Content distribution network and web security startup Cloudflare today published a redacted version of a National Security Letter (NSL) the FBI served on it in 2012, seeking information on an account holder. A few weeks ago the FBI told Cloudflare that it had chosen to lift the gag order on the fact of the NSL, thus allowing for the publication of the document, albeit with certain details removed.
In fact Cloudflare challenged the request and the FBI subsequently “withdrew the request for information,” and consequently Cloudflare never had to give up information on the account holder in question, Cloudflare counsel Kenneth Carter wrote in a blog post . Cloudflare’s transparency report now reflects that in the first half of 2013 it received 0-249 national security orders but has a footnote acknowledging the aforementioned NSL.
The NSL is a tool the FBI can use to gather information under the auspices of national security, and one that has become more powerful and also more common particularly following the passage of the USA Patriot Act in 2001. This is not the first time an NSL is being published , but it’s nonetheless telling that Cloudflare ― which counts more than 10 million customer domains ― was at one point viewed as a potential data source by the U.S. government.
This letter, addressed to Cloudflare cofounder and chief executive Matthew Prince and signed by the special agent in charge of the FBI’s Washington field office, specifically tells Cloudflare not to suspend the account of the particular customer, as that “may alert the subscriber(s)/account user(s) that investigative action being taken.” The letter said Prince, whose company is based in San Francisco, must personally deliver the requested documents to the FBI’s San Francisco division within 14 business days of receiving the NSL.
View this document on Scribd
The document makes a request for several types of information, including the subscriber’s name; account number; payment details; associated addresses, email addresses, IP addresses, phone numbers, screennames, and URLs; and “the names of any and all upstream and downstream providers facilitating this account’s communications.”
The letter Cloudflare received on December 19, also from a special agent in charge in FBI’s Washington field office, says the FBI decided to lift the gag order “consistent with the requirements of the USA Freedom Act of 2015 and the Termination Procedures for NSL Nondisclosure Requirement.”
Cloudflare’s investors include Baidu, Capital G (formerly Google Capital), Fidelity Management and Research Co., Microsoft, and Qualcomm.