first started CloudFlare we also had something called the Automated Setup Tool that would log in to your DNS provider and <a href="https://www.cloudflare.com/products/registrar/">Registrar</a> and make the changes for you if you gave us your username and password. While it was very cool and made the signup process even faster than it is today, we decided it was a very bad security practice to ask for people's username/password for a third party service. Much like we got rid of the Automated Setup Tool, we've now gotten rid of the section that covered how it worked. (Section 6 is now about Apps.) We also now provide software (e.g., mod_cloudflare and Railgun) so the terms were updated in various places to include that.</p><p>While I'm a recovering lawyer, I'm not a big believer that the legal system is the best way to resolve disputes. As a result, we added an arbitration clause. Should a dispute arise in the future, it seems like a more civilized way to resolve it. We also had some problems with machine translated versions of the Terms of Service containing oddities. 
As a result, we added a section to make it clear that the English version of the terms is the one that is controlling. We also moved from Palo Alto, CA to San Francisco, CA more than a year ago so we finally updated the jurisdiction information.</p><p>That's the gist of the updates. For those who are interested, we'll keep the old versions of the <a href="http://www.cloudflare.com/terms-old">Terms of Service</a> and <a href="http://www.cloudflare.com/security-policy-old">Privacy Policies</a> available for a few months. While I'm sure we'll have to make additional updates to the Terms of Service and Privacy Policies in the future as we learn more about running a global network, I am confident that we will continue to operate as we always have: respecting our publishers and their visitors' privacy, operating a responsible network, and working toward building a faster, safer, smarter web for everyone.</p> ]]></content:encoded>
            <category><![CDATA[Abuse]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <guid isPermaLink="false">3KH2BSA9Wjj61sqYKrFZl2</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Introducing CloudFlare's Stop Censorship App]]></title>
            <link>https://blog.cloudflare.com/introducing-cloudflares-stop-censorship-app/</link>
            <pubDate>Mon, 16 Jan 2012 23:50:00 GMT</pubDate>
            <description><![CDATA[ CloudFlare, as a service, illustrates the power of using DNS to make the Internet better. Unfortunately, some current legislation up for consideration in the United States illustrates the power of using DNS to make the Internet worse.  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>CloudFlare, as a service, illustrates the power of using DNS to make the Internet better. Unfortunately, some current legislation up for consideration in the United States illustrates the power of using DNS to make the Internet worse. SOPA and PIPA aim to address the challenge of policing copyright online by monkeying with the underlying infrastructure of the Internet.</p><p>Spearheaded by <a href="http://icanhascheezburger.com/">Ben Huh</a> and others, many sites are planning on "blacking out" their pages on Wednesday, January 18 to raise awareness about the dangers of laws like SOPA and PIPA. Several CloudFlare users wrote to us asking if there was a way we could help them participate in such a protest. The problem is that blacking out your site entirely can have some negative results:</p><ol><li><p>Taking a site offline does nothing to help educate people who are not already aware of the risk about the problems of SOPA and PIPA; and</p></li><li><p>Removing your site from the Internet, even if for only one day, can have a significant impact on your search ranking and crawl rates.</p></li></ol><p>We wanted to provide a way for people who wanted to raise awareness about SOPA and PIPA to do so effectively and without hurting themselves in the process.</p><p>What's great about the CloudFlare Anti-Censorship App is that it will work without you having to modify any of the code on your site. If you own your own domain, you can sign up for CloudFlare. And, if you sign up for CloudFlare, you can participate in the blackout with one click. This means that if you're on Tumblr, TypePad, WordPress, Posterous, or any other platform, so long as you have your own domain you can use the app.</p><p>The app is available <a href="https://www.cloudflare.com/apps/stop_censorship">here beginning today</a>. If you want to participate in the blackout, you should turn it on by Wednesday, January 18. 
We will continue to make the app available for the next 30 days or until the threat from laws like SOPA and PIPA has passed.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare Apps]]></category>
            <category><![CDATA[SEO]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">lraugrgBDcIUOiC9PczeW</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
    </channel>
</rss>