Content delivery network CloudFlare's court order count soars

50 legal letters land in six months as spooks seek insights into traffic


Content delivery network CloudFlare says it has received 50 court orders in the first half of this year, more than double that clocked in the whole of 2014.

The statistics, which do not include search warrants, were revealed in the web defender's latest transparency report show it received 22 court orders in the first half of last year and 22 in the second.

Of those received this year only a small number accounts for the record 2120 affected domains and the 96 linked accounts.

This was the same for 2014 where 802 domains and 167 accounts were affected by the court orders.

CloudFlare and its acquired company stopthehacker.com were served only 28 orders for all of 2013, and was hit with three search warrants, one trap and trace order, and a single mutual legal assistance treaty request in the first half of this year.

It received less than 250 US National Security Letters, a metric which the touchy spy apparatus has mandated is as transparent as organisations are allowed to report.

"CloudFlare's approach to law enforcement requests is that we are supportive of their work; however, any request we receive must strictly adhere to the due process of law and be subject to judicial oversight," the company says in the report.

"It is not CloudFlare's intent to make law enforcement's job harder, nor easier. We respect the work they do and appreciate their assistance in protecting the rights of our customers.

"It is our policy to notify our customers of a subpoena or other legal process requesting their customer or billing information before disclosure of information."

The company says it has never:

  • Turned over our SSL keys or our customers SSL keys to anyone;
  • Installed any law enforcement software or equipment anywhere on our network;
  • Terminated a customer or taken down content due to political pressure,
  • Provided any law enforcement organization a feed of our customers' content transiting our network.

®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • California state's gun control websites expose personal data
    And some of it may have been leaked on social media

    A California state website exposed the personal details of anyone who applied for concealed-carry weapons (CCW) permits between 2011 and 2021.

    According to the California Department of Justice, the blunder happened earlier this week when the US state's Firearms Dashboard Portal was overhauled.

    In addition to that portal, data was exposed on several other online dashboards provided the state, including: Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards. 

    Continue reading
  • Firefox kills another tracking cookie workaround
    URL query parameters won't work in version 102 of Mozilla's browser

    Firefox has been fighting the war on browser cookies for years, but its latest privacy feature goes well beyond mere cookie tracking to stop URL query parameters.

    HTML query parameters are the jumbled characters that appear after question marks in web addresses, like website.com/homepage?fs34sa3aso12knm. Sites such as Facebook and HubSpot use them to track users when links are clicked, and other websites like YouTube use them to enable certain site features too.

    On June 28, Firefox 102 released a feature that enables the browser to "mitigate query parameter tracking when navigating sites in ETP strict mode." ETP, or enhanced tracking protection, encompasses a variety of Firefox components that block social media trackers, cross-site tracking cookies, fingerprinting and cryptominers "without breaking site functionality," says Mozilla's ETP support page.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Cloudflare menaces virtual desktops with isolated browser access to internal networks
    Gives cloudy email a kicking, too – but VDI should be safe in its bastions

    Cloudflare has added the ability to access private networks to its browser isolation service, and suggests the combo represents an alternative to virtual desktop infrastructure.

    Browser isolation requires organizations to have a Cloudflare Zero Trust account, and to install a client on users' devices. Cloudflare runs a browser in its cloud and users browse as usual – but Cloudflare intervenes so that users don't make it to whichever web server they intend to visit.

    Cloudflare browses to the server and then redraws the web page on the client browser. The user's device therefore never touches the web server, so anything nasty on a page is snuffed out by Cloudflare in its cloud instead of poisoning a local PC.

    Continue reading
  • The App Gap and supply chains: Purism CEO on what's ahead for the Librem 5 USA
    Freedoms eroded, iOS-Android duopoly under fire, chip sources questioned – it's all an opportunity for this phone

    Interview In June, Purism began shipping a privacy-focused smartphone called Librem 5 USA that runs on a version of Linux called PureOS rather than Android or iOS. As the name suggests, it's made in America – all the electronics are assembled in its Carlsbad, California facility, using as many US-fabricated parts as possible.

    While past privacy-focused phones, such as Silent Circle's Android-based Blackphone failed to win much market share, the political situation is different now than it was seven years ago.

    Supply-chain provenance has become more important in recent years, thanks to concerns about the national security implications of foreign-made tech gear. The Librem 5 USA comes at a cost, starting at $1,999, though there are now US government agencies willing to pay that price for homegrown hardware they can trust – and evidently tech enthusiasts, too.

    Continue reading

Biting the hand that feeds IT © 1998–2022