
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Wed, 08 Apr 2026 01:53:40 GMT</lastBuildDate>
        <item>
            <title><![CDATA[The White House AI Action Plan:  a new chapter in U.S. AI policy]]></title>
            <link>https://blog.cloudflare.com/the-white-house-ai-action-plan-a-new-chapter-in-u-s-ai-policy/</link>
            <pubDate>Fri, 25 Jul 2025 01:52:00 GMT</pubDate>
            <description><![CDATA[ The White House AI Action Plan is a pivotal policy document outlining the current administration's priorities and deliverables in AI to establish American AI as the gold standard for AI worldwide. ]]></description>
            <content:encoded><![CDATA[ <p>On July 23, 2025, the White House <a href="https://www.ai.gov/action-plan"><u>unveiled its AI Action Plan</u></a> (Plan), a significant policy document outlining the current administration's priorities and deliverables in Artificial Intelligence. The Plan emerged after the White House received over <a href="https://www.whitehouse.gov/articles/2025/04/american-public-submits-over-10000-comments-on-white-houses-ai-action-plan/"><u>10,000 public comments in response to a February 2025 Request for Information (RFI)</u></a>. Cloudflare’s <a href="https://files.nitrd.gov/90-fr-9088/Cloudflare-AI-RFI-2025.pdf"><u>comments</u></a> urged the White House to foster conditions for U.S. leadership in AI and support open-source AI, among other recommendations. </p><p>There is a lot packed into the three-pillar, 28-page Plan. </p><ul><li><p>Pillar I: Accelerate AI Innovation. Focuses on removing regulations, enabling AI adoption and development, and ensuring the availability of open-source and open-weight AI models.</p></li><li><p>Pillar II: Build American AI Infrastructure. Prioritizes the construction of high-security data centers, bolstering critical infrastructure cybersecurity, and promoting Secure-by-Design AI technologies. </p></li><li><p>Pillar III: Lead in International AI Diplomacy and Security. Centers on providing America’s allies and partners with access to AI, as well as strengthening AI compute export control enforcement. </p></li></ul><p>Each of these pillars outlines policy recommendations for various federal agencies to advance the Plan’s overarching goals. There’s much that the Plan gets right. Below we cover a few parts of the Plan that we think are particularly important. </p>
    <div>
      <h3><b>Encouraging U.S. technology leadership</b></h3>
    </div>
    <p>The Plan takes the position that the U.S. is in a global race to achieve AI dominance, and that it is a national priority for U.S. technology companies to be the gold standard for AI globally. Through the Plan, President Trump commits his Administration to support American workers, technology, and energy to achieve that objective. </p><p>We share the view that governments have a helpful role to play in shaping rules and regulations that will enable private-sector innovation to flourish. For Cloudflare’s network to continue to operate globally, we need the U.S. government to shape and influence the right regulatory conditions. Those conditions should balance national and economic security concerns, promote consensus industry-led international standards, and support interoperable regulatory regimes. </p><p>Far too often in recent years, we’ve observed policy developments that have unnecessarily increased restrictions on U.S. technology providers and have made it challenging to operate. Protectionist mandates, including data sovereignty requirements, customer data retention policies, and various supervisory and government access requirements, do little to improve security or innovation and have unintended consequences. Protectionism increases costs for businesses, limits access to world-class technologies, and increases cybersecurity risk. </p><p>Implementing policies that guarantee access to global, distributed edge-compute networks and the freedom to choose the best technology for users' needs will help ensure the right conditions to enable AI to flourish. </p>
    <div>
      <h3><b>The AI ecosystem needed to spur innovation and development</b></h3>
    </div>
    <p>The Plan endorses open-source and open-weight AI models to spur innovation and to benefit commercial and government adoption. The Plan recommends ensuring access to computing resources to increase capability in the start-up and academic worlds. </p><p>Cloudflare shares the view that open-source AI models play a crucial role in driving innovation. As recognized in the Plan, these models offer companies flexibility, freeing them from dependence on closed providers and enabling the use of AI with sensitive data where exporting to closed models might not be possible. That’s why Cloudflare includes access to more than fifty open-source models as part of our <a href="https://developers.cloudflare.com/workers-ai/"><u>Workers AI model catalog</u></a>. </p><p>However, access to open-source models alone is not enough to harness AI’s potential. A complete ecosystem is needed to build and deploy the AI applications and tools that will usher in the new age imagined by the Plan. Cloudflare’s global network, with our GPU-powered inference, can play an essential role. Having a distributed network like ours, which allows AI inference at the edge, is critical for fast, efficient AI development and for building the next generation of AI applications.</p><p>Open ecosystems are deeply embedded in Cloudflare's DNA. Our developer platform democratizes access, providing powerful tools for anyone to build and deploy applications. We offer global network infrastructure that removes complexities and reduces barriers. This lets AI developers innovate freely, using many different AI models, without relying on gatekeepers. Our commitment to making these tools easy to use mirrors the Plan’s call to foster innovation and support U.S. AI leadership by enabling developers to use open-source AI models to build, deploy, and scale new AI applications globally. </p>
    <div>
      <h3><b>Enhancing cybersecurity with AI</b></h3>
    </div>
    <p>The Plan stresses <a href="https://www.cloudflare.com/learning/ai/what-is-ai-security/">the importance of cybersecurity for AI</a> in several ways. There are two we want to highlight. </p><p>First, it endorses the use of AI technologies for the <a href="https://www.cloudflare.com/the-net/government/critical-infrastructure/">cybersecurity of critical infrastructure</a>. AI-assisted cyber-defense tools are force multipliers for network defenders, and will be absolutely necessary for all organizations — but particularly critical infrastructure — to protect against cyber threats. </p><p>Cloudflare’s network uses predictive AI and machine learning to block 247 billion cyberattacks daily. Under the theory of <a href="https://blog.cloudflare.com/defensive-ai/"><u>Defensive AI</u></a>, Cloudflare uses information to constantly improve the effectiveness of our security solutions. With <a href="https://blog.cloudflare.com/ai-labyrinth/"><u>AI Labyrinth</u></a>, we’ve even created a new tool that uses AI to trap AI. It is a new, next-generation honeypot and cybersecurity defensive tool that leverages AI to confuse crawlers and bots that ignore "no crawl" directives. Instead of <a href="https://www.cloudflare.com/learning/ai/how-to-block-ai-crawlers/">blocking these bots</a>, AI Labyrinth directs bots into an endless maze of convincing, AI-generated pages. </p><p>Second, to address potential vulnerabilities in AI technologies, the Plan tasks the U.S. government with ensuring that they are secure-by-design. </p><p>To <a href="https://www.cloudflare.com/ai-security/">secure AI</a>, Cloudflare has been active in shaping the cybersecurity and risk management of AI technologies. We have supported and provided feedback to the U.S. National Institute of Standards and Technology’s efforts to develop a Cybersecurity Profile for Artificial Intelligence. 
This is critically important and builds on our <a href="https://blog.cloudflare.com/tag/cisa/"><u>Secure-by-Design</u></a> commitment. </p><p>We look forward to working with the Administration on the proposed AI information sharing and analysis center and the proposed vulnerability information exchange. </p>
    <div>
      <h3><b>Cloudflare stands ready to accelerate AI adoption in government</b></h3>
    </div>
    <p>The Plan envisions the federal government playing a key role in accelerating AI adoption. Cloudflare can help. As the Plan notes, integrating AI can significantly enhance public service, making government more efficient and effective. Most, if not all, federal agencies now have Chief AI Officers, indicating a clear commitment to this technological shift. The government can further its efforts by fostering information sharing between government agencies, promoting best practices, and training its workforce to maximize AI’s efficiency gains.</p><p>Cloudflare can be a key partner in this journey. Our platform provides the secure, reliable, and scalable infrastructure necessary for federal agencies to deploy AI applications with full-stack AI building blocks. <a href="https://www.cloudflare.com/cloudflare-for-government/"><u>Cloudflare is FedRAMP Moderate authorized</u></a>, and we are committed to <a href="https://www.cloudflare.com/learning/privacy/what-is-fedramp/">FedRAMP</a> High. By leveraging Cloudflare’s global network, federal agencies can ensure their AI initiatives are resilient and accessible, driving greater public benefit. </p>
    <div>
      <h3><b>The need to balance the export of AI with export controls</b></h3>
    </div>
    <p>To lead on AI internationally, the Plan outlines a dual strategy, presenting two approaches in tension with each other: aggressive AI export to allies and partners, and stringent restrictions on exporting AI compute and semiconductors. On one hand, the Plan emphasizes that providing the full U.S. AI technology stack is crucial to prevent allies from turning to rivals. This aims to solidify a global AI alliance and ensure the enduring diffusion of American technology.</p><p>Conversely, the Plan calls for strengthening export control enforcement and plugging loopholes to prevent export of sensitive technologies. The administration seeks to use export controls — restrictions on what goods a company can export — to deny foreign adversaries access to certain resources for both geostrategic competition and national security concerns. The challenge arises because overly stringent export controls, while aiming to deny access to adversaries, may inadvertently make it harder to export AI even to allies. </p><p>This dual approach highlights a critical tightrope walk. Cloudflare, along with many other industry players, will be watching closely to see how the administration balances these competing goals. Providing individuals across the world with access to resources that enable them to innovate and build applications close to their end users aligns with our mission to help build a better, more connected Internet. Having a globally distributed network like ours also enables U.S. AI companies to deploy their services globally. Although we appreciate the need for restricting access to sensitive compute resources, overly broad or imprecise controls could inadvertently stifle innovation and impede the open exchange of ideas crucial for AI development. The implementation of export controls must be meticulously balanced to target adversaries effectively without unwittingly hindering the very innovation and secure global digital ecosystem it seeks to protect. 
</p><p>A reassuring aspect of the Plan is its clear recognition of the private sector's indispensable role. The document repeatedly emphasizes the need for collaboration with industry and consultation with leading technology companies across various recommended policy actions. For instance, it specifically calls for establishing programs within the Department of Commerce to gather proposals from industry consortia for AI export packages. Furthermore, for strengthening AI compute export control enforcement, it advises exploring new measures “in collaboration with industry.” This commitment to partnership is essential to navigate the complexities of AI development and deployment. This collaboration with industry will ensure that policies are technically feasible, globally effective, and avoid unforeseen negative impacts on the digital economy and cybersecurity.</p>
    <div>
      <h3><b>Shaping the future of AI together</b></h3>
    </div>
    <p>The Plan represents a critical moment for U.S. AI leadership, and Cloudflare stands ready to partner in shaping the future of this critical technology. We applaud the Plan’s focus on accelerating AI development, building robust infrastructure, and leading global diplomacy. The Internet's global nature means that achieving these goals requires a delicate balance, particularly as the business model for the AI-powered web rapidly evolves. </p><p>Cloudflare champions an approach that fosters innovation while upholding an open, secure, and interoperable Internet. By prioritizing consensus-driven standards and ensuring that regulations do not inadvertently create barriers to a globally distributed AI infrastructure, we help ensure continued U.S. technological leadership and a sustainable, beneficial AI ecosystem.</p> ]]></content:encoded>
            <category><![CDATA[AI]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">NpabdoDRydEF5bKz9jUY4</guid>
            <dc:creator>Zaid Zaid</dc:creator>
            <dc:creator>Vincent Voci</dc:creator>
        </item>
        <item>
            <title><![CDATA[Exploring Internet and security trends during the 2024 U.S. Democratic National Convention]]></title>
            <link>https://blog.cloudflare.com/internet-security-trends-2024-us-democratic-convention/</link>
            <pubDate>Fri, 23 Aug 2024 14:52:00 GMT</pubDate>
            <description><![CDATA[ This analysis highlights the 2024 Democratic National Convention’s impact on Internet traffic and security, with spikes in interest for sites related to Kamala Harris and the Democrats, as well as news sites, plus pre-convention attacks on political organizations. ]]></description>
            <content:encoded><![CDATA[ 
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4ym7hA3nrKvKrbAWvxr3iK/8fa2196afd6890bbfdbdea1ab5d5a9a7/1000-1-Hero.png" />
          </figure><p>The 2024 <a href="https://en.wikipedia.org/wiki/2024_Democratic_National_Convention">Democratic National Convention</a> (DNC) wrapped up on Thursday, August 22, in Chicago, Illinois. Since our blog post about Internet trends during the <a href="http://blog.cloudflare.com/how-the-first-2024-us-presidential-debate-influenced-internet-traffic-and-security-trends">first presidential debate</a> between President Joe Biden and former President Donald Trump on June 27, the presidential race has fundamentally changed. We experienced the <a href="http://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention">attempted assassination of Trump, the Republican National Convention (RNC)</a>, Biden’s late July withdrawal from the race, and Vice President Kamala Harris being selected as the Democratic nominee and participating in her party’s convention this week. Here, we’ll examine trends more focused on DNS traffic to news and candidate-related sites, cyberattacks targeting politically-related organizations, and spam and malicious emails mentioning the candidates’ names.</p><p>Over 60 more national elections are scheduled to take place across the world this year, and we have been monitoring them as they occur. Our goal is to provide a neutral analysis of their impact on Internet behavior, which often mirrors human activities. Significant events, such as the <a href="http://blog.cloudflare.com/total-eclipse-internet-traffic-impacts-mexico-us-canada">total eclipse in Mexico, the United States, and Canada</a>, and the <a href="http://blog.cloudflare.com/paris-2024-olympics-recap">Paris 2024 Olympics</a>, have had an impact on Internet traffic. 
Our ongoing <a href="https://radar.cloudflare.com/reports/elections-2024">election report on Cloudflare Radar</a> includes updates from recent elections in the <a href="http://blog.cloudflare.com/exploring-the-2024-eu-election-internet-traffic-trends-and-cybersecurity-insights">European Union</a>, France, and the United Kingdom.</p><p>Let’s start with an Internet traffic perspective on the Chicago area, where the Democratic National Convention took place from August 19 through August 22, 2024.</p>
    <div>
      <h2>Internet traffic trends in Chicago</h2>
    </div>
    <p>Internet traffic shifts during major events like elections – and there have been <a href="https://radar.cloudflare.com/reports/elections-2024">several this year</a> – are typically more impactful than those from a single political party’s event. During the DNC in Chicago, Illinois, we didn’t observe an obvious pattern change, similar to the RNC that took place in <a href="http://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention">Milwaukee, Wisconsin</a> in June.</p><p>Throughout the convention, although we didn’t notice any significant drops or spikes in Chicago’s Internet traffic, there was a rise in traffic starting on August 15 and continuing through the first three days of the convention. Notably, traffic was 10% to 20% higher after midnight compared to the previous week.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5KS5p3ywSq9P5yeZzQLqSy/918368f62fda4107b7dc9ba2048808bd/1000-2.png" />
          </figure><p></p>
    <div>
      <h2>DNS trends: Kamala Harris-related sites see accelerated growth</h2>
    </div>
    <p>Shifting our focus to domain trends, our <a href="http://1.1.1.1/">1.1.1.1</a> resolver data highlights a more targeted impact from the DNC and preceding weeks. This analysis now includes Kamala Harris-related insights, as our earlier reports on the Biden-Trump <a href="http://blog.cloudflare.com/how-the-first-2024-us-presidential-debate-influenced-internet-traffic-and-security-trends">debate</a> and the <a href="http://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention">Republican National Convention</a> predated her selection as the Democratic nominee.</p><p>Kamala Harris’s official website, initially redirecting to Joe Biden’s website, became an independent dedicated site after July 21, following Biden’s announcement of his withdrawal and endorsement of Harris. Since then, aggregated daily DNS traffic to Kamala Harris-related domains has seen significant growth, particularly after June 29.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2ayo5Fddw87i3javQr5par/983589c3425b5d64f6f285c0276cb3b8/100003.png" />
          </figure><p></p><p>On August 6, the day Kamala Harris <a href="https://apnews.com/article/harris-running-mate-philadelphia-rally-multistate-tour-02c7ebce765deef0161708b29fe0069e">selected Minnesota Governor Tim Walz</a> as her running mate, DNS traffic for Kamala Harris-related domains increased by 99% compared to the previous week. Following this announcement, as Harris and Walz campaigned together in various cities, DNS traffic initially peaked on August 8-9, showing increases of 896% and 845%, respectively. Another significant spike occurred on August 15, which persisted through the DNC, peaking on its fourth day, August 23, with a 21% growth in DNS traffic compared to the previous week.</p><p>From an hourly perspective, the impact of the convention on Kamala Harris-related sites is evident, with increased DNS traffic in the evenings coinciding with the convention’s key speakers. Traffic grew each day compared to the day before.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3jkJdfQDdfJLihGl5ETS7s/117ef1b2259e2c63e76efe0c669c5c15/1000-4.png" />
          </figure><p></p><p>Here’s a summary of peak hourly DNS traffic to Kamala Harris-related domains on each day of the DNC, coinciding with key moments of the event:</p><ul><li><p>Day 1, August 19: Peak at 23:00 EDT with a 313% increase in traffic compared to the previous week. This spike occurred around the time President Joe Biden appeared on stage.</p></li><li><p>Day 2, August 20: Peak at 00:00 EDT (August 21) with a 466% increase, following former President Barack Obama’s speech that closed the second day of the DNC.</p></li><li><p>Day 3, August 21: Peak at 22:00 EDT with a 70% increase just before Governor Tim Walz took the stage. Although this peak was higher than previous days, the percentage increase was lower due to higher traffic at the same time the previous week.</p></li><li><p>Day 4, August 22: Peak at 23:00 EDT with a 71% increase around the time of Vice President Kamala Harris’s speech.</p></li></ul>
    <div>
      <h3>Increase in DNS traffic to fundraising domains on day 4 of the DNC</h3>
    </div>
    <p>During the DNC, we observed a rise in DNS traffic for Harris/Democrats fundraising domains. The main spike occurred on day 4 of the DNC, August 22, at around 21:00 EDT, with a 493% increase compared to the previous week. On that day, daily traffic increased by 92% compared to the previous week.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/J6HKlHk1ZuyNf9TnAN2Tt/871747c78801bf4fd83fe1cbf09f2944/1000-5.png" />
          </figure><p></p>
    <div>
      <h3>News: increased traffic during the DNC</h3>
    </div>
    <p>Like the <a href="http://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention">RNC before it</a>, the DNC sparked significant interest in US news organizations, resulting in an uptick in aggregated DNS traffic to general US news sites. This increase typically occurred just after the final speaker of the evening.</p><p>On day 1 of the DNC, traffic to US news organizations was 11% higher compared to the previous week at 23:00 EDT, coinciding with President Biden’s appearance. On day 2, when President Obama concluded the evening, DNS traffic to US news sites increased by 10%, continuing to rise thereafter. On day 3, during the hour when Vice Presidential candidate Tim Walz spoke, DNS traffic to US news sites spiked by 21% at 23:00 EDT. The final day (day 4) saw a 28% increase at 23:00 EDT, around Vice President Kamala Harris’s speech.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2OKrAEiiVW463Xrg9knugd/12284ed14a718446623af284fa972af0/1000-6.png" />
          </figure><p></p>
    <div>
      <h2>Attacks targeting politically-related websites</h2>
    </div>
    <p>Attacks on political parties have remained a significant threat in an election-filled 2024. In Europe, we’ve seen political parties and associated websites targeted around <a href="http://blog.cloudflare.com/tag/election-security">elections</a>. We previously reported on DDoS attacks around the <a href="http://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention">Republican National Convention</a>, and these types of attacks continued during the weeks ahead of the Democratic National Convention.</p><p>Since July 21, 2024, Cloudflare has blocked DDoS attacks targeting three US politically-related organizations. A site associated with one of the major parties (represented by the blue line on the chart) was attacked on July 23, and again just before the DNC.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4h65mxQbj8Ve720ACEa7Ws/b38c2737a18ef3f140466dbfdc0ec7c2/1000-7.png" />
          </figure><p></p><p>The largest DDoS attack recorded (indicated in green) targeted another US politically-related website on July 26, peaking at 180,000 requests per second (rps) and lasting about 10 minutes. There were other smaller attacks, earlier on the same day, and on July 28.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6DdLjxKJ4za8FDKNecWgdF/910eb10e2071a2a151fd9fc4a2b873e3/1000-8.png" />
          </figure><p></p><p>Another site, focused on political fundraising, experienced a smaller attack on August 1, also lasting 10 minutes and peaking at 103,000 rps.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2B2uI8Jxx9S9aqb1x2bBy4/b6e2f6a6ff1c7180a3471be2cd57d6f1/Screenshot-2024-08-23-at-09.01.08.png" />
          </figure><p></p><p>The most recent attacks we’ve observed occurred on August 17-18 (UTC time), targeting a politically-related website (blue line) and another politically-related website (green line). The former peaked at 62,000 rps on August 18, while the latter reached 24,000 rps on August 17.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3089Rr8AvewVHR097bvwbZ/a2bac45be3e532ea6bb4359d5e598ffd/unnamed__4_.png" />
          </figure><p></p><p>As highlighted in our <a href="http://blog.cloudflare.com/ddos-threat-report-for-2024-q2">Q2 DDoS report</a>, most DDoS attacks are short-lived, as exemplified by the two mentioned attacks. Also, 81% of HTTP DDoS attacks peak at under 50,000 requests per second (rps), and only 7% reach between 100,000 and 250,000 rps. While a 24,000 rps attack might seem minor to Cloudflare, it can be devastating for websites not equipped to handle such high levels of traffic.</p>
    <div>
      <h2>Email trends: candidate-related spam and malicious messages</h2>
    </div>
    <p>From another cybersecurity angle, trending <a href="http://blog.cloudflare.com/paris-2024-olympics-recap">events</a>, topics and individuals often attract malicious, phishing, and spam messages, and also more emails in general. Our <a href="http://blog.cloudflare.com/how-the-first-2024-us-presidential-debate-influenced-internet-traffic-and-security-trends">earlier analysis</a> covered email trends involving “Joe Biden” or “Donald Trump” since January, concluding just after the Biden-Trump <a href="http://blog.cloudflare.com/how-the-first-2024-us-presidential-debate-influenced-internet-traffic-and-security-trends">debate</a> in late June. From June 1, 2024, through August 21, <a href="https://www.cloudflare.com/zero-trust/products/email-security/">Cloudflare’s Cloud Email Security</a> service processed around 14 million emails that included the names “Donald Trump”, “Joe Biden”, or “Kamala Harris” in the subject, with 7.4 million referencing Trump.</p><p>The next chart highlights a surge in emails mentioning Trump in mid-July, contrasting with a drop of emails mentioning Biden in the subject, who saw a brief uptick on July 22-23 following his withdrawal from the race, and on August 20, the day after his DNC speech.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7yEc8RR7awFKzK8a4rHeCA/d6767f764dc9cdd7dafebc5b2779f46c/Screenshot-2024-08-23-at-12.02.42.png.crdownload" />
          </figure><p></p><p>Focusing on the period since July 21 – when changes in the presumptive Democratic candidate occurred – over 3.2 million emails mentioned “Donald Trump”, around 1.2 million mentioned “Joe Biden”, and over 2 million mentioned “Kamala Harris” in the subject. Examining spam and phishing messages, 34% of emails with Trump’s name were spam, and 3% were malicious. For Kamala Harris, 0.8% were spam and 0.2% were malicious, while Biden’s figures were 1.1% for spam and 0.1% for malicious.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4HGaebyHPR9jp7G6DfYC21/834fe5b8bf5e831befe8a2bb06771a06/1000-9.png" />
          </figure><p></p><p>To better understand the elevated percentages of spam and malicious emails mentioning “Donald Trump,” it’s important to look at the trend over time. Notably, after July 15, there was a significant rise in all emails mentioning Trump in the subject, as the previous line chart also shows, and that also included a higher percentage of emails classified as spam.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/Fh5yqhrivXQGpN9LrMNk5/5565b59c1ed0127b12a094edc1fd01c0/1000-10.png" />
          </figure><p>Additionally, Republican Vice Presidential Candidate JD Vance and Democratic Vice Presidential Candidate Tim Walz also influenced email trends. JD Vance was announced as Donald Trump’s running mate on July 15, so we start there – Tim Walz’s announcement came later, on August 6. Emails with “Tim Walz” mentioned in the subject (over 530,000) outnumbered those with “JD Vance” (over 241,000). Spam made up 1% of emails with Vance’s name and 0.1% were malicious, and for Walz, 0.7% were spam and 0.03% malicious.</p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1hV9KPjdHaeliYvafhi6KK/4811276c824d3e2ebb600f2817231b7a/1000-11.png" />
          </figure><p></p>
    <div>
      <h2>Conclusion: high intensity election year</h2>
    </div>
    <p>In this analysis of the Democratic National Convention, we’ve observed trends similar to those seen during the Republican National Convention. However, with Kamala Harris becoming the Democratic presidential candidate recently, there has been a noticeable increase in DNS traffic to both Kamala Harris-related domains and Democrats’ fundraising domains.</p><p>We have also noted that DDoS attacks targeting US politically-related organizations continue, and emails mentioning the candidates in the subject (including spam and malicious emails) have increased.</p><p>If you’re interested in more trends and insights about the Internet and elections, check out <a href="https://radar.cloudflare.com/">Cloudflare Radar</a>, specifically our <a href="https://radar.cloudflare.com/reports/elections-2024">2024 Elections Insights</a> report. It will be updated throughout the year as elections (or election-related events) occur.</p> ]]></content:encoded>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Trends]]></category>
            <category><![CDATA[Election Security]]></category>
            <category><![CDATA[Elections]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[USA]]></category>
            <guid isPermaLink="false">1tSorsvJdfnMLtfjL0Jw1f</guid>
            <dc:creator>João Tomé</dc:creator>
        </item>
        <item>
            <title><![CDATA[Exploring Internet traffic during the 2024 U.S. Republican National Convention]]></title>
            <link>https://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention/</link>
            <pubDate>Fri, 19 Jul 2024 15:07:04 GMT</pubDate>
            <description><![CDATA[ This week, the Republican National Convention was hosted in Milwaukee, Wisconsin from July 15 to 18, 2024. We examined traffic shifts and cyberattacks since June 2024 to see how these events have ]]></description>
            <content:encoded><![CDATA[ <p>Internet traffic typically mirrors human behavior, with significant fluctuations during large political events. This comes at a time when the United States is in election mode: political campaigns are in full swing, candidates for various offices are making their case to voters in primaries and caucuses, and debates are being held. This week, the Republican National Convention was hosted in Milwaukee, Wisconsin from July 15 to 18, 2024. We examined traffic shifts and cyberattacks since June 2024 to see how these events have impacted the Internet. </p>
    <div>
      <h3>Attacks on political related websites</h3>
      <a href="#attacks-on-political-related-websites">
        
      </a>
    </div>
    <p>Cyberattacks are a constant threat, and aren't necessarily driven by elections. With that said, notable trends can often be observed, and we’ve seen before how specific geopolitical events can trigger online attacks. For example, we saw cyberattacks at the start of the <a href="/one-year-of-war-in-ukraine">war in Ukraine</a> and, more <a href="/dutch-political-websites-hit-by-cyber-attacks-as-eu-voting-starts">recently, in the Netherlands</a>, when the June 2024 European elections coincided with cyberattacks on Dutch political-related websites that lasted two days — June 5th and 6th. The main DDoS attack (<a href="https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/">Distributed Denial of Service attack</a>) on June 5, the day before the Dutch election, reached 73,000 requests per second (rps).</p><p>Shifting our focus to the United States in particular, in the weeks since April 2024, we’ve seen several DDoS attacks targeting federal and state government websites as well as political-related websites. In recent days Cloudflare has also blocked DDoS attacks targeting two political-related websites.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3hDTUPDdqg9h211ZAH1ACm/97a734072e91d581b17e260251ca3807/unnamed--1--6.png" />
            
            </figure><p>One of those is related to a political campaign, represented by the yellow line on the chart below. The first spike was a DDoS attack on July 2, 2024, peaking at 56,000 rps and lasting around 10 minutes. The same political-related site was attacked later on July 14, with a 34,000 rps peak, lasting four minutes.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5jHkOfpp03Y2u1IiMXSMjt/e79c60ea259c5e1bb39d79b1806dadc1/unnamed-15.png" />
            
            </figure><p>The other political-related site under attack, in green on the previous chart, is a think tank website that does policy advocacy related to presidential politics. It had been attacked before, around the time of the Biden vs Trump debate, as we reported at the time in a <a href="/how-the-first-2024-us-presidential-debate-influenced-internet-traffic-and-security-trends">related blog post</a>. The main attack was on July 11, with a 137,000 rps peak, lasting a few minutes, and was repeated, with slightly lower intensity, a few hours later on July 12.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/suW2ypFdXlSNlqNae05c8/df3bdfd8909ede83db8b10cff1da14f0/unnamed--2--5.png" />
            
            </figure><p>As we’ve seen in our recent <a href="/ddos-threat-report-for-2024-q2">DDoS report</a>, the vast majority of DDoS attacks are short. This emphasizes the need for automated, in-line detection and mitigation systems. Ten minutes is hardly enough time for a human to respond to an alert, analyze the traffic, and apply manual mitigations.</p>
    <div>
      <h3>Trump assassination attempt impact</h3>
      <a href="#trump-assassination-attempt-impact">
        
      </a>
    </div>
    <p>The <a href="https://en.wikipedia.org/wiki/Attempted_assassination_of_Donald_Trump">attempted assassination</a> of former President Trump at a campaign rally near Butler, Pennsylvania precipitated an increase in Internet traffic within the United States, particularly to news-related media outlets. As news broke of shots fired at a Trump rally, injuring the former president, Internet traffic in the United States (in bytes) increased around 22:30 - 23:00 UTC (18:30-19:00 EST) by 10% to 12%.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5naPErSK3RLbucviBgKnWl/18a2b424e81d529751539a08053425e1/unnamed--3--5.png" />
            
            </figure><p>HTTP requests in the United States saw up to an 8% increase on July 13th compared to the previous week.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5XX4YF3qVLCmFn586kuHb8/e75bd981a2537b193f779a7829e2c934/unnamed--4--4.png" />
            
            </figure><p>At the same time, DNS traffic to TV news sites, via our 1.1.1.1 resolver, surged by as much as 215%, and to general news sites by 141%.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/386tpXBWJIWnXhy0eMgGzo/3968cbf79c4f215136735eee0ae59b81/unnamed--5--4.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/29HRGjIhBaRCMI3wcFdX8e/35838c844ad7168e46aa30f3a5e31521/unnamed--6--4.png" />
            
            </figure>
    <div>
      <h3>Republican National Convention</h3>
      <a href="#republican-national-convention">
        
      </a>
    </div>
    <p><a href="https://gopconvention2024.com/">The Republican National Convention</a> is an important political event as delegates of the United States Republican Party choose the party's nominees for president and vice president in the 2024 United States presidential election. Over the four-day event, convention delegates formally nominate the party’s presidential and vice presidential candidates and adopt the party's platform, which outlines its policies and positions on various issues. The convention features speeches from prominent party members, including the nominees, party leaders, and other influential figures.</p><p>This year’s convention was held in Milwaukee, Wisconsin. During this time, we didn’t identify any noticeable traffic spikes from Milwaukee or from Wisconsin in general.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/376nbfhHhurC5nLog96Hhd/b4398d5c1d7654746843463d93c951b1/unnamed--7--4.png" />
            
            </figure><p>Compared to the previous week, there was an increase in DNS traffic to Republican political party and fundraising websites. On July 18th, the last day of the convention, we saw two considerable increases in hourly traffic compared to a week prior. The first, at 14:00 EDT, was an increase of 268% in traffic to these sites. The second, at 23:00 EDT, was another increase, of 266%. The daily aggregation on this day showed an increase of 90.48% compared to daily traffic aggregations in the previous week.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6YgNARX7ttperGn62xDOCc/f0e73477e4b55a0dd5f79e07cf5cbc16/unnamed--8--2.png" />
            
            </figure><p>DNS traffic to TV news channels was steady during the convention, with the highest peaks before the convention, on July 14, and then during the late hours of July 15th.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/35jThqt2vulNEcfMJYadEi/565c7533d9ac0a1917d25cd431b80d22/unnamed--9--2.png" />
            
            </figure><p>For political news websites covering the RNC, traffic numbers tend to decrease slightly as the event progresses.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1YwyzkmGyG0TEA1y5RZgDU/d2ceb1aa3a73184e67de4035dfdc20fd/unnamed--10--2.png" />
            
            </figure><p>We identified an attack against a think-tank based in Washington D.C. that does policy advocacy related to presidential politics. The attack itself lasted around 3 minutes, from July 18th 13:18 to 13:22 exclusive (EDT) with a total of 3.12 million DDoS requests mitigated. The attack peaked at around 30.33k rps.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2ZsVBFxTICDrKq9W51OHuP/a1ca807065516816541e4b6c17aa8940/unnamed--11--2.png" />
            
            </figure><p>We see that major political events may not always cause significant shifts in Internet traffic. Our data indicates increases in traffic primarily to news and media organizations from July 13th onward. When it comes to cyber attacks, a majority of activity we see targets political campaigns and policy organizations.</p><p>If you want to follow more trends and insights about the Internet and elections in particular, you can check <a href="https://radar.cloudflare.com/">Cloudflare Radar</a>, and more specifically our new <a href="https://radar.cloudflare.com/reports/elections-2024">2024 Elections Insights</a> report, which will be updated as elections take place throughout the year.</p> ]]></content:encoded>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Elections]]></category>
            <category><![CDATA[USA]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">6Sq2pGkmj4avfRrQgXAqZ9</guid>
            <dc:creator>João Tomé</dc:creator>
            <dc:creator>Jorge Pacheco</dc:creator>
            <dc:creator>Jocelyn Woolbright</dc:creator>
        </item>
        <item>
            <title><![CDATA[Dutch political websites hit by cyber attacks as EU voting starts]]></title>
            <link>https://blog.cloudflare.com/dutch-political-websites-hit-by-cyber-attacks-as-eu-voting-starts/</link>
            <pubDate>Thu, 06 Jun 2024 19:23:17 GMT</pubDate>
            <description><![CDATA[ The 2024 European Parliament election began in the Netherlands on June 6. Cloudflare mitigated several multi-hour DDoS attacks on Dutch political websites on June 5 and 6 ]]></description>
            <content:encoded><![CDATA[ <p></p><p></p><p>The 2024 <a href="https://en.wikipedia.org/wiki/2024_European_Parliament_election">European Parliament election</a> started in the Netherlands today, June 6, 2024, and will continue through June 9 in the other 26 countries that are part of the European Union. Cloudflare observed DDoS attacks targeting multiple election or politically-related Internet properties on election day in the Netherlands, as well as the preceding day.</p><p>These elections are highly <a href="https://www.bbc.com/news/articles/cw4433yz73vo">anticipated</a>. It’s also the first European election without the UK after Brexit.</p><p>According to <a href="https://www.politico.eu/article/dutch-party-websites-attacked-as-eu-vote-kicks-off/">news reports</a>, several websites of political parties in the Netherlands suffered cyberattacks on Thursday, with a pro-Russian hacker group called HackNeT claiming responsibility.</p><p>On June 5 and 6, 2024, Cloudflare systems automatically detected and mitigated DDoS attacks that targeted at least three politically-related Dutch websites. Significant attack activity targeted two of them, and is described below.</p><p>A DDoS attack, short for <a href="https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/">Distributed Denial of Service attack</a>, is a type of cyber attack that aims to take down or disrupt Internet services such as websites or mobile apps and make them unavailable for users. DDoS attacks are usually done by flooding the victim's server with more traffic than it can handle. 
To learn more about DDoS attacks and other types of attacks, visit our <a href="https://www.cloudflare.com/learning/">Learning Center</a>.</p><p>Attackers typically use DDoS attacks, but also exploit other vulnerabilities and use other types of attacks at the same time.</p><p>Daily DDoS mitigations on June 5 reached over 1 billion HTTP requests in the Netherlands, most of which targeted two election or political party websites. The attack continued on June 6. Attacks on one website peaked on June 5 at 14:00 UTC (16:00 local time) with 115 million requests per hour, with the attack lasting around four hours. Attacks on another politically-related website peaked at the same time at 65 million requests per hour.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/19rBhy6BT0gBR2M2H6NF1B/f70bf63c47c3bae67e00f7142373184c/image1-7.png" />
            
            </figure><p>On June 6, the first politically-related site referenced above, the one with the highest peak on June 5, was attacked again for several hours. The main attack peak occurred at 11:00 UTC (13:00 local time), with 44 million requests per hour.</p><p>The main June 5 DDoS attack on one of the websites peaked at 14:13 UTC (16:13 local time), reaching 73,000 requests per second (rps) in an attack that lasted for a few hours. This attack is illustrated by the blue line in the graph below, which shows that it ramped up slowly over the first half of the day, and then appeared to abruptly stop at 18:06. And on June 6, the main attack on the second website peaked at 11:01 UTC (13:01 local time) with 52,000 rps.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3qlM9c8e6TCh26gf8VcVka/7f4dfa562fda07e6e0c5f5b9191425d7/image3-1.png" />
            
            </figure>
    <div>
      <h3>Geopolitical motivations</h3>
      <a href="#geopolitical-motivations">
        
      </a>
    </div>
    <p>Elections, geopolitical changes, and disputes also impact the online world and cyberattacks. Our <a href="/ddos-threat-report-for-2024-q1">DDoS threat report</a> for Q1 2024 gives a few recent examples. One notable case was the 466% surge in DDoS attacks on Sweden after its acceptance into the NATO alliance, mirroring the pattern observed during Finland’s NATO accession in 2023.</p><p>As we’ve seen in recent years, real-world conflicts, disputed and highly anticipated elections, and wars are always accompanied by cyberattacks. We reported (<a href="/internet-traffic-patterns-in-israel-and-palestine-following-the-october-2023-attacks">1</a>, <a href="/cyber-attacks-in-the-israel-hamas-war">2</a>) on an increase in cyberattacks following the start of the Israel-Hamas war on October 7, 2023. We’ve put together a <a href="https://developers.cloudflare.com/ddos-protection/best-practices/respond-to-ddos-attacks/">list of recommendations</a> to optimize your defenses against DDoS attacks, and you can also follow our step-by-step wizards to <a href="https://developers.cloudflare.com/learning-paths/application-security/">secure your applications</a> and <a href="https://developers.cloudflare.com/learning-paths/prevent-ddos-attacks/">prevent DDoS attacks</a>.</p><p>If you want to follow more trends and insights about the Internet and elections in particular, you can check <a href="https://radar.cloudflare.com/">Cloudflare Radar</a>, and more specifically our new <a href="https://radar.cloudflare.com/reports/elections-2024">2024 Elections Insights report</a>, which we’re keeping up to date as national elections take place throughout the year.</p> ]]></content:encoded>
            <category><![CDATA[Attacks]]></category>
            <category><![CDATA[DDoS]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Election Security]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[European Union]]></category>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Trends]]></category>
            <category><![CDATA[Elections]]></category>
            <guid isPermaLink="false">3lWkqEOtDnWYtf5clNdhU1</guid>
            <dc:creator>João Tomé</dc:creator>
        </item>
        <item>
            <title><![CDATA[European Union elections 2024: securing democratic processes in light of new threats]]></title>
            <link>https://blog.cloudflare.com/eu-elections-2024/</link>
            <pubDate>Wed, 05 Jun 2024 13:00:46 GMT</pubDate>
            <description><![CDATA[ Between 6 and 9 June 2024, hundreds of millions of EU citizens will be voting to elect their members of the European Parliament (MEPs). All EU member states have different election processes ]]></description>
            <content:encoded><![CDATA[ <p></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2G6IG6MIi99V0OQWJA5fKw/6c0ae6e9c595ce73cc55895da809fc80/EU-elections-1.png" />
            
            </figure><p>Between June 6 and 9, 2024, hundreds of millions of European Union (EU) citizens will be voting to elect their members of the European Parliament (MEPs). The European elections, held every five years, are one of the biggest democratic exercises in the world. Voters in each of the 27 EU countries will elect a different number of MEPs according to population size and based on a proportional system, and the 720 newly elected MEPs will take their seats in July. All EU member states have different election processes, institutions, and methods, and the security risks are significant, both in terms of cyber attacks and with regard to influencing voters through disinformation. This makes the task of securing the European elections a particularly complex one, which requires collaboration between many different institutions and stakeholders, including the private sector. Cloudflare is <a href="https://www.cloudflare.com/cybersecurity/">well positioned</a> to support governments and political campaigns in managing large-scale cyber attacks. We have also helped election entities around the world by providing tools and expertise to protect them from attack. Moreover, through the <a href="https://www.cloudflare.com/athenian/">Athenian Project</a>, Cloudflare works with state and local governments in the United States, as well as governments around the world through international nonprofit partners, to provide Cloudflare's highest level of protection for free to ensure that constituents have access to reliable election information.</p>
    <div>
      <h2>Election security in 2024: dealing with new and upcoming threats</h2>
      <a href="#election-security-in-2024-dealing-with-new-and-upcoming-threats">
        
      </a>
    </div>
    <p>Ensuring a free, fair, and open electoral process and securing candidate campaigns is understandably a top priority for the EU institutions, as well as for national governments and cybersecurity agencies across the EU. European authorities have already taken a number of measures to ensure the elections are well-protected. Efforts to coordinate election security measures amongst the EU countries are led by the <a href="https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group">NIS Cooperation Group</a>, with the support of the <a href="https://www.enisa.europa.eu/news/safeguarding-eu-elections-amidst-cybersecurity-challenges">EU Agency for Cybersecurity</a> (ENISA), the <a href="https://commission.europa.eu/strategy-and-policy/policies/justice-and-fundamental-rights/eu-citizenship-and-democracy/democracy-and-electoral-rights_en">European Commission</a>, and the <a href="https://www.eeas.europa.eu/sites/default/files/documents/2024/Excerpt%20Elections_2nd%20EEAS%20Report%20on%20FIMI%20Threats.pdf">European External Action Service</a> (the EU’s foreign service).</p><p>The NIS Cooperation Group recently issued an updated <a href="https://www.enisa.europa.eu/news/safeguarding-eu-elections-amidst-cybersecurity-challenges">Compendium</a> on safeguarding the elections amidst cybersecurity challenges, noting that <i>“since the last EU elections in 2019, the elections threat landscape has evolved significantly”.</i> Governments note in particular the impact of Artificial Intelligence (AI), including deep fakes, but also the increased sophistication of threat actors and the trend of “hacktivists-for-hire” as new risks that need to be taken into account. European institutions also highlight today’s geopolitical context, with conflicts in Ukraine and the Middle East impacting cyber threats and foreign influence campaigns in Europe. 
The European External Action Service analyzed cases of FIMI (<a href="https://www.eeas.europa.eu/sites/default/files/documents/2024/Excerpt%20Elections_2nd%20EEAS%20Report%20on%20FIMI%20Threats.pdf">Foreign Information Manipulation and Interference</a>) during recent national elections in Spain and Poland, and put together suggested plans for governments on how to respond to the various stages of those FIMI campaigns originating from foreign (e.g. non-EU) actors. EU High Representative for Foreign Affairs Josep Borrell said in a <a href="https://www.eeas.europa.eu/eeas/fighting-foreign-interference-protect-our-democracy_en">recent blog post</a> that protecting the election process and more broadly European public debate from malign foreign actors <i>“is a security challenge, which we need to tackle seriously”</i>.</p><p>Some national governments have also <a href="https://www.bmi.bund.de/EN/topics/constitution/electoral-law/european-elections/protecting-european-elections/protecting-european-elections-node.html">warned against</a> the risks of so-called hybrid threats, whereby foreign governments deploy various methods to exert influence on other states, including disinformation campaigns, cyberattacks and espionage. Germany’s Federal Ministry of the Interior <a href="https://www.bmi.bund.de/EN/topics/constitution/electoral-law/european-elections/protecting-european-elections/protecting-european-elections-node.html">notes</a> that <i>“elections are often a catalyst for increased levels of illegitimate activity by foreign governments, because stoking fear and spreading hate can contribute to the polarization of society, influencing voting habits. (...) We must make a determined effort to counter these threats.”</i></p>
    <div>
      <h2>EU readiness for election season</h2>
      <a href="#eu-readiness-for-election-season">
        
      </a>
    </div>
    <p>As part of national and EU-level coordination amongst governments and agencies to prepare to mitigate threats and risks to the European elections, ENISA supports national governments’ measures to ensure the elections will be secure, including by organizing a <a href="https://www.enisa.europa.eu/news/eu-cybersecurity-exercise-foster-cooperation-secure-free-and-fair-eu-elections">cybersecurity exercise</a> to test the various crisis plans and responses to potential attacks by national and EU level agencies and governments. ENISA has also put together a checklist for authorities in order to raise awareness on specific risks and threats to the election process.</p><p>The European Union has also prepared for other phenomena endangering the security and integrity of the election process, including the spread of disinformation via online platforms. For example, the European Commission recently issued <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_24_1707">strict guidelines</a> for “Very Large Online Platforms” (VLOPs) and “Very Large Search Engines” (VLOSEs) under the EU Digital Services Act on measures to mitigate systemic risks online that may impact the integrity of elections. These large companies will be required to have dedicated staff to monitor for disinformation threats in the 23 official EU languages across the 27 member states, collaborating closely with European cybersecurity authorities. 
In addition, in line with <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_23_4843">upcoming EU legislation</a> on transparency of political advertising, political ads on large social media platforms should be clearly labeled as such.</p><p>In its 11th <a href="https://www.enisa.europa.eu/news/eu-elections-at-risk-with-rise-of-ai-enabled-information-manipulation">EU Threat Landscape report</a>, published in 2023, ENISA also warned about the risks associated with the rise of AI-enabled information manipulation, including the disruptive impacts of AI chatbots. The European Commission, in its efforts to fight the proliferation of deep fakes and sophisticated voter manipulation tactics through advanced generative AI systems, recently launched <a href="https://digital-strategy.ec.europa.eu/en/news/commission-sends-requests-information-generative-ai-risks-6-very-large-online-platforms-and-2-very#:~:text=The%20Commission%20is%20requesting%20these,manipulation%20of%20services%20that%20can">inquiries</a> into major AI developers and promoted industry pledges in the context of the EU <a href="https://digital-strategy.ec.europa.eu/en/policies/ai-pact">AI Pact</a>.</p>
    <div>
      <h2>The view from Cloudflare: increases in cyber attacks around elections</h2>
      <a href="#the-view-from-cloudflare-increases-in-cyber-attacks-around-elections">
        
      </a>
    </div>
    <p>It is likely that the EU is going to see a trend similar to many other jurisdictions where there have been increases in cyber threats targeting election entities. In the period between November 2022 and August 2023, <a href="/protecting-global-democracy-against-threats-from-emerging-technology/">Cloudflare mitigated</a> 213.78 million threats to government election websites in the United States. That amounts to 703,223 threats mitigated per day on average. There is indeed already evidence that European institutions are subject to increasing attacks.</p><p>In November 2023, the <a href="https://www.politico.eu/article/cyber-attack-european-parliament-website-after-russian-terrorism/">European Parliament website</a> was subject to a large cyber attack. And in March 2024, <a href="https://www.politico.eu/article/french-government-hit-with-cyberattacks-of-unprecedented-intensity/">French government websites</a> faced attacks of “unprecedented intensity,” according to a spokesperson. A few days before the attacks, on February 25, 2024, Cloudflare blocked a significant DDoS attack on a French government website. It reached as much as 420 million requests per hour and lasted for over three hours.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7jW57aXBllsZAj14ln3Aly/f7524be3f14215f158d9ad29afd71d16/image1.png" />
            
            </figure><p>The <a href="https://www.politico.eu/article/uk-accuses-russia-of-hacking-politicians-and-journali/">UK government</a> warned last year that there were “sustained” cyberattacks against civil society organizations, journalists and public sector groups, as well as phishing attempts directed at British politicians. Most recently, the IT infrastructure of <a href="https://www.reuters.com/technology/cybersecurity/germanys-christian-democratic-party-hit-by-serious-cyberattack-2024-06-01/">German political party CDU</a> was hit by a “serious cyberattack” according to the German Interior Ministry.</p><p>We have also seen that the magnitude of cyber attacks overall is growing every year. As outlined in Cloudflare’s latest <a href="/ddos-threat-report-for-2024-q1">DDoS threat report</a>, published in Q1 2024, Cloudflare’s defense systems automatically mitigated 4.5 million DDoS attacks during that first quarter, representing a 50% year-over-year (YoY) increase. EU governments noted in their 2024 <a href="https://www.enisa.europa.eu/news/safeguarding-eu-elections-amidst-cybersecurity-challenges">Compendium</a> on safeguarding the elections that DDoS attacks <i>“can still be very effective in undermining the public’s trust in the electoral process, especially if affecting its most critical and visible phases – that is the transmission, aggregation and display of voting results”.</i></p><p>However, it is not only an increase in the size of attacks on websites that is keeping election officials up at night. There are often multiple attack vectors that need to be taken into account, and ensuring election processes and public institutions remain secure is a very complicated task. For example, in the three months leading up to the 2022 U.S. midterm elections, <a href="/securing-the-inboxes-of-democracy/">Cloudflare prevented around 150,000 phishing emails</a> targeting campaign officials. 
ENISA’s latest EU Threat Landscape report, when discussing phishing campaigns, pointed to the risks of AI applied to social engineering (e.g. used for crafting more convincing phishing messages), which can make phishing less costly, easier to scale up, and more effective. These developments all show how securing voter registration systems, ensuring the integrity of election-related information, and planning effective incident response are necessary as online threats grow more and more sophisticated.</p><p>Securing the democratic process in the digital age requires partnerships between governments, civil society, and the private sector. Cloudflare has helped election entities around the world by providing tools and expertise to protect themselves from cyberattacks. For example, in 2020, we <a href="/cloudflares-athenian-project-expands-internationally">partnered</a> with the International Foundation for Electoral Systems to provide Enterprise-level services to six election management bodies, including the Central Election Commission of Kosovo, State Election Commission of North Macedonia, and many local election bodies in Canada.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4rHCWCMOTpxNCwrss0SYrb/8f3e838101314a7337aff409a760dbc4/image6.png" />
            
            </figure>
    <div>
      <h2>Impact on Internet traffic</h2>
      <a href="#impact-on-internet-traffic">
        
      </a>
    </div>
    <p>Cloudflare’s global network, which spans more than 120 countries and protects around 20% of all websites, allows us a unique view of the trends and patterns seen in Internet traffic. Some of those trends, including traffic, connection quality, and Internet outages, can be seen in our Internet insights platform, <a href="https://radar.cloudflare.com/">Cloudflare Radar</a>.</p><p>Several of these trends are especially important to watch during election season. Upon deeper analysis, we observed spikes in traffic to websites related to elections, and to news websites, during this time. From data obtained in 2023 through an analysis of US state and local government websites protected under the <a href="https://www.cloudflare.com/athenian/">Athenian Project</a>, as well as US nonprofit organizations that work in voting rights and promoting democracy under <a href="https://www.cloudflare.com/galileo/">Project Galileo</a>, and political campaigns and parties under <a href="https://www.cloudflare.com/campaigns/usa/">Cloudflare for Campaigns</a>, Cloudflare <a href="/2024-the-year-of-elections/">observed</a> an increase in traffic to US election and non-profit websites during the run-up to elections, and then a significant spike on election day as seen in the graphs below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3eTYYud81rfX41IXRfrWWh/a96340cfda118dd262c348e9c18b2e72/image5.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/nAuiMdEaAqx2l5uHfm8dX/3954761369a4c0f8f812b3b1faa872ba/image4.png" />
            
            </figure><p>Cloudflare observed similar patterns for election information websites and news media during the first day of the <a href="/elections-france-2022/">2022 French Presidential elections</a> and during the <a href="/how-the-brazilian-presidential-elections-affected-internet-traffic/">Presidential elections in Brazil</a> that same year.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7FBQI7VgXXaQ19msbwD73S/13f94e64fde1ed3a01478f26becb628b/image3.png" />
            
            </figure><p><i>DNS traffic to election domains observed through Cloudflare’s 1.1.1.1 resolver in April 2022, during the first round of the French Presidential elections</i></p>
    <div>
      <h2>Coordinated efforts are key</h2>
      <a href="#coordinated-efforts-are-key">
        
      </a>
    </div>
    <p>The protection of election entities and related organizations and institutions is a huge and complex task. As noted, this requires partnerships and collaboration between different actors, both public and private, with specific expertise. The work done by EU governments and agencies to prepare, be ready and collaborate on election security precautions as outlined above is both welcome and necessary in order to ensure free, fair and above all secure elections. This can only ever be a coordinated effort, with both governments and industry working together to ensure a robust response to any threats to the democratic process. For its part, Cloudflare is protecting a number of governmental and political campaign websites across the EU.</p><p>We want to ensure that all groups working to promote democracy around the world have the tools they need to stay secure online. If you work in the election space and need our help, please <a href="https://www.cloudflare.com/election-security/">get in touch</a>. If you are an organization looking for protection under Project Galileo, please visit our website at <a href="https://www.cloudflare.com/galileo/">cloudflare.com/galileo</a>.</p><p>More information about the European Union elections can be found <a href="https://elections.europa.eu/en/">here</a>. And if you are based in the EU, do not forget to vote!</p> ]]></content:encoded>
            <category><![CDATA[Athenian Project]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Election Security]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[European Union]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">6PR41u7uUwWw8DYLHhgy0m</guid>
            <dc:creator>Petra Arts</dc:creator>
        </item>
        <item>
            <title><![CDATA[All you need to know about the Digital Services Act]]></title>
            <link>https://blog.cloudflare.com/digital-services-act/</link>
            <pubDate>Mon, 19 Feb 2024 07:00:24 GMT</pubDate>
            <description><![CDATA[ February 17, 2024 marks the entry into force of a landmark piece of European Union (EU) legislation, affecting European users who create and disseminate online content as well as tech companies  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>February 17th, 2024 marked the entry into force of a landmark piece of European Union (EU) legislation, affecting European users who create and disseminate online content as well as tech companies who act as “intermediaries” on the Internet. I am talking of course about the EU <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R2065">Digital Services Act</a>, or DSA for short. The DSA was first proposed in December 2020, and is meant to update a 20-year-old law called the <a href="https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32000L0031">EU e-commerce Directive</a>, which provides important safeguards and legal certainty for all businesses operating online. The principles of that legal framework, most notably the introduction of EU-wide rules on intermediary liability, are still of major importance today. The DSA is a landmark piece of European legislation because it also sets out, for the first time, enhanced regulatory requirements for (large) digital platforms, thus affecting the entire Internet ecosystem.</p><p>At Cloudflare, we are supportive of the longstanding legal frameworks both in Europe and other parts of the world that protect Internet companies from liability for the content that is uploaded or sent through their networks by their users, subscribers or customers. These frameworks are indispensable for the growth of online services, and have been essential in the growth of online applications, marketplaces and social networks.</p>
    <div>
      <h3>What’s the Digital Services Act all about?</h3>
      <a href="#whats-the-digital-services-act-all-about">
        
      </a>
    </div>
    <p>The EU Digital Services Act consists of two main parts: First, the DSA maintains the strong liability protections for intermediary services that have existed in Europe for over 20 years, and modernizes them, including by giving explicit recognition of supporting Internet services. Services which perform important roles in the functioning of the Internet, such as CDNs, reverse proxies and technical services at the DNS level were not explicitly mentioned in the EU e-commerce Directive at the time. The DSA, in recital 28, recognises that those services, along with many others, are part of the fundamental fabric of the Internet and deserve protection against liability for any illegal or infringing content. This marks an important clarification milestone in EU law.</p><p>Secondly, the DSA establishes varying degrees of due diligence and transparency obligations for intermediary services that offer services in the EU. The DSA follows a ‘staggered’ or ‘cumulative’ approach to those obligations and the different services it applies to. This ranges from a number of detailed obligations for the largest platforms (so-called “Very Large Online Platforms” or VLOPs, <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_23_2413">such as</a> the Apple App Store, Facebook, TikTok, and YouTube), down to less extensive but still impactful rules for smaller platforms, hosting services and Internet intermediaries. What is really important to note with regard to the different service providers that are impacted is that the DSA clearly distinguishes between (technical) intermediary services, “mere” hosting services, and “online platforms”, with the latter category having a number of additional obligations under the new law. Online platform services are considered as hosting services which store information at the request of the recipients of the service, with the important additional role of also disseminating that information to the public.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/PmMxEDETGyjBPRrFQqCzc/6491dd32cf01629da6b14f11250d08aa/image1-10.png" />
            
            </figure><p>This proportionate approach is in line with <a href="https://www.cloudflare.com/trust-hub/abuse-approach/">Cloudflare’s view</a> of the Internet stack and the idea that infrastructure services are distinct from social media and search services that are designed to curate and recommend Internet content. This principle of a targeted, proportionate response to the matter is also embedded in the DSA itself. Recital 27 <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R2065#:~:text=Furthermore%2C%20where%20it,not%20illegal%20content.">states</a> that <i>“(...) any requests or orders for [such] involvement should, as a general rule, be directed to the specific provider that has the technical and operational ability to act against specific items of illegal content, so as to prevent and minimise (sic) any possible negative effects on the availability and accessibility of information that is not illegal content”.</i> This is an important provision, as principles of proportionality, freedom of speech, and access to information should be safeguarded at all times when it relates to online content.</p>
    <div>
      <h3>What do the new rules mean for Cloudflare?</h3>
      <a href="#what-do-the-new-rules-mean-for-cloudflare">
        
      </a>
    </div>
    <p>As a provider of intermediary services, Cloudflare has engaged with European policymakers on the topic of intermediary liability for a number of years. From the start of the legislative process on the proposed DSA in 2020 we have contributed extensively to public consultations, and have shared our views on the proposed DSA with lawmakers in Brussels.</p><p>In many ways, the final version of the law reflects our existing practices. We have long taken the position, for example, that our intermediary services should have different rules than our hosting services, as is anticipated under the DSA. We have taken a few additional measures to ensure compliance with DSA requirements. For instance, we’ve announced a new legal representative in the EU and <a href="https://www.cloudflare.com/eu-digital-services/">point of contact</a> for the purposes of the DSA.</p><p>Cloudflare has strongly believed in transparency reporting for a long time, and we have issued <a href="https://www.cloudflare.com/transparency/">transparency reports</a> twice a year since 2013. We recognize that the DSA includes some new requirements around transparency reporting, some of which match with our current reports and processes, and others that do not. We will be revising our transparency reporting, to reflect the DSA’s requirements, beyond our existing documentation. We have also taken steps to confirm that our limited hosting services comply with DSA requirements.</p><p>The EU Digital Services Act, because of its enhanced regulatory requirements for (large) digital platforms, represents a significant change to the Internet ecosystem. Cloudflare feels nonetheless well-prepared to address the different requirements that came into force on February 17, 2024, and we look forward to having positive and constructive conversations with relevant European regulators as they start to work on the enforcement of the new law.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">4Rd9hSjOtuwm51BY2zdqgZ</guid>
            <dc:creator>Petra Arts</dc:creator>
        </item>
        <item>
            <title><![CDATA[Digital Evidence Across Borders and Engagement with Non-U.S. Authorities]]></title>
            <link>https://blog.cloudflare.com/digital-evidence-across-borders-and-engagement-with-non-us-authorities/</link>
            <pubDate>Thu, 28 Feb 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ Since we first started reporting in 2013, our transparency report has focused on requests from U.S. law enforcement. Previous versions of the report noted that, as a U.S. company, we ask non-U.S. law enforcement agencies to obtain formal U.S. legal process before providing customer data.  ]]></description>
            <content:encoded><![CDATA[ <p>Since we first started reporting in 2013, our transparency report has focused on requests from U.S. law enforcement. Previous versions of the report noted that, as a U.S. company, we ask non-U.S. law enforcement agencies to obtain formal U.S. legal process before providing customer data.</p><p>As more countries pass laws that seek to extend beyond their national borders and as we expand into new markets, the question of how to handle requests from non-U.S. law enforcement has become more complicated. It seems timely to talk about our engagement with non-U.S. law enforcement and how our practice is changing. But first, some background on the changes that we’ve seen over the last year.</p>
    <div>
      <h3>Law enforcement access to data across borders</h3>
      <a href="#law-enforcement-access-to-data-across-borders">
        
      </a>
    </div>
    <p>The explosion of cloud services -- and the fact that data may be stored outside the countries of residence of those who generated it -- has been a challenge for governments conducting law enforcement investigations. A number of U.S. laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without U.S. legal process. To get access to electronic data stored outside their home borders, law enforcement agencies around the world have long used Mutual Legal Assistance Treaties (MLATs) that allow one country to ask for another country’s help to get access to evidence. Unfortunately, the MLAT process can be slow and cumbersome.</p><p>Countries frustrated by the inability of law enforcement to quickly gather evidence held outside their borders have taken matters into their own hands. Some have proposed laws mandating that important data about their citizens remain in country, where it can be easily accessed when requested. Others have proposed laws that would allow law enforcement to get access to data wherever it is stored, which puts companies in the position of potentially violating one country’s laws in order to comply with another’s.</p><p>In short, a new paradigm that allows law enforcement to access appropriate digital evidence across borders, with sufficient procedural safeguards to protect our users’ privacy and ensure due process, is long overdue.</p>
    <div>
      <h3>U.S. CLOUD Act</h3>
      <a href="#u-s-cloud-act">
        
      </a>
    </div>
    <p>In March 2018, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act as part of a large bill funding the government. The idea behind the law is that governments that protect their citizens’ due process rights and civil liberties should be able to get access to electronic content related to their citizens when conducting law enforcement investigations, wherever that data is stored.</p><p>The CLOUD Act anticipates that the U.S. government will enter into agreements with other countries’ governments to give each of the participating governments access to data stored in other participating countries for the purpose of investigating and prosecuting certain crimes. Under the law, the U.S. government will have to determine that a country has “robust substantive and procedural protections for privacy and civil liberties” before entering into an agreement with that country. After a country enters a formal agreement with the United States, U.S. companies would no longer be restricted by U.S. law from providing that country’s law enforcement with access to content data in response to a valid law enforcement request.</p><p>From a practical standpoint, the CLOUD Act envisions that U.S. companies like Cloudflare will be providing information directly to governments that have entered into agreements with the U.S. government. The idea is to change the relevant question away from “where is the data stored?” to “is the person being investigated a citizen or resident of the country asking for the information?”, recognizing every government’s right to investigate crimes that occur within its borders or affect its citizens.</p>
    <div>
      <h3>Movement in Europe</h3>
      <a href="#movement-in-europe">
        
      </a>
    </div>
    <p>Governments outside the United States have also moved forward with proposals that would provide law enforcement agencies authority to obtain information related to their citizens across borders. The United Kingdom, for example, has been working to update their laws and negotiate a bilateral agreement with the United States for access to data maintained by U.S. companies, consistent with the framework established in the CLOUD Act.</p><p>The European Union has also been active in moving forward with a framework on obtaining electronic evidence across borders. Much like the U.S. CLOUD Act, the European Commission’s eEvidence Regulation would allow EU Member States to seek digital evidence outside of their national borders provided that fundamental rights are protected. The European Commission also envisions entering into negotiations with U.S. authorities on data sharing arrangements under the mandate of EU Member States.</p>
    <div>
      <h3>So where does all of this leave us?</h3>
      <a href="#so-where-does-all-of-this-leave-us">
        
      </a>
    </div>
    <p>As a U.S. company that stores customer records inside the United States, Cloudflare has long held the view that non-U.S. governments should have to follow U.S. due process requirements in order to obtain any records about our customers. When non-U.S. governments have come to us requesting records, we have explained the nature of our service and, to the extent they were interested in obtaining data, encouraged them to submit a request to the U.S. Department of Justice through the MLAT process.</p><p>But it’s important to note that these processes serve an important function and are not just intended to delay the efforts of foreign law enforcement. They have helped us address some of the more challenging requests that we have seen. Let’s say, for example, law enforcement from an otherwise-respected nation sent us a court order demanding information about websites run by a vocal group of dissenters or even the organizers of a separatist referendum and also asked us to redirect that website to a location of their choosing. In that case, we would direct that foreign agency to submit an MLAT request. In situations like this, we might not receive subsequent legal process from the U.S. government, either because the government declined to ask the Department of Justice for an MLAT related to activity that could be viewed as political or because the Department of Justice declined to process it.</p><p>With the changing legal and policy landscape, as well as our increased presence in non-U.S. locations, we think it’s time to take a step towards the new framework that is taking shape.</p>
    <div>
      <h3>What type of information could we provide to non-US law enforcement?</h3>
      <a href="#what-type-of-information-could-we-provide-to-non-us-law-enforcement">
        
      </a>
    </div>
    <p>The overwhelming majority of information that U.S. law enforcement seeks from Cloudflare through legal process is what we consider to be basic subscriber data -- the type of information that customers give us when they sign up for service. That includes things like name, email address, physical address, phone number, the means and source of payment, and non-content information about a customer’s account, such as data about login times and IP addresses used to login to the account.</p><p>Although we consider this account information to be private customer data, worthy of protection, we share the commonly held view that it is less sensitive than information considered to be content, such as email communications or documents created by users. In fact, U.S. law allows law enforcement to compel us to provide basic subscriber data with a subpoena, a type of legal process that does not require prior judicial review.</p><p>Recent policy discussions have convinced us that there may be situations where it is appropriate to provide this type of basic subscriber information to non-U.S law enforcement in response to non-U.S. legal process similar to a subpoena, a view in line with that of many other tech companies. We may therefore respond to requests for subscriber information if a government is seeking information about a crime in its country or about its citizens, we have employees in the country, and appropriate due process requirements and international standards have been met. We will also consider whether the country has signed a CLOUD Act agreement with the United States.</p><p>The CLOUD Act and other existing U.S. laws govern the provision of more sensitive, content data to non-U.S. law enforcement. U.S. companies are legally prohibited from providing content data to a non-U.S. government absent a U.S. CLOUD Act agreement with that country. 
Given the nature of our service, however, we rarely have records that constitute content that we could provide to law enforcement regardless of jurisdiction.</p>
    <div>
      <h3>Overall Principles We Follow</h3>
      <a href="#overall-principles-we-follow">
        
      </a>
    </div>
    <p>When we talk about our relationship with law enforcement, we often say that it is not Cloudflare's intent to make law enforcement's work any harder or any easier. We respect both that law enforcement agencies have a job to do and that our customers have rights relating to how their data is shared with law enforcement.</p><p>Regardless of what government is asking, there are certain standards we believe must be followed before we turn over customer data. Our goal is to maintain a healthy and open relationship with law enforcement officials so that they understand and respect our positions on each of these standards. The principles which remain important to us are as follows:</p><ul><li><p><b>Require Due Process.</b> Cloudflare requires government entities seeking access to personal customer information to obtain appropriate legal process, including prior independent judicial review of any request for content.</p></li><li><p><b>Provide Notice.</b> We believe our customers deserve to be notified when we receive legal requests for their information, whether the requests come from law enforcement or private parties involved in civil litigation. We will provide that notice before we disclose the information, unless prohibited by law.</p></li><li><p><b>Protect Privacy and User Rights.</b> Whether inside or outside the United States, Cloudflare will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued. This includes requests to delay or prevent notice that appear unnecessarily broad, given the government interests at stake.</p></li><li><p><b>Be Transparent.</b> We believe the ability to report on the numbers and types of requests that we get from law enforcement, as well as how we respond, is critical to building trust with our customers. 
We will fight requests that unnecessarily restrict our ability to be transparent with our users.</p></li></ul><p>Consistent with the last standard, we also intend to update our transparency report to reflect any requests that we receive from non-U.S. law enforcement authorities, whether for user information or anything else.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Abuse]]></category>
            <category><![CDATA[Due Process]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">4YcHdL78G4t1QL1hKNYsbS</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Out of the Clouds and into the weeds: Cloudflare’s approach to abuse in new products]]></title>
            <link>https://blog.cloudflare.com/out-of-the-clouds-and-into-the-weeds-cloudflares-approach-to-abuse-in-new-products/</link>
            <pubDate>Wed, 27 Feb 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ In a blogpost yesterday, we addressed the principles we rely upon when faced with numerous and various requests to address the content of websites that use our services.  ]]></description>
            <content:encoded><![CDATA[ <p>In a <a href="/unpacking-the-stack-and-addressing-complaints-about-content/">blogpost</a> yesterday, we addressed the principles we rely upon when faced with numerous and various requests to address the content of websites that use our services. We believe the building blocks that we provide for other people to share and access content online should be provided in a content-neutral way. We also believe that our users should understand the policies we have in place to address complaints and law enforcement requests, the type of requests we receive, and the way we respond to those requests. In this post, we do the dirty work of addressing how those principles are put into action, specifically with regard to Cloudflare’s expanding set of features and products.</p>
    <div>
      <h3>Abuse reports and new products</h3>
      <a href="#abuse-reports-and-new-products">
        
      </a>
    </div>
    <p>Currently, we receive abuse reports and law enforcement requests on fewer than one percent of the more than thirteen million domains that use Cloudflare’s network. Although the reports we receive run the gamut -- from phishing, malware or other technical abuses of our network to complaints about content -- the overwhelming majority are allegations of copyright violations or violations of other intellectual property rights. Most of the complaints that we receive do not identify concerns with particular Cloudflare services or products.</p><p>In the last year or so, we’ve also launched a variety of new products, including our video product (<a href="https://www.cloudflare.com/products/stream-delivery/">Cloudflare Stream</a>), a serverless edge computing platform (<a href="https://www.cloudflare.com/products/cloudflare-workers/">Cloudflare Workers</a>), a <a href="https://www.cloudflare.com/products/registrar/">self-serve registrar service</a>, and a privacy-focused recursive resolver (<a href="https://1.1.1.1/">1.1.1.1</a>), among others. Each of these services raises its own complex set of questions.  </p><p>There is no one-size-fits-all solution to address possible abuse of our products. Different types of services come with different expectations, as well as different legal and contractual obligations. Yet as we discussed in relation to our focus on transparency on <a href="/cloudflare-transparency-update-joining-cloudflares-flock-of-warrant-canaries-2/">Monday</a>, being fully transparent means being consistent and predictable so our users can anticipate how we will respond to new situations.</p>
    <div>
      <h3>Developing an approach to abuse</h3>
      <a href="#developing-an-approach-to-abuse">
        
      </a>
    </div>
    <p>To help us sort through how to address both complaints and law enforcement requests, when we introduce new products or features, we ask ourselves four basic sets of questions about the relationship between the service we’re providing and potential complaints about content:</p><ul><li><p>First, how are Cloudflare’s services interacting with the website content? For example, are we doing anything more than providing security and acting as a reliable conduit from one location to another?  Are we providing definitive storage of content? Did we provide the website its domain name through our registrar service? Is the Cloudflare service or product doing anything that could be seen as organizing, analyzing, or promoting content?</p></li><li><p>Second, what type of action might a law enforcement or private complainant want us to take and what are the consequences of it?  What sort of information might law enforcement request -- private information about the user, content of what was sent over the Internet, or logs that would track activity?  Will third parties request information about a website; would they request removal of content from the Internet? Would removing our services address the problem presented?</p></li><li><p>Third, what laws, regulations or contractual requirements apply? Does the nature of our interaction with the online content impact our legal obligations? Has the law enforcement request or regulation satisfied basic principles of the rule of law or due process?</p></li><li><p>Fourth, will our response to the matter presented scale to address the variety of different requests or complaints we may receive over time, covering a variety of different subject matters and viewpoints? Can we craft a principled and content-neutral process to respond to the request? 
Would our response have an overbroad impact, either by impacting more than the problematic content or changing the Internet in jurisdictions beyond the one that has issued the law or regulation at issue?</p></li></ul><p>Although those preliminary questions help us determine what actions we must take, we also do our best to think about the broader implications on the Internet of any steps we might take to address complaints.</p>
    <div>
      <h2>So how does this work in practice?</h2>
      <a href="#so-how-does-this-work-in-practice">
        
      </a>
    </div>
    
    <div>
      <h3>Response to abuse complaints for customers using our proxy and CDN services</h3>
      <a href="#response-to-abuse-complaints-for-customers-using-our-proxy-and-cdn-services">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7fYyp9YRicdb7b4tQSIBnS/6ae08708e364e32a5c907f04d1b2459c/image5.png" />
            
            </figure><p>People often come to Cloudflare with abuse complaints because our network sits in front of our customers’ sites in order to protect them from cyber attacks and to improve the performance of their website.</p><p>There aren’t a lot of laws or regulations that impose obligations to address content on those providing security or <a href="https://www.cloudflare.com/learning/cdn/what-is-a-cdn/">CDN services</a>, for good reason. Most people complaining about content are looking for someone who can take that content off the Internet entirely. As we’ve talked about on <a href="/thoughts-on-abuse/">other</a> <a href="/anonymity-and-abuse-reports/">occasions</a>, Cloudflare is unable to remove content that we don’t host, so we therefore try to make sure that the complaint gets to its intended audience -- the hosting provider who has the ability to remove the material from the Internet. As described on <a href="https://www.cloudflare.com/abuse/">our abuse page</a>,  complaining parties automatically receive information about how to contact the hosting provider, and unless the complaining party requests otherwise, abuse complaints are automatically forwarded to both the website owner and the hosting company to allow them to take action.</p><p>This approach has another benefit, consistent with the fourth set of questions we ask ourselves. It prevents addressing content with an unnecessarily blunt tool. Cloudflare is unable to remove its security and CDN services from only a sliver of problematic content on a website.  If we remove our services, it has to be from an entire domain or subdomain, which may cause considerable collateral damage. For example, think of the vast array of sites that allow individual independent users to upload content (“user generated content”). 
A website owner or host may be able to curate or deal with specific content, but if companies like Cloudflare had to respond to allegations of abuse by a single user’s upload of a single piece of concerning content by removing our core services from an entire site, and making it vulnerable to a cyberattack, those sites would be much more difficult to operate and the content contributed by all other users would be put at risk.</p><p>Similarly, there are a number of different infrastructure services that cooperate to make sure each connection on the Internet can happen successfully – DNS, <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">registrars</a>, registries, security, etc.  If each of the providers of those services, any one of which could put the entire transmission at risk, is applying blunt tools to address content, then the aperture of what content will stay online will get smaller and smaller. Those are bad results for the Internet. Actions to address troubling content online should focus narrowly on the actual concern to avoid unintended collateral consequences.</p><p>While we are unable to remove content we do not host, we are able to take steps to address abuse of our services, such as phishing and malware attacks. Phishing attacks typically fall into two buckets -- a website that has been compromised (unintentional phishing) or a website solely dedicated to intentionally misleading others to gather information (intentional phishing). These buckets are treated differently.</p><p>We discussed earlier that we aim to use the most precise tools possible when addressing abuse, and we take a similar approach for unintentional phishing content. If a website has been compromised (typically an outdated CMS) we can place a warning interstitial page in front of that specific phishing content to protect users from accidentally falling victim to the attack. 
In the majority of situations, this action is taken at a URL level of granularity.</p><p>In the case of intentional phishing attacks, such as a domain like my-totally-secure-login-page{.}com combined with our Trust &amp; Safety team being able to confirm the presence of phishing content on the website, we take broader action, including a domain-wide interstitial warning page (effectively *my-totally-secure-login-page{.}com/*), and in some cases we may terminate our services to the intentionally malicious domain. To be clear, though, this does not remove the phishing content that remains hosted by the website’s hosting provider. Ultimately, action still needs to be taken by the website owner or hosting provider to fully remove the underlying issue.</p>
    <div>
      <h3>Response to complaints about content stored definitively on our network</h3>
      <a href="#response-to-complaints-about-content-stored-definitively-on-our-network">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Mz81IWy2rQJhZgHnVwXJ9/df8e0f2ec7ca2a0d1240131009164bbc/image4.png" />
            
            </figure><p>We think our approach requires a different set of responses for the small, but growing, number of Cloudflare products that include some sort of storage. Cloudflare Stream, for example, allows users to store, transcode, distribute and playback their videos. And Cloudflare Workers may allow users to store certain content at the edge of our network without a core host server. Although we are not a website hosting provider, these products mean we may be the only place where a certain piece of content is stored in some cases.  </p><p>When we are the definitive repository for content through any of our services, Cloudflare will carefully review any complaints about that content and may disable access to it in response to a valid legal takedown request from either government or private actors. Most often, these legal takedown requests are from individuals alleging copyright infringement.  Under the U.S. Digital Millennium Copyright Act, there is a specific process online storage providers follow to remove or disable access to content alleged to infringe copyright and provide an opportunity for those who post the material to contest that it is infringing. We have already begun implementing this process for content stored on our network.  That’s why we’ve begun a new section of our <a href="https://cloudflare.invisionapp.com/share/RUPOO3MPDKH#/screens">transparency report</a> on requests for content takedown pursuant to U.S. copyright law for content that is stored on our network.  </p><p>We haven’t received any government requests yet to take down content stored on our network. Given the significant potential impact on freedom of expression from a government ordering that content be removed, if we do receive those requests in the future, we will carefully analyze the factual basis and legal authority for the request.  
If we determine that the order is valid and requires Cloudflare action, we will do our best to address the request as narrowly as possible, for example, by clarifying overbroad requests or limiting blocking of access to the content to those areas where it violates local law, a practice known as “geo-blocking”. We will also update our transparency report on any government requests that we receive in the future and any actions we take.</p>
    <div>
      <h3>Response to complaints about our registrar service</h3>
      <a href="#response-to-complaints-about-our-registrar-service">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6FxcoT7686OkzBPJTPM7tN/ed90c776932edafbc6b95d59377d1703/registrar.png" />
            
            </figure><p>If you sign up for our self-serve registrar service, you’re legally bound by the terms of our contract with the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization responsible for coordinating unique Internet identifiers across the world, as well as our contract with the relevant domain name registry.</p><p>Our registrar-focused <a href="https://www.cloudflare.com/products/registrar/abuse/">web page</a> for abuse reporting does not reference abuse complaints about a website’s content. In our role as a domain registrar, Cloudflare has no control or ability to remove particular content from a domain. We would be limited to simply revoking or suspending the domain registration altogether, which would remove the website owner’s control over the <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/">domain name</a>. Such actions would typically only be done at the direction of the relevant domain name registry, in accordance with their registration rules associated with the <a href="https://www.cloudflare.com/learning/dns/top-level-domain/">Top Level Domain</a>, or more usually to address incidents of abuse as raised by the registry or ICANN. We therefore treat content-related complaints submitted based on our registrar services the same way we treat complaints about content for sites using our CDN or proxy services. We forward them to the website owner and the website hosting company to allow them to take action or we work in tandem with the relevant registry and at their direction.</p><p>Running a registrar service comes with other legal obligations. As an ICANN accredited registrar, part of our contractual obligations includes adhering to third-party dispute resolution processes regarding trademark disputes, as handled by providers such as the World Intellectual Property Organization (WIPO) and the National Arbitration Forum. 
Also, we continue to be part of the ICANN community discussions on how best to handle the collection, publication and provision of access to personal data in the WHOIS database in a manner consistent with the EU’s General Data Protection Regulation (GDPR) and other privacy frameworks. We will provide more updates on that front when the discussions have ripened.</p>
    <div>
      <h3>Response to complaints about IPFS</h3>
      <a href="#response-to-complaints-about-ipfs">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5T3SHdqfJMZSvtb0C4LBbo/84cd4798a1cb309eeae75972d2a3ca8e/ipfs.png" />
            
            </figure><p>Back in September, we <a href="/distributed-web-gateway/">announced</a> that Cloudflare would be providing a gateway to the InterPlanetary File System (IPFS). Cloudflare’s IPFS gateway is a way to access content stored on the IPFS peer-to-peer network. Because Cloudflare is not acting as the definitive storage for the IPFS network, we do not have the ability to remove content from that network. We simply operate as a cache in front of IPFS, much as we do for our more traditional customers.</p><p>Because content is stored on potentially dozens of nodes in IPFS, if one node that was caching content goes down, the network will just look for the same content on another node. That fact makes IPFS exceptionally resilient. That same resilience, however, means that unlike with our traditional customers, with IPFS, there is no single host to inform of a complaint about content stored on the IPFS network. Cloudflare often has no knowledge of who owns the content being accessed through the gateway, and this makes it impossible to notify the specific owner when we receive a complaint.</p><p>The law hasn’t yet quite caught up with distributed networks like IPFS, and there’s a notable debate among IPFS users about how best to deal with abuse. Some argue that having problematic content stored on IPFS will discourage adoption of the protocol, and advocate for the development of lists of problematic hashes that IPFS gateways could choose to block. Others point out that any mechanism intended to block IPFS content will itself be subject to abuse. We don’t have the answer to that debate, but it does demonstrate to us the importance of being thoughtful about how we proceed.</p><p>For the time being, our plan is to respond to U.S. court orders that require us to clear our cache of content stored on IPFS. 
More importantly, however, we intend to report in future transparency reports on any law enforcement requests we receive to clear our IPFS cache, to ensure continued public discussion.</p>
    <div>
      <h3>Cloudflare Resolvers: 1.1.1.1 and Resolver for Firefox</h3>
      <a href="#cloudflare-resolvers-1-1-1-1-and-resolver-for-firefox">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/atuUDCyhmzyh4RqbtOd6U/76647f964b85043f8d1296e5dd038dfd/1111-1.gif" />
            
            </figure><p>In April of last year, we <a href="/announcing-1111/">launched</a> our first DNS resolver, 1.1.1.1. In June, we partnered with Mozilla to provide direct DNS resolution from within the Firefox browser using the Cloudflare Resolver for Firefox. Our goal with both resolvers was to develop fast DNS services that were focused on user privacy.</p><p>We often get questions about how we deal with both abuse complaints and law enforcement requests related to our resolvers. Both of our resolvers are intended to provide only direct DNS resolution. In other words, Cloudflare does not block or filter content through either 1.1.1.1 or the Cloudflare Resolver for Firefox. If Cloudflare were to receive a request from a law enforcement or government agency to block access to domains or content through one of our resolvers, Cloudflare would fight that request. At this point, we have not yet received any government requests to block content through our resolvers. Cloudflare would also document any request to block content from our resolvers in our semi-annual transparency report, unless we were legally prohibited from doing so.</p><p>Similarly, Cloudflare has not received any government requests for data about the users of our resolvers, and would fight such a request if necessary. Given our public commitment not to retain any personally identifiable information for more than 24 hours, we believe it is unlikely that we would have any information even if asked. Nonetheless, if we were to receive a government request for data about a resolver user, we would document the request in our transparency report, unless legally prohibited from doing so.</p>
    <div>
      <h3>The long road ahead</h3>
      <a href="#the-long-road-ahead">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/52nr5Co31KS2aVzil4x90h/c2d650f2d18ca8c78d0a13a9148a9603/road.png" />
            
            </figure><p>Although new products offered by Cloudflare in the future, as well as the legal and regulatory landscape, may change over the years, we expect that our approach to thinking about new products will stand the test of time. We’re guided by some central principles -- allowing our infrastructure to be as neutral as possible, following the rule of law or requiring due process, being open about what we’re doing, and making sure that we’re consistent regardless of the wide variety of issues we face. And we will work hard to make sure that doesn’t change, because even the smallest tweaks to the way we do things can have a significant impact at the scale we operate.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Abuse]]></category>
            <category><![CDATA[Due Process]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">3TokDJcXCygYPTjnifbwUM</guid>
            <dc:creator>Justin Paine</dc:creator>
        </item>
        <item>
            <title><![CDATA[Unpacking the Stack and Addressing Complaints about Content]]></title>
            <link>https://blog.cloudflare.com/unpacking-the-stack-and-addressing-complaints-about-content/</link>
            <pubDate>Tue, 26 Feb 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ Although we are focused on protecting and optimizing the operation of the Internet, Cloudflare is sometimes the target of complaints or criticism about the content of a very small percentage of the more than thirteen million websites that use our service. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Although we are focused on protecting and optimizing the operation of the Internet, Cloudflare is sometimes the target of complaints or criticism about the content of a very small percentage of the more than thirteen million websites that use our service. Our termination of services to the Daily Stormer website a year and a half ago drew significant attention to our approach to these issues and prompted a lot of thinking on our part.  </p><p>At the time, Matthew <a href="/why-we-terminated-daily-stormer/">wrote</a> that calls for service providers to reject some online content should start with a consideration of how the Internet works and how the services at issue up and down the stack interact with that content. He tasked Cloudflare’s policy team with engaging broadly to try and find an answer. With some time having passed, we want to take stock of what we’ve learned and where we stand in addressing problematic content online.  </p>
    <div>
      <h3>The aftermath of the Daily Stormer decision</h3>
      <a href="#the-aftermath-of-the-daily-stormer-decision">
        
      </a>
    </div>
    <p>The weeks immediately following the decision in August 2017 were filled with conversations. Matthew made sure the Cloudflare team accepted every single invitation to talk about these issues; we didn’t simply put out a press release or “no comment” anyone. Our senior leadership team spoke with the media and with our employees -- some of whom had received threats related both to Cloudflare’s provision of services to the Daily Stormer and to the termination of those services. On the policy side, we spoke with a broad range of ideologically-diverse advocacy groups who reached out to alternatively congratulate us or chastise us for the decision.</p><p>As the time stretched into months, the conversations changed. We spoke with organizations who have made it their mission to fight hate and intolerance, with human rights organizations that depend on access to the Internet, with tech companies doing their best to moderate content, with academics who think about and research all aspects of content online, and with interested government and non-governmental organizations on two continents. In the end, we spoke with hundreds of different experts, groups, and entities about how different companies and different types of services address troubling content at different places in the Internet stack.  </p><p>Our overwhelming sense from these conversations is that the Internet, and the industry that has grown up around it, is at a crossroads. Policy makers and the public are rightly upset about misuse of the Internet.  We heard repeatedly that the world is moving away from the Internet as a neutral platform for people to express themselves and access information. Many governments and many of the constituents they represent appear to want the Internet cleaned up and stripped of troubling content through any technical means necessary, even if it means that innovation will be stifled and legitimate voices will be silenced. 
And companies large and small seem to be going along with it.</p>
    <div>
      <h3>Moving forward</h3>
      <a href="#moving-forward">
        
      </a>
    </div>
    <p>We’ve thought long and hard about what’s next both for us and the Internet in general. Although we share concerns about the exploitation of online tools, we are convinced that there are ways forward that do not shortchange the security, availability, and promise of the Internet.</p><p>We think the right solution will take us out of the clouds and into the weeds. We have to figure out what core functions need to be protected to have the Internet we want, and we will have to get away from the idea that there’s a one-size-fits-all solution that will address the problems we see. If we really want to address risks online while maintaining the Internet as a forum for communication, commerce, and free expression, different kinds of services are going to have to deal with abuse differently.</p><p>The more we talked to people, the more that we saw a fundamental split on the Internet between the services that substantively touch content and the infrastructure services that do not. It’s possible that, as a company that provides largely infrastructure services ourselves, we were looking for this distinction. But we believe the distinction is real and helps explain why different businesses make distinctly different choices. As we discuss in our blog posts on transparency this week, the approach to questions about abuse complaints will mean different things for different Cloudflare products. Although we are not at the point yet where Cloudflare’s products organize, analyze, or promote content, we are aware that this conclusion may have implications for us in the future.</p>
    <div>
      <h3>Content curators</h3>
      <a href="#content-curators">
        
      </a>
    </div>
    <p>The Internet has revolutionized the way we communicate and access information. Because of the way the Internet works, everyone online has the opportunity to create and consume the equivalent of their own newspaper or television network. Almost any content you could want is available, if you can find it. That idea is at the heart of the divide between services that curate content -- like social media platforms and search engines -- and basic Internet infrastructure services.</p><p>Content curators make content-based decisions for a business purpose. For a search engine, that might mean algorithmically reviewing content to best match what is sought by the user. For a social media site, it might be a review of content to help predict what content the user will want to see next or what advertising might be most appealing.</p><p>For these types of online products, users understand and generally expect that the services will vary based on content. Different search engines yield different results; different social media platforms will promote different content for you to review. These services are the Internet’s equivalents of the very small circle of newspaper editors or television network executives of old, making decisions about what you see online based on what they think you’ll want to see.</p><p>The value in these content curator services depends on how well they analyze, use, and make judgments about content. From a business perspective, that means that these services want the flexibility to include or exclude particular content from their platforms. For example, it makes perfect sense for a platform that advertises itself as building community to have rules that prevent the community from being disrupted with hate-filled messages and disturbing content.</p><p>We should expect content curator services to moderate content and should give them the flexibility to do so. 
If these services are transparent about what they allow and don’t allow, and how they make decisions about what to exclude, they can be held accountable the same way people hold other businesses to account. If people don’t like the judgments being made, they can take their business to a platform or service that’s a better fit.</p>
    <div>
      <h4>Basic Internet infrastructure services</h4>
      <a href="#basic-internet-infrastructure-services">
        
      </a>
    </div>
    <p>Basic Internet services, on the other hand, facilitate the business of other providers and website owners by providing infrastructure that enables access to the Internet.  These types of services -- which Matthew described in detail in the Daily Stormer <a href="/why-we-terminated-daily-stormer/">blog post</a> -- include telecommunications services, hosting services, domain name services such as registry and <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">registrar services</a>, and services to help optimize and secure Internet transmissions. The core expertise of these services is not content analysis, but providing the infrastructure needed for someone else to develop and analyze that content.</p><p>Because people expect these infrastructure services to be used to provide technical access to the Internet, the notion that these numerous services might be used to monitor what you’re doing online or make decisions about what content you should be entitled to access feels like a misuse, or even an invasion of privacy.</p><p>Internet infrastructure is a lot like other kinds of physical infrastructure.  At some basic level, we believe that everyone should be allowed to have housing, electricity or telephone, no matter what they plan to do with those services. Or that individuals should be able to send packages through FedEx or walk down the street wearing a backpack with a reasonable expectation they won’t be subject to unfounded search or monitoring. Much as we believe that the companies that provide these services should provide services to all, not just those with whom they agree, we continue to believe that basic internet infrastructure services, which provide the building blocks for other people to create and access content online, should be provided in a content-neutral way.</p>
    <div>
      <h3>Complicated companies</h3>
      <a href="#complicated-companies">
        
      </a>
    </div>
    <p>Developing different expectations for content curation services and infrastructure services is tougher than it seems. Behemoths best known for content curation services often provide infrastructure services as well. Alphabet, for example, provides content-neutral infrastructure services to millions of customers through Google Cloud and Google Domains, while also running one of the world’s largest content-curated sites in YouTube. And even if companies try to distinguish their infrastructure from content curation services, their customers may not.</p><p>In a world where content needs to be on a large network to stay online, there are only a handful of companies that can meet that need. Reducing that handful to those — like Cloudflare — that fall solely into the infrastructure bucket makes the number almost impossibly small. That is why we want to do a better job talking about differences in expectations not by company, but by service.</p><p>And maybe we should also recognize that having only a small number of companies with robust enough networks to keep content online--most of which do content curation--is part of the problem. If you believe that the only way to be online is to be on a platform that curates content, you’re going to be rightly skeptical of that company’s right to take down content that they don’t want on their site. That doesn’t mean that a business that depends on analyzing content has to stop doing it, but it does make it that much more important that we have neutral infrastructure. It might be impossible for an alternate platform to be built, and for certain voices to have a presence online, without it.</p><p>The good news is that we’re not alone in our view of the fundamental difference between content curators and Internet infrastructure services. 
From the <a href="https://www.cloudflare.com/cloudflare-criticism/">criticism</a> we received for the Daily Stormer decision, to the <a href="https://www.techdirt.com/articles/20180819/00455840462/forget-about-social-media-content-moderation-get-ready-internet-infrastructure-content-moderation.shtml">commentary</a> of Mike Masnick at Techdirt, to the academic <a href="https://poseidon01.ssrn.com/delivery.php?ID=542020096000010096112083068071071102026044031032057003066126104028004098107027115066031056003008104040034096120064104017001089027091046046045108074101107103092011090089081106023090018070113114080075019004126030099064009084090096086093025085031070005&amp;EXT=pdf">analysis</a> of Yale Law Professor Jack Balkin, to the <a href="https://cyberstability.org/research/call-to-protect/">call</a> of the Global Commission on the Security of Cyberspace (GCSC) to protect the “public core” of the Internet, there’s an increasing awareness that not protecting neutral Internet infrastructure could undermine the Internet as we know it.</p>
    <div>
      <h3>Thoughts on due process</h3>
      <a href="#thoughts-on-due-process">
        
      </a>
    </div>
    <p>In his blog post on the Daily Stormer decision, Matthew talked about the importance of due process, the idea that you should be able to know the rules a system will follow if you participate in that system. But what we’ve learned in our follow up conversations is that due process has a different meaning for content curators.</p><p>There has been a clamor for companies like Facebook and Google to explain how they make decisions about what to show their users, what they take down, and how someone can challenge those decisions. Facebook has even developed an “Oversight Board for Content Decisions” -- dubbed as Facebook’s supreme court -- that is empowered to oversee the decisions the company makes based on its terms of service. Given that this process is based on terms of service, which the company can change at will to accommodate business decisions, this mostly seems like a way to build confidence in the company’s decision-making process. Instituting an internal review process may make users feel that the decisions are less arbitrary, which may help the company keep people in their community.</p><p>That idea of entirely privatized due process may make sense for content curators, who make content decisions by necessity, but we don’t believe it makes sense for those that provide infrastructure services. When access to basic Internet services is on the line, due process has to mean rules set and adjudicated by external decision-makers.</p>
    <div>
      <h3>Abuse on Internet infrastructure</h3>
      <a href="#abuse-on-internet-infrastructure">
        
      </a>
    </div>
    <p>Although we don’t believe it is appropriate for Cloudflare to decide what voices get to stay online by terminating basic Internet services because we think content is a problem, that’s far from the end of the story. Even for Internet infrastructure, there are other ways that problematic content online can be, and is, addressed.</p><p>Laws around the world provide mechanisms for addressing particular types of content online that governments decide are problematic. We can save for another day whether any particular law provides adequate due process and balances rights appropriately, but at a minimum, those who make these laws typically have a political legitimacy that infrastructure companies do not.</p><p>Tomorrow, we’ll talk about how we are operationalizing our view that it’s important to get into the weeds by considering how different laws apply to us on a service-by-service and function-by-function basis.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Due Process]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">ZLdefAUX2U3eaijY9OeZe</guid>
            <dc:creator>Alissa Starzak</dc:creator>
        </item>
        <item>
            <title><![CDATA[Tracing Soon-to-Expire Federal .gov Certificates with CT Monitors]]></title>
            <link>https://blog.cloudflare.com/tracing-soon-to-expire-federal-gov-certificates-with-ct-logs/</link>
            <pubDate>Wed, 23 Jan 2019 09:13:59 GMT</pubDate>
            <description><![CDATA[ As of December 22, 2018, parts of the US Government have “shut down” because of a lapse in appropriation.  ]]></description>
            <content:encoded><![CDATA[ <p>As of December 22, 2018, parts of the US Government have “shut down” because of a lapse in appropriation. The shutdown has caused the furlough of employees across the government and has affected federal contracts. An unexpected side-effect of this shutdown has been the expiration of TLS certificates on some .gov websites. This side-effect has emphasized a common issue on the Internet: the usage of expired certificates and their erosion of trust.</p><p>For an entity to provide a secure website, it needs a valid <a href="https://www.cloudflare.com/application-services/products/ssl/">TLS certificate</a> attached to the website server. These TLS certificates have both start dates and expiry dates. Normally certificates are renewed prior to their expiration. However, if there’s no one to execute this process, then websites serve expired certificates--a poor security practice.</p><p>This means that people looking for government information or resources may encounter alarming error messages when visiting important .gov websites:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/JWkU4QPny2yCHCF0ddOvo/36f3a3cc60f50843456a51f1256f079c/cert_expired.png" />
            
            </figure><p>The content of the website hasn’t changed; it’s just the cryptographic exchange that’s invalid (an expired certificate can’t be validated). These expired certificates present a trust problem. Certificate errors often dissuade people from accessing a website, and imply that the site is not to be trusted. Browsers purposefully make it difficult to continue to an insecure website by hiding the “proceed” option under an “Advanced Settings/Actions” button. In the example above, people seeking aid in the wake of a natural disaster may not be able to access government websites with crucial information.</p><p>Conversely, some Internet users may get desensitized to certificate error messages. Seeing expired certificates on otherwise trusted websites will teach users to dismiss certificate errors and bypass them even when a certificate (and website) is genuinely unsafe. Moreover, keys should be rotated on a regular basis to minimize the amount of traffic made vulnerable by a key breach. To use expired certificates is to extend the use of a public-private key pair beyond its expected lifetime, and to open up more traffic to potential snooping.</p>
    <div>
      <h3>Tracking Expired .gov Certificates Using Certificate Transparency Monitors</h3>
      <a href="#tracking-expired-gov-certificates-using-certificate-transparency-monitors">
        
      </a>
    </div>
    <p><a href="https://techcrunch.com/2019/01/17/federal-https-domains-expire-government-shutdown/">TechCrunch recently published a list</a> of soon-to-expire certificates for .gov domains. To create this list, they iterated over a dataset of all federal .gov domains furnished by 18F, the federal government’s digital services unit. For each .gov domain on the list, they pulled its certificate and checked its expiration date. They then filtered out the state and local government .gov domains.</p><p>Relying on 18F for this list, however, introduces a single point of failure. What if 18F’s list was not up to date? What if 18F was shut down? What if 18F’s list is not conclusive? (Their list does not, in fact, include .gov subdomains.) One organization alone cannot be the provider of all truth about federal .gov sites. Third-party collections of .gov certificates would bolster the thoroughness and availability of expired certificate information.</p><p>Cloudflare's Certificate Transparency (CT) monitor, <a href="http://merkle.town">Merkle Town</a>, is one such third party. Around the same time as TechCrunch did its research, Cloudflare used Merkle Town to find .gov certificates nearing expiration. CT monitors are one part of the Certificate Transparency ecosystem. Certificate Transparency <b>Logs</b> are used to store all issued certificates on the Internet and hold Certificate Authorities accountable for the certificates they issue. This means that CT logs hold all issued .gov certificates, so one can consult them for an exhaustive list. Certificate Transparency <b>Monitors</b>, on the other hand, help keep the CT logs accountable as well as make their raw bulk data useful to the general public. In addition to Merkle Town, <a href="https://crt.sh/">crt.sh</a> and <a href="https://sslmate.com/certspotter/">Cert Spotter</a> are other examples of monitors.</p>
    <div>
      <h3>The Nitty-Gritty</h3>
      <a href="#the-nitty-gritty">
        
      </a>
    </div>
    <p>All the certificates that our monitor extracts from crawling CT logs are stored in an <a href="https://en.wikipedia.org/wiki/Apache_HBase">HBase</a> table. HBase is a database similar to Google’s Bigtable, and is designed for storing large amounts of data and running <a href="https://en.wikipedia.org/wiki/MapReduce">MapReduce</a> jobs. Using the MapReduce model, we wrote a small amount of code to look at each row of the database, parse the stored certificate and check if (1) it’s valid for a domain ending in “.gov” and (2) will expire in the next two months.</p><p>If (1) and (2) are true, the hostname, the name of the issuing certificate authority, and the expiration date were output.</p><p>Once the code was deployed, it took 90 minutes to scan over 1 billion unique certificates stored in all CT logs. This means that it was processing roughly 200,000 certificates per second!</p><p>The MapReduce job gave us an initial and comprehensive list. But just because a certificate was issued by a CA doesn’t mean that it’s being served. We did a second pass over the first list, this time actually contacting each domain and trying to complete a TLS handshake and observing if the old certificate was still being served. If so, the hostname was kept in the final list. If the handshake succeeded but a new certificate was being served, we discarded the hostname. If the handshake failed, the hostname was excluded and the error message was noted.</p><p>In our final dataset, we filter out .gov domains that correspond to state and local governments, as well as those federal government domains that appear to have been funded by earlier appropriations.</p><p><a href="https://docs.google.com/spreadsheets/d/1noWXyWA3PKHZ79F8HlE3AdX7HCscMrY8UKObYjUiZTI/edit?usp=sharing">Our results can be found here</a>.</p>
    <div>
      <h3>Unexpected Mis-Configurations</h3>
      <a href="#unexpected-mis-configurations">
        
      </a>
    </div>
    <p>As expected, a significant number of hostnames were excluded by the second pass because they had updated their certificates already. Another smaller number of hostnames were also excluded because those websites were unreachable or no longer operational. However, we also found many more hostnames than we expected with mis-configured TLS, even though they’re websites that seem to be for public consumption.</p><p>An example of this is <a href="https://cableplant.boulder.noaa.gov">https://cableplant.boulder.noaa.gov</a> which currently fails to load with this error:</p><blockquote><p>An error occurred during a connection to cableplant.boulder.noaa.gov. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG</p></blockquote><p>A subtler issue we found was with <a href="https://www.indianaffairs.gov/">https://www.indianaffairs.gov/</a> and <a href="https://www.volunteer.gov/">https://www.volunteer.gov/</a>. Our script was unable to validate the certificate chain for these websites, even though these websites seem to load fine in a browser. The reason is that these websites omit parts of their certificate chain which are necessary to verify that the certificate comes from a publicly trusted authority.</p><p>To improve page load times, browsers will often cache partial certificate chains on-disk. So even if a website does not send all of the necessary certificates, the browser may find what it needed in its cache, which has been well-populated by previous browsing activity. This is still just <b>cache</b>, though. It cannot be relied upon. In my case, after clearing my browser history, both of the websites above become inaccessible, same as for the script.</p>
    <div>
      <h3>How Can Domains Stop Presenting Expired Certificates?</h3>
      <a href="#how-can-domains-stop-presenting-expired-certificates">
        
      </a>
    </div>
    <p>The presence of expired .gov certificates means that either (1) .gov certificates are manually renewed, or (2) .gov certificates cost money to renew, and the shutdown prevented spending on this important web security measure.</p><p><a href="https://www.cloudflare.com/application-services/solutions/certificate-lifecycle-management/">Automatic certificate issuance</a> has become a standard for many domains, and services like Cloudflare offer automatic certificate renewal when you use <a href="https://www.cloudflare.com/ssl/">Universal SSL</a> or get a Cloudflare-issued certificate. CAs like Let’s Encrypt also offer automatic certificate renewal, which works as long as you run the certbot daemon on your webserver. Furthermore, automatic certificate renewal is free with both of these approaches.</p><p>Automating certificate renewals makes expired certificates and mis-configured TLS a problem of the past. We hope that this interesting blip with a few .gov certificates has encouraged domain owners to automate their certificate handling. If you haven’t automated your domain’s certificate renewal, try Universal SSL or Cloudflare certificates today!</p><p><i>Many thanks to Alissa Starzak for her help in filtering .gov domains for this blog post.</i></p> ]]></content:encoded>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[TLS]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Certificate Transparency]]></category>
            <guid isPermaLink="false">2VrdkIKoAUkcr4YHi0n8DW</guid>
            <dc:creator>Gabbi Fisher</dc:creator>
            <dc:creator>Brendan McMillion</dc:creator>
        </item>
        <item>
            <title><![CDATA[Sad start to the new year in the Democratic Republic of the Congo]]></title>
            <link>https://blog.cloudflare.com/sad-start-to-the-new-year-in-the-congo/</link>
            <pubDate>Wed, 02 Jan 2019 22:11:56 GMT</pubDate>
            <description><![CDATA[ The calendar has barely flipped to 2019 and already we’re seeing Internet disruptions. Today, Cloudflare can quantitatively confirm that Internet access has been shut down in the Democratic Republic of the Congo, information already reported by many press organisations. ]]></description>
            <content:encoded><![CDATA[ <p>The calendar has barely flipped to 2019 and already we’re seeing Internet disruptions.</p><p>Today, Cloudflare can quantitatively confirm that Internet access has been shut down in the Democratic Republic of the Congo, information already reported by <a href="https://www.cnn.com/2019/01/02/africa/congo-internet-shutdown-china-intl/index.html">many</a> <a href="https://www.bbc.co.uk/news/world-africa-46721168">press</a> <a href="https://www.france24.com/en/20190101-western-powers-urge-dr-congo-restore-internet-access">organisations</a>. This shutdown occurred as the presidential election was taking place on December the 30th, and continues as the results are published.</p><p>Sadly, this act is far from unprecedented. We have published many posts about events like this in the past, including a different post about roughly three days of <a href="/large-drop-in-traffic-from-the-democratic-republic-of-congo/">Internet disruption</a> in the Democratic Republic of the Congo less than a year ago. A painfully familiar shape can be seen on our network monitoring platform, showing that the traffic in the country is barely reaching a quarter of its typical level:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3ROF5FinXvyDAEQ0CCTrUc/5d608c6314bbc0cab32ec43cce860ff4/Typical-Level.png" />
            
            </figure><p>Note that the graph is based on UTC and Democratic Republic of the Congo’s capital Kinshasa has the timezone of GMT+1.</p><p>The drop in bandwidth started just before midday on 31 December 2018 (around 10:30 UTC, 11:30 local time in Kinshasa). This can be clearly seen if we overlay each 24 hour day over each other:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5V9UIffoCO9JV0X4SEIXjR/365d59c11333a0c2c41bbf4a428bf6a3/Day-over-Day-Comparison-1.png" />
            
            </figure><p>The red line is 31 December, the gray lines the previous eight days. Looking at today’s overlay bandwidth graph, we can confirm this has continued and is an abnormal behaviour.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1vAgqhbZ75w6isa2OnOaHE/8c2da6b8d0158f51110eb473416ed654/Day-over-Day-Comparison-2.png" />
            
            </figure><p>Other actors on the Internet have also been <a href="https://twitter.com/InternetIntel/status/1080465195024158720">reporting similar figures</a>. We hope that we can soon inform our readers that the country is connected to the Internet normally again.</p><p>While 85 million people live in the country, very few people have internet access (6.21% according to Wikipedia’s List of countries by number of Internet users <a href="https://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users">page</a>). The country is also very large (2,344,858 square kms or 905,355 sq miles) and the 11th largest country in the world - around a quarter the landmass of the USA and nearly twice as big as South Africa. Together with limited fiber deployment within the country, these facts mean that many places still use very limited and expensive satellite Internet access. We can see in our bandwidth graphs that traffic to these satellite-connected locations was not affected by this shutdown:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1f6bAOHtQemHykbRToyiSR/2a15a12baa54ed1f34c152406662c690/Bandwidth-Levels.png" />
            
            </figure><p>Note that the bandwidth levels are very low and represent a very small percentage of the overall traffic into Democratic Republic of the Congo.</p><p>Comparing that graph to the one from the largest mobile provider in the country, we clearly see the distinct cutoff.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6eOOOybv6MBPfdeavWoEni/ca929b7122c2427e24eec87cbd75b70c/Distinct-Cutoff.png" />
            
            </figure>
    <div>
      <h3>Repeated across the world</h3>
      <a href="#repeated-across-the-world">
        
      </a>
    </div>
    <p>15 months ago we wrote about an outage in <a href="/the-story-of-two-outages/">Togo</a>, where we noted that this adds Togo to the list of countries like <a href="/syrian-internet-access-appears-partially-rees/">Syria</a> (twice), Iraq, Turkey, Libya, Tunisia, etc. that have restricted or revoked Internet access. We have also written about unrest in <a href="/unrest-in-gabon-leads-to-internet-shutdown/">Gabon</a> (in 2016) and <a href="/will-autocrats-ever-learn-the-internet-blackout-in-gambia/">The Gambia</a> (also in 2016). In Gambia’s case, the incumbent president lost the election! In fact we wrote “<i>Rather than clamping down on the opposition by blocking the access to the Internet, it is quite possible that the blackout in Gambia may have infuriated voters and increased the vote against the president.</i>”. Let’s see what happens in Democratic Republic of the Congo.</p><p>We'll update this blog once we see changes to these traffic levels. The Congolese government <a href="https://www.reuters.com/article/us-congo-election/congo-cuts-internet-for-second-day-to-avert-chaos-before-poll-results-idUSKCN1OV1GL">says</a> they will restore internet access after election results are published on January 6th. That’s four days from now.</p>
    <div>
      <h3>Cloudflare’s Project Galileo and Athenian Project</h3>
      <a href="#cloudflares-project-galileo-and-athenian-project">
        
      </a>
    </div>
    <p>At Cloudflare, we’ll continue to do our part to try to ensure that vulnerable voices have access to the Internet. Cloudflare’s <a href="https://www.cloudflare.com/galileo/">Project Galileo</a> and <a href="https://www.cloudflare.com/athenian/">Athenian Project</a> help protect at risk websites -- such as those run by human rights organizations, journalists, and government entities reporting election results -- from being knocked offline by cyber attack.</p><p>We also support the principles for a <a href="https://contractfortheweb.org/">Contract for the Web</a>, which urge governments to commit to keeping all of the Internet available, all of the time, and Access Now’s <a href="https://www.accessnow.org/keepiton/">#KeepitOn campaign</a>. We can only hope that these efforts will yield more positive results in 2019.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Africa]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">55qoSYSRwORGCKUobTgWdm</guid>
            <dc:creator>Etienne Labaume</dc:creator>
            <dc:creator>Martin J Levy</dc:creator>
        </item>
        <item>
            <title><![CDATA[Large drop in traffic from the Democratic Republic of Congo]]></title>
            <link>https://blog.cloudflare.com/large-drop-in-traffic-from-the-democratic-republic-of-congo/</link>
            <pubDate>Mon, 22 Jan 2018 11:16:02 GMT</pubDate>
            <description><![CDATA[ It is not uncommon for countries around the world to interrupt Internet access for political reasons or because of social unrest. We've seen this many times in the past (e.g. Gabon, Syria, Togo).

Today, it appears that Internet access in the Democratic Republic of Congo has been greatly curtailed.  ]]></description>
            <content:encoded><![CDATA[ <p>It is not uncommon for countries around the world to interrupt Internet access for political reasons or because of social unrest. We've seen this many times in the past (e.g. <a href="/unrest-in-gabon-leads-to-internet-shutdown/">Gabon</a>, <a href="/syrian-internet-access-appears-partially-rees/">Syria</a>, <a href="/the-story-of-two-outages/">Togo</a>).</p><p>Today, it appears that Internet access in the Democratic Republic of Congo has been greatly curtailed. The BBC reports that <a href="http://www.bbc.co.uk/news/world-africa-42766151">Internet access in the capital, Kinshasa was cut on Saturday</a> and iAfrikan reports that <a href="https://www.iafrikan.com/2018/01/22/internet-accesss-blocked-in-the-democratic-republic-of-congo-drc/">the cut is because of anti-Kabila protests</a>.</p><p>Our monitoring of traffic from the Democratic Republic of Congo shows a distinct drop off starting around midnight UTC on January 21, 2018. Traffic is down to about 1/3 of its usual level.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6APHNVsa56VG5p7x6ZqCVF/7413a8c40b4e0503ca23d84eb11c6d60/Screen-Shot-2018-01-22-at-10.33.58-1.png" />
            
            </figure><p>We'll update this blog once we have more information about traffic levels.</p><p><b>Update January 24, 2018</b></p><p>Internet access in the Democratic Republic of Congo looks to have been restored with traffic returning to typical levels after roughly three days of disruption.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/IfKVKl5FPALvxjudHh9g4/9cf2eff7f2f7c89ebeb1ee3f840dccee/Screen-Shot-2018-01-24-at-12.48.20-PM.png" />
            
            </figure> ]]></content:encoded>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Africa]]></category>
            <guid isPermaLink="false">5FmA5NUNLFXltJwqIB1LZC</guid>
            <dc:creator>John Graham-Cumming</dc:creator>
        </item>
        <item>
            <title><![CDATA[Keeping your GDPR Resolutions]]></title>
            <link>https://blog.cloudflare.com/keeping-your-gdpr-resolutions/</link>
            <pubDate>Fri, 05 Jan 2018 20:04:05 GMT</pubDate>
            <description><![CDATA[ For many of us, a New Year brings a renewed commitment to eat better, exercise regularly, and read more (especially the Cloudflare blog). But as we enter 2018, there is a unique and significant new commitment approaching. ]]></description>
            <content:encoded><![CDATA[ <p>For many of us, a New Year brings a renewed commitment to eat better, exercise regularly, and read more (especially the Cloudflare blog). But as we enter 2018, there is a unique and significant new commitment approaching -- protecting personal data and complying with the European Union’s (EU) General Data Protection Regulation (GDPR).</p><p>As many of you know by now, the GDPR is a sweeping new EU law that comes into effect on May 25, 2018. The GDPR harmonizes data privacy laws across the EU and mandates how companies collect, store, delete, modify and otherwise process personal data of EU citizens.</p><p>Since our founding, Cloudflare has believed that the protection of our customers’ and their end users’ data is essential to our mission to help build a better internet.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6MrpL303n7UEGuWhnGTaXv/dbcd4dcd1fd7e6b9369b84ed4827e189/europe-1395916_1920.jpg" />
            
            </figure><p><a href="https://pixabay.com/p-1395916/?no_redirect">Image</a> by <a href="https://pixabay.com/en/users/GregMontani-1014946/">GregMontani</a> via <a href="https://commons.wikimedia.org/wiki/File:European_flag_in_Karlskrona_2011.jpg">Wikimedia Commons</a></p>
    <div>
      <h3>Need a Data Processing Agreement?</h3>
      <a href="#need-a-data-processing-agreement">
        
      </a>
    </div>
    <p>As we explained in a <a href="/advancing-privacy-protection-with-the-gdpr/">previous blog post</a> last August, Cloudflare has been working hard to achieve GDPR compliance in advance of the effective date, and is committed to help our customers and their partners prepare for GDPR compliance on their side. We understand that compliance with a new set of privacy laws can be challenging, and we are here to help with your GDPR compliance requirements.</p><p>First, we are committed to making sure Cloudflare’s services are GDPR compliant and will continue to monitor new guidance on best practices even after the May 25th, 2018 effective date. We have taken these new requirements to heart and made changes to our products, contracts and policies.</p><p>And second, we have made it easy for you to comply with your own obligations. If you are a Cloudflare customer and have determined that you qualify as a data controller under the GDPR, you may need a data processing addendum (DPA) in place with Cloudflare as a qualifying vendor. We’ve made that part of the process easy for you.</p>
    <div>
      <h4>This is all you need to do:</h4>
      <a href="#this-is-all-you-need-to-do">
        
      </a>
    </div>
    <ul><li><p>Instructions for completing our GDPR-compliant DPA can be found <a href="https://www.cloudflare.com/trust-hub/gdpr/">here</a>.</p></li><li><p>To complete the DPA, you should fill in the “Customer” information and sign on pages 6, 13, 15, and 19.</p></li><li><p>Send an electronic copy of the fully executed DPA to Cloudflare at <a>eu.dpa@cloudflare.com</a>.</p></li></ul><p>That’s it. Now you’re one step closer to GDPR compliance.</p><p>We can’t help you with the diet, exercise, and reading stuff. But if you need more information about GDPR and more resources, you can go to <a href="https://www.cloudflare.com/gdpr/introduction/">Cloudflare’s GDPR page</a>.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[GDPR]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">4crbAEYhnTIx5JOzMLeRew</guid>
            <dc:creator>Edo Royker</dc:creator>
        </item>
        <item>
            <title><![CDATA[The FCC Wants to Terminate Net Neutrality - Use Battle for the Net on Cloudflare Apps to Fight Back]]></title>
            <link>https://blog.cloudflare.com/battleforthenet/</link>
            <pubDate>Tue, 12 Dec 2017 03:00:00 GMT</pubDate>
            <description><![CDATA[ The Federal Communications Commission (FCC) has scheduled a vote to kill its net neutrality rules this Thursday, December 14th.  ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            <a href="https://www.cloudflare.com/apps/net-neutrality">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5DGonL2HNtOZ6xte5NNIhZ/bfde4c08d53f58312ae7e4e403932640/JPG-FFNN.jpg" />
            </a>
            </figure><p><b>TL;DR</b> - Net neutrality is under attack. There's <a href="https://www.cloudflare.com/apps/net-neutrality">an app</a> on <a href="https://www.cloudflare.com/apps/">Cloudflare Apps</a> that empowers site owners to host a popup on their sites, encouraging users to contact their congresspeople to fight back. Everyone should be doing this right now, before the December 14th FCC vote.</p><p><a href="https://www.cloudflare.com/apps/net-neutrality">Use Battle for the Net to Call your Congressperson »</a></p><p><a href="https://www.eventbrite.com/e/save-the-internet-net-neutrality-call-a-thon-cloudflare-tickets-39998496580?aff=blog">Attend Cloudflare's Save the Internet! Net Neutrality Call-A-Thon »</a></p><p>The <a href="https://www.fcc.gov/">Federal Communications Commission (FCC)</a> has scheduled a vote to terminate its net neutrality rules this Thursday, December 14th. Unfortunately, the expectation is that the FCC will vote to repeal its net neutrality rules. Read about this on <a href="http://www.businessinsider.com/fcc-net-neutrality-repeal-will-lead-to-higher-prices-fewer-choices-2017-12">Business Insider</a>, <a href="https://www.bloomberg.com/news/articles/2017-11-15/killing-net-neutrality-rules-is-said-readied-for-december-vote">Bloomberg</a>, or <a href="https://techcrunch.com/2017/11/16/fcc-reportedly-planning-vote-that-could-kill-net-neutrality-next-month/">TechCrunch</a>.</p><p>Net neutrality is the principle that networks should not discriminate against content that passes through them. The FCC’s net neutrality rules protect the Internet, users, and companies from abusive behavior by the largest Internet Service Providers (ISPs). Without net neutrality rules in place, ISPs may be able to legally create a "pay to play" system and charge websites to provide content to their customers more quickly. 
This will create a disadvantage for startups, bloggers, and everyone else who cannot afford to pay fees for their websites to offer faster service.</p><p><a href="https://www.cloudflare.com/">Cloudflare</a> founders and employees strongly believe in the principle of network neutrality. Cloudflare co-founder and COO <a href="https://twitter.com/zatlyn">Michelle Zatlyn</a> sat on the FCC's Open Internet Advisory Committee, which guided the FCC to vote to preserve net neutrality in 2015. Cloudflare co-founder and CEO <a href="https://twitter.com/eastdakota">Matthew Prince</a> and other employees have written four blog posts <a href="/moving-beyond-the-dc-circuit-court-decision-on-the-fccs-open-internet-order/">1</a>, <a href="/net-neutrality/">2</a>, <a href="/net-neutrality-day-of-action/">3</a>, <a href="/netneutrality-cloudflare-fftf/">4</a>, describing Cloudflare’s views on net neutrality.</p><p>I am extremely disappointed that net neutrality is under threat. I am extremely grateful that I work at a company made of people who are fighting for it and I'm hopeful our community (you) can make a difference.</p><p><b>Read, watch, listen, and learn much more about net neutrality and its importance below.</b></p><p>For now, here is my <a href="https://youtu.be/fpbOEoRrHyU">favorite video explanation</a> of net neutrality, by <a href="http://iamjohnoliver.com/">John Oliver</a>, host of <a href="https://www.hbo.com/last-week-tonight-with-john-oliver">Last Week Tonight</a> on HBO.</p><hr /><h3>Battle for the Net</h3><p>Because net neutrality is under attack, the <a href="https://www.cloudflare.com/apps/net-neutrality">Battle for the Net</a> app is once again live on <a href="https://www.cloudflare.com/apps/">Cloudflare Apps</a>. 
The app can be used to “Break the Internet” for the two days before the FCC’s vote, as part of an internet-wide protest.</p><p>This app allows site owners to add a pop-up to their sites that will directly connect users to their respective US congresspeople so they may articulate their stance for net neutrality.</p>
            <figure>
            <a href="https://www.cloudflare.com/apps/dvNRF2bh1fgh/install?version=2.0.1">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2DcbwJFLFoY9zu0w2X6SzE/eb44d424eeac78e3c05a17a3be179a3d/Screen-Shot-2017-11-16-at-6.38.51-PM.png" />
            </a>
            </figure><p>On a site that uses the Battle for the Net app, users are greeted with a pop-up which briefly explains that net neutrality is under attack, displays a countdown to the day and time (Thursday, December 14th) the FCC will vote to terminate the net neutrality rules, and provides an entry field for the user to enter their phone number.</p>
            <figure>
            <a href="https://www.cloudflare.com/apps/dvNRF2bh1fgh/install?version=2.0.1">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3apRHBYmQLSIBTJ8KbtGsv/178472d50f3c16790e226370a6206087/Screen-Shot-2017-11-16-at-7.10.17-PM.png" />
            </a>
            </figure><p>When a user enters their phone number and clicks the "CALL CONGRESS" button, they'll immediately receive an automated phone call from Battle for the Net. The recording instructs the user to enter their zip code, so they'll be connected to their specific congressperson.</p><p>Users may select the option to become a daily caller by pressing 1. This will initiate a process where users will receive calls at the same time each day, connecting them to their congresspeople.</p><p>To make one-time calls, users can just stay on the line. The recording delivers a recommended script to inform the congressperson on the line that the user supports net neutrality and wants the congressperson to contact FCC Chairman Pai and oppose the repeal.</p><p>Here's the written script:</p><p><b>Be polite, introduce yourself, and say: “I support the </b><i><b>existing</b></i><b> Title II net neutrality rules and I would like you to publicly oppose the FCC’s plan to repeal them.”</b></p><p>When done with the first call, users may press * to be directed to another call to their next congressperson.</p><p>I live in San Francisco, so my first call was directed to <a href="https://pelosi.house.gov/">Representative Nancy Pelosi</a>. My second call was directed to <a href="https://www.feinstein.senate.gov/public/">Senator Dianne Feinstein</a>.</p>
            <figure>
            <a href="https://www.cloudflare.com/apps/dvNRF2bh1fgh/install?version=2.0.1">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5ZXM0Q6YErbvD5HznJZyG6/53716f2f9a2db006cecb6400c60067ed/Net-Neutrality.gif" />
            </a>
            </figure><p>On Cloudflare Apps, you can <a href="https://www.cloudflare.com/apps/dvNRF2bh1fgh/install?version=2.0.1">preview</a> Battle for the Net and see how it'd look on a site. Cloudflare users can install the app on their site with the click of a button. You can see how a user can enter a phone number into the pop-up. Users are given share links on their screens, so they may share the action they take on Facebook or Twitter. They are also given the option to donate to the cause.</p><p>Though the pop-up covers a significant portion of the page, it can be easily discarded by clicking the "x" in the upper right corner.</p><p><a href="https://www.cloudflare.com/apps/net-neutrality">Use Battle for the Net to Call your Congressperson »</a></p><p>Learn more about Battle for the Net and the Break the Internet protest on <a href="https://www.battleforthenet.com/">their site</a>.</p><hr />
    <div>
      <h3>Are you in San Francisco? Attend Cloudflare’s <i>Save the Internet!</i> Net Neutrality Call-A-Thon</h3>
      <a href="#are-you-in-san-francisco-attend-cloudflares-save-the-internet-net-neutrality-call-a-thon">
        
      </a>
    </div>
    <p>Join us at Cloudflare (or remotely) in the fight for net neutrality.</p><p>The event will kick off with an introduction to net neutrality and why we think it's important. We'll preview the Battle for the Net app and use it to find our local representatives and call and tweet at them, letting them know we want them to take a stand for net neutrality.</p><p>Pizza will be provided for callers. Bring your own cell phone.</p><p>Tuesday, December 12th: 12:00pm-1:00pm</p><p>Cloudflare San Francisco<br />101 Townsend Street<br />San Francisco, CA 94107</p><p><a href="https://www.eventbrite.com/e/save-the-internet-net-neutrality-call-a-thon-cloudflare-tickets-39998496580?aff=blog">Register Here »</a></p><p>If you can't make it on-site, join the effort by calling through the app, remotely.</p>
    <div>
      <h3>Further reading about net neutrality</h3>
      <a href="#further-reading-about-net-neutrality">
        
      </a>
    </div>
    <p><b>Key moments for </b><a href="https://en.wikipedia.org/wiki/Net_neutrality_in_the_United_States"><b>Net Neutrality</b></a></p><ul><li><p>The 1990s: The issue of net neutrality has been a discussion since the early days of the Internet in the 1990s, between users and service providers. There were no clear legal protections requiring net neutrality until 2015.</p></li><li><p>2015: The FCC classified broadband as a Title II communication service with providers being "common carriers", not "information providers", under former <a href="https://twitter.com/tomwheelerfcc?lang=en">Chairman Tom Wheeler</a>. Adoption of this notion would reclassify Internet service from one of information to one of telecommunications and ensure net neutrality. Wheeler stated, "This is no more a plan to regulate the Internet than the First Amendment is a plan to regulate free speech. They both stand for the same concept." Read more about the 2015 rules in <a href="http://www.newsweek.com/fcc-passes-new-rules-net-neutrality-and-municipal-broadband-309715">this Newsweek article</a>.</p></li><li><p>January, 2017: Ajit Pai was named the new Chairman of the FCC by President Trump. Pai opposed the 2015 <a href="https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-24A1.pdf">Open Internet Order</a> which protects and promotes the open Internet and stated that he planned to modernize FCC policies. Read about Pai's October Senate confirmation in <a href="https://techcrunch.com/2017/10/02/senate-confirms-ajit-pai-as-fcc-chairman/">this TechCrunch article</a>.</p></li><li><p>April/May, 2017: Pai <a href="https://apps.fcc.gov/edocs_public/attachmatch/DOC-344614A1.pdf">proposed</a> that net neutrality rules be rolled back and that service providers should instead voluntarily commit to net neutrality principles. On May 18, 2017 the FCC voted to move forward with the proposal. 
Over 1,000 companies and investors signed an open letter, opposing the proposal and millions of public pro net neutrality comments were submitted on the FCC website. Read more about the vote in <a href="http://money.cnn.com/2017/05/18/technology/fcc-net-neutrality-vote/index.html">this CNN article</a>.</p></li><li><p>June/July, 2017: The Battle for the Net coalition created a <a href="https://www.pcworld.com/article/3207564/internet/net-neutrality-the-july-12-internet-wide-day-of-action-protest.html">Day of Action</a> during which over 50,000 websites participated in the largest online protest in history. Internet companies, CEOs, politicians, and users spoke out in support of net neutrality.</p></li><li><p>Now: It's time to make a statement again. Use <a href="https://www.cloudflare.com/apps/net-neutrality">Battle for the Net</a> to contact your congressperson and find other ways to make a statement to protect net neutrality.</p></li></ul><p><b>Here are five more great videos, explaining net neutrality and why it's important.</b></p><ol><li><p><a href="https://vimeo.com/223504176">Video</a> created by <a href="https://twitter.com/elisolinas">Elisa Solinas</a>, Senior Creative at Vimeo, explaining why net neutrality is so important for video makers, viewers, and all-around Internet video lovers.</p></li><li><p><a href="https://www.youtube.com/watch?v=njVzRph3JJs">Video</a> of <a href="http://www.europarl.europa.eu/meps/en/124816/JULIA_REDA_home.html">Julia Reda</a>, a Member of the European (EU) Parliament from Germany, discussing the importance of net neutrality and new EU legislation designed to reinforce the principle.</p></li><li><p><a href="https://www.youtube.com/watch?v=77V2Xu_AtXc">Video</a> of <a href="https://www.sanders.senate.gov/">Bernie Sanders</a>, US Senator for Vermont, explaining how it's imperative that we have net neutrality.</p></li><li><p><a href="https://www.youtube.com/watch?time_continue=1&amp;v=siULdpCMU3M">Video</a> of FCC Commissioner <a 
href="https://www.fcc.gov/general/commissioner-mignon-clyburn">Mignon Clyburn</a> speaking about how "net neutrality is doomed if we're silent."</p></li><li><p><a href="https://www.youtube.com/watch?v=92vuuZt7wak">Video</a> of <a href="http://iamjohnoliver.com/">John Oliver</a>, host of <a href="https://www.hbo.com/last-week-tonight-with-john-oliver">Last Week Tonight</a> on HBO, giving a second commentary on net neutrality.</p></li></ol><p><b>The argument against net neutrality</b></p><p>Watch or read <a href="https://www.pbs.org/newshour/show/fcc-chair-ajit-pai-explains-wants-scrap-net-neutrality">an interview</a> with Ajit Pai by PBS about why he wants to do away with net neutrality.</p>
    <div>
      <h3>More about the FCC</h3>
      <a href="#more-about-the-fcc">
        
      </a>
    </div>
    <ul><li><p>The FCC is a 5-member Commission, made up of three Republicans, including <a href="https://www.fcc.gov/about/leadership/ajit-pai">Pai</a>, and two Democrats, including <a href="https://www.fcc.gov/general/commissioner-mignon-clyburn">Clyburn</a>.</p></li><li><p>Its purpose is to regulate interstate and international communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia and U.S. territories.</p></li><li><p>It's an independent agency of the US government, overseen by Congress. The Commission is responsible for implementing and enforcing America’s communications law and regulations. It has over 1,700 employees and a budget of almost $400 Million.</p></li></ul><p>Read more on the <a href="https://www.fcc.gov/">FCC website</a>.</p><p>Read more on the <a href="https://en.wikipedia.org/wiki/Federal_Communications_Commission">FCC Wikipedia page</a>.</p>
    <div>
      <h3>Conclusion</h3>
      <a href="#conclusion">
        
      </a>
    </div>
    <p>I was encouraged, for a moment, when I read <a href="https://techcrunch.com/2017/10/26/fcc-wont-vote-on-net-neutrality-in-november/">an article</a>, claiming that the FCC would not be voting on the repeal of net neutrality in November. But now net neutrality is under attack again, just one month later. We need to fight for it. Join the fight.</p><p><a href="https://www.cloudflare.com/apps/net-neutrality">Call your Congressperson »</a></p><p><a href="https://www.eventbrite.com/e/save-the-internet-net-neutrality-call-a-thon-cloudflare-tickets-39998496580?aff=blog">Attend Cloudflare's Save the Internet! Net Neutrality Call-A-Thon »</a></p> ]]></content:encoded>
            <category><![CDATA[Net Neutrality]]></category>
            <category><![CDATA[FCC]]></category>
            <category><![CDATA[Cloudflare Apps]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">2qPc738xhDNh8nIfY25Vze</guid>
            <dc:creator>Andrew Fitch</dc:creator>
        </item>
        <item>
            <title><![CDATA[The View from Washington: The State of Cybersecurity]]></title>
            <link>https://blog.cloudflare.com/the-view-from-washington-the-state-of-cybersecurity/</link>
            <pubDate>Thu, 14 Sep 2017 17:08:20 GMT</pubDate>
            <description><![CDATA[ Avril Haines, Former Deputy National Security Advisor, Obama Administration ]]></description>
            <content:encoded><![CDATA[ <p><a href="https://en.wikipedia.org/wiki/Avril_Haines">Avril Haines</a>, Former Deputy National Security Advisor, Obama Administration</p><p>Moderator: Doug Kramer, General Counsel, Cloudflare</p><p>Avril began her career on the National Security Council, and went on to become the first female deputy at the CIA.</p><p>DK: How will cyber play a role in military operations?</p><p>AH: We look at it from the perspective of “asymmetric threats”; state actors (those who have high-value assets that they can hold at risk with no threat to them). The US is more technologically advanced and relies on cyber more and more; we are as a consequence more vulnerable to cyber threats. Asymmetric threats thus hold at risk those things that are most important to us.</p><p>In the cyber realm we can’t quite define what constitutes a use of force, and saying so can be used against us. So this is an area that is crucial to continue working in; in many respects the US has the most to lose from using a framework that doesn’t work.</p><p>“The private sector is utterly critical in creating a framework that is going to work.”</p><p>We want to have widely-accepted norms and rules so that we can ask other countries to help us take an appropriate response.</p><p>The NSA spent so much time and effort training people in Cybercom that they weren’t spending time on other aspects that they needed to.</p><p>DK: Discuss the terrifying possibilities of the murkiness of these terms.</p><p>AH: It’s easy to think about cyber as a battlefield; I think of it as part of conflict; a state actor does not perform a cyber attack in a vacuum. 
This is part of the way we need to think about these issues: comprehensively.</p><p>This is one area where there is consistency between the Obama and Trump administrations; we cannot think about responses to cyber solely in cyber.</p><p>There is an increasing tension between political structures and the way we organize ourselves as human beings. For instance, we think our political structures are based on geographies. And yet, we are all part of virtual communities with people not in our geographic area. That creates tension between the way we are governed and the way we locate ourselves.</p><p>There are also governance challenges: it used to be that people would get their news through a local news network. If you were a politician, you knew where your constituents were getting their news. This is no longer the case.</p><p>DK: When you think about the evolution of law and legal standards: traditionally in terms of borders, which don’t exist at all online… as you move to a world without borders, the application of law becomes challenging. Where do you see the challenges around that: enforcing laws and having conversations across nation-states?</p><p>AH: I see two sets of issues. Let’s use the law of the seas example. The law of the seas has been developed across time. It’s a great example of how we dealt with a situation of many nebulous issues. The US government has an enormous interest in freedom of navigation across the world. We don’t have the right to create international laws; and yet they’re crucial. There is now an extraordinary amount of detail to it, to what we can and cannot do across the world. 
This is one reason I have optimism about us being able to get into these issues and think them through.</p><p>We have seen how the regulatory structures that we apply are unenforceable in the context of cyber.</p><p>DK: How are you seeing people identify their base allegiances in virtual communities?</p><p>AH: Two of the mega-trends identified are individual empowerment and diffusion of power. What people are discussing is the role of non-state actors; to my mind this is part of what we’re seeing in terms of the challenge of what it presents to government. As we see governments relying on public institutions less and less, you can see how non-state actors are increasingly having power in this area. And I don’t just mean terrorist groups, but cabals of companies, and so on. Those actors are not subject to the same rules that we subject our institutions to. Are we comfortable with those actors filling the gap of what governments used to do? This is a very interesting space.</p><p>DK: Going back to asymmetric threats: do you have a prediction about when we might cross the line? Within the last four years there are reports that the US government may have listened into conversations of Angela Merkel. Then there are recent allegations about Russia influencing the US election. These things are becoming more tangible; the impacts more real. What do you think could be the first cyber attack that would provoke a military response? You can’t just keep poking at the virtual world and have it not eventually lead to military action, right?</p><p>AH: In trying to define what’s a use of force, we’re already taking a position. If you do through cyber what you could have done through dropping a bomb... Russia is a great example of not just using military, but also using cyber. 
(This might warrant an attack)</p><p>DK: What do you see in the next 5-10 years in terms of challenges?</p><p>AH: Most of the conversation around cyber and the intelligence community has to do with the amount of information it can collect. There is a digital footprint that everybody makes and the near impossibility of keeping things secret. The big crisis is about keeping things secret and how to even do the job of intelligence anymore.</p><p>Cyber presents enormous challenges; it is increasingly difficult to keep things secret. On the other hand, there needs to be transparency about the framework in which the intelligence community is operating.</p><p>There is great value in being as transparent as possible about what the intelligence community does. And yet the details have to remain secret if they are going to be valuable.</p><p>There is a recent article in Wired by Mike Dempsey about this, worth reading: about the importance of the US maintaining an information edge. It’s difficult for the intelligence community to bring something new to the table.</p><p>“One of the things I thought I would miss was the daily access to the PDB; but then I started reading the New York Times…”</p><p><b>Q&amp;A:</b></p><p>Q: What will it take to do a Y2K-style investment in security infrastructure to protect old hardware that is vulnerable to security issues?</p><p>AH: We spent a lot of time working with Congress on this. I think it’s not just about investing in upgrading, but really thinking through in a comprehensive way how to institute security practices that span the US government. This is an extraordinarily difficult challenge -- it will not happen in the life of any one administration, but over years through continued and consistent investment. 
I don’t know whether it will happen or not.</p><p>Q: Could you talk about the classic tension between privacy and security from a government perspective and how that relates to the eroding faith that people have in government at this point?</p><p>AH: I can’t really do this answer justice.</p><ol><li><p>I wish that it hadn’t taken Snowden to start this conversation, but we should still keep having it.</p></li><li><p>I worry that the conversation often occurs in the context of a particular attack that has arisen; the discussion requires a level of risk that is not where we should be, meaning that the demand for perfection is extraordinary.</p></li></ol><p>We need to have a public conversation different from the one we’re having, that takes into account the fact that there are some values (liberty, etc.) that we value so much that we are willing to live with a little bit of risk.</p><p>All our sessions will be streamed live! If you can't make it to Summit, here's the link: <a href="http://www.cloudflare.com/summit17">cloudflare.com/summit17</a></p> ]]></content:encoded>
            <category><![CDATA[Internet Summit]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">3Qrnjm2xxAAdpu3fNczep9</guid>
            <dc:creator>Internet Summit Team</dc:creator>
        </item>
        <item>
            <title><![CDATA[Why We Terminated Daily Stormer]]></title>
            <link>https://blog.cloudflare.com/why-we-terminated-daily-stormer/</link>
            <pubDate>Wed, 16 Aug 2017 22:29:04 GMT</pubDate>
            <description><![CDATA[ Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again. ]]></description>
            <content:encoded><![CDATA[ <p>Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again.</p><p>Our terms of service reserve the right for us to terminate users of our network at our sole discretion. The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.</p><p>Our team has been thorough and has had thoughtful discussions for years about what the right policy was on censoring. Like a lot of people, we’ve felt angry at these hateful people for a long time but we have followed the law and remained content neutral as a network. We could not remain neutral after these claims of secret support by Cloudflare.</p><p>Now, having made that decision, let me explain why it's so dangerous.</p>
    <div>
      <h3>Where Do You Regulate Content on the Internet?</h3>
      <a href="#where-do-you-regulate-content-on-the-internet">
        
      </a>
    </div>
    <p>There are a number of different organizations that work in concert to bring you the Internet. They include:</p><ul><li><p>Content creators, who author the actual content online.</p></li><li><p>Platforms (e.g., Facebook, Wordpress, etc.), where the content is published.</p></li><li><p>Hosts (e.g., Amazon Web Services, Dreamhost, etc.), that provide infrastructure on which the platforms live.</p></li><li><p>Transit Providers (e.g., Level(3), NTT, etc.), that connect the hosts to the rest of the Internet.</p></li><li><p>Reverse Proxies/CDNs (e.g., Akamai, Cloudflare, etc.), that provide networks to ensure content loads fast and is protected from attack.</p></li><li><p>Authoritative DNS Providers (e.g., Dyn, Cloudflare, etc.), that resolve the domains of sites.</p></li><li><p><a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/">Registrars</a> (e.g., GoDaddy, Tucows, etc.), that register the domains of sites.</p></li><li><p>Registries (e.g., Verisign, Afilias, etc.), that run the top level domains like .com, .org, etc.</p></li><li><p>Internet Service Providers (ISPs) (e.g., Comcast, AT&amp;T, etc.), that connect content consumers to the Internet.</p></li><li><p>Recursive DNS Providers (e.g., OpenDNS, Google, etc.), that resolve content consumers' DNS queries.</p></li><li><p>Browsers (e.g., Firefox, Chrome, etc.), that parse and organize Internet content into a consumable form.</p></li></ul><p>There are other players in the ecosystem, including:</p><ul><li><p>Search engines (e.g., Google, Bing, etc.), that help you discover content.</p></li><li><p>ICANN, the organization that sets the rules for the Registrars and Registries.</p></li><li><p>RIRs (e.g., ARIN, RIPE, APNIC, etc.), which provide the IP addresses used by Internet infrastructure.</p></li></ul><p>Any of the above could regulate content online. The question is: which of them should?</p>
    <div>
      <h3>Vigilante Justice</h3>
      <a href="#vigilante-justice">
        
      </a>
    </div>
    <p>The rules and responsibilities for each of the organizations above in regulating content are and should be different. We've argued that it doesn't make sense to regulate content at the proxy, where Cloudflare provides service, since if we terminate a user the content won't go away; it will just be slower and more vulnerable to attack.</p><p>That's true, and made sense for a long time, but increasingly may not be relevant. The size and scale of the attacks that can now easily be launched online make it such that if you don't have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline. In fact, in the case of the Daily Stormer, the initial requests we received to terminate their service came from hackers who literally said: "Get out of the way so we can DDoS this site off the Internet."</p><p>You, like me, may believe that the Daily Stormer's site is vile. You may believe it should be restricted. You may think the authors of the site should be prosecuted. Reasonable people can and do believe all those things. But having the mechanism of content control be vigilante hackers launching DDoS attacks subverts any rational concept of justice.</p>
    <div>
      <h3>Increasing Dependence On A Few Giant Networks</h3>
      <a href="#increasing-dependence-on-a-few-giant-networks">
        
      </a>
    </div>
    <p>In a not-so-distant future, if we're not there already, it may be that if you're going to put content on the Internet you'll need to use a company with a giant network like Cloudflare, Google, Microsoft, Facebook, Amazon, or Alibaba.</p><p>For context, Cloudflare currently handles around 10% of Internet requests.</p><p>Without a clear framework as a guide for content regulation, a small number of companies will largely determine what can and cannot be online.</p>
    <div>
      <h3>Freedom of Speech &lt; Due Process</h3>
      <a href="#freedom-of-speech-due-process">
        
      </a>
    </div>
    <p>The issue of who can and cannot be online has often been associated with Freedom of Speech. We think the more important principle is Due Process. I, personally, believe in strong Freedom of Speech protections, but I also acknowledge that it is a very American idea that is not shared globally. On the other hand, the concept of Due Process is close to universal. At its most basic, Due Process means that you should be able to know the rules a system will follow if you participate in that system.</p><p>Due Process requires that decisions be public and not arbitrary. It's why we've always said that our policy is to follow the guidance of the law in the jurisdictions in which we operate. Law enforcement, legislators, and courts have the political legitimacy and predictability to make decisions on what content should be restricted. Companies should not.</p>
    <div>
      <h3>What We Would Not Do</h3>
      <a href="#what-we-would-not-do">
        
      </a>
    </div>
    <p>Beginning in 2013, Cloudflare began publishing our semi-annual Transparency Report. At the time we chose to include four statements of things that we had never done. They included:</p><ul><li><p>Cloudflare has never turned over our SSL keys or our customers' SSL keys to anyone.</p></li><li><p>Cloudflare has never installed any law enforcement software or equipment anywhere on our network.</p></li><li><p>Cloudflare has never terminated a customer or taken down content due to political pressure.</p></li><li><p>Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.</p></li></ul><p>We included them as "warrant canaries" because we thought they could help us push back against the request that governments may try to force us to make. That’s worked and all four of the warrant canaries have survived in every transparency report since 2013.</p><p>We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like.</p>
    <div>
      <h3>Establishing a Framework</h3>
      <a href="#establishing-a-framework">
        
      </a>
    </div>
    <p>Someone on our team asked after I announced we were going to terminate the Daily Stormer: "Is this the day the Internet dies?" He was half joking, but only half. He's no fan of the Daily Stormer or sites like it. But he does realize the risks of a company like Cloudflare getting into content policing.</p><p>There's a saying in legal circles that hard cases make bad law. We need to be careful of that here. What I do hope is it will allow us all to discuss what the framework for all of the organizations listed above should be when it comes to content restrictions. I don't know the right answer, but I do know that as we work it out it's critical we be clear, transparent, consistent and respectful of Due Process.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[DDoS]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">1FtqvXdo0wFrVsy3kqmwKv</guid>
            <dc:creator>Matthew Prince</dc:creator>
        </item>
        <item>
            <title><![CDATA[Net Neutrality Day: Cloudflare + Fight for the Future]]></title>
            <link>https://blog.cloudflare.com/netneutrality-cloudflare-fftf/</link>
            <pubDate>Tue, 25 Jul 2017 18:31:57 GMT</pubDate>
            <description><![CDATA[ For Net Neutrality Day on July 12, Fight for the Future launched a Cloudflare App installable for websites all over the world. Sites with it installed saw as many as 178M page views prompting the users to write to their local congressional representative on the importance of Net Neutrality. ]]></description>
            <content:encoded><![CDATA[ <p>For Net Neutrality Day on July 12, <a href="/net-neutrality-day-of-action/">Fight for the Future (FFTF) launched a Cloudflare App</a> installable for websites all over the world. Sites with it installed saw as many as 178 million page views prompting the users to write to their local congressional representative on the importance of Net Neutrality. All told, the FCC received over 2 million comments and Congress received millions of emails and phone calls.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5eCbZ8TuOfN6XWizCaAoxX/f1b3cba01683c9dba575dab7cbf43d99/Selection_545.png" />
            
            </figure><p><b>Screenshot of App Page for FFTF’s Battle for the Net app</b>. <a href="https://github.com/CloudflareApps/battleforthenet-widget">Source code for this app</a>.</p><p>When our co-founders launched Cloudflare in 2011, it was with a firm belief that the Internet is a place where all voices should be heard. The ability for either an ISP or government to censor the Internet based on their opinions or a profit motive rather than law could pose a huge threat to free speech on the Internet.</p><p>Cloudflare is a staunch supporter of Net Neutrality and the work done by Fight for the Future, which shows how effective Internet civic campaigns can be.</p><p>To get a heads up on Fight for the Future campaigns in the future, <a href="https://www.fightforthefuture.org/">sign up for their mailing list</a>.</p>
            <figure>
            <a href="https://www.fightforthefuture.org/">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5iJadN4gwNtrp1LFEopF0J/62cd9c7035c5ccee7d7dec269bc34958/Image-2017-07-24-at-1.31.07-PM-1.png" />
            </a>
            </figure><p><a href="https://github.com/CloudflareApps/battleforthenet-widget">See source code for FFTF’s Battle for the Net Cloudflare App on Github.</a></p><p>To make your own app, see <a href="https://www.cloudflare.com/apps/developer/docs/getting-started">Cloudflare Apps docs</a>.</p> ]]></content:encoded>
            <category><![CDATA[Cloudflare Apps]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Net Neutrality]]></category>
            <category><![CDATA[Developers]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">4l3hNEoabMkveERIyjTcg6</guid>
            <dc:creator>Jameson Sundell</dc:creator>
        </item>
        <item>
            <title><![CDATA[Participate in the Net Neutrality Day of Action]]></title>
            <link>https://blog.cloudflare.com/net-neutrality-day-of-action/</link>
            <pubDate>Sun, 09 Jul 2017 16:29:00 GMT</pubDate>
            <description><![CDATA[ We at Cloudflare strongly believe in network neutrality, the principle that networks should not discriminate against content that passes through them.  ]]></description>
            <content:encoded><![CDATA[ <p>We at Cloudflare strongly believe in network neutrality, the principle that networks should not discriminate against content that passes through them. We’ve previously posted on our views on net neutrality and the role of the FCC <a href="/net-neutrality/">here</a> and <a href="/moving-beyond-the-dc-circuit-court-decision-on-the-fccs-open-internet-order/">here</a>.</p><p>In May, the FCC took a first step toward revoking bright-line rules it put in place in 2015 to require ISPs to treat all web content equally. The FCC is seeking public comment on its proposal to eliminate the legal underpinning of the 2015 rules, revoking the FCC's authority to implement and enforce net neutrality protections. Public comments are also requested on whether any rules are needed to prevent ISPs from blocking or throttling web traffic, or creating “fast lanes” for some internet traffic.</p><p>To raise awareness about the FCC's efforts, July 12th will be “Internet-Wide Day of Action to save Net Neutrality.” Led by the group Battle for the Net, participating websites will show the world what the web would look like without net neutrality by displaying an alert on their homepage. Website users will be encouraged to contact Congress and the FCC in support of net neutrality.</p><p>We wanted to make sure our users had an opportunity to participate in this protest. If you install the <a href="https://www.cloudflare.com/apps/net-neutrality?utm_campaign=Battle_for_the_Net_App&amp;utm_medium=blog&amp;utm_source=day_of_action_top_link&amp;utm_content=preview-app-page"><b>Battle For The Net App</b></a>, your visitors will see one of four alert modals — like the “spinning wheel of death” — and have an opportunity to submit a comment to the FCC or a letter to Congress in support of net neutrality. You can preview the app live on your site, even if you don’t use Cloudflare yet.</p>
            <figure>
            <a href="https://www.cloudflare.com/apps/net-neutrality/install?utm_campaign=Battle_for_the_Net_App&amp;utm_medium=blog&amp;utm_source=day_of_action_screenshot&amp;utm_content=preview-app-page">
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3avE5kAfX6dYU4ks5xvhrD/0284cbaacf887939c28c987e124111c8/unnamed--1-.png" />
            </a>
            </figure><p>To participate, <b>install the </b><a href="https://www.cloudflare.com/apps/net-neutrality/install?utm_campaign=Battle_for_the_Net_App&amp;utm_medium=blog&amp;utm_source=day_of_action_bottom_link&amp;utm_content=preview-app-page"><b>Battle For The Net App</b></a>. The app will appear for your site's visitors on July 12th, the Day of Action for Net Neutrality.</p> ]]></content:encoded>
            <category><![CDATA[Net Neutrality]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Cloudflare Apps]]></category>
            <category><![CDATA[Developers]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">464ZocSh3CMXe7qRlBmtYw</guid>
            <dc:creator>Alissa Starzak</dc:creator>
        </item>
        <item>
            <title><![CDATA[When the Internet (Officially) Became the Public Square]]></title>
            <link>https://blog.cloudflare.com/internet-became-public-square/</link>
            <pubDate>Wed, 21 Jun 2017 13:00:00 GMT</pubDate>
            <description><![CDATA[ Sometimes, well-intended efforts to prevent unacceptable behavior run into the reality of what it means to have an open and free society. ]]></description>
            <content:encoded><![CDATA[ <p>Sometimes, well-intended efforts to prevent unacceptable behavior run into the reality of what it means to have an open and free society. That is what happened at the Supreme Court on Monday.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7vBNDooKtQ6aogChr1V87h/3d7b230a548aa9fa65b9554de5e3fc39/Publicsquare1905.jpg" />
            
            </figure><p><a href="https://commons.wikimedia.org/wiki/File:Publicsquare1905.jpg#file">Souvenir Postcard</a> by <a href="https://commons.wikimedia.org/wiki/File:Publicsquare1905.jpg#filelinks">unknown</a></p><p>The Supreme Court issued an opinion confirming something we at Cloudflare have long believed -- that the First Amendment protects access to the Internet. Using sweeping language, Justice Kennedy compared internet access to access to a street or park, "essential venues for public gatherings to celebrate some views, to protest others, or simply to learn and inquire,” and concluded that "to foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights."</p><p>We share this view of the internet as a forum to discuss and debate ideas, and believe that the Court’s opinion is an important reaffirmation of the free speech principles we support.</p>
    <div>
      <h2>The Packingham Case</h2>
      <a href="#the-packingham-case">
        
      </a>
    </div>
    <p>Like many other First Amendment cases, the law at the heart of the <a href="https://www.supremecourt.gov/opinions/16pdf/15-1194_08l1.pdf">Packingham v. North Carolina</a> case presents complex questions about how to protect the community in ways consistent with the right to free speech.</p><p>In 2008, North Carolina <a href="http://www.ncleg.net/gascripts/statutes/statutelookup.pl?statute=14-202.5">passed a law</a> making it a serious criminal offense for a registered sex offender to access certain social media sites that included children as members. Lester Packingham Jr., the defendant in the case, had registered as a sex offender after pleading guilty in 2002 to having sex with a 13 year old when he was a 21 year old college student.</p><p>Packingham was charged with a violation of the North Carolina law after he posted a statement on Facebook expressing his relief about the dismissal of a state court traffic ticket. After his conviction, Packingham appealed, arguing that the law was unconstitutional.</p><p>The Supreme Court struck down the law as a violation of the First Amendment, which, among other things, prohibits government action (“shall make no law”) that inhibits free expression or assembly. Although all eight justices to rule on the issue (the newest Justice, Neil Gorsuch, didn’t participate in this decision) agreed that the North Carolina law was unconstitutional, the Justices disagreed on the scope of <a href="https://www.law.cornell.edu/constitution/first_amendment">First Amendment</a> protections.</p><p>Writing on behalf of five members of the Court, Justice Kennedy emphasized the importance of protecting access to the internet, noting the substantial benefits it provides:</p><p><i>“Social media allows users to gain access to information and communicate with one another about it on any subject that might come to mind. . . . 
By prohibiting sex offenders from using those websites, North Carolina with one broad stroke bars access to what for many are the principal sources for knowing current events, checking ads for employment, speaking and listening in the modern public square, and otherwise exploring the vast realms of human thought and knowledge. These websites can provide perhaps the most powerful mechanisms available to a private citizen to make his or her voice heard. They allow a person with an Internet connection to ‘become a town crier with a voice that resonates farther than it could from any soapbox.’”</i></p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2K6qNysyRwHzkejP679TSs/5ae2681caa4fbd0a929fd55181f89652/Screen-Shot-2017-06-20-at-9.30.53-PM.png" />
            
            </figure><p><a href="https://creativecommons.org/licenses/by-sa/2.0/">CC BY-SA 2.0</a> <a href="https://flic.kr/p/AFiB6">image</a> by <a href="https://www.flickr.com/photos/shoobydooby/">shoobydooby</a></p><p>The Court’s broad view of the importance of the internet also prompted the Justices to recommend exercising caution before allowing restrictions on internet speech. As described by Justice Kennedy,</p><p><i>“While we now may be coming to the realization that the Cyber Age is a revolution of historic proportions, we cannot appreciate yet its full dimensions and vast potential to alter how we think, express ourselves, and define who we want to be. The forces and directions of the Internet are so new, so protean, and so far reaching that courts must be conscious that what they say today might be obsolete tomorrow.”</i></p><p>The broad scope of the Court’s ruling suggests that the Supreme Court will look carefully at any restrictions that hinder access to the internet.</p>
    <div>
      <h2>Justice Alito’s Concerns About the Opinion’s Implications</h2>
    </div>
    <p>In a separate decision setting forth the opinion of the remaining three justices, Justice Alito took issue with the broad sweep and implications of the majority opinion. Because the law would have precluded access to a significant number of websites like Amazon or the Washington Post without furthering the state’s interest in protecting children, Justice Alito agreed that the law violated the First Amendment.</p><p>Justice Alito observed, however, that “if the internet or even just ‘social media’ sites are the 21st century equivalent of public streets and parks, then States may have little ability to restrict the sites that may be visited by even the most dangerous sex offenders.” And indeed, this case -- particularly when read in conjunction with other First Amendment cases -- suggests that the Court would have serious concerns about future government restrictions on speech, access, and communication on the Internet.</p><p>We recognize, of course, that, regardless of the internet’s value as a critical locale for discussion and debate, there are bad things online. But, as the Court held yesterday, significant restrictions on access to the internet are simply not an appropriate -- or constitutional -- solution. This historic decision confirms the U.S. commitment to the freedom of expression online.</p><p>Let’s hope that the Court’s broad recognition of the central importance of the internet, along with its concerns about the harmful impact of access restrictions, becomes a central theme in ongoing discussions about regulation and control of the Internet.</p> ]]></content:encoded>
            <category><![CDATA[Freedom of Speech]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">60PW0xLjqUrEDKkVJjbYeo</guid>
            <dc:creator>Alissa Starzak</dc:creator>
        </item>
        <item>
            <title><![CDATA[Data Transfers Post-Brexit: Smoothing the Transition]]></title>
            <link>https://blog.cloudflare.com/let-it-flow-let-it-flow-2/</link>
            <pubDate>Thu, 13 Apr 2017 13:06:47 GMT</pubDate>
            <description><![CDATA[ The average internet user consumes vast amounts of data on a daily basis but rarely – unless an avid follower of Max Schrems - thinks about how the data flows or the mechanisms and legal arrangements in place to make it all happen. ]]></description>
            <content:encoded><![CDATA[ <p>The average internet user consumes vast amounts of data on a daily basis but rarely – unless an avid follower of <a href="https://en.wikipedia.org/wiki/Max_Schrems">Max Schrems</a> - thinks about <i>how</i> the data flows or the mechanisms and legal arrangements in place to make it all happen. If companies like Cloudflare are doing their job well behind the scenes, you really shouldn’t have to – it just <i>works</i>, and so you can busy yourself emailing, communicating, transacting and sharing information.</p><p>Users benefit enormously from the free movement of data, and it is a highly regarded feature of living and doing business within the European Union. With the appropriate legal protections in place, scientific and societal benefits also flow along with the data, and the quality of our lives is improved immensely.</p><p>And the internet is an increasingly busy place:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/0d4xWfDrYTaIukcOb80I4/48f01740d6fe9db086ce56231891f146/IMG_5925-1.JPG.jpeg" />
            
            </figure><p><i>Image courtesy of </i><a href="https://twitter.com/lorilewis"><i>@LoriLewis</i></a><i> and </i><a href="https://twitter.com/OfficiallyChadd"><i>@OfficiallyChadd</i></a></p>
    <div>
      <h3>Let it flow, let it flow...</h3>
    </div>
    <p>The European Commission reported in a <a href="https://ec.europa.eu/digital-single-market/en/news/communication-building-european-data-economy">communication</a> earlier this year that the European Data Economy – i.e. the marketplace where digital data is exchanged as products or services derived from raw data – was estimated at EUR 272 billion in 2015, and that the value is expected to increase to EUR 643 billion by 2020, in large part thanks to ever-increasing amounts of data being generated by emerging technologies, such as the Internet of Things and Artificial Intelligence. Data is certainly big business.</p><p>Assuming no data flow restrictions (such as data localization laws), companies can more readily access performant and secure technologies, enter into new markets, develop new products and services and avail of efficiencies and cost reductions, all of which can be passed on to their customers. This is particularly important for early-stage companies such as Cloudflare, seeking to grow, invest and provide its offering to as many users as possible, and at the lowest price possible.</p><p>Having just <a href="/munich/">announced</a> our 110th data center and with more locations coming soon, our enthusiasm and love for data flows should be obvious. With 6 million+ customers, and 10% of internet (HTTPS) requests flowing through our network each month, we are definitely shifting a lot of information in order to provision our services. And almost one third of our data centers are located in Europe, an exciting and growing marketplace for Cloudflare.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3Xiiojjq0xN47e1YQbCk0w/48399dc445c25e7e470558c547369256/image00.png" />
            
            </figure><p>Cloudflare, like most companies, is working hard to ensure full and early implementation of the EU’s new General Data Protection Regulation (GDPR), which will apply to all companies offering goods and services to EU citizens as of May 2018. This is a progressive piece of legislation, which will help bolster user trust, and is perfectly in line with Cloudflare’s long-standing commitment to user privacy, transparency and business accountability. We’ll share further updates on our GDPR plans in due course.</p>
    <div>
      <h3>Importance of maintaining adequacy</h3>
    </div>
    <p>Cloudflare’s main European office is located in London and Brexit introduces uncertainty for businesses based in the UK and beyond, which will be worked through as specific challenges arise. However, a particular issue related to data flows and transfers demands the immediate attention of policy makers and legislators.</p><p>According to a recent Frontier Economics <a href="https://www.frontier-economics.com/news/new-frontier-report-techuk-assesses-impact-brexit-uks-digital-sector/">report</a> for TechUK, 75% of the UK’s data transfer activity is with European Union countries. Those transfers, which are considered “domestic” today, quickly become foreign transfers as Brexit is implemented. It is clear that efforts must be made to maintain the stability of data transfers between EU Member States and the UK following the UK’s official departure from the European Union. Data will, in effect, need a new passport in order to travel and be processed on the other side.</p><p>The UK has committed to implement the GDPR in full notwithstanding its withdrawal from the EU, and so will continue to have a robust data protection regime in place. A finding of ‘adequacy’ for the UK by the European Commission – i.e. a legal assessment that the UK’s privacy protection regime is aligned with that of the EU - offers the least burdensome manner of retaining data flows with the EU, and the least friction for business. It is critical that this mechanism is taken seriously and is in place on Brexit Day One, so that businesses can continue to benefit from the seamless flow of data, without jumping through legal hoops and hurdles, and so that users can continue to not even notice the magic at play.</p><p>Cloudflare urges the UK Government to maintain its stated commitment to ensuring unhindered data flows after Brexit, and to work towards a strategy for achieving adequacy during the Brexit negotiations.</p> ]]></content:encoded>
            <category><![CDATA[Data]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[Privacy]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">3oOhwZGbVFmrePh4E2Bz6s</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
    </channel>
</rss>