Cloudflare explains how FBI gag order impacted business

Cloudflare issued its biannual transparency report yesterday, detailing the government requests for user data it received during the latter half of 2016. Many tech companies make regular disclosures about these types of requests in an effort to be more transparent with their users, and, following the passage of the USA Freedom Act, more and more of these disclosures include national security letters.

Cloudflare’s latest transparency report reveals that the company received a national security letter back in 2013 — and includes a chilling story about how NSL gag orders have kept the public and politicians in the dark about the FBI’s use of secret subpoenas.

The FBI issues national security letters in secret, without judicial approval, in order to compel tech companies to reveal information about their customers. But, thanks to legislation passed last year, the gag orders that accompany NSLs are periodically reviewed and sometimes lifted — which means companies like Cloudflare eventually get to talk about them.

The gag order on Cloudflare was lifted in mid-December, and although the company could reveal the specific user whose account was requested, it chose not to. Instead, Cloudflare’s attorney Kenneth Carter is talking about how the gag order prevented him from advocating effectively for the company.

In a blog post, Carter wrote:

One personal experience is particularly telling about the gag order’s negative impact on our policy advocacy efforts. In early 2014, I met with a key Capitol Hill staffer who worked on issues related to counter-terrorism, homeland security, and the judiciary. I had a conversation where I explained how Cloudflare values transparency, due process of law, and expressed concerns that NSLs are unconstitutional tools of convenience rather than necessity. The staffer dismissed my concerns and expressed that Cloudflare’s position on NSLs was a product of needless worrying, speculation, and misinformation. The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the U.S. Code and read from the statutory language to make her point.

Because of the gag order, I had to sit in silence, implicitly confirming the point in the mind of the staffer. At the time, I knew for a certainty that the FBI’s interpretation of the statute diverged from hers (and presumably that of her boss).

Carter says that Cloudflare worked with the Electronic Frontier Foundation to fight the NSL and the FBI rescinded the letter in July 2013, a few months after issuing it. Ultimately, Cloudflare didn’t disclose any information about its customer and the FBI closed its investigation. But Cloudflare was still forced to keep quiet about the existence of the NSL until years later.

“In addition to protecting our customers’ information, we want to remain a vigorous participant in public policy discussions about our services and public law enforcement efforts. The gag rule did not allow that,” Carter said.

Between July and December 2016, Cloudflare received more court orders for data than it has over any other six-month period since it began publishing transparency reports in 2013. In addition to 60 court orders for data from 126 accounts, Cloudflare also received nine subpoenas, one search warrant and one pen register/trap and trace order.

However, Cloudflare says the increase in requests from courts and law enforcement doesn’t necessarily represent a spike in surveillance. Rather, the company notes that the increase is due in part to its increase in business — Cloudflare reports a five-fold growth in customer domains since 2013.