"The only thing I have in common with Justin Timberlake is that we've both been 'SWAT-ed,'" says CloudFlare CEO Matthew Prince. In 2012 an armed rescue team stormed his company's downtown San Francisco office ready to defuse a hostage situation called in by a prankster. It was the first of many visits from the SWAT team and Maggie the bomb-sniffing dog. Prince is used to unwanted attention. Federal agents occasionally show up at his offices with court orders rather than guns, demanding to know who's been sending Web traffic over CloudFlare's servers.
All the attention is a result of what CloudFlare has built: a cheap, dependable service for bouncing malicious traffic away from its customers' websites and apps. Instead of the traditional approach of selling firewall or intrusion-prevention hardware, which customers have to install locally, CloudFlare offers cheap (and often free) protection in the cloud. Its routers and servers are in 28 data centers around the world and reroute its customers' visitors to the closest CloudFlare server. Traffic deemed a threat is turned away. The heavyweight in the business is Akamai, a 16-year-old content-delivery network with $1.6 billion in yearly revenue and huge customers like Facebook and Microsoft that depend on it to make their websites load faster. Like Akamai, CloudFlare speeds up websites, but from the beginning it emphasized protection against "malicious botnets."
CloudFlare, founded five years ago by Prince, his Harvard Business School classmate Michelle Zatlyn and engineer Lee Holloway, initially went after customers that were too small for Akamai to care about, but it has steadily worked its way up to big customers such as Nasdaq, Yelp, Zendesk, OkCupid and the federal government. CloudFlare's rise parallels that of distributed denial of service (DDoS) attacks, which have grown in size tenfold since 2009. DDoS attackers barrage a site with data requests until it shuts down or can be hacked. The perpetrators can be pranksters, competitors playing dirty, political opposition or extortionists. The FBI is reportedly investigating DDoS-for-ransom attacks on Meetup, Evernote, Vimeo, Move and Basecamp, among others.
The majority of the 2 million websites CloudFlare guards take advantage of its free basic offering. Prince doesn't mind because CloudFlare's protection algorithm learns from all the traffic it sees. Some 4% to 5% of its customers opt to pay between $20 and $5,000 per month for enhanced features such as encryption, firewalls and stronger DDoS mitigation, with some paying more than $1 million per year. CloudFlare has raised more than $72 million in funding, with a $50 million round in 2012, valuing the company at $1 billion. That last slug of equity is still in the bank, says Prince; the company says it just had its first cash-flow-positive quarter with revenue, estimated to be around $40 million by year-end, growing 450% year over year.
Prince describes himself as a recovering lawyer, but that shortchanges his background. He's equal parts computer geek, law professor and businessman, all of which coalesce when he's near a whiteboard and seizes the magic marker opportunity to sketch the architecture of the Internet and the place in it where CloudFlare's servers sit like a digital bouncer at a website's door. Prince is a free speech believer who thinks any site with an idea should have the right to express it. Defending unpopular sites or ones that attackers really want to take down and can't makes the company and its employees frequent targets. Two years ago Prince's Gmail was hacked by a 15-year-old who bought his Social Security number off a Russian website. Employees' last names were scrubbed from CloudFlare's site after a hacker tried to ruin the Google reputation of one, writing in forums that he was a pedophile. "We never press charges because we see ourselves as soldiers, and soldiers don't complain about being shot at," says Prince.
CloudFlare has been criticized for protecting controversial operators, including DDoS-for-hire sites that are its own nemeses. In 2011, a site called LulzSecurity.com registered for CloudFlare an hour before publishing 3.5 million usernames and passwords allegedly stolen from Sony. Sometimes CloudFlare is right in the middle of two parties who literally fire at each other: Two years ago CloudFlare was protecting the websites of both the Israel Defense Forces and the Al-Quds Brigades pro-Palestinian military group in the Gaza Strip.
"They stand in front of so many bullets on the Internet," says OkCupid chief technology officer Mike Maxim. Earlier this year, the IAC-owned tryst shop realized it needed better DDoS protection after love-seeking members of Reddit complained in April that the site was down. "Speed was of the essence to us so we could get this going as fast as possible with as little a capital expenditure as possible. Other services wanted us to add equipment to our data centers," says Maxim. All he has sacrificed are minor "bumps and blips" in service since its traffic now goes through CloudFlare.
Prince has struck the right balance between discretion and transparency. CloudFlare sees all of its customers' traffic but makes its data logs ephemeral so they can't be subpoenaed. In February it published its first transparency report disclosing government requests for its data, saying it has yet to turn over a customer's encryption keys to law enforcement agencies that would allow the government to "wiretap" a site's traffic — which was a controversial request made to encrypted email provider Lavabit. CloudFlare also signaled that it may have received a National Security Letter, which would allow the government to make a massive data grab about visitors to a particular site. "All I can say is that our policy would be to challenge an NSL if we received one," he says. "We have fought not to have hardware installed on our network and have not altered software to make it easier."
"CloudFlare is transparent," says Chris Soghoian, a privacy advocate at the American Civil Liberties Union. "In contrast, Akamai is a black hole. It's night and day between [CloudFlare] and everyone else in the content-delivery industry."
Prince's principled approach to protecting free speech and privacy through technology was forged at a young age. He grew up in Park City, Utah. When he was 7 he got an Apple II Plus for Christmas and spent that summer at computer camp, programming. In the early 90s, he went to Trinity College, home to the first online-only magazine. "I couldn't get anyone on campus to read it," says Prince. "I got an email from someone in Japan reading it, but I couldn't get the cute girl I wanted to go on a date with to use a browser."
The bruising experience led him to write his college thesis on "Why the Internet is a fad." (Whoops. He's since destroyed all but one copy.) He instead went the legal route, getting a law degree from the University of Chicago. Working as a summer associate for Latham & Watkins in 1999 in San Francisco, he kicked himself each time he was brought in as the young tech-savvy guy to help partners take start-up after start-up public. After graduation, he stayed in Chicago to work at an online insurance business called GroupWorks, walking away with a "comfortable" amount from his stock options when the company sold. "It wasn't F.U. money but it was enough to screw around," he says.
While teaching cyberlaw at John Marshall, a question he posed in an exam gave him the idea for his first company: Unspam Technologies, a "do-not-email" service used by state governments to help people avoid 'vice' marketing. "Then I got sued by the porn industry," says Prince. Pornsters alleged Unspam was aiding government infringement of their First Amendment rights. Prince knew the suit could drag on for years. Sitting in his apartment with a bottle of wine, he decided to head back to school again and wound up at Harvard. There, in the shadow of Akamai, the giant it hoped to challenge, CloudFlare's business plan was born and anointed with an HBS competition win. After graduation in 2009, he, Zatlyn and Holloway moved operations to California, opening an office in Palo Alto above a nail salon. It thrived enough to move into a converted coffee-roasting warehouse in San Francisco's South of Market district in February 2011. They plan to move somewhere bigger soon.
One of CloudFlare's early venture backers told Prince he loved the business but wanted to know what he would do when the death threats came. "When you start something like this you don't realize what the endgame will be if you're successful," says Prince.