CloudFlare issues first transparency report, says feds aren’t monitoring its customers

CloudFlare, the rich and fast-growing provider of website performance and security services, published its first comprehensive “Transparency Report” to show how often law enforcement agencies request data about its clients. The report says the company has received hundreds of subpoenas and security letters, but that such requests have affected only 0.017 percent of its 2 million customers.
Transparency reports have become a common feature of the tech landscape, published by everyone from Google(s goog) to AT&T (s att), but the CloudFare report is significant because of its forceful tone and because its CEO, Matthew Prince, has been one of the most outspoken figures in the debate over NSA surveillance and the tech industry.
In September, Price decried the NSA’s gag order policies related to security requests as “insane.” He also warned that the agency’s controversial programs, disclosed in a series of leaks by former NSA contractor Edward Snowden, may harm U.S. cloud computer providers and said CloudFlare was receiving hundreds of questions a day from clients asking if the American government was poking around in their data.
Such comments likely explain a portion of the new transparency report, in which CloudFlare implicitly suggests that the NSA has not subjected the company to the type of forced, secret data collection that it imposed on Yahoo(s yhoo), phone carriers and others. Here are some comments (emphasis mine):

  • CloudFlare has never turned over our SSL keys or our customers’ SSL keys to anyone.
  • CloudFlare has never installed any law enforcement software or equipment anywhere on our network.
  • CloudFlare has never terminated a customer or taken down content due to political pressure.
  • CloudFlare has never provided any law enforcement organization a feed of our customers’ content transiting our network.

The report also breaks out the specific types of legal requests it receives  — search warrants, National Security Letters and so on — and notes that CloudFlare has pushed back on every subpoena (many of which don’t require a court order) that it has received.
Finally, CloudFlare’s transparency report and its overall response to the Snowden scandal are worth watching because the company is becoming a major player in the field of web security. In the last month, it helped bring attention to a new breed of DDoS attacks and also acquired anti-malware firm StopTheHacker.
The report issued on Thursday follows a partial one CloudFlare published in late January.