Yesterday Cloudflare released its transparency report for the second half of 2018. The report revealed that the company is expanding its use of warrant canaries.
A warrant canary is a way for a company to let users know that it has been served with a government subpoena. Although you can’t directly tell people you’ve been served, there’s kind of a loophole.
You can instead put a message on your website saying something like, “The FBI has not been here.” Then, when you get a subpoena, you simply remove that message. Here are the original canaries Cloudflare has had since 2013:
- Cloudflare has never turned over our SSL keys or our customers’ SSL keys to anyone.
- Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
- Cloudflare has never terminated a customer or taken down content due to political pressure.
- Cloudflare has never provided any law enforcement organization a feed of our customers’ content transiting our network.
Because Cloudflare has introduced new services such as its 1.1.1.1 DNS, it feels additional canaries are necessary. Here are the new ones:
- Cloudflare has never modified customer content at the request of law enforcement or another third party.
- Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
- Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
- Cloudflare has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.
The original canary regarding SSL has been updated. SSL has since been deprecated, and Cloudflare wants to be sure the canary refers to all encryption and authentication keys.