Cloudflare receives requests for different kinds of data on its users from US and foreign governments, courts and those involved in civil litigation. To provide additional transparency about the type of information Cloudflare might provide, we have broken down the types of requests we receive, as well as the legal process we require before providing particular types of information. We review every request for legal sufficiency before responding with data.
The most frequent requests Cloudflare receives are requests for information that might be used to identify a Cloudflare customer. This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name, email address, physical address, phone number; the means or source of payment of service; and non-content information about a customer’s account, such as data about login times and IP addresses used to log in to the account. Unless there is an emergency, Cloudflare requires valid legal process such as a subpoena or a foreign government equivalent of a subpoena before providing this type of information to either foreign or domestic law enforcement or civil litigants.
U.S. Government. Under the Electronic Communications Privacy Act (ECPA), the U.S. government can compel disclosure of subscriber information with a subpoena, a type of legal process that does not require prior judicial review. Although Cloudflare typically requires a subpoena before providing subscriber information, consistent with ECPA, Cloudflare may disclose information without delay to law enforcement if the request involves imminent danger of death or serious injury to any person. Cloudflare will evaluate emergency disclosure requests on a case-by-case basis as we receive them. For emergency disclosure requests, we request that law enforcement obtain legal process when time permits.
Beyond subpoenas issued under ECPA, some U.S. government agencies may issue administrative subpoenas for subscriber data. Cloudflare has received a number of such subpoenas from the Securities and Exchange Commission (SEC).
Cloudflare has long had concerns about these types of non-disclosure obligations. In 2013, after receiving such an NSL, Cloudflare objected to an administratively imposed gag which prohibited Cloudflare from disclosing information about this NSL to anyone other than our attorneys and a limited number of our staff, under threat of criminal liability. Cloudflare provided no customer information subject to NSL-12-358696; but the NSL's nondisclosure provisions remained in effect for nearly four years, until December 2016, after which Cloudflare disclosed receipt of the NSL, along with a redacted copy of the NSL.
National security process. The U.S. government can also issue a variety of different types of national security requests for data. Under the Foreign Intelligence Surveillance Act (FISA), the U.S. government may apply for court orders from the FISA Court to, among other actions, require U.S. companies to hand over users' personal information. The U.S. government can also issue National Security Letters (NSLs), which are similar to subpoenas, for subscriber and non-content data. Both FISA court orders and NSLs typically come with a non-disclosure obligation.
Governments outside the United States. Cloudflare responds to requests from governments outside the United States for all types of information, including subscriber data, that are issued through a U.S. court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request. The information produced to governments outside the United States in response to these requests is the same as would be produced to the U.S. government in response to a similar U.S. court order.
Cloudflare evaluates on a case-by-case basis requests for subscriber information from governments outside the United States that do not come through the U.S. court system. Cloudflare may, in our discretion, provide subscriber data in response to a local equivalent of a subpoena, provided that the request complies with local law, and is consistent with international norms and Cloudflare policies.
In March 2018, the United States passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which permits the U.S. government to enter into Executive Agreements with other governments to allow direct law enforcement access for both governments to data stored in the other country to investigate and prosecute certain crimes. The law permits countries that enter into such Agreements with the United States to seek content data from U.S. companies directly, using that country’s legal process, rather than requiring the country’s law enforcement agencies to work with U.S. law enforcement to get U.S. legal process such as a court order.
Given the difficult questions of national sovereignty, privacy, and conflict of laws that are raised by cross-border access to data, Cloudflare supports modernizing the rules and international frameworks regarding law enforcement access to data, as long as the new rules provide sufficient procedural safeguards to protect privacy. As these Executive Agreements move forward, we will have more opportunity to assess whether they provide adequate “protections for privacy and civil liberties” as required by the CLOUD Act.
Cloudflare believes that government access to data must be consistent with principles of rule of law and due process, including prior independent judicial review of requests for content; that users are entitled to notice when the government accesses their data; and that companies must have procedural mechanisms to raise legal challenges to access requests. Whether inside or outside the United States, we will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued, or that unnecessarily restrict our ability to be transparent with our users.
Civil process. Cloudflare responds to legal process requesting subscriber data from civil litigants, such as subpoenas issued pursuant to the Digital Millennium Copyright Act (DMCA) seeking information on users alleged to be infringing copyright.
Beyond requests for the types of subscriber data described above, Cloudflare sometimes receives court orders for transactional data related to a customer’s account or a customer’s website, such as logs of the IP addresses visiting a customer’s website or the dates and times a customer may have contacted support. Because Cloudflare retains such data for only a limited period of time, Cloudflare rarely has responsive data to provide to such requests.
Court Orders. Court orders are requests for data issued by a judge or magistrate. With a court order, Cloudflare may provide both the basic subscriber information that might be provided in response to a subpoena and other non-content information.
Pen Register Trap and Trace. Cloudflare periodically receives pen register/trap and trace orders, issued by a court, seeking real-time disclosure of non-content information, such as the IP addresses of visitors to an account or website. We provide limited forward-looking data in response to those requests.
Cloudflare is not a hosting provider or an email service provider and does not have customer content -- like email or other types of customer-generated material -- in the traditional sense. In the rare instances where law enforcement has sought content such as abuse complaints or support communications, Cloudflare has insisted on a search warrant for those electronic communications, consistent with the principles laid out in U.S. v. Warshak. To date, we have received no such warrants.
Search warrants. Search warrants require judicial review, a finding of probable cause, inclusion of a location to be searched, and a detail of items requested. Although we have received a number of search warrants, as noted above, we have not had customer content to provide in response to those warrants.
Wiretap. A wiretap order is a court order that requires a company to turn over the content of communications in real time. Law enforcement must comply with very detailed legal requirements to obtain such an order. Cloudflare has never received such a wiretap order.
National security process. The U.S. government may apply for court orders from the FISA Court to require U.S. companies to turn over the content of users' communications to the government. Because the public reporting of all national security process is highly regulated, Cloudflare’s receipt of such an order would be reported as part of a combined number of NSLs and content and non-content FISA orders, in a band of 250, beginning with 0-250.
Cloudflare runs a global network that provides security and performance enhancements for Internet-facing websites and applications around the world. Because Cloudflare’s infrastructure sits between our customers’ websites and internet users in order to protect those websites from direct attack and serve requests to and from those servers, Cloudflare’s nameservers may appear in WHOIS data and Cloudflare’s IP addresses may appear in the DNS records for websites using our service.
As the point of contact listed on relevant records, Cloudflare receives requests to remove content from our network from copyright holders alleging infringement or from governments taking the position that the content is unlawful. As Cloudflare cannot remove material from the Internet that is hosted by others, we generally forward requests for removal of content to the website hosting provider, who has access to the website content and the ability to address the underlying concern.
A small but growing number of Cloudflare’s products include storage. For content that is stored definitively on the Cloudflare network, as opposed to transiting or being temporarily cached on the network, we review the complaint carefully to determine whether additional action needs to be taken.
Cloudflare carefully reviews requests that we receive for content removal under the Digital Millennium Copyright Act (DMCA). If we are storing the content in question and we receive a valid takedown request that meets DMCA requirements, we will notify the user of the complaint and take steps to disable access to that content, consistent with the DMCA.
Cloudflare also may receive written requests from law enforcement and government agencies to block access to content based on the local law of the jurisdiction. Because of the significant potential impact on freedom of expression, Cloudflare will evaluate each content blocking request on a case-by-case basis, analyzing the factual basis and legal authority for the request.
If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as “geo-blocking”. We will attempt to clarify and narrow overbroad requests when possible.