Cloudflare receives requests for different kinds of data on its users from U.S. and foreign governments, courts and those involved in civil litigation. To provide additional transparency about the type of information Cloudflare might provide, we have broken down the types of requests we receive, as well as the legal process we require before providing particular types of information. We review every request for legal sufficiency before responding with data.
We also recognize that a government’s request for data might be inconsistent with another government’s regulatory regime for protecting the personal data of its citizens. Cloudflare believes that government requests for the personal data of a person that conflict with the privacy laws of that person’s country of residence should be legally challenged. We have yet to receive a government request that we have identified as posing such a conflict.
This report does not include information about government requests for data that may be received by Cloudflare’s partners.
Requests for Basic Subscriber Data
The most frequent requests Cloudflare receives are requests for information that might be used to identify a Cloudflare customer. This basic subscriber data would include the information our customers provide at the time they sign up for our service, like name; email address; physical address; phone number; the means or source of payment of service; and non-content information about a customer’s account, such as data about login times and IP addresses used to login to the account. Unless there is an emergency, Cloudflare requires valid legal process such as a subpoena or a foreign government equivalent of a subpoena before providing this type of information to either foreign or domestic government authorities or civil litigants.
U.S. Government. Under the Electronic Communications Privacy Act (ECPA), the U.S. government can compel disclosure of subscriber information with a subpoena, a type of legal process that does not require prior judicial review. Although Cloudflare typically requires a subpoena before providing subscriber information, consistent with ECPA, Cloudflare may disclose information without delay to law enforcement if the request involves imminent danger of death or serious injury to any person. Cloudflare will evaluate emergency disclosure requests on a case-by-case basis as we receive them. For emergency disclosure requests, we request that law enforcement obtain legal process when time permits
Beyond subpoenas issued under ECPA, some U.S. government agencies may issue administrative subpoenas for subscriber data. Cloudflare has received a number of such subpoenas from the Securities and Exchange Commission (SEC).
National Security Process. The U.S. government can also issue a variety of different types of national security requests for data. Under the Foreign Intelligence Surveillance Act (FISA), the U.S. government may apply for court orders from the FISA Court to, among other actions, require U.S. companies to hand over users' personal information. The U.S. government can also issue National Security Letters (NSLs), which are similar to subpoenas, for subscriber and non-content data. Both FISA court orders and NSLs typically come with a non-disclosure obligation.
Cloudflare has long had concerns about these types of non-disclosure obligations, particularly when they are indefinite in nature. In 2013, after receiving such an NSL, Cloudflare objected to an administratively imposed gag which prohibited Cloudflare from disclosing information about this NSL to anyone other than our attorneys and a limited number of our staff, under threat of criminal liability. Cloudflare provided no customer information subject to NSL-12-358696; but the NSL's nondisclosure provisions remained in effect for nearly four years, until December 2016, after which Cloudflare disclosed receipt of the NSL, along with a redacted copy of the NSL.
Governments Outside the United States. Cloudflare responds to requests from governments outside the United States for all types of information, including subscriber data, that are issued through a U.S. court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request. The information produced to governments outside the United States in response to these requests is the same as would be produced to the U.S. government in response to a similar U.S. court order.
Cloudflare evaluates on a case-by-case basis requests for subscriber information from governments outside the United States that do not come through the U.S. court system. Cloudflare may, in our discretion, provide subscriber data to in response to a local equivalent of a subpoena, provided that the request complies with local law, and is consistent with international norms and Cloudflare policies.
In March 2018, the United States passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which permits the U.S. government to enter into Executive Agreements with other governments to allow direct law enforcement access for both governments to data stored in the other country to investigate and prosecute certain crimes. The law permits countries that enter into such Agreements with the United States to seek content data from U.S. companies directly, using that country’s legal process, rather than requiring the country’s law enforcement agencies to work with U.S. law enforcement to get U.S. legal process such as a court order.
Cloudflare believes that government access to data must be consistent with principles of rule of law and due process, including prior independent judicial review of requests for content; that users are entitled to notice when the government accesses their data; and that companies must have procedural mechanisms to raise legal challenges to access requests. Whether inside or outside the United States, we will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued, or that unnecessarily restrict our ability to be transparent with our users.
Civil Process. Cloudflare responds to legal process requesting subscriber data from civil litigants, such as subpoenas issued pursuant to the Digital Millennium Copyright Act (DMCA) seeking information on users alleged to be infringing copyright
Emergency Requests. Cloudflare receives emergency requests for data from time to time from law enforcement and governments. Cloudflare will respond on a voluntary basis if we have a good faith belief that there is an emergency involving the danger of death or serious physical injury.
Requests for Other Non-Content Data
Beyond requests for the types of subscriber data described above, Cloudflare sometimes receives court orders for transactional data related to a customer’s account or a customer’s website, such as logs of the IP addresses visiting a customer’s website or the dates and times a customer may have contacted support. Because Cloudflare retains such data for only a limited period of time, Cloudflare rarely has responsive data to provide to such requests.
Court Orders. Court orders are requests for data issued by a judge or magistrate. With a court order, Cloudflare may provide both the basic subscriber information that might be provided in response to a subpoena and other non-content information. The court orders that Cloudflare receives typically include a temporary non-disclosure requirement.
Pen Register Trap and Trace. Cloudflare periodically receives pen register/trap and trace orders, issued by a court, seeking real-time disclosure of non-content information, such as IP addresses of visitors to an account or website. We provide limited forward looking data in response to those requests.
Requests for Content Data
Cloudflare is not generally a hosting provider or an email service provider and does not have customer content -- like email or other types of customer-generated material -- in the traditional sense. In the rare instances where law enforcement has sought content such as abuse complaints or support communications, Cloudflare has insisted on a search warrant for those electronic communications, consistent with the principles laid out in U.S. v. Warshak. To date, we have received no such warrants.
Search Warrants. Search warrants require judicial review, a finding of probable cause, inclusion of a location to be searched, and a detail of items requested. Although we have received a number of search warrants, as noted above, we have not had customer content to provide in response to those warrants.
Wiretap. A wiretap order is a court order that requires a company to turn over the content of communications in real time. Law enforcement must comply with very detailed legal requirements to obtain such an order. Cloudflare has never received such a wiretap order
National Security Process. The U.S. government may apply for court orders from the FISA Court to require U.S. companies to turn over the content of users' communications to the government. As noted above, Cloudflare does not have access to the type of traditional customer content generally sought by FISA court orders. Because the public reporting of all national security process is highly regulated, if Cloudflare were to receive such an order, it would be reported as part of a combined number of NSLs and content and non-content FISA orders, in a band of 250, beginning with 0-250.