Taking bullets for customers: CloudFlare CEO Matthew Prince gets unwanted attention from hackers and SWAT teams
“The only thing I have in common with Justin Timberlake is that we’ve both been ‘SWAT-ed,’ ” says CloudFlare CEO Matthew Prince. In 2012, an armed rescue team stormed his company’s San Francisco office ready to defuse a hostage situation called in by a prankster. It was the first of many visits from the SWAT team and Maggie, the bomb-sniffing dog. Federal agents occasionally show up at Prince’s offices with court orders rather than guns, demanding to know who’s been sending Web traffic over CloudFlare’s servers.
The attention is a result of what CloudFlare has built: A cheap, dependable service for bouncing malicious traffic away from its customers’ websites and apps. Instead of selling firewall or intrusion-prevention hardware, which customers have to install locally, CloudFlare offers cheap (and often free) protection in the cloud. Its routers and servers are in 28 data centres across the world and reroute its customers’ visitors to the closest CloudFlare server. Traffic deemed a threat is turned away. The heavyweight in the business is Akamai, a 16-year-old content-delivery network with $1.6 billion in yearly revenue and customers like Facebook and Microsoft. Like Akamai, CloudFlare speeds up websites, but from the beginning, it emphasised protection against “malicious botnets.”
CloudFlare, founded five years ago by Prince, his Harvard Business School classmate Michelle Zatlyn and engineer Lee Holloway, initially went after customers that were too small for Akamai to care about, but it has steadily worked its way up to big customers such as Nasdaq, Yelp, Zendesk, OkCupid and the federal government. CloudFlare’s rise parallels that of distributed denial of service (DDoS) attacks, which have grown in size ten-fold since 2009. DDoS attackers barrage a site with data requests until it shuts down or can be hacked. The FBI is investigating DDoS-for-ransom attacks on Meetup, Evernote, Vimeo, Move and Basecamp, among others.
The majority of the two million websites CloudFlare guards take advantage of its free basic offering. Prince doesn’t mind because CloudFlare’s protection algorithm learns from all the traffic it sees. Some 4-5 percent of its customers opt to pay between $20 and $5,000 per month for enhanced features such as encryption, firewalls and stronger DDoS mitigation, with some paying more than $1 million per year. CloudFlare has raised more than $72 million in funding, with a $50 million round in 2012, valuing the company at $1 billion. That last slug of equity is still in the bank, says Prince; the company says it just had its first cash-flow-positive quarter with revenue, estimated to be around $40 million by year-end, growing 450 percent year over year.
Defending unpopular sites—or ones that attackers want to take down but can’t—makes the company and its employees frequent targets. Two years ago, Prince’s Gmail was hacked by a 15-year-old who bought his Social Security number off a Russian website. Employees’ last names were scrubbed from CloudFlare’s site after a hacker tried to ruin the Google reputation of one, writing in forums that he was a paedophile. “We never press charges because we see ourselves as soldiers, and soldiers don’t complain about being shot at,” says Prince.
Two years ago, CloudFlare was protecting the websites of both the Israel Defense Forces and the Al-Quds Brigades, a pro-Palestinian military group in the Gaza Strip.
Prince has struck the right balance between discretion and transparency. CloudFlare sees all of its customers’ traffic, but makes its data logs ephemeral so they can’t be subpoenaed. In February, it published its first transparency report disclosing government requests for its data, saying it has yet to turn over a customer’s encryption keys to law enforcement agencies that would allow the government to “wiretap” a site’s traffic.
It also signalled that it may have received a National Security Letter, which would allow the government to make a massive data grab about visitors to a particular site. “All I can say is that our policy would be to challenge an NSL if we received one,” he says. “We have fought not to have hardware installed on our network and have not altered software to make it easier.”
“CloudFlare is transparent,” says Chris Soghoian, a privacy advocate at the American Civil Liberties Union. “In contrast, Akamai is a black hole. It’s night and day between [CloudFlare] and everyone else in the content-delivery industry.”
One of CloudFlare’s early venture backers wanted to know what Prince would do when the death threats came. “When you start something like this, you don’t realise what the endgame will be if you’re successful,” says Prince.