Why We Weighed In on US Privacy Efforts
Cloudflare’s mission is to help build a better internet, and privacy has to be at the heart of that effort. That’s why we submitted comments last week on the National Telecommunications and Information Administration (NTIA)’s request for comment on its proposed approach to advance consumer privacy.
We think it is important for Internet infrastructure companies like us to be a part of the conversation about the future of internet privacy. We want to advocate for an internet that remains accessible to all, while becoming more secure and protective of privacy.
What is NTIA and what is it trying to do?
In 2018, we’ve seen high profile data breaches and data misuse, Europe’s sweeping data protection law – the General Data Protection Regulation (GDPR) – come into effect, and California pass its own comprehensive Consumer Privacy Act (CCPA). All of this has captured the attention of Washington, D.C. lawmakers and regulators.
On September 25, 2018, NTIA began a process to solicit feedback from stakeholders on a proposed approach to consumer data privacy. NTIA is the Executive Branch agency in the Department of Commerce that is principally responsible for advising the President on telecommunications and information policy issues. The Administration’s hope is that NTIA will produce an approach to privacy that could inform future federal privacy efforts.
At the same time, another Department of Commerce agency, the National Institute of Standards and Technology (NIST) has begun a parallel process. NIST is a physical science lab and non-regulatory agency whose mission is to promote innovation and industrial competitiveness. Its mandate is to advance standards and measurement science in service to economic security, and their voluntary cybersecurity framework is used by businesses to manage cybersecurity risk. Their aim with their own stakeholder process on consumer privacy is to develop an enterprise-level voluntary framework that businesses can use to mitigate privacy risks for consumers.
What we do to improve privacy in our community
As we thought about how best to engage with NTIA and NIST on their efforts, we thought it was important to stress that, for us, privacy is about much more than what is required by regulation. Protecting privacy is essential to maintaining trust not only with our customers but with all Internet users. That is why we have worked for years to develop and expand access to privacy-enabling technologies. For example, our customers – those who pay for our services and those who use our services for free – benefit from free SSL certificates. We also support DNSSEC, and recently announced that we would be supporting automatic DNSSEC, enabling increased usage of DNSSEC and additional security on the net. This year we also launched a product called Spectrum, which allows us to provide security and encryption for all TCP traffic rather than just for HTTP traffic.
We also have created products that make web browsing more private. To enable our users to take control over who is viewing their personal browsing information, this year Cloudflare launched 126.96.36.199, a privacy-focused DNS resolver. We just released the mobile App version this week that will allow you to take advantage of this service on your phone. Cloudflare also introduced encrypted Server Name Identification (eSNI), which encrypts the URL of the website a user is accessing. Mozilla has recently added eSNI functionality for testing on Firefox Nightly.
Towards a U.S framework for privacy protection
Although Cloudflare has a longstanding commitment to privacy, the last few years have strengthened our view that it is not enough for individual companies to be focused on privacy. Given the importance of the issue, the U.S. government needs to be involved as well. The EU, and several other countries such as Canada, Japan, China, and Brazil, have already weighed in with privacy laws of their own. We believe an effort to develop a U.S. privacy approach will bolster and strengthen the ability of technology companies to continue to operate globally, providing confidence that the United States shares the view that the privacy of personal data is worth protecting.
In our comments to NTIA, we asked the US government to use all of the tools at hand, including trade agreements, to ensure that data is able to flow freely across borders and that our rules are interoperable with other laws and regulations around the world. We went on the record supporting Federal legislation that serves the goals of advancing consumer privacy, protecting innovation, and enabling security research.
Any US effort on data privacy must also have the ability to evolve and flex over time. This can be achieved by using technology neutral language and leveraging industry advisory groups and technical experts for ongoing guidance.
We believe that companies should be motivated to use privacy by design and encouraged to deploy innovation in the area of privacy protection. Organizations should use appropriate measures to secure their data in meaningful and proportionate ways. Cloudflare fully supports the use of a risk-management framework to provide companies the flexibility to make decisions based on the context of their individual businesses. And we think there should be a statutory baseline, with flexibility to add features on top, based on the type of data an organization collects and how it uses it.
We think accountability is essential to raising the bar on consumer privacy protections. We told NTIA that if the U.S. Federal Trade Commission (FTC) is to hold companies accountable under its Section 5 authority, then the FTC will need significantly more resources before it can be expected to effectively enforce new privacy standards.
We also urged the US government to consider creating incentives to support privacy research. We agree that we need to incentivize technology development that increases privacy and security, and we also want to ensure that the government doesn’t hinder technology developments that improve privacy and security.
Encryption is key to privacy on the internet, and any government-mandated encryption back doors would be highly concerning as such backdoors undermine data protection. Moreover, in the wake of discussions around proposed content filtering initiatives in the EU, we would urge governments to consider potential resultant privacy weaknesses. Some incentives towards privacy research should be dedicated to analyzing the costs and benefits of government mandates that weaken security.
While we were at it, we also threw out a few new ideas. We asked if the Federal government could explore a sufficiency scheme, where companies under a certain size, or with a presence below a certain threshold in another country, could be free from the burden of answering complaints in that jurisdiction. The country could then file the complaint with the FTC and rely on the FTC to take appropriate action. To allow small and medium enterprises to answer complaints in front of a single body, regardless of the jurisdiction where a breach occurred, for example, would go a long way towards reducing the burden of compliance.
We also suggested that the U.S. government could play a positive role in risk management by taking steps to reduce the potential impact of exposure of information. Collection of personal data poses a more significant risk to consumers if that same personal data can be misused to assume someone’s identity or affect their access to goods and services. A leak of social security numbers, for example, is problematic because social security numbers have become the way in which to access sensitive documents, like financial, health and education records. Rethinking this model, and potentially developing new ways of addressing digital identity, could go along way to reducing privacy risk for consumers.