The Internet is not Facebook: Why infrastructure providers should stay out of content policy

Cloudflare’s recent decision to refuse its services to KiwiFarms, a site known for allowing its users to run harassment campaigns against trans people, will likely lead to more requests for infrastructure companies to police online speech. While EFF wouldn’t shed tears over the loss of KiwiFarms (which is still online as of this writing), Cloudflare’s decision again raises fundamental, and as of yet unanswered, questions about such companies’ role in shaping who can and can’t. can talk online .

The deplatforming followed a campaign asking Cloudflare to launch the site from its services. At first the company refused, but then, just 48 hours later, Cloudflare removed KiwiFarms from its services and issued a declaration outlining their justifications for doing so.

While this recent incident serves as a particularly prominent example of the content-driven interventions infrastructure companies are increasingly making, it is hardly the first:

  • In 2017, GoDaddy, Google and Cloudflare has terminated services for the neo-Nazi site Daily Stormer after the site published a vitriolic article about Heather Heyer, the woman killed during the Charlottesville rally. Following the incident, prominent Cloudflare CEO Matthew Prince he has declared: “Literally, I woke up in a bad mood and decided that someone shouldn’t be allowed access to the Internet. No one should have that power.”
  • In 2018, Cloudflare preemptively services denied to Swisster, a decentralized platform by and for sex workers to securely connect and vet clients. Cloudflare he blamed the decision on the company’s “attempts to understand FOSTA”, the anti-trafficking law it had broad repercussions for sex workers and online sexual content more generally.
  • In 2020, as Covid lockdowns made in-person events largely unsustainable, Zoom declined to support virtual events at three different universities, apparently because one of the speakers—Leila Khaled— participated in plane hijackings fifty years ago and is associated with an organization the US government has labeled a “terrorist.” The company had previously canceled services for activists in China and the United States regarding commemorations of the Tiananmen Square massacre, citing adherence to Chinese law.
  • In 2022, during the early stages of the Russian invasion of Ukraine, governments around the world Internet service providers under pressure to block state-sponsored content from Russian outlets, while Ukraine has contacted RIPEone of five regional registries for Europe, the Middle East and parts of Central Asia, asking the organization to revoke IP address delegation to Russia.

These takedowns and requests raise thorny issues, particularly when providing services to one entity risks causing harm to others. If it is not possible to intervene in a necessary and proportionate manner, as required by international human rights standards, let alone in a fully transparent way for – or appealable by – the users who rely on the Internet to access information and organize themselves, providers should intervene voluntarily? Should there be exceptions for emergency circumstances? How can we best identify and mitigate collateral damage, especially for less powerful communities? What happens when state actors request similar interventions?

Spoiler: This post won’t answer all of these questions. But we’ve noticed that many politicians, at least, are trying to go it alone without really understanding the variety of services that operate “beyond the platform.” And that, at least, is a problem we can address right now.

The Internet is not Facebook (or Twitter, or Discord, etc.)

There are many services, mechanisms and protocols that make up the Internet as we know it. The most essential of these are what we call infrastructure providers or infrastructure providers. We could think of infrastructure services as belonging to two fields: physical and logical. Physical infrastructure is the easiest to determine, such as undersea pipes, cables, servers, routers, Internet Exchange Points (IXPs), and the like. These things form the tangible backbone of the Internet. It’s easy to forget, and it’s important to remember, that the Internet is a physical thing.

The logical layer of the Internet infrastructure is where things get a little complicated. No one will dispute that Internet protocols (such as HTTP/S, DNS, IP), Internet Service Providers (ISPs), Content Delivery Networks (CDNs), and Certificate Authorities (CAs) are all examples of necessary infrastructure services . ISPs provide people with access to the physical layer of the Internet, Internet protocols provide a consistent set of rules to allow their computers to communicate effectively across the Internet, and CDNs and CAs provide the necessary content and validity that sites Web need to remain available to users. These are essential for the platforms to exist and for the people who interact with them online. This is why we support content-neutral positions by these services: they are essential to freedom of expression online, and they shouldn’t be endowed with editorial powers to decide what can and cannot exist online, above what the law already dictates.

There are many other services that work behind the scenes to make the internet work as intended. These services, such as payment processors, analytics plug-ins, behavioral tracking mechanisms, and some cybersecurity tools, provide platforms with financial viability and reveal a sort of nuanced gray area between what we determine as essentially infrastructural and Not. Denying their services can have varying degrees of impact on a platform. Payment processors are essential for almost any website to raise money for your business or organization to stay online. On the other hand, it could be argued that behavioral tracking mechanisms and ad trackers also provide companies with financial viability in competitive markets. We will not argue that tracking tools are infrastructural.

But when it comes to cybersecurity tools like DDoS protection through reverse proxy servers (what Cloudflare has provided to KiwiFarms), it’s not that easy. A DDoS protection mechanism does not prevent or prevent a site from appearing online, but it protects it from potential attacks that could. Also, unlike ISPs or CAs or protocols, this type of cybersecurity tool is not a tightly guarded service defined by authoritative entities. It’s something that anyone with technical skills (no platform is guaranteed the right to good programmers) can accomplish. In the case of KiwiFarms, they switched to using a modified fork of a free and open source load balancer to protect against DDoS and other bot-driven attacks.

Interventions beyond platforms have different consequences

It is difficult for infrastructure providers to create policies that meet the content moderation requirements set by international human rights standards. And it is especially difficult to create these policies and monitoring systems when individual rights seem to conflict with each other. And the consequences of their decisions vary significantly.

For example, it is notable that Cloudflare and the tech press spilled far less ink when making the decision to discontinue service to Swissterin just one example of SEXTA/FOSTA harmful consequences for prostitutes. Yet it is these types of sites that are most affected. Platforms that are based outside the global north or have more users from marginalized communities rarely have the same alternatives for infrastructure services, including security tools and server space, such as well resourced sites and even less well resourced online spaces with based in the United States and Europe. For those users, policies that support less intervention, and the ability to communicate without being vulnerable to the whims of corporate executives, may be a better way to help people speak truth to power.

Online actions create real-world harm, and this can happen in multiple directions. But infrastructure providers are rarely in the best position to assess such damage. They may also face conflicting requirements and demands based on the rules and values ​​of the countries in which they operate. Cloudflare noticed that previous interventions have led to an increase in calls for the government to remove them.

We don’t have a simple solution to these complex problems, but we do have a suggestion. Given these pressures, the thorny issues they raise and the importance of ensuring that users have the ability to speak and express themselves without be vulnerable to the whims of business executives, suppliers who are unable to answer these questions consistently should do their best to instead stay focused on their core mission: to provide and improve reliable services so that others can rely on them for discussion, support and organize. And policymakers should focus on helping ensure internet policies support privacy, expression, and human rights.