Cloudflare’s Kiwi Farms Support May Soon Hurt Its Bottom Line

At what point should a cloud services provider assume responsibility for the actions of its users? In the U.S., internet service providers are protected under Section 230 of the Communications Decency Act (CDA) from liability that may occur from their users’ online statements. But even if a company’s hands-off policy is protected legally, hosting controversial material may end up impacting its reputation, not to mention its revenue stream.

Popular caching provider Cloudflare is coming under increasing criticism for supporting Kiwi Farms, a malicious American far-right internet forum dedicated to mocking and harassing online figures, notably those in the trans and the LGBTQ community. One of those harassed has been Liz-Fong Jones, a respected engineer in the cloud native computing community, who has shared her frustrations with Cloudflare in a series of live Twitch videos. Cloudflare offers both caching and denial-of-service prevention services to Kiwi. (Disclosure: Cloudflare has also hosted sites that illegally repost copyrighted material from TNS.)

In these videos, she accuses Cloudflare of disrupting her own life, and those of many others, by willfully ignoring complaints submitted to Cloudflare about the many forms of harassment coming from Kiwi Farms, which she described as “a watering hole for sadistic individuals who wants to get reactions out of marginalized people.” The attacks are not merely verbal, as vicious as they are, but also often use personal identifying data to harass individuals with unwanted food delivery orders and even police calls to the victim’s house. This has sparked, in some cases, traumatic responses.

There is no business case to continue to provide services to KiwiFarms. It is an explicitly political decision, and one that should be seen as a moral stain on the industry.https://t.co/dARZKlQe0e

— Emily G (@EmilyGorcenski) August 23, 2022

Cloudflare has not responded to our inquiry as of the deadline time of this post. But the company executives have responded in the past that they see Cloudflare as a champion of internet equality — that everyone should be allowed a forum online, where issues can be debated.

“I’m almost a free-speech absolutist,” Cloudflare CEO Matthew Prince had told Ars Technica, explaining his Libertarian-based reluctance to drop its support for its most infamous customer, the neo-Nazi site the Daily Stormer (which the company eventually did amidst public outcry).

But Fong-Jones argues that in cases like Kiwi Farms, such equality is anything but equal, as people must defend themselves from large-scale attacks, ones they had no interest in participating in.

“If you’re working at Cloudflare, this is what the outcome of your technical work is: You are holding up a system that is designed to, by policy, harm marginalized groups.” — @lizthegrey on @Cloudflare‘s support of KiwiFarms. https://t.co/byqydu9WVA #DropKiwifarms

— Joab Jackson (@Joab_Jackson) August 25, 2022

And, as Fong-Jones has pointed out, there is no government mandate that everyone must have access to a caching service. It is entirely Cloudflare’s choice to choose to do business with Kiwi Farms. “Cloudflare is not a monopoly,” she said. “It has competition. If Cloudflare chooses not to do business with a particular origin server, that origin server can choose to do business with other providers.”

It appears Fong-Jones will continue her campaign as long as Cloudflare supports the online forum. She plans to release another livestream/video, on Friday, 6 p.m. PT, that will offer plans on how other customers to move off Cloudflare service. The idea is to “hit Cloudflare in the pocketbook, where it hurts,” Fong-Jones said.

And if this issue continues to gain attention in the public eye, it won’t be Cloudflare’s problem alone but Cloudflare’s other customers as well, who may have to explain why they continue to use the service.

when you have a “garbage in” problem, the correct solution is not to make the garbage inalterable via an append-only database

— cathode ray theory (@said_mitch) August 22, 2022

This Week in Programming

• Bun in the Oven: Alternatives to the widely-used but sometimes-frustrating Node.js serverside runtime gaining momentum. A few weeks back, we reported that the company behind Deno (more secure, better package management) has gotten $21 million of funding (including some from TNS parent company Insight Partners). Now the fast-rising Bun (faster, more dev-friendly) has gotten a new company Oven (get it?), thanks to $7 million of investment from Kleiner Perkins, Vercel CEO Guillermo Rauch and YCombinator. Basically, Node and Deno — both designed by Ryan Dahl — both use Google’s V8 JavaScript engine, while Bun — built by Jared Sumner — uses Apple Webkit’s speedier JavaScriptCore framework, as well as the tight Zig programing language.

• Oven in the Hotseat: As soon as Bun-provider Oven announced its own existence, via Twitter, it encountered some fierce criticism. Given Bun’s still nascent stage of development, the company is hiring engineers, natch, though warned that “Oven is going to be a grind, especially the first nine months or so. If work-life balance to you means a lot of time spent not working, it’s probably not a good fit right now.” While such obsessive rock star programming was the norm a decade ago, the cultural norms around dev are currently undergoing a shift, back towards a more balanced work-life balance. And so, no surprise, this Tweet was ratio’d pretty badly, garnering many more critical responses than hearts. For our money, the most succinct response came from the honored CompSci elder Grady Booch: “It is neither a mark of honor nor a good software development practice to formalize the idea of software development death marches.” Heed Grady’s wisdom.

• Meet the New Kubernetes: Everyone’s favorite open source container orchestration tool from the Cloud Native Computing Foundation has been updated. The Kubernetes 1.25  release, nicknamed Combiner in honor of its many contributors, consists of 46 enhancements. Fifteen of these enhancements have graduated to stable, 15 enhancements are moving to beta, and 13 enhancements are entering alpha. Ephemeral containers — very handy for debugging — have also Graduate to Stable. Ephemeral containers have been made possible courtesy of Linux’s cgroups v2, which Kubernetes now supports, bringing a sigh of relief to K8s admins everywhere.
• …And That’s Not All for K8s: Another big selling point for Kubernetes 1.25 is that the messy and hard-to-work-with PodSecurityPolicy has been removed, with the Pod Security Admission taking its place. This new admission controller can enforce the pod security standards at the namespace level, when pods are created. PodSecurityPolicy had some serious issues that “could not be addressed without making breaking changes, and that’s why we got a replacement in place,” Google software engineer and Kubernetes core contributor Cici Huang explained to TNS. In particular, it was too easy for users to apply a broader set of access rights than intended, leading to security issues. And the earlier controller couldn’t do audit mode either. The new Pod Security Admission makes it “much easier for users to apply the security best practices without going too deep in understanding the product specification.”

CDC says you can use log4j again.

— Vicki (@vboykis) August 11, 2022