With millions of developers around the world building on Cloudflare, we are constantly inspired by what you all are building with us. Every Developer Week, we’re excited to get your hands on new products and features that can help you be more productive, and creative, with what you’re building. But we know our job doesn’t end when we put new products and features in your hands during Developer Week. We also need to cultivate welcoming community spaces where you can come get help, share what you’re building, and meet other developers building with Cloudflare.

We’re excited to close out Developer Week by sharing updates on our Workers Launchpad program, our latest Developer Challenge, and the work we’re doing to ensure our community spaces – like our Discord and Community forums – are safe and inclusive for all developers.

In late 2022, we initiated the $2 billion Workers Launchpad Funding Program aimed at aiding the more than one million developers who use Cloudflare's Developer Platform. This initiative particularly benefits startups that are investing in building on Cloudflare to propel their business growth.

The Workers Launchpad Program offers a variety of resources to help builders scale faster and reach more customers. The program includes, but is not limited to:

• Fostering a community of like-minded founders

• Facilitating introductions to the Launchpad’s VC partner network of 40+ leading investors

• Company-building support and mentorship through virtual Founders Bootcamp sessions

• Organizing technical office hours with our engineers

• Access to preview upcoming Cloudflare products and Product Managers

• Culminating in a Demo Day, for participants to share their stories globally with investors and prospective customers.

So far, 50 amazing startups from 13 countries have successfully graduated from the Workers Launchpad program. We finished up Cohort #1 in March 2023, and Cohort #2 wrapped up August 2023.

Since the end of Cohort #2, we have received hundreds of new applications from startups across the globe. Startup applicants showcased incredible tools and software across a variety of industries, including AI, SaaS, Supply Chain, Media, Gaming, Hospitality, and Developer Productivity. While we were encouraged by this wave of applicants' ability to build amazing technology, there were a few that stood out that are leveraging Cloudflare’s Developer Suite to scale their business.

With that being said, we would like to introduce you to the 29 startups that have been chosen to participate in Cohort #3 of Workers Launchpad:

Below, you will find a brief summary of what problems these startups are looking to solve:

The Cloudflare team is looking forward to working with Cohort #3 participants and sharing what they are building on Cloudflare. To follow along with Cohort #3 of Workers Launchpad, follow @CloudflareDev and join our Developer Discord server.

Are you a startup and interested in joining Cohort #4? Apply here!

Now that Workers AI is GA, we’re excited to see what our community can build.  We’ve teamed up with our friends at DEV who will be running an AI Developer challenge, which officially launched on Wednesday, April 3, and runs until Sunday, April 14, 2024, when submissions close.

For this challenge, you will build a Workers AI application that makes use of AI task types from Cloudflare’s growing catalog of Open Models. Apps will be evaluated on innovation, creativity, and demonstration of underlying technology with prizes awarded by DEV for the best overall app, as well as projects leveraging multiple models and tasks. For more information and details on how to participate, including DEV’s rules and requirements, head over to the official challenge page.

Our community has been growing really fast over the past year, so fast that it’s becoming more difficult to welcome each new member that joins our Discord server every day, and Developer Week has always been one of the main drivers of this growth.

When you come into the Cloudflare developer community, it’s important to us that you’re entering a space that is safe and welcoming. Even though we already have rules for the server and community forums, we needed guidelines for our community programs, so that’s why we’ve created a new Code of Conduct that promotes inclusivity, respect, and will help us create a better community for everyone.

Do you want to be part of this and help us create a more inclusive and helpful community? Then please share your feedback and tell us what you would like to see improved in our community and our Discord server in this thread.

Today, Cloudflare – in partnership with Vercel, Shopify, and individual core contributors to both Node.js and Deno – is announcing the establishment of a new Community Group focused on the interoperable implementation of standardized web APIs in non-web browser, JavaScript-based development environments.

The W3C and the Web Hypertext Application Technology Working Group (or WHATWG) have long pioneered the efforts to develop standardized APIs and features for the web as a development environment. APIs such as fetch(), ReadableStream and WritableStream, URL, URLPattern, TextEncoder, and more have become ubiquitous and valuable components of modern web development. However, the charters of these existing groups have always been explicitly limited to considering only the specific needs of web browsers, resulting in the development of standards that are not readily optimized for any environment that does not look exactly like a web browser. A good example of this effect is that some non-browser implementations of the Streams standard are an order of magnitude slower than the equivalent Node.js streams and Deno reader implementations due largely to how the API is specified in the standard.

Serverless environments such as Cloudflare Workers, or runtimes like Node.js and Deno, have a broad wide range of requirements, issues, and concerns that are simply not relevant to web browsers, and vice versa. This disconnect and the lack of clear consideration of these differences while the various specifications have been developed, has led to a situation where the non-browser runtimes have implemented their own bespoke, ad-hoc solutions for functionality that is actually common across the environments.

This new effort is changing that by providing a venue to discuss and advocate for the common requirements of all web environments, deployed anywhere throughout the stack.

Developers want their code to be portable. Once they write it, if they choose to move to a different environment (from Node.js to Deno, for instance) they don't want to have to completely rewrite it just to make it keep doing the exact same thing it already was.

One of the more common questions we get from Cloudflare users is how they can make use of some arbitrary module published to npm that makes use of some set of Node.js-specific or Deno-specific APIs. The answer usually involves pulling in some arbitrary combination of polyfill implementations. The situation is similar with the Deno project, which has opted to integrate a polyfill of the full Node.js core API directly into their standard library. The more these environments implement the same common standards, the more the developer ecosystem can depend on the code they write just working, regardless of where it is being run.

Cloudflare Workers, Node.js, Deno, and web browsers are all very different from each other, but they share a good number of common functions. For instance, they all provide APIs for generating cryptographic hashes; they all deal in some way with streaming data; they all provide the ability to send an HTTP request somewhere. Where this overlap exists, and where the requirements and functionality are the same, the environments should all implement the same standardized mechanisms.

The new Web-interoperable Runtimes Community Group (or "WinterCG") operates under the established processes of the W3C.

The naming of this group is something that took us a while to settle on because it is critical to understand the goals the group is trying to achieve (and what it is not). The key element is the phrase "web-interoperable".

We use "web" in exactly the same sense that the W3C and WHATWG communities use the term – precisely: web browsers. The term "web-interoperable", then, means implementing features in a manner that is either identical or at least as consistent as possible with the way those features are implemented in web browsers. For instance, the way that the new URL() constructor works in browsers is exactly how the new URL() constructor should work in Node.js, in Deno, and in Cloudflare Workers.

It is important, however, to acknowledge the fact that Node.js, Deno, and Cloudflare Workers are explicitly not web browsers. While this point should be obvious, it is important to call out because the differences between the various JavaScript environments can greatly impact the design decisions of standardized APIs. Node.js and Deno, for instance, each provide full access to the local file system. Cloudflare Workers, in contrast, has no local file system; and web browsers necessarily restrict applications from manipulating the local file system. Likewise, while web browsers inherently include a concept of a website's "origin" and implement mechanisms such as CORS to protect users against a variety of security threats, there is no equivalent concept of "origins" on the server-side where Node.js, Deno, and Cloudflare Workers operate.

Up to now, the W3C and WHATWG have concerned themselves strictly with the needs of web browsers. The new Web-interoperable Runtimes Community Group is explicitly addressing and advocating for the needs of everyone else.

It is not intended that WinterCG will go off and publish its own set of independent standard APIs. Ideas for new specifications that emerge from WinterCG will first be submitted for consideration by existing work streams in the W3C and WHATWG with the goal of gaining the broadest possible consensus. However, should it become clear that web browsers have no particular need for, or interest in, a feature that the other environments (such as Cloudflare Workers) have need for, WinterCG will be empowered to move forward with a specification of its own – with the constraint that nothing will be introduced that intentionally conflicts with or is incompatible with the established web standards.

WinterCG will be open for anyone to participate; it will operate under the established W3C processes and policies; all work will be openly accessible via the "wintercg" GitHub organization; and everything it does will be centered on the goal of maximizing interoperability.

WinterCG has already started work on a number of important work items.

From the introduction in the current draft of the specification:

"The Minimum Common Web Platform API is a curated subset of standardized web platform APIs intended to define a minimum set of capabilities common to Browser and Non-Browser JavaScript-based runtime environments."

Or put another way: It is a minimal set of existing web APIs that will be implemented consistently and correctly in Node.js, Deno, and Cloudflare Workers. Most of the APIs, with some exceptions and nuances, already exist in these environments, so the bulk of the work remaining is to ensure that those implementations are conformant to their relative specifications and portable across environments.

The table below lists all the APIs currently included in this subset (along with an indication of whether the API is currently or likely soon to be supported by Node.js, Deno, and Cloudflare Workers):

Whenever one of the environments diverges from the standardized definition of the API (such as Node.js implementation of setTimeout() and setInterval()), clear documentation describing the differences will be made available. Such differences should only exist for backwards compatibility with existing code.

The Web Cryptography API provides a minimal (and very limited) APIs for  common cryptography operations. One of its key limitations is the fact that – unlike Node.js' built-in crypto module – it does not have any support for streaming inputs and outputs to symmetric cryptographic algorithms. All Web Cryptography features operate on chunks of data held in memory, all at once. This strictly limits the performance and scalability of cryptographic operations. Using these APIs in any environment that is not a web browser, and trying to make them perform well, quickly becomes painful.

To address that issue, WinterCG has started drafting a new specification for Web Crypto Streams that will be submitted to the W3C for consideration as part of a larger effort currently being bootstrapped by the W3C to update the Web Cryptography specification. The goal is to bring streaming crypto operations to the whole of the web, including web browsers, in a way that conforms with existing standards.

With the recent release of version 18.0.0, Node.js has joined the collection of JavaScript environments that provide an implementation of the WHATWG standardized fetch() API. There are, however, a number of important differences between the way Node.js, Deno, and Cloudflare Workers implement fetch() versus the way it is implemented in web browsers.

For one, server environments do not have a concept of "origin" like a web browser does. Features such as CORS intended to protect against cross-site scripting vulnerabilities are simply irrelevant on the server. Likewise, where web browsers are generally used by one individual user at a time and have a concept of a globally-scoped cookie store, server and serverless applications can be used by millions of users simultaneously and a globally-scoped cookie store that potentially contains session and authentication details would be both impractical and dangerous.

Because of the acute differences in the environments, it is often difficult to reason about, and gain consensus on, proposed changes in the fetch standard. Some proposed new API, for instance, might be fantastically relevant to fetch users on a server but completely useless to fetch users in a web browser. Some set of security concerns that are relevant to the Browser might have no impact whatsoever on the server.

To address this issue, and to make it easier for non-web browser environments to implement fetch consistently, WinterCG is working on documenting a subset of the fetch standard that deals specifically with those different requirements and constraints.

Critically, this subset will be fully compatible with the fetch standard; and is being cooperatively developed by the same folks who have worked on fetch in Node.js, Deno, and Cloudflare Workers. It is not intended that this will become a competing definition of the fetch standard, but rather a set of documented guidelines on how to implement fetch correctly in these other environments.

The Web-interoperable Runtimes Community Group is just getting started, and we have a number of ambitious goals. Participation is open to everyone, and all work will be done in the open via GitHub at https://github.com/wintercg. We are actively seeking collaboration with the W3C, the WHATWG, and the JavaScript community at large to ensure that web features are available, work consistently, and meet the requirements of all web developers working anywhere across the stack.

For more information on the WinterCG, refer to https://wintercg.org. For details on how to participate, refer to https://github.com/wintercg/admin.

Interested in learning more about building with Cloudflare Pages? If you’re based in the New York City area, join us on Thursday, May 12th for a series of workshops on how to build a full stack application on Pages! Follow along with a fully hands-on lab featuring Pages in conjunction with other products like Workers, Images and Cloudflare Gateway, and hear directly from our product managers. Register now!

The Cloudflare Workers team is excited to announce the opening of our Discord channel! You can join right away by going here.

Through our Discord channel, you can now connect with the team to ask questions, show off what you’re building, and discuss the platform with other developers.

Sometimes you just need to talk to another human being. Our developer docs will always be the source of truth on the mechanics of Workers, but we want to provide quicker help if you need it.

Over the past three years, Cloudflare Workers evolved from an initial sandbox for enterprise customers writing edge code to a developer platform for creating new applications and systems.

“We bet our whole business on Workers and it paid off big time,” said Hamlet Batista, CEO of RankSense, a SEO automation platform. “We've been saving a lot of money on infrastructure costs and DevOps resources we no longer need.”

Our team is constantly surprised by the palette of use cases from those developing on Workers. For example, a developer in Belgium created a static Workers site that teaches an online tutorial in three different languages on how to make your own face mask, which earned the approval of the Belgian government.

Discord provides a medium that allows users to openly share their thoughts while maintaining anonymity. It’s also really fast — partially due to Discord’s use of Workers and Cloudflare’s network.

“Workers are in the path of virtually all Discord requests,” said Mark Smith, Director of Infrastructure at Discord. “We are longtime users of Workers and big fans of the power and flexibility they give us to continue building great things for our users.”

As we continue to build the ecosystem of developer tools, we’d love to hear what you’re building, whether it’s a personal site of your pet or an API gateway. Come say hi today.

This was an internship unlike any other. With a backdrop of a pandemic, protests, and a puppy that interrupted just about every Zoom meeting, it was also an internship that demonstrated Cloudflare’s leadership in giving students meaningful opportunities to explore their interests and contribute to the company’s mission: to help build a better Internet.

For the past twelve weeks, I’ve had the pleasure of working as a Legal Intern at Cloudflare. A few key things set this internship apart from even those in which I’ve been able to connect with people in-person:

• Communication

• Community

• Commingling

• Collaboration

Ever since I formally accepted my internship, the Cloudflare team has been in frequent and thorough communication about what to expect and how to make the most of my experience. This approach to communication was in stark contrast to the approach taken by several other companies and law firms. The moment COVID-19 hit, Cloudflare not only reassured me that I’d still have a job, the company also doubled down on bringing on more interns. Comparatively, a bunch of my fellow law school students were left in limbo: unsure of if they had a job, the extent to which they’d be able to do it remotely, and whether it would be a worthwhile experience.

This approach has continued through the duration of the internship. I know I speak for my fellow interns when I say that we were humbled to be included in company-wide initiatives to openly communicate about the trying times our nation and particularly members of communities of color have experienced this summer. We weren’t left on the sidelines but rather invited into the fold. I’m so grateful to my manager, Jason, for clearing my schedule to participate in Cloudflare’s “Day On: Learning and Inclusion.” On June 18, the day before Juneteenth, Cloudflare employees around the world joined together for transformative and engaging sessions on how to listen, learn, participate, and take action to be better members of our communities. That day illustrated Cloudflare’s commitment to fostering communication as well as to building community and diversity.

The company’s desire to foster a sense of community pervades each team. Case in point, members of the Legal, Policy, and Trust & Safety (LPT) team were ready and eager to help my fellow legal interns and me better understand the team’s mission and day-to-day activities. I went a perfect 11/11 on asks to LPT members for 1:1 Zoom meetings -- these meetings had nothing to do with a specific project but were merely meant to create a stronger community by talking with employees about how they ended up at this unique company.

From what I’ve heard from fellow interns, this sense of community was a common thread woven throughout their experiences as well. Similarly, other interns shared my appreciation for being given more than just “shadowing” opportunities. We were invited to commingle with our teammates and encouraged to take active roles in meetings and on projects.

In my own case, I got to dive into exciting research on privacy laws such as the GDPR and so much more. This research required that I do more than just be a fly on the wall, I was invited to actively converse and brief folks directly involved with making key decisions for the LPT. For instance, when Tilly came on in July as Privacy Counsel, I had the opportunity to brief her on the research I’d done related to Data Privacy Impact Assessments (DPIAs). In the same way, when Edo and Ethan identified some domain names that likely infringed on Cloudflare’s trademark, my fellow intern, Elizabeth, and I were empowered to draft WIPO complaints per the Uniform Domain Name Dispute Resolution Policy. Fingers crossed our work continues Cloudflare’s strong record before the WIPO (here’s an example of a recent favorable division). These seemingly small tasks introduced me to a wide range of fascinating legal topics that will inform my future coursework and, possibly, even my career goals.

Finally, collaboration distinguished this internship from other opportunities. By way of example, I was assigned projects that required working with others toward a successful outcome. In particular, I was excited to work with Jocelyn and Alissa on research related to the intersection of law and public policy. This dynamic duo fielded my queries, sent me background materials, and invited me to join meetings with stakeholders. This was a very different experience from previous internships in which collaboration was confined to just an email assigning the research and a cool invite to reach out if any questions came up. At Cloudflare, I had the support of a buddy, a mentor, and my manager on all of my assignments and general questions.

When I walked out of Cloudflare’s San Francisco office back in December after my in-person interview, I was thrilled to potentially have the opportunity to return and help build a better Internet. Though I’ve yet to make it back to the office due to COVID-19 and, therefore, worked entirely remotely, this internship nevertheless allowed me and my fellow interns to advance Cloudflare’s mission.

Whatever normal looks like in the following weeks, months, and years, so long as Cloudflare prioritizes communication, community, commingling, and collaboration, I know it will be a great place to work.

In 2010, within months of Cloudflare’s launch, we connected with the National Center for Missing and Exploited Children (NCMEC) and started a collaborative process to understand our role and how we could cooperate with them. Over the years, we have been in regular communication with a number of government and advocacy groups to determine what Cloudflare should and can do to respond to reports about CSAM that we receive through our abuse process, or how we can provide information supporting investigations of websites using Cloudflare’s services.

Recently, 36 tech companies, including Cloudflare, received this letter from a group of U.S Senators asking for more information about how we handle CSAM content. The Senators referred to influential New York Times stories published in late September and early November that conveyed the disturbing number of images of child sexual abuse on the Internet, with graphic detail about the horrific photos and how the recirculation of imagery retraumatizes the victims. The stories focused on shortcomings and challenges in bringing violators to justice, as well as efforts, or lack thereof, by a group of tech companies including Amazon, Facebook, Google, Microsoft, and Dropbox, to eradicate as much of this material as possible through existing processes or new tools like PhotoDNA that could proactively identify CSAM material.  

We think it is important to share our response to the Senators (copied at the end of this blog post), talk publicly about what we’ve done in this space, and address what else we believe can be done.

From our work with NCMEC, we know that they are focused on doing everything they can to validate the legitimacy of CSAM reports and then work as quickly as possible to have website operators, platform moderators, or website hosts remove that content from the Internet. Even though Cloudflare is not in a position to remove content from the Internet for users of our core services, we have worked continually over the years to understand the best ways we can contribute to these efforts.

The first prong of Cloudflare’s response to CSAM is proper reporting of any allegation we receive. Every report we receive about content on a website using Cloudflare’s services filed under the “child pornography” category on our abuse report page leads to three actions:

1. We forward the report to NCMEC. In addition to the content of the report made to Cloudflare, we provide NCMEC with information identifying the hosting provider of the website, contact information for that hosting provider, and the origin IP address where the content at issue can be located.

2. We forward the report to both the website operator and hosting provider so they can take steps to remove the content, and we provide the origin IP of where the content is located on the system so they can locate the content quickly. (Since 2017, we have given reporting parties the opportunity to file an anonymous report if they would prefer that either the host or the website operator not be informed of their identity).

3. We provide anyone who makes a report information about the identity of the hosting provider and contact information for the hosting provider in case they want to follow up directly.

Since our founding, Cloudflare has forwarded 5,208 reports to NCMEC. Over the last three years, we have provided 1,111 reports in 2019 (to date), 1,417 in 2018, and 627 in 2017.  

Reports filed under the “child pornography” category account for about 0.2% of the abuse complaints Cloudflare receives. These reports are treated as the highest priority for our Trust & Safety team and they are moved to the front of the abuse response queue. We are generally able to respond by filing the report with NCMEC and providing the additional information within a matter of minutes regardless of time of day or day of the week.

The second main prong of our response to CSAM is operation of our “trusted  reporter” program to provide relevant information to support the investigations of nearly 60 child safety organizations around the world. The "trusted reporter" program was established in response to our ongoing work with these organizations and their requests for both information about the hosting provider of the websites at issue as well as information about the origin IP address of the content at issue. Origin IP information, which is generally sensitive security information because it would allow hackers to circumvent certain security protections for a website, like DDoS protections, is provided to these organizations through dedicated channels on an expedited basis.

Like NCMEC, these organizations are responsible for investigating reports of CSAM on websites or hosting providers operated out of their local jurisdictions, and they seek the resources to identify and contact those parties as quickly as possible to have them remove the content. Participants in the “trusted reporter” program include groups like the Internet Watch Foundation (IWF), the INHOPE Association, the Australian eSafety Commission, and Meldpunt. Over the past five years, we have responded to more than 13,000 IWF requests, and more than 5,000 requests from Meldpunt. We respond to such requests on the same day, and usually within a couple of hours. In a similar way, Cloudflare also receives and responds to law enforcement requests for information as part of investigations related to CSAM or exploitation of a minor.

Among this group, the Canadian Centre for Child Protection has been engaged in a unique effort that is worthy of specific mention. The Centre’s Cybertip program operates their Project Arachnid initiative, a novel approach that employs an automated web crawler that proactively searches the Internet to identify images that match a known CSAM hash, and then alerts hosting providers when there is a match. Based on our ongoing work with Project Arachnid, we have responded to more than 86,000 reports by providing information about the hosting provider and provide the origin IP address, which we understand they use to contact that hosting provider directly with that report and any subsequent reports.

Although we typically process these reports within a matter of hours, we’ve heard from participants in our “trusted reporter” program that the non-instantaneous response from us causes friction in their systems. They want to be able to query our systems directly to get the hosting provider and origin IP  information, or better, be able to build extensions on their automated systems that could interface with the data in our systems to remove any delay whatsoever. This is particularly relevant for folks in the Canadian Centre’s Project Arachnid, who want to make our information a part of their automated system.  After scoping out this solution for a while, we’re now confident that we have a way forward and informed some trusted reporters in November that we will be making available an API that will allow them to obtain instantaneous information in response to their requests pursuant to their investigations. We expect this functionality to be online in the first quarter of 2020.

Cloudflare takes steps in appropriate circumstances to terminate its services from a site when it becomes clear that the site is dedicated to sharing CSAM or if the operators of the website and its host fail to take appropriate steps to take down CSAM content. In most circumstances, CSAM reports involve individual images that are posted on user generated content sites and are removed quickly by responsible website operators or hosting providers. In other circumstances, when operators or hosts fail to take action, Cloudflare is unable on its own to delete or remove the content but will take steps to terminate services to the  website.  We follow up on reports from NCMEC or other organizations when they report to us that they have completed their initial investigation and confirmed the legitimacy of the complaint, but have not been able to have the website operator or host take down the content. We also work with Interpol to identify and discontinue services from such sites they have determined have not taken steps to address CSAM.

Based upon these determinations and interactions, we have terminated service to 5,428 domains over the past 8 years.

In addition, Cloudflare has introduced new products where we do serve as the host of content, and we would be in a position to remove content from the Internet, including Cloudflare Stream and Cloudflare Workers.  Although these products have limited adoption to date, we expect their utilization will increase significantly over the next few years. Therefore, we will be conducting scans of the content that we host for users of these products using PhotoDNA (or similar tools) that make use of NCMEC’s image hash list. If flagged, we will remove that content immediately. We are working on that functionality now, and expect it will be in place in the first half of 2020.

Cloudflare’s approach to addressing CSAM operates within a comprehensive legal and policy backdrop. Congress and the law enforcement and child protection communities have long collaborated on how best to combat the exploitation of children. Recognizing the importance of combating the online spread of CSAM, NCMEC first created the CyberTipline in 1998, to provide a centralized reporting system for members of the public and online providers to report the exploitation of children online.

In 2006, Congress conducted a year-long investigation and then passed a number of laws to address the sexual abuse of children. Those laws attempted to calibrate the various interests at stake and coordinate the ways various parties should respond. The policy balance Congress struck on addressing CSAM on the Internet had a number of elements for online service providers.

First, Congress formalized NCMEC’s role as the central clearinghouse for reporting and investigation, through the CyberTipline. The law adds a requirement, backed up by fines, for online providers to report any reports of CSAM to NCMEC. The law specifically notes that to preserve privacy, they were not creating a requirement to monitor content or affirmatively search or screen content to identify possible reports.

Second, Congress responded to the many stories of child victims who emphasized the continuous harm done by the transmission of imagery of their abuse. As described by NCMEC, “not only do these images and videos document victims’ exploitation and abuse, but when these files are shared across the internet, child victims suffer re-victimization each time the image of their sexual abuse is viewed” even when viewed for ostensibly legitimate investigative purposes. To help address this concern, the law directs providers to minimize the number of employees provided access to any visual depiction of child sexual abuse.  

Finally, to ensure that child safety and law enforcement organizations had the records necessary to conduct an investigation, the law directs providers to preserve not only the report to NCMEC, but also “any visual depictions, data, or other digital files that are reasonably accessible and may provide context or additional information about the reported material or person” for a period of 90 days.

Because Cloudflare’s services are used so extensively—by more than 20 million Internet properties, and based on data from W3Techs, more than 10% of the world’s top 10 million websites—we have worked hard to understand these policy principles in order to respond appropriately in a broad variety of circumstances. The processes described in this blogpost were designed to make sure that we comply with these principles, as completely and quickly as possible, and take other steps to support the system’s underlying goals.

We are under no illusion that our work in this space is done. We will continue to work with groups that are dedicated to fighting this abhorrent crime and provide tools to more quickly get them information to take CSAM content down and investigate the criminals who create and distribute it.

Cloudflare's Senate Response (PDF)

Cloudflare's Senate Res... by Cloudflare on Scribd

Employees approached this challenge with gusto; global participation meant plenty of high quality submissions to vote on. In addition to being featured here, the winning designs will be displayed in Cloudflare offices throughout 2020 and the creators will be on the decision panel for next year’s winners. Three rose to the top, highlighting creativity and style that is uniquely Cloudflarian. I sat down with the winners to talk through their thoughts on security and what all companies can do to drive awareness.

Security Haiku

_Wipe that whiteboard clean_‌‌Visitors may come and seeSecrets not for them

No tailgating pleaseYou may be a nice person_But I don’t know that_‌‌‌‌‌‌

Eugene: The friendly "Welcome" cloud seen in our all company slides was a jumping off point. It seemed like a great character that embodied being a Cloudflarian and had tons of potential to get into adventures. I also wanted security to be a bit fun, where appropriate. Instead of a serious breach (though it could be), here it was more a minor annoyance personified by a wannabe-sneaky alligator. Add a pun, and there you go—poster design!

Sílvia: What inspired my design was the cute Cloudflare mascot the otter since there are so many otters in SF. Also, security can be fun and I added a pun for all the employees to remember the security system in an entertaining and respectful way. This design is very much my style and I believe making things cute and bright can really grab attention from people who are so busy in their work. A bright, orange, leopard print poster cannot be missed!

Scott: I have always loved the haiku form and poems were allowed!

Eugene: Make them realize and identify the threats that can happen everyday, and their role in keeping things secure. Cute characters and puns help.

Sílvia: Make it more accessible for people to engage and understand it, possibly making more activities, content, and creating a fun environment for people to be aware but also be mindful.

Scott: Use whatever means available to keep the idea of being security conscious in everyone's active awareness. This can and should be done in a variety of different ways so as to engage everyone in one way or another, visually with posters and signs, mentally by having contests, multi-sensory through B.E.E.R. meeting presentations and yes, even through a careful use of fear by periodically giving examples of what can happen if security is not followed...I believe that people like working here and believe in what we are doing and how we are doing it, so awareness mixed in with a little fear can reach people on a more visceral and personal level.

Eugene: Look at the destination of the return email.

Sílvia: LastPass. Oh my lord. I cannot remember one single password since we need to make them so difficult! With numbers, caps, symbols, emojis (ahaha). LastPass makes it easier for me to be secure and still be myself and not remembering any password without freaking out.

**Scott: “**See something, say something" because it both reflects our basic responsibility to each other and exhibits a pride that we have as being part of a company we believe in and want to protect.‌‌

‌‌For security practitioners and engagement professionals, it's easy to try to boil the ocean when Security Awareness Month comes around. The list of potential topics and guidance is endless. Focusing on two or three key messages, gauging the maturity of your organization, and encouraging company-wide participation makes it a company-wide effort. Extra recognition and glory for those that go over and above never hurts either.

Want to run a security awareness design contest at your company? Reach out to us at securityawareness@cloudflare.com for tips and best practices for getting started, garnering support, and encouraging participation.

‌‌

Remember 2016? Pokemon Go was all the rage, we lost Prince, and there were surprising election results in both the UK and US. Back in 2016, Blackbird Technologies was notorious in the world of patent litigation. It was a boutique law firm that was one of the top ten most active patent trolls, filing lawsuits against more than 50 different defendants in a single year.

In October 2016, Blackbird was looking to acquire additional patents for their portfolio when they found an incredibly broad software patent with the ambiguous title, “PROVIDING AN INTERNET THIRD PARTY DATA CHANNEL.” They acquired this patent from its owner for $1 plus “other good and valuable consideration.” A little later, in March 2017, Blackbird decided to assert that patent against Cloudflare.

As we have explained previously, patent trolls benefit from a problematic incentive structure that allows them to take vague or abstract patents that they have no intention of developing and assert them as broadly as possible. Instead, these trolls collect licensing fees or settlements from companies who are otherwise trying to start a business, produce useful products, and create good jobs. Companies facing such claims usually convince themselves that settlements in the tens or hundreds of thousands of dollars are quicker and cheaper outcomes than facing years of litigation and millions of dollars in attorneys fees.  

The following is how we worked to upend this asymmetric incentive structure.  

After we were sued by Blackbird, we decided that we wouldn’t roll over. We decided we would do our best to turn the incentive structure on its head and make patent trolls think twice before attempting to take advantage of the system. We created Project Jengo in an effort to remove this economic asymmetry from the litigation. In our initial blog post we suggested we could level the playing field by: (i) defending ourselves vigorously against the patent lawsuit instead of rolling over and paying a licensing fee or settling, (ii) funding awards for crowdsourced prior art that could be used to invalidate any of Blackbird’s patents, not just the one asserted against Cloudflare, and (iii) asking the relevant bar associations to investigate what we considered to be Blackbird’s violations of the rules of professional conduct for attorneys.

How’d we do?

As promised, we fought the lawsuit vigorously. And as explained in a blog post earlier this year, we won as convincing a victory as one could in federal litigation at both the trial and appellate levels. In early 2018, the District Court for the Northern District of California dismissed the case Blackbird brought against us on subject matter eligibility grounds in response to an Alice motion. In a mere two-page order, Judge Vince Chhabria held that “[a]bstract ideas are not patentable” and Blackbird’s assertion of the patent “attempts to monopolize the abstract idea of monitoring a preexisting data stream between a server and a client.” Essentially, the case was rejected before it ever really started because the court found Blackbird’s patent to be invalid.

Blackbird appealed that decision to the Court of Appeals for the Federal Circuit, which unceremoniously affirmed the lower court decision dismissing the appeal just three days after the appellate argument was heard. Following this ruling, we celebrated.  

Killed another Blackbird. pic.twitter.com/xSNQbHbl6Y

— Matthew Prince ? (@eastdakota) February 15, 2019

As noted in our earlier blog post, although we won the litigation as quickly and easily as possible, the federal litigation process still lasted nearly two years, involved combined legal filings of more than 1,500 pages, and ran up considerable legal expenses. Blackbird’s right to seek review of the decision by the US Supreme Court expired this summer, so the case is now officially over. As we’ve said from the start, we only intended to pursue Project Jengo as long as the case remained active.  

Even though we won decisively in court, that alone is not enough to change the incentive structure around patent troll suits. Patent trolls are repeat players who don’t have significant operations, so the costs of litigation and discovery are much less for them.

An integral part of our strategy against Blackbird was to engage our community to help us locate prior art that we could use to invalidate all of Blackbird’s patents. One of the most powerful legal arguments against the validity of a patent is that the invention claimed in the patent was already known or made public somewhere else (“prior art”). A collection of prior art on all the Blackbird patents could be used by anyone facing a lawsuit from Blackbird to defend themselves. The existence of an organized and accessible library of prior art would diminish the overall value of the Blackbird patent portfolio. That sort of risk to the patent portfolio was the kind of thing that would nudge the incentive structure in the other direction. Although the financial incentives made possible by the US legal system may support patent trolls, we knew our secret weapon was a very smart, very motivated community that loathed the extortionary activities of patent trolls and wanted to fight back.

And boy, were we right! We established a prior art bounty to pay cash rewards for prior art submissions that read on the patent Blackbird asserted against Cloudflare, as well as any of Blackbird’s other patents.  

We received hundreds of submissions across Blackbird’s portfolio of patents. We were very impressed with the quality of those submissions and think they call the validity of a number of those patents into question. All the relevant submissions we collected can be found here sorted by patent number, and we hope they are put to good use by other parties sued by Blackbird. Additionally, we’ve already forwarded prior art from the collection to a handful of companies and organizations that reached out to us because they were facing cases from Blackbird.

A high-level breakdown of the submissions:

• We received 275 total unique submissions from 155 individuals on 49 separate patents, and we received multiple submissions on 26 patents.

• 40.1% of the total submissions related to the ’335 patent asserted against Cloudflare.

• The second highest concentration of prior art submissions (14.9% of total) relate to PUB20140200078 titled “Video Game Including User Determined Location Information.” The vast majority of these submissions note the similarity between the patent’s claims and the Niantic game Ingress.

A few interesting examples of prior art that were submitted that we think are particularly damaging to some of the Blackbird patents:

• Internet based resource retrieval system (No. 8996546)The first two sentences of this 2004 patent’s abstract summarize the patent as a “resource retrieval system compris[ing] a server having a searchable database wherein users can readily access region-based publications similar to, but not necessarily limited to, printed telephone directories. The resource retrieval system communicates with at least one user system, preferably via the Internet.”The Project Jengo community reviewed the incredibly broad language in the patent claims and submitted a reference to an online phone book that allowed for the searching of local results from an online AT&T database. The submission is a link to an archive of a webpage from the year 2000, potentially calling into question the Blackbird patent on eligibility grounds.

• Illuminated product packaging (No. 7086751)This patent seeks protection for packaging “intended to hold a product for sale. The product package includes one or more light sources disposed therein and configured to direct light through one or more openings in the exterior of the product package, in order to entice customers to purchase the product.”

  In one of the more interesting Project Jengo submissions we received, the following information was provided: The CD packaging for Pink Floyd’s ‘Pulse’ included a blinking LED within the cardboard box that was active and visible on store shelves. We felt that this also spoke to the heart of this broad and seemingly obvious patented product. 

• Sports Bra (No. 7867058)This Blackbird patent involves a “sports bra having an integral storage pouch.”

  The Project Jengo community found that a submission on a public discussion forum that pre-dates the ’058 patent and disclosed an idea of modifying a bra by creating an incision in the inner lining and applying a velcro strip so as to form a resealable pocket within the bra… Or essentially the same invention.  

Almost immediately after we announced Jengo, we received an anonymous donation from someone who shared our frustration with patent trolls. As we announced, this gift allowed us to expand Jengo by using some of the prior art to directly challenge other Blackbird patents in administrative proceedings.

We initiated an administrative challenge against Blackbird Patent 7,797,448 (“GPS-internet Linkage”). The patent describes in broad and generic terms “[a]n integrated system comprising the Global Positioning System and the Internet wherein the integrated system can identify the precise geographic location of both sender and receiver communicating computer terminals.” You don’t have to be particularly technical to realize how largely obvious and widely applicable such a concept would be, as many modern Internet applications attempt to integrate some sort of location services using GPS. This was a dangerous patent in the hands of a patent troll.

Based on the strength of the prior art we received from the Project Jengo community and the number of times Blackbird had asserted the ’448 Patent to elicit a settlement from startups, we filed for an ex parte reexamination (EPR) of the ’448 Patent by the US Patent & Trademark Office (USPTO). The EPR is an administrative proceeding that can be used to challenge obviously deficient patents in a less complex, lengthy, or costly exercise than federal litigation.

We submitted our EPR challenge in November 2017. Blackbird responded to the ex parte by attempting to amend their patent’s claims to make them more narrow in an effort to make their patent more defensible and avoid the challenge. In March 2018, the USPTO issued a Non-Final Office Action that proposed rejecting the ’448 Patent’s claims altogether because the claims were found to be preempted by prior art submitted by Project Jengo. Blackbird did not respond to the Office Action. And a few months later, in August 2018, the USPTO issued a final order in line with the office action, which cancelled the ’448 Patent’s claims. The USPTO’s decision means the ‘448 patent is invalid and no one can assert the incredibly broad terms of the ‘448 patent again.

As promised, Cloudflare distributed more than $50,000 in cash awards to eighteen people who submitted prior art as part of the crowdsourced effort. We gave out more than \$25,000 to people in support of their submissions related to the ’335 patent asserted against Cloudflare. Additionally, we awarded more than \$30,000 to submitters in support of our efforts to invalidate the other patents in Blackbird’s portfolio.

In general, we awarded bounties based on whether we incorporated the art found by the community into our legal filings, the analysis of the art as provided in the submission, whether someone else had previously submitted the art, and the strength and number of claims the art challenged in the specified Blackbird patent.

We asked many of the recent bounty winners why they decided to submit prior art to Project Jengo and received some of the following responses:  

"Over the years I've been disappointed and angered by a number of patent cases where I feel that the patent system has been abused by so-called ‘patent trolls’ in order to stifle innovation and profit from litigation. With Jengo in particular, I was a fan of what Cloudflare had done previously with Universal SSL. When the opportunity arose to potentially make a difference with a real patent troll case, I was happy to try and help."

— Adam, Security Engineer

"I read the ’335 patent and thought it basically described a fundamental design principle of the world wide web (proxy servers). I was pretty sure such software was in widespread use by the priority date of the patent (1998). At that point I was curious if that was true so I did some Googling."

– David, Software Developer

"Personally, I believe the vast majority of software patents are obvious and trivial. They should have never been granted. At the same time, fighting a patent claim is costly and time consuming regardless of the patent’s merit, while filing the claim is relatively cheap. Patent trolls exploit this imbalance and, in turn, they stifle innovation. Project Jengo was a great opportunity to use my knowledge of prior academic work for a good cause."

– Kevin, Postdoctoral Research Scientist

"I'm pretty excited, I've never won a single thing in my life before. And to do it in service of taking down evil patent trolls? This is one of the best days of my life, no joke. I submitted because software patents are garbage and clearly designed to extort money from productive innovators for vague and obvious claims. Also, I was homeless at the time I submitted and was spending all day at the library anyway."

— Garrett, San Francisco

The whole point of Project Jengo was to flip the incentive structure around patent trolls, who assume they can buy broad patents, spend a little money to initiate litigation, and then sit back and expect that a great percentage of defendants will send them a check. Under a proper incentive structure, they should have to expend some effort to prove their claims have merit, and we wanted to make available information that would support other potential defendants who may want to push back against claims under Blackbird patents.

One very simple measure of the impact is to review the number of new lawsuits Blackbird is bringing with its patent portfolio, which is a public record. So what does Blackbird’s activity look like on that point?

In the one-year period immediately preceding Project Jengo, (Q2’16-Q2’17) Blackbird filed more than 65 cases. Since Project Jengo launched more than 2.5 years ago, the number of cases Blackbird has filed has fallen to an average rate of 10 per year.  

Not only are they filing fewer cases, but Blackbird as an organization seems to be operating with fewer resources than they did at their peak. When we launched Project Jengo in May 2017, the Blackbird website identified a total team of 12: six lawyers, including two co-founders, four litigation counsel, as well as a patent analysis group of 6. Today, based on a review of the website and LinkedIn, it appears only three staff remain: one co-founder, one litigation counsel, and one member of the patent analysis group.  

Ethics Complaints (section submitted by Cloudflare’s General Counsel, Doug Kramer)

We filed ethics complaints against both of Blackbird’s co-founders before the bar associations in Massachusetts, Illinois, and the USPTO based on their self-described “new model” of pursuing intellectual property claims. Our complaints were based on rules of professional conduct prohibiting lawyers from acquiring a cause of action to assert on their own behalf, or in the alternative, rules prohibiting attorneys to split contingency fees with a non-attorney.

We did not file such complaints lightly, as we take ethical standards seriously and don’t think such proceedings should be used merely to harass. In this case, we think the public perception of patent trolls, who are seen as lawyers chasing an easy buck by taking advantage of distortions in the litigation process, has damaged the public perception of attorneys and respect for the legal profession--the exact sort of values the ethical rules and bar associations are meant to protect.

We based our complaints on the assignment agreement we found filed with the USPTO, where Blackbird purchased the ’335 patent from an inventor in October 2016 for \$1. It seemed apparent that the actual but undisclosed compensation between the parties was considerably more than \$1, so Blackbird may have simply acquired the cause of action or the agreement involved an arrangement where Blackbird would split a portion of any recovered fees with the inventor. Such agreements are generally prohibited by the ethical rules.

In public statements, Blackbird’s defense to these allegations was that it (i) was not a law firm (despite the fact it is led exclusively by lawyers who are actively engaged in the litigation it pursues) and (ii) does not use contingency fee arrangements for the patents it acquires, but does use something “similar.” Both defenses were rather surprising to us. Isn’t an organization led and staffed exclusively by lawyers who are drafting complaints, filing papers with courts, and arguing before judges amount to a “law firm”? In fact, we found pleadings in other Blackbird cases where the Blackbird leadership asked to be treated as lawyers so they could have access to sensitive technical evidence in those cases that is usually off-limits to anyone but the lawyers. And what does it mean for an agreement to be merely “similar” to a contingency agreement?

The disciplinary proceedings in front of bar associations are generally confidential, so we are limited in our ability to report out developments in those cases. But regardless of the outcome, we’ve only approached bar associations in two states. Getting this back on the right track will require more than successful adjudications in front of such committees. Instead, it will take a broader change in orientation by these professional associations across the country to view such matters as more than mere political disputes or arguments between active litigants.  

Our questions go to the very heart of ensuring an ethical legal profession, they are meant to determine what safeguards should be put in place to make sure that attorneys who take the oath are held to a standard beyond mere greed or base opportunism. They go to the question of whether being an attorney is merely a job or if there are higher standards they should be held to, making sure their monopoly over the ability to bring lawsuits as officers of the court (and all the implications, costs, and power that represents) is only wielded by people who can be trusted to do so responsibly. Otherwise, what’s the point of ethical standards?

We’ve said from the beginning that Project Jengo was a response to the patent troll litigation and we would end it as soon as the case was over. And now it is. Although we are proud of our work on this issue, we need to turn our focus back to the company’s mission -- to help build a better Internet. But we may be back at some point. Patent trolls remain a risk to growing companies like Cloudflare and nothing in this experience has persuaded us that settling a patent lawsuit is ever the right answer. We don’t plan to settle, and if brought into such litigation again at some point in the future, we think we have a pretty good blueprint for how to respond.

The Blackbird prior art will remain available here, and we remain available to consult with our colleagues at other companies who face these issues, as we have done many times over the past few years.

Finally, we would like to express our sincere gratitude to the community who researched the Blackbird patent portfolio and helped us fight this troll. It was our confidence in all of you that inspired the idea of Project Jengo in the first place, so its success belongs to you.

Thank you.

Unfortunately, this is not an isolated incident. Nearly the same thing happened on 8chan before the terror attack in Christchurch, New Zealand. The El Paso shooter specifically referenced the Christchurch incident and appears to have been inspired by the largely unmoderated discussions on 8chan which glorified the previous massacre. In a separate tragedy, the suspected killer in the Poway, California synagogue shooting also posted a hate-filled “open letter” on 8chan. 8chan has repeatedly proven itself to be a cesspool of hate.

8chan is among the more than 19 million Internet properties that use Cloudflare's service. We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time. The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.

We do not take this decision lightly. Cloudflare is a network provider. In pursuit of our goal of helping build a better internet, we’ve considered it important to provide our security services broadly to make sure as many users as possible are secure, and thereby making cyberattacks less attractive — regardless of the content of those websites.  Many of our customers run platforms of their own on top of our network. If our policies are more conservative than theirs it effectively undercuts their ability to run their services and set their own policies. We reluctantly tolerate content that we find reprehensible, but we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services.

Unfortunately, we have seen this situation before and so we have a good sense of what will play out. Almost exactly two years ago we made the determination to kick another disgusting site off Cloudflare's network: the Daily Stormer. That caused a brief interruption in the site's operations but they quickly came back online using a Cloudflare competitor. That competitor at the time promoted as a feature the fact that they didn't respond to legal process. Today, the Daily Stormer is still available and still disgusting. They have bragged that they have more readers than ever. They are no longer Cloudflare's problem, but they remain the Internet's problem.

I have little doubt we'll see the same happen with 8chan. While removing 8chan from our network takes heat off of us, it does nothing to address why hateful sites fester online. It does nothing to address why mass shootings occur. It does nothing to address why portions of the population feel so disenchanted they turn to hate. In taking this action we've solved our own problem, but we haven't solved the Internet's.

In the two years since the Daily Stormer what we have done to try and solve the Internet’s deeper problem is engage with law enforcement and civil society organizations to try and find solutions. Among other things, that resulted in us cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained an indication of potential violence. We will continue to work within the legal process to share information when we can to hopefully prevent horrific acts of violence. We believe this is our responsibility and, given Cloudflare's scale and reach, we are hopeful we will continue to make progress toward solving the deeper problem.

We continue to feel incredibly uncomfortable about playing the role of content arbiter and do not plan to exercise it often. Some have wrongly speculated this is due to some conception of the United States' First Amendment. That is incorrect. First, we are a private company and not bound by the First Amendment. Second, the vast majority of our customers, and more than 50% of our revenue, comes from outside the United States where the First Amendment and similarly libertarian freedom of speech protections do not apply. The only relevance of the First Amendment in this case and others is that it allows us to choose who we do and do not do business with; it does not obligate us to do business with everyone.

Instead our concern has centered around another much more universal idea: the Rule of Law. The Rule of Law requires policies be transparent and consistent. While it has been articulated as a framework for how governments ensure their legitimacy, we have used it as a touchstone when we think about our own policies.

We have been successful because we have a very effective technological solution that provides security, performance, and reliability in an affordable and easy-to-use way. As a result of that, a huge portion of the Internet now sits behind our network. 10% of the top million, 17% of the top 100,000, and 19% of the top 10,000 Internet properties use us today. 10% of the Fortune 1,000 are paying Cloudflare customers.

Cloudflare is not a government. While we've been successful as a company, that does not give us the political legitimacy to make determinations on what content is good and bad. Nor should it. Questions around content are real societal issues that need politically legitimate solutions. We will continue to engage with lawmakers around the world as they set the boundaries of what is acceptable in their countries through due process of law. And we will comply with those boundaries when and where they are set.

Europe, for example, has taken a lead in this area. As we've seen governments there attempt to address hate and terror content online, there is recognition that different obligations should be placed on companies that organize and promote content — like Facebook and YouTube — rather than those that are mere conduits for that content. Conduits, like Cloudflare, are not visible to users and therefore cannot be transparent and consistent about their policies.

The unresolved question is how should the law deal with platforms that ignore or actively thwart the Rule of Law? That's closer to the situation we have seen with the Daily Stormer and 8chan. They are lawless platforms. In cases like these, where platforms have been designed to be lawless and unmoderated, and where the platforms have demonstrated their ability to cause real harm, the law may need additional remedies. We and other technology companies need to work with policy makers in order to help them understand the problem and define these remedies. And, in some cases, it may mean moving enforcement mechanisms further down the technical stack.

Cloudflare's mission is to help build a better Internet. At some level firing 8chan as a customer is easy. They are uniquely lawless and that lawlessness has contributed to multiple horrific tragedies. Enough is enough.

What's hard is defining the policy that we can enforce transparently and consistently going forward. We, and other technology companies like us that enable the great parts of the Internet, have an obligation to help propose solutions to deal with the parts we're not proud of. That's our obligation and we're committed to it.

Unfortunately the action we take today won’t fix hate online. It will almost certainly not even remove 8chan from the Internet. But it is the right thing to do. Hate online is a real issue. Here are some organizations that have active work to help address it:

• Anti-Defamation League

• Gen Next Foundation

• Perspective API

• 7 Cups

Our whole Cloudflare team’s thoughts are with the families grieving in El Paso, Texas and Dayton, Ohio this evening.

Want to get right to the feedback? Click here.

As you’ve probably noticed over the years, we’re always evolving and improving the look and feel of different aspects of the Cloudflare experience. Sometimes it’s more about function, other times it’s more about form, and most of the time it’s a combination of both. But there’s one area of the site that many users visit even more frequently than they visit the homepage or their dashboard, and strangely enough it hasn’t really seen any major updates in years. And if you’re reading this, that means you're looking at it.

With more than 150 current contributors, and more than 1,000 posts, we have a lot of people dedicating a lot of their time to writing blog posts. And based on the responses I see in the comments, and on Twitter, there are a lot of people who really like to read what these authors have to say (whether it has much to do with Cloudflare or not).

Well, we’d like to finally give some love to the blog. And we really want to know what you, our loyal (or even occasional) readers, think. There are two options to choose from. Simply click the feedback button below and you can either answer some questions on a survey, or if you want to really go the extra mile you can choose to participate in a short, remote, user study with one of our researchers. Either way, we want to know what you think!

Since we first started reporting in 2013, our transparency report has focused on requests from U.S. law enforcement. Previous versions of the report noted that, as a U.S. company, we ask non-U.S. law enforcement agencies to obtain formal U.S. legal process before providing customer data.

As more countries pass laws that seek to extend beyond their national borders and as we expand into new markets, the question of how to handle requests from non-U.S. law enforcement has become more complicated. It seems timely to talk about our engagement with non-U.S. law enforcement and how our practice is changing. But first, some background on the changes that we’ve seen over the last year.

The explosion of cloud services -- and the fact that data may be stored outside the countries of residence of those who generated it -- has been a challenge for governments conducting law enforcement investigations. A number of U.S. laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without U.S. legal process. To get access to electronic data stored outside their home borders, law enforcement agencies around the world have long used Mutual Legal Assistance Treaties (MLATs) that allow one country to ask for another country’s help to get access to evidence. Unfortunately, the MLAT process can be slow and cumbersome.

Countries frustrated by the inability of law enforcement to quickly gather evidence held outside their borders have taken matters into their own hands. Some have proposed laws mandating that important data about their citizens remain in country, where it can be easily accessed when requested. Others have proposed laws that would allow law enforcement to get access to data wherever it is stored, which puts companies in the position of potentially violating one country’s laws in order to comply with another’s.

In short, a new paradigm that allows law enforcement to access appropriate digital evidence across borders, with sufficient procedural safeguards to protect our users’ privacy and ensure due process, is long overdue.

In March 2018, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act as part of a large bill funding the government. The idea behind the law is that governments that protect their citizens’ due process rights and civil liberties should be able to get access to electronic content related to their citizens when conducting law enforcement investigations, wherever that data is stored.

The CLOUD Act anticipates that the U.S. government will enter into agreements with other countries’ governments to give each of the participating governments access to data stored in other participating countries for the purpose of investigating and prosecuting certain crimes. Under the law, the U.S. government will have to determine that a country has “robust substantive and procedural protections for privacy and civil liberties” before entering into an agreement with that country. After a country enters a formal agreement with the United States, U.S. companies would no longer be restricted by U.S. law from providing that country’s law enforcement with access to content data in response to a valid law enforcement request.

From a practical standpoint, the CLOUD Act envisions that U.S. companies like Cloudflare will be providing information directly to governments that have entered into agreements with the U.S. government. The idea is to change the relevant question away from “where is the data stored?” to “is the person being investigated a citizen or resident of the country asking for the information?”, recognizing every government’s right to investigate crimes that occur within its borders or affect its citizens.

Governments outside the United States have also moved forward with proposals that would provide law enforcement agencies authority to obtain information related to their citizens across borders. The United Kingdom, for example, has been working to update their laws and negotiate a bilateral agreement with the United States for access to data maintained by U.S. companies, consistent with the framework established in the CLOUD Act.

The European Union has also been active in moving forward with a framework on obtaining electronic evidence across borders. Much like the U.S. CLOUD Act, the European Commission’s eEvidence Regulation would allow EU Member States to seek digital evidence outside of their national borders provided that fundamental rights are protected. The European Commission also envisions entering into negotiations with U.S. authorities on data sharing arrangements under the mandate of EU Member States.

As a U.S. company that stores customer records inside the United States, Cloudflare has long held the view that non-U.S. governments should have to follow U.S. due process requirements in order to obtain any records about our customers. When non-U.S. governments have come to us requesting records, we have explained the nature of our service and, to the extent they were interested in obtaining data, encouraged them to submit a request to the U.S. Department of Justice through the MLAT process.

But it’s important to note that these processes serve an important function and are not just intended to delay the efforts of foreign law enforcement. They have helped us address some of the more challenging requests that we have seen. Let’s say, for example, law enforcement from an otherwise-respected nation sent us a court order demanding information about websites run by a vocal group of dissenters or even the organizers of a separatist referendum and also asked us to redirect that website to a location of their choosing. In that case, we would direct that foreign agency to submit an MLAT request. In situations like this, we might not receive subsequent legal process from the U.S. government, either because the government declined to ask the Department of Justice for an MLAT related to activity that could be viewed as political or because the Department of Justice declined to process it.

With the changing legal and policy landscape, as well as our increased presence in non-U.S. locations, we think it’s time to take a step towards the new framework that is taking shape.

The overwhelming majority of information that U.S. law enforcement seeks from Cloudflare through legal process is what we consider to be basic subscriber data -- the type of information that customers give us when they sign up for service. That includes things like name, email address, physical address, phone number, the means and source of payment, and non-content information about a customer’s account, such as data about login times and IP addresses used to login to the account.

Although we consider this account information to be private customer data, worthy of protection, we share the commonly held view that it is less sensitive than information considered to be content, such as email communications or documents created by users. In fact, U.S. law allows law enforcement to compel us to provide basic subscriber data with a subpoena, a type of legal process that does not require prior judicial review.

Recent policy discussions have convinced us that there may be situations where it is appropriate to provide this type of basic subscriber information to non-U.S law enforcement in response to non-U.S. legal process similar to a subpoena, a view in line with that of many other tech companies. We may therefore respond to requests for subscriber information if a government is seeking information about a crime in its country or about its citizens, we have employees in the country, and appropriate due process requirements and international standards have been met. We will also consider whether the country has signed a CLOUD Act agreement with the United States.

The CLOUD Act and other existing U.S. laws govern the provision of more sensitive, content data to non-U.S. law enforcement. U.S. companies are legally prohibited from providing content data to a non-U.S. government absent a U.S. CLOUD Act agreement with that country. Given the nature of our service, however, we rarely have records that constitute content that we could provide to law enforcement regardless of jurisdiction.

When we talk about our relationship with law enforcement, we often say that it is not Cloudflare's intent to make law enforcement's work any harder or any easier. We respect both that law enforcement agencies have a job to do and that our customers have rights relating to how their data is shared with law enforcement.

Regardless of what government is asking, there are certain standards we believe must be followed before we turn over customer data. Our goal is to maintain a healthy and open relationship with law enforcement officials so that they understand and respect our positions on each of these standards. The principles which remain important to us are as follows:

• Require Due Process. Cloudflare requires government entities seeking access to personal customer information to obtain appropriate legal process, including prior independent judicial review of any request for content.

• Provide Notice. We believe our customers deserve to be notified when we receive legal requests for their information, whether the requests come from law enforcement or private parties involved in civil litigation. We will provide that notice before we disclose the information, unless prohibited by law.

• Protect Privacy and User Rights. Whether inside or outside the United States, Cloudflare will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued. This includes requests to delay or prevent notice that appear unnecessarily broad, given the government interests at stake.

• Be Transparent. We believe the ability to report on the numbers and types of requests that we get from law enforcement, as well as how we respond, is critical to building trust with our customers. We will fight requests that unnecessarily restrict our ability to be transparent with our users.

Consistent with the last standard, we also intend to update our transparency report to reflect any requests that we receive from non-U.S. law enforcement authorities, whether for user information or anything else.

In a blogpost yesterday, we addressed the principles we rely upon when faced with numerous and various requests to address the content of websites that use our services. We believe the building blocks that we provide for other people to share and access content online should be provided in a content-neutral way. We also believe that our users should understand the policies we have in place to address complaints and law enforcement requests, the type of requests we receive, and the way we respond to those requests. In this post, we do the dirty work of addressing how those principles are put into action, specifically with regard to Cloudflare’s expanding set of features and products.

Currently, we receive abuse reports and law enforcement requests on fewer than one percent of the more than thirteen million domains that use Cloudflare’s network. Although the reports we receive run the gamut -- from phishing, malware or other technical abuses of our network to complaints about content -- the overwhelming majority are allegations of copyright violations or violations of other intellectual property rights. Most of the complaints that we receive do not identify concerns with particular Cloudflare services or products.

In the last year or so, we’ve also launched a variety of new products, including our video product (Cloudflare Stream), a serverless edge computing platform (Cloudflare Workers), a self-serve registrar service, and a privacy-focused recursive resolver (1.1.1.1), among others. Each of these services raises its own complex set of questions.  

There is no one-size-fits-all solution to address possible abuse of our products. Different types of services come with different expectations, as well as different legal and contractual obligations. Yet as we discussed in relation to our focus on transparency on Monday, being fully transparent means being consistent and predictable so our users can anticipate how we will respond to new situations.

To help us sort through how to address both complaints and law enforcement requests, when we introduce new products or features, we ask ourselves four basic sets of questions about the relationship between the service we’re providing and potential complaints about content:

• First, how are Cloudflare’s services interacting with the website content? For example, are we doing anything more than providing security and acting as a reliable conduit from one location to another?  Are we providing definitive storage of content? Did we provide the website its domain name through our registrar service? Is the Cloudflare service or product doing anything that could be seen as organizing, analyzing, or promoting content?

• Second, what type of action might a law enforcement or private complainant want us to take and what are the consequences of it?  What sort of information might law enforcement request -- private information about the user, content of what was sent over the Internet, or logs that would track activity?  Will third parties request information about a website; would they request removal of content from the Internet? Would removing our services address the problem presented?

• Third, what laws, regulations or contractual requirements apply? Does the nature of our interaction with the online content impact our legal obligations? Has the law enforcement request or regulation satisfied basic principles of the rule of law or due process?

• Fourth, will our response to the matter presented scale to address the variety of different requests or complaints we may receive over time, covering a variety of different subject matters and viewpoints? Can we craft a principled and content-neutral process to respond to the request? Would our response have an overbroad impact, either by impacting more than the problematic content or changing the Internet in jurisdictions beyond the one that has issued the law or regulation at issue?

Although those preliminary questions help us determine what actions we must take, we also do our best to think about the broader implications on the Internet of any steps we might take to address complaints.

People often come to Cloudflare with abuse complaints because our network sits in front of our customers’ sites in order to protect them from cyber attacks and to improve the performance of their website.

There aren’t a lot of laws or regulations that impose obligations to address content on those providing security or CDN services, for good reason. Most people complaining about content are looking for someone who can take that content off the Internet entirely. As we’ve talked about on other occasions, Cloudflare is unable to remove content that we don’t host, so we therefore try to make sure that the complaint gets to its intended audience -- the hosting provider who has the ability to remove the material from the Internet. As described on our abuse page,  complaining parties automatically receive information about how to contact the hosting provider, and unless the complaining party requests otherwise, abuse complaints are automatically forwarded to both the website owner and the hosting company to allow them to take action.

This approach has another benefit, consistent with the fourth set of questions we ask ourselves. It prevents addressing content with an unnecessarily blunt tool. Cloudflare is unable to remove its security and CDN services from only a sliver of problematic content on a website.  If we remove our services, it has to be from an entire domain or subdomain, which may cause considerable collateral damage. For example, think of the vast array of sites that allow individual independent users to upload content (“user generated content”). A website owner or host may be able to curate or deal with specific content, but if companies like Cloudflare had to respond to allegations of abuse by a single user’s upload of a single piece of concerning content by removing our core services from an entire site, and making it vulnerable to a cyberattack, those sites would be much more difficult to operate and the content contributed by all other users would be put at risk.

Similarly, there are a number of different infrastructure services that cooperate to make sure each connection on the Internet can happen successfully – DNS, registrars, registries, security, etc.  If each of the providers of those services, any one of which could put the entire transmission at risk, is applying blunt tools to address content, then the aperture of what content will stay online will get smaller and smaller. Those are bad results for the Internet. Actions to address troubling content online should focus narrowly on the actual concern to avoid unintended collateral consequences.

While we are unable to remove content we do not host, we are able to take steps to address abuse of our services, such as phishing and malware attacks. Phishing attacks typically fall into two buckets -- a website that has been compromised (unintentional phishing) or a website solely dedicated to intentionally misleading others to gather information (intentional phishing). These buckets are treated differently.

We discussed earlier that we aim to use the most precise tools possible when addressing abuse, and we take a similar approach for unintentional phishing content. If a website has been compromised (typically an outdated CMS) we can place a warning interstitial page in front of that specific phishing content to protect users from accidentally falling victim to the attack. In the majority of situations, this action is taken at a URL level of granularity.

In the case of intentional phishing attacks, such a domain like  my-totally-secure-login-page{.}com in combination with our Trust & Safety team being able to confirm the presence of phishing content on the website, we take broader action including a domain-wide interstitial warning page (effectively *my-totally-secure-login-page{.}com/*), and in some cases we may terminate our services to the intentionally malicious domain. To be clear though, this does not remove the phishing content that remains hosted by the website’s hosting provider. Ultimately, action still needs to be taken by the website owner or hosting provider to fully remove the underlying issue.

We think our approach requires a different set of responses for the small, but growing, number of Cloudflare products that include some sort of storage. Cloudflare Stream, for example, allows users to store, transcode, distribute and playback their videos. And Cloudflare Workers may allow users to store certain content at the edge of our network without a core host server. Although we are not a website hosting provider, these products mean we may be the only place where a certain piece of content is stored in some cases.  

When we are the definitive repository for content through any of our services, Cloudflare will carefully review any complaints about that content and may disable access to it in response to a valid legal takedown request from either government or private actors. Most often, these legal takedown requests are from individuals alleging copyright infringement.  Under the U.S. Digital Millennium Copyright Act, there is a specific process online storage providers follow to remove or disable access to content alleged to infringe copyright and provide an opportunity for those who post the material to contest that it is infringing. We have already begun implementing this process for content stored on our network.  That’s why we’ve begun a new section of our transparency report on requests for content takedown pursuant to U.S. copyright law for content that is stored on our network.  

We haven’t received any government requests yet to take down content stored on our network. Given the significant potential impact on freedom of expression from a government ordering that content be removed, if we do receive those requests in the future, we will carefully analyze the factual basis and legal authority for the request.  If we determine that the order is valid and requires Cloudflare action, we will do our best to address the request as narrowly as possible, for example, by clarifying overbroad requests or limiting blocking of access to the content to those areas where it violates local law, a practice known as “geo-blocking”. We will also update our transparency report on any government requests that we receive in the future and any actions we take.

If you sign up for our self-serve registrar service, you’re legally bound by the terms of our contract with the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization responsible for coordinating unique Internet identifiers across the world, as well as our contract with the relevant domain name registry.  

Our registrar-focused web page for abuse reporting does not reference abuse complaints about a website’s content.  In our role as a domain registrar, Cloudflare has no control or ability to remove particular content from a domain. We would be limited to simply revoking or suspending the domain registration altogether which would remove the website owner’s control over the domain name. Such actions would typically only be done at the direction of the relevant domain name registry, in accordance with their registration rules associated with the Top Level Domain, or more usually to address incidents of abuse as raised by the registry or ICANN. We therefore treat content-related complaints submitted based on our registrar services the same way we treat complaints about content for sites using our CDN or proxy services.  We forward them to the website owner and the website hosting company to allow them to take action or we work in tandem with the relevant registry and at their direction.

Running a registrar service comes with other legal obligations. As an ICANN accredited registrar, part of our contractual obligations include adhering to third party dispute resolution processes regarding trademark disputes, as handled by providers such as the World Intellectual Property Organization (WIPO) and the National Arbitration  Forum. Also, we continue to be part of the ICANN community discussions on how best to handle the collection, publication and provision of access to personal data in the WHOIS database in a manner consistent with the EU’s General Data Protection Regulation (GDPR) and other privacy frameworks. We will provide more updates on that front when the discussions have ripened.

Back in September, we announced that Cloudflare would be providing a gateway to the InterPlanetary File System (IPFS). Cloudflare’s IPFS gateway is a way to access content stored on the IPFS peer-to-peer network. Because Cloudflare is not acting as the definitive storage for the IPFS network, we do not have the ability to remove content from that network. We simply operate as a cache in front of IPFS, much as we do for our more traditional customers.

Because content is stored on potentially dozens of nodes in IPFS, if one node that was caching content goes down, the network will just look for the same content on another node. That fact makes IPFS exceptionally resilient. That same resilience, however, means that unlike with our traditional customers, with IPFS, there is no single host to inform of a complaint about content stored on the IPFS network.  Cloudflare often has no knowledge of who the owner is of content being accessed through the gateway, and this makes it impossible to notify the specific owner when we receive a complaint.

The law hasn’t yet quite caught up with distributed networks like IPFS, and there’s a notable debate among IPFS users about how best to deal with abuse. Some argue that having problematic content stored on IPFS will discourage adoption of the protocol, and advocate for the development of lists of problematic hashes that  IPFS gateways could choose to block. Others point out that any mechanism intended to block IPFS content will itself be subject to abuse. We don’t have the answer to that debate, but it does demonstrate to us the importance of being thoughtful about how we proceed.

For the time being, our plan is to respond to U.S. court orders that require us to clear our cache of content stored on IPFS. More importantly, however, we intend to report in future transparency reports on any law enforcement requests we receive to clear our IPFS cache, to ensure continued public discussion.

In April of last year, we launched our first DNS resolver, 1.1.1.1.  In June, we partnered with Mozilla to provide direct DNS resolution from within the Firefox browser using the Cloudflare Resolver for Firefox. Our goal with both resolvers was to develop fast DNS services that were focused on user privacy.  

We often get questions about how how we deal with both abuse complaints and law enforcement requests related to our resolvers.  Both of our resolvers are intended to provide only direct DNS resolution. In other words, Cloudflare does not block or filter content through either 1.1.1.1 or the Cloudflare Resolver for Firefox. If Cloudflare were to receive a request from a law enforcement or government agency to block access to domains or content through one of our resolvers, Cloudflare would fight that request. At this point, we have not yet received any government requests to block content through our resolvers. Cloudflare would also document any request to block content from our resolvers in our semi-annual transparency report, unless we were legally prohibited from doing so.

Similarly, Cloudflare has not received any government requests for data about the users of our resolvers, and would fight such a request if necessary. Given our public commitment not to retain any personally identifiable information for more than 24 hours, we believe it is unlikely that we would have any information even if asked. Nonetheless, if we were to receive a government request for data about a resolver user, we would document the request in our transparency report, unless legally prohibited from doing so.    

Although new products offered by Cloudflare in the future, as well as the legal and regulatory landscape, may change over the years, we expect that our approach to thinking about new products will stand the test of time. We’re guided by some central principles -- allowing our infrastructure to be as neutral as possible, following the rule of law or requiring due process, being open about what we’re doing, and making sure that we’re consistent regardless of the wide variety of issues we face. And we will work hard to make sure that doesn’t change, because even the smallest tweaks to the way we do things can have a significant impact at the scale we operate.

Although we are focused on protecting and optimizing the operation of the Internet, Cloudflare is sometimes the target of complaints or criticism about the content of a very small percentage of the more than thirteen million websites that use our service. Our termination of services to the Daily Stormer website a year and a half ago drew significant attention to our approach to these issues and prompted a lot of thinking on our part.  

At the time, Matthew wrote that calls for service providers to reject some online content should start with a consideration of how the Internet works and how the services at issue up and down the stack interact with that content. He tasked Cloudflare’s policy team with engaging broadly to try and find an answer. With some time having passed, we want to take stock of what we’ve learned and where we stand in addressing problematic content online.  

The weeks immediately following the decision in August 2017 were filled with conversations. Matthew made sure the Cloudflare team accepted every single invitation to talk about these issues; we didn’t simply put out a press release or “no comment” anyone. Our senior leadership team spoke with the media and with our employees -- some of whom had received threats related both to Cloudflare’s provision of services to the Daily Stormer and to the termination of those services. On the policy side, we spoke with a broad range of ideologically-diverse advocacy groups who reached out to alternatively congratulate us or chastise us for the decision.

As the time stretched into months, the conversations changed. We spoke with organizations who have made it their mission to fight hate and intolerance, with human rights organizations that depend on access to the Internet, with tech companies doing their best to moderate content, with academics who think about and research all aspects of content online, and with interested government and non-governmental organizations on two continents. In the end, we spoke with hundreds of different experts, groups, and entities about how different companies and different types of services address troubling content at different places in the Internet stack.  

Our overwhelming sense from these conversations is that the Internet, and the industry that has grown up around it, is at a crossroads. Policy makers and the public are rightly upset about misuse of the Internet.  We heard repeatedly that the world is moving away from the Internet as a neutral platform for people to express themselves and access information. Many governments and many of the constituents they represent appear to want the Internet cleaned up and stripped of troubling content through any technical means necessary, even if it means that innovation will be stifled and legitimate voices will be silenced. And companies large and small seem to be going along with it.

We’ve thought long and hard about what’s next both for us and the Internet in general. Although we share concerns about the exploitation of online tools, we are convinced that there are ways forward that do not shortchange the security, availability, and promise of the Internet.

We think the right solution will take us out of the clouds and into the weeds.  We have to figure out what core functions need to be protected to have the Internet we want, and we will have to get away from the idea that there’s a one-size-fits-all solution that will address the problems we see. If we really want to address risks online while maintaining the Internet as a forum for communication, commerce, and free expression, different kinds of services are going to have to deal with abuse differently.

The more we talked to people, the more that we saw a fundamental split on the Internet between the services that substantively touch content and the infrastructure services that do not.  It’s possible that, as a company that provides largely infrastructure services ourselves, we were were looking for this distinction. But we believe the distinction is real and helps explain why different businesses make distinctly different choices. As we discuss in our blog posts on transparency this week, the approach to questions about abuse complaints will mean different things for different Cloudflare products. Although we are not at the point yet where Cloudflare’s products organize, analyze, or promote content, we are aware that this conclusion may have implications for us in the future.

The Internet has revolutionized the way we communicate and access information. Because of the way the Internet works, everyone online has the opportunity to create and consume the equivalent of their own newspaper or television network. Almost any content you could want is available, if you can find it. That idea is at the heart of a the divide between services that curate content -- like social media platforms and search engines -- and basic Internet infrastructure services.  

Content curators make content-based decisions for a business purpose. For a search engine, that might mean algorithmically reviewing content to best match what is sought by the user. For a social media site, it might be a review of content to help predict what content the user will want to see next or what advertising might be most appealing.

For these types of online products, users understand and generally expect that the services will vary based on content. Different search engines yield different results; Different social media platforms will promote different content for you to review. These services are the Internet’s equivalents of the very small circle of newspaper editors or television network executives of old, making decisions about what you see online based on what they think you’ll want to see.

The value in these content curator services depends on how well they analyze, use, and make judgments about content.  From a business perspective, that means that these services want the flexibility to include or exclude particular content from their platforms. For example, it makes perfect sense for a platform that advertises itself as building community to have rules that prevent the community from being disrupted with hate-filled messages and disturbing content.

We should expect content curator services to moderate content and should give them the flexibility to do so. If these services are transparent about what they allow and don’t allow, and how they make decisions about what to exclude, they can be held accountable the same way people hold other businesses to account. If people don’t like the judgments being made, they can take their business to a platform or service that’s a better fit.

Basic Internet services, on the other hand, facilitate the business of other providers and website owners by providing infrastructure that enables access to the Internet.  These types of services -- which Matthew described in detail in the Daily Stormer blog post -- include telecommunications services, hosting services, domain name services such as registry and registrar services, and services to help optimize and secure Internet transmissions. The core expertise of these services is not content analysis, but providing the infrastructure needed for someone else to develop and analyze that content.

Because people expect these infrastructure services to be used to provide technical access to the Internet, the notion that these numerous services might be used to monitor what you’re doing online or make decisions about what content you should be entitled to access feels like a misuse, or even an invasion of privacy.

Internet infrastructure is a lot like other kinds of physical infrastructure.  At some basic level, we believe that everyone should be allowed to have housing, electricity or telephone, no matter what they plan to do with those services. Or that individuals should be able to send packages through FedEx or walk down the street wearing a backpack with a reasonable expectation they won’t be subject to unfounded search or monitoring. Much as we believe that the companies that provide these services should provide services to all, not just those with whom they agree, we continue to believe that basic internet infrastructure services, which provide the building blocks for other people to create and access content online, should be provided in a content-neutral way.

Developing different expectations for content curation services and infrastructure services is tougher than it seems. Behemoths best known for content curation services often provide infrastructure services as well. Alphabet, for example, provides content-neutral infrastructure services to millions of customers through Google Cloud and Google Domains, while also running one of the world’s largest content curated site in YouTube. And even if companies try to distinguish their infrastructure from content curation services, their customers may not.

In a world where content needs to be on a large network to stay online, there are only a handful of companies that can satisfy. Reducing that handful to those — like Cloudflare — that fall solely into the infrastructure bucket makes the number almost impossibly small. That is why we want to do better job talking about differences in expectations not by company, but by service.

And maybe we should also recognize that having only a small number of companies with robust enough networks to keep content online--most of which do content curation--is part of the problem. If you believe that the only way to be online is to be on a platform that curates content, you’re going to be rightly skeptical of that company’s right to take down content that they don’t want on their site. That doesn’t mean that a business that depends on analyzing content has to stop doing it, but it does make it that much more important that we have neutral infrastructure. It might be impossible for an alternate platform to be built, and for certain voices to have a presence online, without it.

The good news is that we’re not alone in our view of the fundamental difference between content curators and Internet infrastructure services. From the criticism we received for the Daily Stormer decision, to the commentary of Mike Masnick at Techdirt, to the academic analysis of Yale Law Professor Jack Balkin, to the call of the Global Commission on the Security of Cyberspace (GCSC) to protect the “public core” of the Internet, there’s an increasing awareness that not protecting neutral Internet infrastructure could undermine the Internet as we know it.

In his blog post on the Daily Stormer decision, Matthew talked about the importance of due process, the idea that you should be able to know the rules a system will follow if you participate in that system. But what we’ve learned in our follow up conversations is that due process has a different meaning for content curators.

There has been a clamor for companies like Facebook and Google to explain how they make decisions about what to show their users, what they take down, and how someone can challenge those decisions. Facebook has even developed an “Oversight Board for Content Decisions” -- dubbed as Facebook’s supreme court -- that is empowered to oversee the decisions the company makes based on its terms of service. Given that this process is based on terms of service, which the company can change at will to accommodate business decisions, this mostly seems like a way to build confidence in the company’s decision-making process. Instituting an internal review process may make users feel that the decisions are less arbitrary, which may help the company keep people in their community.

That idea of entirely privatized due process may make sense for content curators, who make content decisions by necessity, but we don’t believe it makes sense for those that provide infrastructure services. When access to basic Internet services is on the line, due process has to mean rules set and adjudicated by external decision-makers.

Although we don’t believe it is appropriate for Cloudflare to decide what voices get to stay online by terminating basic Internet services because we think content is a problem, that’s far from the end of the story. Even for Internet infrastructure, there are other ways that problematic content online can be, and is, addressed.

Laws around the world provide mechanisms for addressing particular types of content online that governments decide is problematic. We can save for another day whether any particular law provides adequate due process and balances rights appropriately, but at a minimum, those who make these laws typically have a political legitimacy that infrastructure companies do not.

Tomorrow, we’ll talk about how we are operationalizing our view that it’s important to  get into the weeds by considering how different laws apply to us on a service-by-service, and function-by-function basis.

Last December, Cloudflare announced the Athenian Project to help protect U.S. state and local election websites from cyber attack.

Since then, the need to protect our electoral systems has become increasingly urgent. As described by Director of National Intelligence Dan Coats, the “digital infrastructure that serves this country is literally under attack.” Just last week, we learned new details about how state election systems were targeted for cyberattack during the 2016 election. The U.S. government’s indictment of twelve Russian military intelligence officers describes the scanning of state election-related websites for vulnerabilities and theft of personal information related to approximately 500,000 voters.

This direct attack on the U.S. election systems using common Internet vulnerabilities reinforces the need to ensure democratic institutions are protected from attack in the future. The Athenian Project is Cloudflare’s attempt to do our part to secure our democracy.

Since announcing the Athenian Project, we’ve talked to state, county, and municipal officials around the country about protecting their election and voter registration websites. Today, we’re proud to report that we have Athenian Project participants in 19 states, and are in talks with many more. We have also strategized with civil society organizations, government associations, and federal government officials who share the goal of ensuring state and local officials have the tools they need to protect their institutions from cyberattack.

Working with state and local election officials has given us new appreciation for the dedication of those who serve as election officials, and how difficult it can be for those officials to identify and get the resources they need.

Local election officials — like ordinary voters — are the foundation of democracy. They guard the infrastructure of our constitutional system. Many officials juggle multiple roles within local government. They may manage multiple election websites, with limited information technology staff. Yet they know that their community, and sometimes the entire country, is relying on them to protect election integrity from countless global threats against it. The Athenian Project is about giving these dedicated professionals the tools they need to fight back and secure their systems.

A county Clerk-Recorder and Registrar of Voters, who is responsible for a number of election-related websites, told us that election officials worry about drawing attention to themselves, for fear they may be targeted for attack. Although cybersecurity is only one of the many responsibilities on her plate, this official is determined protect the county, using all the resources at her disposal. But without dedicated information technology staff, she has had difficulty identifying how best to protect county infrastructure.

Cloudflare can help, with both tools and know how.

Given the current threats, we think it’s important to provide more details about what our services do, and how they can help election officials. We’ve understood since the beginning that election websites would benefit from Cloudflare’s security features, including our DDoS mitigation, Web Application Firewall (WAF), IP reputation database, and ability to block traffic by country or IP address. In fact, reports of DDoS attacks on state and local government websites often get the most coverage because the impact — loss of service to the site — is visible to the public. Until our conversations, however, we did not fully appreciate how our services could solve other common problems for state and local government officials.

For election officials, the last day of voter registration and election day are often nerve-wracking events. Their websites can see more traffic in an hour than they’ve seen all year. For example, when the Special Election in Alabama in 2017 drew traffic from around the country, Alabama needed a distributed network and a CDN to ensure that the nearly 5 million Alabamians and everyone else in the U.S. could follow along.

Cloudflare’s other features can also help state and local election websites. The Senate Select Committee on Intelligence summary of the 2016 election hacking attempts concluded that the majority of malicious access attempts on voting-related websites were perpetrated using SQL injection. Cloudflare’s WAF protects against SQL injection, as well as other forms of attack.

Recently, one of the states whose election websites are part of the Athenian Project was attacked and two non-election related websites were defaced. Website defacement occurs when someone who is not authorized to make website changes alters the content on the site, often changing the home page to display the hacker’s logo or other material. Although the state’s election websites saw a 100-fold increase in threat traffic, our WAF helped prevent a similar defacement on those sites.

For election websites that are not already running on HTTPS, Cloudflare can also simplify the process of transitioning to use of SSL. With Google Chrome’s new initiative to mark non-HTTPS sites as insecure, potential voters visiting non-encrypted voter registration websites will be warned not to enter sensitive information on the site “because it could be stolen by attackers.” That is not the message officials want to send to a public nervous about cyberattacks on election infrastructure. Adding a security certificate can be a daunting task for local officials without IT resources, but for Athenian Project participants, it’s available at the click of a button. Athenian Project participants who need help with certificate management are given dedicated, auto-renewed certificates to improve the security of their sites. Cloudflare page rules can then direct all traffic to the HTTPS site.

We’ve also tailored the Athenian Project to better address the needs of those we are serving. So what have we done?

• More tools: We wanted to provide more tools for those who want to learn about and set up our service. We’ve therefore revamped our website to be more intuitive to navigate and to provide more information. We’ve created a new, interactive guide discussing website protection and a short video sharing the experience of current Athenian Project participants.

• How-to videos: There are videos to not only walk new participants through creating an account and transitioning their DNS servers, but also to provide best practices so that new participants can identify and turn on important features.

Getting Started

Best Practices

• Support help: We have found that state and local election officials often have challenges at the onboarding stage that are best addressed through personal attention. We’ve therefore added support features — including Athenian-specific support — to increase the personal interaction we have with officials and to provide them an opportunity to describe their own situation and needs.

• Set up flexibility: We’ve learned to be flexible with how we set up our service. While some counties were eager to leverage as much of the service as possible, including using full DNS delegation and dedicated certificates, others preferred to pick and choose between options. Depending on the circumstances for a given jurisdiction, we customize protection so they can use Cloudflare without needing to change the IT system for the whole state or county.

• Athenian Project-specific terms of service: To address common government contracting restrictions, we’ve drafted an Athenian Project-specific terms of service.

We hope these new details will make it even easier for election officials to get access to tools that can help them fulfill their critical responsibility to protect our elections.

In November, every state and district in the country will hold congressional elections. Election officials — and all of us — want to make sure that voter information remains secure and that websites stay online as voters seek out information on polling places and voting requirements, and anxiously refresh results pages on election night.

The entire American experiment is built on a simple act: a vote. To work as designed, citizens must trust the electoral system, its strength, integrity, and the people who protect it. Cloudflare is proud to support local officials on the front lines of election security.

And we, like election officials, know that building a resilient system requires long-term commitment. We are committed to continuing to do our part to keep U.S. election websites secure in this election and beyond.

If you would like more information about the Athenian Project, please visit our website cloudflare.com/athenian.

Photo of Indian Spices, by Joe mon bkk. Wikimedia Commons, CC BY-SA 4.0.

Share your Cloudflare Workers recipes with the Cloudflare Community. Developers in Cloudflare’s community each bring a unique perspective that would yield use cases our core team could never have imagined. That is why we invite you to share Workers recipes that are useful in your own work, life, or hobby.

We’ve created a new tag “Recipe Exchange” in the Workers section of the Cloudflare Community Forum. We invite you to share your work, borrow / get inspired by the work of others, and upvote useful recipes written by others in the community.

Recipe Exchange in Cloudflare Community

We will be highlighting interesting and/or popular recipes (with author permission) in the coming months right here in this blog.

Cloudflare Workers let you run JavaScript in Cloudflare’s hundreds of data centers around the world. Using a Worker, you can modify your site’s HTTP requests and responses, make parallel requests, or generate responses from the edge. Cloudflare Workers has been in open beta phase since February 1st. Read more about the launch in this blog post.

Cloudflare has an incredibly powerful global network of 151 data centers, where you can put compute anywhere and you can write with a language you’re familiar with (JavaScript) with a standard API you're familiar with (Service Workers). You can move your compute to be super low latency, to be much nearer to your end user, your database, your embedded device, or anything else you want faster round trips for.

You may access and leverage the power of Cloudflare’s network for your next applications or as an add-on for optimizing the performance of your existing projects by running JavaScript on Cloudflare’s edge network.

The next product that leverages Cloudflare's infrastructure to create security, performance, usability, and other optimizations for the Internet should have the lowest possible barriers to entry. Millions of customers should have access to those products on day one. That's how the Internet should work.

For inspiration, the Workers core team baked up some recipes to highlight a few popular use cases:

• A/B Testing You can create a Cloudflare Worker to control A/B tests.

• Aggregating Multiple Requests Here, we make multiple requests to different API endpoints, aggregate the responses and send it back as a single response.

• Conditional Routing The easiest way to deliver different content based on the device being used is to rewrite the URL of the request based on the condition you care about.

• Custom responses that don't hit origin servers You can return responses directly from the edge. No need to hit your origin.

• Hot-link Protection You can use Cloudflare Workers to protect your hot-links on your web properties.

• Post Requests Reading content from an HTTP POST request

• Random Content Cookies You can create random content cookies using Cloudflare Workers.

• Signed Requests A common URL authentication method known as request signing1 can be implemented in a worker with the help of the Web Crypto API.

• Streaming Responses Minimize the visitor’s time-to-first-byte and the amount of buffering done in the worker script.

That’s great! I’ve created this thread in the Cloudflare Community forum so anyone can submit a recipe idea, comment on one, and anyone can volunteer to write a recipe that there is a ready audience for.

Share your recipe in the Community Recipe Exchange

Project Jengo arose from a sense of immense frustration over the way that patent trolls purchase over-broad patents and use aggressive litigation tactics to elicit painful settlements from companies. These trolls know that the system is slanted in their favor, and we wanted to change that. Patent lawsuits take years to reach trial and cost an inordinate sum to defend. Knowing this, trolls just sit back and wait for companies to settle. Instead of perpetuating this cycle, Cloudflare decided to bring the community together and fight back.

After Blackbird filed a lawsuit against Cloudflare alleging infringement of a vague and overly-broad patent (‘335 Patent), we launched Project Jengo, which offered a reward to people who submitted prior art that could be used to invalidate any of Blackbird’s patents. Through this program, we wanted to make sure Blackbird couldn’t use any of its patents to attack other innovating companies. So far, the project has been a great success. We’ve received hundreds of prior art submissions from the Project that read across much of Blackbird’s patent portfolio.

Today we are releasing the core of the prior art we have collected, reviewed, and organized. In this way, other innovators can benefit from the efforts of Project Jengo. If at any point you are sued by Blackbird, you can go here to find the list of approximately 200 pieces of prior art that apply to 34 Blackbird patents. If you find yourself on the wrong end of a Blackbird patent troll lawsuit asserting one of those patents, this free information may be what you need to defend yourself.

So far, our legal arguments against Blackbird’s patents have been very well received by courts and administrative officials. This supports our assertion that patent trolls raise claims of dubious merit and hope that parties will settle with them to avoid the cost of defense.

Blackbird’s case against Cloudflare: As readers of this blog already know, in February 2018 the U.S. District Court for the Northern District of California short-circuited Blackbird’s lawsuit against Cloudflare by granting Cloudflare’s Motion to Dismiss on an Alice motion, which means that the court ruled the '335 Patent was too abstract to be valid because abstract ideas are not patentable. In granting Cloudflare’s motion, Judge Chhabria noted that Blackbird’s assertion of the patent “attempts to monopolize the abstract idea of monitoring a preexisting data stream between a server.”

But there’s an update. Blackbird recently appealed the ruling to the United States Court of Appeals for the Federal Circuit, a special federal court that hears all appeals related to patents. Currently, the parties are submitting briefs to the court and expect to participate in a hearing on the issue in December. Cloudflare will continue our fight to show that Blackbird’s '335 Patent is a non-patentable abstract idea and its lawsuit is meritless.

In addition, there have been updates from the U.S. Supreme Court that relate to our fight. In April, the Supreme Court decided the Oil States case maintaining the constitutionality of the inter partes review (IPR) process. As we have previously discussed, the IPR process is an administrative method for invalidating a patent outside of litigation, by going back to the Patent Office and petitioning them to review the validity of the patent based on the invention’s novelty or obviousness. To keep the pressure on Blackbird, Cloudflare filed an IPR related to the '335 Patent. The Patent Trial and Appeal Board (PTAB) will likely decide whether to grant the petition by October 2018 and, if granted, a hearing about invalidating the '335 Patent would be scheduled for approximately a year later. The legal and administrative challenges to the validity of the '335 Patent will proceed in parallel; they present slightly different goals but seek the same outcome -- to invalidate a bad patent.

Project Jengo strikes its first target: We wrote previously about Project Jengo’s intention to challenge other clearly invalid patents in the Blackbird portfolio before they could be used to victimize other innovative companies. The first target of Project Jengo apart from the patent asserted against Cloudflare was U.S. Patent 7,797,448 (“GPS-internet Linkage”).

This patent described an “integrated system comprising the Global Positioning System and the Internet wherein the integrated system can identify the precise geographic location of both sender and receiver communicating computer terminals.” This broadly-worded patent could potentially be used to sue a massive number of technology products that involve GPS or other location technology. In July 2016, Blackbird sued and settled with six companies under a lawsuit relying on the '448 Patent. Even though Blackbird had not sued Cloudflare under this patent, and it seemed an unlikely threat to us directly, we made it a target of Project Jengo because we thought this patent was terrible and posed a unique threat to others in the tech industry. That’s the spirit and larger mission that brought so many of you to this effort.

We have good news to report on this front as well.

Based on the strength of the prior art we received through Project Jengo and the number of times Blackbird had used the ‘448 Patent to elicit a settlement, we filed for an ex parte reexamination (EPR) of the ‘448 Patent by the US Patent and Trademark Office (“USPTO”). The EPR is another--less formal--administrative proceeding that can be used to challenge obviously deficient patents. In March, the USPTO issued a Non-Final Office Action that proposed rejecting the ‘448 Patent, noting, “the ‘448 Patent does not have support for the new or amended claims.” In rejecting the ‘448 claims, USPTO relied heavily on prior art submitted by the Project Jengo community.

In response to the Non-FInal Office Action, Cloudflare supplied additional briefs for the USPTO to consider. After considering those briefs, the USPTO will decide whether or not to change its initial conclusions and issue a final order.

And we’re not done. As we’ve said from the beginning, our goal in this effort is to collect prior art on all of Blackbird’s patents. The window is still open. You’re welcome to submit additional prior art that will be considered for the bounty awards, added to the arsenal, and most importantly, earn you a nifty Project Jengo t-shirt.

T-shirt arrived really quickly and I appreaciate how accommodating you were with organising my payment, it's helped to chip away at my student loan :)

Cheers!Adam

We’ve awarded more than $7,500 to participants so far and plan to distribute more than $40,000 more before Project Jengo is done. If you would like to join Project Jengo, please submit any prior art you think will be relevant here and stay tuned for more awards and updates.

Finally, Matthew wouldn’t let us post another Jengo update without including a public appeal to our friends at Raytheon. You see, Raytheon, a company holding thousands of patents and headquartered in Massachusetts, bought a company called Blackbird Technologies in 2014 and still owns the trademark. When Blackbird Technologies, a notorious patent troll holding hundreds of patents and also based in Massachusetts, sued Cloudflare last year, we were briefly confused whether there was a connection ... there isn’t. So we’re looking for a senior executive at Raytheon with a sense of humor or a protective Raytheon lawyer without one that would be willing to give us a license to the trademark they hold for Blackbird Techologies® for a very limited and particular use. We’d suggest a fee of “$1 and other good and valuable consideration,” the same amount the patent troll claims they paid for the patent they used as the basis for their lawsuit against Cloudflare.

And this shouldn’t even need to engage the sense of humor over at Raytheon, we definitely think the attorneys on their IP team should be concerned that a company in their own backyard is infringing on and disparaging the name of one of their brands. This is especially the case since the patent troll holds a number of broad patents on things like determining travel time, utilizing GPS data, and dealing with electronic equipment, that could be understood as overlapping with Raytheon’s business. It’s a lawsuit with much more legal merit and actual injury than the overwhelming number of cases brought by Blackbird Technologies, the patent troll. If any of you have friends at Raytheon who may be willing to help us use the intellectual property system to shut down or force the rebranding of a notorious patent troll, let us know in the comments.

At the end of March, Kenton Varda, tech lead and architect for Cloudflare Workers, traveled to London and led a talk about the Rise of Edge Compute where he laid out our vision for the future of the Internet as a platform.

Several of those who were unable to attend on-site asked for us to produce a recording. Well, we've completed the audio edits, so here it is!

Visit the Workers category on Cloudflare's community forum to learn more about Workers and share questions, answers, and ideas with other developers.

Visit the Community Forum Here »

Photo by Nick Karvounis / Unsplash

Are you based in Copenhagen or London? Drop by one or all of these five events.

Ross Guarino and Terin Stock, both Systems Engineers at Cloudflare are traveling to Europe to lead Go and Kubernetes talks in Copenhagen. They'll then join Junade Ali and lead talks on their use of Go, Kubernetes, and Cloudflare’s Mobile SDK at Cloudflare's London office.

My Developer Relations teammates and I are visiting these cities over the next two weeks to produce these events with Ross, Terin, and Junade. We’d love to meet you and invite you along.

Our trip will begin with two meetups and a conference talk in Copenhagen.

Tuesday, 1 May: 17:00-21:00

Location: Trifork Copenhagen - Borgergade 24B, 1300 København K

How to extend your Kubernetes cluster

A brief introduction to controllers, webhooks and CRDs. Ross and Terin will talk about how Cloudflare’s internal platform builds on Kubernetes.

Speakers: Ross Guarino and Terin Stock

View Event Details & Register Here »

Wednesday, 2 May: 18:00-21:00

Location: Falcon.io - H.C. Andersen Blvd. 27, København

Talk 1: Building Go with Bazel

Fast and Reproducible go builds with Bazel. Learn how to remove Makefiles from your repositories.

Speaker: Ross Guarino

Talk 2: Internationalization in Go

Explore making effective use of Go’s internationalization and localization packages and easily making your applications world-friendly.

Speaker: Terin Stock

View Event Details & Register Here »

Friday, 4 May: 14:45-15:20

Location: KubeCon + CloudNativeCon 2018 - Bella Center, Center Blvd. 5, 2300 København

If you happen to be attending KubeCon + CloudNativeCon 2018, check out Terin and Ross’s conference talk as well.

This session demonstrates how to leverage Kubernetes Controllers and Initializers as a framework for building transparent extensions of your Kubernetes cluster. Using a live coding exercise and demo, this presentation will showcase the possibilities of the basic programming paradigms the Kubernetes API server makes easy.

Speakers: Ross Guarino and Terin Stock

View Event Details & Register Here »

Photo by Paul Buffington / Unsplash

When KubeCon + CloudNativeCon 2018 concludes, we're all heading to the Cloudflare London office where we are hosting two more meetups.

Wednesday, 9 May: 18:00-20:00

Location: Cloudflare London - 25 Lavington St, Second floor | SE1 0NZ London

This session demonstrates how to leverage Kubernetes Controllers and Initializers as a framework for building transparent extensions of your Kubernetes cluster. Using a live coding exercise and demo, this presentation will showcase the possibilities of the basic programming paradigms the Kubernetes API server makes easy. As an SRE, learn to build custom integrations directly into the Kubernetes API that transparently enhance the developer experience.

Speakers: Ross Guarino and Terin Stock

View Event Details & Register Here »

Thursday, 10 May: 18:00-20:00

Location: Cloudflare London - 25 Lavington St, Second floor | SE1 0NZ London

Whether you're building an e-commerce app or a new mobile game, chances are you'll be needing some network functionality at some point when building a mobile app. Network performance can vary dramatically between carriers, networks, and APIs, but far too often mobile apps are tested inconsistent conditions with the same decent network performance. Fortunately we can iterate on our apps by collecting real-life performance measurements from your users; however, unfortunately existing mobile app analytics platforms only provide visibility into in-app performance but have no knowledge about outgoing network call.

This talk will cover how you can easily collect vital performance data from your users at no cost and then use this data to improve your apps' reliability and experience, discussing the tips and tricks needed to boost app performance.

Speaker: Junade Ali

View Event Details & Register Here »

Ross Guarino is a Systems Engineer at Cloudflare in charge of the technical direction of the internal platform. He’s determined to improve the lives of developers building and maintaining everything from a simple function to complex globally distributed systems.

Terin Stock is a long-time engineer at Cloudflare, currently working on building an internal Kubernetes cluster. By night, he hacks on building new hardware projects. Terin is also a member of gulp.js core team and the author of the Sticker Standard.

Junade Ali is a software engineer who is specialised in computer security and software architecture. Currently, Junade works at Cloudflare as a polymath, and helps make the Internet more secure and faster; prior to this, he was a technical lead at some of the UK's leading digital agencies before moving into architecting software for mission-critical road-safety systems.

We'll hope to meet you soon!

Photo by Karsten Würth (@inf1783) / Unsplash

Cloudflare's mission is to help build a better Internet. While working toward our goals, we want to make sure our processes are conducted in a sustainable manner.

In an effort to do so, we’ve reduced Cloudflare’s environmental impact by contracting to purchase regional renewable energy certificates, or “RECs,” to match 100% of the electricity used in our North American data centers as well as our U.S. offices. Cloudflare now has servers in 154 unique cities around the world, with 38 located in North America. Cloudflare has opted to support geographically diverse projects in proximity to our office and data center electricity usage. This renewable energy initiative reduces our electricity-based carbon footprint by 5,561 tons of CO2 which has a positive environmental impact. The impact can be compared to growing 144,132 trees seedlings for 10 years, or taking 1,191 cars off the road for one year.

How does buying a REC help reduce Cloudflare's carbon footprint you may ask? When 1MWh of electricity is produced from a renewable generator, such as a wind turbine, there are two products: the energy, which is delivered to the grid and mixes with other forms of energy, and the REC. When renewable energy is delivered to the grid, it cannot be distinguished from electrons from non-renewable sources. The REC is a way to track the renewable electricity and is like a receipt for owning the environmental benefits associated with the generation of renewable energy. RECs allow individuals and businesses to support renewable energy development and help to make renewable energy projects financially viable while lowering carbon footprints.

This purchase is an important step on our sustainability path. It is part of a broader sustainability effort which includes working with more data centers that specialize in lowering their PUE (Power Usage Effectiveness), as well as waste diversion and energy efficiency measures already in place in our offices worldwide. Moving forward, we plan to increase our renewable energy commitment to match energy used in our data centers and offices globally. We look forward to this and other opportunities to increase support of renewable energy and reduce our carbon footprint!

ARP you going to be there? We R going to have three epoch sessions by Cloudflare speakers. Ifdown, seems apt you could SELECT to JOIN. Cat make it? Not a bg deal, wget it (though it mega hertz we won’t C you). All the audio from the three sessions will be recorded, you can listen to the cd.

WPS! I almost forgot to tel(net) you whois going to be there, and WAN and where to go.

On Friday, March 9, I’m moderating a panel with Emily Schechter from Google, Aaron DeVera from Deloitte and Gabe Kassel from eero about how Wi-Fi networks work and WEP happens when attackers coax people into joining insecure networks. It’s at Salon K in the Hilton at 3:30PM.

On Sunday the 11th, Nitin Rao is on a panel with Heather West from Mozilla, Stefan Lederer from Bitmovin and Fred Benenson from Unlimited Liability Corporation LLC about the impact of the recent revocation of Net Neutrality rules on online video streaming. It’s at 11AM at Salon J in the Hilton. Nitin is really good at putting concepts in a GNU frame, so I expect this to be a bit (g)rate. Whoami kidding? It will be emacs-ulate.

And then on Thursday March 15th, Marc Rogers is giving a talk about how he hacked the Tesla Model S and the current state of automotive security. (The TLD(r) is that it’s a long road ahead, but automotive companies are driven to make it better). It’s at 11am in Room 203-204 at the JW Marriot. He gave a similar talk at Defcon so this is kind of a SQL.

There’s a lot but looking forward to packet all in. IEEE hope you can join!

--

MAR 9, 2018 | 3:30PM – 4:30PM | HILTON AUSTIN DOWNTOWN SALON KShould I Use This Wi-Fi?

You’re sitting at the gate, about to connect to the free airport Wi-Fi when you stop and think. You’ve heard something about insecure public Wi-Fi before, but could using a bad Wi-Fi network really leak your data or let someone hack your Facebook? Just as there will never be perfect code, there will always be inherent flaws in the tools we use to communicate, work and pay our bills. Find out how vulnerabilities in the web are exploited and what that means in the future of our online privacy.

MAR 11, 2018 | 11:00AM – 12:00PM | HILTON AUSTIN DOWNTOWN SALON JFighting the Demise of Net Neutrality w/Innovation

As consumer demand for streaming video explodes, digital publishers are scrambling to upgrade their video production capabilities in the fight for viewer eyeballs. But in light of eroding net neutrality protections, publishers must ensure their streaming infrastructure delivers a stellar consumer experience in order to stay relevant and compete with giants like Netflix and YouTube. Hear from industry leaders on how the war on net neutrality will alter how audiences consume video.

MAR 15, 2018 | 11:00AM – 12:00PM | JW MARRIOTT ROOM 203-204Who’s Really in Control of Self-Driving Cars?

A few years back, I hacked the Tesla Model S. Scary, right? Actually, it’s not as scary as it seems. In this session, I’ll discuss the current state of automotive security as I see it and give a deep dive discussion on where security needs to be moving forward. I’ll discuss the steps needed to hack a car, the cars that are most vulnerable, the security of self-driving cars, and how concerned consumers can protect themselves.

There’s a special place in our heart for all the open source projects that support the Internet and improve the lives of everyone in the developer community, and today seems like an appropriate time to express the gratitude we have for the non-profit / volunteer-run projects that hold everything together.

Cloudflare uses a lot of open source software and also contributes to open source. Informally, Cloudflare has already been upgrading the plans of certain eligible open source projects that have reached out to us or that we have interfaced with. Here are some of the projects whose landing pages are already protected by Cloudflare.

To really pay the goodwill forward, we want to make this opportunity common knowledge in the developer community. In 2018, we intend to provide free Cloudflare Pro Plan upgrades to eligible open source projects (subject to a case-by-case evaluation) that:

1. provide engineering tools or resources to the developer community; and

2. are volunteer-run or working on a non-profit basis.

Are you an open source project using @Cloudflare? We want to give you a free Pro Plan to thank you for your work for the community.  ? -> os-sponsorship@cloudflare.com Please RT!

— Cloudflare (@Cloudflare) January 30, 2018

Making core contributions to a qualifying open source project? Drop a line to os-sponsorship@cloudflare.com with a link to the project’s landing page, repo, and a description of what engineering tools or resources your project provides to the developer community.

And please RT this opportunity, and share it with all the open source contributors in your life. Thanks!