The hacker group called CloudFlare "shameful."

By Robert Hackett
November 18, 2015

Anonymous, the notorious hacker collective, recently declared cyber war on the self-identified Islamic State in Iraq and Syria after the radical extremist group claimed responsibility for last week’s terror attacks in Paris. (ISIS shot back, calling the group “idiots.”)

Now Anonymous has called out CloudFlare, a content distribution company that delivers website content using a global network of computers, for allegedly supporting pro-ISIS websites alongside its usual customers. A Twitter account associated with Anonymous posted a tweet this week saying that, “Once again, @CloudFlare have been found to be providing services to pro-#IslamicState websites. Shameful. #OpISIS #Daesh #Anonymous

This isn’t the first time that Anonymous has name-checked the San Francisco, Calif.-based “unicorn” startup, now valued at $1 billion or more, for providing infrastructure to the terror outfit. A couple of months ago, an account administrator posted a similar condemnation to that same Anonymous-affiliated Twitter account.

“It is shameful that @CloudFlare continue to provide services to #IslamicState websites,” the tweet read. “Tweet to them to complain. #Anonymous #OpCloudFlare.”

Other Twitter accounts associated with Anonymous have also piled on criticism in the past.

Matthew Prince, co-founder and CEO of CloudFlare, spoke to Fortune about the vitriol his company has received. He calls the Anonymous members’ gripes “absurd.” (Prince’s words have been lightly edited for length and clarity.)

Fortune: Why would Anonymous be angry with CloudFlare?

Prince: Well, the first thing is, what is Anonymous? Anyone with a Guy Fawkes mask. Anonymous is a user of us, and is at some level somewhat associated with us.

Okay, so what happened?

There was a Twitter account that alleged that a number of ISIS-related sites—it published about 40 sites—are using CloudFlare, and that CloudFlare should kick them off the network. The thing is that there are very few ISIS-related sites [on that list]. Some were Kurdish separatists, some sites supported Chechnyan independence, some sites supported Palestinian independence. There were some that appeared to be related to some of the topics that ISIS supports as well. I don’t know any organizations that hate ISIS more than the Kurds. The only thing I could see that these sites have in common is that they’re largely written in Arabic.

(Fortune reached out to the administrator of the Twitter handle in question, @WauchulaGhost, the hacker who spread the list, for comment. He wrote: “Some sites listed might appear to be non ISIS sites but after looking closer you can see the Propaganda being spread. Some sites have small amounts and other are basically Front Page advertising. Either way, they are Spreading propaganda and recruitment for the Islamic State. However, we will review this list again and double check every site. We have noticed some sites actually do take down ISIS content on the main page, giving the illusion that they do not support them. We have even had site admins contact us asking for us to stop attacking, stating they do not support ISIS. We agreed and let site come back. Sure enough they removed the ISIS content from the main page. Fortunately, we Screen cap all sites before they are attacked. Proof is in the pudding. We are here to remove All Islamic Extremest content. If you support them in any way, shape or form, you can expect us. After the innocent lives were lost in Paris, enough is enough.”)

How do you feel about the criticism?

I don’t think we should have 15-year-old kids in Guy Fawkes masks substitute for the opinion of experts in foreign policy. What is important is to turn to actual State Department or actual law enforcement experts. The State Department also happens to be CloudFlare customer, so we know who to call there. Whenever we regularly have concerns like this, we call actual anti-terrorism experts and ask them what their preference for what we do is. We abide by the law.

(Fortune has reached out to the U.S. State Department and will update this post with any additionally relevant information should the agency respond.)

What if the U.S. State Department determined that you were serving legitimate ISIS websites?

If a U.S. authority told us to terminate any of them as a customer, we would. But the world is often complicated. Some things that look like ISIS may not actually be ISIS. I can’t go into much more detail than that. But you can imagine how—if you are an organization trying to disrupt ISIS—you may in fact want to monitor people who self-identify as ISIS members.

What would happen if you did stop serving these sites?

If you turn CloudFlare off, it doesn’t make them go away. It’s different from YouTube and Twitter that way. It doesn’t turn the sites off, it just makes them harder to monitor. (Editor’s note: CloudFlare’s technology protects its customers from distributed denial-of-service attacks in which hackers use a flood of Internet traffic to knock a target offline—an impediment to Anonymous attacks.)

Have you ever had to stop serving a site?

We did receive an order to terminate service for Grooveshark during a copyright infringement case. We didn’t like it, but we comply with the U.S. law. Obviously, that’s not related to this.

Should CloudFlare have responsibility for the websites it serves?

I think we have a responsibility to comply with U.S. law and the law of any of the countries in which we operate. When we have a customer who we think might be engaged in an illegal act, we consult with law enforcement organizations. We are not anarchists, unlike some members of Anonymous. We’re not hard to find. We comply with legal orders. In some cases, we’ve been specifically ordered not to terminate customers that may from an outside perspective seem objectionable.

The other allegation is that we profit from this. But it’s worth noting that we have a free version of our service. The vast majority of these sites sign up for our free version. Ones that do sign up for the paid version usually do so with stolen credit cards, which means negative revenue for us.

Which sites did the State Department tell you not to take down?

I can’t reveal that. “By the way, here’s an FBI honeypot!”

Sounds like this has been a frustrating morning for you.

No, it’s not frustrating. Just absurd. Literally, this is just—we’re going to take our policy advice from a kid in a Guy Fawkes mask with 100,000 Twitter followers? Seriously.

It’s very dangerous if we say that anyone who speaks Arabic is bad. That’s exactly the goal of ISIS at some level. The goal is to isolate the muslim community. I’m surprised that we’re playing a small role in holding the line to say, No, just because something is written in Arabic doesn’t mean there are bad people behind it. We should rely on the rule of law to say who is a good guy and who is bad guy, frankly.

It would certainly be easier for us to say, Okay, let’s take all these sites off. They contribute zero revenue, and it would cause the kids on Twitter to shut up.

I see. Any final thoughts?

I hope you convey that we’re not cavalier or thoughtless in how we approach this, but that we have been thoughtful and talked to real experts.

(Fortune has reached out to the U.S. State Department and will update this post with any additionally relevant information should the agency respond.)

Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.

For more on the cyberwar between Anonymous and ISIS, watch this video.

SPONSORED FINANCIAL CONTENT

You May Like