Cloudflare, Sanctions Violations, David Ibsen|Sep 20, 2019|CEP Staff

Cloudflare Admits To Potential Sanctions Violations

Company Acknowledges it has Provided Services to Individuals, Entities Blacklisted by U.S. Government

Cloudflare Inc., a website security company, recently admitted to federal regulators that it had potentially violated economic and trade laws by providing services to sanctioned individuals or entities that are blacklisted by the United States. Cloudflare’s filing to the U.S. Securities and Exchange Commission (SEC) stated that it had “identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC’s Specially Designated Nationals and Blocked Persons List, including entities identified in OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions.”

“Cloudflare has a multi-year-long history of providing services to terrorists and extremists, including ISIS and white supremacy groups. The fact that Cloudflare is only now explicitly acknowledging the misuse of its services raises additional concerning questions,” said Counter Extremism Project (CEP) Executive Director David Ibsen. “When Cloudflare was providing services to sites linked to ISIS, Hamas, and the Taliban in 2017, did the company know that they were potentially violating OFAC sanctions, or were they unaware? Or even worse, did Cloudflare know about this misuse and simply not care? How does the company plan on addressing the use of its services by terrorists and extremists? Now that Cloudflare is a publicly traded company, how will it report on such misuse in its SEC filings? Clearly, the company needs to be open and fully transparent about how terrorists and extremists have relied on Cloudflare services and about how it will actively work to remedy this problem.”

In an August op-ed, Ibsen praised Cloudflare for terminating 8chan as a customer after the El Paso terrorist attack but noted the company had “not consistently applied this policy with other far-right extremist websites.” For example, the Siege Culture website, which is dedicated to the neo-Nazi manifesto Siege, is provisioned services by Cloudflare. Siege has been linked to 21 individual extremists and 11 extremist organizations. Cloudflare has also provided services to the neo-Nazi web forum Fascist Forge, whose users have previously posted bomb-making guides and encouraged violence, including terrorism, assassinations, and the rape and murder of women.

Cloudflare has a well-documented history of providing services to online extremists. In August, CEP identified a pro-ISIS website that served as a library for violent propaganda videos, images, and news updates that was still online and using Cloudflare’s anti-DDoS protection. Cloudflare was found to have provided support to various incarnations of the website for at least two years. In July, CEP flagged that Cloudflare provides services to a website that provided direct downloads for both the New Zealand Christchurch shooting video and the shooter’s manifesto.