[xja]

Wow hugely interesting, including that Capitol Hill staff felt NSLs could not be issued against Cloudflare, when they were.

One question I have, they chose to voluntarily redact the customers account name in question for obvious reasons. But have they now informed the customer directly?

In any case, thanks Cloudflare for fighting this. I often feel a bit bad about using Cloudflare for my blog, as it exposes users to a potential layer of tracking. This makes me feel a little better.

[jgrahamc]

> I often feel a bit bad about using Cloudflare for my blog, as it exposes users to a potential layer of tracking.

We're not tracking your users.

[xja]

Which is why I said potential rather than actual. Having users terminate their connection at Cloudflare always adds an extra layer, and a dependency on a US corporation and therefore subject to the US legal system.

It's not totally ideal. But I'm glad to hear you're trying your best.

[gcp]

We're not tracking your users.

As far as you're allowed to admit by NSL's, you mean :-)

Intentions != Guarantees

[Jarwain]

I was under the impression a NSL could not force the recipient to do work to comply. For example, they could hand over information they currently have, but they cannot insert a backdoor/vulnerability to start collecting data they previously didn't.

[gcp]

They presumably have some short term logging. Collecting those over a longer period = tracking.

[cesarb]

> We're not tracking your users.

Which is why the parent poster said "potential". You're not tracking, but you could be.

[duckmysick]

Couldn't the same be said about any web service, like DuckDuckGo?

[underyx]

It could, and OP would probably feel icky about serving their site through DuckDuckGo as well.

[duckmysick]

It's not just about serving the sites, it's about any company that claims they don't track users.