With the launch of 126.96.36.199, Cloudflare thumbs its nose at ISPs and the big platforms (AKA Google), and once again declares itself a business willing to start, and lead, tech’s toughest conversations
Over the past year Cloudflare became best known not for the impressive services it has built in the Internet networking space, but for an action taken by its CEO Matthew Prince during the swirl following Trump’s Charlottesville comments. After initially defending the free speech rights of its neo-Nazi customer The Daily Stormer, Prince finally had enough. When the site claimed Cloudflare secretly supported its hateful philosophy, Prince kicked the site off the company’s network.
But it was Prince’s post on the subject that really caught everyone’s attention. From it:
“Now, having made that decision, let me explain why it’s so dangerous…You, like me, may believe that the Daily Stormer’s site is vile. You may believe it should be restricted. You may think the authors of the site should be prosecuted. Reasonable people can and do believe all those things. But having the mechanism of content control be vigilante hackers launching DDoS attacks subverts any rational concept of justice.”
Prince’s actions, and his post, set off a deep conversation at the center of the technology world that continues to this day. It sits at the heart of the current Facebook controversy — what is the role of a tech platform in monitoring and editing the content which passes through its network? Even though his company now manages more than 10 percent of all Internet traffic in some form or another, Prince is deeply concerned about the power of large platforms like Google, Amazon, or his own. “Without a clear framework as a guide for content regulation, a small number of companies will largely determine what can and cannot be online,” his post continued. Prince called for a focused, global dialog on the role business should play in our society — a conversation that is still in its very early stages, and helped inform the theme of the Shift Forum earlier this year.
Today, Prince and his company announced another service, one that once again takes aim at the power of large networks. Early this morning — on Easter, of all days, and April Fools’ to boot — Prince debuted 188.8.131.52, a new kind of Domain Name Service (DNS) that guarantees privacy and speed to all who use it.
Oh, and it’s free.
You may wonder what the heck DNS is, and you’d not be the only one. The Domain Name Service is one of those deep Interweb features that nearly everyone in the industry has heard of, but most of us have never bothered to understand. Turns out, “DNS lookup” is a core feature of pretty much everything we do on the web, and it’s a rather leaky vector for mischief, privacy violations, censorship, and performance issues to boot.
The 184.108.40.206 service was created to combat those issues. You can read more about it in Prince’s introductory post here, but he was kind enough to answer a few questions for Shift readers last night — at 3 in the morning, as he was preparing to launch his service. Below is our short conversation, edited for clarity.
Why 220.127.116.11, why now? Did you come up with this quickly as a response to Facebook’s current controversy with Cambridge Analytica?
We’ve been working on this for at least the last six months, so it definitely wasn’t a direct response to Facebook’s current controversy with Cambridge Analytica. That said, we’ve been worried about Cambridge Analytica since long before they were a household name. For instance, at our Internet Summit in September, I moderated a debate between then-CTO of the firm Darren Bolding and Harvard Law Professor Larry Lessig posing the question: will data destroy democracy?
We see personally identifiable information that happens to cross our network as a toxic asset and we try and delete it as quickly as possible.
At Cloudflare, our business has never been about mining user data. We see personally identifiable information that happens to cross our network as a toxic asset and we try and delete it as quickly as possible. While a lot of tech companies have built businesses around advertising-based models, and that’s inherently lead to increasingly invasive gathering of private data, we’ve taken a different path. That’s meant that ensuring greater privacy and security has been directly aligned with our mission. We honored that in September of 2014 when we made encryption free for all of our users, doubling the size of the encrypted web in a single day. And we are doing it again today with the launch of 18.104.22.168.
Most people have no idea what DNS does, nor do they know it can be decoupled from their ISP. What is DNS, and why decouple it?
I felt really old earlier this week when I was talking to a reporter and said that DNS was the white pages of the Internet and the reporter asked: “What’s the white pages?” So I guess I need a different analogy more generally, but I’ll stick with that one here. Whenever you click on a link, or send an email, or call an Uber one of the first things that whatever device you’re using to access the Internet needs to do is look up a domain name (like google.com or hotmail.com or uber.com) and find the associated IP address. Sticking with the white pages example, domains are like people’s names and IP addresses are like phone numbers. DNS exists because domains are easier to remember than IP addresses. You can type 22.214.171.124 into your browser and get to Google’s search engine, but it’s a lot harder to remember than Google.com.
Whatever network you’re connecting to, by default, gets to decide what DNS service (aka the “white pages”) you use. And they get to log every lookup you make. A lot of consumers think that if there’s the little green lock in their browser (the symbol for a secure connection) it means no one can see what they’re doing online. And it’s true, to some extent, that lock is a strong assurance that your ISP and no one else listening in on the line is seeing the content of the sites that you visit. But, because ISPs control DNS, it means they can see a list of every site you visit.
In the US, ISPs used to have restrictions on what they could do with that data. Unfortunately, those restrictions were removed by the Senate a year ago. Now that more and more ISPs have become media companies, part of their pitch to investors is that they, like Google and Facebook, will be able to use the data they see from their users’ browsing history in order to better target advertising. To me, that’s creepy.
The problem is graver outside the US. When you read about a repressive regime shutting down the Internet, what they’re typically doing is blocking or filtering the DNS system. During the attempted coup in Turkey in 2016, DNS was blocked and people were literally spraypainting Google’s DNS service’s IPs on walls because using it was the only way to get back online. The DNS protocol is 35 years old and never included any sort of encryption. That means in addition to being a chokepoint through which governments can block the Internet, it is also a place where they can monitor it. While leaking data to Comcast may be creepy, leaking because the DNS protocol in some parts of the world, literally a matter of life and death.
Not many people think about what DNS service they’re using. Define success for this new service. Is it 1 percent of users? 10 percent?
In the short term, I think our goals are pretty modest. We think a couple million people will change their DNS settings to use 126.96.36.199 over the course of the next three months. While I’d like to say that the average consumer cares about privacy, I think the reality is they talk a good game but then go about their usual data leaking ways. We’ll get a bunch of the most privacy concerned or speed obsessed to switch, but I’d be stunned if, on a consumer-by-consumer basis, we broke 1 percent.
That said, over the long term, I think what we’re hoping is that in having built a new DNS service that supports modern protocols like DNS-over-HTTPS, which is faster and has encryption by default, that we’ll spur browsers, app developers, operating systems, and router manufacturers to support it. The Internet is full of chicken and egg problems: one side of the network doesn’t want to invest the development time until the other side does. So, with this launch, our goal is to say, “Fine, here you go, here’s a fully formed chicken. Now, let’s get on with making some eggs.” We’ve done the work and now, we hope, browsers, app developers, operating systems, and router manufacturers will have an incentive to build a more modern DNS into their systems. If that starts to happen, that’s when we’ll consider this has been a success.
Why is Google such a large DNS provider? People don’t get their Internet from them, so…how did they get in this position?
ISP’s DNS infrastructure is often really bad. It’s slow and unreliable. Google did two things right. First, they created a product that was faster and more reliable than what the ISPs were offering. Second, they were able to secure a very memorable IP address for the service: 188.8.131.52. What we’re excited about is that our service is twice as fast as Google’s. We’ve got an even more memorable IP address for it: 184.108.40.206. And, on top of that, we’re not in the advertising and data mining business, and have committed to never selling any data or logging any personally identifiable information.
What’s your business model? How does 220.127.116.11 help your business? Is this a smart marketing play to draw in B2B partners? Or a way to bring future retail shareholders into the fold?
The first consideration in building this was that our engineers saw a really hard problem and what they considered a bug in the core of the Internet and thought we could solve it. The people who work on our team could get jobs a lot of places. One of the reasons that they work for us is that when we think about what to build the consideration starts with: does this further our mission of helping build a better Internet. We already had the global network, so providing the service doesn’t add any meaningful incremental cost, and if launching it makes a handful of smart engineers more likely to come work for us then that will have justified the effort. We’re in a battle for talent with companies that have a lot more resources than we do. I think it’s telling that we’ve seen a meaningful uptick in resumes from Facebook engineers.
One of the reasons (our engineers) work for us is that when we think about what to build the consideration starts with: does this further our mission of helping build a better Internet? I think it’s telling that we’ve seen a meaningful uptick in resumes from Facebook engineers.
And, yes, this is a relatively efficient way to get Cloudflare’s name out more broadly. Driving more awareness, we’ve found, inevitably drives more customers to our core business which drives more revenue to our bottom line.
What’s the state of the dialog on the issues raised by your actions against the Daily Stormer? Did you feel heard about the true issues you raised about concentration of corporate power? How does 18.104.22.168 fit into that narrative?
I’ve spent the last six months meeting with regulators, civil society organizations, politicians, customers, and advocacy groups to talk about what the right framework is for when a company should censor content on its platform. I think it’s tempting, sitting here in San Francisco, to lean heavily on the idea of freedom of expression. I am the son of a journalist and grew up in the United States. I grew up with lively debates about the importance of the First Amendment around the dinner table. But, when you meet with German regulators, and you talk about freedom of expression as being sacrosanct they look at you with a sort of naive pity. One said to me: “I understand that’s your tradition born out of your history, but I hope you understand that we have had a very different history.” And that’s undeniable.
Whether we like it or not, freedom of expression — at least the American conception of it — is a minority opinion globally. And, if you’re an Internet company with any real scale, you’re inherently a global company. So I think you actually have to start with more foundational principles than just freedom of expression. I went back and read my Aristotle and James Madison, because both talk about where the principle of freedom of expression comes from. The idea that I keep coming back to, and seems to have a much more global appeal, is the idea of the Rule of Law. Whether you’re in the United States or Germany or Russia or China or anywhere in between, institutions that endure have a foundation in the idea of the Rule of Law.
So what does the Rule of Law entail. My simplification of people who are a lot smarter than I am is that in order to have Rule of Law you need three things: 1) transparency — you should be able to know the rules before you play the game; 2) consistency — the same rules should apply to two people in the same situation; and 3) accountability — the people enforcing the laws should be accountable for their decision. When you watch repressive regimes try and justify their actions it’s uncanny how their talking points always try and emphasize how they’ve met these three pillars. And it makes sense. Organizations that don’t follow them don’t last long.
Aristotle and Madison were thinking about Rule of Law with regard to governments, but I think it may also be instructive when talking about tech companies that have reached a certain scale. And I think it has helped me better understand why it feels wrong if Cloudflare starts to exercise editorial judgment and censor certain content, but it feels equally wrong if Facebook doesn’t. Both Cloudflare and Facebook have over 2 billion people using their services every month. The challenge is, when you’re using Cloudflare, the vast majority of people have no idea. The next time you hail a ride on an app, try and figure out whether you’re using Cloudflare’s network. In the Bay Area, about half the time you are but it’s impossible for the average user to know which half. If that’s the case, how can we ever be transparent? How can you ever know whether we’re being consistent? And how if we get something wrong will anyone ever hold us accountable?
Contrast that with Facebook. Facebook is the modern newspaper. You know when you’re using Facebook. There’s, effectively, a masthead. It’s not deep infrastructure hidden beneath the surface that is unseen. And, at its core, is the most editorial function of all: ranking things. The leadership team at Facebook is fully capable of being transparent, consistent, and accountable as they exercise their editorial judgment. That, recently, they seem not to be taking that responsibility is what feels so off.
The leadership team at Facebook is fully capable of being transparent, consistent, and accountable as they exercise their editorial judgment. That, recently, they seem not to be taking that responsibility is what feels so off.
I think the interesting contrast is Facebook versus Twitter. Facebook is a media company pretending to be a technology company. And Twitter is a technology company pretending to be a media company. In Facebook’s case, they are making editorial decisions continuously on what you see and don’t see. Twitter — or, at least, classic Twitter — is much more like a fancy RSS feed. Each user is their own editor. Twitter’s job is to get you the content of everyone you follow in chronological order. I think a lot of the ham handedness of both companies is that they’re currently denying their core. Facebook points to “the algorithm” and tries to avoid taking responsibility for editorial decisions. And Twitter inconsistently filters or doesn’t filter users and content in what feels random because it’s not what the company’s users signed up for it to do.
We’re continuing to talk with stakeholders in the discussion to make sense of what policies make the most sense for a company like Cloudflare. We’d had these conversations inside with our team almost since the day we launched in 2010. I think the mistake we made, and the mistake a lot of tech companies are continuing to make right now, is not having these conversations with a broader audience outside their four walls. Doing so has been really helpful and informative for me and the rest of our team.