FBI withdrew national security letter after Cloudflare lawsuit

Cloudflare, served with a national security letter at the beginning of 2013, managed to get the FBI to withdraw its request but has been under a gag order preventing it from speaking about the matter since.

Cloudflare received a national security letter (NSL) from the United States Federal Bureau of Investigation (FBI) back in February 2013, its transparency report for 2016 has shown, with the company only now able to report the event after being placed under a gag order.

The FBI had been seeking the names, addresses, length of service, electronic communications transactional records, transaction and activity logs, and all email header information linked with a certain Cloudflare account, although not the content of those emails.

Once served with the NSL, Cloudflare, with the help of the Electronic Frontier Foundation (EFF), filed a lawsuit under seal, successfully getting the FBI to rescind the NSL in July 2013 and withdraw its request for customer information.

Consequently, no customer information was ever provided by Cloudflare under the NSL, but the company was required to fulfil the non-disclosure obligations that have now been lifted.

"For nearly four years, Cloudflare has pursued its legal rights to be transparent about this request despite the threat of criminal liability. As explained above, the FBI recently removed that gag order, so we are now able to share the redacted text of NSL-12-358696," Cloudflare said in a blog post.

The redacted NSL does not show whose account was requested by the FBI, or which FBI agent was involved in making the request.


Cloudflare said that not being able to disclose that it received the NSL negatively impacted its "policy advocacy efforts", calling the letters "unconstitutional tools of convenience". The letters are issued by the FBI without any oversight or approval by the courts.

"The gag order not only impacted our transparency report and our ability to talk about the sealed case, but Cloudflare has been involved in public policy discussions related to the internet and matters of electronic communications both in Congress and in the public sphere more broadly since the early days of the company," Cloudflare said.

"The inability to disclose the receipt of NSLs and to participate in a robust discussion of the policy issues surrounding NSLs was important to Cloudflare and the members of our community.

"Cloudflare fought this battle for four years even after the request for customer information had been dismissed. In addition to protecting our customers' information, we want to remain a vigorous participant in public policy discussions about our services and public law enforcement efforts. The gag rule did not allow that."

Cloudflare's transparency report also revealed that it received 21 subpoenas during 2016, 17 of which it answered, affecting 2,682 domains and 31 accounts. By comparison, Cloudflare received 38 subpoenas back in 2015 and answered 32, but this affected only 597 domains and 45 accounts.

The company also received 116 court orders, 101 of which it answered, affecting 8,803 domains and 322 accounts. The number of court orders represented a jump of 81 percent from last year's 64 court orders, with 215.7 percent more domains affected than the 2,788 affected in 2015.

With regard to search warrants, just four were received and all four answered in 2016 -- half the number received and answered in 2015 -- affecting 84 domains and four accounts, while three pen register/tap and trace (PRTT) orders were received and answered, affecting eight domains and eight accounts. This was a jump from the single PRTT order received and answered in 2015, which affected two domains and one account.

Cloudflare said it has never received any wiretapping orders; turned over its own SSL keys or customers' SSL keys; installed law-enforcement equipment or software on its network; terminated a customer or removed content due to political pressure; or provided a feed of its customers' content to a law-enforcement agency.

The company said that it would "exhaust all legal remedies" before ever handing over any customer information.

In December, Facebook also revealed that it had received an NSL back in September 2015, under which Facebook was forced to provide the personal information of a certain user to the FBI. This information included the user's name, address, and electronic communications transactional records, although not the content of those communications.

Facebook was under a non-disclosure order until December 2016.

Yahoo also recently revealed the three NSLs it received in March 2013, August 2013, and May 2015, under which it was required to provide subscriber names and related information; account numbers; the dates on which accounts were opened and closed; postal addresses; phone numbers; screen names; other online names; credit cards and billing information; email addresses; IP addresses; URLs; hardware information, including ISDN and DSL data; and the names of upstream and downstream providers facilitating the communications of the accounts in question.

Like Cloudflare, Microsoft was also successful in challenging the FBI on providing customer information when it received an NSL in 2013.

"In this case, the letter included a non-disclosure provision and we moved forward to challenge it in court. We concluded that the non-disclosure provision was unlawful and violated our Constitutional right to free expression. It did so by hindering our practice of notifying enterprise customers when we receive legal orders related to their data," Microsoft said in a blog post in May 2014, when the non-disclosure order lifted.

"After we filed this challenge in Federal Court in Seattle, the FBI withdrew its letter.

"Fortunately, government requests for customer data belonging to enterprise customers are extremely rare. We therefore have seldom needed to litigate this type of issue. In those rare cases where we have received requests, we've succeeded in redirecting the government to obtain the information from the customer, or we have obtained permission from the customer to provide the data."