Fighting back responsibly

Today on The Day We Fight Back, companies are coming together to protest the NSA’s mass surveillance programs. CloudFlare is proud to be one of those companies. We are taking a stand and proclaiming that “we will push back against powers that seek to observe, collect, and analyze our every digital action.”

Set Boundaries with Law Enforcement to Protect Users’ Rights

Taking such a stand does not mean that CloudFlare opposes the US government or law enforcement. On the contrary, we routinely work with law enforcement agents and officers across state and Federal agencies to educate them on CloudFlare’s privacy policies and cloud service provider technologies. Here, at CloudFlare, we believe strongly in due process, judicial oversight, and transparency. It is our policy to notify our customers of a subpoena or other legal process requesting their customer or billing information before disclosure of information.

Push Back - Ask for a Court Order

However, administrative letters with gag provisions, such as National Security Letters (NSLs), lack both due process and judicial oversight. CloudFlare considers those letters to be a legal tool of convenience instead of a legal tool of necessity. As previously stated, CloudFlare fully contests National Security Letters in the courts of competent jurisdiction of the United States, including exhausting all appellate remedies.

A few weeks ago, our in-house counsel, Ken Carter, fielded a call from an FBI national security agent asking for information for service of process. Not only do we maintain an email address strictly for law enforcement inquiries, which is publicly available at https://www.cloudflare.com/abuse/, we also have our information and policies on file with the Department of Justice. In accordance with our law enforcement agent vetting procedure, Ken asked him to email a formal request to us. In the agent’s request, he mentioned his intent to submit a National Security Letter/subpoena. We responded with a restatement of our policies. The agent’s response completely took us by surprise. He wrote, “[t]he legal process to be submitted was to be an NSL, so I will cancel that request until a full court order can be satisfied.” Our little bit of push back, our boundary setting, our consistent statement of policy was enough to deter this agent from using a tool we have little faith in and lead him to use instead a legal tool which has judicial oversight.

Get Educated - Create a Trust Relationship with Law Enforcement

It is not CloudFlare’s intent to make law enforcement’s jobs harder. We respect the work they do and appreciate their assistance when CloudFlare has been a target. However, it’s the mutual boundary setting, understanding, and respect which prevents the abuse of process and keeps us all honest. It is important for internet companies, especially young startups, to find this boundary and respect while cultivating a trust relationship with law enforcement. The relationship with law enforcement should not be built on fear. There are many opportunities for organizations to receive a greater understanding of law enforcement through partnerships such as the FBI’s Infragard program and the National Cyber-Forensics Training Alliance or the US Secret Service’s Electronic Crime Task Forces.

To maintain the trust and respect of our customers, we must be consistent in our application of policy and be transparent wherever and whenever possible. It is also important for us to help instill trust back in the law enforcement community through education. I, myself, volunteer my time to train law enforcement officials on a regular basis. The training I offer helps law enforcement officials craft narrowed requests appropriate for the technology and cloud services while addressing users’ privacy concerns. This approach makes the whole investigative process more efficient for all involved. If one phone call with an agent helps him understand why a narrowed scope in a court-ordered information request will not jeopardize his investigation, will yield the appropriate information, and will preserve the rights of customers, and in turn, makes him more mindful of his future requests of cloud service providers, then we are winning this fight.
