
Cloudflare’s Transparency Report for Second Half 2016 and a Disclosure for 2013 - jgrahamc
https://blog.cloudflare.com/cloudflares-transparency-report-for-second-half-2016-and-an-additional-disclosure-for-2013-2/
======
thwd
This sentence stood out to me:

> Now that this gag order has been lifted, Cloudflare is able to publish a
> more accurate transparency report to its customers and constituents.

A _more_ accurate report, not necessarily a completely accurate report. May or
may not imply that there are other gag orders still in force for the period. I
wouldn't be surprised.

------
xja
Wow, hugely interesting, including that Capitol Hill staff felt NSLs could not
be issued against Cloudflare, when they were.

One question I have: they chose to voluntarily redact the customer's account
name in question for obvious reasons. But have they now informed the customer
directly?

In any case, thanks Cloudflare for fighting this. I often feel a bit bad about
using Cloudflare for my blog, as it exposes users to a potential layer of
tracking. This makes me feel a little better.

~~~
jgrahamc
> I often feel a bit bad about using Cloudflare for my blog, as it exposes
> users to a potential layer of tracking.

We're not tracking your users.

~~~
gcp
_We're not tracking your users._

As far as you're allowed to admit by NSLs, you mean :-)

Intentions != Guarantees

~~~
Jarwain
I was under the impression an NSL could not force the recipient to do work to
comply. For example, they could hand over information they currently have, but
they cannot insert a backdoor/vulnerability to start collecting data they
previously didn't.

~~~
gcp
They presumably have some short term logging. Collecting those over a longer
period = tracking.

------
throw2016
You don't suddenly wake up one day in a police state. The security services in
the UK and USA are clearly out of control and at odds with basic democratic
principles.

These anti-democratic 'forces' always exist, and they empower themselves at
the cost of the people, shifting power to themselves and the state, and there
is always an excuse, a reason. A history and established culture of checks and
balances and rule of law is supposed to keep them in check.

In this case things are going wrong over an extended period of time,
accompanied by increasingly hysterical propaganda with no counter forces in
play to correct this anomaly. I think the smugness and lack of spine of our
generation will cost others heavily, and it is gross negligence to continue to
pretend this is not happening.

------
Already__Taken
So policy makers can't even be informed of problems with policy? Stunning.

Aren't Senators or something exempt from this kind of record spying? So the
gag order could at the very least be written to permit engaging with them. Of
course not just any staffer, but at least Cloudflare would have had a reason to
push harder to speak to someone.

~~~
mtgx
It's written so that it's hard to change on purpose. Originally you couldn't
even tell your _lawyer_ too much about it (I think you still can't, but I
could be wrong). That's why NSLs need to reach the Supreme Court multiple
times before they resemble any form of common sense.

And even then, when the law will have to change to address the Supreme Court
rulings, the FBI will probably still push to basically ignore some of the
Supreme Court decisions, already knowing they are unconstitutional. But if
that can buy them an extra 5 years of abuses before the NSLs reach the Supreme
Court again and the law has to change again, they are more than happy to play
that cat and mouse game.

The GCHQ in the UK has been doing the same thing. By the time the _previous_
surveillance law is declared illegal, they will have already passed a new
surveillance law that would have to be challenged in court again, and on and
on we go.

They did it when the data retention law was declared invalid by the CJEU and
they made the Parliament quickly pass DRIPA in 2014 to "make it all legal
again". And now the CJEU said DRIPA was invalid as well. But they had already
passed the Investigatory Powers Act, which will likely have to be brought in
court itself, too, to be made invalid.

By then they'll just pass an "amendment" to "make it legal again", even though
it likely won't, because none of the mass surveillance "features" they want in
these laws will ever be considered legal either by the CJEU or by the European
Court of Human Rights. But they are also happy to play the cat and mouse game.

~~~
enkid
Once the UK leaves the EU, they wouldn't fall under these courts any more,
correct?

~~~
dazc
AFAIK the European Convention on Human Rights is not connected to membership of
the EU?

~~~
vidarh
Correct. The ECHR is overseen by the Council of Europe and the final court of
appeals is the European Court of Human Rights in Strasbourg. However under the
Treaty of Nice all EU members are bound to ratify and abide by the ECHR, and
under the Treaty of Lisbon the EU itself is expected to ratify it (though
that's on hold after concerns raised by the ECJ).

The EU _also_ has the Charter of Fundamental Rights of the European Union. The
final court for that is the European Court of Justice (or Court of Justice of
the European Union) in Luxembourg. The ECJ is an EU organ, and the appeals
instance for violations of EU law in general. As such, since the ECHR is part
of EU law by treaty, the ECJ also handles cases that involve the ECHR.

Once the UK leaves the EU, it will no longer be bound by judgements of the
ECJ, but it will be bound by judgements of the ECHR.

The UK Human Rights Act sets out the obligations for the government with
respect to the ECHR. The ECJ obligations I believe are indirect via the
European Communities Act 1972, which gives EU law and treaties primacy over UK
law.

Indirectly, leaving the EU does make it legally _possible_ for the UK to
withdraw from the ECHR, but that would also mean leaving the Council of
Europe, which is unlikely: it would put it in company with Kazakhstan,
Belarus and the Vatican City as the only European states which are not CoE
members (the Vatican is an observer).

~~~
enkid
Thanks for the info

------
tomhoward
Related EFF announcement: [https://www.eff.org/deeplinks/2017/01/finally-revealed-cloudflare-has-been-fighting-nsls-years](https://www.eff.org/deeplinks/2017/01/finally-revealed-cloudflare-has-been-fighting-nsls-years)

------
ntoshev
Could EFF disclose statistics on the NSLs they are fighting but can't talk
about individually? E.g. can they say "We are currently fighting 50 NSLs with
gag orders"?

If not, that's a good pressure point for a change in current legislation. I
can't possibly imagine a scenario where disclosing the number of NSLs would be
a threat to national security.

~~~
Bartweiss
That's a fascinating question. Since they're not the target of the NSLs, it
wouldn't confirm or deny that any given organization is under an NSL (the
usual problem with someone saying "we're under 4 NSLs").

------
LaurentVB
Cloudflare redacted the name of the Agent, but left their signature. That's a
very literal (and maybe risky?) reading of their obligations.

~~~
jacobush
Risky or not, I make a very "in-your-face" reading of Cloudflare's attitude.
This little detail speaks loudest in the whole story, I think.

~~~
gist
And what is the benefit of being 'in your face'?

~~~
jacobush
I didn't mean to imply any benefit.

------
gist
Well, the way I see it, they did disclose the agent: there is a signature there.

But you have to wonder why the FBI simply doesn't use aliases for real
people's names in any letters that they issue. Seems to be a safer alternative
to asking that something be redacted later.

------
yAnonymous
That's good, but

>Because of the gag order, I had to sit in silence, implicitly confirming the
point in the mind of the staffer.

Please. He could have easily let her know about it without explicitly stating
it.

~~~
dspillett
Explicit/implicit doesn't matter, the gag order is still in force and is not
affected by how you pass on information that should be gagged according to the
order.

~~~
yAnonymous
1. Say nothing. 2. They ask what's going on. 3. Stand up and leave.

~~~
gcp
As parent said: "not affected by how you pass on information". Highly unusual
behavior meant to signal something is just the same as explicitly saying it.
This kind of attitude won't fly in a court, they very much take intent rather
than exact wording into account when ruling.

~~~
yAnonymous
There is no "usual" behavior when you're in a discussion and a gag order
prevents you from continuing it, as it's not a situation you're used to. I'd
actually consider what the author did unusual.

What are they going to charge him with? Violation of the gag order by saying
and doing nothing? That would only serve to ridicule the whole practice.

Gag orders seem to do exactly what they're supposed to: They scare people into
compliance. Are there actually any cases where someone was charged for
breaking a gag order?

~~~
gcp
You're beating around the bush making up nonexistent loopholes or hypothetical
situations because you don't like reality, but that doesn't make you right.
You yourself said that "he could have let her know", yet he didn't. Clearly,
you were able to understand just 2 posts ago that it was possible to imply the
existence of the NSL OR ALTERNATIVELY avoid having to do so. He chose the
latter. Congratulations, you don't get to do jail-time for impeding an
antiterrorism investigation under the mistaken impression that law is a hard-
coded logic system and judges are too stupid to understand _intent_.

_What are they going to charge him with? Violation of the gag order by saying
and doing nothing? That would only serve to ridicule the whole practice._

[https://en.wikipedia.org/wiki/Warrant_canary](https://en.wikipedia.org/wiki/Warrant_canary)

In September 2014, US security researcher Moxie Marlinspike wrote that
"every lawyer I've spoken to has indicated that having a 'canary' you remove
or choose not to update would likely have the same legal consequences as
simply posting something that explicitly says you've received something."

Lawyers clearly disagree with you.

_Gag orders seem to do exactly what they're supposed to: They scare people
into compliance. Are there actually any cases where someone was charged for
breaking a gag order?_

Of course they do. Jail-time & heavy fines are typical for court imposed gag
orders. I don't know of any examples of NSL gag orders being broken, nor do I
expect you'll find any volunteers that want to find out.

~~~
yAnonymous
While we're at it, I'd like to show another method of safely disclosing gag
orders.

Report the gag order stolen. Take a photo with a one-time camera and post it
from an open wifi using Tails or another Linux live distribution. Shred the
data, burn the order, dispose of the camera.

This can even be scripted easily to happen automatically when you're in range
of the wifi, so you're not seen with the device.

There are a lot of ways to safely disclose gag orders if you really want to,
especially if you work in IT.

