In the fall of 2016, Keegan Hankes, an analyst at the Southern Poverty Law Center, paid a visit to the neo-Nazi website the Daily Stormer. This was not unusual; part of Hankes’ job at the civil rights organization was to track white supremacists online, which meant reading their sites. But as Hankes loaded the page on his computer at SPLC’s headquarters in Montgomery, Alabama, something caught his eye: a pop-up window that announced “Checking your browser before accessing … Please allow up to 5 seconds.” In fine print, there was the cryptic phrase “DDoS protection by Cloudflare.” Hankes, who had worked at SPLC for three years, had no idea what Cloudflare was. But soon he noticed the pop-up appearing on other hate sites and started to poke around.
There’s a good chance that, like Hankes, you haven’t heard of Cloudflare, but it’s likely you’ve viewed something online that has passed through its system. Cloudflare is part of the backend of the internet. Nearly 10 percent of all requests for web pages go through its servers, which are housed in 118 cities around the world. These servers speed along the delivery of content, making it possible for clients’ web pages to load more quickly than they otherwise would. But Cloudflare’s main role is protection: Its technology acts as an invisible shield against DDoS attacks—hacker campaigns that disable a website by overwhelming it with fake traffic. The company has more than 7 million customers, from individual bloggers who pay nothing for basic security services to Fortune 50 companies that pay up to a million dollars a year for guaranteed 24-hour support.