Cloudflare calls for regulatory harmonization amid rising internet challenges

Interview Cloudflare wants harmonization of all the regulation and compliance frameworks springing up around the world, according to the networking service provider's deputy chief legal officer and global head of public policy, Alissa Starzak.

Starzak has been with Cloudflare for more than seven years, previously serving as general counsel for the US Army and deputy general counsel for the US Department of Defense.

A large proportion of websites worldwide use plumbing provided by Cloudflare – W3Techs.com puts the figure at 19.2 percent. While an impressive figure, that ubiquity can also result in some spectacular outages when things go wrong – and fingerpointing when Cloudflare-backed sites attract controversy.

On the latter point, it is difficult to forget the example of hate site Kiwi Farms, which Cloudflare described as "revolting" when it blocked the site's content being accessed through its infrastructure. Days earlier, Starzak and Cloudflare's CEO, Matthew Prince, had insisted that since Cloudflare was not hosting the content, it wasn't its responsibility to moderate that content.

That said, the network provider has taken similar steps in the past. In 2017, it terminated content from The Daily Stormer, and in 2019, it pulled support from 8chan.

One service provided by Cloudflare is protection from DDoS attacks. Terminating that service for a customer can put sites at significant risk.

"Stopping our protection in general and leaving them open to cyber attacks – that's not the best way to manage a set of sites online that are problematic. There should be better ways," Starzak told The Register.

"I think on the regulatory side, there have been a lot of developments that have actually increased the chance that there are legal ways of doing it. So it's not a sort of 'subject a site to cyber attack' as a mechanism."

Is it better to let authorities deal with problematic content while companies like Cloudflare focus on the technical stuff?

"You have different kinds of things that are malicious online. Sometimes they're content based … sometimes they're cybersecurity-based.

"So you have technical abuse, you have phishing, you have lots of different sorts of challenges from the technical space. One of the things that's happened over the course of the past couple of years – even for entities very deep in the technical layer, there's been an agreement that there is technical abuse, for example, that should be addressed just in general.

"I think there's a lot more awareness that there are different layers that you have to think through, and you have to actually be more thoughtful about what kind of action you are trying to take, and how you make it narrow and sort of targeted to the issue."

• Cloudflare debuts one-click nuke of web-scraping AI
• FlyingYeti phishing crew grounded after abominable Ukraine attacks
• Cloudflare CEO sues over free-roaming fidos at his ski resort paradise
• Cloudflare says it has automated empathy to avoid fixing flaky hardware too often

So yes, Cloudflare and other techs can deal with the infrastructure – but governments need to consider action at other levels. Unsurprisingly, Starzak reckons the approach makes for a healthier internet ecosystem, even if users might wish it would wield a bigger stick occasionally.

She explained Cloudflare's processes around decisions made to terminate services.

"Our general thought process looks different depending on what kind of services we're providing. For example, on hosting services where you can actually remove content, we have a set of processes that are a bit more aggressive.

"When we're really just providing cybersecurity services or something that actually provides protection … we tend to be much more reluctant. It depends a little bit on how we do the services. We think through that decision tree of, 'OK, what kinds of services are we providing? What would be the consequence of the action?'"

The challenge as countries grapple with regulating the web is keeping track of the multitude of varying frameworks that have emerged. Starzak hopes that a consensus is reached over the coming years "where there is some consistency from country to country."

However, the legal eagle is also a realist: "There are lots and lots of countries that are now considering new sets of regulations. And it's going to be really interesting to watch them all sort of proliferate, and then see if they kind of eventually come back together into something that looks a little bit more like: 'Everyone agrees. This is the right kind of regulation.'"

She does see hope for cooperation between jurisdictions. "On the regulatory side, we have been pushing very hard for harmonization. GDPR was such an interesting development for us, because what you saw was people gravitating towards an idea of what you could do globally." ®