Recently the internet security firm Cloudflare launched its new product 1.1.1.1 for Families (see product announcement). The product’s purpose is to allow families to easily block websites with malware and adult content on their home networks. To build this product Cloudflare purchased a license to use third-party filtering lists and put them into an easy-to-use product. Due to an error in the lists, they inadvertently blocked LGBTQIA+ content. This caused several non-profit equity organizations such as HRC to be blocked by the product. This quickly created controversy.
What is 1.1.1.1 for Families and what went wrong?
1.1.1.1 for Families is Cloudflare’s new product. It is an alternative to their existing Public DNS Resolver 1.1.1.1, which also blocks malware and adult content on networks using the product. Sarah Lewis brought attention to the issue and as a result, Cloudflare took action to fix the issue.
After testing Cloudflare’s product, Sarah found that several non-profit organizations were blocked by the filter, not just adult content and malware.
I am not an expert in child development and can’t speak to whether blocking sex education websites is harmful or not. I would advise Cloudflare to consult child development experts to determine how to approach this as there may still be age-appropriate content available.
Are LGBTQIA+ resources family unfriendly?
Blocking LGBTQIA+ content perpetuates the idea that only cisgender (people who identify with the gender they were assigned at birth) and heterosexual people are normal. Recent studies indicate that between 4.5% and 11% of people identify somewhere on the LGBTQIA+ spectrum. (Further references: https://web.archive.org/web/20150814152313/http://www.pewsocialtrends.org/files/2013/06/SDT_LGBT-Americans_06-2013.pdf, https://web.archive.org/web/20061219090954/http://norc.uchicago.edu/issues/American_Sexual_Behavior_2003.pdf) Everyone must have access to resources that affirm to them that they are normal.
Some works of art or blog posts specific to LGBTQIA+ people can include explicit imagery, and blocking them with a family filter could be appropriate. However, the same type of content exists for non-LGBTQIA+ people. We do not see people claiming we should hide the fact that cisgender and heterosexual people exist, and resources for them remain available. It’s wrong to censor information about 11% of the population.
This was most likely a mistake
I have my doubts that Cloudflare would do this intentionally. The company has an internal group called Proudflare (however, it has not posted recently). Would this group remain silent if Cloudflare planned on doing this intentionally? The recent silence from the group is concerning. Are they still allowed to operate after Cloudflare’s initial public offering? Was there a massive silent change in the company’s policies? A “we still exist” post would be encouraging.
I believe a more likely explanation is that Cloudflare’s team was asked by upper management to make a family content filter, had to rush the product to meet deadlines, and did not thoroughly test the product. If this is the case, what other products have been rushed without proper testing, and what security-related bugs still exist on their platform?
Cloudflare’s response to the incident
The team at Cloudflare fixed the issue quickly. They issued an apology and unblocked the affected websites. Their blog post explained how this issue happened.
To get data for 1.1.1.1 for Families we licensed feeds from multiple different providers who specialize in site categorization. We spent the last several months reviewing classification providers to choose the ones that had the highest accuracy and lowest false positives.
Malware, encompassing a range of widely agreed upon cyber security threats, was the easier of the two categories to define. For Adult Content, we aimed to mirror the Google SafeSearch criteria. Google has been thoughtful in this area and their SafeSearch tool is designed to limit search results for “sexually explicit content.” The definition is focused on pornography and largely follows the requirements of the US Children’s Internet Protection Act (CIPA), which schools and libraries in the United States are required to follow.
Because it was the default for the 1.1.1.3 service, and because we planned in the future to allow individuals to set their own specifications beyond the default, we intended the Adult Content category to be narrow. What we did not intend to include in the Adult Content category was LGBTQIA+ content. And yet, when it launched, we were horrified to receive reports that those sites were being filtered.
Source: https://blog.cloudflare.com/the-mistake-that-caused-1-1-1-3-to-block-lgbtqia-sites-today/
These recent events make me worry that Cloudflare is not testing its products enough. A lack of testing could indicate that security-related bugs exist in Cloudflare’s consumer products. As a result, I am unsure if I will continue using Cloudflare’s products.