Today, I’m talking with Cloudflare co-founder and CEO Matthew Prince. Cloudflare might be the most important internet company you’ve never heard of, and that’s almost by design. It’s a network infrastructure provider to more than 20 percent of the entire web — it’s effectively what prevents bad actors around the world from torpedoing some of the biggest websites on the planet with cyberattacks. But if Cloudflare is doing its job, you don’t have to know it even exists. 

Cloudflare is an absolutely fascinating company at the intersection of so many of the biggest ideas we talk about here on Decoder. That’s in no small part because of Matthew, who’s been at the helm for nearly 15 years and has had to make some of the most uncomfortable moderation decisions in the tech industry. 

As an infrastructure company, Cloudflare is one of the only defenses — in some cases, the only defense — standing between websites and the people who want to take them down. That includes websites for social good, like news organizations around the world, but also means unsavory or downright despicable ones, like neo-Nazi haven The Daily Stormer and hate and harassment breeding ground 8chan. 

Over the last decade, Matthew has had to make the call when to stop providing service to websites like those, even as he’s championed Cloudflare as a bastion of free speech and a tool used by journalists, activists, and dissidents in authoritarian regimes. It is a profound balancing act, and you’ll hear me ask Matthew how he thinks about making those types of decisions and the company values he says drives them. 

Matthew and I got into pretty much the whole gamut of protecting speech on the internet. We talked about the contrast between speech in the US covered by the First Amendment and speech overseas that is very much not. We got into how governments might be able to regulate companies like Cloudflare and what that would even look like here in the US or perhaps in a country like India. 

And we discussed how Cloudflare looks at its role in war zones like Ukraine and how the threat of a splintering internet — or one that’s just more restrictive and more aggressively under attack from bad actors — could undo the last 40 years of progress. None of this is theoretical for people like Matthew — seriously, he’s personally under sanction by the Russian government. 

Some notes before we start — because this conversation really went places and you’re going to hear a lot of references to various political philosophers. Aristotle comes up, which Matthew explains, but then we talk about Thomas Hobbes, who believed that nature is cruel and anarchic and the purpose of government is to enforce a social contract between citizens. 

We also mention John Locke, who expanded the idea of the social contract into what we call liberalism and whose work directly influenced the founding fathers and shaped the Declaration of Independence, and then we mention John Rawls, who moved away from the idea of an unchanging natural law into fairness as the foundation of the social contract.

This is a lot for a conversation with a guy who keeps websites on the internet, but it is very much why I love doing Decoder. 

Okay: Cloudflare CEO Matthew Prince, here we go.

This transcript has been lightly edited for length and clarity. 

Matthew Prince, you’re the co-founder and CEO of Cloudflare. Welcome to Decoder.

Thank you so much for having me.

I am very excited to talk to you. It feels like the internet is in a moment of deep and lasting change for a variety of reasons. Cloudflare is an underappreciated part of the internet for most people. If you use internet services, you might not even know Cloudflare exists. But I think if you make internet services, there’s nothing about Cloudflare that’s underappreciated. It’s an important technical piece of the internet. Can you just describe from the beginning what Cloudflare is for folks?

At the absolute simplest level, Cloudflare is a service that makes the internet faster and protects it from bad guys. How we do that is we run today one of the world’s largest networks. Our customers are anyone who’s trying to put content online, anyone who’s trying to connect to the internet in a secure way — businesses, not consumers, for the most part. And what they do is they put that content behind our network in order to make sure that it can be fast anywhere in the world. It can be reliable no matter what. It can be secure, private, and efficient so that it can reach as much of the internet as possible. 

Today, we operate that network in over 300 cities worldwide, in over 120 countries, and we’re within milliseconds of the vast majority of the users on Earth. And when we’re doing our job right, you don’t even know that we exist. You just have a better, faster, more reliable internet experience.

Put that next to what most people think about as the internet. Cloudflare has a network of its own. It has data centers around the world. Those data centers are close to me physically such that data might get from the data center to me in milliseconds, as you’re saying. But I think most people think about data centers and they think about Google or Microsoft or Amazon. Are you running the same kind of data centers? Are you running different kinds of data centers? Do you work with them? How does that go?

We tend to have lots of machines scattered in many, many places around the world. Whereas, what you’d think of as the traditional cloud providers — the AWSes, the Google Clouds, the Microsoft Azures of the world — will have many, many computers but be more concentrated in individual places. We tend to cooperate really well with those providers. They tend to be much more like the data stores, the sort of the database companies that are out there, whereas we’re the networking company that connects those things together. 

You would often use one of those traditional cloud providers plus Cloudflare in order to have the best possible experience. And somewhere between 20 and 25 percent of the web today sits behind us. So chances are, everyone who’s listening to this has probably used us certainly in the last 24 hours.

So, if I’m starting a website — it’s funny I say that, I run a website — but let’s say I’m starting another website, and I say, “Man, I want to make sure the stuff on my website can get to customers quickly. I want to make sure that I’m protected from DDoS attacks.” What do I actually buy from you?

First of all, we believe that our mission is to help build a better internet. And that’s not just a better internet for the largest companies in the world. They’re all customers as well, but I’m really proud of the fact that even individual developers, startups, can adopt Cloudflare. We have a free version of our service, which is really pretty astonishing. We don’t believe that you should have to have a huge budget to have top-grade security, performance, and reliability.

For all of those things, you can come up to our website, sign up, you effectively make some technical changes to how your website is announced to the rest of the world that causes that traffic to go through us. Or, from the other side, if you’re a business and you want to make sure that your employees are connecting to the internet in a secure way, we provide you software that you can install on your laptops or your mobile devices in order to make sure that, again, you’re using that network. And so, regardless of whether you’re publishing content online or running a business whose employees need to get online, we have a set of services and we try to make them make sense for you, whether you’re small or, today, over a third of the Fortune 500 uses Cloudflare in order to get those same benefits as well, and we have services for those large companies, too. 

You’ve talked about security a number of times. When I think about Cloudflare, I think about caching mostly. I’ve got some stuff on my computer or my server or my data center. I do want to put it closer to people so they can access it more quickly around the world. That feels like the big thing that you guys provide to folks. But you’ve talked about security a number of times. What is the specific security solution that you provide to your customers?

It’s interesting that some people think of us for things like caching. So the idea of caching is basically just making a copy of something so that you don’t have to move it as far. The speed of light is only so fast, so if we can make copies of the logo on a website or the images and move those closer to people, then effectively, the online experience gets significantly faster. But that’s not where Cloudflare started. In fact, it’s actually kind of ancillary to what we did. We’re very good at it today. But the original premise of Cloudflare was: how could we make a firewall that was deployed without any hardware where you could just get it as a service? 

The thing was that, early on, the objection that everyone had was, “That sounds great, you can serve a much broader market, you can make it incredibly easy to use, you can learn from all the traffic that flows through you in order to get and make everyone more secure, but you’re going to add a bump in the wire. You’re going to slow things down.” And so Michelle [Zatlyn], my co-founder and I, as we were first starting to think about the business, we became obsessed with how to make things faster. And caching was one part of it, protocol optimization, just getting enormous amounts of connectivity around the world were all pieces of the puzzle, but they were really servicing that end goal of how do we make everything more secure. But it turns out that, in most cases, security comes with a compromise of slowing things down.

When we launched, we launched with the goal of just not slowing things down, and then we were a little bit better at it than we intended to be. So not only do we not slow things down but we also actually significantly speed things up. And so, today, there are people who may not be particularly worried about cyberattacks who also use Cloudflare. But the great news is you can be really concerned about security and you get performance, or you can be really concerned about performance and you get security. And again, I think it comes back to how Cloudflare is living up to our mission of just making sure that everyone online can have the best internet experience and that our mission is really to help build a better internet.

Who are your biggest competitors?

I think that there are a lot of companies that compete with us in individual areas. You do have companies that focus just on things like caching, the folks like an Akamai or Fastly, and we compete with them from time to time if people are just looking at that one thing. You have other companies that are really focused on the VPN replacements of the world — so the likes of Zscaler, Palo Alto Networks, Cisco for some of Cisco’s products — and we compete with them as well. But I think what’s unique about Cloudflare is that we offer that complete package: that we can make sure that your content is safe, that you can make sure that your employees are safe. If you look across that entire thing, there really aren’t that many companies that do everything that Cloudflare does. And what we see from our customers is they really want to have that complete network security package, and they’re sick of buying individual point solutions.

Cloudflare can deliver what we think of as a complete connectivity cloud, and that replaces a lot of the Akamai, Fastly, Zscaler, Palo Alto Networks, and a lot of the people who are doing what is traditionally network security. And then, of course, all of the box vendors, the checkpoints, and… I’ve forgotten the names of them. I guess that’s how much we focus on our competitors, but we really are just saying, “How can we help make the network experience the best possible thing it can be?” We compete with competitors in those areas, but there isn’t really anyone that does the complete suite of things that Cloudflare delivers.

I just want to point out, if there was one person in the world who had learned the name of enterprise security vendors from the advertising at the airport, it’s Matthew Prince, and you clearly did not gain that knowledge from that. I always wondered who those ads are for, and I figured you would pay attention to them.

We spend a ton of time focusing on our customers, and we tend to spend a ton of time just focusing on how we build a better internet, even to my board’s chagrin. They’re always like, “We should talk more about competitors.” And I’m like, “I think if you just focus on your customers, you focus on building a great product, competitors will follow you as opposed to you having to follow them.”

If you hear that sound, it’s the price of airport advertising plummeting in the background. I want to talk about competitors along the way here. I think it’s a really important point, because I think there’s a lot downstream of whether you feel competition. A lot of people characterize Cloudflare as one of the most vital companies on the internet, or a required company on the internet, and a core infrastructure layer. Do you feel that way about Cloudflare — that you’re just part of the essential utility fabric of the internet now?

When we were just getting started, one of the things that we would always ask ourselves —  and this was when it was eight of us above a nail salon in Palo Alto, California — “If Cloudflare ran the entire internet, what would the right decision be?” And we asked that around technical questions. We asked that around policy questions, around how we did customer support, around everything. We’re just always asking ourselves what that was doing. And there was a certain absurdity to it, because again, we were eight people without a single customer above a nail salon. 

And yet, I think that we would joke that someday if we had an outage or something went wrong, it would be on the front page of the newspaper because we would be that important. We have an incredibly robust reliability record. But when we’ve had challenges now, it is that level of news, except oftentimes, the news publications themselves are Cloudflare customers, so they’re offline as well. But we take the responsibility that we have extremely seriously, and we try to be a very principled organization and think about what the long term is. 

People do rely on our networks. There are aircraft that can’t take off if Cloudflare doesn’t work. There are cash registers around the world that don’t work if Cloudflare doesn’t work. There are ATMs around the world that don’t work if Cloudflare doesn’t work. And because of that, I think our entire team is really focused on how we make sure that we are delivering the absolute highest-quality service that we can. And again, when we’re doing our job right, we’re that thing behind the scenes that’s just making everything work better, and most people don’t even ever need to know that we exist.

Particularly in enterprise, the notion that you have a single vendor as opposed to multiple redundant vendors, that pendulum swings back and forth, right? Cloudflare is obviously the integrated solution. You provide all of it. You can get all the things you need to run your service across the network. Your competitors, it’s more mix and match. You can probably go to them for pricing and competition, discounts, all that stuff. Why do you think your approach has won so definitively?

I think that people want to have one integrated network security vendor. And there are times that that can provide a robust way of protecting your network that you can’t get stitching together a number of different solutions. Oftentimes, what we see in the security space is that the seams that are created between vendors are often what the attackers exploit. And what we can do is give you a seamless experience where you can see traffic coming into your network, traffic going out to your network, see that all through one dashboard, give that visibility to all of your employees. That idea of a connectivity cloud that really does connect all aspects of your business together really resonates. 

The other thing is that we can often deliver it in a much more cost-effective way than individual networks. There is a certain fixed cost to running a network like ours, and the first service that a customer buys from us costs us a certain amount of provision, but then, each additional service that we provision on top of that is actually very cost-effective for us to deliver.

And Michelle, my co-founder, had a mantra that we should always be delivering 10 times the value that we should be capturing ourselves. And I think we’ve really done that. What that means is that oftentimes companies can just get a much higher return on their investment. They can save a significant amount of money while at the same time having a better solution, a more integrated solution, by switching to us. I think, over time, it makes sense for you to have one network security vendor. And I think we’re well positioned to be that.

There are things we don’t do. Security has other aspects. There are endpoint security companies like CrowdStrike and SentinelOne. I think that’s a very different skill set and that’s somewhere where we’d be much more likely to partner. There’s identity, companies like Microsoft, Okta, and Ping Identity that provide those services. Again, I think that’s somewhere where we think it makes a lot more sense to partner. But in the network security space, we think that one integrated solution is able to not only deliver the best experience but also be able to deliver it in a way that is the most cost-effective.

Let me ask you some of the Decoder questions now. You mentioned eight people in a nail salon. How big is Cloudflare now?

We’re about 3,500 people around the world and very global. So we run what is an incredibly global service, and our team is distributed very globally around the world.

And how is it structured? How do you think about how the company is organized?

There’s one P&L at Cloudflare. We try to be as flat as possible. Generally, the metric that I pay a lot of attention to is: what’s the average number of direct reports that a manager has? We try to get that number around eight direct reports, which is on the high side. Most companies are around five, and that tends to make the structure a little bit flatter. Michelle’s our president and COO, and we split the world up. She handles a lot of the go-to-market and HR and support side of the business. I handle a lot more of the product engineering, finance, and legal side of the business. And those are sort of where we divide things up. We have not split up into GMs yet.

I think the one thing that we’ve done, which is a little bit unique at Cloudflare, is we really have three different product and engineering teams that have somewhat different mandates and have very different mandates, ultimately, around the time to market and the timeframes that they’re thinking around. So our traditional product and engineering organization, which is 80 to 90 percent of our R&D budget, is what everyone thinks of. They think in two-quarter roadmaps, spend a ton of time talking to customers, listen to what they want, try to deliver that, think about what our products are and how they can move up and to the right in the Gartner or Forrester survey, and make what is incredibly important but very much sustaining innovation around the products that we already have. 

We have a second R&D org — which is, approximately, call it 10 to 20 percent, it varies depending on the time — and that’s what we call ETI, or emerging technology and incubation. They don’t think in two-quarter timeframes; they think in two-to-three-year timeframes and very intentionally spend very little time talking directly to customers. They spend a lot of time thinking about, with the resources that Cloudflare has with the network that Cloudflare has, if we look out over the horizon, what’s the thing that someone’s going to want two years from now that we can deliver? Their job is to take lots of shots on goal, and 80 or 90 percent of them never see the light of day, but some of them do. People can rotate in and out of the ETI group, but it’s almost like a little skunkworks team inside of Cloudflare. A lot of the really big leaps where we’ve provided things like our developer platform, a lot of the work that we’re doing around AI today, comes out of that group. 

We have a third group, which is the smallest. Often, it’s made up of a lot of people who are getting their PhDs in computer science or they’re taking time off to do an internship or some people who would almost be professors at a lot of universities. They are thinking more in a five-year timeframe on fundamental internet technologies. As we have things like TLS 1.3, which is the encryption protocol that protects how, when you put your credit card in, that it’s secure, or thinking about things like quantum cryptography. They’re the team that’s thinking on that longer timeframe on what the internet’s fundamental protocols are going to need and then how Cloudflare can be contributing to those things. They’re very much not focused on shipping products but, instead, helping standards develop. They’re working with organizations like the IETF [Internet Engineering Task Force] on what the future of the internet looks like. And again, they’re thinking about something that almost has zero direct return on our business. 

I think because we have those three different engineering groups that have those three different timeframes, it’s allowed us to both deliver what our customers want but then also deliver really disruptive innovation from an organization like ETI — and then also contribute back to the fundamental protocols of the internet with our technology team, which is thinking on that longer timeframe. For me, that’s one of the things that’s the most exciting about Cloudflare is I think we are one of the most innovative technology companies out there, and we built an org structure really designed around how we can continue to deliver innovation every single day that we’re doing the work that we do. 

So you mentioned you have the three groups, and you actually just said something really interesting, which is that the longest-term group doesn’t really have a measurable return. But that’s the most important group, the one that’s working on the actual standards that make the internet go, that protects against things like quantum attacks on cryptography. There are some really long-term things that need to be invented. How do you think about allocating the margin from the day-to-day customers paying you to, “Okay, we have to invent some stuff for five years in the future?”

I think that, again, we start with the mission, which is to help build a better internet. That means, oftentimes, we’re doing things that don’t have some direct measurable return. Maybe this sounds somewhat naive, but what we found is, if we do the right thing, that it pays off, but you don’t always know exactly how it’s going to pay off. 

As an example of this, back in 2016, we saw a lot of foreign interference with the elections, and we thought, “Is there something that we can do to help with that?” And so we launched something called the Athenian Project, where we provide our services at no cost to anyone originally in the US — although it’s expanded now — who’s helping administer an election. There was a lot of hand-wringing from our state, local, and federal team that, “Oh my gosh, this is going to cannibalize our business because it’s something that they could sell and now we’re going to give it away for free.”

But at the end of the day, we couldn’t have built the company that we did if we didn’t have a stable and functioning democratic government. I think that we have a duty and responsibility when we have the ability to protect things, like how elections work, for us to not have costs be something that stands in the way. I’m proud of the fact that, today, a majority of US states, almost all of the battleground states in the US, the officials that administer elections there use us in various ways and have been for quite some time. There was no direct return from that. It was just… it’s the right thing to do. But I think it’s helped us build goodwill with governments. It’s helped us build goodwill with a lot of businesses where people want to work with companies that aren’t just coin-operated. They want to work with companies that are principled and are trying to do the right thing. 

As a result of that — even though it’s very hard to measure the return of these things ex ante — ex post, they have paid off in spades. And so, the technology team is like that. A lot of the work that we do volunteering our services is like that. For our team, maybe more than anything else, the key to building great companies is recruiting great people. People want to work for companies with a real mission that are doing some real good in the world.

So anytime that we do these things, whether it’s helping with the TLS 1.3 protocol or helping protect Ukraine before the Russian invasion in 2022, that pays off. But you can’t always see it and how it’s going to look in advance. So I guess the answer to your question is that we don’t so much think about, “Oh, we’re going to allocate exactly this amount of margin.” But we do make sure that we’ve got a structure in place that gives us the ability to build the things that customers want who pay us but also builds the trust in the greater market, which again, has turned out to be some of the best marketing that we can do both for customers but also for prospective new team members.

Let me push on that a little bit, but I think this is a good time to ask the Decoder question. You have a lot of decisions to make. Some of them are harder than others. Some of them are more esoteric than others. How do you make decisions? What’s your framework?

I keep coming back to the mission of Cloudflare, and I’ll confess that I went to business school, and I remember sitting in classes where people talked about the importance of mission, and I’d never worked somewhere that was a really mission-driven place. I’d never been in the military. I’d never really done government service in any way. I hadn’t been in a company that I would describe as extremely mission-driven, so I kind of rolled my eyes at it. I think that early on at Cloudflare, if you had asked, “What’s Cloudflare’s mission?” I would’ve said, “Our mission is to take advantage of this really unique market opportunity where the world is shifting from on-premise hardware to the cloud, and clearly the network is going to take over that, and a whole bunch of the things that were like firewalls and VPNs are going to turn into a service, and hopefully we’ll even make a little bit of money and impress our parents,” which is, by the way, why most people do the things that they do.

That’s a mission that inspires almost religious fervor.

We had a chicken-and-egg problem, where, in order to make some money and impress our parents, we had to sell to really big companies that would pay us millions of dollars a year. But in order to do that, we needed to have something that was valuable to them. In order to do that, what they cared about was cybersecurity, so we needed to be able to predict who the bad guys were and stop them. In order to do that, we had to have a whole bunch of data. In order to have data, we had to have customers, because the customers basically would feed the data back into the system. And so we had this problem in a simplistic way that, in order to have customers, we needed to have data; in order to have data, we needed to have customers.

So being good little business students, Michelle and I said, “Well, what if we created a free version of our service, and we’d let anyone sign up?” And we expected it was going to be small businesses and individual developers that signed up, but that wasn’t what happened. And the reason why is if you imagine sort of a two by two and the X axis in the two by two is, call it, company size, and the Y axis is security risk, it turns out that as companies get smaller, their security risk goes way down. There’s still some momentum that keeps people from signing up for even a free service. As companies get bigger, the security risks go up, but they’re not going to trust free services. So none of those signed up. Who did sign up were the only organizations that are in what I would call the northwest quadrant of that two by two, which are smaller organizations that have really big security risks.

Those organizations tended to be civil society and human rights organizations. So we woke up one day back in 2010, and it was like every human rights organization in the world had signed up for Cloudflare. There was a part of me that was like, “Gosh, why do we care about this? Because they’re never going to pay us much, so we’re not going to make money, and we’re not going to impress our parents.” But they keep signing up, and they would write in and say, “Hey, it’s so useful what you do.” And if you’re a human rights organization, you’re often pissing someone off and often someone powerful. And so the powerful people would try to knock them offline, and we would protect them. 

I remember there was a guy who ran an organization called the Committee to Protect Journalists. His name was Jeffrey. He wrote to me one day, and he’s like, “Hey, I’ve got three Cloudflare customers that are in town. Would you like to meet them?” I rolled my eyes. Michelle was watching me. She’s like, “Matthew, just take the meeting. It’s 15 minutes. You never know what comes out of these things.” And Jeffrey brought into our office — we were on Third Street in San Francisco — these three African journalists. One was from Angola, one was from Ethiopia, and the third, they wouldn’t tell us his name or where he was from because he was currently being hunted by death squads. It was the first meeting I’d ever been in where the term “death squad” had been used. We’re fortunate to live in the West, but in most of the world, journalism is very dangerous and everywhere is an incredibly noble profession. In these cases, these journalists were covering largely government corruption in their home countries and people wanted to shut them up.

They would threaten them physically but also do things to knock them offline. One guy had tears in his eyes. By the end, we were all hugging, and they said, “We couldn’t do what we’re doing without you.” I remember it was supposed to be a 15-minute meeting and it turned into two hours. Michelle somehow, at some point, comes and finds me and gets dragged into the meeting. We finally walk them all out and put them in a cab in San Francisco and look at each other like, “What in the world have we gotten ourselves into?” That’s when the mission really crystallized, and that’s when the mission became so important. I think when we started, when we said, “What are we doing?” we were making the internet a little bit faster and more reliable and more secure. But today, as we think about things, it’s much more about, “How do we fight to make sure the internet still exists?”

From the comfortable places that we sit in the West, that may not seem like a threat. But if you look at what Russia is trying to do, if you look at what Iran is trying to do, Turkey, Egypt — for different reasons, India, Brazil — you can’t overstate how disruptive the internet was to the traditional sources of power, be those family, education, media, religion, government, . So the analogy that I’ve often used is it’s like Star Wars: Episode IV – A New Hope, the 40 years leading up to 2016, and then right around then, it flipped. Today, I don’t think we can take for granted that the internet that we have known in our lives exists 40 years from now.

I think we’re very much living in a time when we have to think about how we make decisions on what’s right for our business. But at the same time, we also have to think about how we make decisions to fight for the fundamental existence of the internet overall. That, for us, comes back to, “What are our core values?” At Cloudflare, we are a very curious organization. We want to take on new challenges, never say, “It’s not my job,” always go in a bunch of different directions, often to a fault, by the way. I think the biggest criticism of Cloudflare can be that we’re a mile wide and an inch deep. We do a ton of different things. But again, I think that comes from curiosity. I think we’re a very transparent organization. When we make mistakes, we talk about it. We do that both externally and internally. After every board meeting, we present all the slides we presented to our board to our entire company, which people thought after we went public, there’s no way we’d keep doing, but we have. 

I think we’re a very principled organization, which, fundamentally, means we’re not going to sacrifice the short term for the long term. So I think coming back to the mission and coming back to those core values is a lot of how we, as a company and how I as a leader of the company, make decisions.

You’re talking a lot about values and mission. It’s interesting to hear the CEO of what is effectively an infrastructure company talk about running that company on values and mission. Those things do come to a head. There’s a tension there that occasionally comes to a head. I think you can probably guess I’m going to ask you about The Daily Stormer and 8chan and Kiwi Farms. These are sites that relied on Cloudflare. They were Cloudflare customers. They hosted a bunch of hate speech, a bunch of racism. They did a bunch of harassment. They were Nazis in some cases. 

Then you said, “Look, you’re not going to be our customers anymore.” And Cloudflare is big enough that when you say that, people do want to knock a bunch of Nazis off the internet, and their sites went down because Cloudflare wasn’t standing in the way. Walk me through that decision because there’s a real tension between “We are here to protect speech and the internet that we know” and “We know that if we stop doing business with you based on our values, you will get DDoSed off the internet.”

I don’t want to dismiss that these are tricky issues, but they are not daily issues for us. For the most part, our business is pretty straightforward. There are things that are illegal in various parts of the world, and in those places of the world, we comply with the laws. There are then things that are legal but may be gross in various ways. Someone might say, “Oh, I don’t like that.” And for the most part, we say, “Well, that’s what the legislative process is for.” That tends to actually work surprisingly well. 

Cloudflare is 13 years old now, and we’ve had sort of three of these big incidents over that period of time. The mean time between incidents is a little over four years at this point. It’s not like every single day we’re wringing our hands and thinking about it. I think that that’s different than if you’re Facebook or Twitter, who really are every single day having to make these decisions, and they have a much harder job because they are fundamentally the content. In our case, in order for somebody to have gotten to us, it has to be an individual makes a kind of gross decision to post something, which then doesn’t get taken down by a platform, doesn’t get taken down by a host, and falls all the way down to the network level, which there are a lot of layers that have to have gone wrong there.

But every once in a while, it is bound that that is going to happen. It tends to be places that are still technically maybe legal but are really harmful and destructive. In some cases, places where we’ve actually worked with law enforcement, they’ve said, “We are very worried that if this site is still online, you might see a mass shooting or you might see something else.” It’s one of those questions where, if you’re living in an apartment building, generally, it’s not cool to spy on what your neighbors are doing in the apartment next door. But if you see someone whose life is in danger, then yeah, you break down the door and you go help them. But that wouldn’t be what you normally do. Every once in a while, we have to do that. 

I think the thing that is different about how we think about it than how most companies think about it… and I’ve had the privilege to get to sit in on a lot of the public policy chats that folks like Facebook or Twitter / X or AWS or Google or Apple have had. I think if you sat in on those, you would actually feel a lot better about the companies. I think that they are almost always incredibly thoughtful people that are behind this and that have tradeoffs that you might not imagine. But I think that what a lot of tech companies really believe in is they trust their own internal bubble. They don’t trust the rest of the world. So they have this almost militant secrecy about them, which I think is actually one of the real mistakes that the tech industry today is making. Whereas we really take a very transparent view of this. I have to confess that I didn’t expect that I would spend a significant portion of the time that I talk to journalists for the rest of my career talking about neo-Nazis because it’s not really a topic I actually spend all that much time thinking about.

But I think that the thing that we’ve done is that when we have come to these hard issues, we haven’t just said, “Paragraph 13G of our terms of service, beyond that, no comment.” We’ve tried to walk through: here’s why this is hard and here’s why we struggle with it and here’s the good and here’s the bad and here’s why these are tricky issues. It just happens to be that neo-Nazis are about the grossest thing that you could imagine, and so people who are trying to be gross either are or pretend to be neo-Nazis. So you get tough conversations around this. What’s different about us than other companies is that we’re willing to talk about it, whereas most other companies don’t. The reason we’re willing to do that is that I think transparency is key to trust.

When this first of all went down with The Daily Stormer, I tried to figure out how, when you get into these situations, do you show that you are being thoughtful and responsible. And I actually went back and pulled down a bunch of philosophy textbooks, and I started out reading James Madison because I thought, “Okay, in the US, we have the First Amendment. Where does that come from and what’s behind it?” Because it turns out, if you go to Germany and you say, “Well, what about the First Amendment?” everyone rolls their eyes, and I think it’s the wrong place to start. 

I think the right place to start is actually around the rule of law, and Madison was really inspired by Aristotle so I went back and read all my Aristotle textbooks. Aristotle really believed that there were three things that were inherent for a government to be trustworthy: it had to be transparent; it had to be consistent; and it had to be accountable. So you need to know what the laws were, they needed to be consistently applied, and then the people who applied the laws had to be subject to the laws themselves. So that’s basically what government is. It’s really amazing, around the world, even totalitarian governments that don’t really follow the rule of law pretend to. They pretend to be transparent.

We just had elections. Oh my God, Vladimir Putin got voted in one more time.

That’s exactly right! And it’s like, why does Russia go through the effort to do it? It turns out that it’s because that’s where trust in these organizations goes to. And Cloudflare is not a government, and no big tech company is. But if you think about it, on a daily basis, more people interact with Cloudflare’s network than live in any country on Earth. And so, while we’re not a government, I think some of the principles of how large organizations build trust do apply to us. And so I think we try to follow those principles of rule of law, which are transparency, consistency, and accountability. 

Wait, can I ask you about this though?

I believe you, and I think it’s fascinating that so many tech CEOs think about the demands of running a state when they think about running their company for their customers. And it’s true, I think that’s a function of scale. I just think it’s fascinating that we got to Aristotle in this conversation. 

We’ll do [Michel] Foucault next, if you want.

Yeah, I’m ready, “nasty, brutish, and short.” That’s life on the internet. We’ll do the whole thing. We’ll go all the way back to Hobbes. But the mechanism of “I’m going to stop doing business with The Daily Stormer,” famously you said, “I woke up and decided that I was sick of it and stopped it.” That’s the transparency. But at the end of the day, you had the power.

But the way that the bad thing that happened was that a bunch of people were then able to do a DDoS attack. Your power is, in that case, contingent on knowing that there’s a universe of actors who will then immediately knock The Daily Stormer off the internet. That’s the relationship in your role specifically that I think is interesting. A hosting company has a different power, which is, “I’ll just delete your website.” An internet service provider says, “We’re just going to block your IP address.” You’re saying, “I’m going to get out of the way so the mob can tear you down.” That feels like a different kind of power or a different expression of accountability. How did you think about that?

There’s some truth to that. The thing about hosting providers is there are lots of them. The thing about Cloudflare is that there are very few companies that can provide the services that we do, and if you piss all of us off, it’s really hard to still be on the internet.

Because there’s a mob of people who will take you down. But that’s the thing. It seems like it’s okay to say, “I’m not going to be your security guard anymore.”

Yeah, I guess, although it turns out, if you’re running something even completely innocuous today, there’s real risk that’s out there. You need an immune system in order to just stay online, even if you’re posting cute pictures of kittens. And so it’s not just the neo-Nazis that get knocked offline. Everything, at some point, needs some level of a security guard, or again, something like an immune system, to stay online. If you don’t have that, there’s just enough badness out there looking for vulnerabilities that it’s hard to stop. And then, in addition to that, just the advantages that we’re able to provide in terms of performance, in terms of cost, just being able to make sure your content is available everywhere in a cost-effective way. If you have to exist in a world without a Cloudflare, it’s just a lot more expensive to operate.

So again, I think it comes back to that question that we asked ourselves when we were eight people above a nail salon, which was, “If we ran the entire internet, what would the right policy be?” And again, we will never run the entire internet. That’s just never going to happen. But I think that that’s the right mentality to think about these questions from, because I think it puts the right level of seriousness into the discussion. None of these sites paid us anything that mattered, right? If the only thing that we were motivated by was just money, I mean, it’s easy. Of course you should kick these things off. But again, I think we really do believe that we are very principled, we’re very mission-driven. And I think that’s part of what sometimes gets us into these sorts of challenges. But I’m really proud that the team that we have is thinking about them, and I hope it sets a good example for a lot of startups and also companies that are a lot larger than we are. 

It’s cool that today, regularly, companies that are much, much, much larger than Cloudflare that run into the same issues call us up and say, “Hey, we’d love your advice on this.” I’m proud of the fact that that’s a role that we’re playing, and I think that that’s an important bit as we think about how we are going to ensure that the internet still exists because I don’t think that’s inevitable. 

First of all, I want to point out, I think we did get to the Hobbesian state of nature on the internet. You were saying there’s enough latent badness out there that you’ll just… red in tooth and claw will just come and kill you if you don’t protect yourself or build a society. 

That’s fascinating to me, and I think probably most listeners aren’t aware of this: that if you just put a server on the internet exposed to the wider internet, someone will come and kill you. 

Explain that essential truth, because I don’t think that’s obvious to most people.

It’s become so efficient, if you’re a bad guy, to just be able to literally scan the entire internet to have a catalog of every vulnerability that is out there to run through all of those. And then the value that you can derive from taking over a website publishing cute pictures about kittens because you can create some subfolder that’s child pornography or because you can use that server to hack another server and bounce across it. I mean, in every bad movie featuring technology, there are a bunch of FBI agents or whatever staring at a screen, saying, “Oh, he’s bouncing the connection through 10 different satellites so it’s really hard for us to figure it out.”

That sort of happens, and that really is how bad guys operate online. It is very difficult as an individual, whether that’s just someone running a kitten website or someone in a small county in Georgia trying to run an election versus the [Russian Federal Security Service], which is exactly what is going on today. Part of what we and a handful of other companies do is make sure that you can have that collective immune system that can keep you safe and can make sure that, as the bad hacker comes, you’ve got the forces standing up to make sure that you can stay safe no matter what.

So this makes you even more essential infrastructure. You can’t even do business on the internet unless Cloudflare or one of your competitors is there to protect you.

I think we have gotten to a point where it is very difficult to operate if, again, it’s what I wrote when we kicked The Daily Stormer off, there is a small group of people who make the decisions on whether you use these services. And the funny thing about the post: that’s not the actual post that we posted. That was the internal post that I wrote. It was maybe a little bit brutally honest, but the point that I was trying to make when I said I woke up in a bad mood and kicked someone off the internet was, there is some aspect to that. There is somebody that makes a decision. And in this case, if I go back, and I had been fighting with my at-the-time girlfriend, now wife, over whether we should do this, and I was always like, “Are even you not on my side? There are humans that are behind this, and you need to acknowledge that that’s the case. And I think you need to set up structures.”

But the tradeoff here is usually as you go down the stack toward infrastructure, traditionally, we regulate those providers and say, “You cannot make these decisions.” The telephone network AT&T does not get to decide who gets to make phone calls. Everyone can just make phone calls because that’s a public good. You go all the way up the stack to, I don’t know, Facebook, and the First Amendment is at play. And we say, “You can do whatever you want all the way here, consumer-facing. And if people don’t like your moderation decisions, Mark Zuckerberg, theoretically, they can leave.”

The consumer market is vibrant enough and transparent enough that that’s fine. But all the way down at the metal, we’re arguing about telecom providers. We’re arguing about net neutrality, in a way. You don’t want to slow these bits down. Do you think there should be some level of regulation for a service like Cloudflare that says you can or cannot make these decisions?

I mean, there is regulation, but the tricky part is, you use the example of a telecom—

You’re reading Aristotle! If you’re all the way back at Aristotle to come up with the first principles of the decisions, there’s not a rule to follow.

Sure there is, but the tricky part is that there’s a different rule to follow almost everywhere in the world. So your frame of reference, you talk about the First Amendment, you talk about network neutrality. I mean you, you’re very US-based. These are all actually relatively easy issues in the US because the US is radically libertarian in terms of freedom of expression. And I grew up in the US. I tend to think if you believe in innovation, if you believe in things like a free press, that does make sense. But the vast majority of the world doesn’t believe in those things. And so there is regulation all around the world. What’s different is telecoms are inherently regional businesses. Like AT&T, big deal in the US, but you go to England, no one’s ever even heard of it. Comcast, huge deal in half the United States. I mean, Orange, huge deal in France, right?

We can pick whatever example you want. What has been different about the internet and the tension is that it is global from day one. And Cloudflare, when we launched Cloudflare, we had eight employees. We had customers in 10 countries the day we launched, which we were like, “Wow, that’s amazing.” By the end of the first month, we think we had customers in every country on Earth, and we had eight people. And again, that’s miraculous at some level, but I think it starts to show some of the tensions that are here. I think the question with regulation is, “Whose regulation?” 

Think about other technologies that have come along. So think about television. Television comes out, and it is this wildly successful product. In that case, it was interesting if you think about what the risk was, and let’s just focus on the US. The US, for reasons of physics, initially, there were only three networks: NBC, ABC, CBS. Yeah, they competed a little bit with one another, but they effectively had an oligopoly on this new technology that existed. And so where risk would come from them was actually regulation.

And so they, as an industry, got together and said, “How can we fend that off in different ways?” And it’s led to all kinds of things. So the fact that all three of those networks still to this day cover both political conventions — the Democrat and the Republican conventions — with the same pool feed, basically, from opening speech to balloon drop at the end, that the vast majority of anchors came from Kansas… way overrepresented because it was the center of the country. Equal time laws weren’t proposed by the government. They were actually proposed by the networks to say, “This is a way to show that we’re radically neutral.” 

That preserved the technology. In some cases, there are a lot of people who will say, “Well, that was great,” and I remember fondly watching Tom Brokaw or whoever growing up as a kid. But there are a lot of voices, whether they were brown voices, female voices, or gay voices, that just didn’t appear on TV in the ’60s, ’70s, and ’80s. So there’s a tradeoff that’s there, and that’s when the regulation is set by Lawrence, Kansas. In a global network, if we start to think about what that regulation looks like, I think that the parade of horribles that we could go down is that we could actually get it set by the lowest common denominator of what every country on Earth wants.

In that case, we get to sort of a Teletubbies-like internet where only the least possibly offensive thing is what can be anywhere online. And that sounds absurd, and yet, if you look at a lot of the regulation that’s coming out today, I think that that’s what we have to be extremely careful of. And it won’t be the US that sets the policy. It probably won’t be Europe, either. My hunch is, if that’s the direction we go, that the country that ends up setting the policy is India. And that’s a place where we’re spending a ton of time looking at and watching. It is very telling, the amount of investment that the major technology companies are making in that country, because they have the natural gravity and they have the political will to set that policy. 

The good news is relatively free press. The bad news is that it’s a pretty scary world in terms of internet regulation and cryptography regulation. So again, is there a role for regulation? Absolutely. But you’ve got to think about who that is and what it looks like, and on a global network, there’s a real tension that is different than you had with telecoms.

But let me make that point more regionally. You’re saying globally, and I agree with you. I think the [Narendra] Modi government is the largest democracy, but the Modi government has some autocratic tendencies, especially around speech, especially on the internet. They’re asserting control over it in very direct ways. The average person in Lawrence, Kansas, doesn’t feel that, right? They’re in America. They’re using American networks. 

I think a more direct question is, would you be more comfortable if the United States government passed a rule that said, actually, Cloudflare can’t kick people off the service and just took that decision-making authority away from you, which would preserve a more open internet but maybe makes a different tradeoff in terms of speech? Because I think the Modi government is going to tell you who you cannot do business with.

They’re going to make sure that some things never arise, that some opposition parties never get access to the networks or the information ecosystem there. I’m saying here, it seems like we’d go the other way.

So, first of all, I don’t want to speak for the Modi government or others.

I don’t do any business in India, so I get to say whatever I want, but even here, right, you are being careful because you don’t want to piss him off, and I think that’s notable.

I don’t actually know what the Modi government would do versus the opposition government in India or anywhere around the world. I know that we have to operate in lots of places around the world, and we comply with the laws in all of those places. I don’t know that changing the laws in the US would actually change what we have to do in other parts of the world, or if it did all of a sudden, then we just can’t be a global company. Because if you set up a set of rules where you can’t operate that way, then it makes sense. So we are pretty good at following the law wherever it is, and I think clarity of law makes a ton of sense. What I’ll say is, I don’t spend a ton of time thinking about this because it’s an issue that’s come up three times in 13 years.

Fair enough. I’m just wondering because I think your role in the ecosystem is so fascinating. 

I think it’s worth talking about these things even if they’re not our most pressing issues because I do think that we need to be long-term oriented as we think about this. And if the 40 years up to 2016 was A New Hope, the next 40 years is The Empire Strikes Back, and the AT-ATs have just landed on Hoth. What does Russia do when they take new territory in Ukraine? One of the very first things they do is they find the ISP and telecom headquarters, and they reprogram the routers to route the traffic back through Russia. Why do they do that? Because controlling communications is so critically important. That’s the other side of this, and it is not inevitable that the internet exists the way it does 40 years from now. And I’m proud of the role that Cloudflare is playing in helping defend what I think is one of the great inventions of human history and one that’s worth fighting for.

You’ve mentioned Russia and Ukraine several times now. You’re obviously supporting a bunch of customers in Ukraine. You have also said that just disconnecting Russia from the global internet would be a mistake. And the quote here is, “The consequences of such a shutdown would be profound” and that “Russia needs more internet access, not less.” This concept is broadly called the splinternet, the idea that every country is going to invent its own internet. We can see it here in this country. There are different state laws now that sort of determine what services are available depending on age or pornography or what people think about protecting children. Do you see that coming here? Do you see the splinternet taking root in the US? Kicking TikTok off our internet in some way appears to be in vogue. Do you see that coming here?

You can’t overstate how disruptive the internet was to what are the five traditional sources of power in society that have been the case since we climbed out of whatever swamp we climbed out of thousands and thousands of years ago. Family, religion, government, media, and education are where power traditionally has come from, and the internet disrupted them all in various forms, and they are trying to push back. It’s not that the internet isn’t without faults, and we should be honest about those and talk about those faults, but we should also be very careful not to give up on what is there. China is really interesting and really smart in that they never really let the internet in. They and North Korea are basically the only countries on Earth that never let the internet in.

A lot of other countries today are looking at what China has and saying, “That doesn’t seem so bad. Maybe we can recreate that.” So I think the question is, can other countries get the horse back in the barn? We’re trying very hard to make that difficult for the Russias and Irans of the world to make it so that if they want to have access to the APIs that drive oil trading markets, that they also have to let the Anti-Corruption Foundation or Bellingcat be able to broadcast information about the corruption of the Putin regime. We’re really good at making that a very difficult thing for them to block. That’s earned us some challenges. I’m personally sanctioned by the Russian government, which is a sort of surreal thing to have happen. But again, I wear that as a badge of honor and think that that’s us doing the right thing fighting for the internet overall.

I think that we should worry about the sort of TikTok bans and porn filters and things, but I think that those are small stakes compared to what are some of the really big-stake efforts where Russia and Iran are basically saying, “Can we recreate the same filtering engines that somewhere like China has?” And if they do, it won’t stop there. It’ll happen next in Turkey, it’ll happen next in Egypt, and it won’t stop there, either. India, Brazil, Canada, and eventually, governments want to be able to control how information is disseminated.

You mentioned a technical capability there that feels like a policy, right? If you want access to these oil trading APIs, you need to make sure Bellingcat is available. That’s just a policy you’re enforcing. Do you see other technical evidence of this inside the Cloudflare network that gives you pause?

I think we’ve made it very difficult to block any one site on Cloudflare inside Russia without blocking all of Cloudflare. We are at a scale where blocking all of Cloudflare is tough. It’s interesting to look at what Russia hasn’t been able to block. So the fact that YouTube is still available, I think it’s actually a really interesting point. I’ve spent quite a bit of time talking to policymakers and people who are much deeper experts about this. And they’ve said that, at the end of the day, a Russian family still relies on something like YouTube to entertain kids and that if Putin shuts that down, that he has a problem with the average Russian family. 

In our case, there are just enough things that the Russian economy depends on that run on Cloudflare, that you can also have folks like Bellingcat. It’s very difficult to block one without blocking the other. I think that these are the sorts of things that we don’t make any money off of but we think are important policy decisions to be thinking about as a fundamental internet infrastructure provider.

You mentioned Bellingcat, all these sites. You’re basically mentioning websites, right? Or servers on the internet in some way. I look at the web and I see this slow deterioration of web content because of AI. All the web is being flooded with C-plus AI-generated content, and all the action is on platforms. So it’s actually interesting to say they can’t block YouTube. Because they can’t go into YouTube and filter YouTube directly. Like, Google just runs that as a service. China might be able to filter the web more directly and block some sites versus others. 

How do you feel about the state of the web today? I’ve been asking a lot of CEOs that, because all of us built companies because of the richness of the web and our ability to meet customers right away because of the web, and as things head toward platforms and the web gets overrun with AI, that might be changing in a huge way.

At the end of the day, it doesn’t really matter how you’re consuming the content, whether that’s on your desktop or a mobile device, whether that’s through a browser or an app. Behind the scenes, a huge amount of what we see is processed through APIs. So APIs make up 57 percent of the traffic that we processed last year. And so that’s maybe not a traditional website. I think the web is probably the easiest thing for most people to relate to, but at the end of the day, it’s just anytime you’re accessing content online, if there’s a network involved, then I think we play some role in that. I think these things evolve and change over time. The death of the web has been predicted many, many, many times, and again, it still keeps emerging.

There was a period of time in the early web history where the search technology that we had wasn’t good enough. That’s where Google came from. It was building something that was just a better way to filter through all of the garbage that was out there. So I guess I’m a little bit more optimistic that, fundamentally, people are trying to figure out how to communicate. People are trying to figure out how to find the answer to the problems that they have and find innovative new solutions. And there will be things that make that harder, and there will be things that make that easier. But over time, if you look at it, the growth in overall internet traffic spiked enormously during covid, and then that slowed down. But in the last two years, it’s still grown almost 25 percent year over year, which is an extraordinary growth rate this far into the internet.

I think that if you started to see the utility of the internet slowing down, you would see the usage slowing down. And that’s not just because we’re bringing, I mean, it’s amazing, we’ve brought 4 billion people online. It’s disgraceful that there are 4 billion people who are not online. But it’s not just that. Even if you look at developed markets, you’re still seeing double-digit growth rates in internet usage. I think that’s the best predictor of, is there still real value coming from it? So I think we can wring our hands about whether AI is going to destroy the web, but I’m still optimistic that having networks that connect people together, people are going to use that to communicate and find answers to questions. If the current tools that we have, if Google isn’t sufficient to sort the wheat from the chaff, then there will be a new Google.

I think Google hopes there’s not a new Google, but we’ll see how that goes.

And I would guess that whoever that new Google is will use Cloudflare, so…

There you go. See, it’s all just customers for you. Let me bring this all the way back around. We’ve had what I would call a very idealistic conversation, and maybe we should get to John Rawls, although we have not done Locke, and I feel like you have to do Locke. You have to put Rawls in opposition to Locke. But we’ve had a very idealistic conversation. 

I would cynically say idealism for a company like Cloudflare is a function of margin. You are able to invest in long-term internet thinking. You are able to sit around thinking about these really hard decisions and supporting customers that you think are morally correct to support, even though they don’t pay you a lot of money. You’ve had to preserve those margins recently, right? You did layoffs. There was a very famous video of a person being laid off.

No layoffs. We’ve never done a layoff. 

You fire people. So you don’t think of those as layoffs?

No. I mean, if somebody doesn’t do their job well, then we will fire a person. But a layoff is a very specific thing where you’re saying we need to increase our margins. We’ve never made a determination on letting go of an employee for a margin reason. 

Because a lot of tech companies have been doing this. They say we overinvested, we’re getting smaller. I guess you fired a bunch of people recently because you thought you were too big.

Again, I don’t think we even fired a bunch of people. We fired about the same number of people that we normally fire. Covid had some really interesting effects. I think one is that, in 2020, we really stopped firing people because we’re human and people were suffering and we wanted to take care of them. Some people just expected that that would be the state of how things went on forever. We had people who for six months didn’t do a single thing as far as we could tell. At some point, you have to get back to actually doing work. If you don’t do work, then we’re going to let you go. But again, that’s not because we were too big. That’s just because you need to have people who are actually doing their jobs.

So I think we should focus on that. I think we’ve actually been unbelievably disciplined in the rate at which we’ve hired, and our margins have stayed kind of exactly the same for quite some time as a result of that. When you hire someone, it’s a big deal. It’s a responsibility that you have. I’m incredibly proud that last year we had 1.2 million people apply to work at Cloudflare, which is just extraordinary. We hired about a thousand, a little over a thousand of those. And we do a pretty good job of that. But every once in a while, we make decisions or someone just isn’t the right fit or sometimes the job grows more than they do, and it’s not the right thing. When we do that, we — in as responsible a way as possible — try to let people go. But it’s a relatively small part of the team, and I think we do a good job of it.

So I’m asking specifically about this video that you said was painful to watch with the person being fired. You’re actually hitting on something that I was going to ask you about as well, which is last year you fired about a hundred people and you said they weren’t doing very well, and you’re saying that again here. You were criticized for that. People basically said you shouldn’t disparage people even though you’re firing them for underperforming. You should just let them go live their lives. You seem to have a different approach. Even the culture of the company is radical transparency. It seems like you’re carrying that through even to this moment at the end.

I want to be very careful. It would be incredibly unfair for me to talk about the woman who posted the video. I mean, we have a much bigger megaphone, and we could walk through all the reasons for her being let go. That would be totally, totally, totally irresponsible. What I will say is that it’s incredibly costly to hire someone and then have them not work out. So it’s in our interest for everyone to work out. Not everyone does. And when they don’t, that doesn’t mean they’re a bad person. It doesn’t mean they won’t be an incredible employee somewhere else. They just weren’t the right person for us. And sometimes that’s their fault. Sometimes it’s our fault. It can be a number of different things. I remember, I was at a job, and I got fired because I wasn’t very good at the job, and I still remember it and it was super painful, but I learned from it.

With, gosh, at this point, almost 30 years of hindsight, they were right to fire me. But I’m a better employee today because of that. We can’t get to a point where we just say, everyone is great and everyone gets a medal and everyone gets a trophy. There are people who perform better than others, and we have a certain amount of work to get done. The worst thing that you can do as an organization is hold on to your low performers because that not only is wasteful, but it actually is incredibly discouraging to your high performers. That doesn’t mean that anyone who we’ve let go won’t be a great person somewhere else. Or even if we’d done certain things differently, if we’d trained them in a different way, maybe they would’ve been better. But for us, at that moment in time, they weren’t the right person. 

I think that as you hire people, no matter what, you’ve got to be really, really thoughtful around this. I remember in early 2022, every story was about how it was going to be the Great Resignation. Every employee was going to quit. Meanwhile, we’re looking at the data, and we’re like, “Seems like the economy is going to slow down.” So all my peers are like, “We’re hiring as fast as we can.” And then it turned out no one quit. The Great Resignation never showed up. I remember thinking, “Gosh, maybe we’re doing this wrong.” Because companies that I really respect, I would talk to their CEOs, and they would say, “Yeah, we’re hiring as quickly as we can.” We’re like, “Gosh, all the data sort of suggests that we’re about to slow down, so we’re actually kind of pulling back on hiring right now.”

That was a very scary and risky decision. But I think it’s part of what then has allowed us to not have to do layoffs and to be able to continue to invest because it’s always incredibly costly and just disruptive and demoralizing if you have to do this. On the other hand, if you don’t let go of low performers, that’s also incredibly disruptive and demoralizing. So I think we have to be very clear: it is irresponsible as a company to overhire and then have to lay a bunch of people off even if they’re performing well. But it’s also irresponsible as a company to have low performers who you don’t lay off as individuals because, again, that’s bad for the company, and it’s bad for the high performers that are there. 

I agree with that completely. My question is a little bigger, and I want to end here. It’s about having the space to have your values. And a lot of the other big companies in tech preached their values for a decade or more. We’re connecting the world. We’re going to make the world a better place, famously. And then the margin pressure did come, and they did overhire and they made layoffs, and now they’re kind of more ruthlessly focused on profitability, and the values seem to have gone away. 

Is that something you’re worried about? Because so much of this conversation has stood out to me because of how often you come back to the values and the mission of the company in that I’m watching other big companies immediately make that tradeoff. I’m wondering if you ever feel that pressure or how you think about it. Because it feels like that will determine the future of Cloudflare as much as anything else.

Michelle and I are fundamentally focused on being just incredibly efficient business leaders. We often joke that we’re scared squirrels at the end of the day, where I think that we believe that every dollar of investor capital that we’re trusted with, every dollar that a consumer pays us, that we have to deliver a really substantial return for that. And I’m super proud of the fact that we did that for all of our investors before we went public, and we’re way up from our IPO price, and we continue to be able to deliver very consistent and long-term results. We have always focused on efficiency. We’ve never been the place that wastes money on fancy cafeterias or conference tables. We have very functional basic offices. I don’t live a particularly fancy life, and neither does Michelle, because again, what we’re focused on is building what is a really great business.

We’ve done that for a long time now. We’ve done that for 13, 14 years. Over that time, I think we’ve built a lot of trust with the investing community. If you look at, even as a public company, who our top 10 shareholders are, it’s been remarkably stable over that period of time. You look at firms like Baillie Gifford that are a big investor in Cloudflare, their average holding period is 16 years. So they really are focused on the long term. I think if you chase short-termism, if you look for that, and you run your business that way, then you will get investors that behave that way. But if you really do think about the long term, if you are really mission-driven, then you’ll also get investors and customers who are focused on the long term and will let you do that as well.

I’m not saying it won’t come at some point, but I think both a combination of doing what we say and saying what we do, being incredibly consistent, really focusing on long-term value creation for every one of the stakeholders that we serve, including the general public, that that has given us that freedom to be able to continue to innovate. I think that it’s also one of the real powers of being a founder-led company. The fact that Michelle and I are still showing up every day to work, that lets us do that, because again, it’s a level of consistency, and I can’t imagine anything that I could do that would be more meaningful or more impactful. I think as long as we do what we say, we say what we do, hopefully we’ll always have the ability to build a great business. But also do those things that are living up to our mission, which is again, to help build a better internet.

I can’t think of a better place to end it, Matthew. Thank you so much for being on Decoder.

Today, I’m talking with Cloudflare co-founder and CEO Matthew Prince. Cloudflare might be the most important internet company you’ve never heard of, and that’s almost by design. It’s a network infrastructure provider to more than 20 percent of the entire web — it’s effectively what prevents bad actors around the world from torpedoing some of the biggest websites on the planet with cyberattacks. But if Cloudflare is doing its job, you don’t have to know it even exists. 

Cloudflare is an absolutely fascinating company at the intersection of so many of the biggest ideas we talk about here on Decoder. That’s in no small part because of Matthew, who’s been at the helm for nearly 15 years and has had to make some of the most uncomfortable moderation decisions in the tech industry. 

As an infrastructure company, Cloudflare is one of the only defenses — in some cases, the only defense — standing between websites and the people who want to take them down. That includes websites for social good, like news organizations around the world, but also means unsavory or downright despicable ones, like neo-Nazi haven The Daily Stormer and hate and harassment breeding ground 8chan. 

Over the last decade, Matthew has had to make the call when to stop providing service to websites like those, even as he’s championed Cloudflare as a bastion of free speech and a tool used by journalists, activists, and dissidents in authoritarian regimes. It is a profound balancing act, and you’ll hear me ask Matthew how he thinks about making those types of decisions and the company values he says drives them. 

Matthew and I got into pretty much the whole gamut of protecting speech on the internet. We talked about the contrast between speech in the US covered by the First Amendment and speech overseas that is very much not. We got into how governments might be able to regulate companies like Cloudflare and what that would even look like here in the US or perhaps in a country like India. 

And we discussed how Cloudflare looks at its role in war zones like Ukraine and how the threat of a splintering internet — or one that’s just more restrictive and more aggressively under attack from bad actors — could undo the last 40 years of progress. None of this is theoretical for people like Matthew — seriously, he’s personally under sanction by the Russian government. 

Some notes before we start — because this conversation really went places and you’re going to hear a lot of references to various political philosophers. Aristotle comes up, which Matthew explains, but then we talk about Thomas Hobbes, who believed that nature is cruel and anarchic and the purpose of government is to enforce a social contract between citizens. 

We also mention John Locke, who expanded the idea of the social contract into what we call liberalism and whose work directly influenced the founding fathers and shaped the Declaration of Independence, and then we mention John Rawls, who moved away from the idea of an unchanging natural law into fairness as the foundation of the social contract.

This is a lot for a conversation with a guy who keeps websites on the internet, but it is very much why I love doing Decoder. 

Okay: Cloudflare CEO Matthew Prince, here we go.

This transcript has been lightly edited for length and clarity. 

Matthew Prince, you’re the co-founder and CEO of Cloudflare. Welcome to Decoder.

Thank you so much for having me.

I am very excited to talk to you. It feels like the internet is in a moment of deep and lasting change for a variety of reasons. Cloudflare is an underappreciated part of the internet for most people. If you use internet services, you might not even know Cloudflare exists. But I think if you make internet services, there’s nothing about Cloudflare that’s underappreciated. It’s an important technical piece of the internet. Can you just describe from the beginning what Cloudflare is for folks?

At the absolute simplest level, Cloudflare is a service that makes the internet faster and protects it from bad guys. How we do that is we run today one of the world’s largest networks. Our customers are anyone who’s trying to put content online, anyone who’s trying to connect to the internet in a secure way — businesses, not consumers, for the most part. And what they do is they put that content behind our network in order to make sure that it can be fast anywhere in the world. It can be reliable no matter what. It can be secure, private, and efficient so that it can reach as much of the internet as possible. 

Today, we operate that network in over 300 cities worldwide, in over 120 countries, and we’re within milliseconds of the vast majority of the users on Earth. And when we’re doing our job right, you don’t even know that we exist. You just have a better, faster, more reliable internet experience.

Put that next to what most people think about as the internet. Cloudflare has a network of its own. It has data centers around the world. Those data centers are close to me physically such that data might get from the data center to me in milliseconds, as you’re saying. But I think most people think about data centers and they think about Google or Microsoft or Amazon. Are you running the same kind of data centers? Are you running different kinds of data centers? Do you work with them? How does that go?

We tend to have lots of machines scattered in many, many places around the world. Whereas, what you’d think of as the traditional cloud providers — the AWSes, the Google Clouds, the Microsoft Azures of the world — will have many, many computers but be more concentrated in individual places. We tend to cooperate really well with those providers. They tend to be much more like the data stores, the sort of the database companies that are out there, whereas we’re the networking company that connects those things together. 

You would often use one of those traditional cloud providers plus Cloudflare in order to have the best possible experience. And somewhere between 20 and 25 percent of the web today sits behind us. So chances are, everyone who’s listening to this has probably used us certainly in the last 24 hours.

So, if I’m starting a website — it’s funny I say that, I run a website — but let’s say I’m starting another website, and I say, “Man, I want to make sure the stuff on my website can get to customers quickly. I want to make sure that I’m protected from DDoS attacks.” What do I actually buy from you?

First of all, we believe that our mission is to help build a better internet. And that’s not just a better internet for the largest companies in the world. They’re all customers as well, but I’m really proud of the fact that even individual developers, startups, can adopt Cloudflare. We have a free version of our service, which is really pretty astonishing. We don’t believe that you should have to have a huge budget to have top-grade security, performance, and reliability.

For all of those things, you can come up to our website, sign up, you effectively make some technical changes to how your website is announced to the rest of the world that causes that traffic to go through us. Or, from the other side, if you’re a business and you want to make sure that your employees are connecting to the internet in a secure way, we provide you software that you can install on your laptops or your mobile devices in order to make sure that, again, you’re using that network. And so, regardless of whether you’re publishing content online or running a business whose employees need to get online, we have a set of services and we try to make them make sense for you, whether you’re small or, today, over a third of the Fortune 500 uses Cloudflare in order to get those same benefits as well, and we have services for those large companies, too. 

You’ve talked about security a number of times. When I think about Cloudflare, I think about caching mostly. I’ve got some stuff on my computer or my server or my data center. I do want to put it closer to people so they can access it more quickly around the world. That feels like the big thing that you guys provide to folks. But you’ve talked about security a number of times. What is the specific security solution that you provide to your customers?

It’s interesting that some people think of us for things like caching. So the idea of caching is basically just making a copy of something so that you don’t have to move it as far. The speed of light is only so fast, so if we can make copies of the logo on a website or the images and move those closer to people, then effectively, the online experience gets significantly faster. But that’s not where Cloudflare started. In fact, it’s actually kind of ancillary to what we did. We’re very good at it today. But the original premise of Cloudflare was: how could we make a firewall that was deployed without any hardware where you could just get it as a service? 

The thing was that, early on, the objection that everyone had was, “That sounds great, you can serve a much broader market, you can make it incredibly easy to use, you can learn from all the traffic that flows through you in order to get and make everyone more secure, but you’re going to add a bump in the wire. You’re going to slow things down.” And so Michelle [Zatlyn], my co-founder and I, as we were first starting to think about the business, we became obsessed with how to make things faster. And caching was one part of it, protocol optimization, just getting enormous amounts of connectivity around the world were all pieces of the puzzle, but they were really servicing that end goal of how do we make everything more secure. But it turns out that, in most cases, security comes with a compromise of slowing things down.

When we launched, we launched with the goal of just not slowing things down, and then we were a little bit better at it than we intended to be. So not only do we not slow things down but we also actually significantly speed things up. And so, today, there are people who may not be particularly worried about cyberattacks who also use Cloudflare. But the great news is you can be really concerned about security and you get performance, or you can be really concerned about performance and you get security. And again, I think it comes back to how Cloudflare is living up to our mission of just making sure that everyone online can have the best internet experience and that our mission is really to help build a better internet.

Who are your biggest competitors?

I think that there are a lot of companies that compete with us in individual areas. You do have companies that focus just on things like caching, the folks like an Akamai or Fastly, and we compete with them from time to time if people are just looking at that one thing. You have other companies that are really focused on the VPN replacements of the world — so the likes of Zscaler, Palo Alto Networks, Cisco for some of Cisco’s products — and we compete with them as well. But I think what’s unique about Cloudflare is that we offer that complete package: that we can make sure that your content is safe, that you can make sure that your employees are safe. If you look across that entire thing, there really aren’t that many companies that do everything that Cloudflare does. And what we see from our customers is they really want to have that complete network security package, and they’re sick of buying individual point solutions.

Cloudflare can deliver what we think of as a complete connectivity cloud, and that replaces a lot of the Akamai, Fastly, Zscaler, Palo Alto Networks, and a lot of the people who are doing what is traditionally network security. And then, of course, all of the box vendors, the checkpoints, and… I’ve forgotten the names of them. I guess that’s how much we focus on our competitors, but we really are just saying, “How can we help make the network experience the best possible thing it can be?” We compete with competitors in those areas, but there isn’t really anyone that does the complete suite of things that Cloudflare delivers.

I just want to point out, if there was one person in the world who had learned the name of enterprise security vendors from the advertising at the airport, it’s Matthew Prince, and you clearly did not gain that knowledge from that. I always wondered who those ads are for, and I figured you would pay attention to them.

We spend a ton of time focusing on our customers, and we tend to spend a ton of time just focusing on how we build a better internet, even to my board’s chagrin. They’re always like, “We should talk more about competitors.” And I’m like, “I think if you just focus on your customers, you focus on building a great product, competitors will follow you as opposed to you having to follow them.”

If you hear that sound, it’s the price of airport advertising plummeting in the background. I want to talk about competitors along the way here. I think it’s a really important point, because I think there’s a lot downstream of whether you feel competition. A lot of people characterize Cloudflare as one of the most vital companies on the internet, or a required company on the internet, and a core infrastructure layer. Do you feel that way about Cloudflare — that you’re just part of the essential utility fabric of the internet now?

When we were just getting started, one of the things that we would always ask ourselves —  and this was when it was eight of us above a nail salon in Palo Alto, California — “If Cloudflare ran the entire internet, what would the right decision be?” And we asked that around technical questions. We asked that around policy questions, around how we did customer support, around everything. We’re just always asking ourselves what that was doing. And there was a certain absurdity to it, because again, we were eight people without a single customer above a nail salon. 

And yet, I think that we would joke that someday if we had an outage or something went wrong, it would be on the front page of the newspaper because we would be that important. We have an incredibly robust reliability record. But when we’ve had challenges now, it is that level of news, except oftentimes, the news publications themselves are Cloudflare customers, so they’re offline as well. But we take the responsibility that we have extremely seriously, and we try to be a very principled organization and think about what the long term is. 

People do rely on our networks. There are aircraft that can’t take off if Cloudflare doesn’t work. There are cash registers around the world that don’t work if Cloudflare doesn’t work. There are ATMs around the world that don’t work if Cloudflare doesn’t work. And because of that, I think our entire team is really focused on how we make sure that we are delivering the absolute highest-quality service that we can. And again, when we’re doing our job right, we’re that thing behind the scenes that’s just making everything work better, and most people don’t even ever need to know that we exist.

Particularly in enterprise, the notion that you have a single vendor as opposed to multiple redundant vendors, that pendulum swings back and forth, right? Cloudflare is obviously the integrated solution. You provide all of it. You can get all the things you need to run your service across the network. Your competitors, it’s more mix and match. You can probably go to them for pricing and competition, discounts, all that stuff. Why do you think your approach has won so definitively?

I think that people want to have one integrated network security vendor. And there are times that that can provide a robust way of protecting your network that you can’t get stitching together a number of different solutions. Oftentimes, what we see in the security space is that the seams that are created between vendors are often what the attackers exploit. And what we can do is give you a seamless experience where you can see traffic coming into your network, traffic going out to your network, see that all through one dashboard, give that visibility to all of your employees. That idea of a connectivity cloud that really does connect all aspects of your business together really resonates. 

The other thing is that we can often deliver it in a much more cost-effective way than individual networks. There is a certain fixed cost to running a network like ours, and the first service that a customer buys from us costs us a certain amount of provision, but then, each additional service that we provision on top of that is actually very cost-effective for us to deliver.

And Michelle, my co-founder, had a mantra that we should always be delivering 10 times the value that we should be capturing ourselves. And I think we’ve really done that. What that means is that oftentimes companies can just get a much higher return on their investment. They can save a significant amount of money while at the same time having a better solution, a more integrated solution, by switching to us. I think, over time, it makes sense for you to have one network security vendor. And I think we’re well positioned to be that.

There are things we don’t do. Security has other aspects. There are endpoint security companies like CrowdStrike and SentinelOne. I think that’s a very different skill set and that’s somewhere where we’d be much more likely to partner. There’s identity, companies like Microsoft, Okta, and Ping Identity that provide those services. Again, I think that’s somewhere where we think it makes a lot more sense to partner. But in the network security space, we think that one integrated solution is able to not only deliver the best experience but also be able to deliver it in a way that is the most cost-effective.

Let me ask you some of the Decoder questions now. You mentioned eight people in a nail salon. How big is Cloudflare now?

We’re about 3,500 people around the world and very global. So we run what is an incredibly global service, and our team is distributed very globally around the world.

And how is it structured? How do you think about how the company is organized?

There’s one P&L at Cloudflare. We try to be as flat as possible. Generally, the metric that I pay a lot of attention to is: what’s the average number of direct reports that a manager has? We try to get that number around eight direct reports, which is on the high side. Most companies are around five, and that tends to make the structure a little bit flatter. Michelle’s our president and COO, and we split the world up. She handles a lot of the go-to-market and HR and support side of the business. I handle a lot more of the product engineering, finance, and legal side of the business. And those are sort of where we divide things up. We have not split up into GMs yet.

I think the one thing that we’ve done, which is a little bit unique at Cloudflare, is we really have three different product and engineering teams that have somewhat different mandates and have very different mandates, ultimately, around the time to market and the timeframes that they’re thinking around. So our traditional product and engineering organization, which is 80 to 90 percent of our R&D budget, is what everyone thinks of. They think in two-quarter roadmaps, spend a ton of time talking to customers, listen to what they want, try to deliver that, think about what our products are and how they can move up and to the right in the Gartner or Forrester survey, and make what is incredibly important but very much sustaining innovation around the products that we already have. 

We have a second R&D org — which is, approximately, call it 10 to 20 percent, it varies depending on the time — and that’s what we call ETI, or emerging technology and incubation. They don’t think in two-quarter timeframes; they think in two-to-three-year timeframes and very intentionally spend very little time talking directly to customers. They spend a lot of time thinking about, with the resources that Cloudflare has with the network that Cloudflare has, if we look out over the horizon, what’s the thing that someone’s going to want two years from now that we can deliver? Their job is to take lots of shots on goal, and 80 or 90 percent of them never see the light of day, but some of them do. People can rotate in and out of the ETI group, but it’s almost like a little skunkworks team inside of Cloudflare. A lot of the really big leaps where we’ve provided things like our developer platform, a lot of the work that we’re doing around AI today, comes out of that group. 

We have a third group, which is the smallest. Often, it’s made up of a lot of people who are getting their PhDs in computer science or they’re taking time off to do an internship or some people who would almost be professors at a lot of universities. They are thinking more in a five-year timeframe on fundamental internet technologies. As we have things like TLS 1.3, which is the encryption protocol that protects how, when you put your credit card in, that it’s secure, or thinking about things like quantum cryptography. They’re the team that’s thinking on that longer timeframe on what the internet’s fundamental protocols are going to need and then how Cloudflare can be contributing to those things. They’re very much not focused on shipping products but, instead, helping standards develop. They’re working with organizations like the IETF [Internet Engineering Task Force] on what the future of the internet looks like. And again, they’re thinking about something that almost has zero direct return on our business. 

I think because we have those three different engineering groups that have those three different timeframes, it’s allowed us to both deliver what our customers want but then also deliver really disruptive innovation from an organization like ETI — and then also contribute back to the fundamental protocols of the internet with our technology team, which is thinking on that longer timeframe. For me, that’s one of the things that’s the most exciting about Cloudflare is I think we are one of the most innovative technology companies out there, and we built an org structure really designed around how we can continue to deliver innovation every single day that we’re doing the work that we do. 

So you mentioned you have the three groups, and you actually just said something really interesting, which is that the longest-term group doesn’t really have a measurable return. But that’s the most important group, the one that’s working on the actual standards that make the internet go, that protects against things like quantum attacks on cryptography. There are some really long-term things that need to be invented. How do you think about allocating the margin from the day-to-day customers paying you to, “Okay, we have to invent some stuff for five years in the future?”

I think that, again, we start with the mission, which is to help build a better internet. That means, oftentimes, we’re doing things that don’t have some direct measurable return. Maybe this sounds somewhat naive, but what we found is, if we do the right thing, that it pays off, but you don’t always know exactly how it’s going to pay off. 

As an example of this, back in 2016, we saw a lot of foreign interference with the elections, and we thought, “Is there something that we can do to help with that?” And so we launched something called the Athenian Project, where we provide our services at no cost to anyone originally in the US — although it’s expanded now — who’s helping administer an election. There was a lot of hand-wringing from our state, local, and federal team that, “Oh my gosh, this is going to cannibalize our business because it’s something that they could sell and now we’re going to give it away for free.”

But at the end of the day, we couldn’t have built the company that we did if we didn’t have a stable and functioning democratic government. I think that we have a duty and responsibility when we have the ability to protect things, like how elections work, for us to not have costs be something that stands in the way. I’m proud of the fact that, today, a majority of US states, almost all of the battleground states in the US, the officials that administer elections there use us in various ways and have been for quite some time. There was no direct return from that. It was just… it’s the right thing to do. But I think it’s helped us build goodwill with governments. It’s helped us build goodwill with a lot of businesses where people want to work with companies that aren’t just coin-operated. They want to work with companies that are principled and are trying to do the right thing. 

As a result of that — even though it’s very hard to measure the return of these things ex ante — ex post, they have paid off in spades. And so, the technology team is like that. A lot of the work that we do volunteering our services is like that. For our team, maybe more than anything else, the key to building great companies is recruiting great people. People want to work for companies with a real mission that are doing some real good in the world.

So anytime that we do these things, whether it’s helping with the TLS 1.3 protocol or helping protect Ukraine before the Russian invasion in 2022, that pays off. But you can’t always see it and how it’s going to look in advance. So I guess the answer to your question is that we don’t so much think about, “Oh, we’re going to allocate exactly this amount of margin.” But we do make sure that we’ve got a structure in place that gives us the ability to build the things that customers want who pay us but also builds the trust in the greater market, which again, has turned out to be some of the best marketing that we can do both for customers but also for prospective new team members.

Let me push on that a little bit, but I think this is a good time to ask the Decoder question. You have a lot of decisions to make. Some of them are harder than others. Some of them are more esoteric than others. How do you make decisions? What’s your framework?

I keep coming back to the mission of Cloudflare, and I’ll confess that I went to business school, and I remember sitting in classes where people talked about the importance of mission, and I’d never worked somewhere that was a really mission-driven place. I’d never been in the military. I’d never really done government service in any way. I hadn’t been in a company that I would describe as extremely mission-driven, so I kind of rolled my eyes at it. I think that early on at Cloudflare, if you had asked, “What’s Cloudflare’s mission?” I would’ve said, “Our mission is to take advantage of this really unique market opportunity where the world is shifting from on-premise hardware to the cloud, and clearly the network is going to take over that, and a whole bunch of the things that were like firewalls and VPNs are going to turn into a service, and hopefully we’ll even make a little bit of money and impress our parents,” which is, by the way, why most people do the things that they do.

That’s a mission that inspires almost religious fervor.

We had a chicken-and-egg problem, where, in order to make some money and impress our parents, we had to sell to really big companies that would pay us millions of dollars a year. But in order to do that, we needed to have something that was valuable to them. In order to do that, what they cared about was cybersecurity, so we needed to be able to predict who the bad guys were and stop them. In order to do that, we had to have a whole bunch of data. In order to have data, we had to have customers, because the customers basically would feed the data back into the system. And so we had this problem in a simplistic way that, in order to have customers, we needed to have data; in order to have data, we needed to have customers.

So being good little business students, Michelle and I said, “Well, what if we created a free version of our service, and we’d let anyone sign up?” And we expected it was going to be small businesses and individual developers that signed up, but that wasn’t what happened. And the reason why is if you imagine sort of a two by two and the X axis in the two by two is, call it, company size, and the Y axis is security risk, it turns out that as companies get smaller, their security risk goes way down. There’s still some momentum that keeps people from signing up for even a free service. As companies get bigger, the security risks go up, but they’re not going to trust free services. So none of those signed up. Who did sign up were the only organizations that are in what I would call the northwest quadrant of that two by two, which are smaller organizations that have really big security risks.

Those organizations tended to be civil society and human rights organizations. So we woke up one day back in 2010, and it was like every human rights organization in the world had signed up for Cloudflare. There was a part of me that was like, “Gosh, why do we care about this? Because they’re never going to pay us much, so we’re not going to make money, and we’re not going to impress our parents.” But they keep signing up, and they would write in and say, “Hey, it’s so useful what you do.” And if you’re a human rights organization, you’re often pissing someone off and often someone powerful. And so the powerful people would try to knock them offline, and we would protect them. 

I remember there was a guy who ran an organization called the Committee to Protect Journalists. His name was Jeffrey. He wrote to me one day, and he’s like, “Hey, I’ve got three Cloudflare customers that are in town. Would you like to meet them?” I rolled my eyes. Michelle was watching me. She’s like, “Matthew, just take the meeting. It’s 15 minutes. You never know what comes out of these things.” And Jeffrey brought into our office — we were on Third Street in San Francisco — these three African journalists. One was from Angola, one was from Ethiopia, and the third, they wouldn’t tell us his name or where he was from because he was currently being hunted by death squads. It was the first meeting I’d ever been in where the term “death squad” had been used. We’re fortunate to live in the West, but in most of the world, journalism is very dangerous and everywhere is an incredibly noble profession. In these cases, these journalists were covering largely government corruption in their home countries and people wanted to shut them up.

They would threaten them physically but also do things to knock them offline. One guy had tears in his eyes. By the end, we were all hugging, and they said, “We couldn’t do what we’re doing without you.” I remember it was supposed to be a 15-minute meeting and it turned into two hours. Michelle somehow, at some point, comes and finds me and gets dragged into the meeting. We finally walk them all out and put them in a cab in San Francisco and look at each other like, “What in the world have we gotten ourselves into?” That’s when the mission really crystallized, and that’s when the mission became so important. I think when we started, when we said, “What are we doing?” we were making the internet a little bit faster and more reliable and more secure. But today, as we think about things, it’s much more about, “How do we fight to make sure the internet still exists?”

From the comfortable places that we sit in the West, that may not seem like a threat. But if you look at what Russia is trying to do, if you look at what Iran is trying to do, Turkey, Egypt — for different reasons, India, Brazil — you can’t overstate how disruptive the internet was to the traditional sources of power, be those family, education, media, religion, government, . So the analogy that I’ve often used is it’s like Star Wars: Episode IV – A New Hope, the 40 years leading up to 2016, and then right around then, it flipped. Today, I don’t think we can take for granted that the internet that we have known in our lives exists 40 years from now.

I think we’re very much living in a time when we have to think about how we make decisions on what’s right for our business. But at the same time, we also have to think about how we make decisions to fight for the fundamental existence of the internet overall. That, for us, comes back to, “What are our core values?” At Cloudflare, we are a very curious organization. We want to take on new challenges, never say, “It’s not my job,” always go in a bunch of different directions, often to a fault, by the way. I think the biggest criticism of Cloudflare can be that we’re a mile wide and an inch deep. We do a ton of different things. But again, I think that comes from curiosity. I think we’re a very transparent organization. When we make mistakes, we talk about it. We do that both externally and internally. After every board meeting, we present all the slides we presented to our board to our entire company, which people thought after we went public, there’s no way we’d keep doing, but we have. 

I think we’re a very principled organization, which, fundamentally, means we’re not going to sacrifice the short term for the long term. So I think coming back to the mission and coming back to those core values is a lot of how we, as a company and how I as a leader of the company, make decisions.

You’re talking a lot about values and mission. It’s interesting to hear the CEO of what is effectively an infrastructure company talk about running that company on values and mission. Those things do come to a head. There’s a tension there that occasionally comes to a head. I think you can probably guess I’m going to ask you about The Daily Stormer and 8chan and Kiwi Farms. These are sites that relied on Cloudflare. They were Cloudflare customers. They hosted a bunch of hate speech, a bunch of racism. They did a bunch of harassment. They were Nazis in some cases. 

Then you said, “Look, you’re not going to be our customers anymore.” And Cloudflare is big enough that when you say that, people do want to knock a bunch of Nazis off the internet, and their sites went down because Cloudflare wasn’t standing in the way. Walk me through that decision because there’s a real tension between “We are here to protect speech and the internet that we know” and “We know that if we stop doing business with you based on our values, you will get DDoSed off the internet.”

I don’t want to dismiss that these are tricky issues, but they are not daily issues for us. For the most part, our business is pretty straightforward. There are things that are illegal in various parts of the world, and in those places of the world, we comply with the laws. There are then things that are legal but may be gross in various ways. Someone might say, “Oh, I don’t like that.” And for the most part, we say, “Well, that’s what the legislative process is for.” That tends to actually work surprisingly well. 

Cloudflare is 13 years old now, and we’ve had sort of three of these big incidents over that period of time. The mean time between incidents is a little over four years at this point. It’s not like every single day we’re wringing our hands and thinking about it. I think that that’s different than if you’re Facebook or Twitter, who really are every single day having to make these decisions, and they have a much harder job because they are fundamentally the content. In our case, in order for somebody to have gotten to us, it has to be an individual makes a kind of gross decision to post something, which then doesn’t get taken down by a platform, doesn’t get taken down by a host, and falls all the way down to the network level, which there are a lot of layers that have to have gone wrong there.

But every once in a while, it is bound that that is going to happen. It tends to be places that are still technically maybe legal but are really harmful and destructive. In some cases, places where we’ve actually worked with law enforcement, they’ve said, “We are very worried that if this site is still online, you might see a mass shooting or you might see something else.” It’s one of those questions where, if you’re living in an apartment building, generally, it’s not cool to spy on what your neighbors are doing in the apartment next door. But if you see someone whose life is in danger, then yeah, you break down the door and you go help them. But that wouldn’t be what you normally do. Every once in a while, we have to do that. 

I think the thing that is different about how we think about it than how most companies think about it… and I’ve had the privilege to get to sit in on a lot of the public policy chats that folks like Facebook or Twitter / X or AWS or Google or Apple have had. I think if you sat in on those, you would actually feel a lot better about the companies. I think that they are almost always incredibly thoughtful people that are behind this and that have tradeoffs that you might not imagine. But I think that what a lot of tech companies really believe in is they trust their own internal bubble. They don’t trust the rest of the world. So they have this almost militant secrecy about them, which I think is actually one of the real mistakes that the tech industry today is making. Whereas we really take a very transparent view of this. I have to confess that I didn’t expect that I would spend a significant portion of the time that I talk to journalists for the rest of my career talking about neo-Nazis because it’s not really a topic I actually spend all that much time thinking about.

But I think that the thing that we’ve done is that when we have come to these hard issues, we haven’t just said, “Paragraph 13G of our terms of service, beyond that, no comment.” We’ve tried to walk through: here’s why this is hard and here’s why we struggle with it and here’s the good and here’s the bad and here’s why these are tricky issues. It just happens to be that neo-Nazis are about the grossest thing that you could imagine, and so people who are trying to be gross either are or pretend to be neo-Nazis. So you get tough conversations around this. What’s different about us than other companies is that we’re willing to talk about it, whereas most other companies don’t. The reason we’re willing to do that is that I think transparency is key to trust.

When this first of all went down with The Daily Stormer, I tried to figure out how, when you get into these situations, do you show that you are being thoughtful and responsible. And I actually went back and pulled down a bunch of philosophy textbooks, and I started out reading James Madison because I thought, “Okay, in the US, we have the First Amendment. Where does that come from and what’s behind it?” Because it turns out, if you go to Germany and you say, “Well, what about the First Amendment?” everyone rolls their eyes, and I think it’s the wrong place to start. 

I think the right place to start is actually around the rule of law, and Madison was really inspired by Aristotle so I went back and read all my Aristotle textbooks. Aristotle really believed that there were three things that were inherent for a government to be trustworthy: it had to be transparent; it had to be consistent; and it had to be accountable. So you need to know what the laws were, they needed to be consistently applied, and then the people who applied the laws had to be subject to the laws themselves. So that’s basically what government is. It’s really amazing, around the world, even totalitarian governments that don’t really follow the rule of law pretend to. They pretend to be transparent.

We just had elections. Oh my God, Vladimir Putin got voted in one more time.

That’s exactly right! And it’s like, why does Russia go through the effort to do it? It turns out that it’s because that’s where trust in these organizations goes to. And Cloudflare is not a government, and no big tech company is. But if you think about it, on a daily basis, more people interact with Cloudflare’s network than live in any country on Earth. And so, while we’re not a government, I think some of the principles of how large organizations build trust do apply to us. And so I think we try to follow those principles of rule of law, which are transparency, consistency, and accountability. 

Wait, can I ask you about this though?

I believe you, and I think it’s fascinating that so many tech CEOs think about the demands of running a state when they think about running their company for their customers. And it’s true, I think that’s a function of scale. I just think it’s fascinating that we got to Aristotle in this conversation. 

We’ll do [Michel] Foucault next, if you want.

Yeah, I’m ready, “nasty, brutish, and short.” That’s life on the internet. We’ll do the whole thing. We’ll go all the way back to Hobbes. But the mechanism of “I’m going to stop doing business with The Daily Stormer,” famously you said, “I woke up and decided that I was sick of it and stopped it.” That’s the transparency. But at the end of the day, you had the power.

But the way that the bad thing that happened was that a bunch of people were then able to do a DDoS attack. Your power is, in that case, contingent on knowing that there’s a universe of actors who will then immediately knock The Daily Stormer off the internet. That’s the relationship in your role specifically that I think is interesting. A hosting company has a different power, which is, “I’ll just delete your website.” An internet service provider says, “We’re just going to block your IP address.” You’re saying, “I’m going to get out of the way so the mob can tear you down.” That feels like a different kind of power or a different expression of accountability. How did you think about that?

There’s some truth to that. The thing about hosting providers is there are lots of them. The thing about Cloudflare is that there are very few companies that can provide the services that we do, and if you piss all of us off, it’s really hard to still be on the internet.

Because there’s a mob of people who will take you down. But that’s the thing. It seems like it’s okay to say, “I’m not going to be your security guard anymore.”

Yeah, I guess, although it turns out, if you’re running something even completely innocuous today, there’s real risk that’s out there. You need an immune system in order to just stay online, even if you’re posting cute pictures of kittens. And so it’s not just the neo-Nazis that get knocked offline. Everything, at some point, needs some level of a security guard, or again, something like an immune system, to stay online. If you don’t have that, there’s just enough badness out there looking for vulnerabilities that it’s hard to stop. And then, in addition to that, just the advantages that we’re able to provide in terms of performance, in terms of cost, just being able to make sure your content is available everywhere in a cost-effective way. If you have to exist in a world without a Cloudflare, it’s just a lot more expensive to operate.

So again, I think it comes back to that question that we asked ourselves when we were eight people above a nail salon, which was, “If we ran the entire internet, what would the right policy be?” And again, we will never run the entire internet. That’s just never going to happen. But I think that that’s the right mentality to think about these questions from, because I think it puts the right level of seriousness into the discussion. None of these sites paid us anything that mattered, right? If the only thing that we were motivated by was just money, I mean, it’s easy. Of course you should kick these things off. But again, I think we really do believe that we are very principled, we’re very mission-driven. And I think that’s part of what sometimes gets us into these sorts of challenges. But I’m really proud that the team that we have is thinking about them, and I hope it sets a good example for a lot of startups and also companies that are a lot larger than we are. 

It’s cool that today, regularly, companies that are much, much, much larger than Cloudflare that run into the same issues call us up and say, “Hey, we’d love your advice on this.” I’m proud of the fact that that’s a role that we’re playing, and I think that that’s an important bit as we think about how we are going to ensure that the internet still exists because I don’t think that’s inevitable. 

First of all, I want to point out, I think we did get to the Hobbesian state of nature on the internet. You were saying there’s enough latent badness out there that you’ll just… red in tooth and claw will just come and kill you if you don’t protect yourself or build a society. 

That’s fascinating to me, and I think probably most listeners aren’t aware of this: that if you just put a server on the internet exposed to the wider internet, someone will come and kill you. 

Explain that essential truth, because I don’t think that’s obvious to most people.

It’s become so efficient, if you’re a bad guy, to just be able to literally scan the entire internet to have a catalog of every vulnerability that is out there to run through all of those. And then the value that you can derive from taking over a website publishing cute pictures about kittens because you can create some subfolder that’s child pornography or because you can use that server to hack another server and bounce across it. I mean, in every bad movie featuring technology, there are a bunch of FBI agents or whatever staring at a screen, saying, “Oh, he’s bouncing the connection through 10 different satellites so it’s really hard for us to figure it out.”

That sort of happens, and that really is how bad guys operate online. It is very difficult as an individual, whether that’s just someone running a kitten website or someone in a small county in Georgia trying to run an election versus the [Russian Federal Security Service], which is exactly what is going on today. Part of what we and a handful of other companies do is make sure that you can have that collective immune system that can keep you safe and can make sure that, as the bad hacker comes, you’ve got the forces standing up to make sure that you can stay safe no matter what.

So this makes you even more essential infrastructure. You can’t even do business on the internet unless Cloudflare or one of your competitors is there to protect you.

I think we have gotten to a point where it is very difficult to operate if, again, it’s what I wrote when we kicked The Daily Stormer off, there is a small group of people who make the decisions on whether you use these services. And the funny thing about the post: that’s not the actual post that we posted. That was the internal post that I wrote. It was maybe a little bit brutally honest, but the point that I was trying to make when I said I woke up in a bad mood and kicked someone off the internet was, there is some aspect to that. There is somebody that makes a decision. And in this case, if I go back, and I had been fighting with my at-the-time girlfriend, now wife, over whether we should do this, and I was always like, “Are even you not on my side? There are humans that are behind this, and you need to acknowledge that that’s the case. And I think you need to set up structures.”

But the tradeoff here is usually as you go down the stack toward infrastructure, traditionally, we regulate those providers and say, “You cannot make these decisions.” The telephone network AT&T does not get to decide who gets to make phone calls. Everyone can just make phone calls because that’s a public good. You go all the way up the stack to, I don’t know, Facebook, and the First Amendment is at play. And we say, “You can do whatever you want all the way here, consumer-facing. And if people don’t like your moderation decisions, Mark Zuckerberg, theoretically, they can leave.”

The consumer market is vibrant enough and transparent enough that that’s fine. But all the way down at the metal, we’re arguing about telecom providers. We’re arguing about net neutrality, in a way. You don’t want to slow these bits down. Do you think there should be some level of regulation for a service like Cloudflare that says you can or cannot make these decisions?

I mean, there is regulation, but the tricky part is, you use the example of a telecom—

You’re reading Aristotle! If you’re all the way back at Aristotle to come up with the first principles of the decisions, there’s not a rule to follow.

Sure there is, but the tricky part is that there’s a different rule to follow almost everywhere in the world. So your frame of reference, you talk about the First Amendment, you talk about network neutrality. I mean you, you’re very US-based. These are all actually relatively easy issues in the US because the US is radically libertarian in terms of freedom of expression. And I grew up in the US. I tend to think if you believe in innovation, if you believe in things like a free press, that does make sense. But the vast majority of the world doesn’t believe in those things. And so there is regulation all around the world. What’s different is telecoms are inherently regional businesses. Like AT&T, big deal in the US, but you go to England, no one’s ever even heard of it. Comcast, huge deal in half the United States. I mean, Orange, huge deal in France, right?

We can pick whatever example you want. What has been different about the internet and the tension is that it is global from day one. And Cloudflare, when we launched Cloudflare, we had eight employees. We had customers in 10 countries the day we launched, which we were like, “Wow, that’s amazing.” By the end of the first month, we think we had customers in every country on Earth, and we had eight people. And again, that’s miraculous at some level, but I think it starts to show some of the tensions that are here. I think the question with regulation is, “Whose regulation?” 

Think about other technologies that have come along. So think about television. Television comes out, and it is this wildly successful product. In that case, it was interesting if you think about what the risk was, and let’s just focus on the US. The US, for reasons of physics, initially, there were only three networks: NBC, ABC, CBS. Yeah, they competed a little bit with one another, but they effectively had an oligopoly on this new technology that existed. And so where risk would come from them was actually regulation.

And so they, as an industry, got together and said, “How can we fend that off in different ways?” And it’s led to all kinds of things. So the fact that all three of those networks still to this day cover both political conventions — the Democrat and the Republican conventions — with the same pool feed, basically, from opening speech to balloon drop at the end, that the vast majority of anchors came from Kansas… way overrepresented because it was the center of the country. Equal time laws weren’t proposed by the government. They were actually proposed by the networks to say, “This is a way to show that we’re radically neutral.” 

That preserved the technology. In some cases, there are a lot of people who will say, “Well, that was great,” and I remember fondly watching Tom Brokaw or whoever growing up as a kid. But there are a lot of voices, whether they were brown voices, female voices, or gay voices, that just didn’t appear on TV in the ’60s, ’70s, and ’80s. So there’s a tradeoff that’s there, and that’s when the regulation is set by Lawrence, Kansas. In a global network, if we start to think about what that regulation looks like, I think that the parade of horribles that we could go down is that we could actually get it set by the lowest common denominator of what every country on Earth wants.

In that case, we get to sort of a Teletubbies-like internet where only the least possibly offensive thing is what can be anywhere online. And that sounds absurd, and yet, if you look at a lot of the regulation that’s coming out today, I think that that’s what we have to be extremely careful of. And it won’t be the US that sets the policy. It probably won’t be Europe, either. My hunch is, if that’s the direction we go, that the country that ends up setting the policy is India. And that’s a place where we’re spending a ton of time looking at and watching. It is very telling, the amount of investment that the major technology companies are making in that country, because they have the natural gravity and they have the political will to set that policy. 

The good news is relatively free press. The bad news is that it’s a pretty scary world in terms of internet regulation and cryptography regulation. So again, is there a role for regulation? Absolutely. But you’ve got to think about who that is and what it looks like, and on a global network, there’s a real tension that is different than you had with telecoms.

But let me make that point more regionally. You’re saying globally, and I agree with you. I think the [Narendra] Modi government is the largest democracy, but the Modi government has some autocratic tendencies, especially around speech, especially on the internet. They’re asserting control over it in very direct ways. The average person in Lawrence, Kansas, doesn’t feel that, right? They’re in America. They’re using American networks. 

I think a more direct question is, would you be more comfortable if the United States government passed a rule that said, actually, Cloudflare can’t kick people off the service and just took that decision-making authority away from you, which would preserve a more open internet but maybe makes a different tradeoff in terms of speech? Because I think the Modi government is going to tell you who you cannot do business with.

They’re going to make sure that some things never arise, that some opposition parties never get access to the networks or the information ecosystem there. I’m saying here, it seems like we’d go the other way.

So, first of all, I don’t want to speak for the Modi government or others.

I don’t do any business in India, so I get to say whatever I want, but even here, right, you are being careful because you don’t want to piss him off, and I think that’s notable.

I don’t actually know what the Modi government would do versus the opposition government in India or anywhere around the world. I know that we have to operate in lots of places around the world, and we comply with the laws in all of those places. I don’t know that changing the laws in the US would actually change what we have to do in other parts of the world, or if it did all of a sudden, then we just can’t be a global company. Because if you set up a set of rules where you can’t operate that way, then it makes sense. So we are pretty good at following the law wherever it is, and I think clarity of law makes a ton of sense. What I’ll say is, I don’t spend a ton of time thinking about this because it’s an issue that’s come up three times in 13 years.

Fair enough. I’m just wondering because I think your role in the ecosystem is so fascinating. 

I think it’s worth talking about these things even if they’re not our most pressing issues because I do think that we need to be long-term oriented as we think about this. And if the 40 years up to 2016 was A New Hope, the next 40 years is The Empire Strikes Back, and the AT-ATs have just landed on Hoth. What does Russia do when they take new territory in Ukraine? One of the very first things they do is they find the ISP and telecom headquarters, and they reprogram the routers to route the traffic back through Russia. Why do they do that? Because controlling communications is so critically important. That’s the other side of this, and it is not inevitable that the internet exists the way it does 40 years from now. And I’m proud of the role that Cloudflare is playing in helping defend what I think is one of the great inventions of human history and one that’s worth fighting for.

You’ve mentioned Russia and Ukraine several times now. You’re obviously supporting a bunch of customers in Ukraine. You have also said that just disconnecting Russia from the global internet would be a mistake. And the quote here is, “The consequences of such a shutdown would be profound” and that “Russia needs more internet access, not less.” This concept is broadly called the splinternet, the idea that every country is going to invent its own internet. We can see it here in this country. There are different state laws now that sort of determine what services are available depending on age or pornography or what people think about protecting children. Do you see that coming here? Do you see the splinternet taking root in the US? Kicking TikTok off our internet in some way appears to be in vogue. Do you see that coming here?

You can’t overstate how disruptive the internet was to what are the five traditional sources of power in society that have been the case since we climbed out of whatever swamp we climbed out of thousands and thousands of years ago. Family, religion, government, media, and education are where power traditionally has come from, and the internet disrupted them all in various forms, and they are trying to push back. It’s not that the internet isn’t without faults, and we should be honest about those and talk about those faults, but we should also be very careful not to give up on what is there. China is really interesting and really smart in that they never really let the internet in. They and North Korea are basically the only countries on Earth that never let the internet in.

A lot of other countries today are looking at what China has and saying, “That doesn’t seem so bad. Maybe we can recreate that.” So I think the question is, can other countries get the horse back in the barn? We’re trying very hard to make that difficult for the Russias and Irans of the world to make it so that if they want to have access to the APIs that drive oil trading markets, that they also have to let the Anti-Corruption Foundation or Bellingcat be able to broadcast information about the corruption of the Putin regime. We’re really good at making that a very difficult thing for them to block. That’s earned us some challenges. I’m personally sanctioned by the Russian government, which is a sort of surreal thing to have happen. But again, I wear that as a badge of honor and think that that’s us doing the right thing fighting for the internet overall.

I think that we should worry about the sort of TikTok bans and porn filters and things, but I think that those are small stakes compared to what are some of the really big-stake efforts where Russia and Iran are basically saying, “Can we recreate the same filtering engines that somewhere like China has?” And if they do, it won’t stop there. It’ll happen next in Turkey, it’ll happen next in Egypt, and it won’t stop there, either. India, Brazil, Canada, and eventually, governments want to be able to control how information is disseminated.

You mentioned a technical capability there that feels like a policy, right? If you want access to these oil trading APIs, you need to make sure Bellingcat is available. That’s just a policy you’re enforcing. Do you see other technical evidence of this inside the Cloudflare network that gives you pause?

I think we’ve made it very difficult to block any one site on Cloudflare inside Russia without blocking all of Cloudflare. We are at a scale where blocking all of Cloudflare is tough. It’s interesting to look at what Russia hasn’t been able to block. So the fact that YouTube is still available, I think it’s actually a really interesting point. I’ve spent quite a bit of time talking to policymakers and people who are much deeper experts about this. And they’ve said that, at the end of the day, a Russian family still relies on something like YouTube to entertain kids and that if Putin shuts that down, that he has a problem with the average Russian family. 

In our case, there are just enough things that the Russian economy depends on that run on Cloudflare, that you can also have folks like Bellingcat. It’s very difficult to block one without blocking the other. I think that these are the sorts of things that we don’t make any money off of but we think are important policy decisions to be thinking about as a fundamental internet infrastructure provider.

You mentioned Bellingcat, all these sites. You’re basically mentioning websites, right? Or servers on the internet in some way. I look at the web and I see this slow deterioration of web content because of AI. All the web is being flooded with C-plus AI-generated content, and all the action is on platforms. So it’s actually interesting to say they can’t block YouTube. Because they can’t go into YouTube and filter YouTube directly. Like, Google just runs that as a service. China might be able to filter the web more directly and block some sites versus others. 

How do you feel about the state of the web today? I’ve been asking a lot of CEOs that, because all of us built companies because of the richness of the web and our ability to meet customers right away because of the web, and as things head toward platforms and the web gets overrun with AI, that might be changing in a huge way.

At the end of the day, it doesn’t really matter how you’re consuming the content, whether that’s on your desktop or a mobile device, whether that’s through a browser or an app. Behind the scenes, a huge amount of what we see is processed through APIs. So APIs make up 57 percent of the traffic that we processed last year. And so that’s maybe not a traditional website. I think the web is probably the easiest thing for most people to relate to, but at the end of the day, it’s just anytime you’re accessing content online, if there’s a network involved, then I think we play some role in that. I think these things evolve and change over time. The death of the web has been predicted many, many, many times, and again, it still keeps emerging.

There was a period of time in the early web history where the search technology that we had wasn’t good enough. That’s where Google came from. It was building something that was just a better way to filter through all of the garbage that was out there. So I guess I’m a little bit more optimistic that, fundamentally, people are trying to figure out how to communicate. People are trying to figure out how to find the answer to the problems that they have and find innovative new solutions. And there will be things that make that harder, and there will be things that make that easier. But over time, if you look at it, the growth in overall internet traffic spiked enormously during covid, and then that slowed down. But in the last two years, it’s still grown almost 25 percent year over year, which is an extraordinary growth rate this far into the internet.

I think that if you started to see the utility of the internet slowing down, you would see the usage slowing down. And that’s not just because we’re bringing, I mean, it’s amazing, we’ve brought 4 billion people online. It’s disgraceful that there are 4 billion people who are not online. But it’s not just that. Even if you look at developed markets, you’re still seeing double-digit growth rates in internet usage. I think that’s the best predictor of, is there still real value coming from it? So I think we can wring our hands about whether AI is going to destroy the web, but I’m still optimistic that having networks that connect people together, people are going to use that to communicate and find answers to questions. If the current tools that we have, if Google isn’t sufficient to sort the wheat from the chaff, then there will be a new Google.

I think Google hopes there’s not a new Google, but we’ll see how that goes.

And I would guess that whoever that new Google is will use Cloudflare, so…

There you go. See, it’s all just customers for you. Let me bring this all the way back around. We’ve had what I would call a very idealistic conversation, and maybe we should get to John Rawls, although we have not done Locke, and I feel like you have to do Locke. You have to put Rawls in opposition to Locke. But we’ve had a very idealistic conversation. 

I would cynically say idealism for a company like Cloudflare is a function of margin. You are able to invest in long-term internet thinking. You are able to sit around thinking about these really hard decisions and supporting customers that you think are morally correct to support, even though they don’t pay you a lot of money. You’ve had to preserve those margins recently, right? You did layoffs. There was a very famous video of a person being laid off.

No layoffs. We’ve never done a layoff. 

You fire people. So you don’t think of those as layoffs?

No. I mean, if somebody doesn’t do their job well, then we will fire a person. But a layoff is a very specific thing where you’re saying we need to increase our margins. We’ve never made a determination on letting go of an employee for a margin reason. 

Because a lot of tech companies have been doing this. They say we overinvested, we’re getting smaller. I guess you fired a bunch of people recently because you thought you were too big.

Again, I don’t think we even fired a bunch of people. We fired about the same number of people that we normally fire. Covid had some really interesting effects. I think one is that, in 2020, we really stopped firing people because we’re human and people were suffering and we wanted to take care of them. Some people just expected that that would be the state of how things went on forever. We had people who for six months didn’t do a single thing as far as we could tell. At some point, you have to get back to actually doing work. If you don’t do work, then we’re going to let you go. But again, that’s not because we were too big. That’s just because you need to have people who are actually doing their jobs.

So I think we should focus on that. I think we’ve actually been unbelievably disciplined in the rate at which we’ve hired, and our margins have stayed kind of exactly the same for quite some time as a result of that. When you hire someone, it’s a big deal. It’s a responsibility that you have. I’m incredibly proud that last year we had 1.2 million people apply to work at Cloudflare, which is just extraordinary. We hired about a thousand, a little over a thousand of those. And we do a pretty good job of that. But every once in a while, we make decisions or someone just isn’t the right fit or sometimes the job grows more than they do, and it’s not the right thing. When we do that, we — in as responsible a way as possible — try to let people go. But it’s a relatively small part of the team, and I think we do a good job of it.

So I’m asking specifically about this video that you said was painful to watch with the person being fired. You’re actually hitting on something that I was going to ask you about as well, which is last year you fired about a hundred people and you said they weren’t doing very well, and you’re saying that again here. You were criticized for that. People basically said you shouldn’t disparage people even though you’re firing them for underperforming. You should just let them go live their lives. You seem to have a different approach. Even the culture of the company is radical transparency. It seems like you’re carrying that through even to this moment at the end.

I want to be very careful. It would be incredibly unfair for me to talk about the woman who posted the video. I mean, we have a much bigger megaphone, and we could walk through all the reasons for her being let go. That would be totally, totally, totally irresponsible. What I will say is that it’s incredibly costly to hire someone and then have them not work out. So it’s in our interest for everyone to work out. Not everyone does. And when they don’t, that doesn’t mean they’re a bad person. It doesn’t mean they won’t be an incredible employee somewhere else. They just weren’t the right person for us. And sometimes that’s their fault. Sometimes it’s our fault. It can be a number of different things. I remember, I was at a job, and I got fired because I wasn’t very good at the job, and I still remember it and it was super painful, but I learned from it.

With, gosh, at this point, almost 30 years of hindsight, they were right to fire me. But I’m a better employee today because of that. We can’t get to a point where we just say, everyone is great and everyone gets a medal and everyone gets a trophy. There are people who perform better than others, and we have a certain amount of work to get done. The worst thing that you can do as an organization is hold on to your low performers because that not only is wasteful, but it actually is incredibly discouraging to your high performers. That doesn’t mean that anyone who we’ve let go won’t be a great person somewhere else. Or even if we’d done certain things differently, if we’d trained them in a different way, maybe they would’ve been better. But for us, at that moment in time, they weren’t the right person. 

I think that as you hire people, no matter what, you’ve got to be really, really thoughtful around this. I remember in early 2022, every story was about how it was going to be the Great Resignation. Every employee was going to quit. Meanwhile, we’re looking at the data, and we’re like, “Seems like the economy is going to slow down.” So all my peers are like, “We’re hiring as fast as we can.” And then it turned out no one quit. The Great Resignation never showed up. I remember thinking, “Gosh, maybe we’re doing this wrong.” Because companies that I really respect, I would talk to their CEOs, and they would say, “Yeah, we’re hiring as quickly as we can.” We’re like, “Gosh, all the data sort of suggests that we’re about to slow down, so we’re actually kind of pulling back on hiring right now.”

That was a very scary and risky decision. But I think it’s part of what then has allowed us to not have to do layoffs and to be able to continue to invest because it’s always incredibly costly and just disruptive and demoralizing if you have to do this. On the other hand, if you don’t let go of low performers, that’s also incredibly disruptive and demoralizing. So I think we have to be very clear: it is irresponsible as a company to overhire and then have to lay a bunch of people off even if they’re performing well. But it’s also irresponsible as a company to have low performers who you don’t lay off as individuals because, again, that’s bad for the company, and it’s bad for the high performers that are there. 

I agree with that completely. My question is a little bigger, and I want to end here. It’s about having the space to have your values. And a lot of the other big companies in tech preached their values for a decade or more. We’re connecting the world. We’re going to make the world a better place, famously. And then the margin pressure did come, and they did overhire and they made layoffs, and now they’re kind of more ruthlessly focused on profitability, and the values seem to have gone away. 

Is that something you’re worried about? Because so much of this conversation has stood out to me because of how often you come back to the values and the mission of the company in that I’m watching other big companies immediately make that tradeoff. I’m wondering if you ever feel that pressure or how you think about it. Because it feels like that will determine the future of Cloudflare as much as anything else.

Michelle and I are fundamentally focused on being just incredibly efficient business leaders. We often joke that we’re scared squirrels at the end of the day, where I think that we believe that every dollar of investor capital that we’re trusted with, every dollar that a consumer pays us, that we have to deliver a really substantial return for that. And I’m super proud of the fact that we did that for all of our investors before we went public, and we’re way up from our IPO price, and we continue to be able to deliver very consistent and long-term results. We have always focused on efficiency. We’ve never been the place that wastes money on fancy cafeterias or conference tables. We have very functional basic offices. I don’t live a particularly fancy life, and neither does Michelle, because again, what we’re focused on is building what is a really great business.

We’ve done that for a long time now. We’ve done that for 13, 14 years. Over that time, I think we’ve built a lot of trust with the investing community. If you look at, even as a public company, who our top 10 shareholders are, it’s been remarkably stable over that period of time. You look at firms like Baillie Gifford that are a big investor in Cloudflare, their average holding period is 16 years. So they really are focused on the long term. I think if you chase short-termism, if you look for that, and you run your business that way, then you will get investors that behave that way. But if you really do think about the long term, if you are really mission-driven, then you’ll also get investors and customers who are focused on the long term and will let you do that as well.

I’m not saying it won’t come at some point, but I think both a combination of doing what we say and saying what we do, being incredibly consistent, really focusing on long-term value creation for every one of the stakeholders that we serve, including the general public, that that has given us that freedom to be able to continue to innovate. I think that it’s also one of the real powers of being a founder-led company. The fact that Michelle and I are still showing up every day to work, that lets us do that, because again, it’s a level of consistency, and I can’t imagine anything that I could do that would be more meaningful or more impactful. I think as long as we do what we say, we say what we do, hopefully we’ll always have the ability to build a great business. But also do those things that are living up to our mission, which is again, to help build a better internet.

I can’t think of a better place to end it, Matthew. Thank you so much for being on Decoder.