Cloudflare Transparency Report - H2 2023
An essential part of earning and maintaining the trust of our customers is being transparent about the requests we receive from law enforcement and other governmental entities. To this end, Cloudflare publishes semi-annual updates to our Transparency Report on the requests we have received to disclose information about our customers.
Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.
Cloudflare has never modified customer content at the request of law enforcement or another third party.
Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
If Cloudflare were asked to do any of these, we would exhaust all legal remedies, in order to protect our customers from what we believe are illegal or unconstitutional requests.
Accurate as of November 21, 2024
Background on the data
The data presented below covers the period from July 1, 2023, to December 31, 2023. A request received in December 2023, but not processed until January 2024 will show as both “Requests received” and “Requests in process.” Also, requests for which we are waiting for a response from law enforcement before moving forward may also be reflected in "Requests in process.” The total number of domains affected and the total number of accounts affected refer only to requests which have been answered.
You can subscribe to updates on our Transparency Report using an RSS Feed.
Cloudflare receives requests for different kinds of data on its users from U.S. and foreign governments, courts and those involved in civil litigation. To provide additional transparency about the type of information Cloudflare might provide, we have broken down the types of requests we receive, as well as the legal process we require before providing particular types of information. We review every request for legal sufficiency before responding with data.
We also recognize that a government’s request for data might be inconsistent with another government’s regulatory regime for protecting the personal data of its citizens. Cloudflare believes that government requests for the personal data of a person that conflict with the privacy laws of that person’s country of residence should be legally challenged.
This report does not include information about government requests for data that may be received by Cloudflare’s partners.
Requests for Basic Subscriber Data
The most frequent requests Cloudflare receives are requests for information that might be used to identify a Cloudflare customer. This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name; email address; physical address; phone number; the means or source of payment of service; and non-content information about a customer’s account, such as data about login times and IP addresses used to login to the account. Unless there is an emergency, Cloudflare requires valid legal process such as a subpoena or a foreign government equivalent of a subpoena before providing this type of information to either foreign or domestic government authorities or civil litigants.
U.S. Government
Under the Electronic Communications Privacy Act (ECPA), the U.S. government can compel disclosure of subscriber information with a subpoena, a type of legal process that does not require prior judicial review. Although Cloudflare typically requires a subpoena before providing subscriber information, consistent with ECPA, Cloudflare may disclose information without delay to law enforcement if the request involves imminent danger of death or serious injury to any person. Cloudflare will evaluate emergency disclosure requests on a case-by-case basis as we receive them. For emergency disclosure requests, we request that law enforcement obtain legal process when time permits.
Beyond subpoenas issued under ECPA, some U.S. government agencies may issue administrative subpoenas for subscriber data. Cloudflare has received such subpoenas from a variety of different federal agencies.
National Security Process
The U.S. government can also issue a variety of different types of national security requests for data. Under the Foreign Intelligence Surveillance Act (FISA), the U.S. government may apply for court orders from the FISA Court to, among other actions, require U.S. companies to provide users' personal information. The U.S. government can also issue National Security Letters (NSLs), which are similar to subpoenas, for subscriber and limited non-content data. Both FISA court orders and NSLs typically come with a non-disclosure obligation.
Cloudflare has long had concerns about these types of non-disclosure obligations, particularly when they are indefinite in nature. In 2013, after receiving such an NSL, Cloudflare objected to an administratively imposed gag which prohibited Cloudflare from disclosing information about this NSL to anyone other than our attorneys and a limited number of our staff, under threat of criminal liability. Cloudflare provided no customer information subject to NSL-12-358696; but the NSL's nondisclosure provisions remained in effect for nearly four years, until December 2016, after which Cloudflare disclosed receipt of the NSL, along with a redacted copy of the NSL. Cloudflare has also threatened litigation over other indefinite non-disclosure orders, resulting in the government imposing time limits on the non-disclosure requirements in those orders.
Governments Outside the United States
Cloudflare responds to requests from governments outside the United States for all types of information, including subscriber data, that are issued through a U.S. court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request. The information produced to governments outside the United States in response to these requests is the same as would be produced to the U.S. government in response to a similar U.S. court order.
Cloudflare evaluates on a case-by-case basis requests for subscriber information from governments outside the United States that do not come through the U.S. court system. Cloudflare may, in our discretion, provide subscriber data in response to a local equivalent of a subpoena, provided that the request complies with local law, and is consistent with international norms and Cloudflare policies.
In March 2018, the United States passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which permits the U.S. government to enter into Executive Agreements with other governments to allow direct law enforcement access for both governments to data stored in the other country to investigate and prosecute certain crimes. The law permits countries that enter into such Agreements with the United States to seek content data from U.S. companies directly, using that country’s legal process, rather than requiring the country’s law enforcement agencies to work with U.S. law enforcement to get U.S. legal process such as a court order.
Cloudflare believes that government access to data must be consistent with the principles of rule of law and due process, including prior independent judicial review of requests for content; that users are entitled to notice when the government accesses their data; and that companies must have procedural mechanisms to raise legal challenges to access requests. Whether inside or outside the United States, we will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued, or that unnecessarily restrict our ability to be transparent with our users.
Civil Process
Cloudflare responds to legal process requesting subscriber data from civil litigants, such as subpoenas issued pursuant to the Digital Millennium Copyright Act (DMCA) seeking information on users alleged to be infringing copyright.
Emergency Requests
Cloudflare receives emergency requests for data from time to time from law enforcement and governments. Cloudflare will respond on a voluntary basis if we have a good faith belief that there is an emergency involving the danger of death or serious physical injury.
Requests for Other Non-Content Data
Beyond requests for the types of subscriber data described above, Cloudflare sometimes receives court orders for transactional data related to a customer’s account or a customer’s website, such as logs of the IP addresses visiting a customer’s website or the dates and times a customer may have contacted support. Because Cloudflare retains such data for only a limited period of time, Cloudflare rarely has responsive data to provide to such requests.
Court Orders
Court orders are requests for data issued by a judge or magistrate. With a court order, Cloudflare may provide both the basic subscriber information that might be provided in response to a subpoena and other non-content information. The court orders that Cloudflare receives typically include a temporary non-disclosure requirement.
Pen Register Trap and Trace
Cloudflare periodically receives pen register/trap and trace orders, issued by a court, seeking real-time disclosure of non-content information, such as the IP addresses of visitors to an account or website. We provide limited forward looking data in response to those requests.
Requests for Content Data
Cloudflare does not store customer content -- like email or other types of customer-generated material -- for websites using Cloudflare’s pass-through security and performance services.
Cloudflare does have a number of products that involve storage services, such as our R2, Workers, Stream, and Pages products. As those services involve customer content under the Electronic Communications Privacy Act, we would insist on a search warrant before providing information to any law enforcement request for customer content stored in our storage services, consistent with the principles laid out in U.S. v. Warshak.
Search Warrants
Search warrants require judicial review, a finding of probable cause, inclusion of a location to be searched, and a detail of items requested. Although we have received a number of search warrants, we have not had customer content to provide in response to those warrants when they seek content related to Cloudflare’s pass-through security and performance services. Any search warrants for stored content are reported separately in our Transparency Report.
Wiretap
A wiretap order is a court order that requires a company to turn over the content of communications in real time. Law enforcement must comply with very detailed legal requirements to obtain such an order. Cloudflare has never received such a wiretap order.
National Security Process
The U.S. government may apply for court orders from the FISA Court to require U.S. companies to turn over the content of users' communications to the government. As noted above, Cloudflare does not have access to the type of traditional customer content generally sought by FISA court orders. Because the public reporting of all national security processes is highly regulated, if Cloudflare were to receive such an order, it would be reported as part of a combined number of NSLs and content and non-content FISA orders, in a band of 250, beginning with 0-250.
Cloudflare runs a global network that provides security and performance enhancements for Internet-facing websites and applications around the world. Because Cloudflare’s infrastructure sits between our customers’ websites and Internet users in order to protect those websites from direct attack and serve requests to and from those servers, Cloudflare’s nameservers may appear in the WHOIS records and Cloudflare’s IP addresses may appear in the DNS records for websites using our service.
As the point of contact listed on relevant records, Cloudflare receives requests to remove content from our network from copyright holders alleging infringement, or from governments taking the position that the content is unlawful. As Cloudflare cannot remove material from the Internet that is hosted by others, we generally forward requests for removal of content to the website hosting provider, who has access to the website content and the ability to address the underlying concern.
A small but growing number of Cloudflare’s products include storage. Consistent with legal requirements like those in the EU’s Digital Services Act (DSA), Cloudflare has different terms of service and a different process for responding to legal requests or abuse complaints about content stored on our network, as opposed to content transiting or being temporarily cached on the network, reflecting the distinct legal requirements and expectations for definitively hosted content. If Cloudflare receives a valid takedown request content that is stored on the Cloudflare network, Cloudflare will disable access to the content, as appropriate. This report includes details on the requests we receive to disable access to content stored on our network, described as “hosted content.”
Requests for Content Removal Due to Copyright
Cloudflare carefully reviews requests that we receive for content removal under the Digital Millennium Copyright Act (DMCA). If we receive a DMCA complaint regarding the limited amount of content that we host, we will notify the user of the alleged infringement, allow for the user to provide a counter notice contesting the infringement allegation, and remove content consistent with the DMCA.
Content removal for violations of Cloudflare’s Acceptable Hosting Policy
When Cloudflare determines that content for which we provide hosting services violates our terms of service for hosted content, we may remove or disable access to that content.
Termination of Hosting Services Due to Technical Abuse
When Cloudflare determines that a domain for which we provide hosting services, such as Pages, is engaged in technical abuse, we may terminate hosting services for that domain. This may include domains engaged in phishing or the dissemination of malware.
Requests for Content Blocking
Cloudflare also may receive written requests from law enforcement, government agencies, or foreign courts to block access to content based on the local law of the jurisdiction. Because of the significant potential impact on freedom of expression, Cloudflare will evaluate each content blocking request on a case-by-case basis, analyzing the factual basis and legal authority for the request.
If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as “geo-blocking”. In those cases, we strive to be transparent about the basis for the blocking, typically with a block page that includes a link to the underlying legal order. We will attempt to clarify and narrow overbroad requests when possible.
Requests for Content Blocking through DNS resolver
Cloudflare has received a small number of legal requests related to blocking or filtering content through the 1.1.1.1 Public DNS Resolver. Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction, we evaluate any government requests or court orders to block content through a globally available public recursive resolver as requests or orders to block content globally.
Given the extraterritorial effect, as well as the different global approaches to DNS-based blocking, Cloudflare has pursued legal remedies before complying with requests to block access to domains or content through the 1.1.1.1 Public DNS Resolver or identified alternate mechanisms to comply with relevant court orders. To date, Cloudflare has not blocked content through the 1.1.1.1 Public DNS Resolver.
IPFS / Ethereum Gateways
Cloudflare has offered a number of gateways to enable users to access content stored on new distributed web technologies. Specifically, Cloudflare’s IPFS and Ethereum Gateways provided access to content on the InterPlanetary File System (IPFS), which is a peer-to-peer file system, and the Ethereum network, which is a distributed virtual computing network that stores and enforces smart contracts. Cloudflare does not host content on IPFS or the Ethereum network, and cannot remove it from storage. Indeed, because of the nature of distributed systems, content is generally stored on many nodes at the same time.
Although Cloudflare does not have the ability to remove content on IPFS or Ethereum, Cloudflare has disabled access through Cloudflare-operated gateways to certain content on IPFS and the Ethereum network in response to abuse reports, including reports of copyright, technical, sanctions compliance, and other abuse. This action does not prevent access to that content through other gateways, which Cloudflare does not control.
In 2024, Cloudflare's IPFS and Ethereum gateway traffic will be transitioning to IPFS Foundation's gateway. It will be maintained by the Interplanetary Shipyard team, an independent entity of IPFS core developers and maintainers.
Requests for Uniform Domain-Name Dispute Resolutions
As an ICANN-accredited domain registrar, Cloudflare follows ICANN’s Uniform Domain-Name Dispute Resolution Policy (UDRP) for trademark-based domain name disputes. Consistent with the policy, Cloudflare will, upon receipt of a valid UDRP verification request from an ICANN approved dispute board: (1) Lock the disputed domain name(s) to prevent modification to the registrant and registrar information for the duration of the dispute, and (2) Unmask or provide the underlying WHOIS information to the dispute board.
Upon receipt of a valid notice of decision from an ICANN approved dispute board, and based on the decision, Cloudflare will, as appropriate, unlock the domain to allow the Respondent to manage the domain, transfer the domain to the Complainant at a predetermined time to allow the Respondent to initiate legal dispute with their local legal system that is within the jurisdiction of the Registrar, or delete the domain.
Cloudflare has viewed responding to incidents of child sexual abuse material (CSAM) online as a priority since the company’s earliest days. When it comes to CSAM, our position is simple: We don’t tolerate it. We abhor it. It’s a crime, and we do what we can to support the processes to identify and remove that content.
Cloudflare is committed to providing tools to helping website operators to keep their sites free from child sexual abuse material (CSAM). To do that, we created our CSAM Scanning Tool and made it generally available for free in the second half of 2021 regardless of plan level. Once enabled, the CSAM Scanning Tool identifies potential CSAM material on a website using fuzzy hashing technology, takes steps to block that content from being accessed, helps ensure the customer reports the content to the National Center for Missing and Exploited Children (NCMEC), and notifies the customer so that they can take appropriate additional steps.
Under the scanning tool's original configuration in place in the first half of 2021, Cloudflare submitted reports to NCMEC from the tool on our customers’ behalf. Incorporating input from NCMEC, we subsequently updated the tool to allow our customers to submit the reports themselves to enable more direct follow up. In 2024, we are again updating the reporting element based on additional feedback from NCMEC, and will not require customers to obtain NCMEC credentials for reporting. We anticipate that these changes will make the tool more widely available to be used by all of our customers and result in blocking more content and streamlining the reports made to NCMEC on behalf of our customers.
Cloudflare also prioritizes responding to reports of CSAM. Although we are not in a position to remove content from the Internet that we do not host, we do everything we can to assist in getting that content taken offline. Abuse reports filed under the CSAM category are treated as the highest priority for our Trust & Safety team and moved to the front of the abuse response queue. Whenever we receive such a report, generally within minutes regardless of time of day or day of the week, we forward the report to NCMEC, as well as to the hosting provider and/or website operator, along with some additional information to help them locate the content quickly. We also respond to the reporter with additional details so that they can follow up as necessary.