5 April 2013

About the CloudFlare Logs on Barrett Brown Site

Daniel Brandt, cloudflare-watch.org, writes:

The subpoena served on CloudFlare, requesting all information on a specific domain related to Barrett Brown, raises a huge question about CloudFlare's internal procedures. As far as I can tell, CloudFlare has made no statements in their terms of service, nor in their privacy and security policy, regarding the issue of access-log retention.

If they have logs of IP addresses that visited the pages on the echelon2.org domain as they were served through CloudFlare, and if the subpoena stands, CloudFlare will have to produce such logs. The wording in the subpoena is very broad. There is no Section 230 "safe harbor" immunity for service providers under the 1996 Communications Decency Act in this case, because Section 230 does not apply to federal criminal law. The case against Barrett Brown is a criminal case.

But there is also no legal requirement in the U.S. to retain such logs. If you have them and they are subpoenaed, then you have to produce them. If you destroy them at that point, this would be suppression of evidence. But if you routinely delete old logs, and no longer have them when the subpoena arrives, then you've done nothing wrong.

Does CloudFlare rotate their logs periodically, and delete their old access logs? Since CloudFlare takes pride in allowing their customers to hide behind their proxy, one thing they should have done when they started their service would be to announce a clear access-log retention policy.

The fact that I cannot find such a statement makes me suspicious. I added a new box at the bottom of the home page on www.cloudflare-watch.org that raises a similar issue. If it turns out that the prosecutor gets old logs from CloudFlare about visitors to echelon2.org, then this will increase my suspicions, and I may expand that box.