Cloudflare CEO Matthew Prince discusses the company’s rapid expansion, the importance of building trust, and what’s next for the content delivery network provider.
The fourth annual Internet Summit was held in London yesterday, a day of talks given by a diverse range of speakers exploring how the web has evolved and where it might be going next.
Organizing the event, which saw approximately 300 people in attendance, was Cloudflare – a company boasting itself as an invisible layer of the internet, which delivers content across the web, along with providing DDoS protection and other security solutions.
The Daily Swig caught up with Matthew Prince, Cloudflare’s co-founder and CEO, who discussed the future of his business and how it’s growth requires a careful balance of power.
No one had heard of Cloudflare 10 years ago, and now your company has grown to be a massive player within the internet’s infrastructure. How does that feel?
Matthew Prince: It’s terrifying! The edge of the internet is going to centralize behind five to 10 players, and it is becoming difficult to run something by yourself online – you just can’t anymore.
Facebook, Google, Amazon, Microsoft, Alibaba, Tencent, Cloudflare, and maybe some others will emerge, but it’s all happening really quickly. We now run the edge of IBM’s cloud, which is insane because it’s IBM, but we’re just better at it and we have the scale and it makes sense.
With this monopolization that’s happening, law enforcement becomes increasingly reliant on the power that tech companies yield. How do you build trust with your customers and ensure them that your service isn’t going to be compromised by, for example, the NSA?
MP: One of the things that I’m really proud of is that we tend to be really long-term focused, and we try to think about the very privileged position that we sit in from a number of different angles and to think about if Cloudflare ran 100% of the internet, let’s imagine, what would be the right policy decision.
Our North Star is that the mere existence of Cloudflare should not make the job of law enforcement any harder, but it shouldn’t make law enforcement’s job any easier either. There’s a proper role for law enforcement online, and we’re not anarchists, so we’re a law abiding organization. But we believe in the rule of law and we believe in due process and we believe in exercising our rights in the that way we do.
We spend a lot of time on a policy level, a technical level, and also a legal level, making sure you can’t pull data off our system, which is why we invest in cryptography and have external audits to verify that we don’t store any data. Most of the time law enforcement comes to us, we can’t help.
Do you have an example of a time when law enforcement asked for Cloudflare’s assistance?
MP: The best example was in January of 2012. We had 40 people on the team and the FBI walked in and two agents said that they couldn’t talk to anyone but the CEO and I had to fight to get my attorney in the room. They gave us two national security letters, which is an order to produce documents about some of our customers. This was problematic for two different reasons: there was no judicial oversight, and then you’re not allowed to talk about it.
So we made the decision to sue the US government, which was crazy at some level, but we were thinking that some day we might run the internet and we’ve got to push back on things that are abusive.
So what happened?
MP: For five years we were on a gag order and couldn’t talk about it. We were able to have both letters rescinded and were able to get the law change so that the requests have automatic expiration times. But if you looked at the users behind these things, they weren’t good guys. They were going after bad people. But there’s a proper way to make those requests, and there’s an improper way to make those requests.
How do tech companies get this wrong?
MP: Most tech companies make some magic box and sell the magic box and there’s IP in it and if someone gets what the source code is, or gets how the magic works, then their value goes to zero really quickly. So they’ve built this culture of secrecy. When Apple, for example, makes a decision, they may have had a really rich and thorough conversation internally, but they just don’t have the culture to talk about that externally.
New EU legislation seems to be forcing companies to have those external conversations. Has GDPR impacted Cloudflare’s business?
MP: Anytime you have something that’s going to fine you 4% of annual revenue you take it seriously. It created some challenges for us but not really since we’re not in the data business, and because we don’t store much data, that it made it less hard.
Long term, I think it [GDPR] creates a lot of opportunities for us. By the end of this year, we’ll be in 100 countries around the world, which means 95% of the world’s population will live in a country with a Cloudflare data center.
Whether it’s good policy or not, governments are going to start requiring data locality, and if we can build the technical solution to help support that, then that can be a powerful thing.
You’ve just released DNS resolver 184.108.40.206. What else can we expect in the future from Cloudflare?
MP: I think we’ve built a core network that can get a piece of data from any point on earth, to any other point on earth faster, more securely, and more efficiently than anyone else. What else can we do with that network now that we have it?
I think there’s real opportunity to do things like making a mobile phone work better when you’re at a sporting event or a concert, how can a mobile phone not use as much data, how do we extend battery life, things like these really excite me.
Do other future plans include disallowing HTTP for a backend sever, especially now that browsers are increasingly HTTP reliant?
MP: Probably not. I think what we will do is just make sure that if we can connect over a secure connection, any time that we can, we’ll establish that connection. I think what we want to do is to make sure that any time you can encrypt something that we’ll be able to.
What we worry about, though, is that there is just a bunch of stuff in various places where you just can’t run encryption, and this will rankle some crypto purists, but we’re more practical about it.
We think the biggest risk actually comes from the local coffee shop that you’re sitting in, and that it’s much less likely that the NSA is spying on the back end cable. Frankly, if that’s your problem you should have encryption in place to begin with.
We’ll push encryption as far as we can, and we want to opportunistically support it wherever it’s possible. We default on it for all our customers for free, but we’re not the crypto zealots. We think some crypto is better than no crypto.