Christopher Burgess
Contributing Writer

Transparency and policy shape Cloudflare’s Kiwi Farms decisions

Sep 06, 2022 | 5 mins
Security, Security Infrastructure

Cloudflare's blocking of hate-based forum Kiwi Farms is the latest in a string of controversial actions and inactions around badly behaving customers. Agree or disagree, the company has stuck to its policy throughout.


Cloudflare percolated back into the news cycle last week when the company, which provides security services to websites, blocked Kiwi Farms as a client. Kiwi Farms has a reputation as being the worst trolling site on the internet, where individuals meet to collate and create action plans targeting individuals for both online and physical harassment including doxing and swatting (taking action that results in a police SWAT team arriving at a given address to neutralize the reported threat to life).

Social networks were aflame with calls for Cloudflare to cease providing its services to Kiwi Farms. Indeed, a recent Vice article on the case of Clara Sorrenti, also known as Keffals, an online streamer who has been doxed multiple times and was arrested on August 5 amidst a raid on her home as a result of swatting, highlighted how there have been at least three cases of individuals committing suicide as a result of the targeted harassment stemming from the actions taking place on Kiwi Farms.

Cloudflare explains its abuse policy

On August 31, Cloudflare issued a blog post attributed to Matthew Prince, CEO of Cloudflare, and Alissa Starzak, vice president, global head of public policy at Cloudflare, that discussed the company’s “abuse policy” and was tagged “abuse, freedom of speech, legal.” The post did not mention Kiwi Farms by name, yet it highlighted that the company had a policy it followed (the blog provided a process diagram) and that it was following the processes. The penultimate paragraph summed up the authors' position:

“There remain many injustices in the world, and unfortunately much content online that we find reprehensible. We can solve some of these injustices, but we cannot solve them all. But, in the process of working to improve the security and functioning of the Internet, we need to make sure we don’t cause it long-term harm.”

The bottom line: Kiwi Farms remained a Cloudflare client, receiving the company's services.

Social pressure on Cloudflare to drop Kiwi Farms increases

The social networks doubled down, catching the eye of mainstream media and highlighting the relationship between Cloudflare and Kiwi Farms.

Four days later, on September 3, Prince penned another blog post, “Blocking Kiwifarms,” in which he highlighted the revolting content of Kiwi Farms and acknowledged the public pressure Cloudflare had received to deplatform Kiwi Farms, noting that the company provides services to many sites, including those like Kiwi Farms that contain revolting content. He went on to say that Cloudflare’s actions were not a result of the pressure campaign; rather, “The rhetoric on the Kiwifarms site and specific, targeted threats have escalated over the last 48 hours to the point that we believe there is an unprecedented emergency and immediate threat to human life unlike we have previously seen from Kiwi Farms or any other customer before.” Prince noted that Cloudflare has reached out to law enforcement in multiple locales, highlighting what the company believes were potential criminal acts or threats to life.

Cloudflare transparency on conflict

This is not the first time Cloudflare has found itself amid public opinion crossing paths with its corporate ethos of providing services to those that others find reprehensible. Indeed, following the Russian invasion of Ukraine, Cloudflare received a request on February 28 from the Ukrainian government requesting the company to remove their services from Russian customers and block the Russian sites from using Cloudflare. No doubt, Cloudflare’s presence was making it difficult for the Ukrainian cyberwarriors to attack Russia’s sites.

Since the company received the Ukrainian request, they have published multiple blog posts that discuss Russia and Ukraine. The first post published on March 6 highlighted how they were assisting Ukraine in protecting their infrastructure web presence and had moved out of Russia “customer encryption key material.” Furthermore, should the Cloudflare servers in Ukraine, Belarus or Russia lose power, they are configured to “brick themselves.”

The piece continues that Cloudflare is working with U.S. government entities to ensure compliance with sanctions and is terminating customers related to “Russian financial institutions, Russian influence campaigns, and the Russian-affiliated Donetsk and Luhansk governments.” It ends with how the calls to terminate services in Russia have been seen and considered: “Our conclusion, in consultation with those experts, is that Russia needs more internet access, not less. As the conflict has continued, we’ve seen a dramatic increase in requests from Russian networks to worldwide media, reflecting a desire by ordinary Russian citizens to see world news beyond that provided within Russia.”

In early April, Cloudflare highlighted how it continues to provide services in Russia and how individual Russian citizens were using the Cloudflare WARP tool to access information in the West. The company also highlighted how it was stopping cyberattacks originating from within Russia, with a caveat: “To be clear, being able to identify where cyberattack traffic originates is not the same as being able to attribute where the attacker is located.”

Bottom line: companies such as Cloudflare that provide intermediary services will continue to have to thread the needle between business decisions and moral decisions. Deciding who is acceptable as a customer is not without consequences, and no doubt every company will always have those who disagree with a given decision. To Cloudflare’s credit, its explanations of how it has arrived at business decisions that address moral outcries are commendable.


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
