By Ken Schwencke, ProPublica
Since its launch in 2013, the neo-Nazi website The Daily Stormer has quickly become the go-to spot for racists on the internet. Women are whores, blacks are inferior and a shadowy Jewish cabal is organizing a genocide against white people. The site can count among its readers Dylann Roof, the white teenager who slaughtered nine African Americans in Charleston in 2015, and James Jackson, who fatally stabbed an elderly black man with a sword in the streets of New York earlier this year.
Traffic is up lately, too, at white supremacist sites like The Right Stuff, Iron March, American Renaissance and Stormfront, one of the oldest white nationalist sites on the internet.
The operations of such extreme sites are made possible, in part, by an otherwise very mainstream internet company — Cloudflare. Based in San Francisco, Cloudflare operates more than 100 data centers spread across the world, serving as a sort of middleman for websites — speeding up delivery of a site’s content and protecting it from several kinds of attacks. Cloudflare says that some 10 percent of web requests flow through its network, and the company’s mainstream clients range from the FBI to the dating site OKCupid.
The widespread use of Cloudflare’s services by racist groups is not an accident. Cloudflare has said it is not in the business of censoring websites and will not deny its services to even the most offensive purveyors of hate.
“A website is speech. It is not a bomb,” Cloudflare’s CEO Matthew Prince wrote in a 2013 blog post defending his company’s stance. “There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain.”
Cloudflare also has an added appeal to sites such as The Daily Stormer. It turns over to the hate sites the personal information of people who criticize their content. For instance, when a reader figures out that Cloudflare is the internet company serving sites like The Daily Stormer, they sometimes write to the company to protest. Cloudflare, per its policy, then relays the name and email address of the person complaining to the hate site, often to the surprise and regret of those complaining.
This has led to campaigns of harassment against those writing in to protest the offensive material. People have been threatened and harassed.
ProPublica reached out to a handful of people targeted by The Daily Stormer after they or someone close to them complained to Cloudflare about the site’s content. All but three declined to talk on the record, citing fear of further harassment or a desire to not relive it. Most said they had no idea their report would be passed on, though Cloudflare does state on the reporting form that they “will notify the site owner.”
“I wasn’t aware that my information would be sent on. I suppose I, naively, had an expectation of privacy,” said Jennifer Dalton, who had complained that The Daily Stormer was asking its readers to harass Twitter users after the election.
Andrew Anglin, the owner of The Daily Stormer, has been candid about how he feels about people reporting his site for its content.
“We need to make it clear to all of these people that there are consequences for messing with us,” Anglin wrote in one online post. “We are not a bunch of babies to be kicked around. We will take revenge. And we will do it now.”
ProPublica asked Cloudflare’s top lawyer about its policy of sharing information on those who complain about racist sites. The lawyer, Doug Kramer, Cloudflare’s general counsel, defended the company’s policies by saying it is “base constitutional law that people can face their accusers.” Kramer suggested that some of the people attacking Cloudflare’s customers had their own questionable motives.
Hate sites such as The Daily Stormer have become a focus of intense interest since the racially divisive 2016 election — how popular they are, who supports them, how they are financed. Most of their operators supported Donald Trump and helped spread a variety of conspiracy theories aimed at damaging Hillary Clinton. But they clearly have also become a renewed source of concern for law enforcement.
In testimony Tuesday before the Senate Judiciary Committee, Chief Will D. Johnson, chair of the International Association of Chiefs of Police Human and Civil Rights Committee, highlighted the reach and threat of hate on the Internet.
“The internet provides extremists with an unprecedented ability to spread hate and recruit followers,” he said. “Individual racists and organized hate groups now have the power to reach a global audience of millions and to communicate among like-minded individuals easily, inexpensively, and anonymously.
“Although hate speech is offensive and hurtful, the First Amendment usually protects such expression,” Johnson said. “However, there is a growing trend to use the Internet to intimidate and harass individuals on the basis of their race, religion, sexual orientation, gender, gender identity, disability, or national origin.”
A look at Cloudflare’s policies and operations sheds some light on how sites promoting incendiary speech and even violent behavior can exist and even thrive.
Jacob Sommer, a lawyer with extensive experience in internet privacy and security issues, said there is no legal requirement for a company like Cloudflare to regulate the sites on their service, though many internet service providers choose to. It comes down to a company’s sense of corporate responsibility, he said.
For the most part, Sommers said, a lot of companies don’t want “this stuff” on their networks. He said those companies resist having their networks become “a hive of hate speech.”
Jonathan Vick, associate director for investigative technology and cyberhate response at the Anti-Defamation League, agrees. He said that many of the hosts they talk to want to get hate sites off their networks.
“Even the most intransigent of them, when they’re given evidence of something really problematic, they do respond,” he said.
Cloudflare has raised at least $180 million in venture capital since its inception in 2009, much of it from some of the most prominent venture capital firms and tech companies in the country. The service is what’s known as a content delivery network, and offers protection from several cyber threats including “denial of service” attacks, where hundreds of computers make requests to a website at once, overwhelming it and bringing it down.
Company officials have said Cloudflare’s core belief is in the free and open nature of the internet. But given its outsize role in protecting a range of websites, Cloudflare has found itself the target of critics.
In 2015, the company came under fire from the hacker collective Anonymous for reportedly allowing ISIS propaganda sites on its network. At the time, Prince, the company’s CEO, dismissed the claim as “armchair analysis by kids,” and told Fox Business that the company would not knowingly accept money from a terrorist organization.
Kramer, in an interview with ProPublica, reiterated that the company would not accept money from ISIS. But he said that was not for moral or ethical reasons. Rather, he said, Cloudflare did not have dealings with terrorists groups such as ISIS because there are significant and specific laws restricting them from doing so.
In the end, Kramer said, seedy and objectionable sites made up a tiny fraction of the company’s clients.
“We’ve got 6 million customers,” he told ProPublica. “It’s easy to find these edge cases.”
One of the people ProPublica spoke with whose information had been shared with The Daily Stormer’s operators said his complaint had been posted on the site, but that he was “not interested in talking about my experience as it’s not something I want to revisit.” Someone else whose information was posted on the site said that while she did get a few odd emails, she wasn’t aware her information had been made public. She followed up to say she was going to abandon her email account now that she knew.
“The entire situation makes me feel uneasy,” she said.
Scott Ernest had complained about The Daily Stormer’s conduct after Anglin, its owner, had used the site to allegedly harass a woman in the town of Whitefish, Montana. After his complaint, Ernest wound up on the receiving end of about two dozen harassing emails or phone calls.
“Fuck off and die,” read one email. “Go away and die,” read another. Those commenting on the site speculated on everything from Ernest’s hygiene to asking, suggestively, why it appeared in a Facebook post that Ernest had a child at his house.
Ernest said the emails and phone calls he received were not traumatizing, but they were worrying.
“His threats of harassment can turn into violence,” he said of Anglin.
Anglin appears quite comfortable with his arrangement with Cloudflare. It doesn’t cost him much either — just $200 a month, according to public posts on the site.
“[A]ny complaints filed against the site go to Cloudflare, and Cloudflare then sends me an email telling me someone said I was doing something bad and that it is my responsibility to figure out if I am doing that,” he wrote in a 2015 post on his site. “Cloudflare does not regulate content, so it is meaningless.”
Representatives from Rackspace and GoDaddy, two popular web hosts, said they try to regulate the kinds of sites on their services. For Rackspace, that means drawing the line at hosting white supremacist content or hate speech. For GoDaddy, that means not hosting the sort of abusive publication of personal information that Anglin frequently engages in.
“There is certainly content that, while we respect freedom of speech, we don’t want to be associated with it,” said Arleen Hess, senior manager of GoDaddy’s digital crimes unit.
Both companies also said they would not pass along contact information for people who complain about offensive content to the groups generating it.
Amazon Web Services, one of the most popular web hosts and content delivery networks, would not say how they handle abuse complaints beyond pointing to an “acceptable use” policy that restricts objectionable, abusive and harmful content. They also pointed to their abuse form, which says the company will keep your contact information private.
According to Vick at the ADL, the fact that Cloudflare takes money from Anglin is different from if he’d just used their free service.
“That’s a direct relationship,” he said. “That raises questions in my mind.”
Some companies offering other services vital to success on the web have chosen not to do business with Anglin’s The Daily Stormer. Google, PayPal and Coinbase, for instance, have chosen to cut off his accounts rather than support his activities. Getting booted around from service to service can make it hard to run a hate site, but Cloudflare gives the sites a solid footing.
And, by The Daily Stormer’s account, advice and assurances. In a post, the site’s architect, Andrew Auernheimer, said he had personal relationships with people at Cloudflare, and they had assured him the company would work to protect the site in a variety of ways — including by not turning over data to European courts. Cloudflare has data centers in European countries such as Germany, which have strict hate speech and privacy laws.
Company officials offered differing responses when asked about Auernheimer’s post. Kramer, Cloudflare’s general counsel, said he had no knowledge of employee conversations with Auernheimer. Later, in an email, the company said Auernheimer was a well-known hacker, and that as a result at least one senior company official “has chatted with him on occasion and has spoken to him about Cloudflare’s position on not censoring the internet.”
A former Cloudflare employee, Ryan Lackey, said in an interview that while he doesn’t condone a lot of what Auernheimer does, he did on occasion give technical advice as a friend and helped some of the Stormer’s issues get resolved.
“I am hardcore libertarian/classical liberal about free speech — something like Daily Stormer has every right to publish, and it is better for everyone if all ideas are out on the internet to do battle in that sphere,” he said.
Vick at the ADL agrees that Anglin has a right to publish, but said people have the right to hold to task the Internet companies that enable him.
“Andrew Anglin has the right to be out there and say what he wants to say. But the people who object to what he has to say have a right to object as well,” he said. “You should be able to respond to everybody in the chain.”
Ken Schwencke is a journalist and developer building news apps for ProPublica’s Electionland project.