BOSTON (Reuters) - The gunmen accused of attacking U.S. synagogues and New Zealand mosques over the past six months brewed their ideas on online hate sites, pulling U.S. cyber-defense firm Cloudflare Inc into a debate on the balance between online speech and security.
The attacks have prompted some investors to ask fresh questions about the company’s services allowing the sites to mask their real locations on the Internet to thwart hackers. That is one of the core services used by clients that have more than 12 million Internet properties, including government agencies and major ecommerce operations.
“The temperature has turned up,” said Doug Kramer, general counsel for the privately-held San Francisco-based company.
Investors ask questions after Cloudflare’s services were linked to reports about shooters’ activity on hate sites, Kramer said in an interview this week.
“They understandably want to know how we think about these things,” Kramer said, declining to name investors.
Fidelity Investments and Franklin Resources Inc’s Franklin Templeton funds hold stakes in Cloudflare. Both declined to comment.
The alleged gunman who killed one person and wounded three at a San Diego synagogue on Saturday, as well as one who massacred 50 people at New Zealand mosques in March, had posted hate-filled screeds on the 8chan message board, a Cloudflare client. The man accused of killing 11 people at a Pittsburgh synagogue in October did likewise on Gab, also a Cloudflare client, according to Internet records.
Cloudflare helped both those sites mask their real Internet protocol addresses. The service obfuscates where its customers are hosted, making it more difficult to hold them accountable, said Micah Schaffer, a technology policy consultant and former Snap Inc executive.
Cloudflare does not passively move information, said Alex Stamos, a Stanford University professor who previously served in top cybersecurity roles at Facebook Inc and Yahoo.
“They are cloaking these companies and cloaking the people behind them,” Stamos told the information security “Risky Business” podcast shortly after the New Zealand shootings.
Stamos squared off against Islamic State terrorists as Facebook’s chief security officer and said, compared to ISIS, white supremacist terrorists can more easily find a home on sites like 8chan.
“Nobody was willing to be the official ISIS chatboard, but 8chan is willing to be that (for white supremacists), and that changes the entire texture of the effort to fight it,” he said in a phone interview. Officials at 8chan did not respond to requests for comment.
But Kramer said Cloudflare treats all clients the same, citing far more banal content.
“It’s stuff like cat photos and family reunion photos,” Kramer said, adding that Cloudflare does not believe its role is to monitor the legality and appropriateness of content on client sites. “If we do that, it gets messy really quickly.”
One notable exception came in 2017 when Cloudflare stopped routing the traffic for neo-Nazi website Daily Stormer after the site falsely labeled the company as a secret supporter of the hate ideology.
Cloudflare is private, but the company is interested in an initial public offering that could value it at more than $3.5 billion, Reuters reported in October, citing people familiar with the matter.
Fidelity funds, including Contrafund, value their investment in Cloudflare at more than $100 million, according to disclosures with the U.S. Securities and Exchange Commission.
Cloudflare said it has never provided law enforcement with a feed of customer content. However, should law enforcement contact the company about unlawful activity, it will provide information about the hosting provider, as needed, the company said in an email.
Brittan Heller, a fellow at Harvard University’s Kennedy School of Government, said Cloudflare is in an awkward position dealing with clients that run hate sites.
“Sometimes they have to hold their nose at the clients,” she said.
Reporting By Tim McLaughlin and Ross Kerber; Editing by Scott Malone and Nick Zieminski