Cloudflare has revealed details about a National Security Letter (NSL) it received in February 2013 after a nearly four-year long legal battle with the FBI.
The company worked with the Electronic Frontier Foundation (EFF) to challenge the NSL it received, which was rescinded by the FBI in July 2013, shortly after Cloudflare enlisted the EFF’s help. In doing so, the FBI didn’t receive any customer information it sought from Cloudflare, but the gag order remained in effect, until last month when the FBI informed Cloudflare that the nondisclosure requirement was no longer necessary.
In a blog post on Tuesday, Cloudflare Counsel Kenneth R. Carter said that “[t]he gag order not only impacted our transparency report and our ability to talk about the sealed case, but Cloudflare has been involved in public policy discussions related to the Internet and matters of electronic communications both in Congress and in the public sphere more broadly since the early days of the company. We believe that participation in policy debates is an axiomatic part of our mission to build a better internet. The inability to disclose the receipt of NSLs and to participate in a robust discussion of the policy issues surrounding NSLs was important to Cloudflare and the members of our community.”
The 2013 NSL demanded Cloudflare turn over “transactional/activity logs” and email header information. Transactional information could include a wide range of data, such as the date an account is opened or closed, “screen-names and other online names associated with the account,” billing information, and IP addresses related to the account and its email addresses.
“Under the USA FREEDOM Act of 2015, the FBI is required to periodically review outstanding NSLs and lift gag orders on its own accord if circumstances no longer support a need for secrecy,” EFF staff attorney Andrew Crocker wrote in a post to the organization’s website. “As we’ve seen, this periodic review process has recently resulted in some very selective transparency by the FBI, which has nearly complete control over the handful of NSL gags it retracts, not to mention the hundreds of thousands it leaves in place. Make no mistake: this process is irredeemably flawed. It fails to place on the FBI the burden of justifying NSL gag orders in a timely fashion to a neutral third party, namely a federal court. Nevertheless, Cloudflare’s fight demonstrates that it is not unreasonable to require the FBI to relinquish some of its customary secrecy in national security cases.”
Cloudflare isn’t the only EFF client that has been involved in legal challenges surrounding NSLs and gag orders. According to EFF, Credo Mobile is challenging two NSLs issued in 2013 and their related gag orders. The EFF argues that the NSL system violates the constitiution in the Ninth Circuit.
Details about the NSL program have been slowly filtering out with the resolution of court challenges.
Also on Tuesday, Cloudflare released its latest transparency report which shows that Cloudflare received nine requests from law enforcement in the second half of 2016, affecting 17 accounts, and answered six of those requests. The total number of domains affected was 2,586, but the company notes that some two-thirds of them came from “a small number of subpoenas received.” The company received one search warrant and one Pen/Tap order during the period, but was also served 60 court orders, the most in any of its transparency reports, of which it answered 55.
Law enforcement agencies including the FBI may gain greater surveillance powers under the incoming U.S. administration, though the relationship between the agencies and the administration faces its own challenges.