Cloudflare receives requests for different kinds of data on its users from US and foreign governments, courts and those involved in civil litigation. To provide additional transparency about the type of information Cloudflare might provide, we have broken down the types of requests we receive, as well as the legal process we require before providing particular types of information. We review every request for legal sufficiency before responding with data.
We also recognize that a government’s request for data might be inconsistent with another government’s regulatory regime for protecting the personal data of its citizens. Cloudflare believes that government requests for the personal data of a person that conflict with the privacy laws of that person’s country of residence should be legally challenged. We have yet to receive a government request that we have identified as posing such a conflict.
The most frequent requests Cloudflare receives are requests for information that might be used to identify a Cloudflare customer. This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name; email address; physical address; phone number; the means or source of payment of service; and non-content information about a customer’s account, such as data about login times and IP addresses used to login to the account. Unless there is an emergency, Cloudflare requires valid legal process such as a subpoena or a foreign government equivalent of a subpoena before providing this type of information to either foreign or domestic government authorities or civil litigants.
U.S. Government. Under the Electronic Communications Privacy Act (ECPA), the U.S. government can compel disclosure of subscriber information with a subpoena, a type of legal process that does not require prior judicial review. Although Cloudflare typically requires a subpoena before providing subscriber information, consistent with ECPA, Cloudflare may disclose information without delay to law enforcement if the request involves imminent danger of death or serious injury to any person. Cloudflare will evaluate emergency disclosure requests on a case-by-case basis as we receive them. For emergency disclosure requests, we request that law enforcement obtain legal process when time permits
Beyond subpoenas issued under ECPA, some U.S. government agencies may issue administrative subpoenas for subscriber data. Cloudflare has received a number of such subpoenas from the Securities and Exchange Commission (SEC).
National Security Process. The U.S. government can also issue a variety of different types of national security requests for data. Under the Foreign Intelligence Surveillance Act (FISA), the U.S. government may apply for court orders from the FISA Court to, among other actions, require U.S. companies to hand over users' personal information. The U.S. government can also issue National Security Letters (NSLs), which are similar to subpoenas, for subscriber and non-content data. Both FISA court orders and NSLs typically come with a non-disclosure obligation.
Cloudflare has long had concerns about these types of non-disclosure obligations, particularly when they are indefinite in nature. In 2013, after receiving such an NSL, Cloudflare objected to an administratively imposed gag which prohibited Cloudflare from disclosing information about this NSL to anyone other than our attorneys and a limited number of our staff, under threat of criminal liability. Cloudflare provided no customer information subject to NSL-12-358696; but the NSL's nondisclosure provisions remained in effect for nearly four years, until December 2016, after which Cloudflare disclosed receipt of the NSL, along with a redacted copy of the NSL.
Governments Outside the United States. Cloudflare responds to requests from governments outside the United States for all types of information, including subscriber data, that are issued through a U.S. court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request. The information produced to governments outside the United States in response to these requests is the same as would be produced to the U.S. government in response to a similar U.S. court order.
Cloudflare evaluates on a case-by-case basis requests for subscriber information from governments outside the United States that do not come through the U.S. court system. Cloudflare may, in our discretion, provide subscriber data to in response to a local equivalent of a subpoena, provided that the request complies with local law, and is consistent with international norms and Cloudflare policies.
In March 2018, the United States passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which permits the U.S. government to enter into Executive Agreements with other governments to allow direct law enforcement access for both governments to data stored in the other country to investigate and prosecute certain crimes. The law permits countries that enter into such Agreements with the United States to seek content data from U.S. companies directly, using that country’s legal process, rather than requiring the country’s law enforcement agencies to work with U.S. law enforcement to get U.S. legal process such as a court order.
Cloudflare believes that government access to data must be consistent with principles of rule of law and due process, including prior independent judicial review of requests for content; that users are entitled to notice when the government accesses their data; and that companies must have procedural mechanisms to raise legal challenges to access requests. Whether inside or outside the United States, we will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued, or that unnecessarily restrict our ability to be transparent with our users.
Civil Process. Cloudflare responds to legal process requesting subscriber data from civil litigants, such as subpoenas issued pursuant to the Digital Millennium Copyright Act (DMCA) seeking information on users alleged to be infringing copyright
Emergency Requests. Cloudflare receives emergency requests for data from time to time from law enforcement and governments. Cloudflare will respond on a voluntary basis if we have a good faith belief that there is an emergency involving the danger of death or serious physical injury.
The most frequent requests Cloudflare receives are requests for information that might be used to identify a Cloudflare customer. This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name, email address, physical address, phone number; the means or source of payment of service; and non-content information about a customer’s account, such as data about login times and IP addresses used to login to the account. Unless there is an emergency, Cloudflare requires valid legal process such as subpoena or a foreign government equivalent of a subpoena before providing this type of information to either foreign or domestic law enforcement or civil litigants.
Court Orders. Court orders are requests for data issued by a judge or magistrate. With a court order, Cloudflare may provide both the basic subscriber information that might be provided in response to a subpoena and other non-content information.
Pen Register Trap and Trace. Cloudflare periodically receives pen register/trap and trace orders, issued by a court, seeking real-time disclosure of non-content information, such the IP addresses of visitors to an account or website. We provide limited forward looking data in response to those requests.
Cloudflare is not a hosting provider or an email service provider and does not have customer content -- like email or other types of customer-generated material -- in the traditional sense. In the rare instances where law enforcement has sought content such as abuse complaints or support communications, Cloudflare has insisted on a search warrant for those electronic communications, consistent with the principles laid out in U.S. v. Warshak. To date, we have received no such warrants.
Search Warrants. Search warrants require judicial review, a finding of probable cause, inclusion of a location to be searched, and a detail of items requested. Although we have received a number of search warrants, as noted above, we have not had customer content to provide in response to those warrants.
Wiretap. A wiretap order is a court order that requires a company to turn over the content of communications in real time. Law enforcement must comply with very detailed legal requirements to obtain such an order. Cloudflare has never received such a wiretap orderThe U.S. government may apply for court orders from the FISA Court to require U.S. companies to turn over the content of users' communications to the government. As noted above, Cloudflare does not have access to the type of traditional customer content generally sought by FISA court orders. Because the public reporting of all national security process is highly regulated, if Cloudflare were to receive such an order, it would be reported as part of a combined number of NSLs and content and non-content FISA orders, in a band of 250, beginning with 0-250.
Cloudflare runs a global network that provides security and performance enhancements for Internet-facing websites and applications around the world. Because Cloudflare’s infrastructure sits between our customers’ websites and internet users in order to protect those websites from direct attack and serve requests to and from those servers, Cloudflare’s nameservers may appear in WHOIS data and Cloudflare’s IP addresses may appear in the DNS records for websites using our service
As the point of contact listed on relevant records, Cloudflare receives requests to remove content from our network from copyright holders alleging infringement or from governments taking the position that the content is unlawful. As Cloudflare cannot remove material from the Internet that is hosted by others, we generally forward requests for removal of content to the website hosting provider, who has access to the website content and the ability to address the underlying concern.
A small but growing number of Cloudflare’s products include storage. For content that is stored definitively on the Cloudflare network, as opposed to transiting or being temporarily cached on the network, we review the complaint carefully to determine whether additional action needs to be taken.
Cloudflare carefully reviews requests that we receive for content removal under the Digital Millennium Copyright Act (DMCA). If we are storing the content in question and we receive a valid takedown request that meets DMCA requirements, we will notify the user of the complaint and take steps to disable access to that content consistent with the DMCA
Cloudflare also may receive written requests from law enforcement and government agencies to block access to content based on the local law of the jurisdiction. Because of the significant potential impact on freedom of expression, Cloudflare will evaluates each content blocking request on a case-by-case basis, analyzing the factual basis and legal authority for the request.
If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as “geo-blocking”. We will attempt to clarify and narrow overbroad requests when possible.
As an ICANN-accredited domain registrar, Cloudflare follows ICANN’s Uniform Domain-Name Dispute Resolution Policy (UDRP) for trademark-based domain name disputes. Consistent with the policy, Cloudflare will, upon receipt of a valid UDRP verification request from an ICANN approved dispute board: (1) Lock the disputed domain name(s) to prevent modification to the registrant and registrar information for the duration of the dispute, and (2) Unmask or provide the underlying WHOIS information to the dispute board.
Upon receipt of a valid notice of decision from an ICANN approved dispute board, and based on the decision, Cloudflare will, as appropriate, unlock the domain to allow the Respondent to manage the domain, transfer the domain to the Complainant at a predetermined time to allow the Respondent to initiate legal dispute with their local legal system that is within the jurisdiction of the Registrar, or delete the domain.