Monsters in the Cloud(flare)


Schools have a statutory obligation to do "appropriate filtering and monitoring" of their internet traffic in order to protect their children from online harms.  There are several requirements of filtering systems laid down by the UK Safer Internet Centre which are relevant to this discussion - the filters must:

  • block access to illegal Child Sexual Abuse Material (through the use of the Internet Watch Foundation's block lists);
  • integrate ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’; and
  • provide contextual content filters, which analyse content as it is streamed to the user.

Since the majority of web traffic is encrypted, the above requirements cannot be adequately met without decrypting the traffic in order for the filter to examine it.  We have previously noted that a very high proportion of the child sexual abuse material on the Internet Watch Foundation's block lists and radicalisation content on the Home Office's list cannot be blocked without decrypting traffic.  So that is what most filtering systems do - encrypted HTTPS traffic is decrypted in a process known as "man in the middle" decryption.

Indeed, following an inquest into the suicide of a 15-year-old girl, a coroner recently produced a report which highlighted the fact that even websites which schools encourage their students to use may contain harmful content, which in this case sadly contributed to the death of a child (section 5, paragraph 3 of the report).  Although there is a small amount of harmful content hosted by such websites, schools deem them to have significant educational value.  In order for a school to allow safe access to such a website, the filtering / monitoring system must decrypt the connection in order to be able to discriminate between the safe and unsafe parts of the website.

Cloudflare is a "reverse proxy service" used by websites to improve their scalability and to filter malicious web traffic.  Although the technical details are slightly different, in essence Cloudflare works in a similar way to a school's filter, but at the opposite end of the connection: a school will employ us to protect their students, whereas a content provider will employ Cloudflare to protect their web servers.

Around 19.4% of all websites reportedly use Cloudflare.

In 2019, Cloudflare announced that they were now providing tools to detect when users were connecting through "man in the middle" decryption systems, such as those that are used within schools.

We are now seeing an increase in Cloudflare's detection system being used in ways which are harmful to the end-user's browsing experience. For example, users in schools are now frequently expected to complete Cloudflare's CAPTCHA tests (i.e. "click all of the boats to prove you are human"), and are occasionally blocked entirely.

Opendium's online safety systems incorporate technology to mitigate the harmful effects of Cloudflare's current detection technology.  However, we remain concerned that Cloudflare may continue to evolve their systems to a point where our mitigation strategies are rendered ineffective.  With Cloudflare in control of almost a fifth of websites on the internet, we are very much aware that any changes to their policies could essentially break schools' internet access overnight.

Cloudflare argue that "man in the middle" decryption reduces security.  To some extent, they are correct - the more points in the connection at which traffic is decrypted, the more risk there is that one of them may be compromised, and it is worth pointing out that Cloudflare themselves are one such point in the connection and pose a similar risk to a school's system.  However, such systems can also increase security by providing facilities such as malware scanning.  Above all, Cloudflare have not recognised that security and safety are not the same thing - whilst they are chasing security they are neglecting the safety of the users, many of whom are children.

The security concerns that Cloudflare cite regarding school filters apply equally to Cloudflare's own services - possibly even more so, given the size of a target that must be painted on a company worth $41 billion.  Cloudflare's business is providing "man in the middle" services in order to protect the content providers: when a user connects to a Cloudflare-protected website, their connection is decrypted by Cloudflare before being forwarded on to the real web servers.  Whilst the user is able to verify the security of their connection to Cloudflare, there is no way for them to know if Cloudflare themselves are handling it securely or that the onward connection to the real web server is secure.

Cloudflare's position appears to be that they support the use of a technology to protect their clients, but object to (and try to prevent) the use of similar technologies to protect children.