Cloudflare's Intelligent Design

Travel Recovery; Targeted Restrictions; Another Retail Ad Product; Semi-Public

If there's one mantra that's essential to understanding Internet economics, it goes like this: a small number, even a very small number, multiplied by 4.7 billion Internet users, is probably a big enough number to pay attention to. This little tautology is a helpful way to explain all sorts of phenomena, like why it pays for Google to be good at disambiguating typos, why Shopify doesn't run out of entrepreneurs with hyper-niche store ideas, why big tech companies are reluctant to offer live customer service, and more. It's also an explanation for the existence of Cloudflare, which has turned into a key piece of global communications infrastructure.

Cloudflare offers edge computing—it ensures that sites can keep serving content when they're hit with sudden spikes in traffic, whether that traffic is legitimate (hitting the front page of Reddit, for example) or not (getting the attention of a botnet that can direct a torrent of malicious traffic to take a site down). And their Workers offering basically makes deployment function in practice the way it sounds like it should in the abstract. In the real world, "the Internet" is a handwavy term that refers to specific computers and the wires that connect them; the Internet has physical limits that can cause latency at best, inconvenience and complexity by default, and failure at worst. Cloudflare is, in part, in the business of making the Internet work the way a techno-optimist in 1996 might have assumed it would. The Internet has been evolving for decades, and Cloudflare can look at it holistically and apply some intelligent design to route around inefficiencies and design problems.

There's a lively debate over what counts as the Original Sin of the Internet, but two ways of phrasing the same problem are:

  1. The original plan was to connect computers at four universities to one another so they could share some files and programs. Privacy, security, identity, commerce, etc. were not meaningful parts of the model; when the cost of the computers that connected to ARPANET was multiples of the median salary, a good working assumption was that physical security of hardware was assured, and network security was a subset of that.

  2. The Internet doesn't build in a notion of identity that maps to the real-world functions of identity—specifically, the part of identity that enables restricting someone's freedoms when they misbehave. Big tech platforms end up creating some form of identity-as-a-service, or bootstrapping off of somebody else's. (SEO people often advise registering a domain for a long period and putting a physical address on one's website, two ways to claim real-world existence for the Google algorithm. And early Facebook had a good growth hack for identity verification: using school email addresses.)

Whether the root cause is general network design or specifically the fact that identity is one layer down from the underlying protocol, websites are vulnerable to denial of service attacks that flood them with fake traffic. And security has to be bolted on because it's not built in. As Cloudflare repeatedly puts it in their investor relations materials and talks: "The Internet was never actually designed to do what we have asked it to do."

The stylized facts that drive Cloudflare's value are that fake traffic is far more scalable than real traffic, which encourages people to launch attacks on sites; and that anything scalable has a statistical signature that makes it detectable, but only to someone who operates at scale. The same force that creates a broad problem also creates a winner-take-all market for solutions. This is one reason Cloudflare offers so many free versions of its paid products: every instance collects more data, and the more data—and more random the sample—the faster Cloudflare can identify suspicious or malicious traffic.
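The scale argument above, as an added illustration (not from the original article, and not a description of Cloudflare's actual detection): with constructed request counts, a client that stays under every individual site's rate limit is invisible to each site operator but stands out once requests are aggregated across many sites. The addresses, site names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

BOT = "198.51.100.7"  # constructed address from the TEST-NET-2 documentation range

def build_sample(n_sites=40):
    """Constructed request counts per (site, client) for one time window."""
    records = []
    for s in range(n_sites):
        site = f"site-{s:02d}.example"
        # Three ordinary visitors per site, each local to that site.
        for v in range(3):
            records.append((site, f"10.{s}.0.{v + 1}", 20 + 10 * v))
        # The automated client sends only 30 requests to each site.
        records.append((site, BOT, 30))
    # One legitimate heavy user on a single site (e.g. an office NAT).
    records.append(("site-00.example", "10.0.0.200", 150))
    return records

def flagged_by_single_site(records, site, per_site_limit=100):
    """What one site operator can see: clients over a local rate limit."""
    totals = defaultdict(int)
    for rec_site, client, count in records:
        if rec_site == site:
            totals[client] += count
    return {c for c, n in totals.items() if n > per_site_limit}

def flagged_by_network(records, min_sites=10):
    """What an operator in front of many sites can see: one client
    appearing on an unusually large number of unrelated sites."""
    sites_seen = defaultdict(set)
    for rec_site, client, _ in records:
        sites_seen[client].add(rec_site)
    return {c for c, sites in sites_seen.items() if len(sites) >= min_sites}

if __name__ == "__main__":
    data = build_sample()
    print("site-00 alone flags:", flagged_by_single_site(data, "site-00.example"))
    print("network view flags: ", flagged_by_network(data))
```

The single-site view flags only the legitimate heavy user, while the aggregated view flags only the automated client; the aggregated signal is available only to an operator that sits in front of many sites.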

It's worth looking at the products Cloudflare has been able to roll out, in addition to their core DDoS protection. Hhhypergrowth has a great overview of what they've built and where they might be going. But at a high level:

  • They have relationships with ISPs, allowing them to deploy directly to their datacenters. This is a nice flywheel for Cloudflare: more customers means more traffic that will run through Cloudflare anyway, and more ISP relationships mean their latency will be lower globally. (They have a clever way to accelerate this: Cloudflare provides infrastructure for two of the thirteen root name servers. As a result: "We don't make a lot of money off of that. It's not something that is flashed in our marketing. But if you're an ISP around the world, and you're trying to make sure that you have the best possible performance, one of the things that you can do to make sure that's the case is make sure that you've got a root server running somewhere on your network. And what's powerful is that if you work with Cloudflare and you let us deploy our equipment in your network, then that means that you not only get a root server, but we, in turn, get the ability to offer our security, reliability, performance services on that same infrastructure.")

  • Their "workers" product lets customers write code and then deploy it to the edge around the world; they can be location-agnostic, both in the technical sense that packets won't take a needlessly roundabout path to users and in the legal sense that if they run something in a country that requires data to be stored locally, it will be stored locally. They originally built this as an internal tool for deploying their own code, then started letting customers use it. And then they turned that decision into an abstraction: "And so we implemented what we internally and somewhat cheekily called the Bezos Rule. And what the Bezos Rule is, is the exact same rule that Amazon put in place when they were developing AWS, which is, any API or any development tool that we build for ourselves and for our own team, we also are then going to make available to our customers." Cloudflare built an uptime factory, then workers became an uptime factory factory, and with the Bezos rule they've codified the production of such things: an uptime factory factory factory. They are no doubt adding new layers of recursion even now.

  • Cloudflare Access gives corporate users a single sign-on for their applications—and, as Hhhypergrowth notes, they could provide more granular access controls than the apps themselves.[1]

What all of these have in common is that, piece by piece, Cloudflare is building up a version of the Internet that is designed to be used the way the modern Internet actually is used. Instead of distributed ad hoc identity provision, Cloudflare detects bad behaviors at scale and bans them. Instead of a network that identifies devices but not individuals, there's a suite of products that implicitly adds a personal identity layer, and builds useful rules on top of it. And while the network is still bounded by the annoying limitations of physics, it does the next best thing to traveling faster than the speed of light—caching things a few light-milliseconds closer, and shaving off any needless overhead to accessing them.

This project has some interesting advantages when it comes to margins. On Glassdoor, a frequent complaint about the company is that it doesn't pay especially well. Meanwhile, the company says "last year, we had 200,000 people apply to work at Cloudflare. We accepted less than 0.5% of that." Building essential infrastructure for the Internet is an interesting project; plenty of web pioneers did it for free, or for the price of a grad school stipend, so if anything Cloudflare is leaning towards generosity here. The company is essential enough to get called on to make moderation decisions, and they've handled that in part through internal discussions and a sort of offset/indulgence program of making charitable donations to causes that counter whatever their worst customers are doing.[2] In one case where the company decided to eject a customer it was hard to offset, they cast it as a heel turn: "I woke up this morning in a bad mood and decided to kick them off the Internet... It was a decision I could make because I’m the CEO of a major Internet infrastructure company... No one should have that power." This manages to simultaneously be a joke and take moderation questions more seriously than most outside commentators do. It is kind of weird to have a system where you read enough O'Reilly books about networking protocols and suddenly you're deciding the boundaries of discourse for everyone. Cloudflare hasn't solved this problem, but they recognize that it's an important responsibility—and organizations that couple power and responsibility will tend to attract competent people.

There's a pattern among the most successful tech companies, where they tend to privatize something that used to be unowned. Early Microsoft privatized parts of the software market that used to be bundled with hardware. Google privatized the link graph, and built a tollbooth at the entrance to the open Internet—something that had to be done, incidentally, before the Internet was overwhelmed with spam or dominated by a separate group of walled gardens. Facebook privatized the link graph, and LinkedIn privatized the digital résumé as well as the employment and professional connection graph.

Cloudflare, if evaluated as a typical growth company, is valued at a price that's challenging to justify: The company trades at 55x sales, or 40x next year's sales. It's growing at a steady pace of about 50% annualized, and net dollar retention is at a respectable but not top-tier level in the high 110s (and improving). It’s possible to extrapolate a bit and get to some reasonable numbers, but a lot has to go right. On the other hand, the company's enterprise value is $23.5bn, and it's privatizing a market worth orders of magnitude more than that. 16% of Internet traffic flows through them, and that number rises one percentage point every quarter. Viewed as a large (or at least large-cap) software company, Cloudflare looks like a premium asset that commands a premium price, but viewed as a privatizer-in-waiting, it's actually a very early-stage bet.

Further reading: Cloudflare is a sleeper hit as an iconic tech company. We'd notice it more if it were gone. Some writers who have been early to notice its importance include Liberty (see here) and Ben Thompson (see this thoughtful interview on content moderation). The Hhhypergrowth writeup, linked above, is also required reading.


Travel Recovery

Delta reported earnings yesterday, and had some positive remarks about demand recovery: leisure travel is at 85% of 2019 levels, and they made the guardedly optimistic comment that they have "real optimism that there's a pathway to get into profitability this summer." Cruise lines have made similar comments about leisure travel.

I wrote a while ago about how consumers are less sensitized to tragedies than they used to be ($); the world very quickly reverts to normal. One thing that's surprising about the post-Covid recovery is that businesses are taking a while to get back to normal; there's been a long struggle for companies to adjust compensation to account for labor shortages, for example, and many companies remain surprisingly cautious about spending given the boom-by-default expectations for 2021. Since consumers are such a large share of the overall economy—70% in 2019—eventually this rapid sentiment recovery will apply to everyone.

Targeted Restrictions

Nuclear non-proliferation often sets benchmarks for just what a country can do with uranium before it stops being a defensible power or research program and turns into a weapons project. The US is trying to do something similar with chips, by restricting sales of chip equipment to Chinese companies designing chips at or below the 14nm node. This sounds fairly hard to enforce—what stops one company from designing 16nm chips, importing some equipment, and then reselling it to another company doing 10nm chips? But it's a nice idea: drawing a line between what's strategic and what's more of a global commodity is an important part of US chip policy. There are some supply chain shifts that have very little meaning, other than the usual local variation in the cost of capital and labor, and there are other shifts with serious geopolitical consequences.

Meanwhile, in other chip news: Intel, TSM, and Nvidia agree that the current shortage will last for at least a few years longer.

Another Retail Ad Product

I've written before about the marvelous price discrimination powers of running ads within e-commerce sites, as well as the limits to this model. The trend continues: Dollar Tree is offering its own ad network. With so many companies offering this kind of high-intent ad inventory, it will be interesting to see if any e-commerce players decide to focus most of their growth on this ad inventory. As a general rule, new categories of ads bootstrap new business models, and these ads have the benefit that they're close to the bottom of the funnel: if they work for advertisers, it's very easy to measure.


Semi-Public

Facebook has outlined what they do about scraping, which is a timely topic: the most recent large-scale "breach" of their site consisted of information that Facebook surfaces to individual users, but aggregated. Scraping is in an interesting legal category, because it's a technical vulnerability that's hard to fix: a company like Facebook partly makes its money by aggregating and privatizing data, but some of that data is only useful when it's displayed to end users. To maintain control over it, companies have to somehow disrupt scalable efforts to copy it, without interfering at all with non-scalable ones. Meanwhile, recent legal cases have made it harder for companies to sue over scraping, while nothing stops them from making it difficult. So a legible legal rule has been replaced with an illegible technical limitation. Since scrapers don't want to give away their techniques, and the companies being scraped don't want to discuss how their countermeasures work, the only way to know what the actual limits are is to do some scraping yourself.


[1] This has some interesting long-term effects. For many software products, the price goes from $xx/month to "request a quote" once compliance issues like access control get introduced. But if Cloudflare can persuasively demonstrate that they provide sufficient controls, then they can blur the line between SMB-focused software and Fortune 500-targeting products.


[2] This sounds like a libertarian modest proposal, but appears to be their actual business practice. From the Stratechery interview:

But there are very many people who pay us a lot, like tens of thousands of dollars where, we’re like, we just don’t like these people. We think that they are actively making the world a worse place, and they probably have the right to be on the internet, and whether we like it or not, the challenge is that it’s very hard to be on the internet without a service like Cloudflare. We’re not the only one that can do it, but there’s a relatively small set of companies today that have the resources to navigate the complexity that the internet has. And so if you believe that anyone has the right to be on the internet, you probably believe that anyone has the right to have some service like Cloudflare. And if that’s the case, every once in a while, people want some of our paid services and so when that happens, we typically will go to teams internally at the company, that are hurt by whatever the organization stands for. So if it was the anti-green people organization, then we would go to the green people in the company and would say, “Listen, who do you think best represents your interests, and is best the opposite of this?” And then, we’ll just dollar-for-dollar without netting anything out, just donate the cash from them to that and we ask that be kept confidential.