Cloudflare, the next big cybersecurity IPO company, says it may have violated US law by doing business with terrorists and narcotics traffickers
- Cybersecurity company Cloudflare is about to become public company, possibly as soon as this week, and there are indicators that investors are ready to buy in.
- However, the company also quietly updated its S-1 filing to go public to disclose that it may have broken the law in ways including including selling its services to terrorists, to narcotics traffickers, and to governments being sanctioned by the US.
- It also may have violated laws governing exporting encryption technology, it said in the filing.
- Cloudflare has for years faced scrutiny over its role in protecting some of the darkest corners of the internet.
- Visit Business Insider's Tech homepage for more stories
Cloudflare gave a strong indication that its IPO roadshow is going well, when on Wednesday it increased its pricing range on Wednesday to $12 to $14 per share - up from $10 to $12 per share.
This should value the company at between $3.5 billion and $4.1 billion at the time of its IPO, exceeding its last private valuation of $3.25 billion. The company is expected to go public later this week, possibly as soon as Thursday.
But then the company also raised eyebrows by filing an amended S-1 form, its IPO prospectus, in which it admitted it may have violated US law. It sold its services to entities blacklisted by US government including terrorists, narcotics traffickers and sanctioned governments, it said in the filing.
Specifically, Cloudflare said (emphasis ours):
"We identified that our products were used by, or for the benefit of, certain individuals and entities included in OFAC's Specially Designated Nationals and Blocked Persons List (the SDN List), including entities identified in OFAC's counter-terrorism and counter-narcotics trafficking sanctions programs, or affiliated with governments currently subject to comprehensive U.S. sanctions. A small number of these parties made payments to us in connection with their use of our platform."
It also disclosed it may have broken US laws governing exporting encryption hardware.
Cloudflare offers a service that helps website operators keep their sites up and running even if hackers attempt to bring the website down, or if parts of the internet go down. The company says its network spans 194 cities in over 90 countries and connect with major internet providers and big corporate networks alike.
It may have installed encryption hardware in some of these overseas places in violation of the law, it explained:
"In 2019, we learned that we may have failed to comply with certain U.S. export-related filing and reporting requirements and may have submitted incorrect information to the U.S. government in connection with certain hardware exports."
Cloudflare has faced criticism for years over how it helped protect some of the darkest corners of the internet. Its has also been praised when it has kicked such entities off its network.
For instance, Cloudflare said its platform was used by 8chan, the online forum which "served as an inspiration" for the deadline mass shootings in El Paso, Texas and Christchurch, New Zealand. In April, after the El Paso shooting. The company announced that 8chan was no longer a customer, describing the forum as a "cesspool of hate."
In 2017, it faced a similar publicity storm when it admitted its network had been used by The Daily Stormer, the neo-Nazi white supremacist website, which became infamous for its role in the 2017 protests in Charlottesville, Virginia. Cloudflare later terminated the group's account.
The company says it disclosed the information about the blacklisted entities using its site to the appropriate government agency in May, 2019.
While Cloudflare promises it is doing all it can to prevent its service being used illegally, it says this remains a risk (emphasis ours):
"Although we have implemented, and are working to implement additional controls and screening tools designed to prevent similar activity from occurring in the future, there is no guarantee that we will not inadvertently provide our products to additional individuals, entities, or governments prohibited by U.S. sanctions in the future. "
Cloudflare did not immediately respond to a request for comment.