Photo by Dayne Topkin / Unsplash

Cloudflare’s mission is to help build a better internet, and privacy has to be at the heart of that effort. That’s why we submitted comments last week on the National Telecommunications and Information Administration (NTIA)’s request for comment on its proposed approach to advance consumer privacy.

We think it is important for Internet infrastructure companies like us to be a part of the conversation about the future of internet privacy. We want to advocate for an internet that remains accessible to all, while becoming more secure and protective of privacy.

In 2018, we’ve seen high profile data breaches and data misuse, Europe’s sweeping data protection law – the General Data Protection Regulation (GDPR) – come into effect, and California pass its own comprehensive Consumer Privacy Act (CCPA). All of this has captured the attention of Washington, D.C. lawmakers and regulators.

On September 25, 2018, NTIA began a process to solicit feedback from stakeholders on a proposed approach to consumer data privacy.  NTIA is the Executive Branch agency in the Department of Commerce that is principally responsible for advising the President on telecommunications and information policy issues. The Administration’s hope is that NTIA will produce an approach to privacy that could inform future federal privacy efforts.

At the same time, another Department of Commerce agency, the National Institute of Standards and Technology (NIST) has begun a parallel process. NIST is a physical science lab and non-regulatory agency whose mission is to promote innovation and industrial competitiveness. Its mandate is to advance standards and measurement science in service to economic security, and their voluntary cybersecurity framework is used by businesses to manage cybersecurity risk. Their aim with their own stakeholder process on consumer privacy is to develop an enterprise-level voluntary framework that businesses can use to mitigate privacy risks for consumers.

As we thought about how best to engage with NTIA and NIST on their efforts, we thought it was important to stress that, for us, privacy is about much more than what is required by regulation. Protecting privacy is essential to maintaining trust not only with our customers but with all Internet users. That is why we have worked for years to develop and expand access to privacy-enabling technologies. For example, our customers – those who pay for our services and those who use our services for free – benefit from free SSL certificates. We also support DNSSEC, and recently announced that we would be supporting automatic DNSSEC, enabling increased usage of DNSSEC and additional security on the net. This year we also launched a product called Spectrum, which allows us to provide security and encryption for all TCP traffic rather than just for HTTP traffic.

We also have created products that make web browsing more private. To enable our users to take control over who is viewing their personal browsing information, this year Cloudflare launched 1.1.1.1, a privacy-focused DNS resolver. We just released the mobile App version this week that will allow you to take advantage of this service on your phone. Cloudflare also introduced encrypted Server Name Identification (eSNI), which encrypts the URL of the website a user is accessing. Mozilla has recently added eSNI functionality for testing on Firefox Nightly.

Although Cloudflare has a longstanding commitment to privacy, the last few years have strengthened our view that it is not enough for individual companies to be focused on privacy.  Given the importance of the issue, the U.S. government needs to be involved as well. The EU, and several other countries such as Canada, Japan, China, and Brazil, have already weighed in with privacy laws of their own. We believe an effort to develop a U.S. privacy approach will bolster and strengthen the ability of technology companies to continue to operate globally, providing confidence that the United States shares the view that the privacy of personal data is worth protecting.

In our comments to NTIA, we asked the US government to use all of the tools at hand, including trade agreements, to ensure that data is able to flow freely across borders and that our rules are interoperable with other laws and regulations around the world. We went on the record supporting Federal legislation that serves the goals of advancing consumer privacy, protecting innovation, and enabling security research.

Any US effort on data privacy must also have the ability to evolve and flex over time. This can be achieved by using technology neutral language and leveraging industry advisory groups and technical experts for ongoing guidance.

We believe that companies should be motivated to use privacy by design and encouraged to deploy innovation in the area of privacy protection. Organizations should use appropriate measures to secure their data in meaningful and proportionate ways. Cloudflare fully supports the use of a risk-management framework to provide companies the flexibility to make decisions based on the context of their individual businesses. And we think there should be a statutory baseline, with flexibility to add features on top, based on the type of data an organization collects and how it uses it.

We think accountability is essential to raising the bar on consumer privacy protections. We told NTIA that if the U.S. Federal Trade Commission (FTC) is to hold companies accountable under its Section 5 authority, then the FTC will need significantly more resources before it can be expected to effectively enforce new privacy standards.

We also urged the US government to consider creating incentives to support privacy research. We agree that we need to incentivize technology development that increases privacy and security, and we also want to ensure that the government doesn’t hinder technology developments that improve privacy and security.

Encryption is key to privacy on the internet, and any government-mandated encryption back doors would be highly concerning as such backdoors undermine data protection. Moreover, in the wake of discussions around proposed content filtering initiatives in the EU, we would urge governments to consider potential resultant privacy weaknesses. Some incentives towards privacy research should be dedicated to analyzing the costs and benefits of government mandates that weaken security.

While we were at it, we also threw out a few new ideas. We asked if the Federal government could explore a sufficiency scheme, where companies under a certain size, or with a presence below a certain threshold in another country, could be free from the burden of answering complaints in that jurisdiction. The country could then file the complaint with the FTC and rely on the FTC to take appropriate action. To allow small and medium enterprises to answer complaints in front of a single body, regardless of the jurisdiction where a breach occurred, for example, would go a long way towards reducing the burden of compliance.

We also suggested that the U.S. government could play a positive role in risk management by taking steps to reduce the potential impact of exposure of information. Collection of personal data poses a more significant risk to consumers if that same personal data can be misused to assume someone’s identity or affect their access to goods and services. A leak of social security numbers, for example, is problematic because social security numbers have become the way in which to access sensitive documents, like financial, health and education records. Rethinking this model, and potentially developing new ways of addressing digital identity, could go along way to reducing privacy risk for consumers.

Cloudflare appreciates the U.S. government’s efforts to modernize U.S. privacy policy, and we look forward to continuing to collaborate with NTIA, NIST, the U.S. International Trade Administration, Congress and others as they work towards meaningful consumer privacy protections.

Photo by Sarah Ferrante Goodrich / Unsplash

This October is the 15th annual National Cybersecurity Awareness Month in the United States, a collaboration between the US government and industry to raise awareness about the part we can all play in staying more secure online. Here at Cloudflare, where our mission is to help build a better internet, we look forward to this month all year.

As part of this month-long education campaign, Cloudflare is participating in D.C CyberWeek this week, the largest cybersecurity festival in the U.S, taking place in Washington, DC. This year’s event is expected to have over 10,000 attendees, more than 100 events, and feature representatives from over 180 agencies, private companies, and service providers. We will join with other leaders in cybersecurity, to share best practices, find ways to collaborate, and work to achieve common goals.

Along with the United States, the European Union also runs a month-long cyber awareness campaign in October, with the initiative having started back in 2012. The aim of this advocacy campaign is similar: promoting cybersecurity among citizens and organizations, and providing information on available tools and resources. Watch our CTO speak to some main considerations around good cyber hygiene, business practices and appropriate policy-making in the field of cybersecurity as part of EU #CyberSecMonth.

As well as our own company efforts, we have joined with 60 other global companies to sign on to the Cybersecurity Tech Accord. The Tech Accord is a public commitment to protect and empower civilians to take action to secure the internet. The accord itself covers four simple commitments:

• That we will protect all of our users everywhere

• That we will oppose cyberattacks on innocent citizens and enterprises from anywhere

• That we will help empower users, customers, and developers to strengthen cybersecurity protection

• That we will partner with each other and with like-minded groups to enhance cybersecurity

But more than that, it is about creating a forum where companies large and small can come together to share best practices, debate threats, and hold each other accountable for our efforts in this arena. It is also a place where we can share ideas for ways in which the government can help shape good cybersecurity hygiene through appropriate laws and policies. Signing on was an easy decision for us; these are commitments we have long supported in practice.

Beyond our collaboration with the cybersecurity community, Cloudflare runs two other initiatives, designed to make the internet a more secure place for vulnerable groups who might lack financial or technical resources.

At Cloudflare, we believe that limited resources shouldn’t preclude vulnerable groups from receiving the support they need. As part of our commitment to the overall health of the internet, we started Project Galileo in 2014 to ensure that at-risk public interest groups are able to stay online securely. We started it in response to cyber attacks launched with the intent of silencing important and vulnerable groups, like humanitarian organizations, political dissidents, and artistic groups. We partner with well-respected free speech, public interest, and civil society organizations to help us identify at-risk websites in need of our pro bono efforts. Once our partners have identified these groups, we extend our DDoS and WAF protection to ensure these websites stay online. The hundreds of websites we protect through Project Galileo includes sites for a national organization providing crisis intervention and suicide prevention services to lesbian, gay, bisexual, transgender and questioning (LGBTQ) young people, an editorial cartoonist, to an organization designed to help veterans with PTSD.

The Athenian Project was born out of a recognition that state and local governments had similar challenges as our Project Galileo participants. In an era of increasing distrust on the internet, it is essential that state and locally run election websites are safe, accurate, and online. So we extended our Enterprise-level services to those sites for free. We believe it’s imperative that voter data and election integrity is maintained, and that we can and should help prevent attackers from stealing sensitive voter information that may allow them to sway an election. Election sites should stay online during peak times, like voter registration deadlines, and election days. We have seen huge surges of traffic in those key days, and our AnyCast network has allowed these sites to stay up.

We believe CyberWeek is an important time for private companies to spend some time thinking about the broader world. This is just the tip of the iceberg, as we continue to think about new and innovative ways we can be good members of this community. We hope that you will join us in our efforts to help make the internet more secure.