12:17 PM
Selling DDoS Flak Jackets in the Cyberwars
SAN FRANCISCO -- When the Israeli army and Hamas trade virtual blows in cyberspace, or when hacker groups like Anonymous rise from the digital ether, or when WikiLeaks dumps a trove of classified documents, some see a lawless Internet.
But Matthew Prince, chief executive at CloudFlare, a little-known Internet start-up that serves some of the Web's most controversial characters, sees a business opportunity.
Founded in 2010, CloudFlare markets itself as an Internet intermediary that shields websites from distributed denial-of-service, or DDoS, attacks, the crude but effective weapon that hackers use to bludgeon websites until they go dark. The 40-person company claims to route up to 5 percent of all Internet traffic through its global network.
Prince calls his company the "Switzerland" of cyberspace - assiduously neutral and open to all comers. But just as companies like Twitter, YouTube and Facebook have faced profound questions about the balance between free speech and openness on the Internet and national security and law enforcement concerns, CloudFlare's business has posed another thorny question: what kinds of services, if any, should an American company be allowed to offer designated terrorists and cyber criminals?
CloudFlare's unusual position at the heart of this debate came to the fore last month, when the Israel Defense Forces sought help from CloudFlare after its website was struck by attackers based in Gaza. The IDF was turning to the same company that provides those services to Hamas and the al-Quds Brigades, according to publicly searchable domain information. Both Hamas and al-Quds, the military wing of the Palestinian Islamic Jihad, are designated by the United States as terrorist groups.
Under the USA Patriot Act, U.S. firms are forbidden from providing "material support" to groups deemed foreign terrorist organizations. But what constitutes material support - like many other facets of the law itself - has been subject to intense debate.
CloudFlare's dealings have attracted heated criticism in the blogosphere from both Israelis and Palestinians, but Prince defended his company as a champion of free speech.
"Both sides have an absolute right to tell their story," said Prince, a 38-year old former lawyer. "We're not providing material support for anybody. We're not sending money, or helping people arm themselves."
Prince noted that his company only provides defensive capabilities that enable websites to stay online.
"We can't be sitting in a role where we decide what is good or what is bad based on our own personal biases," he said. "That's a huge slippery slope."
Many U.S. agencies are customers, but so is WikiLeaks, the whistle-blowing organization. CloudFlare has consulted for many Wall Street institutions, yet also protects Anonymous, the "hacktivist" group associated with the Occupy movement.
Prince's stance could be tested at a time when some lawmakers in the United States and Europe, armed with evidence that militant groups rely on the Web for critical operations and recruitment purposes, have pressured Internet companies to censor content or cut off customers.
Last month, conservative political lobbies, as well as seven lawmakers led by Ted Poe, a Republican from Texas, urged the FBI to shut down the Hamas Twitter account. The account remains active; Twitter declined to comment.
MATERIAL SUPPORT
Although it has never prosecuted an Internet company under the Patriot Act, the government's use of the material support argument has steadily risen since 2006. Since Sept. 11, 2001, more than 260 cases have been charged under the provision, according to Fordham Law School's Terrorism Trends database.
Catherine Lotrionte, the director of Georgetown University's Institute for Law, Science and Global Security and a former Central Intelligence Agency lawyer, argued that Internet companies should be more closely regulated.
"Material support includes web services," Lotrionte said. "Denying them services makes it more costly for the terrorists. You're cornering them."
But others have warned that an aggressive government approach would have a chilling effect on free speech.
"We're resurrecting the kind of broad-brush approaches we used in the McCarthy era," said David Cole, who represented the Humanitarian Law Project, a non-profit organization that was charged by the Justice Department for teaching law to the Kurdistan Workers' Party, which is designated by the United States as a terrorist group. The group took its case to the Supreme Court but lost in 2010.
The material support law is vague and ill-crafted, to the point where basic telecom providers, for instance, could be found guilty by association if a terrorist logs onto the Web to plot an attack, Cole said.
In that case, he asked, "Do we really think that AT&T or Google should be held accountable?"
CloudFlare said it has not been contacted about its services by the U.S. government. Spokespeople for Hamas and the Palestinian Islamic Jihad, told Reuters they contracted a cyber-security company in Gaza that out-sources work to foreign companies, but declined to comment further. The IDF confirmed it had hired CloudFlare, but declined to discuss "internal security" matters.
CloudFlare offers many of its services for free, but the company says websites seeking advanced protection and features can see their bill rise to more than $3,000 a month. Prince declined to discuss the business arrangements with specific customers.
While not yet profitable, CloudFlare has more than doubled its revenue in the past four months, according to Prince, and is picking up 3,000 new customers a month. The company has raked in more than $22 million from venture capital firms including New Enterprise Associates, Venrock and Pelion Venture Partners.
Prince, a Midwestern native with mussed brown hair who holds a law degree from the University of Chicago, said he has a track record of working on the right side of the law.
A decade ago, Prince provided free legal aid to Spamhaus, an international group that tracked email spammers and identity thieves. He went on to create Project Honey Pot, an open source spam-tracking endeavor that turned over findings to police.
Prince's latest company, CloudFlare, has been hailed by groups such as the Committee to Protect Journalists for protecting speech. Another client, the World Economic Forum, named CloudFlare among its 2012 "technology pioneers" for its work. But it also owes its profile to its most controversial customers.
CloudFlare has hosted 4Chan, the online messaging community that spawned Anonymous. LulzSec, the hacker group best known for targeting Sony Corp, is another customer. And since last May, the company has propped up WikiLeaks after a vigilante hacker group crashed the document repository.
Last year, members of the hacker collective UgNazi, whose exploits include pilfering user account information from eBay and crashing the CIA.gov website, broke into Prince's cell phone and email accounts.
"It was a personal affront," Prince said. "But we never kicked them off either."
Prince said CloudFlare would comply with a valid court order to remove a customer, but that the Federal Bureau of Investigation has never requested a takedown. The company has agreed to turn over information to authorities on "exceedingly rare" occasions, he acknowledged, declining to elaborate.
"Any company that doesn't do that won't be in business long," Prince said. But in an email, he added: "We have a deep and abiding respect for our users' privacy, disclose to our users whenever possible if we are ordered to turn over information and would fight an order that we believed was not proper."
Juliannne Sohn, an FBI spokeswoman, declined to comment.
Michael Sussmann, a former Justice Department lawyer who prosecuted computer crimes, said U.S. law enforcement agencies may in fact prefer that the Web's most wanted are parked behind CloudFlare rather than a foreign service over which they have no jurisdiction.
Federal investigators "want to gather information from as many sources as they can, and they're happy to get it," Sussmann said.
In an era of rampant cyber warfare, Prince acknowledged he is something of a war profiteer, but with a wrinkle.
"We're not selling bullets," he said. "We're selling flak jackets."
Copyright 2010 by Reuters. All rights reserved.