The people making up the GhostSec “division” of Anonymous recently released a list of known ISIS websites used for “propaganda,
religion, recruitment, communications and intelligence gathering purposes”. Included in each line-item website is also the website’s host (be it content or other infrastructure). You can usually find current information from Anonymous about this campaign on Twitter by looking up the hashtag #OpCloudflare.
19 of the sites listed are protected by CloudFlare which “offers free and commercial, cloud-based services to help secure and accelerate websites.”. While CloudFlare does not host website content, it makes websites significantly more resilient to attacks, improves overall security, and provides content caching for both performance and up-time purposes.
Is CloudFlare aware they are protecting known ISIS sites?
Yes, Anonymous made enough waves and directly approached CloudFlare with their findings (as well as other media approaching them) – and here’s CloudFlare’s co-founder Matthew Prince’s retort (originally given to IBT):
“A website is speech. It is not a bomb. There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain… There are lots of things on the web I find personally distasteful. I have political beliefs, but I don’t believe those beliefs should color what is and is not allowed to flow over the network. As we have blogged about before, we often find ourselves on opposite sides of political conflicts. Fundamentally, we are consistent in the fact that our political beliefs will not color who we allow to be fast and safe on the web.”
“We’re the plumbers of the internet,” Prince said. “We make the pipes work but it’s not right for us to inspect what is or isn’t going through the pipes. If companies like ours or ISPs (internet service providers) start censoring there would be an uproar. It would lead us down a path of internet censors and controls akin to a country like China.”
“Whilst we try to ensure that all our customers adhere to our acceptable use policy at all times, we host hundreds of thousands of websites and logistically speaking it’s extremely difficult for us to keep track of the content of all of them all of the time.”
Ok, so they know about the sites now but don’t believe in censoring nor in putting in effort to track down these sites through their extensive client list. I understand their issue with the logistics of finding sites, but Anonymous did just provide a short list ready for review. I don’t think anyone expects a large company to be looking through their database at random searching for hints of terrorist activity, but when someone has done the work for you then it’s a different story.
Is CloudFlare breaking the law by protecting known ISIS sites?
Warning, I am not a lawyer. Obviously… 🙂
I think they are breaking the law – and here’s why.
United States Code §2339A – Providing material support to terrorists – was included from the USA PATRIOT act.
(a)Offense.— Whoever provides material support or resources or conceals or disguises the nature, location, source, or ownership of material support or resources, knowing or intending that they are to be used in preparation for, or in carrying out, a violation of section 32, 37, 81,175, 229, 351, 831, 842 (m) or (n), 844 (f) or (i), 930 (c), 956, 1091, 1114, 1116, 1203, 1361, 1362, 1363, 1366, 1751, 1992, 2155, 2156,2280, 2281, 2332, 2332a, 2332b, 2332f, 2340A, or 2442 of this title, section 236 of the Atomic Energy Act of 1954 (42 U.S.C. 2284), section 46502 or 60123 (b) of title 49, or any offense listed in section 2332b (g)(5)(B) (except for sections 2339A and 2339B) or in preparation for, or in carrying out, the concealment of an escape from the commission of any such violation, or attempts or conspires to do such an act, shall be fined under this title, imprisoned not more than 15 years, or both, and, if the death of any person results, shall be imprisoned for any term of years or for life. A violation of this section may be prosecuted in any Federal judicial district in which the underlying offense was committed, or in any other Federal judicial district as provided by law.
(b) Definitions.— As used in this section— (1) the term “material support or resources” means any property, tangible or intangible, or service, including currency or monetary instruments or financial securities, financial services, lodging, training, expert advice or assistance, safehouses, false documentation or identification, communications equipment, facilities, weapons, lethal substances, explosives, personnel (1 or more individuals who may be or include oneself), and transportation, except medicine or religious materials;
United States Code §2339B – Providing material support or resources to designated foreign terrorist organizations – was also included from the USA PATRIOT act.
(a)Prohibited Activities.— (1)Unlawful conduct.— Whoever knowingly provides material support or resources to a foreign terrorist organization, or attempts or conspires to do so, shall be fined under this title or imprisoned not more than 15 years, or both, and, if the death of any person results, shall be imprisoned for any term of years or for life. To violate this paragraph, a person must have knowledge that the organization is a designated terrorist organization (as defined in subsection (g)(6)), that the organization has engaged or engages in terrorist activity (as defined in section 212(a)(3)(B) of the Immigration and Nationality Act), or that the organization has engaged or engages in terrorism (as defined in section 140(d)(2) of the Foreign Relations Authorization Act, Fiscal Years 1988 and 1989).
(4) the term “material support or resources” has the same meaning given that term in section 2339A (including the definitions of “training” and “expert advice or assistance” in that section);
Conclusion?
To me, this seems pretty clear-cut in that CloudFlare knowingly (see first point) provides support & services to terrorist sites as well as “conceals or disguises the nature, location, source, or ownership” of these sites and organizations. The key here is that these terrorist sites are no longer just a random site being protected by CloudFlare – they’re public record, they’re in the open, and CloudFlare has acknowledged their existence as terrorist sites. What is really to gain here by crying censorship abuse? I hate censorship as much as the next person, but protecting known terrorist sites is, IMO, crossing the line and, very possibly, breaking the law.
What do you think?