Late last week, Cloudflare put up a fascinating and thoughtful blog post discussing (among other things) a change to its warrant canary list. As you hopefully know, a warrant canary is a proactive statement by a service provider that it has never done some particular thing. The idea is that if that statement disappears at a later date, one might reasonably infer that the company had been forced to do the thing it claimed it had never done — and, additionally, that it had possibly been gagged from saying so. There are (somewhat reasonable) criticisms of warrant canaries, and to date, they’re probably better known for false alarms than for any actual report of a gagged provider being pressured into malfeasance.
Still, Cloudflare’s public (so, not gagged) decision to delete a line from its warrant canary is interesting and worth thinking about. The original warrant canary from Cloudflare stated that the company hadn’t done any of the following:
- Cloudflare has never turned over our SSL keys or our customers’ SSL keys to anyone.
- Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
- Cloudflare has never terminated a customer or taken down content due to political pressure.
- Cloudflare has never provided any law enforcement organization a feed of our customers’ content transiting our network.
Recently it added a few more and slightly modified the old ones, so that at the beginning of 2019 Cloudflare insisted that it had never done any of the following:
- Turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.
- Installed any law enforcement software or equipment anywhere on our network.
- Terminated a customer or taken down content due to political pressure*
- Provided any law enforcement organization a feed of our customers’ content transiting our network.
- Modified customer content at the request of law enforcement or another third party.
- Modified the intended destination of DNS responses at the request of law enforcement or another third party.
- Weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
Now, you might notice that at the end of number three, there’s an asterisk. That was done when Cloudflare kicked up quite a debate after it decided to remove Daily Stormer from its service. The asterisk was more or less a nod to the idea that things can be a bit more complicated than “political pressure.” Cloudflare kicked off Daily Stormer because its CEO got sick of a bunch of neo-Nazis laughing and joking about Cloudflare for protecting them and keeping them online. Is that political pressure? Seems pretty subjective. Even Cloudflare’s CEO, Matthew Prince, acknowledged this at the time, noting:
We’re going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It’s powerful to be able to say you’ve never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don’t like.
The solution that Cloudflare came up with was to keep the line in there with the asterisk and an explanation. And now it’s decided to remove the line entirely, as part of the decision earlier this year to remove 8chan from its service as well. However, it’s still not an easy call, and the company wants you to understand the thought process it went through:
In August 2019, Cloudflare terminated service to 8chan based on their failure to moderate their hate-filled platform in a way that inspired murderous acts. Although we don’t think removing cybersecurity services to force a site offline is the right public policy approach to the hate festering online, a site’s failure to take responsibility to prevent or mitigate the harm caused by its platform leaves service providers like us with few choices. We’ve come to recognize that the prolonged and persistent lawlessness of others might require action by those further down the technical stack. Although we’d prefer that governments recognize that need, and build mechanisms for due process, if they fail to act, infrastructure companies may be required to take action to prevent harm.
And that brings us back to our warrant canary. If we believe we might have an obligation to terminate customers, even in a limited number of cases, retaining a commitment that we will never terminate a customer “due to political pressure” is untenable. We could, in theory, argue that terminating a lawless customer like 8chan was not a termination “due to political pressure.” But that seems wrong. We shouldn’t be parsing specific words of our commitments to explain to people why we don’t believe we’ve violated the standard.
We remain committed to the principle that providing cybersecurity services to everyone, regardless of content, makes the Internet a better place. Although we’re removing the warrant canary from our website, we believe that to earn and maintain our users’ trust, we must be transparent about the actions we take. We therefore commit to reporting on any action that we take to terminate a user that could be viewed as a termination “due to political pressure.”
I think this was probably the right call, but I’m just as on the fence about it as Cloudflare itself seems to be. There are strong arguments in either direction. The one thing I will say, though, is that I appreciate Cloudflare’s willingness to be transparent in this way, and to publicly discuss the tough calls it’s making on things like this. That’s something few other companies (especially those as large as Cloudflare) would do. Instead, they’d either hide the removal, or try to PR the issue to death with some vague and noncommittal explanation. This, on the other hand, is direct and quite understandable, even if you disagree with various parts of it.