Section 702. Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) is an authority that allows the U.S. government to request the communications of non-U.S. persons located outside of the United States for foreign intelligence purposes. The U.S. government uses section 702 to collect the content of communications through specifical “selectors”, such as email addresses, that are associated with specific foreign intelligence targets. Because the authority is typically used to collect the content of communications, the “electronic communications service providers” asked to comply with section 702 are typically email providers or other providers with access to the content of communications.
As noted in our Transparency Report, Cloudflare does not have access to this type of traditional customer content for Cloudflare’s core services. In addition, Cloudflare has had a public commitment for many years that we have never provided any government a feed of our customers' content transiting our network and that we would exhaust all legal remedies if we were asked to do so in order to protect our customers from what we believe are illegal or unconstitutional requests.
Executive Order 12333. Executive Order 12333 governs U.S. intelligence agencies' foreign intelligence collection targeting non-U.S. persons outside the United States. Executive Order 12333 does not have provisions to compel the assistance of U.S. companies.
Cloudflare has a longstanding commitment to require legal process before providing any government entity with access to any customer data outside of an emergency. We therefore would not comply with voluntary requests for data under Executive Order 12333. In addition, Cloudflare has been a leader in encouraging additional security for data in transit, for both content and metadata, to prevent personal data from any type of prying eyes. In 2014, for example, we launched Universal SSL, making encryption — something that had been expensive and difficult — free for all Cloudflare customers. The week we launched it, we doubled the size of the encrypted web. Because of an increasing number of laws attempting to target encryption, we have even committed that we have never weakened, compromised, or subverted any of our encryption at the request of a government or other third party.
CLOUD Act. The Clarifying Lawful Overseas Use of Data (CLOUD) Act does not expand U.S. investigative authority. Tough requirements for law enforcement to obtain a valid warrant remain unchanged. The CLOUD Act also applies to access to content, which we generally do not store, as described above. It is important to note that law enforcement would typically seek to obtain data from the entity which has effective control of the data (i.e., our customers) rather than cloud providers.
The CLOUD Act provides mechanisms for a provider to petition a court to quash or modify a legal request that poses such a conflict of law. That process also allows a provider to disclose the existence of the request to a foreign government whose citizen is affected, if that government has signed a CLOUD Act agreement with the United States. Cloudflare has committed to legally challenge any orders that pose such a conflict of law. To date, we have received no orders that we have identified as posing such a conflict.
Finally, bear in mind that our DPA commits that unless legally prohibited, we will notify customers if we are able to identify that third-party legal process requesting personal data we process on behalf of that customer raises a conflict of law. Customers notified of a pending legal request for their personal data can seek to intervene to prevent the disclosure of personal data.