Cloudflare Suggests It Won’t Cut Off Anti-Trans Stalking Forum

Internet infrastructure and cybersecurity company Cloudflare has posted a new blog post explaining its position on when, and whether, it stops providing its services to certain sites and customers. Although the post does not name the site specifically, it comes after mounting calls for Cloudflare to stop providing its security products to Kiwi Farms, a notoriously transphobic forum with users that have stalked, harassed and doxed vulnerable people since it started in 2013 and which has been a recent hub of malicious activity towards trans streamer Clara Sorrenti, better known as Keffals.

The news signals Cloudflare’s continued reluctance to fully commit to the complicated, but commonplace, world of content moderation. Cloudflare has previously stopped providing services to neo-Nazi site the Daily Stormer and 8chan.

“Just as the telephone company doesn't terminate your line if you say awful, racist, bigoted things, we have concluded in consultation with politicians, policy makers, and experts that turning off security services because we think what you publish is despicable is the wrong policy,” says the blog post, which was written by Cloudflare CEO Matthew Prince and Alissa Starzak, the company’s vice president, global head of public policy. “To be clear, just because we did it in a limited set of cases before doesn’t mean we were right when we did. Or that we will ever do it again.”

Cloudflare provides a variety of services to different clients. In some cases, Cloudflare hosts the content directly, more akin to a traditional web host like any other on the web. In the majority of cases, Cloudflare provides its cybersecurity services, which can protect sites from distributed-denial-of-service (DDoS), mask the location of the site’s hosting servers, and serve up a cached version of the site if the original is temporarily unavailable. Kiwi Farms uses some of these security services.

In its post, Cloudflare draws a wedge between its policies for hosting content directly, and those for which clients it gives security services to. For web hosting, the company says it may remove or disable access to content that it believes “Is otherwise illegal, harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals, or seeks to defraud the public.”

The company does not list this same reasoning when it comes to its security products. The blog post does not explicitly explain why, beyond saying “Giving everyone the ability to sign up for our services online also reflects our view that cyberattacks not only should not be used for silencing vulnerable groups, but are not the appropriate mechanism for addressing problematic content online.” The post also says that “Our guiding principle is that organizations closest to content are best at determining when the content is abusive,” meaning the web host. (Kiwi Farms’ content is widely accessible and public facing, meaning it is visible to largely any third party).

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.

Regardless, Kiwi Farms is not known only for hosting speech that is offensive or distasteful. The site’s users regularly post content that discloses sensitive personal information—including home addresses and family members—with the explicit goal of inciting or exploiting violence against trans people. Earlier this month, Sorrenti was the target of transphobic raiding and swatting—the dangerous internet harassment tactic involving prank calls to authorities that prompt police to send a SWAT team to someone’s home. Sorrenti alleges that Kiwi Farms members organized this attack, and has been campaigning for Cloudflare to drop the website as a customer.

Kiwi Farms was reportedly founded with the purpose of trolling and harassing a webcomic artist, and has since grown to become one of the biggest message boards for harassing and targeting specific people and groups, especially trans people and women.  

In 2019, Kiwi Farms founder Joshua Moon refused to cooperate with New Zealand officials when they requested he hand over information about posts related to the Christchurch mass shooting on the forum. It’s also allegedly been connected to several completed suicides by the people its users targeted. Following Sorrenti’s campaign to shut the site down and have Cloudflare drop it, more people have come forward on social media to share how the site’s members harassed and doxed them.

Cloudflare’s blog post adds that after terminating the Daily Stormer and 8chan, “we saw a dramatic increase in authoritarian regimes attempting to have us terminate security services for human rights organizations — often citing the language from our own justification back to us.” The blog post does not clearly acknowledge that Cloudflare does have the power to review complaints on a case by case basis and reject requests from authoritarian regimes if it wishes, as is common practice among tech companies. Local laws, however, may complicate these requests.

Cloudflare did not respond to a request for additional comment.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.