Just two days ago, Cloudflare, a U.S. based company that provides content delivery network services, DDoS (Denial of Service) mitigation, Internet security, etc, took a strong step towards transparency by releasing its transparency report for the second half of 2018. The company has been publishing biannual Transparency Reports since 2013.
A post by Cloudflare reads, “We believe an essential part of earning the trust of our customers is being transparent about our features and services, what we do – and do not do – with our users’ data, and generally how we conduct ourselves in our engagement with third parties such as law enforcement authorities.”
The company believes in allowing companies to silently warn customers when the government secretly tries to acquire customer data.
The “warrant canaries” is named after the canary bird. Back then, coal miners used to take canaries to the mines. And if the canary bird died, they would get a signal (of bad happening).
It has been referred to as a key transparency tool that can be used by privacy-focused companies for keeping their customers aware of the whereabouts with regards to data.
Cloudflare’s current canaries
Cloudflare has set forth certain ‘warrant canaries’ statements of things that they claim have never done as a company. According to Cloudflare, the company has never leaked their SSL keys or customers’ SSL keys to anyone. The company claims to never have installed any law enforcement software or equipment anywhere on their network. The report by the company also states that they have never terminated a customer or taken down content due to political pressure. The company further states that it has never provided customers’ content to any law enforcement organization.
Cloudflare’s updated warrant canaries
The company has never modified customer content at the request of law enforcement or another third party. Cloudflare has never modified the destination of DNS responses at the request of the third party or law enforcement. It has never compromised, weakened, or subverted any of its encryption at the request of law enforcement or another third party.
Cloudflare has expanded its first canary and has confirmed that the company has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.
Cloudflare said that if it were ever asked to do any of the above, the company would “exhaust all legal remedies” to protect customer data, and remove the statements from its site.
Big companies like Apple also have worked in this direction. Apple had included a statement in its most recent transparency reports stating that the company has to date “not received any orders for bulk data.” Reddit had also removed its warrant canary in 2015, which indicated that it had received a national security order it wasn’t permitted to disclose.
Currently, Cloudflare has just responded to seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. It has also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains.
To know more about this news, check out Cloudflare’s official post.