Earlier today, the Department of Justice and the Director of National Intelligence announced a change in rules governing the disclosure of National Security Orders, including National Security Letters (NSLs) received by a company. The DoJ and DNI now allow companies to disclose the number of NSLs and FISA orders as a single number in bands of 250, starting with 0-249.
For us at CloudFlare, we have long felt that the arguments in support of restricting the disclosure of NSLs to be flawed. We see no threat to national security by acknowledging the program or the number of orders a particular company has received. Further, it is frustrating that most assume the program to be widespread and that tech companies receive NSLs on a daily basis. In fact, Apple is reporting today that it has received between 0-249 National Security Orders. If a company of Apple’s size has received fewer than 250 National Security Orders, the average tech company is most likely receiving a significantly lower amount.
Given the new rules and guidelines, CloudFlare is publishing its initial Transparency Report on National Security Orders. (We will publish a more complete Transparency Report later on this year). CloudFlare has received the following:
National Security Orders Received
Total Accounts Affected
0-249
0-249
In terms of impact on our customers, even assuming the high end of the range, these National Security Orders would affect fewer than 0.02% of CloudFlare customers.
We believe that while it does not go far enough, today’s rule change is a step in the right direction. Moreover, we believe NSLs violate the principles of Due Process. CloudFlare will therefore challenge in court any NSLs we receive. If this means appealing all the way to the US Supreme Court, then so be it.