Cloudflare’s recent decision to deny its services to KiwiFarms—a site infamous for allowing its users to run transgender harassment campaigns—may have led infrastructure companies to call the Internet speech police. Although the EFF did not mourn the loss of KiwiFarms (which is still online as of this writing), the Cloudflare decision also raised important questions, still unanswered, about the role of these companies in shaping who can and cannot speak online. .
The deplatforming followed a campaign calling for Cloudflare to drop the site from its services. At first the company refused, however, after just 48 hours, Cloudflare removed KiwiFarms from its operations and issued statement stating their reasons for doing so.
While this latest incident serves as a clear example of content-based interventions that infrastructure companies are increasingly implementing, it is not the first:
- In 2017, GoDaddy, Google, and Cloudflare cut off the services of the neo-Nazi site Daily Stormer after the site published a vitriolic article about Heather Heyer, the woman who was killed during the Charlottesville rally. After this incident, the famous Cloudflare CEO Matthew Prince said: “Actually, I woke up in a bad mood and decided that someone should not be allowed on the Internet. No one should have that power.”
- In 2018, Cloudflare by default denied services on Switter, a decentralized platform for prostitutes to securely communicate and vet clients. Cloudflare he blamed the decision “in the company’s efforts to understand FOSTA,” the anti-trafficking law it has had wider consequences for prostitutes and online sexual content in general.
- In 2020, with the Covid shutdown making in-person events impossible, Zoom refused to support virtual events at three different universities, apparently because one of the speakers—Leila Khaled-participated in hijackings over the past fifty years and is associated with an organization that the US government has labeled “terrorists”. The company previously canceled services for activists in China and the United States in connection with the Tiananmen Square massacre commemoration, citing adherence to Chinese law.
- In 2022, during the initial stages of Russia’s invasion of Ukraine, governments around the world suppressed internet service providers blocking state-sponsored content by Russian outlets, while Ukraine has reached RIPEone of the five Regional Registries for Europe, the Middle East and parts of Central Asia, asking the organization to withdraw the transfer of IP addresses to Russia.
These reductions and demands raise difficult questions, especially when providing a service at the risk of one business allowing harm to others. If intervention is not possible in a necessary and proportionate manner, as required by international human rights standards, let alone in a manner that is fully transparent—or attractive—to users who rely on the Internet for information and planning, should providers intervene voluntarily? Should there be an exception for emergencies? How can we identify and reduce collateral damage, especially in less powerful communities? What happens when state actors seek similar interventions?
Spoiler: this post won’t answer all those questions. But we noticed that many policy makers, at least, try to do it themselves without really understanding the variety of services that work “beyond the field.” And that, at least, is a problem we can deal with right now.
The Internet Is Not Facebook (or Twitter, or Discord, etc)
There are many resources, methods, and regulations that make up the Internet as we know it. The most important of these is what we call infrastructure, or infrastructure providers. We may think of infrastructure services as belonging to two fields: physical and logical. Physical infrastructure is the easiest to determine, such as underwater pipes, cables, servers, routers, Internet exchange points (IXPs), and the like. These things form the tangible backbone of the Internet. It’s easy to forget—and important to remember—that the Internet is a virtual entity.
The logical layer of the Internet infrastructure is where things get complicated. No one would argue that Internet protocols (such as HTTP/S, DNS, IP), Internet service providers (ISPs), content delivery networks (CDNs), and certificate authorities (CAs) are all examples of necessary infrastructure services. ISPs provide people with access to the physical layer of the Internet, Internet protocols provide a consistent set of rules for their computers to communicate effectively across the Internet, and CDNs and CAs provide the necessary content and legitimacy that websites need to remain available to users. This is important for platforms to exist and for people to interact with them online. That is why we advocate content neutrality positions on these services: they are essential to freedom of expression on the Internet and should not be given the power to decide what can or cannot exist on the Internet, beyond what the law already states.
There are a number of other services that work in the background to make the Internet work as expected. These services, such as payment processors, analytics plugins, behavior tracking methods, and other Internet security tools, provide platforms with financial efficiency and reveal a kind of gray area between what we determine as infrastructure and the opposite. Refusing their services may have various effects on the site. Payment processors are essential for almost any website to collect money to keep their business or organization online. On the other hand, one can argue that behavioral tracking methods and advertising trackers also give companies financial performance in competitive markets. We cannot argue that tracking tools are infrastructure.
But when it comes to cybersecurity tools like DDoS protection with reverse proxy servers (what Cloudflare has provided for KiwiFarms), it’s not that easy. DDoS protection doesn’t make or break a site from the Internet—it protects it from potential attacks. Also, unlike ISPs or CAs or protocols, this type of cybersecurity tool is not a service that is heavily monitored and defined by authoritative entities. It’s something that can be accomplished by anyone with the skills (no platform is guaranteed right for good programmers). In the case of KiwiFarms, they have switched to using i fixed fork for free and open load balancer protection against DDoS and other bot-driven attacks.
Interventions Outside the Fields Have Different Effects
It is difficult for infrastructure providers to develop policies that raise content moderation requirements as established by international human rights standards. And it is especially challenging to create these policies and monitoring systems when human rights appear to be in conflict. And the consequences of their decisions vary greatly.
For example, it’s worth noting that very little ink was spilled by Cloudflare and the tech press when they made the decision terminate service on Switterin just one example of SESTA/FOSTA’s dangerous consequences prostitutes. However it is these types of sites that are most affected. Platforms based outside the global north or with many users from underserved communities rarely have the same alternatives to infrastructure services—including security tools and server space—as resourced sites and underserved internet spaces based in the US and Europe. . For those users, policies that support minimal intervention, and the ability to communicate without the risk of being demanded by company executives, may be the best way to help people speak truth to power.
Online actions cause real harm in the world—and that can happen in many ways. But infrastructure providers are rarely well placed to assess that damage. They may also face conflicting requirements and demands based on the laws and values of the countries in which they operate. Cloudflare noted that previous interventions led to increased government demands for reductions.
We don’t have an easy solution to these complex problems, but we do have a suggestion. Given these pressures, the difficult questions they raise, and the importance of ensuring that users have the ability to speak up and express themselves to be vulnerable to the desires of company managers, providers who cannot answer those questions consistently must do their best to stay focused on their main goal: to provide and develop reliable services for others to build upon to speak, advocate, and organize. And policymakers should focus on helping to ensure that Internet policies support privacy, expression, and human rights.