CloudFlare Transparency Report for the First Half of 2015

Introduction

An essential part of earning the trust of our customers is being transparent about the governmental requests we receive. To this end, CloudFlare is now publishing this complete annual Transparency Report on the governmental requests it has received to disclose information about our customers. The data is complete as of June 30, 2015, including requests related to CloudFlare and StopTheHacker. This Report supplants our previous Transparency Reports, which are archived in their entirety.

CloudFlare operates a global network and is thus extremely mindful of the responsibility that comes with that privileged position. It is CloudFlare's overriding privacy principle that any personal information you provide to us is just that: personal and private. We will not sell, rent, or give away any of your personal information without your consent. Our respect for our customer's privacy applies with equal force to commercial and to law enforcement requests.

CloudFlare's approach to law enforcement requests is that we are supportive of their work; however, any request we receive must strictly adhere to the due process of law and be subject to judicial oversight. It is not CloudFlare's intent to make law enforcement's job harder, nor easier. We respect the work they do and appreciate their assistance in protecting the rights of our customers. It is our policy to notify our customers of a subpoena or other legal process requesting their customer or billing information before disclosure of information. CloudFlare is not subject to foreign jurisdictions and only accepts requests in English from foreign law enforcement agencies that are issued via U.S. court either by way of a mutual legal assistance treaty (MLAT) or a letter rogatory. We received one MLAT request through the U.S. court system in the first half of 2015.

Some things we have never done

  • CloudFlare has never turned over our SSL keys or our customers' SSL keys to anyone.
  • CloudFlare has never installed any law enforcement software or equipment anywhere on our network.
  • CloudFlare has never terminated a customer or taken down content due to political pressure.
  • CloudFlare has never provided any law enforcement organization a feed of our customers' content transiting our network.

If CloudFlare were asked to do any of the above, we would exhaust all legal remedies, in order to protect its customers from what we believe are illegal or unconstitutional requests.

The data

The data presented below covers the period from January 1, 2015 to June 30, 2015. So, for example, a request received in June 2015, but not processed until July 2015 will show as both "Requests received" and "Requests in process." Also, requests for which we are waiting for a response from law enforcement before moving forward may also be reflected in "Requests in process." The Total # of domains affected and the Total # of accounts affected refer only to requests which have been answered.

Subpoenas

This category includes any legal process which does not have ex ante judicial review, including but not limited to grand jury subpoenas, U.S. government attorney issued subpoenas, and case agent issued summonses.

Year

Requests received

Requests answered

Requests in process

Total # of domains affected

Total # of accounts affected

2015 (1H)

12

10

0

139 2

12 3

2014 (2H)

12

11

1

393 2

15 3

2014 (1H)

11

4

0

12

4

2013

18

1

0 1

17

1

1 The one subpoena in process in 2013 was rescinded in 2014.
2 A small number of subpoenas received accounted for 2/3 of domains affected.
3 A small number of subpoenas received accounted for 2/3 of accounts affected.

In 2014, CloudFlare pushed back on 7 subpoenas, all of which were rescinded. In 2013, CloudFlare pushed back on 16 subpoenas, all of which were rescinded. In some instances, court orders were issued in lieu of the original subpoena and in other instances, CloudFlare was not able to provide any information.

Court orders

This category includes any order issued by a judge or magistrate, including but not limited to 18 U.S.C. §2703(d), 18 U.S.C. §2705(b), and MLAT orders. Orders which may fall under a more specific category such as search warrants or pen register / trap and trace orders will be reported under the more specific category and not counted here.

Year

Requests received

Requests answered

Requests in process

Total # of domains affected

Total # of accounts affected

2015 (1H)

50

49

0

2120 2

96 3

2014 (2H)

24

23

5

802 2

167 3

2014 (1H)

22

21

1

290

57

2013

28

27 1

0 1

266 1

47 1

1 For one of the court orders in 2013, CloudFlare was not able to provide any information. Counts have been updated to reflect the requests in process in 2013 that were answered in 2014.
2 A small number of court orders received accounted for almost 2/3 of domains affected
3 A small number of court orders received accounted for almost 2/3 of accounts affected

Search warrants

This category includes only search warrants which require judicial review, probable cause, and inclusion of a location to be searched and a detail of items requested.

Year

Requests received

Requests answered

Requests in process

Total # of domains affected

Total # of accounts affected

2015 (1H)

3

3

0

127 2

8 3

2014 (2H)

2

2

1

68

3

2014 (1H)

1

1

0

36

1

2013

3

2 1

0 1

40 1

2 1

1 One search warrant in 2013 was rescinded. Counts have been updated to reflect the requests in process in 2013 that were answered in 2014.
2 A small number of court orders received accounted for almost 2/3 of domains affected
3 A small number of court orders received accounted for almost 2/3 of accounts affected

CloudFlare follows the principles laid out in U.S. v. Warshak and requires a valid search warrant before disclosing any customer content sought by law enforcement. CloudFlare is not a hosting provider or an email service provider and does not have customer content in the traditional sense. In the rare instances where law enforcement has sought content such as abuse complaints or support communications, CloudFlare has insisted on a warrant for those electronic communications. To date, we have received no such warrants.

Pen register/Trap and trace (PRTT) orders

This category includes only pen register/trap and trace orders issued by the court for real-time disclosure of non-content information, including IP address information.

Year

Requests received

Requests answered

Requests in process

Total # of domains affected

Total # of accounts affected

2015 (1H)

1

1

0

2

1

2014 (2H)

1

1

0

6

4

2014 (1H)

0

0

0

0

0

2013

1

1

0

1

1

Wiretap orders

This category includes only wiretap orders that were issued by a court.

Year

Requests received

Requests answered

Requests in process

Total # of domains affected

Total # of accounts affected

2015 (1H)

0

0

0

0

0

2014 (2H)

0

0

0

0

0

2014 (1H)

0

0

0

0

0

2013

0

0

0

0

0

National security process

What we can say in regard to national security orders is highly regulated. Recently, the Department of Justice and the Director of National Intelligence announced a change in the rules governing the disclosure of national security orders, including National Security Letters (NSLs) received by a company from the FBI. While an improvement, we still consider these new regulations to be an undue prior restraint on the freedom of speech. The DoJ and DNI now allow companies to disclose the number of NSLs and FISA orders as a single number in bands of 250, starting with 0-249.

Year

National security orders received

Total accounts affected

2015 (1H)

0-249

0-249

2014 (2H)

0-249

0-249

2014 (1H)

0-249

0-249

2013

0-249

0-249

2012

0-249

0-249

Even assuming the high end of the range at 249 accounts affected, such national security orders would affect fewer than 0.005% of CloudFlare customer accounts.

Conclusion

Given the prominence of our global network, CloudFlare occupies a special position in the Internet at large. CloudFlare is extremely mindful of the position and the responsibilities our customers have placed on us through their trust.

The requests received, which were subject to legal process, affected fewer than 0.05% of the more than 4.7 million CloudFlare customer domains. Due to the prior restraint on free speech imposed by current law, this percentage does not include any domains that may have been subject to national security orders.

We will continue to publish this report on a semiannual basis. Please be advised that we may restate data as we go forward as more complete information becomes available or if we change our classifications. This page will always contain the most recent version of our Transparency Report. Archival reports will be available from this page.