Cloudflare posts redacted National Security Letter it received in 2013

Content distribution network and web security startup Cloudflare today published a redacted version of a National Security Letter (NSL) the FBI served the company in 2013, requesting information about an account holder. A few weeks ago, the FBI told Cloudflare that it had chosen to lift the gag order pertaining to the NSL, thus allowing for publication of the document, albeit with certain details removed.

When served, Cloudflare challenged the request, and the FBI subsequently “withdrew the request for information,” so Cloudflare never had to give up information about the account holder in question, Cloudflare counsel Kenneth Carter wrote in a blog post. Cloudflare’s transparency report reflects that in the first half of 2013 it received 0-249 national security orders, but it now has a footnote acknowledging the aforementioned NSL.

The NSL is a tool the FBI can use to gather information under the auspices of national security, and it’s one that has become more powerful, and also more common, particularly following the passage of the USA Patriot Act in 2001. This is not the first time an NSL has been published, but it’s nonetheless telling that Cloudflare — which counts more than 10 million customer domains — was at one point viewed as a potential data source by the U.S. government.

This letter, addressed to Cloudflare cofounder and chief executive Matthew Prince and signed by the special agent in charge of the FBI’s Washington field office, specifically tells Cloudflare not to suspend the account of the particular customer, as that “may alert the subscriber(s)/account user(s) that investigative action being taken.” The letter said Prince, whose company is based in San Francisco, must personally deliver the requested documents to the FBI’s San Francisco division within 14 business days of receiving the NSL.

The document makes a request for several types of information, including the subscriber’s name, account number, payment details, associated addresses, email addresses, IP addresses, phone numbers, screen names, and URLs, along with “the names of any and all upstream and downstream providers facilitating this account’s communications.”

On December 19, Cloudflare received the letter lifting the gag order, also from a special agent in FBI’s Washington field office. The letter states that the FBI decided to lift the gag order “consistent with the requirements of the USA Freedom Act of 2015 and the Termination Procedures for NSL Nondisclosure Requirement.”

Cloudflare’s investors include Baidu, Capital G (formerly Google Capital), Fidelity Management and Research Co., Microsoft, and Qualcomm.

Update at 5:56 p.m. Pacific: Corrected the year Cloudflare received the NSL; while it is dated December 17, 2012, the company received the letter in February 2013, a spokesperson told VentureBeat in an email.