Back in late 2009, CloudFlare's service began to take shape and our website first went online. While in the early days I had contributed to CloudFlare's early code, we quickly hired engineers to join Lee's team who were far smarter than I. That left me to turn my attention to another area of the site more appropriate for a recovering lawyer: our Terms of Service and Privacy Policy.
Generally, these documents have held up pretty well since December 5, 2009 when we first published them. However, today we're making some updates to address some issues that have come up over the last two years. I wanted to take the time to walk through the changes here so everyone is clear why we made the updates we have.
Apps
Many of the changes to the Terms of Service and Privacy Policy are the result of CloudFlare's Apps Marketplace. From early in our history, we realized we had an opportunity to help webmasters install services to enhance their sites. Oliver Roup, a friend of mine from business school, approached up about allowing CloudFlare's users to automatically incorporate the service of a company he'd started: Viglink. Viglink's service automatically adds an affiliate code to appropriate links on your site so you can make money when people click on a link and then go on to purchase something.
It seemed like a no-brainer that we offer Viglink as an option to our users. We always thought it would be a service that people could turn on or off, but I wanted to make sure our Terms of Service included the possibility that if someone had the service on then affiliate codes could be added. I included the following sentence in our terms: "[CloudFlare may] Add tracking codes or affiliate codes to links that do not previously have tracking or affiliate codes." That has, over time, caused endless confusion, customer service inquiries, and even conspiracy theories.
We're building a platform that, through Apps, can allow you to update your site in a wide number of ways. While we want to acknowledge that, we also want to make something clear: it is always your choice as to what apps are enabled. As a result, we updated this key section to now read:
You retain full copyrights in any materials served through CloudFlare. Depending on the features you select or Apps you enable, CloudFlare may modify the content of your site. For example, CloudFlare may detect any email addresses and replace them with a script in order to keep it from being harvested, or CloudFlare may insert code to improve page load performance or enable a Third Party App. Depending on the features you enable, you acknowledge CloudFlare may:
Intercept requests determined to be threats and present them with a challenge page.
Add cookies to your domain to track visitors, such as those who have successfully passed the CAPTCHA on a challenge page.
Add script to your pages to, for example, add services, Apps, or perform additional performance tracking.
Other changes to increase performance or security of your website.
CloudFlare will make it clear whenever a feature will modify your content and, whenever possible, provide you a mechanism to allow you to disable the feature.
We've made updates elsewhere to also reflect that we allow you to install third party apps. For example, our Privacy Policy now acknowledges that you should check the Terms of Service and Privacy Policies of these app providers since they may be different from CloudFlare's. The idea of the Apps Marketplace is something that really came into focus after our initial launch, so it's appropriate now for us to update our policies to account for it.
Abuse
Section 11 of our old Terms of Service included a long list of things that, if you did on our network, we could terminate you for. The history of this section is that I searched a number of other major services to see what they had prohibited and then included just about everything that had ever been listed. This list was largely pulled from hosting providers and similar sites that actually hosted content.
This list may be appropriate for a hosting service, but it isn't as appropriate for a network provider. CloudFlare is much more akin to a network provider. People also interpreted the list as if it was self-executing computer code. Someone would find a site that told people how to build a grenade, or whatever, and write to us saying we had to terminate them. We, on the other hand, saw the list as reasons we could terminate people, not reasons we must terminate them.
Given the confusion the list created we simplified it. Today our policy remains as it was before, just without the list. If you're using CloudFlare in a way we deem inappropriate we will, at our sole discretion, terminate your use of the CloudFLare network. As I've written about before, our general position is that CloudFlare is building a better Internet and it's not our role to determine what content should or should not be allowed to be published. That said, if you're using our network solely as a file locker, distributing malware or phishing, or otherwise causing per se harm then we will terminate use.
We also updated our abuse process to reflect what we've learned about running an abuse desk in front of hundreds of thousands of websites. What we learned was that as our technical defenses improved, hackers turned to abusing our abuse process to determine the identity of sites on our network. That, effectively, was a mechanism to bypass our technical protections. Our new abuse process allows legitimate rights holders to file complaints that we relay to the owners of sites with alleged violations without compromising the technical protections we offer our customers.
Miscellaneous Other Cleanup
There was a lot of other cruft in our terms that we cleaned up. For example, we previously included the following paragraph:
You are granted a limited, revocable, and nonexclusive right to create a hyperlink to any non-password protected directories, so long as the link does not portray CloudFlare, its affiliated websites, or its services in a false, misleading, derogatory, or otherwise offensive matter. You may not use any of CloudFlare's proprietary graphics or trademarks as part of the link without express written permission.
While most Terms of Service you'll find around the Internet include such paragraphs, they really are silly. We've deleted the paragraph so you can go ahead and link to our site, even if what you say is false, misleading, derogatory and offensive.
When we first started CloudFlare we also had something called the Automated Setup Tool that would login to your DNS provider and Registrar and make the changes for you if you gave us your username and password. While it was very cool and made the signup process even faster than it is today, we decided it was a very bad security practice to ask for people's username/password for a third party service. Much like we got rid of the Automated Setup Tool, we've now gotten rid of the section that covered how it worked. (Section 6 is now about Apps.) We also now provide software (e.g., mod_cloudflare and Railgun) so the terms were updated in various places to include that.
While I'm a recove ring lawyer, I'm not a big believer that the legal system is the best way to resolve disputes. As a result, we added an arbitration clause. Should a dispute arise in the future, it seems like a more civilized way to resolve it. We also had some problems with machine translated versions of the Terms of Service containing oddities. As a result, we added a section to make it clear that the English version of the terms is the one that is controlling. We also moved from Palo Alto, CA to San Francisco, CA more than a year ago so we finally updated the jurisdiction information.
That's the gist of the updates. For those who are interested, we'll keep the old versions of the Terms of Service and Privacy Policies available for a few months. While I'm sure we'll have to make additional updates to the Terms of Service and Privacy Policies in the future as we learn more about running a global network, I am confident that we will continue to operate as we always have: respecting our publishers and their visitors' privacy, operating a responsible network, and working toward building a faster, safer, smarter web for everyone.