Hacker News new | comments | show | ask | jobs | submit login
Cloudflare’s Transparency Report for Second Half 2016 and a Disclosure for 2013 (cloudflare.com)
159 points by jgrahamc on Jan 11, 2017 | hide | past | web | favorite | 38 comments

This sentence stood out to me:

> Now that this gag order has been lifted, Cloudflare is able to publish a more accurate transparency report to its customers and constituents.

A _more_ accurate report, not necessarily a completely accurate report. May or may not imply that there are other gag orders still in force for the period. I wouldn't be surprised.

Wow hugely interesting, including that Capitol Hill staff felt NSLs could not be issued against Cloudflare, when they were.

One question I have, they chose to voluntarily redact the customers account name in question for obvious reasons. But have they now informed the customer directly?

In any case, thanks Cloudflare for fighting this. I often feel a bit bad about using Cloudflare for my blog, as it exposes users to a potential layer of tracking. This makes me feel a little better.

> I often feel a bit bad about using Cloudflare for my blog, as it exposes users to a potential layer of tracking.

We're not tracking your users.

Which is why I said potential rather than actual. Having users terminate their connection at Cloudflare always adds an extra layer, and a dependency on a US corporation and therefore subject to the US legal system.

It's not totally ideal. But I'm glad to hear you're trying your best.

We're not tracking your users.

As far as you're allowed to admit by NSL's, you mean :-)

Intentions != Guarantees

I was under the impression a NSL could not force the recipient to do work to comply. For example, they could hand over information they currently have, but they cannot insert a backdoor/vulnerability to start collecting data they previously didn't.

They presumably have some short term logging. Collecting those over a longer period = tracking.

> We're not tracking your users.

Which is why the parent poster said "potential". You're not tracking, but you could be.

Couldn't the same be said about any web service, like DuckDuckGo?

It could, and OP would probably feel icky about serving their site through DuckDuckGo as well.

It's not just about serving the sites, it's about any company that claims they don't track users.

You don't suddenly wake up one day in a police state. The security services in the UK and USA are clearly out of control and at odds with basic democractic principles.

These anti-democratic 'forces' always exist, and they empower themselves at the cost of the people shifting power to themselves and the state, and there is always an excuse, a reason. A history and established culture of checks and balances and rule of law is supposed to keep them in check.

In this case things are going wrong over an extended period of time accompanied with increasingly hysterical propaganda with no counter forces in play to correct this anomaly. I think the smugness and lack of spine from our generation will cost others heavily and it is gross negligence to continue to pretend this is not happening.

So Policy makers can't even be informed of problems with policy? Stunning.

Aren't Senators or something exempt from this kind of record spying? So the gag order could at the very least be written to permit engaging with them. Of course not just any staffer but at least cloudflare would have had a reason to push harder to speak to someone.

It's written so that it's hard to change on purpose. Originally you couldn't even tell your lawyer too much about it (I think you still can't, but I could be wrong). That's why NSLs need to reach the Supreme Court multiple times before they resemble any form of common sense.

And even then, when the law will have to change to address the Supreme Court rulings, the FBI will probably still push to basically ignore some of the Supreme Court decisions, already knowing they are unconstitutional. But if that can buy them an extra 5 years of abuses before the NSLs reach the Supreme Court again and the law has to change again, they are more than happy to play that cat and mouse game.

The GCHQ in the UK has been doing the same thing. By the time the previous surveillance law is declared illegal, they will have already passed a new surveillance law that would have to be challenged in court again, and on and on we go.

They did it when the data retention law was declared invalid by the CJEU and they made the Parliament quickly pass DRIPA in 2014 to "make it all legal again". And now the CJEU said DRIPA was invalid as well. But they had already passed the Investigatory Powers Act, which will likely have to be brought in court itself, too, to be made invalid.

By then they'll just pass an "amendment" to "make it legal again", even though it likely won't, because none of the mass surveillance "features" they want in these laws will ever be considered legal either by the CJEU or by the European Court of Human Rights. But they are also happy to play the cat and mouse game.

Once the UK leaves the EU, they wouldn't fall under these courts any more, correct?

AFIK the European Convention on Human Rights is not connected to membership of the EU?

Correct. The ECHR is overseen by the Council of Europe and the final court of appeals is the European Court of Human Rights in Strasbourg. However under the Treaty of Nice all EU members are bound to ratify and abide by the ECHR, and under the Treaty of Lisbon the EU itself is expected to ratify it (though that's on hold after concerns raised by the ECJ).

The EU also has the Charter of Fundamental Rights of the European Union. The final court for that is the European Court of Justice (or Court of Justice of the European Union) in Luxembourg. The ECJ is a EU organ, and appeals instance for violations of EU law in general. As such, since the ECHR is party of EU law by treaty, the ECJ also handles cases that involves the ECHR.

Once the UK leaves the EU, it will no longer be bound by judgements of the ECJ, but it will be bound by judgements of the ECHR.

The UK Human Rights Act sets out the obligations for the government with respect to the ECHR. The ECJ obligations I believe are indirect via the European Communities Act 1972, which gives EU law and treaties primacy over UK law.

Indirectly, leaving the EU does make it legally possible for the UK to withdraw from the ECHR, but that would still mean leaving the Council of Europe as well, but that's unlikely - it would put it in company with Kazakhstan, Belarus and the Vatican City as the only European states which are not CoE members (the Vatican is an observer).

Thanks for the info

Correct. Though the debate in Britain often mixes them up. Also some part of the eurosceptic side want to leave the ECHR too.

Could EFF disclose statistics on the NSLs they are fighting but can't talk about individually? E.g. can they say "We are currently fighting 50 NSLs with gag orders?"

If not, that's a good pressure point for a change in current legislation. I can't possibly imagine a scenario where disclosing the number of NSL would be a threat to national security.

That's a fascinating question. Since they're not the target of the NSLs, it wouldn't confirm or deny that any given organization is under an NSL (the usual problem with someone saying "we're under 4 NSLS").

Cloudflare redacted the name of the Agent, but left their signature. That's a very literal (and maybe risky?) reading of their obligations.

The letter states explicitly that it is requested, but not required, that they redact the name and phone number of the agent.

I thought the same, but was it intentional or rather just oversight?

Risky or not, I make a very "in-your-face" reading of Cloudflare's attitude. This little detail speaks loudest in the whole story, I think.

And what is the benefit of being 'in your face'?

I didn't mean to imply any benefit.

Well the way I see it they did disclose the agent there is a signature there.

But you have to wonder why the FBI simply doesn't use aliases for real people's names in any letters that they issue. Seems to be a safer alternative to asking that something is redacted later.

That's good, but

>Because of the gag order, I had to sit in silence, implicitly confirming the point in the mind of the staffer.

Please. He could have easily let her know about it without explicitly stating it.

Explicit/implicit doesn't matter, the gag order is still in force and is not affected by how you pass on information that should be gagged according to the order.

This is entirely true.

It would have been interesting to see what action the FBI would have taken if a Congressional(?) staffer had become aware that the FBI's interpretation was different to the lawmakers.

It is certainly possible that the FBI would have been reluctant to pursue persecution in this case.

1. Say nothing. 2. They ask what's going on. 3. Stand up and leave.

As parent said: "not affected by how you pass on information". Highly unusual behavior meant to signal something is just the same as explicitly saying it. This kind of attitude won't fly in a court, they very much take intent rather than exact wording into account when ruling.

There is no "usual" behavior when you're in a discussion and a gag order prevents you from continuing it, as it's not a situation you're used to. I'd actually consider what the author did unusual.

What are they going to charge him with? Violation of the gag order by saying and doing nothing? That would only serve to ridicule the whole practice.

Gag orders seem to do exactly what they're supposed to: They scare people into compliance. Are there actually any cases where someone was charged for breaking a gag order?

You're beating around the bush making up nonexistent loopholes or hypothetical situations because you don't like reality, but that doesn't make you right. You yourself said that "he could have let her know", yet he didn't. Clearly, you were able to understand just 2 posts ago that it was possible to imply the existence of the NSL OR ALTERNATIVELY avoid having to do so. He chose the latter. Congratulations, you'd don't get to do jail-time for impeding an antiterrorism investigation under the mistaken impression that law is a hard-coded logic system and judges are too stupid to understand intent.

What are they going to charge him with? Violation of the gag order by saying and doing nothing? That would only serve to ridicule the whole practice.


In September 2014,[18] US security researcher Moxie Marlinspike wrote that "every lawyer I've spoken to has indicated that having a 'canary' you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you've received something.

Lawyers clearly disagree with you.

Gag orders seem to do exactly what they're supposed to: They scare people into compliance. Are there actually any cases where someone was charged for breaking a gag order?

Of course they do. Jail-time & heavy fines are typical for court imposed gag orders. I don't know of any examples of NSL gag orders being broken, nor do I expect you'll find any volunteers that want to find out.

While we're at it, I'd like to show another method of safely disclosing gag orders.

Report the gag order stolen. Make a photo with a one-time camera and post it from an open wifi using Tails or another Linux live distribution. Shred the data, burn the order, dispose the camera.

This can even be scripted easily to happen automatically when you're in range of the wifi, so you're not seen with the device.

There are a lot of ways to safely disclose gag orders if you really want to, especially if you work in IT.

It's funny that you talk about "non-existent loopholes", but acknowledge that there haven't been any court cases regarding such behavior.

I don't think they ever want things like that to go to court, because proving that somebody gave away information implicitly can be very much impossible.

The "scare" part is all there is to gag orders, as far as implicitly disclosing information is concerned.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact