CLOUDFLARE TRANSPARENCY REPORT - H2 2017

Shield
Shield

Introduction

An essential part of earning the trust of our customers is being transparent about the requests we receive from law enforcement and other governmental entities. To this end, Cloudflare publishes this semi-annual Transparency Report on the governmental requests we have received to disclose information about our customers. The data is complete as of December 31, 2017, including requests related to Cloudflare and StopTheHacker. This Report supplants our previous Transparency Reports, which are archived in their entirety here.

Cloudflare operates a robust global network that transmits as much as 10% of all global internet requests and is extremely mindful of the responsibility that comes with that privileged position. It is Cloudflare's overriding privacy principle that any personal information you provide to us is just that: personal and private. We will not sell, rent, or give away any of your personal information without your consent. Our respect for our customers' privacy applies with equal force to commercial requests and to government or law enforcement requests.

Cloudflare's approach to law enforcement requests is that we are supportive of their work; however, any request we receive must strictly adhere to the due process of law and be subject to judicial oversight. It is not Cloudflare's intent to make law enforcement's job any harder, or easier. We respect the work they do and appreciate their assistance in protecting the rights of our customers. We have a healthy and open relationship with law enforcement officials so they understand these standards and our processes. It is our policy to notify our customers of a subpoena or other legal process requesting their customer or billing information before disclosure of information. Cloudflare is not subject to foreign legal jurisdictions and only accepts requests in English from foreign law enforcement agencies that are issued via a U.S. court either by way of a mutual legal assistance treaty (MLAT) or a letter rogatory. We received 6 MLAT requests through the U.S. court system in the second half of 2017. We received 2 SEC subpoena.

Some things we have never done

  • Cloudflare has never turned over our SSL keys or our customers' SSL keys to anyone.

  • Cloudflare has never installed any law enforcement software or equipment anywhere on our network.

  • Cloudflare has never terminated a customer or taken down content due to political pressure.

  • Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.

If Cloudflare were asked to do any of the above, we would exhaust all legal remedies, in order to protect our customers from what we believe are illegal or unconstitutional requests.

The data

The data presented below covers the period from July 1, 2017 to December 31, 2017. A request received in December 2017, but not processed until January 2018 will show as both "Requests received" and "Requests in process." Also, requests for which we are waiting for a response from law enforcement before moving forward may also be reflected in "Requests in process." The Total # of domains affected and the Total number of accounts affected refer only to requests which have been answered.

Subpoenas

This category includes any legal process which does not have ex ante judicial review, including but not limited to grand jury subpoenas, U.S. government attorney issued subpoenas, and case agent issued summonses.

YearRequests receivedRequests answeredRequests in processTotal # of domains affectedTotal # of accounts affected
2017 2H
22
13
2
846(*2)
6
2017 1H
21
8
1
51
59
2016 2H
9
6
0
2586(*2)
17(*3)
2016 1H
12
11
0
96
14
2015 2H
26
22
0
458(*2)
33(*3)
2015 1H
12
10
0
139(*2)
12(*3)
2014 2H
12
11
1
393(*2)
15(*3)
2014 1H
11
4
0
12
4
2013
18
1
0(*1)
17
1

(*1) The one subpoena in process in 2013 was rescinded in 2014.
(*2) A small number of subpoenas received accounted for 2/3 of domains affected.
(*3) A small number of subpoenas received accounted for 2/3 of accounts affected.

In 2017 Cloudflare pushed back on 20 subpoenas, and they were rescinded.

Court orders

This category includes any order issued by a judge or magistrate, including but not limited to 18 U.S.C. § 2703(d), 18 U.S.C. § 2705(b), and MLAT orders. Orders which may fall under a more specific category such as search warrants or pen register / trap and trace orders will be reported under the more specific category and not counted here.

YearRequests receivedRequests answeredRequests in processTotal # of domains affectedTotal # of accounts affected
2017 2H
79
64
1
7354(*2)
113
2017 1H
74
56
4
1498(*2)
3711(*3)
2016 2H
60
55
0
2338(*2)
126(*3)
2016 1H
47
46
0
6465(*2)
196(*3)
2015 2H
14
14
0
668(*2)
18(*3)
2015 1H
50
49
0
2120(*2)
96(*3)
2014 2H
24
23
5
802(*2)
167(*3)
2014 1H
22
21
1
290
57
2013
28
27(*1)
0(*1)
266(*1)
47(*1)

(*1) For one of the court orders in 2013, Cloudflare was not able to provide any information. Counts have been updated to reflect the requests in process in 2013 that were answered in 2014.
(*2) A small number of court orders received accounted for almost 2/3 of domains affected.
(*3) A small number of court orders received accounted for almost 2/3 of accounts affected.

In 2017 Cloudflare pushed back or was unable to provide any information on 29 court orders, and they were rescinded.

Search warrants

This category includes only search warrants which require judicial review, probable cause, and inclusion of a location to be searched and a detail of items requested.

YearRequests receivedRequests answeredRequests in processTotal # of domains affectedTotal # of accounts affected
2017 2H
1
1
0
0
0
2017 1H
1
0
0
0
0
2016 2H
1
1
0
5
1
2016 1H
3
3
0
79
3
2015 2H
5
5
0
35
6
2015 1H
3
3
0
127(*2)
8(*3)
2014 2H
2
2
1
68
3
2014 1H
1
1
0
36
1
2013
3
2(*1)
0(*1)
40(*1)
2(*1)

(*1) One search warrant in 2013 was rescinded. Counts have been updated to reflect the requests in process in 2013 that were answered in 2014.
(*2) A small number of court orders received accounted for almost 2/3 of domains affected
(*3) A small number of court orders received accounted for almost 2/3 of accounts affected

In 2017 one search warrant was rescinded, as Cloudflare was not able to provide any information.

Cloudflare follows the principles laid out in U.S. v. Warshak and requires a valid search warrant before disclosing any customer content sought by law enforcement. Cloudflare is not a hosting provider or an email service provider and does not have customer content in the traditional sense. In the rare instances where law enforcement has sought content such as abuse complaints or support communications, Cloudflare has insisted on a warrant for those electronic communications. To date, we have received no such warrants.

Pen register/Trap and trace (PRTT) orders

This category includes only pen register/trap and trace orders issued by the court for real-time disclosure of non-content information, including IP address information.

YearRequests receivedRequests answeredRequests in processTotal # of domains affectedTotal # of accounts affected
2017 2H
0
0
0
0
0
2017 1H
0
0
0
0
0
2016 2H
1
1
0
1
1
2016 1H
2
2
0
7
7
2015 2H
0
0
0
0
1
2015 1H
1
1
0
2
1
2014 2H
1
1
0
6
4
2014 1H
0
0
0
0
0
2013
1
1
0
1
1

Wiretap orders

This category includes only wiretap orders that were issued by a court.

YearRequests receivedRequests answeredRequests in processTotal # of domains affectedTotal # of accounts affected
2017 2H
0
0
0
0
0
2017 1H
0
0
0
0
0
2016 2H
0
0
0
0
0
2016 1H
0
0
0
0
0
2015 2H
0
0
0
0
0
2015 1H
0
0
0
0
0
2014 2H
0
0
0
0
0
2014 1H
0
0
0
0
0
2013
0
0
0
0
0

National security process

What we can say in regard to national security orders is highly regulated. In January 2014, the Department of Justice and the Director of National Intelligence announced a change in the rules governing the disclosure of national security orders, including National Security Letters (NSLs) received by a company from the FBI. While an improvement, we still consider the 2014 guidance to be an undue prior restraint on the freedom of speech. These guidelines, now codified as part of the USA FREEDOM Act, allow companies to disclose the number of NSLs and FISA orders as a single number in bands of 250, starting with 0-249.

YearNational security orders receivedTotal accounts affected
2017 2H
0-249
0-249
2017 1H
0-249
0-249
2016 2H
0-249
0-249
2016 1H
0-249
0-249
2015 2H
0-249
0-249
2015 1H
0-249
0-249
2014 2H
0-249
0-249
2014 1H
0-249
0-249
2013
0-249(*FN1)
0-249(*FN2)
2012
0-249
0-249

(*FN1) In February 2013, the FBI served national security letter NSL-12-358696 on Cloudflare, requesting certain customer information. This NSL contained an administratively-imposed gag which prohibited Cloudflare from disclosing information about this NSL to anyone other than our attorneys and a limited number of our staff, under threat of criminal liability. In 2013, Cloudflare objected to the NSL and threatened to sue the U.S. Government to protect its customers’ rights. The FBI soon rescinded the NSL and withdrew the request for information. Cloudflare provided no customer information subject to NSL-12-358696; but nonetheless, the NSL's nondisclosure provisions remained in effect for nearly four years. The FBI delivered to Cloudflare a letter dissolving the 2013 gag order in December 2016. Now that the administrative gag order is no longer in effect, Cloudflare is disclosing receipt of the NSL in our second half 2016 report, along with a redacted copy of the NSL.
(*FN2) Since no information was provided in response to NSL-12-358696, the Total accounts affected figure remains unchanged.

Conclusion

Given the vast amount of information transiting of our global network, Cloudflare is mindful of the special and sensitive position we occupy with regard to our customers. Cloudflare is extremely mindful of the position and the responsibilities our customers have placed on us through their trust. While there has been a steady increase in the number of law enforcement requests since our first transparency report in 2013, this is due in part to the five-fold increase in the number of Cloudflare customer domains during that time period.

We will continue to publish this report on a semiannual basis. Please be advised that we may restate data as we go forward as more complete information becomes available or if we change our classifications. This page will always contain the most recent version of our Transparency Report. Archival reports will be available from this page.