Cloudflare and CREDO are still gagged from talking about national security letters

For more than a decade, CEOs of major tech companies have opened innocuous envelopes to find letters from the FBI inside, letters that demand these CEOs share information about their customers without telling anyone — except their lawyers — about it.

In 2013, the government estimated that it issued approximately 60 of these national security letters per day. But, until last summer, no company was allowed to admit that it had received one.

This week, the content delivery network Cloudflare revealed that it received a demand for customer data from the FBI in 2013. Cloudflare has been prevented from talking about the demand for years, but is finally speaking out after the FBI lifted its gag order.

However, there is still a secret demand for customer data that Cloudflare can’t talk about. Court records make clear that Cloudflare received a second national security letter in 2013, and the FBI is still preventing the company from acknowledging its existence. The phone company CREDO Mobile, which is challenging the constitutionality of national security letters in a case with Cloudflare, is also still gagged from discussing a NSL it received in 2011, records suggest.

National security letters are used by the FBI to extract information from companies about their users and are often accompanied by interminable gag orders that prevent companies from informing their users or the public about the government’s access to their information. Unlike traditional subpoenas, national security letters are not approved by a judge. Tech companies have criticized the process for its lack of judicial oversight and have argued that the gag orders violate their right to free speech.

Cloudflare is one of several companies fighting back in court. Cloudflare’s counsel, Kenneth Carter, revealed in a blog post this week that the company was one of the two previously unnamed clients in an Electronic Frontier Foundation lawsuit challenging the constitutionality of NSLs and their accompanying gag orders. CREDO Mobile, a phone company that donates some of its revenue to progressive causes, announced last November that it was the other appellant in the EFF case.

Although the EFF’s legal filings are redacted, it’s clear that Cloudflare received not one national security letter, but two. Since Cloudflare is only acknowledging one of the letters, it seems clear that the company is still legally bound from talking about the other.

The filings also show that CREDO received a NSL in 2011 that it has not publicly discussed, in addition to the two letters it received in 2013 and has acknowledged with permission from the FBI.

A redacted EFF brief describes the national security letters issued to CREDO: “On May 2, 2011, [redacted] filed a petition asking the district court to set aside the 11-2173 NSL, arguing that the statute was unconstitutional on its face and as applied. … More NSLs followed. In [redacted] 2013, Appellant [redacted] received two additional NSLs from the FBI.”

CREDO has publicly stated it received two NSLs in 2013, seeking access to information from three customers’ accounts. The company has not discussed the NSL it received in 2011.

The EFF brief continues: “Appellant [redacted] also received two NSLs (collectively the ’13-1165 NSLs’).” Earlier briefing in the 13-1165 case similarly notes that the appellant — which we now know to be Cloudflare — received the two national security letters in 2013.

The EFF declined to comment on the number of NSLs received by its clients, but said that its briefing does not contain errors.

The NSLs received by Cloudflare and CREDO asked the companies to turn over customer information, including names, addresses, length of service, and message metadata, and billing records. Cloudflare did not disclose any user data in response to the NSL it can discuss because the FBI withdrew it. It is not clear what, if any, data CREDO disclosed in response to the two NSLs it can acknowledge. CREDO referred a request for comment to the EFF.

“The government’s position is there are a lot of things people who get NSLs can say and there’s a narrow thing they’re gagged about,” Andrew Crocker, a staff attorney at the EFF who represents CREDO and Cloudflare, explained. “One of the most obvious things about why that’s wrong is, even as our clients get these gags lifted, there are still things that we are constrained from talking about. I can’t parse out what is constrained and what is not. It’s clearly a much broader constraint than what the government says — look at how difficult it is to answer questions about something we’re not allowed to talk about publicly.”

Cloudflare and CREDO regularly publish transparency reports about government requests for user data in an effort to be transparent with their customers about how their data is accessed. However, because of the gag orders accompanying the NSLs, neither Cloudflare nor CREDO could include information about the FBI’s demands in its transparency report. Although CREDO can now report two NSLs and Cloudflare can report one, each has a remaining NSL that is not included in its disclosures, according to court records.

On behalf of Cloudflare and CREDO, the EFF is arguing in the Ninth Circuit Court of Appeals that NSLs and gag orders are unconstitutional. “The National Security Letter (‘NSL’) statute is unconstitutional because it allows the FBI to unilaterally prohibit Americans from speaking on matters of significant public interest, and to prevent them from doing so indefinitely,” EFF says in its brief.

However, since the FBI allowed CREDO to identify itself in November and Cloudflare to identify itself this week, it’s possible that the revelations could harm the EFF’s case. One of the EFF’s major arguments is that the companies have a First Amendment right to discuss the orders they receive from the government and that the gag orders represent a prior restraint on their free speech. Now that CREDO and Cloudflare are allowed to speak out about some — if not all — the NSLs they received, that argument could be weakened.

“One of our biggest arguments was that they should be able to say they were recipients of NSLs,” says Nate Cardozo, a staff attorney for the EFF who represents CREDO and Cloudflare.

The EFF is scheduled to deliver oral arguments in the Cloudflare-CREDO case this March, and it’s possible that the FBI’s decision to allow the companies to identify themselves is a tactical move designed to undercut those arguments.

“If in fact this is a strategic move to undercut EFF’s arguments, that goes to show that the gag was imposed improperly in the first place. We shouldn’t be making decisions about disclosure or non-disclosure based on legal maneuvering,” says Gabe Rottman, the deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.

The disclosure of the identities of Cloudflare and CREDO, he says, “shows that when push comes to shove, the gag on the identity of the recipient just isn’t warranted.”

“It shows you need companies and individuals to stick their necks out to force the FBI’s hand and allow disclosure. The presumption should be transparency and the gag should only be imposed when the FBI can show beforehand that there is a compelling government interest in having the gag imposed,” Rottman added.

Cloudflare still believes it has a strong case. “We still — despite this disclosure — maintain our concerns about the NSL process. Because of the scope of the gag orders, we don’t think it is consistent with our company’s principles, which are based in transparency and openness,” Cloudflare’s general counsel Doug Kramer says.