5 April 2013
About the CloudFlare Logs on Barrett Brown Site
served on CloudFlare, requesting all information on a specific domain related
to Barrett Brown, raises a huge question about CloudFlare's internal procedures.
As far as I can tell, CloudFlare has made no statements in their terms of
service, nor in their privacy and security policy, regarding the issue of
If they have logs of IP addresses that visited the pages on the echelon2.org
domain as they were served through CloudFlare, and if the subpoena stands,
CloudFlare will have to produce such logs. The wording in the subpoena is
very broad. There is no Section 230 "safe harbor" immunity for service providers
under the 1996 Communications Decency Act in this case, because Section 230
does not apply to federal criminal law. The case against Barrett Brown is
a criminal case.
But there is also no legal requirement in the U.S. to retain such logs. If
you have them and they are subpoenaed, then you have to produce them. If
you destroy them at that point, this would be suppression of evidence. But
if you routinely delete old logs, and no longer have them when the subpoena
arrives, then you've done nothing wrong.
Does CloudFlare rotate their logs periodically, and delete their old access
logs? Since CloudFlare takes pride in allowing their customers to hide behind
their proxy, one thing they should have done when they started their service
would be to announce a clear access-log retention policy.
The fact that I cannot find such a statement makes me suspicious. I added
a new box at the bottom of the home page on
raises a similar issue. If it turns out that the prosecutor gets old logs
from CloudFlare about visitors to echelon2.org, then this will increase my
suspicions, and I may expand that box.