
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 04 Apr 2026 05:29:14 GMT</lastBuildDate>
        <item>
            <title><![CDATA[EU election season and securing online democracy]]></title>
            <link>https://blog.cloudflare.com/eu-election-season-and-securing-online-democracy/</link>
            <pubDate>Mon, 20 May 2019 08:00:00 GMT</pubDate>
            <description><![CDATA[ It’s election season in Europe, as European Parliament seats are contested across the European Union by national political parties. With approximately 400 million people eligible to vote, this is one of the biggest democratic exercises in the world.  ]]></description>
            <content:encoded><![CDATA[ <p>It’s election season in Europe, as European Parliament seats are contested across the European Union by national political parties. With approximately 400 million people eligible to vote, this is one of the biggest democratic exercises in the world - second only to India - and it takes place once every five years.</p><p>Over the course of four days, 23-26 May 2019, each of the 28 EU countries will elect a different number of Members of the European Parliament (“MEPs”) roughly mapped to population size and based on a proportional system. The 751 newly elected MEPs (a number which includes the UK’s allocation for the time being) will take their seats in July. These elections are not only important because the European Parliament plays a large role in the EU democratic system, being a co-legislator alongside the European Council, but as the French President Emmanuel Macron has <a href="https://www.elysee.fr/emmanuel-macron/2019/03/04/for-european-renewal.en">described</a>, these European elections will be decisive for the future of the continent.</p>
    <div>
      <h3>Election security: an EU political priority</h3>
      <a href="#election-security-an-eu-political-priority">
        
      </a>
    </div>
    <p>Political focus on the potential cybersecurity threat to the EU elections has been extremely high, and various EU institutions and agencies have been engaged in a long campaign to drive awareness among EU Member States and to help political parties prepare. Last month, for example, more than 80 representatives from the European Parliament, EU Member States, the European Commission and the European Agency for Network and Information Security (ENISA) <a href="http://europa.eu/rapid/press-release_IP-19-2011_en.htm">gathered</a> for a table-top exercise to test the EU's response to potential incidents. The objective of the exercise was to test the efficacy of EU Member States’ practices and crisis plans, to acquire an overview of the level of resilience across the EU, and to identify potential gaps and adequate mitigation measures.</p><p>Earlier this year, ENISA <a href="https://www.enisa.europa.eu/news/enisa-news/enisa-makes-recommendations-on-eu-wide-election-cybersecurity">published</a> a paper on EU-wide election security which described how, as a result of the large attack surface that is inherent to elections, the risks do not only concern government election systems but also extend to individual candidates and individual political campaigns. Examples of attack vectors that affect election processes can include spear phishing, data theft, online disinformation, malware, and DDoS attacks. ENISA went on to propose that election systems, processes and infrastructures be classified as critical infrastructure, and that a legal obligation be put in place requiring political organisations to deploy a high level of cybersecurity.</p><p>Last September, in his State of the Union address, European Commission President Juncker <a href="https://ec.europa.eu/commission/sites/beta-political/files/soteu2018-factsheet-free-fair-elections_en.pdf">announced</a> a package of initiatives aimed at ensuring that the EU elections are organised in a free, fair and secure manner.
EU Member States subsequently set up a national cooperation network of relevant authorities – such as electoral, cybersecurity, data protection and law enforcement authorities – and appointed contact points to take part in a European cooperation network for elections.</p><p>In July 2018, the Cooperation Group set up under the EU NIS Directive (composed of Member States, the European Commission and ENISA) issued a detailed <a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf">report,</a> "<i>Compendium on Cyber Security of Election Technology</i>". The report outlined how election processes typically extend over a long life cycle, consisting of several phases, and the presentation layer is as important as the correct vote count and protection of the interface where citizens learn of the election results. Estonia - a country that is known to be a digital leader when it comes to eGovernment services - is currently the only EU country that offers its citizens the option to cast their ballot online. However, even electoral systems that rely exclusively on paper voting typically take advantage of digital tools and services in compiling voter rolls, candidate registration or result tabulation and communication.</p><p>The report described various election/cyber incidents witnessed at EU Member State level and the methods used. As the electoral systems vary greatly across the EU, the NIS Cooperation Group ultimately recommended that tools, procedures, technologies and protection measures should follow a “pick and mix” approach which can include DDoS protection, network flow analysis and monitoring, and use of a CDN. Cloudflare provides all these services and more, helping to prevent the defacement of public-facing websites and Denial of Service attacks, and ensuring the high availability and performance of web pages which need to be capable of withstanding a significant traffic load at peak times.</p>
    <div>
      <h3>Cloudflare’s election security experience</h3>
      <a href="#cloudflares-election-security-experience">
        
      </a>
    </div>
    <p>Cloudflare’s CTO John Graham-Cumming recently spoke at a session in Brussels which explored Europe’s cyber-readiness for the EU elections. He outlined that while sophisticated cyber attacks are on the rise, humans can often be the weakest link. Strong password protection, two factor authentication and a keen eye for phishing scams can go a long way in thwarting attackers’ attempts to penetrate campaign and voting web properties. John also described Cloudflare’s experience in running the <a href="https://www.cloudflare.com/athenian/">Athenian Project</a>, which provides free enterprise-level services to government election and voter registration websites.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3gX4NjgRMsVhYOK6G238eD/d2e293ad8747783eefd0d97ce106091e/IMG_1095.jpg" />
            
            </figure><p><i>Source: Politico</i></p><p>Cloudflare has protected most of the major U.S. Presidential campaign websites from cyberattacks, including the Trump/Pence campaign website, the website for the campaign of Senator Bernie Sanders, and websites for 14 of the 15 leading candidates from the two political parties. We have also protected election websites in countries like Peru, Ecuador and, most recently, North Macedonia.</p>
    <div>
      <h3>Is Europe cyber-ready?</h3>
      <a href="#is-europe-cyber-ready">
        
      </a>
    </div>
    <p>Thanks to the high-profile awareness campaign across the EU, Europeans have had time to prepare and to look for solutions according to their needs. Election interference is certainly not a new phenomenon; however, the scale of the current threat is unprecedented and clever disinformation campaigns are also now in play. Experts have recently <a href="https://ec.europa.eu/info/news/nato-and-cert-eu-discuss-cyber-threats-ahead-eu-elections-2019-may-06_en">identified</a> techniques such as spear phishing and DDoS attacks as particular threats to watch for, and the European Commission has been <a href="http://europa.eu/rapid/press-release_STATEMENT-19-2570_en.htm">monitoring</a> industry progress under the Code of Practice on Disinformation which has encouraged platforms such as Google, Twitter and Facebook to take action to fight against malicious bots and fake accounts.</p><p>What is clear is that this can only ever be a coordinated effort, with both governments and industry working together to ensure a robust response to any threats to the democratic process. For its part, Cloudflare is protecting a number of political group websites across the EU and we have been seeing Layer 4 and Layer 7 DDoS attacks, as well as pen testing and firewall probing attempts. Incidents this month have included attacks against Swedish, French, Spanish and UK web properties, with particularly high activity across the board around 8th May. As the elections approach, we can expect the volume/spread of attacks to increase.</p><p>Further information about the European elections can be found <a href="http://www.europarl.europa.eu/at-your-service/en/be-heard/elections">here</a> - and if you are based in Europe, don’t forget to vote!</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[Election Security]]></category>
            <guid isPermaLink="false">50lrkzSk3v9KGAWbx9o4Dn</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Digital Evidence Across Borders and Engagement with Non-U.S. Authorities]]></title>
            <link>https://blog.cloudflare.com/digital-evidence-across-borders-and-engagement-with-non-us-authorities/</link>
            <pubDate>Thu, 28 Feb 2019 13:00:00 GMT</pubDate>
            <description><![CDATA[ Since we first started reporting in 2013, our transparency report has focused on requests from U.S. law enforcement. Previous versions of the report noted that, as a U.S. company, we ask non-U.S. law enforcement agencies to obtain formal U.S. legal process before providing customer data.  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Since we first started reporting in 2013, our transparency report has focused on requests from U.S. law enforcement. Previous versions of the report noted that, as a U.S. company, we ask non-U.S. law enforcement agencies to obtain formal U.S. legal process before providing customer data.</p><p>As more countries pass laws that seek to extend beyond their national borders and as we expand into new markets, the question of how to handle requests from non-U.S. law enforcement has become more complicated. It seems timely to talk about our engagement with non-U.S. law enforcement and how our practice is changing. But first, some background on the changes that we’ve seen over the last year.</p>
    <div>
      <h3>Law enforcement access to data across borders</h3>
      <a href="#law-enforcement-access-to-data-across-borders">
        
      </a>
    </div>
    <p>The explosion of cloud services -- and the fact that data may be stored outside the countries of residence of those who generated it -- has been a challenge for governments conducting law enforcement investigations. A number of U.S. laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without U.S. legal process. To get access to electronic data stored outside their home borders, law enforcement agencies around the world have long used Mutual Legal Assistance Treaties (MLATs) that allow one country to ask for another country’s help to get access to evidence. Unfortunately, the MLAT process can be slow and cumbersome.</p><p>Countries frustrated by the inability of law enforcement to quickly gather evidence held outside their borders have taken matters into their own hands. Some have proposed laws mandating that important data about their citizens remain in country, where it can be easily accessed when requested. Others have proposed laws that would allow law enforcement to get access to data wherever it is stored, which puts companies in the position of potentially violating one country’s laws in order to comply with another’s.</p><p>In short, a new paradigm that allows law enforcement to access appropriate digital evidence across borders, with sufficient procedural safeguards to protect our users’ privacy and ensure due process, is long overdue.</p>
    <div>
      <h3>U.S. CLOUD Act</h3>
      <a href="#u-s-cloud-act">
        
      </a>
    </div>
    <p>In March 2018, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act as part of a large bill funding the government. The idea behind the law is that governments that protect their citizens’ due process rights and civil liberties should be able to get access to electronic content related to their citizens when conducting law enforcement investigations, wherever that data is stored.</p><p>The CLOUD Act anticipates that the U.S. government will enter into agreements with other countries’ governments to give each of the participating governments access to data stored in other participating countries for the purpose of investigating and prosecuting certain crimes. Under the law, the U.S. government will have to determine that a country has “robust substantive and procedural protections for privacy and civil liberties” before entering into an agreement with that country. After a country enters a formal agreement with the United States, U.S. companies would no longer be restricted by U.S. law from providing that country’s law enforcement with access to content data in response to a valid law enforcement request.</p><p>From a practical standpoint, the CLOUD Act envisions that U.S. companies like Cloudflare will be providing information directly to governments that have entered into agreements with the U.S. government. The idea is to change the relevant question away from “where is the data stored?” to “is the person being investigated a citizen or resident of the country asking for the information?”, recognizing every government’s right to investigate crimes that occur within its borders or affect its citizens.</p>
    <div>
      <h3>Movement in Europe</h3>
      <a href="#movement-in-europe">
        
      </a>
    </div>
    <p>Governments outside the United States have also moved forward with proposals that would provide law enforcement agencies authority to obtain information related to their citizens across borders. The United Kingdom, for example, has been working to update their laws and negotiate a bilateral agreement with the United States for access to data maintained by U.S. companies, consistent with the framework established in the CLOUD Act.</p><p>The European Union has also been active in moving forward with a framework on obtaining electronic evidence across borders. Much like the U.S. CLOUD Act, the European Commission’s eEvidence Regulation would allow EU Member States to seek digital evidence outside of their national borders provided that fundamental rights are protected. The European Commission also envisions entering into negotiations with U.S. authorities on data sharing arrangements under the mandate of EU Member States.</p>
    <div>
      <h3>So where does all of this leave us?</h3>
      <a href="#so-where-does-all-of-this-leave-us">
        
      </a>
    </div>
    <p>As a U.S. company that stores customer records inside the United States, Cloudflare has long held the view that non-U.S. governments should have to follow U.S. due process requirements in order to obtain any records about our customers. When non-U.S. governments have come to us requesting records, we have explained the nature of our service and, to the extent they were interested in obtaining data, encouraged them to submit a request to the U.S. Department of Justice through the MLAT process.</p><p>But it’s important to note that these processes serve an important function and are not just intended to delay the efforts of foreign law enforcement. They have helped us address some of the more challenging requests that we have seen. Let’s say, for example, law enforcement from an otherwise-respected nation sent us a court order demanding information about websites run by a vocal group of dissenters or even the organizers of a separatist referendum and also asked us to redirect that website to a location of their choosing. In that case, we would direct that foreign agency to submit an MLAT request. In situations like this, we might not receive subsequent legal process from the U.S. government, either because the government declined to ask the Department of Justice for an MLAT related to activity that could be viewed as political or because the Department of Justice declined to process it.</p><p>With the changing legal and policy landscape, as well as our increased presence in non-U.S. locations, we think it’s time to take a step towards the new framework that is taking shape.</p>
    <div>
      <h3>What type of information could we provide to non-US law enforcement?</h3>
      <a href="#what-type-of-information-could-we-provide-to-non-us-law-enforcement">
        
      </a>
    </div>
    <p>The overwhelming majority of information that U.S. law enforcement seeks from Cloudflare through legal process is what we consider to be basic subscriber data -- the type of information that customers give us when they sign up for service. That includes things like name, email address, physical address, phone number, the means and source of payment, and non-content information about a customer’s account, such as data about login times and IP addresses used to log in to the account.</p><p>Although we consider this account information to be private customer data, worthy of protection, we share the commonly held view that it is less sensitive than information considered to be content, such as email communications or documents created by users. In fact, U.S. law allows law enforcement to compel us to provide basic subscriber data with a subpoena, a type of legal process that does not require prior judicial review.</p><p>Recent policy discussions have convinced us that there may be situations where it is appropriate to provide this type of basic subscriber information to non-U.S. law enforcement in response to non-U.S. legal process similar to a subpoena, a view in line with that of many other tech companies. We may therefore respond to requests for subscriber information if a government is seeking information about a crime in its country or about its citizens, we have employees in the country, and appropriate due process requirements and international standards have been met. We will also consider whether the country has signed a CLOUD Act agreement with the United States.</p><p>The CLOUD Act and other existing U.S. laws govern the provision of more sensitive, content data to non-U.S. law enforcement. U.S. companies are legally prohibited from providing content data to a non-U.S. government absent a U.S. CLOUD Act agreement with that country.
Given the nature of our service, however, we rarely have records that constitute content that we could provide to law enforcement regardless of jurisdiction.</p>
    <div>
      <h3>Overall Principles We Follow</h3>
      <a href="#overall-principles-we-follow">
        
      </a>
    </div>
    <p>When we talk about our relationship with law enforcement, we often say that it is not Cloudflare's intent to make law enforcement's work any harder or any easier. We respect both that law enforcement agencies have a job to do and that our customers have rights relating to how their data is shared with law enforcement.</p><p>Regardless of what government is asking, there are certain standards we believe must be followed before we turn over customer data. Our goal is to maintain a healthy and open relationship with law enforcement officials so that they understand and respect our positions on each of these standards. The principles which remain important to us are as follows:</p><ul><li><p><b>Require Due Process.</b> Cloudflare requires government entities seeking access to personal customer information to obtain appropriate legal process, including prior independent judicial review of any request for content.</p></li><li><p><b>Provide Notice.</b> We believe our customers deserve to be notified when we receive legal requests for their information, whether the requests come from law enforcement or private parties involved in civil litigation. We will provide that notice before we disclose the information, unless prohibited by law.</p></li><li><p><b>Protect Privacy and User Rights.</b> Whether inside or outside the United States, Cloudflare will fight law enforcement requests that we believe are overbroad, illegal, or wrongly issued. This includes requests to delay or prevent notice that appear unnecessarily broad, given the government interests at stake.</p></li><li><p><b>Be Transparent.</b> We believe the ability to report on the numbers and types of requests that we get from law enforcement, as well as how we respond, is critical to building trust with our customers. 
We will fight requests that unnecessarily restrict our ability to be transparent with our users.</p></li></ul><p>Consistent with the last standard, we also intend to update our transparency report to reflect any requests that we receive from non-U.S. law enforcement authorities, whether for user information or anything else.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Politics]]></category>
            <category><![CDATA[Abuse]]></category>
            <category><![CDATA[Due Process]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">4YcHdL78G4t1QL1hKNYsbS</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare Signs European Commission Declaration on Gender Balanced Company Culture]]></title>
            <link>https://blog.cloudflare.com/cloudflare-signs-european-commission-declaration-on-gender-balanced-company-culture/</link>
            <pubDate>Tue, 26 Feb 2019 08:36:00 GMT</pubDate>
            <description><![CDATA[ Cloudflare attended a session by the European Commissioner for Digital Economy and Society, Mariya Gabriel, with signatories of the Tech Leaders’ Declaration on Gender Balanced Company Culture.  ]]></description>
            <content:encoded><![CDATA[ <p>Last week Cloudflare attended a roundtable meeting in Brussels convened by the European Commissioner for Digital Economy and Society, Mariya Gabriel, with all signatories of the Tech Leaders’ Declaration on Gender Balanced Company Culture. Cloudflare <a href="https://ec.europa.eu/futurium/en/gender-balance">joined</a> this European Commission initiative late last year and, along with other companies, we are committed to taking a hands-on approach to close the digital gender divide in skills, inception of technologies, access and career opportunities.</p><p>In particular, we have all committed to implementing, promoting and spreading five specific actions to achieve equality of opportunities for women in our companies and in the digital sector at large:</p><ol><li><p>Instil an inclusive, open, female-friendly company culture</p></li><li><p>Recruit and invest in diversity</p></li><li><p>Give women in tech their voice and visibility</p></li><li><p>Create the leaders of the future</p></li><li><p>Become an advocate for change</p></li></ol><p>The project, spearheaded by the Digital Commissioner as part of a range of actions to promote gender balance in the digital industry, allows for the exchange of ideas and best practices among companies, with opportunities to chart progress and also to discuss the challenges we face. Many companies around the table shared their inspiring stories of steps taken at company level to encourage diversity, push back against societal restraints and address unconscious biases at work. Flexible work practices and policies, the importance of network building and mentoring, employee training, clear career progression paths for women and pay equality can all play a part in creating a more diverse workplace. 
Confidence building, including for public speaking, was also an important factor raised by many participants.</p><p>Despite ongoing efforts, such as the No Women No Panel <a href="https://ec.europa.eu/digital-single-market/en/news/commissioners-support-no-women-no-panel-campaign">Campaign</a> launched in Brussels last year, a recent <a href="https://www.eupanelwatch.com/?utm_campaign=967fa3e07c-EMAIL_CAMPAIGN_2019_02_12_05_25&amp;utm_medium=email&amp;utm_source=POLITICO.EU&amp;utm_term=0_10959edeb5-967fa3e07c-189716853">report</a> issued by EU Panel Watch noted that women’s voices are still not distributed evenly across conference topics with a very clear feminisation, masculinisation and radicalisation of sectors. Sectors showing the lowest levels of speaker participation of women, particularly for keynotes, included telecommunications and technology. Although progress <i>is</i> taking place, it is happening much too slowly.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/qfJkLP6K2hH15LZ6qnvPs/0357bcd696d1f60b7dc8e741b19bf7e2/image1.jpg" />
            
            </figure><p><i>European Commission, DG Connect: Commissioner Gabriel and company signatories</i> </p>
    <div>
      <h3>Cloudflare initiatives</h3>
      <a href="#cloudflare-initiatives">
        
      </a>
    </div>
    <p>Despite being one of the youngest companies at the table, Cloudflare has put significant effort into diversity and inclusion programmes, including gender, as we have an unwavering commitment to the idea that everybody should be treated fairly and feel comfortable and respected at work. We also strongly believe in the importance of having diverse teams design, build and test our products in order to ensure their success. We have found that diversity, in all its forms, fosters better innovation and creativity in our company through a greater variety of problem-solving approaches and perspectives, while increasing employee satisfaction and collaboration. McKinsey has also <a href="https://www.mckinsey.com/business-functions/organization/our-insights/delivering-through-diversity">explored</a> the link between financial performance of a company and gender diversity, which underscores the importance of non-homogenous teams in the workplace.</p><p>Cloudflare’s commitment comes from the very top line of management - with no finer example than our co-founder Michelle Zatlyn - but we also adopt a bottom-up approach, with our Cloudflare Aware (Diversity &amp; Inclusion) Programme which offers everyone a chance to contribute to different initiatives through employee-driven working groups. We also partner with external organisations, such as <a href="https://www.toastmasters.org/">Toastmasters</a>, which facilitates sessions for all employees to practice their public speaking and communication skills in a ‘safe’ environment. This enables our female employees in particular to build a pathway towards high profile speaking engagements externally - should they wish to do so - and so play their part in bringing increased diversity to public debates.
In fact, we take every opportunity we can to underline the importance of closing the gender gap, even if it means doing something as simple as allowing <a href="/using-cloudflare-registrar/">early access</a> to <a href="https://www.cloudflare.com/products/registrar/">our Registrar service</a> with donations made to <a href="https://girlswhocode.com/">Girls Who Code</a>.</p><p>The majority of Cloudflare’s jobs exist in Software Engineering and it can be challenging to recruit female talent in this area. We are particularly keen to speak to women from an engineering background, so please do check out our <a href="https://www.cloudflare.com/careers/">careers page</a> and spread the word! As a sector, we need to do more collectively to close the gender gap, and with this in mind, we have also recently added our name to the <a href="https://www.techtalentcharter.co.uk/about-the-tech-talent-charter">UK Tech Talent Charter</a>. This UK Government-supported initiative is an industry collective which recognizes that only through working together and joining forces can any real meaningful change happen.</p><p>As <a href="https://www.internationalwomensday.com/">International Women’s Day</a> approaches, and with this year’s campaign theme being #BalanceforBetter, we will be announcing more activities in this space and seizing the opportunity to celebrate women's achievements with groups worldwide.</p> ]]></content:encoded>
            <category><![CDATA[Life at Cloudflare]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">6iFlZRXZluU6Gi6M90xAsu</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[EU Terrorist Content Online proposal – political haste and unintended consequences]]></title>
            <link>https://blog.cloudflare.com/eu-terrorist-content-online-proposal-political-haste-and-unintended-consequences/</link>
            <pubDate>Tue, 04 Dec 2018 17:00:29 GMT</pubDate>
            <description><![CDATA[ In September, the European Commission presented a legislative proposal to address the removal of terrorist content online.  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Photo by <a href="https://unsplash.com/@stereophototyp?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Sara Kurfeß</a> / <a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Unsplash</a></p><p>In September, the European Commission presented a legislative <a href="https://ec.europa.eu/commission/sites/beta-political/files/soteu2018-preventing-terrorist-content-online-regulation-640_en.pdf">proposal</a> to address the removal of terrorist content online. There has been significant political pressure, particularly as the EU elections of 2019 approach, towards internet companies taking on increased responsibility in the area of terrorist propaganda online. This proposal would be a marked move from various voluntary initiatives taken up by some social media companies in recent times towards a legal responsibility framework for many.  </p><p>While appreciating the concerns around terrorism, Cloudflare is not only troubled by the late presentation of this proposal – which leaves inadequate time for a thorough review before this EU legislative term expires – but also much of the substance. Along with others such as <a href="https://cdt.org/blog/the-european-commissions-draft-regulation-on-terrorist-content-requires-significant-revision/">CDT</a>, <a href="https://www.gsma.com/gsmaeurope/whats-new/gsma-etno-position-paper-terrorist-content-online/">GSMA/ETNO</a> and <a href="https://blog.mozilla.org/netpolicy/2018/11/21/the-eu-terrorist-content-regulation-a-threat-to-the-ecosystem-and-our-users-rights/">Mozilla</a>, we have significant concerns around the legal implications, practical application and possible unintended consequences of the proposal, some of which we outline below. Furthermore, we believe that little evidence has been presented as to the necessity of the proposed measures.</p>
    <div>
      <h3>Concerns and shortcomings</h3>
      <a href="#concerns-and-shortcomings">
        
      </a>
    </div>
    <p>The Commission’s proposal does not account for the complexity and range of information society services having a storage component - not all services have the same reach and impact, and so a one-size-fits-all approach is not justified. This has been a concerning trend overall with EU legislative proposals: in wishing to regulate the behaviour of a few large social media platforms, many other providers of differing sizes and types are brought within scope with sweeping and clumsy definitions. The reality is that only the largest providers have the resources and means to address many of the requirements, which further cements their position as gate-keepers and dominant players in the marketplace.</p><p>We also have concerns that the proposal will chill legitimate online speech. The overly broad definition of “terrorist content” covers the “inciting or advocating, including by glorifying, the commission of terrorist offences” and other activities related to the encouragement, instruction or promotion of terrorist-related activities. Under this definition, almost any type of terrorism-related content, including of an educational, journalistic or academic-based nature, could be within scope of a removal order. This poses very real risks of removal of legitimate content, with its consequent effects on freedom of expression and information, as companies are incentivized to avoid any possibility of liability. The proposal is simply not robust enough to ensure that legitimate content actually remains online.</p><p>Cloudflare would suggest that given the high risk of unintended consequences, if a proposal like this is to go forward as a result of political pressure, additional due process should be required and the proposal should be significantly narrowed. Judicial authorities alone should be empowered to issue removal orders. 
From a practical standpoint, having all EU countries, each with multiple potential authorities, issuing orders for content removal seems likely to exacerbate concerns about the effect on freedom of expression. Each EU country should instead elect just one authority to issue the orders or better still, a one-stop-shop model could be established with one European entity serving as the single interface for hosting service providers. Given that providers are in turn asked to appoint one company and legal representative, this seems like a practical way to streamline the process and reduce the likelihood of divergent views about what constitutes content deemed appropriate for removal.</p><p>The proposal calls for the removal of terrorism content within a one-hour timeframe. Regardless of the fact that a legal assessment of the content is not required, an operational discussion still has to take place within a company as to the appropriate type of removal measure and how and where it is effected. As noted in the Commission’s <a href="https://ec.europa.eu/commission/sites/beta-political/files/soteu2018-preventing-terrorist-content-online-swd-408_en.pdf">Impact Assessment</a>, over 90% of European companies are SMEs and so asking all providers to fulfil the removal requirements within 60 minutes is highly unreasonable.</p>
    <div>
      <h3>The privatisation of law enforcement - a troubling trend</h3>
      <a href="#the-privatisation-of-law-enforcement-a-troubling-trend">
        
      </a>
    </div>
    <p>A growing number of regulatory and policy initiatives at European level have seen Internet service providers encouraged to proactively decide on the legality and nature of content online, undertake risk assessments along with the balancing of fundamental rights and freedoms, and evaluate any conflicts of law, all while potentially facing liability if they make those assessments incorrectly. This has effectively resulted in a privatisation of law enforcement, with the additional risk that smaller providers will look to crude, untested tools in order to help meet compliance. The shifting of the burden of responsibility from the State to the provider is also seen here in the ask to providers to manage complaints from content providers, with no role foreseen for the competent authorities.</p><p>Furthermore, this proposal foresees a scenario whereby companies could be asked to take on proactive measures – which could include filtering – if they receive even one removal order. Not only is this not a proportionate ask but it is a departure from the well-established legal principle of “no general monitoring” as set out in Article 15 of the EU eCommerce Directive. The idea of internet filtering has been creeping into a range of legislative proposals and should be a concern for all.</p>
    <div>
      <h3>Process ahead</h3>
      <a href="#process-ahead">
        
      </a>
    </div>
    <p>Member States are advancing at pace with their review and may already reach an agreed position this week. Meanwhile the European Parliament, which also has to undertake a review, has yet to commence its work in earnest. Cloudflare will be working to ensure that our concerns around this proposal are heard and that due process, legality and proportionality are not sacrificed in the political rush. You can follow progress of this file <a href="http://www.europarl.europa.eu/legislative-train/theme-area-of-justice-and-fundamental-rights/file-preventing-the-dissemination-of-terrorist-content-online">here</a>.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">6wWTnavKzDnkjiBT2xZl3S</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[EU Copyright Vote: A Critical Juncture for the Open Internet]]></title>
            <link>https://blog.cloudflare.com/eu-copyright-vote-a-critical-juncture-for-the-open-internet/</link>
            <pubDate>Mon, 10 Sep 2018 10:23:28 GMT</pubDate>
            <description><![CDATA[ Back in June, we blogged about the draft EU copyright proposal which is currently making its way through the legislative process in Brussels.   ]]></description>
            <content:encoded><![CDATA[ <p>Back in June, we <a href="/copyright-copywrong/">blogged</a> about the draft EU copyright proposal which is currently making its way through the legislative process in Brussels.  We outlined how under one of the more controversial provisions within the draft Directive, Article 13, certain Internet platforms could be held legally responsible for any copyright content that their users upload and would effectively have to turn to automated filtering solutions to remove infringing content at the point of user upload. Moreover, in order to avoid potential legal liability, it is widely expected that content sharing providers would err on the side of caution and remove excessive amounts of content, resulting in a form of online censorship.</p><p>Since that blogpost, the European Parliament Plenary narrowly voted on 5th July to reject the proposal tabled by the Legal Affairs (JURI) Committee and a mandate to negotiate, and now the proposed Directive will undergo a full discussion and rescheduled vote in the next Plenary meeting on 12th September. This was a fantastic outcome, thanks in large part to a groundswell of support from those who value the fundamental right of freedom of expression online. It has presented a window of opportunity to correct the deeply flawed approach to copyright reform in Europe and find a more balanced solution. Campaigning has continued throughout the summer period and MEPs are now set to vote again on a proposal that has heavy consequences for the open Internet if passed in its current form.</p>
    <div>
      <h3>What is at stake?</h3>
      <a href="#what-is-at-stake">
        
      </a>
    </div>
    <ul><li><p><b><i>Widespread disruption to the web</i></b> The Article 13 proposal has an incredibly broad reach in terms of who can be impacted. We face a scenario in which not only the large content sharing platforms, such as Facebook and YouTube, but other businesses involved in storing and giving access to material uploaded by users - music, pictures and videos - will be forced to try and conclude licensing agreements with rights-holders, and could have to resort to content surveillance and removal activities to protect their business. This could include blogging and discussion platforms. This could also potentially impact Cloudflare and its ability to innovate in the European market with new services that offer a storage component.</p></li></ul><ul><li><p><i><b>Your freedoms and rights</b></i> The proposal threatens the freedom of expression and information and upsets the balance of rights that has been so important to Internet innovation. Creators, users and independent businesses alike - any content that is uploaded may be deleted without your consent by Internet providers anxious not to incur legal liability. The right to freedom to access information and the right to conduct a business are also now at risk.</p></li></ul><ul><li><p><i><b>User experience</b></i> As the Internet has improved in terms of speed and delivery, the visual Internet buffering experience of yore is now a rarity. Add in a new monitoring and filtering function however, tracking the vast range of content that is uploaded by users against databases of flagged copyright content, and we now have a new layer of complexity which could have a negative impact on user experience. This could range from delays in downloading to vast and confusing blank spaces on the web.</p></li></ul><ul><li><p><i><b>Diversity</b></i> Start-ups and smaller businesses will be heavily burdened by the new obligations, meaning that the internet giants will gain an even deeper foothold in the marketplace. 
Smaller players will not have the presence, ability or market power to engage in appropriate licensing agreement discussions with the range of rights-holders that exists. Furthermore, in some cases, these arrangements do not even make practical sense.  And so in every sense, diversity in Europe will be diminished, both in terms of providers who can afford to operate in such a market and also the availability of culturally diverse, rich content. Europe will simply lose out, as smaller companies look to other geographic markets and users face restricted choice.</p></li></ul>
    <div>
      <h3>What can be done?</h3>
      <a href="#what-can-be-done">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4gwyIhfq1AoQvd9OQGYinK/9cd745076ca4d41b8c95f039a4d6ee23/SaveTheInternet-Action-Week.png" />
            
            </figure><p>Image courtesy of <a href="https://edri.org/">EDRi</a></p><p>There is still some time left to share your views with MEPs who have a key role in this debate and with those who may have hesitated over the July vote. We particularly appeal to all our European users and readers to contact their MEPs and pass the message that the Article 13 proposal is flawed, upload filters and online monitoring are not the way forward, and fundamental rights must be preserved. You can check the voting statistics for MEPs in different European countries and contact your local representatives using this <a href="https://saveyourinternet.eu/">website</a>. You can also call your MEP, locating their details using this <a href="https://voxscientia.eu/meps/">tool</a>.</p><p>As an ardent supporter of the open Internet, Cloudflare has been deeply troubled by the Article 13 proposal and some of the discussions that have taken place. We hope you will join us, and many others, in this important campaign and help to <b>#SaveYourInternet</b>.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[Net Neutrality]]></category>
            <category><![CDATA[Save The Web]]></category>
            <guid isPermaLink="false">7gZZ8h6Zmf5ZRrw2mMTaAz</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Copyright? Copywrong!]]></title>
            <link>https://blog.cloudflare.com/copyright-copywrong/</link>
            <pubDate>Mon, 25 Jun 2018 18:59:51 GMT</pubDate>
            <description><![CDATA[ The drafting of the new EU Copyright Directive was never going to be an easy task. As has been seen over the years, policy discussions involving digital service providers and the intellectual property rights community are often polarizing, and middle ground can be difficult to find.  ]]></description>
            <content:encoded><![CDATA[ <p>The drafting of the new EU Copyright Directive was never going to be an easy task. As has been seen over the years, policy discussions involving digital service providers and the intellectual property rights community are often polarizing, and middle ground can be difficult to find. However, the existing legal framework – which dates from 2001 - needed a refresh, in order to take account of the new online environment in which user-generated content is a key feature, while acknowledging the challenges that authors face and their need for fair remuneration.</p><p>Unfortunately, as is now so often the case in Brussels, the new law is being drafted with a small set of large Internet companies in mind. This blinkered approach to rule-making frequently results in unintended and negative consequences for other parts of the Internet ecosystem, and indeed for end users, many of whom are often unaware that such policies are being created.</p>
    <div>
      <h3>Monitoring and Filtering User-Generated Content - A Flawed Approach</h3>
      <a href="#monitoring-and-filtering-user-generated-content-a-flawed-approach">
        
      </a>
    </div>
    <p>The draft copyright proposal has been undergoing EU Parliamentary and Council scrutiny since it was tabled by the European Commission in 2016, and it has been heavily criticised by civil society organisations, numerous industry associations, renowned academics and research institutions. Article 11 (the so-called “snippet tax”, by which Internet aggregators would be forced to pay publishers for displaying snippets of their articles online) and Article 13 have been the most contentious proposals. Under the latter, licensing arrangements with rights-holders are encouraged and Internet platforms would no longer be able to avail of safe harbour protections, being held legally responsible for any content that their users upload. In order to avoid such liability, platforms would have to turn to technological solutions such as upload filters, effectively requiring a general monitoring of the Internet. Furthermore, the proposal as currently drafted casts the net widely, covering any Internet platform which “optimises” content - most online services in other words. For a more in-depth analysis of some of the challenges that the legal text presents, see this <a href="http://copyrightblog.kluweriplaw.com/2018/06/18/julia-reda-discusses-current-proposal-directive-copyright-digital-single-market/">interview</a> with one of the leading copyright experts in the European Parliament, German MEP Julia Reda.</p><p>The proposal has piqued the interest of the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, David Kaye, who recently contributed to the debate by writing a compelling 9-page <a href="https://www.ohchr.org/Documents/Issues/Opinion/Legislation/OL-OTH-41-2018.pdf">letter</a>. Kaye argues that Article 13 in particular places pressure on content sharing providers to err on the side of caution and implement intrusive content recognition technologies that monitor and filter at the point of upload. 
Such activity will, Kaye stresses, subject users to restrictions on the freedom of expression without prior judicial review of the legality, necessity and proportionality of such restrictions.</p><p>Organisations such as Engine have published <a href="http://www.engine.is/the-limits-of-filtering/">reports</a> highlighting the shortcomings of filtering, describing how “content filtering technologies are at best capable of simply identifying the contents of a file, not making the often complex determination as to whether the use of a particular file constitutes an infringement”. And many other notable Internet visionaries, including Tim Berners-Lee and Vint Cerf, have also <a href="https://www.eff.org/files/2018/06/13/article13letter.pdf">shared</a> their concerns, adding that “far from only affecting large American Internet platforms (who can well afford the costs of compliance), the burden of Article 13 will fall most heavily on their competitors, including European startups and SMEs”. Allied for StartUps puts an even finer point on this, stating that developing filtering technology (at cost) will do little to attract investors to Europe and the most responsible decision will be to move operations outside of the EU - sentiments also expressed in this <a href="http://alliedforstartups.org/wp-content/uploads/sites/3/2018/06/Impact-of-a-content-filtering-mandate-2018-06-07-long.pdf">report</a>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/48xcGrvBQeYmKyyRFq98jp/66e1b0b70501298a2a418f09f466ce13/photo-1481597262637-0545b18186ea" />
            
            </figure><p>Photo by <a href="https://unsplash.com/@agkdesign?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Alex Knight</a> / <a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Unsplash</a></p>
    <div>
      <h3>Next Steps</h3>
      <a href="#next-steps">
        
      </a>
    </div>
    <p>The text that was voted in the JURI Committee of the European Parliament on 20th June is convoluted and littered with contradictory asks. Furthermore, as many have pointed out, the text is potentially in contravention of European law and the EU Charter of Fundamental Rights. A number of EU Member States have also previously raised legal questions during Council discussions. Considerable doubts remain and there is still a chance to improve the draft.</p><p>The next steps in the legislative process are a Parliament Plenary vote (possibly as early as the first week in July), negotiations between the Parliament and the Council and then final Parliamentary approval, all likely taking us up to the end of the year / start of 2019. Once the text has been approved, Member States will then have to transpose the Directive nationally. It is imperative that efforts are quickly made to straighten out the definitions, remove some of the ambiguities and undo some of the damage that this proposal, as currently drafted, may do to the open Internet as we know it today.</p><p>Although not a content distribution platform, Cloudflare is passionate about the freedom of expression and Internet innovation. We believe, as many do, that Internet filters have their considerable limits, and their widespread adoption will only serve to stagnate start-up activity and stifle creativity. Furthermore, any policies that effectively strengthen the monopoly of large Internet providers, leaving smaller companies in the lurch and scrambling to comply, will only cement the gate-keeper position of the larger players.</p>
    <div>
      <h3>Our Call to Action</h3>
      <a href="#our-call-to-action">
        
      </a>
    </div>
    <p>Interested in getting involved in the debate and expressing your opinion to the relevant politicians? There are a variety of online tools you can use such as Mozilla’s ChangeCopyright online <a href="https://changecopyright.org/en-US/">tool</a>, Vox Scientia’s <a href="https://voxscientia.eu/call-to-action/">webform</a> and Save the Internet’s <a href="https://saveyourinternet.eu/">website</a>. And this would be our call to action:</p><ul><li><p><b>Further clarity on definitions and scope:</b> exclude any service of a mere technical, automatic and passive nature from the scope of the Directive</p></li><li><p><b>No filtering:</b> remove any obligation or incentive for Internet platforms to implement content recognition technologies</p></li><li><p><b>No monitoring:</b> remove any obligation on Internet platforms to monitor the information which they transmit or store</p></li><li><p><b>Due process:</b> allow users the possibility to appeal any restrictive measures via redress mechanisms</p></li></ul> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <guid isPermaLink="false">22e3PttbQovowqTDQ1EWQ4</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[A New Cybersecurity Strategy for Europe]]></title>
            <link>https://blog.cloudflare.com/new-cyber-security-strategy-for-europe/</link>
            <pubDate>Sun, 01 Oct 2017 10:00:00 GMT</pubDate>
            <description><![CDATA[ October is European Cybersecurity Month, an annual advocacy campaign to raise awareness of cyber risks among citizens and businesses, and to share best practices in cybersecurity. ]]></description>
            <content:encoded><![CDATA[ <p>October is European Cybersecurity Month, an annual advocacy campaign to raise awareness of cyber risks among citizens and businesses, and to share best practices in cybersecurity. This year’s campaign was launched at an <a href="https://www.enisa.europa.eu/events/ecsm-kick-off-event-2017/european-cyber-security-month-kick-off-event-2017">event</a> in Estonia, a country which both holds the current Presidency seat of the European Council and is well known as being highly cyber aware and digitally savvy.</p><p>It is fitting, therefore, that it is under Estonia’s Presidency that the European Commission <a href="http://europa.eu/rapid/press-release_IP-17-3193_en.htm">announced</a> a number of initiatives last month aimed at stepping up the European Union’s cybersecurity capacity and response to cyber attacks, while laying the foundations for increased cyber awareness and better cyber hygiene overall.</p><p>The EU’s Cybersecurity Strategy is a welcome initiative, as we already know that the overall cyber threat level is rising. At Cloudflare, we deal with a new type of DDoS attack every 3 minutes, and it has been that way for the last 6 months. This year alone, we've seen a DDoS attack that peaked at 300 Mpps and another at 480 Gbps. Furthermore, as DDoS mitigation companies like Cloudflare have become adept at handling 'traditional' DDoS attacks, the attackers have also adapted and increasingly try out new <a href="/the-daily-ddos-ten-days-of-massive-attacks/">techniques</a>.</p>
    <div>
      <h3>A holistic approach to cyber resilience and a shared responsibility</h3>
      <a href="#a-holistic-approach-to-cyber-resilience-and-a-shared-responsibility">
        
      </a>
    </div>
    <p>In its <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1505294563214&amp;uri=JOIN:2017:450:FIN">Communication</a> announcing the Cybersecurity Strategy, the European Commission sets out a multi-pronged approach to ensuring that Europe is better placed to face the rise in cybercrime, increasingly sophisticated cyber tools leveraged for malicious purposes, and attacks on critical infrastructure. The proposals range from educational initiatives to encourage increased cyber awareness and skills, to investment in research projects and public-private partnerships where technology in cybersecurity and industrial capabilities are developed, to encouraging the use of cyber secure tools in eGovernment operations.</p><p>Cybersecurity is a common societal challenge which should involve multiple layers of stakeholders, including industry, Government and individuals. The cybersecurity industry can, however, play a key role in helping the fight against cybercrime and attacks by providing training and educational information to better inform policy makers, politicians and law enforcement on what is happening on the ground, and highlight emerging technologies and best practices. Companies such as Cloudflare are on the front line, reacting and adapting to dynamic and evolving threat landscapes, such as that recently <a href="/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/">seen</a> with infected IoT devices. We are, in a sense, in a somewhat privileged position, and we want to do and share what we can to help raise the bar.</p>
    <div>
      <h3>Cloudflare’s contribution</h3>
      <a href="#cloudflares-contribution">
        
      </a>
    </div>
    <p>Cloudflare has been actively participating in a number of European initiatives which feature in the Commission’s Cybersecurity Strategy. Earlier this year, we joined Europol's Advisory Group on Internet Security to share our knowledge on matters related to internet security and emerging threats, along with other industry peers. We are also participating in the IoT Security Group set up by the European Union <a href="https://www.enisa.europa.eu/">Agency</a> for Network and Information Security. We shared our well-known <a href="https://www.cloudflare.com/media/pdf/cloudflare-whitepaper-policy-primer-the-encryption-conundrum.pdf">views</a> and strong support for encryption during discussions held by the European Commission on cross-border access to electronic evidence, and we are now participating in some work related to software vulnerability disclosures in Europe, led by the Brussels think-tank <a href="https://www.ceps.eu/">CEPS</a>.</p><p>Next year, the EU Network and Information Security Directive will usher in a new era of security awareness and protection in the EU. This new legal framework will ensure that security is an essential consideration for an even broader range of actors than before - such as companies in the banking, transport, energy and digital infrastructure sectors - and it asks that businesses take a risk-based approach in their cyber security activities and preparations. While most of the ideas are not new to a security-conscious company like Cloudflare, we are now in the process of preparing for this new framework.</p><p>There are numerous strands to the Commission’s Cybersecurity strategy and it will be important that all stakeholders work quickly and cohesively to make the words a reality. 
However, with all these initiatives in play, Europe will certainly be in a better position to address the latest cybersecurity challenges, while helping ensure that the internet remains open, secure and <a href="https://www.cloudflare.com/learning/security/what-is-cyber-resilience/">resilient</a>.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[DDoS]]></category>
            <category><![CDATA[IoT]]></category>
            <guid isPermaLink="false">2eyQX1GRNPkQVcoKMhbwrw</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Advancing Privacy Protection with the GDPR]]></title>
            <link>https://blog.cloudflare.com/advancing-privacy-protection-with-the-gdpr/</link>
            <pubDate>Mon, 21 Aug 2017 23:42:15 GMT</pubDate>
            <description><![CDATA[ The road towards implementation of the new European GDPR (the General Data Protection Regulation) has been a long one, even though public awareness of its impact, especially outside of Europe, is only now really starting to take hold.  ]]></description>
            <content:encoded><![CDATA[ 
    <div>
      <h3>A game-changer</h3>
      <a href="#a-game-changer">
        
      </a>
    </div>
    <p>The road towards implementation of the new European GDPR (the General Data Protection Regulation) has been a long one, even though public awareness of its impact, especially outside of Europe, is only now really starting to take hold. This game-changing piece of EU legislation will require companies to fundamentally change how they process and use personal data (broadly defined) they receive from EU citizens, including through consent and data handling agreements with their customers, supply chains, and vendors. It will come into effect on 25th May, 2018, and will have tremendous reach, touching on all business sectors. More than that, the GDPR has extra-territorial scope and will apply to any business that processes the personal data of European users, irrespective of whether that business has any physical presence in the European Union.</p><p>The aim of the GDPR, which will replace the currently applicable European Data Protection Directive of 1995, is to both meet the challenges of globalization and address dynamic new products and services, while also trying to create a future-proof framework that will comfortably accommodate emerging technologies and scenarios, including the Internet of Things. It is also a response to Europeans’ growing concerns over the control and use of their personal data in the new data powered environment. By way of illustration (below), in March 2015 a Eurobarometer <a href="http://ec.europa.eu/commfrontoffice/publicopinion/archives/ebs/ebs_431_en.pdf">study</a> asked 28,000 EU citizens what they thought about the protection of their personal data, and 67% of respondents stated that they did not believe they had complete control over the information they provide online.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4jpnJX2vjG3SgicXYFR1rE/5561d294e864d9dfbc6ffedb6cc36433/Screen-Shot-2017-08-21-at-4.13.34-PM.png" />
            
            </figure><p><i>Base: Respondents who feel like they don't have complete control over the info they provide online (n=16,244 in EU28)</i></p><p>Almost three quarters of the respondents did acknowledge and accept that providing personal data is an increasing part of modern life, but only one third indicated that providing such data was not a big issue. Clearly, something had to be done to help build user trust.</p>
    <div>
      <h3>Strengthening the EU Digital Single Market</h3>
      <a href="#strengthening-the-eu-digital-single-market">
        
      </a>
    </div>
    <p>The GDPR process began back in 2009 with a <a href="http://ec.europa.eu/justice/newsroom/data-protection/opinion/090709_en.htm">consultation</a> launched by the European Commission, along with stakeholder <a href="http://ec.europa.eu/justice/newsroom/data-protection/events/100701_en.htm">meetings</a> held throughout 2010 and 2011. Speeches given by the then EU Justice Commissioner, Viviane Reding, were combed over for clues as to the Commission’s plans, and finally in January 2012, all was revealed when the first draft of the GDPR was <a href="http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en">published</a>. That triggered a four-year process in Brussels, involving the European Parliament and the European Council (EU Member States), ongoing Commission input and intense lobbying efforts by business and civil society representatives which resulted in many thousands of amendments (4,000 submitted in the lead European Parliament Committee, LIBE, alone). The text was finally agreed in December 2015 and the Regulation was formally <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&amp;toc=OJ:L:2016:119:TOC">adopted</a> in April 2016, kicking off the two-year implementation clock at a national level and for businesses preparing to comply.</p><p>An issue that had to be tackled was the fragmentation of data protection laws across Europe under the current Data Protection Directive, as each Member State had applied its own set of rules to broadly implement the EU legislation. This has been confusing not only for end users but also for those businesses trying to operate across the European Union and tailor their offerings accordingly. 
As such, while national derogations on some issues remain possible under the GDPR, there will now be a more solid and predictable framework in place, since the new law is a Regulation rather than a Directive and so is directly applicable in each Member State.</p><p>The GDPR sets out a coherent risk-based approach to privacy protection and also codifies certain important principles, such as <b>control and transparency</b> (for users), <b>accountability</b> (for data processors and controllers), and <b>privacy by design and default</b>. <b>Consent of users</b> for the use of their data must be <i>“freely given, specific, informed and unambiguous”</i> and <b>data portability</b> has been enabled, allowing users to move between providers with ease. Sensitive data, such as health and genetic data, have a higher level of protection and the <b>right to erasure</b>, more commonly known as the “right to be forgotten”, has been clarified.</p><p>This last provision is a headline GDPR item that has perhaps attracted the most media attention but is often misunderstood. The concept of a right to erasure already exists and can be applied through extensive interpretations of the current Data Protection Directive. However, this right will now be formally fortified by the GDPR. Importantly, this is not a carte blanche for content removal, and freedom of expression and historical and scientific research considerations remain safeguarded. That said, there will always be challenging cases and technical implementation for search engines in particular is tricky. More troubling are recent attempts to apply the right and treatment across multiple territories, an issue that is now the subject of legal challenges in the European Court of Justice and the Canadian courts, as led by Google, who has been <a href="https://www.blog.google/topics/google-europe/three-years-right-to-be-forgotten-balance/">asked</a> to delist certain search results globally.</p>
    <div>
      <h3>Cloudflare’s plan of action</h3>
      <a href="#cloudflares-plan-of-action">
        
      </a>
    </div>
    <p>Security and privacy go to the very core of Cloudflare’s value proposition and we already use “state of the art” (to use GDPR phraseology) technology and encryption as security features to ensure the confidentiality, integrity, availability and resilience of our processing systems and services. As such, we’ve been working hard to get ahead of the game and to be in full compliance before the May 2018 deadline. This in turn will help our customers and partners to prepare for GDPR compliance on their side, without operational overhead.</p><p>GDPR provides an opportunity for Cloudflare to strengthen its privacy offerings by introducing added control mechanisms for our users, and new features to help businesses, partners and vendors with their own GDPR compliance journey. We are working internally to see how best we can evolve our service with new functionalities, and are updating any agreements that need to be updated to reflect the GDPR framework. This is a full team effort at Cloudflare, as privacy will be further embedded into all of our engineering and product development processes, in addition to detailed data audits and privacy impact assessments.</p><p>While GDPR roll-out is a resource-intensive programme for any company that wishes to do it right, there are many upsides to introducing such rigour across the business and ultimately our users and partners will be the beneficiaries. Ensuring absolute trust in our services and empowering our users is something that has always been inherently important to Cloudflare, and the GDPR is an important step forwards, further clarifying, enabling and advancing individual privacy rights.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Privacy]]></category>
            <category><![CDATA[GDPR]]></category>
            <guid isPermaLink="false">6vmGtZGVm86koAZSEJ29SD</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Data Transfers Post-Brexit: Smoothing the Transition]]></title>
            <link>https://blog.cloudflare.com/let-it-flow-let-it-flow-2/</link>
            <pubDate>Thu, 13 Apr 2017 13:06:47 GMT</pubDate>
            <description><![CDATA[ The average internet user consumes vast amounts of data on a daily basis but rarely – unless an avid follower of Max Schrems - thinks about how the data flows or the mechanisms and legal arrangements in place to make it all happen. ]]></description>
            <content:encoded><![CDATA[ <p>The average internet user consumes vast amounts of data on a daily basis but rarely – unless an avid follower of <a href="https://en.wikipedia.org/wiki/Max_Schrems">Max Schrems</a> - thinks about <i>how</i> the data flows or the mechanisms and legal arrangements in place to make it all happen. If companies like Cloudflare are doing their job well behind the scenes, you really shouldn’t have to – it just <i>works</i>, and so you can busy yourself emailing, communicating, transacting and sharing information.</p><p>Users benefit enormously from the free movement of data, and it is a highly regarded feature of living and doing business within the European Union. With the appropriate legal protections in place, scientific and societal benefits also flow along with the data, and the quality of our lives is improved immensely.</p><p>And the internet is an increasingly busy place:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/0d4xWfDrYTaIukcOb80I4/48f01740d6fe9db086ce56231891f146/IMG_5925-1.JPG.jpeg" />
            
            </figure><p><i>Image courtesy of </i><a href="https://twitter.com/lorilewis"><i>@LoriLewis</i></a><i> and </i><a href="https://twitter.com/OfficiallyChadd"><i>@OfficiallyChadd</i></a></p>
    <div>
      <h3>Let it flow, let it flow...</h3>
      <a href="#let-it-flow-let-it-flow">
        
      </a>
    </div>
    <p>The European Commission reported in a <a href="https://ec.europa.eu/digital-single-market/en/news/communication-building-european-data-economy">communication</a> earlier this year that the European Data Economy – i.e. the marketplace where digital data is exchanged as products or services derived from raw data – was estimated at EUR 272 billion in 2015, and that the value is expected to increase to EUR 643 billion by 2020, in large part thanks to ever-increasing amounts of data being generated by emerging technologies, such as the Internet of Things and Artificial Intelligence. Data is certainly big business.</p><p>Assuming no data flow restrictions (such as data localization laws), companies can more readily access performant and secure technologies, enter into new markets, develop new products and services and avail of efficiencies and cost reductions, all of which can be passed on to their customers. This is particularly important for early-stage companies such as Cloudflare, seeking to grow, invest and provide its offering to as many users as possible, and at the lowest price possible.</p><p>Having just <a href="/munich/">announced</a> our 110th data center and with more locations coming soon, our enthusiasm and love for data flows should be obvious. With 6 million+ customers, and 10% of internet (HTTPS) requests flowing through our network each month, we are definitely shifting a lot of information in order to provision our services. And almost one third of our data centers are located in Europe, an exciting and growing marketplace for Cloudflare.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3Xiiojjq0xN47e1YQbCk0w/48399dc445c25e7e470558c547369256/image00.png" />
            
            </figure><p>Cloudflare, like most companies, is working hard to ensure full and early implementation of the EU’s new General Data Protection Regulation (GDPR), which will apply to all companies offering goods and services to EU citizens as of May 2018. This is a progressive piece of legislation, which will help bolster user trust, and is perfectly in line with Cloudflare’s long-standing commitment to user privacy, transparency and business accountability. We’ll share further updates on our GDPR plans in due course.</p>
    <div>
      <h3>Importance of maintaining adequacy</h3>
      <a href="#importance-of-maintaining-adequacy">
        
      </a>
    </div>
    <p>Cloudflare’s main European office is located in London and Brexit introduces uncertainty for businesses based in the UK and beyond, which will be worked through as specific challenges arise. However, a particular issue related to data flows and transfers demands the immediate attention of policy makers and legislators.</p><p>According to a recent Frontier Economics <a href="https://www.frontier-economics.com/news/new-frontier-report-techuk-assesses-impact-brexit-uks-digital-sector/">report</a> for TechUK, 75% of the UK’s data transfer activity is with European Union countries. Those transfers, which are considered “domestic” today, quickly become foreign transfers as Brexit is implemented. It is clear that efforts must be made to maintain the stability of data transfers between EU Member States and the UK following the UK’s official departure from the European Union. Data will, in effect, need a new passport in order to travel and be processed on the other side.</p><p>The UK has committed to implement the GDPR in full notwithstanding its withdrawal from the EU, and so will continue to have a robust data protection regime in place. A finding of ‘adequacy’ for the UK by the European Commission – i.e. a legal assessment that the UK’s privacy protection regime is aligned with that of the EU - offers the least burdensome manner of retaining data flows with the EU, and the least friction for business. It is critical that this mechanism is taken seriously and is in place on Brexit Day One, so that businesses can continue to benefit from the seamless flow of data, without jumping through legal hoops and hurdles, and so that users can continue to not even notice the magic at play.</p><p>Cloudflare urges the UK Government to maintain its stated commitment to ensuring unhindered data flows after Brexit, and to work towards a strategy for achieving adequacy during the Brexit negotiations.</p> ]]></content:encoded>
            <category><![CDATA[Data]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Europe]]></category>
            <category><![CDATA[Privacy]]></category>
            <category><![CDATA[Politics]]></category>
            <guid isPermaLink="false">3oOhwZGbVFmrePh4E2Bz6s</guid>
            <dc:creator>Caroline Greer</dc:creator>
        </item>
    </channel>
</rss>