Thanks to the lifting of a gag order, on Tuesday security firm Cloudflare was finally able to post a National Security Letter it received from the Federal Bureau of Investigation back in 2013.
Cloudflare’s counsel Kenneth R. Carter acknowledged the lifting of the order and said the letter is part of the company’s seventh transparency report, covering the second half of 2016 and also published Tuesday.
Cloudflare’s Transparency Report for Second Half 2016 and an Additional Disclosure for 2013 – https://t.co/wA7ER43LLk
— Cloudflare (@Cloudflare) January 10, 2017
The company, which offers CDN, DNS, and DDoS protection for websites, was identified in a public notice filed last Friday in the United States Court of Appeals for the Ninth Circuit. In the notice, addressed to Cloudflare’s legal department, the FBI said a nondisclosure requirement, originally imposed on the company in February 2013, was no longer necessary.
“Consistent with the requirements of the USA FREEDOM Act of 2015 and the Termination Procedures for NSL Nondisclosure Requirement, the FBI has reviewed whether to continue the nondisclosure requirement in the NSL and determined that the nondisclosure is no longer necessary with respect to all information contained in the NSL except as set forth below,” the document reads.
The note goes on to add that Cloudflare can disclose that it received an NSL, the account for which the FBI wanted information, and whether or not the company provided responsive information.
According to Carter, Cloudflare objected to the NSL from the get-go; five months later the FBI withdrew its request, so no information was disclosed. For nearly four years, however, the gag order persisted.
The redacted letter – below – addressed to the company’s CEO Matthew Prince, requested Cloudflare turn over information – the name, address, and any activity logs or email correspondence – it had on one subscriber.
In addition to being able to disclose the NSL, Carter was able to clarify that the company enlisted the help of the Electronic Frontier Foundation to file a lawsuit against the government’s power when it comes to NSLs.
Cloudflare joins CREDO, a San Francisco-based mobile provider, in challenging the legality of NSLs. The company, the first mobile provider to publish a transparency report, received an NSL from the FBI in 2011 asking for information about one of its customers.
It wasn’t until this past November, however, that representatives with the company confirmed it was working with the EFF. Like Cloudflare, CREDO fought back, but was put under a similar gag order forbidding the company from disclosing its participation in the case.
The government dropped its appeal of the gag order in November, allowing CREDO to discuss the letter and its involvement in the EFF case.
Litigation around the lawsuit continues to be held up on appeal in the Ninth Circuit, but according to Andrew Crocker, a staff attorney with the EFF’s civil liberties team, an oral argument is slated for the week of March 20 in San Francisco.
The concept of NSL gag orders has been heavily criticized. The EFF called the process “irredeemably flawed” on Monday, saying it “fails to place on the FBI the burden of justifying NSL gag orders in a timely fashion to a neutral third party, namely a federal court.”
Marcia Hofmann, formerly of the Electronic Frontier Foundation, now an attorney at Zeitgeist Law PC, filed a briefing (.PDF) in September calling the process unconstitutional. She, along with five members of Congress, said in the briefing that the procedures currently in place for reviewing and terminating NSL nondisclosure orders violate the USA FREEDOM Act. The briefing cites another case, Elrod vs. Burns (1976), and argues that “the loss of the right to speak for even minimal periods of time unquestionably constitutes irreparable injury.”
Cloudflare is the second company to disclose it received a subpoena for user data and fought a corresponding gag order in the last four months.
In October, Open Whisper Systems, the non-profit group behind Signal, disclosed that it had received a letter from the U.S. District Court for the Eastern District of Virginia asking for records on two individuals. As Signal keeps the bare minimum on its users – the time accounts are created and the date they last connected to Signal’s servers – the company was unable to satisfy the request.
Like Cloudflare, Signal, with the help of the American Civil Liberties Union, was able to lift a gag order – this one scheduled to last a year. In a letter to attorneys with the court in Virginia, an ACLU staff attorney called the order unconstitutional, “overbroad” and the latest “secrecy overreach” by the government.
According to Cloudflare’s transparency report, in the second half of 2016 it answered six of the nine subpoena requests it received; the requests affected 2,586 domains and 17 accounts. The company, meanwhile, received between 0 and 249 NSLs. Per the USA FREEDOM Act, companies can disclose NSLs and FISA orders as a single number in bands of 250.