Tag Archives: Legal

The Project Jengo Saga: How Cloudflare Stood up to a Patent Troll – and Won!

Post Syndicated from Alex Krivit original https://blog.cloudflare.com/the-project-jengo-saga-how-cloudflare-stood-up-to-a-patent-troll-and-won/


Remember 2016? Pokemon Go was all the rage, we lost Prince, and there were surprising election results in both the UK and US. Back in 2016, Blackbird Technologies was notorious in the world of patent litigation. It was a boutique law firm that was one of the top ten most active patent trolls, filing lawsuits against more than 50 different defendants in a single year.

In October 2016, Blackbird was looking to acquire additional patents for their portfolio when they found an incredibly broad software patent with the ambiguous title, “PROVIDING AN INTERNET THIRD PARTY DATA CHANNEL.” They acquired this patent from its owner for $1 plus “other good and valuable consideration.” A little later, in March 2017, Blackbird decided to assert that patent against Cloudflare.

As we have explained previously, patent trolls benefit from a problematic incentive structure that allows them to take vague or abstract patents that they have no intention of developing and assert them as broadly as possible. Instead, these trolls collect licensing fees or settlements from companies who are otherwise trying to start a business, produce useful products, and create good jobs. Companies facing such claims usually convince themselves that settlements in the tens or hundreds of thousands of dollars are quicker and cheaper outcomes than facing years of litigation and millions of dollars in attorneys' fees.

The following is how we worked to upend this asymmetric incentive structure.  

The Game Plan

After we were sued by Blackbird, we decided that we wouldn’t roll over. We decided we would do our best to turn the incentive structure on its head and make patent trolls think twice before attempting to take advantage of the system. We created Project Jengo in an effort to remove this economic asymmetry from the litigation. In our initial blog post we suggested we could level the playing field by: (i) defending ourselves vigorously against the patent lawsuit instead of rolling over and paying a licensing fee or settling, (ii) funding awards for crowdsourced prior art that could be used to invalidate any of Blackbird’s patents, not just the one asserted against Cloudflare, and (iii) asking the relevant bar associations to investigate what we considered to be Blackbird’s violations of the rules of professional conduct for attorneys.

How’d we do?

The Lawsuit

As promised, we fought the lawsuit vigorously. And as explained in a blog post earlier this year, we won as convincing a victory as one could in federal litigation at both the trial and appellate levels. In early 2018, the District Court for the Northern District of California dismissed the case Blackbird brought against us on subject matter eligibility grounds in response to an Alice motion. In a mere two-page order, Judge Vince Chhabria held that “[a]bstract ideas are not patentable” and Blackbird’s assertion of the patent “attempts to monopolize the abstract idea of monitoring a preexisting data stream between a server and a client.” Essentially, the case was rejected before it ever really started because the court found Blackbird’s patent to be invalid.

Blackbird appealed that decision to the Court of Appeals for the Federal Circuit, which unceremoniously affirmed the lower court decision dismissing the appeal just three days after the appellate argument was heard. Following this ruling, we celebrated.

As noted in our earlier blog post, although we won the litigation as quickly and easily as possible, the federal litigation process still lasted nearly two years, involved combined legal filings of more than 1,500 pages, and ran up considerable legal expenses. Blackbird’s right to seek review of the decision by the US Supreme Court expired this summer, so the case is now officially over. As we’ve said from the start, we only intended to pursue Project Jengo as long as the case remained active.  

Even though we won decisively in court, that alone is not enough to change the incentive structure around patent troll suits. Patent trolls are repeat players who don’t have significant operations, so the costs of litigation and discovery are much less for them.

Funding Crowdsourced Prior Art to Invalidate Blackbird Patents

Prior Art

An integral part of our strategy against Blackbird was to engage our community to help us locate prior art that we could use to invalidate all of Blackbird’s patents. One of the most powerful legal arguments against the validity of a patent is that the invention claimed in the patent was already known or made public somewhere else (“prior art”). A collection of prior art on all the Blackbird patents could be used by anyone facing a lawsuit from Blackbird to defend themselves. The existence of an organized and accessible library of prior art would diminish the overall value of the Blackbird patent portfolio. That sort of risk to the patent portfolio was the kind of thing that would nudge the incentive structure in the other direction. Although the financial incentives made possible by the US legal system may support patent trolls, we knew our secret weapon was a very smart, very motivated community that loathed the extortionary activities of patent trolls and wanted to fight back.

And boy, were we right! We established a prior art bounty to pay cash rewards for prior art submissions that read on the patent Blackbird asserted against Cloudflare, as well as any of Blackbird’s other patents.  

We received hundreds of submissions across Blackbird’s portfolio of patents. We were very impressed with the quality of those submissions and think they call the validity of a number of those patents into question. All the relevant submissions we collected can be found here sorted by patent number, and we hope they are put to good use by other parties sued by Blackbird. Additionally, we’ve already forwarded prior art from the collection to a handful of companies and organizations that reached out to us because they were facing cases from Blackbird.

A high-level breakdown of the submissions:

  • We received 275 total unique submissions from 155 individuals on 49 separate patents, and we received multiple submissions on 26 patents.
  • 40.1% of the total submissions related to the ’335 patent asserted against Cloudflare.
  • The second highest concentration of prior art submissions (14.9% of total) relate to PUB20140200078 titled “Video Game Including User Determined Location Information.” The vast majority of these submissions note the similarity between the patent’s claims and the Niantic game Ingress.

A few interesting examples of prior art that were submitted that we think are particularly damaging to some of the Blackbird patents:

  • Internet based resource retrieval system (No. 8996546)
    The first two sentences of this 2004 patent’s abstract summarize the patent as a “resource retrieval system compris[ing] a server having a searchable database wherein users can readily access region-based publications similar to, but not necessarily limited to, printed telephone directories. The resource retrieval system communicates with at least one user system, preferably via the Internet.”

    The Project Jengo community reviewed the incredibly broad language in the patent claims and submitted a reference to an online phone book that allowed for the searching of local results from an online AT&T database. The submission is a link to an archive of a webpage from the year 2000, potentially calling into question the Blackbird patent on eligibility grounds.

  • Illuminated product packaging (No. 7086751)
    This patent seeks protection for packaging “intended to hold a product for sale. The product package includes one or more light sources disposed therein and configured to direct light through one or more openings in the exterior of the product package, in order to entice customers to purchase the product.”

    In one of the more interesting Project Jengo submissions we received, the following information was provided: The CD packaging for Pink Floyd’s ‘Pulse’ included a blinking LED within the cardboard box that was active and visible on store shelves. We felt that this also spoke to the heart of this broad and seemingly obvious patented product.

  • Sports Bra (No. 7867058)
    This Blackbird patent involves a “sports bra having an integral storage pouch.”

    The Project Jengo community found a submission on a public discussion forum that pre-dates the ’058 patent and discloses the idea of modifying a bra by creating an incision in the inner lining and applying a Velcro strip so as to form a resealable pocket within the bra… Or essentially the same invention.

As a Bonus – an Ex Parte Victory

Almost immediately after we announced Jengo, we received an anonymous donation from someone who shared our frustration with patent trolls. As we announced, this gift allowed us to expand Jengo by using some of the prior art to directly challenge other Blackbird patents in administrative proceedings.

We initiated an administrative challenge against Blackbird Patent 7,797,448 (“GPS-internet Linkage”). The patent describes in broad and generic terms “[a]n integrated system comprising the Global Positioning System and the Internet wherein the integrated system can identify the precise geographic location of both sender and receiver communicating computer terminals.” You don’t have to be particularly technical to realize how largely obvious and widely applicable such a concept would be, as many modern Internet applications attempt to integrate some sort of location services using GPS. This was a dangerous patent in the hands of a patent troll.

Based on the strength of the prior art we received from the Project Jengo community and the number of times Blackbird had asserted the ’448 Patent to elicit a settlement from startups, we filed for an ex parte reexamination (EPR) of the ’448 Patent by the US Patent & Trademark Office (USPTO). The EPR is an administrative proceeding that can be used to challenge obviously deficient patents in a less complex, lengthy, or costly exercise than federal litigation.

We submitted our EPR challenge in November 2017. Blackbird responded to the ex parte reexamination by attempting to amend their patent’s claims to make them narrower, in an effort to make the patent more defensible and avoid the challenge. In March 2018, the USPTO issued a Non-Final Office Action that proposed rejecting the ’448 Patent’s claims altogether because the claims were found to be preempted by prior art submitted by Project Jengo. Blackbird did not respond to the Office Action. A few months later, in August 2018, the USPTO issued a final order in line with the Office Action, which cancelled the ’448 Patent’s claims. The USPTO’s decision means the ’448 patent is invalid and no one can assert the incredibly broad terms of the ’448 patent again.

Rewarding the Crowd

As promised, Cloudflare distributed more than $50,000 in cash awards to eighteen people who submitted prior art as part of the crowdsourced effort. We gave out more than $25,000 to people in support of their submissions related to the ’335 patent asserted against Cloudflare. Additionally we awarded more than $30,000 to submitters in support of our efforts to invalidate the other patents in Blackbird’s portfolio.

In general, we awarded bounties based on whether we incorporated the art found by the community into our legal filings, the analysis of the art as provided in the submission, whether someone else had previously submitted the art, and the strength and number of claims the art challenged in the specified Blackbird patent.

We asked many of the recent bounty winners why they decided to submit prior art to Project Jengo and received some of the following responses:  


"Over the years I’ve been disappointed and angered by a number of patent cases where I feel that the patent system has been abused by so-called ‘patent trolls’ in order to stifle innovation and profit from litigation. With Jengo in particular, I was a fan of what Cloudflare had done previously with Universal SSL. When the opportunity arose to potentially make a difference with a real patent troll case, I was happy to try and help."

Adam, Security Engineer


"I read the ’335 patent and thought it basically described a fundamental design principle of the world wide web (proxy servers). I was pretty sure such software was in widespread use by the priority date of the patent (1998). At that point I was curious if that was true so I did some Googling."

David, Software Developer


"Personally, I believe the vast majority of software patents are obvious and trivial. They should have never been granted. At the same time, fighting a patent claim is costly and time consuming regardless of the patent’s merit, while filing the claim is relatively cheap. Patent trolls exploit this imbalance and, in turn, they stifle innovation. Project Jengo was a great opportunity to use my knowledge of prior academic work for a good cause."

Kevin, Postdoctoral Research Scientist


"I’m pretty excited, I’ve never won a single thing in my life before. And to do it in service of taking down evil patent trolls? This is one of the best days of my life, no joke. I submitted because software patents are garbage and clearly designed to extort money from productive innovators for vague and obvious claims. Also, I was homeless at the time I submitted and was spending all day at the library anyway."

Garrett, San Francisco


What was the Impact?

The whole point of Project Jengo was to flip the incentive structure around patent trolls, who assume they can buy broad patents, spend a little money to initiate litigation, and then sit back and expect that a great percentage of defendants will send them a check. Under a proper incentive structure, they should have to expend some effort to prove their claims have merit, and we wanted to make available information that would support other potential defendants who may want to push back against claims under Blackbird patents.

One very simple measure of the impact is to review the number of new lawsuits Blackbird is bringing with its patent portfolio, which is a public record. So what does Blackbird’s activity look like on that point?


In the one-year period immediately preceding Project Jengo (Q2’16-Q2’17), Blackbird filed more than 65 cases. Since Project Jengo launched more than 2.5 years ago, the number of cases Blackbird has filed has fallen to an average rate of 10 per year.

Not only are they filing fewer cases, but Blackbird as an organization seems to be operating with fewer resources than they did at their peak. When we launched Project Jengo in May 2017, the Blackbird website identified a total team of 12: six lawyers, including two co-founders, four litigation counsel, as well as a patent analysis group of 6. Today, based on a review of the website and LinkedIn, it appears only three staff remain: one co-founder, one litigation counsel, and one member of the patent analysis group.  

Ethics Complaints (section submitted by Cloudflare’s General Counsel, Doug Kramer)

We filed ethics complaints against both of Blackbird’s co-founders before the bar associations in Massachusetts, Illinois, and the USPTO based on their self-described “new model” of pursuing intellectual property claims. Our complaints were based on rules of professional conduct prohibiting lawyers from acquiring a cause of action to assert on their own behalf, or in the alternative, rules prohibiting attorneys to split contingency fees with a non-attorney.

We did not file such complaints lightly, as we take ethical standards seriously and don’t think such proceedings should be used merely to harass. In this case, we think the public perception of patent trolls, who are seen as lawyers chasing an easy buck by taking advantage of distortions in the litigation process, has damaged the public perception of attorneys and respect for the legal profession–the exact sort of values the ethical rules and bar associations are meant to protect.

We based our complaints on the assignment agreement we found filed with the USPTO, where Blackbird purchased the ’335 patent from an inventor in October 2016 for $1. It seemed apparent that the actual but undisclosed compensation between the parties was considerably more than $1, so Blackbird may have simply acquired the cause of action or the agreement involved an arrangement where Blackbird would split a portion of any recovered fees with the inventor. Such agreements are generally prohibited by the ethical rules.

In public statements, Blackbird’s defense to these allegations was that it (i) was not a law firm (despite the fact it is led exclusively by lawyers who are actively engaged in the litigation it pursues) and (ii) does not use contingency fee arrangements for the patents it acquires, but does use something “similar.” Both defenses were rather surprising to us. Doesn’t an organization led and staffed exclusively by lawyers who are drafting complaints, filing papers with courts, and arguing before judges amount to a “law firm”? In fact, we found pleadings in other Blackbird cases where the Blackbird leadership asked to be treated as lawyers so they could have access to sensitive technical evidence in those cases that is usually off-limits to anyone but the lawyers. And what does it mean for an agreement to be merely “similar” to a contingency agreement?

The disciplinary proceedings in front of bar associations are generally confidential, so we are limited in our ability to report out developments in those cases. But regardless of the outcome, we’ve only approached bar associations in two states. Getting this back on the right track will require more than successful adjudications in front of such committees. Instead, it will take a broader change in orientation by these professional associations across the country to view such matters as more than mere political disputes or arguments between active litigants.  

Our questions go to the very heart of ensuring an ethical legal profession; they are meant to determine what safeguards should be put in place to make sure that attorneys who take the oath are held to a standard beyond mere greed or base opportunism. They go to the question of whether being an attorney is merely a job or whether there are higher standards attorneys should be held to, making sure their monopoly over the ability to bring lawsuits as officers of the court (and all the implications, costs, and power that represents) is only wielded by people who can be trusted to do so responsibly. Otherwise, what’s the point of ethical standards?

That’s all … for now

We’ve said from the beginning that Project Jengo was a response to the patent troll litigation and we would end it as soon as the case was over. And now it is. Although we are proud of our work on this issue, we need to turn our focus back to the company’s mission — to help build a better Internet. But we may be back at some point. Patent trolls remain a risk to growing companies like Cloudflare and nothing in this experience has persuaded us that settling a patent lawsuit is ever the right answer. We don’t plan to settle, and if brought into such litigation again at some point in the future, we think we have a pretty good blueprint for how to respond.

The Blackbird prior art will remain available here, and we remain available to consult with our colleagues at other companies who face these issues, as we have done many times over the past few years.

Finally, we would like to express our sincere gratitude to the community who researched the Blackbird patent portfolio and helped us fight this troll. It was our confidence in all of you that inspired the idea of Project Jengo in the first place, so its success belongs to you.

Thank you.  

Terminating Service for 8Chan

Post Syndicated from Matthew Prince original https://blog.cloudflare.com/terminating-service-for-8chan/

The mass shootings in El Paso, Texas and Dayton, Ohio are horrific tragedies. In the case of the El Paso shooting, the suspected terrorist gunman appears to have been inspired by the forum website known as 8chan. Based on evidence we’ve seen, it appears that he posted a screed to the site immediately before beginning his terrifying attack on the El Paso Walmart killing 20 people.

Unfortunately, this is not an isolated incident. Nearly the same thing happened on 8chan before the terror attack in Christchurch, New Zealand. The El Paso shooter specifically referenced the Christchurch incident and appears to have been inspired by the largely unmoderated discussions on 8chan which glorified the previous massacre. In a separate tragedy, the suspected killer in the Poway, California synagogue shooting also posted a hate-filled “open letter” on 8chan. 8chan has repeatedly proven itself to be a cesspool of hate.

8chan is among the more than 19 million Internet properties that use Cloudflare’s service. We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time. The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.

We do not take this decision lightly. Cloudflare is a network provider. In pursuit of our goal of helping build a better Internet, we’ve considered it important to provide our security services broadly to make sure as many users as possible are secure, thereby making cyberattacks less attractive — regardless of the content of those websites. Many of our customers run platforms of their own on top of our network. If our policies are more conservative than theirs, it effectively undercuts their ability to run their services and set their own policies. We reluctantly tolerate content that we find reprehensible, but we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services.

What Will Happen Next

Unfortunately, we have seen this situation before and so we have a good sense of what will play out. Almost exactly two years ago we made the determination to kick another disgusting site off Cloudflare’s network: the Daily Stormer. That caused a brief interruption in the site’s operations but they quickly came back online using a Cloudflare competitor. That competitor at the time promoted as a feature the fact that they didn’t respond to legal process. Today, the Daily Stormer is still available and still disgusting. They have bragged that they have more readers than ever. They are no longer Cloudflare’s problem, but they remain the Internet’s problem.

I have little doubt we’ll see the same happen with 8chan. While removing 8chan from our network takes heat off of us, it does nothing to address why hateful sites fester online. It does nothing to address why mass shootings occur. It does nothing to address why portions of the population feel so disenchanted they turn to hate. In taking this action we’ve solved our own problem, but we haven’t solved the Internet’s.

In the two years since the Daily Stormer, what we have done to try to solve the Internet’s deeper problem is engage with law enforcement and civil society organizations to try to find solutions. Among other things, that resulted in us cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained an indication of potential violence. We will continue to work within the legal process to share information when we can to hopefully prevent horrific acts of violence. We believe this is our responsibility and, given Cloudflare’s scale and reach, we are hopeful we will continue to make progress toward solving the deeper problem.

Rule of Law

We continue to feel incredibly uncomfortable about playing the role of content arbiter and do not plan to exercise it often. Some have wrongly speculated this is due to some conception of the United States’ First Amendment. That is incorrect. First, we are a private company and not bound by the First Amendment. Second, the vast majority of our customers, and more than 50% of our revenue, comes from outside the United States where the First Amendment and similarly libertarian freedom of speech protections do not apply. The only relevance of the First Amendment in this case and others is that it allows us to choose who we do and do not do business with; it does not obligate us to do business with everyone.

Instead our concern has centered around another much more universal idea: the Rule of Law. The Rule of Law requires policies be transparent and consistent. While it has been articulated as a framework for how governments ensure their legitimacy, we have used it as a touchstone when we think about our own policies.

We have been successful because we have a very effective technological solution that provides security, performance, and reliability in an affordable and easy-to-use way. As a result of that, a huge portion of the Internet now sits behind our network. 10% of the top million, 17% of the top 100,000, and 19% of the top 10,000 Internet properties use us today. 10% of the Fortune 1,000 are paying Cloudflare customers.

Cloudflare is not a government. While we’ve been successful as a company, that does not give us the political legitimacy to make determinations on what content is good and bad. Nor should it. Questions around content are real societal issues that need politically legitimate solutions. We will continue to engage with lawmakers around the world as they set the boundaries of what is acceptable in their countries through due process of law. And we will comply with those boundaries when and where they are set.

Europe, for example, has taken a lead in this area. As we’ve seen governments there attempt to address hate and terror content online, there is recognition that different obligations should be placed on companies that organize and promote content — like Facebook and YouTube — rather than those that are mere conduits for that content. Conduits, like Cloudflare, are not visible to users and therefore cannot be transparent and consistent about their policies.

The unresolved question is how should the law deal with platforms that ignore or actively thwart the Rule of Law? That’s closer to the situation we have seen with the Daily Stormer and 8chan. They are lawless platforms. In cases like these, where platforms have been designed to be lawless and unmoderated, and where the platforms have demonstrated their ability to cause real harm, the law may need additional remedies. We and other technology companies need to work with policy makers in order to help them understand the problem and define these remedies. And, in some cases, it may mean moving enforcement mechanisms further down the technical stack.

Our Obligation

Cloudflare’s mission is to help build a better Internet. At some level firing 8chan as a customer is easy. They are uniquely lawless and that lawlessness has contributed to multiple horrific tragedies. Enough is enough.

What’s hard is defining the policy that we can enforce transparently and consistently going forward. We, and other technology companies like us that enable the great parts of the Internet, have an obligation to help propose solutions to deal with the parts we’re not proud of. That’s our obligation and we’re committed to it.

Unfortunately the action we take today won’t fix hate online. It will almost certainly not even remove 8chan from the Internet. But it is the right thing to do. Hate online is a real issue. Here are some organizations that have active work to help address it:

Our whole Cloudflare team’s thoughts are with the families grieving in El Paso, Texas and Dayton, Ohio this evening.

Project Galileo: the view from the front lines

Post Syndicated from Erin Walk original https://blog.cloudflare.com/project-galileo-the-view-from-the-front-lines/


Growing up in the age of technology has made it too easy for me to take the presence of the Internet for granted. It’s hard to imagine not being able to go online and connect with anyone in the world, whether I’m speaking with family members or following activists planning global rallies in support of a common cause. I find that as I forget the wonder of being connected, I become jaded. I imagine that many of you reading this blog feel the same way. I doubt you have gone a month, or even a week, this year without considering that the world might be better off without the Internet, or without parts of the Internet, or that your life would be better with a digital cleanse. Project Galileo is my antidote. For every person online who abuses their anonymity, there is an organization that literally could not fulfill their purpose without it. And they are doing amazing work.


Working with Participants

As program manager for Project Galileo, Cloudflare’s initiative to provide free services to vulnerable voices on the Internet, a large portion of my time is spent interacting with the project’s participants and partners. This includes a variety of activities. In my organizational role, I reach out to our partnering organizations, such as the National Democratic Institute and the Center for Democracy and Technology, about sponsoring new recipients. I also help recipients onboard their websites and technically explain our product and how it works. Answering emails from Project Galileo recipients is my favorite part of every day. I can still remember when the sense of wonder truly set in. A few weeks into my time at Cloudflare, I received a request from a local community healthcare clinic that was under attack. I was new, I didn’t have all the permissions I have now, and I didn’t fully understand how all of our systems worked (I still don’t, but I’m much better at figuring out who does). I started reaching out to other teams, all of whom eagerly volunteered their time. Within a few hours, a website that had been down for a week was back up, and best practices were being discussed to help them stay online in the future.

About a week later I received a wonderful thank you message from the group, and made sure I sent it to those who had helped out and were invested. I treasure these little reminders in my day that what I’m doing makes a difference. In fact, I frequently question my luck in receiving all the praise for a project that functions thanks to the work of countless engineers, and other teams, who work tirelessly to make our product better. I try to find ways to pass these small moments on.

It makes me laugh when participants who joined while I’ve been working on the project email me with an introduction along the lines of “I don’t know if you remember us, but…”. It makes sense, in the abstract. I receive a lot of emails, and around half of all recipients have joined since I started organizing the project. Still, I remember almost everyone who I’ve written to. How could I forget the person who signed off all their emails with something joyful they were doing at the moment, or the one who told me that they had finally made it through a week without their website going down? In many ways, on Project Galileo I interact less with organizations and more with a set of extremely passionate people. The purpose and drive of these individuals infect me with a sense of wonder and excitement, even when our only communications are virtual.

Image: Project Galileo partners

Internal Commitment

Project Galileo doesn’t just bring out the best of the Internet through our recipients; it also brings out the best in Cloudflare. Working on Project Galileo has given me a lot of leeway to explore all aspects of the company. We don’t have a large team in DC, and most of us are on the Policy team. To do my job, I rely on being able to contact teams globally, from Support to Trust and Safety to Solutions Engineering. I’ve chatted with Support team members at 2am to fix an emergency situation, and had a Solutions Engineer on call from 11pm to 1am on a Friday night to support an organization during an event. Even when frustrating or anxiety-provoking, these times make me proud to work for an organization that not only vocally supports this project, but whose members commit their time to it despite competing priorities.

At the risk of being overly grandiose, there are a lot of hopes and dreams tied up in Project Galileo. There is the dream that the Internet is a place for vulnerable voices, no matter how small, to advocate for change. There is the dream that companies will use their products to help deserving groups who may not otherwise be able to afford them. As for me, I hope that every day I do something that makes the world a little better. It is an honor to carry these hopes and dreams within the company, and I strive to be a good steward.

Happy 5th Birthday, Project Galileo! Here’s to many more.

Project Galileo: Lessons from 5 years of protecting the most vulnerable online

Post Syndicated from Matthew Prince original https://blog.cloudflare.com/project-galileo-fifth-anniversary/

Today is the 5th anniversary of Cloudflare’s Project Galileo. Through the Project, Cloudflare protects—at no cost—nearly 600 organizations around the world engaged in some of the most politically and artistically important work online. Because of their work, these organizations are attacked frequently, often with some of the fiercest cyber attacks we’ve seen.

Since it launched in 2014, we haven’t talked about Galileo much externally because we worry that drawing more attention to these organizations may put them at increased risk. Internally, however, it’s a source of pride for our whole team and is something we dedicate significant resources to. And, for me personally, many of the moments that mark my most meaningful accomplishments were born from our work protecting Project Galileo recipients.

The promise of Project Galileo is simple: Cloudflare will provide our full set of security services to any politically or artistically important organizations at no cost so long as they are either non-profits or small commercial entities. I’m still on the distribution list that receives an email whenever someone applies to be a Project Galileo participant, and those emails remain the first I open every morning.

The Project Galileo Backstory

Five years ago, Project Galileo was born out of a mistake we made. At the time, Cloudflare’s free service didn’t include DDoS mitigation. If a free customer came under attack, our operations team would generally stop proxying their traffic. We did this to protect our own network, which was much smaller than it is today.

Usually this wasn’t a problem. Most sites that got attacked at the time were companies or businesses that could pay for our services.

Every morning I’d receive a report of the sites that were kicked off Cloudflare the night before. One morning in late February 2014 I was reading the report as I walked to work. One of the sites listed as having been dropped stood out as familiar, but I couldn’t place it.

I tried to pull up the site on my phone, but it was offline, presumably because we were no longer shielding the site from attack. Still curious, I did a quick search and found a Wikipedia page describing the site. It was an independent newspaper in Ukraine and had been covering the ongoing Russian invasion of Crimea.

I felt sick.

When Nation States Attack

What we later learned was that this publication had come under a significant attack, most likely directly from the Russian government. The newspaper had turned to Cloudflare for protection. Their IT director actually tried to pay for our higher tier of service but the bank tied to the publication’s credit card had had its systems disrupted by a cyber attack as well and the payment failed. So they’d signed up for the free version of Cloudflare and, for a while, we mitigated the attack.

The attack was large enough that it triggered an alert in our Network Operations Center (NOC). A member of our Systems Reliability Engineering (SRE) team who was on call investigated and found a free customer being pummeled by a major attack. He followed our run book and triggered a FINT — which stands for “Fail Internal” — directing traffic from the site directly back to its origin rather than passing through Cloudflare’s protective edge. Instantly the site was overwhelmed by the attack and, effectively, fell off the Internet.

Broken Process

I should be clear: the SRE didn’t do anything wrong. He followed the procedures we had established at the time exactly. He was a great computer scientist, but not a political scientist, so he didn’t recognize the site or understand its importance given the situation at the time in Crimea, or why a newspaper covering it might come under attack. But, the next morning, as I read the report on my walk in to work, I did.

Cloudflare’s mission is to help build a better Internet. That day we failed to live up to that mission. I knew we had to do something.

Politically or Artistically Important?

It was relatively easy for us to decide to provide Cloudflare’s security services for free to politically or artistically important non-profits and small commercial entities. We were confident that we could stand up to even the largest attacks. What we were less confident about was our ability to determine who was “politically or artistically important.”

While Cloudflare runs infrastructure all around the world, our team is largely based in San Francisco, Austin, London, and Singapore. That certainly gives us a viewpoint, but it isn’t a particularly globally representative viewpoint. We’re also a very technical organization. If we surveyed our team to determine what organizations deserved protection, we’d no doubt identify a number of worthy organizations that were close to home and close to our interests, but we’d miss many others.

We also worried that it was dangerous for an infrastructure provider like Cloudflare to start making decisions about what content was “good.” Doing so inherently would imply that we were in a position to make decisions about what content was “bad.” While moderating content and curating communities is appropriate for some more visible platforms, the deeper you go into Internet infrastructure, the less transparent, accountable, and consistent those decisions inherently become.

Turning to the Experts

So, rather than making the determination of who was politically or artistically important ourselves, we turned to civil society organizations that were experts in exactly that. Initially, we partnered with 15 organizations, including:

  • Access Now
  • American Civil Liberties Union (ACLU)
  • Center for Democracy and Technology (CDT)
  • Centre for Policy Alternatives
  • Committee to Protect Journalists (CPJ)
  • Electronic Frontier Foundation (EFF)
  • Engine Advocacy
  • Freedom of the Press Foundation
  • Meedan
  • Mozilla
  • Open Tech Fund
  • Open Technology Institute

We agreed that if any partner said that a non-profit or small commercial entity that applied for protection was “politically or artistically important” then we would extend our security services and protect them, no matter what.

With that, Project Galileo was born. Nearly 600 organizations are currently being protected under Project Galileo. We’ve never removed an organization from protection in spite of occasional political pressure as well as frequent extremely large attacks.

Organizations can apply directly through Cloudflare for Project Galileo protection or can be referred by a partner. Today, we’ve grown the list of partners to 28, adding:

  • Anti-Defamation League
  • Amnesty International
  • Business & Human Rights Resource Centre
  • Council of Europe
  • Derechos Digitales
  • Fourth Estate
  • Frontline Defenders
  • Institute for War & Peace Reporting (IWPR)
  • LION Publishers
  • National Democratic Institute (NDI)
  • Reporters Sans Frontières
  • Social Media Exchange (SMEX)
  • Sontusdatos.org
  • Tech Against Terrorism
  • World Wide Web Foundation
  • X-Lab

Cloudflare’s Mission: Help Build a Better Internet

Some companies start with a mission. Cloudflare was not one of those companies. When Michelle, Lee, and I started building Cloudflare it was because we thought we’d identified a significant business opportunity. Truth be told, I thought the idea of being “mission driven” was kind of hokum.

I clearly remember the day that changed for me. The director of one of the Project Galileo partners called me to say that he had three journalists who had received protection under Project Galileo who were visiting San Francisco, and asked if it would be okay to bring them by our office. I said sure and carved out a bit of time to meet with them.

The three journalists turned out to all be covering alleged government corruption in their home countries. One was from Angola, one was from Ethiopia, and they wouldn’t tell me the name or home country of the third because he was “currently being hunted by death squads.” All three of them hugged me. One had tears in his eyes. And then they proceeded to tell me about how they couldn’t do their work as journalists without Cloudflare’s protection.

There are incredibly brave people doing important work and risking their lives around the world. Some of them use the Internet to reach their audience. Whether it’s African journalists covering alleged government corruption, LGBTQ communities in the Middle East providing support, or human rights workers in repressive regimes, unfortunately they all face the risk that the powerful forces that oppose them will use cyber attacks to silence them.

I’m proud of the work we’ve done through Project Galileo over the last five years lending the full weight of Cloudflare to protect these politically and artistically important organizations. It has defined our mission to help build a better Internet.

While we respect the confidentiality of the organizations that receive support under the Project, I’m thankful that a handful have allowed us to tell their stories. I encourage you to read about our newest recipients of the Project:

And, finally, if you know of an organization that needs Project Galileo’s protection, please let them know we’re here and happy to help.

EU election season and securing online democracy

Post Syndicated from Caroline Greer original https://blog.cloudflare.com/eu-election-season-and-securing-online-democracy/

It’s election season in Europe, as European Parliament seats are contested across the European Union by national political parties. With approximately 400 million people eligible to vote, this is one of the biggest democratic exercises in the world – second only to India – and it takes place once every five years.

Over the course of four days, 23-26 May 2019, each of the 28 EU countries will elect a different number of Members of the European Parliament (“MEPs”) roughly mapped to population size and based on a proportional system. The 751 newly elected MEPs (a number which includes the UK’s allocation for the time being) will take their seats in July. These elections are not only important because the European Parliament plays a large role in the EU democratic system, being a co-legislator alongside the European Council, but as the French President Emmanuel Macron has described, these European elections will be decisive for the future of the continent.

Election security: an EU political priority

Political focus on the potential cybersecurity threat to the EU elections has been extremely high, and various EU institutions and agencies have been engaged in a long campaign to drive awareness among EU Member States and to help political parties prepare. Last month, for example, more than 80 representatives from the European Parliament, EU Member States, the European Commission and the European Agency for Network and Information Security (ENISA) gathered for a table-top exercise to test the EU’s response to potential incidents. The objective of the exercise was to test the efficacy of EU Member States’ practices and crisis plans, to acquire an overview of the level of resilience across the EU, and to identify potential gaps and adequate mitigation measures.

Earlier this year, ENISA published a paper on EU-wide election security which described how, because of the large attack surface inherent to elections, the risks concern not only government election systems but also individual candidates and individual political campaigns. Examples of attack vectors that affect election processes include spear phishing, data theft, online disinformation, malware, and DDoS attacks. ENISA went on to propose that election systems, processes and infrastructures be classified as critical infrastructure, and that a legal obligation be put in place requiring political organisations to deploy a high level of cybersecurity.

Last September, in his State of the Union address, European Commission President Juncker announced a package of initiatives aimed at ensuring that the EU elections are organised in a free, fair and secure manner. EU Member States subsequently set up a national cooperation network of relevant authorities – such as electoral, cybersecurity, data protection and law enforcement authorities – and appointed contact points to take part in a European cooperation network for elections.

In July 2018, the Cooperation Group set up under the EU NIS Directive (composed of Member States, the European Commission and ENISA) issued a detailed report, “Compendium on Cyber Security of Election Technology”. The report outlined how election processes typically extend over a long life cycle consisting of several phases, and how the presentation layer is as important as the correct vote count, including protection of the interface where citizens learn of the election results. Estonia – a country that is known to be a digital leader when it comes to eGovernment services – is currently the only EU country that offers its citizens the option to cast their ballot online. However, even electoral systems that rely exclusively on paper voting typically take advantage of digital tools and services in compiling voter rolls, candidate registration, or result tabulation and communication.

The report described various election/cyber incidents witnessed at EU Member State level and the methods used. As the electoral systems vary greatly across the EU, the NIS Cooperation Group ultimately recommended that tools, procedures, technologies and protection measures should follow a “pick and mix” approach which can include DDoS protection, network flow analysis and monitoring, and use of a CDN. Cloudflare provides all these services and more, helping to prevent the defacement of public-facing websites and Denial of Service attacks, and ensuring the high availability and performance of web pages which need to be capable of withstanding a significant traffic load at peak times.

Cloudflare’s election security experience

Cloudflare’s CTO John Graham-Cumming recently spoke at a session in Brussels which explored Europe’s cyber-readiness for the EU elections. He outlined that while sophisticated cyber attacks are on the rise, humans can often be the weakest link. Strong password protection, two-factor authentication and a keen eye for phishing scams can go a long way in thwarting attackers’ attempts to penetrate campaign and voting web properties. John also described Cloudflare’s experience in running the Athenian Project, which provides free enterprise-level services to government election and voter registration websites.

Cloudflare has protected most of the major U.S. presidential campaign websites from cyberattacks, including the Trump/Pence campaign website, the website for the campaign of Senator Bernie Sanders, and websites for 14 of the 15 leading candidates from the two political parties. We have also protected election websites in countries like Peru, Ecuador and, most recently, North Macedonia.

Is Europe cyber-ready?

Thanks to the high-profile awareness campaign across the EU, Europeans have had time to prepare and to look for solutions according to their needs. Election interference is certainly not a new phenomenon; however, the scale of the current threat is unprecedented, and clever disinformation campaigns are also now in play. Experts have recently identified techniques such as spear phishing and DDoS attacks as particular threats to watch for, and the European Commission has been monitoring industry progress under the Code of Practice on Disinformation, which has encouraged platforms such as Google, Twitter and Facebook to take action to fight against malicious bots and fake accounts.

What is clear is that this can only ever be a coordinated effort, with both governments and industry working together to ensure a robust response to any threats to the democratic process. For its part, Cloudflare is protecting a number of political group websites across the EU and we have been seeing Layer 4 and Layer 7 DDoS attacks, as well as pen testing and firewall probing attempts. Incidents this month have included attacks against Swedish, French, Spanish and UK web properties, with particularly high activity across the board around 8th May. As the elections approach, we can expect the volume/spread of attacks to increase.

Further information about the European elections can be found here – and if you are based in Europe, don’t forget to vote!