Cloudflare family-friendly DNS service flubs first filtering foray: Vital LGBTQ, sex-ed sites blocked 'by mistake'

For a biz that prides itself on not censoring the internet, it sure likes censoring the internet

Got Tips? 95 Reg comments
An illustration of two young people looking over a fence at the internet, with the word 'censored' on the fence

Updated Cloudflare, known for free speech advocacy, rolled out a self-styled family-friendly variation of its DNS service to block adult content – and ended up denying access to LGBTQ websites and sex education resources.

Introduced on Wednesday, the service is called 1.1.1.1 for Families. It can be used by home internet users to block malware and prevent children from seeing adult content. Parents can configure their devices or gateways to use the DNS resolver 1.1.1.2 for protection from malware-serving websites, or 1.1.1.3 for malware and adult content protection.

Browsers and other apps use DNS resolvers to turn domain names like theregister.com into network addresses they can connect to. Thus, Cloudflare's filtered DNS can refuse to look up domain names considered off-limits or dangerous, preventing users, such as children, from seeing bad stuff. That's the theory.

Cloudflare's initial filter configuration for adult content, however, prevented users from visiting useful and crucial online resources including Stonewall, LGBT Foundation, Outright, Mermaids, Broken Rainbow, Transgender Law Center, Lambda Legal, and various sex education sites.

Via Twitter, Sarah Jamie Lewis, executive director of Open Privacy Research Society, an advocacy group based in Vancouver, Canada, slammed Cloudflare for its inept site blocking.

"You would think that an organization like @Cloudflare that spent weeks and agonizing over a decision to block literal nazis from its platform (and then minutes deciding to throw sex workers under the bus) would be more considerate when getting into the censorship game," she said.

Cloudflare CEO Matthew Prince promptly responded, saying, "Dumb mistake on our part and we are fixing it immediately."

Lewis said some but not all of the sites she identified have been unblocked.

In an email to The Register, Prince said as much. "It was a horrible mistake and we are working to remedy it as quickly as possible," he said. "We use a variety of external categorization services to categorize the internet. Our intention was to do something similar to 'Google Safe Search' and there were some categories that were included in Adult Themes by one provider that we missed when we did our review."

DNS

Cloudflare is over the moon because its pro-privacy 1.1.1.1 DNS service got a clean bill of health from everyone's favorite auditor – KPMG

READ MORE

The company said that 1.1.1.1 for Families uses the same site filtering and categorization technology as its Gateway corporate firewall.

"We use multiple external sources that we combine together to ensure we have good coverage of the internet," a company spokesperson explained in an email to The Register. "The list of providers is constantly being reviewed and checked against each other for errors. In the future, we plan to offer the ability for users to select more granular and additional categories that will only apply to them."

Via Twitter DM, Lewis acknowledged that content filtering can be difficult but said Cloudflare should have understood what its service would block before launching it.

"Content filtering is a very hard problem," she said. "Perhaps one of the hardest systems problems that exists in internet tech. That being said, filtering content intended to support queer youth is something that practically every naive filtering product has done since they were first invented. It's a known issue and the fact that no one at Cloudflare tried to access any resource site prior to launching (or did and didn't see it as an issue) reveals systemic issues that can't be fixed by whitelisting individual sites."

What makes the misstep particularly galling for Lewis is Cloudflare has been so vocal in the past about the dangers of censorship. As Prince wrote in 2011, "Cloudflare is firm in our belief that our role is not that of Internet censor."

"That this 'mistake' exists at all reveals a systemic issue at Cloudflare that has the potential to kill queer youth – millions of which attempt suicide every year – and the reason why these sites exist in the first place," Lewis observed. "You don't get to brand yourselves as neutral third parties and then turn around and enact policies that explicitly target such a marginalized population."

Lewis contends Cloudflare should take its content blocking service offline until the biz can demonstrate that it can filter without doing harm. ®

Updated to add

Cloudflare has shared a blog post "to walk through what happened, why, and what we've done to fix it."

Full disclosure: The Register is a Cloudflare customer.

Sponsored: Ransomware has gone nuclear

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020