Skip to the main content.

5 min read

Cloudflare Blocks Kiwi Farms...

Security7 Networks has long prided itself on its relationship with Cloudflare. We've championed Cloudflare, not only for its decision-making process but for the transparency it offers when dealing with difficult subject matters.

Recently, Cloudflare decided to block Kiwi Farms, a forum known for trolling, doxxing, and harassing individuals both online and in real life. (Read Cloudflare's Kiwi Farms Blog Post Here)

The decision to block Kiwi Farms from the larger internet was not one that Cloudflare made lightly. Nor is it one that should be glossed over in favor of whatever comes next in the ever-evolving 24-hour news cycle we seem to be perpetually stuck in. Blocking Kiwi Farms could lead to unprecedented consequences.

Cloudflare, a company that provides security services for an estimated 20% of the internet's websites, has decided to remove a customer from their service. It's important to understand a few key points:

  • Who is Cloudflare
  • Who is Kiwi Farms
  • Why Cloudflare blocked Kiwi Farms
  • Does this set a precedent for Cloudflare to remove other websites?

Who is Cloudflare?

Starting in 2010, the San Francisco-based company has dedicated itself to providing security and network services to companies around the world, via services like:

  • Web Application Firewall (WAF)
  • Distributed Denial of Service (DDoS) Protection
  • Secure Socket Layer (SSL) Certificates
  • Website Optimization
  • Etc.

As stated above, Cloudflare claims to protect 20% of the internet's websites. If there are 193 million ACTIVE websites out there (according to the World Economic Forum), Cloudflare would be responsible for protecting about 39 million of them.

Cloudflare claims to block about 70 billion attacks on those 39 million websites every day. They are easily one of the most prominent players in the cybersecurity space. You probably encounter a website protected by Cloudflare every day (and multiple times at that) without ever knowing you've touched them.

Unfortunately, with that many websites under their protection, there are going to be a few malcontents like Kiwi Farms.

Who is Kiwi Farms

Kiwi Farms is an online forum started in 2013 by Joshua "Null" Moon, a former 8chan administrator based in New Zealand. Kiwi Farms quickly developed a reputation for targeting minorities, women, members of the LGBTQ community, and others Kiwi Farms' users have deemed to be worth their wrath.

Kiwi Farms users have routinely attacked feminists, journalists, and celebrities. The site first came to notoriety after Brenton Tarrant, a Kiwi Farms user posted a manifesto and live streamed his attack on two mosques in Christchurch, New Zealand.

51 people were killed and 41 were injured.

Kiwi Farms users have been linked to multiple suicides and swatting incidents since its founding.

Kiwi Farms, up until recently, was a Cloudflare customer.

Why Cloudflare Blocked Kiwi Farms

The public demand for Cloudflare to remove Kiwi Farms from its roster of customers has been growing exceedingly louder and louder. While many in the online community wish this had happened sooner, Cloudflare CEO Matthew Prince said on September 9th that the recent rise in escalating threats, and not a recent pressure campaign on Cloudflare itself, is what finally pushed the company over the edge, leading them to dump Kiwi Farms.

"Feeling attacked, users on Kiwi Farms became even more aggressive," Price said in the Cloudlfare blog post regarding the topic. "Over the last two weeks, we (Cloudflare) have proactively reached out to law enforcement in multiple jurisdictions highlighting what we believe are potential criminal acts and imminent threats to human life that were posted to the site (Kiwi Farms)."

Price went on to say it was slow movement on law enforcement's part that ultimately led to Cloudflare deciding Kiwi Farms' fate (if only temporarily).

"While law enforcement in these areas are working to investigate what we and others reported, unfortunately, the process is moving more slowly than the escalating risk" Price said. "While we believe that in every other situation we have faced including the Daily Stormer and 8Chan— it would have been appropriate as an infrastructure provider for us to wait for the legal process, in this case, the imminent and emerging threat to human life which continues to escalate causes us (Cloudflare) to take action."

Does this set a precedent for Cloudflare to remove other websites?

Yes and no. There is a precedent for Cloudflare removing websites that post and share potentially illegal content. Price mentioned both the Daily Stormer and 8chan in his blog article. Both sites, known far and wide for sharing some of what (Price called) the most "revolting" content on the internet, were removed from Cloudflare's roster in 2017 and 2019.

However, just because the content these sites host might be "revolting," if it doesn't cross into the realm of illegality, Cloudflare doesn't necessarily think removing them from the internet is a good idea.

In the case of The Daily Stormer, 8chan, Kiwi Farms, these three sites, according to Price, crossed that line and Cloudflare was duty bound to remove them. That said, Price acknowledges the need for some kind of mechanism (whether that be technical or legislative) that would allow infrastructure providers to work proactively with law enforcement.

Cloudflare's Acceptable Hosting Policy disallows a variety of content and allows Cloudflare to remove or disable access to content that they believe:

  • Contains, displays, distributes, or encourages the creation of child sexual abuse material, or otherwise exploits or promotes the exploitation of minors.
  • Infringes on intellectual property rights.
  • Has been determined by appropriate legal process to be defamatory or libelous.
  • Engages in the unlawful distribution of controlled substances.
  • Facilitates human trafficking or prostitution in violation of the law.
  • Contains, installs, or disseminates any active malware, or uses our platform for exploit delivery (such as part of a command and control system).
  • Is otherwise illegal, harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals, or seeks to defraud the public.

Price stresses that the decision to remove Kiwi Farms was a hard one to make, and while justified (at least internally), the decision could lead to a more dangerous situation than originally exposed to.

"Hard cases make bad law. This is a hard case and we would caution anyone from seeing it as setting precedent," Price said. "For an infrastructure provider like Cloudflare, the legal process is still the correct way to deal with revolting and potentially illegal content online."

Conclusion

Will there ever be a legal process such as Cloudflare has requested? The First Amendment only guarantees the freedom of speech in a public forum and from harassment or persecution by the United States Congress. Some acceptances have been made over the years, for example, Hate Speech is not protected by the First Amendment

Social media, online forums, and websites in general, they're a horse of a different color. Because these types of sites and services are considered private, it's usually up to the provider to determine what's allowed and what's not allowed on their service.  Furthermore, websites like Facebook, Twitter, and Instagram (etc) are protected by Section 230 of the Communications Decency Act (CDA) codified as 47 U.S.C. § 230. This provides immunity to internet service providers from lawsuits that attempt to make them liable for the user content posted on their site.

That doesn't necessarily mean Cloudflare is protected in a similar fashion, but it does help to illustrate why sites like Kiwi Farm, the Daily Stormer, and 8chan are allowed to operate regardless of any illegality they might expose themselves to.

It's highly unlikely that Section 230 will be modified anytime soon, and legislators on both sides of the aisle have been... slow-moving when it comes to moderating speech online. The hesitancy is understandable. Once that door is opened it can never truly be shut again.

To make matters worse, or at least more complicated, the mechanism price requests would probably be limited to the United States alone. Once the site moves its hosting overseas to more friendly countries, all of that work would go right out the window. The European Union has its GDPR standard but that's really it.

Cloudflare's made their desire for a legislative apparatus known, and we wish them luck in regards to getting it. Otherwise, we acknowledge and agree with Cloudflare's stance regarding the removal of Kiwi Farms. It wasn't an easy decision for them to make. It won't be any easier the next time they have to make a similar decision.

The transparency, and thought process however, is always appreciated.

1 min read

WEBINAR: Email Security that Doesn't Suck - September 28th, at 12 p.m.

Trustifi and Security 7 present Email Security That Doesn’t Suck.  In today’s age of over-complicated security tools, it is extremely difficult to...

Read More

SMEs and SMBs are More Vulnerable to Cyberattacks...

One of the most important truths we've discovered since opening the doors here at Security 7 Networks is that Small-to-medium sized businesses (SMBs)...

Read More

Cloudflare Blocks Kiwi Farms...

Security7 Networks has long prided itself on its relationship with Cloudflare. We've championed Cloudflare, not only for its decision-making process...

Read More