Cloudflare's Experience with a National Security Letter

Interesting post on Cloudflare's experience with receiving a National Security Letter.

News article.

Posted on January 16, 2017 at 6:40 AM • 31 Comments

Comments

Winslow Peck • January 16, 2017 7:43 AM

In the post-Snowden era companies are terrified that the truth about their secret collusion with spies will impact sales. And so they've embarked on an immense public relations campaign, the aim of which is to create the impression of an adversarial relationship akin to the kayfabe of professional wrestling. Replete with lawsuits, public statements by CEOs, heroic media tales like this highlighted by security celebrities, and other gestures of resistance.

But rest assured that the secret collusion continues. Simply buried deeper, under a mountain of public relations, so that companies can continue to sell us things.

Clive Robinson • January 16, 2017 9:57 AM

If people look at Cloudflare's map of data centers, it becomes clear that by far the majority are outside of the US. Thus it's probably safe to assume that a likewise percentage of its income is from outside of the US. I should imagine that similar is true for other companies in approximately the same business.

Cloudflare's position appears to currently be "Fight not Flight", but you have to wonder how much longer that is going to continue for US corporates. Fighting such things as NSLs is a "one hand tied behind your back" game, because of the way US legislation is currently.

No matter how much money a corporate has to fight this, the USG is always going to have more. Even if the corporate wins it does not get its earned money back. The USG however just taps the US Tax payer for more cash via threat of their guard labour.

It does not take much of an imagination to realise that Cloudflare has to fight whilst still being a US company or risk losing its customers to non US based corporates. Thus in effect they are cornered as long as they remain in a US jurisdiction and thus effectively always in a financially losing position.

Which gives rise to the thought of Cloudflare's position of "fight not flight" turning to "flight" via initial corporate restructuring then moving corporate structure and legal status out of the US.

I would say that it would be wise for all startups in the US --and similar nations-- that have global ambition to actually structure for flight or in such a way that the likes of NSLs and similar from other jurisdictions have little or no effect on their customers outside of such jurisdictions.

As my father used to tell me "The best place to be when there is trouble is somewhere else" and "To keep a weather eye for signs of trouble with your decks free and clear, such that steering for calmer waters can be quick and efficient". I don't know about others but to me it still looks like prudent advice.

Other advice would appear to be "A man who does not make a practice of receiving gifts does not become beholden to others". It is not unknown for the USG to act like a drug pusher with contracts to telcos, so it would be very unwise for a global organisation to allow themselves to get hooked and thus dependent on the USG or similar.

I guess the real question is "When will global corporates start to wise up and shift out from under the thumb of the USG and similar, and what will such Governments do to get their power back over them". A look at the UK "Snoopers charter" and its similar legislation gives a clear indication that the UK Gov has no respect for geopolitical borders and believes it can do as it pleases any time, any place to any person's property without exception or compensation. Other Five Eyes are busy enacting similar legislation. I can see the likes of "Tax Havens" extending to become "Data Havens" to attract global corporates and in the process break the current "All roads lead to Rome" US / Five Eye centric structure of both the Internet and its underlying physical layer...

Terrence D. • January 16, 2017 10:31 AM

Someone explain to me how the EFF is preparing for war with the Trump administration over privacy. The most liberal sources of all claim the Obama Administration was/is the worst. See:

https://www.washingtonpost.com/blogs/erik-wemple/wp/2014/10/27/usa-todays-susan-page-obama-administration-most-dangerous-to-media-in-history/?utm_term=.decc2958251f

Dozens more examples go back 8 years to portray the Obama Administration worse than Nixon. What am I to think?

My question is a response to comments on this blog, as well as Bruce Schneier's statements that the Trump Administration is to be feared. And NOT as though we're going from bad to worse, but as if we're going from OK to bad. It makes absolutely no sense. I don't know what to expect from the Trump Administration and neither do you.

Also, I read (CBS) Sharyl Atkisson's "Stonewalled" about the Obama Administration. And now I don't believe anyone, and everything the EFF says is suspicious. I don't know where in the World they are coming from.

My only theory at this point is, that no matter how oppressive and controlling an authority is, if they act cool and intelligent and seem to appreciate technology then they're OK (you're duped) no matter what they actually do. I guess you think it must be the "other guy" that's pushing all the buttons. But if they're not cool then somehow you're suddenly wise and need to warn everyone. Maybe if they wear a light colored suit or is it their hair?

Dirk Praet • January 16, 2017 10:39 AM

@ Clive

I can see the likes of "Tax Havens" extending to become "Data Havens" to attract global corporates and in the process break the current "All roads lead to Rome" US / Five Eye centric structure of both the Internet and its underlying physical layer...

They will just move from subpoenas to legally cleared CNE. IIRC, Microsoft eventually won its 2nd Circuit appeal in the Ireland data center case and is now setting up data centres in Frankfurt and Magdeburg falling under German data protection regimes. Shortly after that, the FBI's powers to break into any computer either at home or abroad were drastically expanded, and I guess the NSA under EO12333 and others can still do pretty much anything they want outside of the US. The wicked witch of the west, like you say, made sure GCHQ & co. can do the same out of the UK.

But the Balkanisation of the internet is well on its way indeed. I think Germany recently passed some piece of legislation to keep German data in Germany, and the Russian Duma did the same already somewhere in 2015.

Rhys • January 16, 2017 10:53 AM

There is an increasing separation between Information Security and Information Assurance. But why?

There is a similarity to the split of information security and information privacy.

Without some standardization of language terms, which I am not sure vested interests have great antipathy for, and an open, reasoned discussion- I suspect your dour forecast will be only part of sadness we may be asked to give witness to.

Integrity vs. security. Values vs. Ethics.

We live in times where Pareto optimal (or conflict games) are the primary mode of modern business. And for those who want to exempt themselves to a life of privilege and entitlement by evading the punishment-of-opponent principles, collusion and masquerade are traditional tools.

Nuanced in technology or security doesn't change its purpose.

The Danegeld of this millennium might be more subtle than that of 991 BCE but, we (collectively) seem to have forgotten the lesson.

Kool Aid Man • January 16, 2017 11:02 AM

The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the U.S. Code and read from the statutory language to make her point.

So the question then becomes as to whether or not the staffer has the courage to out herself and if she is still employed by the federal government the courage to resign. Knowing what I know about Congressional staffers I doubt that she has the guts to do either. Too many perks, too much bling.

Steve • January 16, 2017 11:36 AM

@Kool Aid Man: "Too many perks, too much bling."

Or too many mortgages, too many kids to put through school.

Comments often say more about the commenter than they do about the subject.

Yes, this one included.

Rhys • January 16, 2017 12:33 PM

There is an increasing separation between Information Security and Information Assurance. But why?

There is a similarity to the split of information security and information privacy.

Without some standardization of language terms, which I am not sure vested interests have great antipathy for, and an open, reasoned discussion- I suspect your dour forecast will be only part of sadness we may be asked to give witness to.

Integrity vs. security. Values vs. Ethics.

We live in times where Pareto optimal (or conflict games) are the primary mode of modern business. And for those who want to exempt themselves to a life of privilege and entitlement by evading the punishment-of-opponent principles, collusion and masquerade are traditional tools.

Nuanced in technology or security doesn't change its purpose.

The Danegeld of this millennium might be more subtle than that of 991 ACE but, we (collectively) seem to have forgotten the lesson.

Ted • January 16, 2017 12:57 PM

EFF has a good FAQ and Timeline for understanding National Security Letters.

The Department of Justice Office of Inspector General (DOJ-OIG) provides related documents on the matter as well:

"A Review of the Federal Bureau of Investigation's Use of National Security Letters," DoJ Office of Inspector General, March 2007 (as released in February 2016)
"'Access to Justice?: Does DOJ's Office of the Inspector General Have Access to Information Needed to Conduct Proper Oversight?,' Statement of Michael Horowitz, DOJ Inspector General," September 9, 2014 (House Judiciary Committee Hearing)

From the paper “Protecting Rights from Within? Inspectors General and National Security Oversight,” Stanford Law Review, 2013:

"Abstract: I argue that Inspectors General (IGs), little-noticed oversight institutions within federal agencies, are now playing a significant role in monitoring national security practices curtailing individual rights… At their strongest, IG reviews provided remarkable transparency on national security practices, identified violations of the law that had escaped judicial review, and even challenged government conduct where existing law was ambiguous or undeveloped...”

albert • January 16, 2017 3:11 PM

@hawk,
If your business deals with political organizations, then you must -be- a political organization. That doesn't have to be a bad thing. If the EFF can do good work in 1st Amendment issues (they do), then more power to them. Success in the government security areas may be thwarted, but that doesn't mean it's a bad organization.

-----------

In honor of MLK:

http://www.counterpunch.org/2017/01/16/who-killed-mlk-jr/

. .. . .. --- ....

Jesse Thompson • January 16, 2017 3:37 PM

@Clive Robinson

"To keep a weather eye for signs of trouble with your decks free and clear, such that steering for calmer waters can be quick and efficient"

I don't understand fishing metaphors, Dad! *throws self dramatically onto bed*

Someone • January 16, 2017 3:48 PM

@Dirk Praet
The same happened a couple of years ago with Satcom systems.
First the USG forced Inmarsat to reclock the F4 constellation such that two of the three F4s can be landed in Hawaii, the third most likely Italy.
Then Russia made it mandatory for all users on/above Russian territory to be registered with the Russian gov's provider MVS, else after a couple of days no more service. Same with China: all Chinese traffic (also Chinese registered vessels, A/C) has to land through a GES in China. Not sure if India also went that route yet or is still dreaming...

Clive Robinson • January 16, 2017 4:33 PM

@ Jesse Thompson,

I don't understand fishing metaphors, Dad!

Tsk tsk, yews kids a knows nuffin these days, that thair t'aint nar fishing met'afer that be a sailing met'afer* ;-)

* and wanders off stage left on crutches with a parity error on my shoulder going "Pieces of seven, pieces of seven".

Clive Robinson • January 16, 2017 4:48 PM

@ hawk,

If politicians get political in your domain, then you have three choices,

1, Get out of the kitchen.
2, Get real mean on their asses.
3, Get real political via the courts.

The first is an abdication of responsibility, the second probably illegal, which leaves the third.

I guess the EFF are "going the third way".

@ Albert,

Yes it's MLK Day, sadly though the kids of today just seem to live in the moment. So they neither remember, nor have a dream...

Dirk Praet • January 17, 2017 4:26 AM

@ Clive

... and wanders off stage left on crutches with a parity error on my shoulder going "Pieces of seven, pieces of seven".

Parroty error, eh 8-) There is exactly no reason why @Bruce would be the only one on this forum to get to do cameos. So if anyone from the Pirates of the Caribbean crew would be so kind as to extend a formal invitation ...

CarpetCat • January 17, 2017 9:56 AM

@ Clive,

Civil disobedience would be my direct route. Just reveal every NSL every time, immediately. In effect, call the USG's bluff: are they really gonna shut down Apple, or Google, or Cloudflare? Oh sure, they could really hurt their profits, but oh, that's the rub now isn't it? Pieces of eight for sure, sad.

Dirk Praet • January 17, 2017 10:48 AM

@ CarpetCat

... are they really gonna shut down Apple, or Google, or Cloudflare?

They don't have to. Locking up some figureheads in a small cell with two characters named Bubba and Jamal generally will change their minds. Even the threat will suffice. Case in point: former QWEST CEO Joseph Nacchio.

Clive Robinson • January 17, 2017 10:51 AM

@ Dirk Praet,

So if anyone from the Pirates of the Caribbean crew would be so kind as to extend a formal invitation ...

I've actually met some of them and Johnny Depp in passing in Greenwich, South East London, back in 2010 when my son was in primary school. They were using the Royal Maritime Museum and the old Naval College to do film scenes for the movie.

The reason I mention this is Johnny Depp made a whole bunch of kids' day by turning up at their school (Meridian Primary) and did the full Jack Sparrow piece for them with a mutiny against the teachers ;) A lot of fun was had by all.

Clive Robinson • January 17, 2017 11:04 AM

@ Dirk Praet, CarpetCat,

Even the threat will suffice. Case in point: former QWEST CEO Joseph Nacchio.

Yup, if I was a CEO in a global comms company, I would definitely be looking to put some water between me and any of the Five Eye nations and the eight to ten hangers on like Germany, Israel, Sweden etc, even Switzerland is not looking good. Hence the notion of restructuring into "Data Havens" in existing Tax Havens where the company privacy laws and in some cases extradition laws work less in the favour of the authoritarian following guard labour of such as the UK, US, et al and more in favour of the company and its officers.

Apple for instance has done such restructuring for "tax efficiency" and I would not be surprised to see them move onto the next stage, as it's possible they are on a hit list in the incoming administration (4 days and counting).

AJWM • January 17, 2017 11:41 AM

their school (Meridian Primary)

That is an awesome name. But what else would you call a primary school in Greenwich? :)

Dirk Praet • January 17, 2017 12:29 PM

@ Clive

I've actually met some of them and Johnny Depp in passing in Greenwich South East London

I can easily imagine how that went:

Depp: "Clive, dude! OMG !!!!! Can I take a selfie with you?"
Clive: "Sorry, mate, no offense, but have we met? And, no. Pencil and paper only."

Clive Robinson • January 17, 2017 2:36 PM

@ AJWM,

That is an awesome name. But what else would you call a primary school in Greenwich? :)

Do you want the list? It's mostly dull, including the usual "saints' names"...

@ Dirk Praet,

I can easily imagine how that went

Ouch... As my son used to say "snot fair".

vas pup • January 17, 2017 2:39 PM

@Steve • January 16, 2017 11:36 AM.
You are right. For same reason: "It is difficult to get a man to understand something, when his salary {perks -vp} depends upon his not understanding it" (Upton Sinclair). Sometimes folks you are working for consider issues affecting the whole population through the same prism of personal (monetary or other) benefits. MICE as a tool of manipulation of human behavior has universal application with minor variations for particular activity.

AJWM • January 18, 2017 10:35 AM

@Clive Robinson
Do you want the list? It's mostly dull, including the usual "saints' names"...

No, and I'm sure it is. It's just that Meridian Primary on the Prime Meridian is a great pun.

Me, I went to a school boringly named Caldecott Rd. Primary School (in Camberwell), if I remember right (which I may not, that was a long time ago.)

TJ • January 18, 2017 5:21 PM

@Dirk Praet: Most Fortune 500s and big international investors do infrastructure and policy/legislature moves like that even in deep parts of Russia and Iran as UN-nation based at least at four-month intervals and it doesn't even make an obscure headline on the most paranoid-analytical of underground news mediums..

My Info • January 21, 2017 9:29 PM

By what authority, exactly, is a so-called "National Security Letter" issued? Let's cite some U.S. Code, and some reasoning why someone of some vague purported government authority thinks this is in accordance with the U.S. Constitution.

Did the letter come in the United States mail? How, then, is it any different from any other scam or mail fraud or some sweepstakes or chain letter or the like? Or was it "served" by the local sheriff's office?

NSLs do not require prior approval from a judge.…

If you need a Wikipedia article, Barratry (common law). Or take it up with your local postmaster or postal inspector.

Return to sender.

We're getting deep into the red-light district of national security, where TSA officials feel up our private parts before we are allowed to fly with made-up attendants in tightly fitting skirts, minimum shoe heel height, long acrylic nails, and bangle bracelets as they motion flight emergency instructions with their hands. Until we learn to stand up for our rights, we just keep falling deeper into this hole we are digging ourselves.

Excuse me, my motion discomfort bag is full. Could you please put it in the recycle bin and get me a new one?

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.