Don’t trust Cloudflare with your personal data

by @edent | # # # | 11 comments | Read ~9,254 times.

It has been over a year since I cancelled my Cloudflare account. They keep emailing me and haven’t taken me off their marketing lists despite repeated requests. Their CTO told me he would investigate, but nothing changed. Their Data Protection Office hasn’t respond to my requests.

Cloudflare do not appear to respect the GDPR.

I’ve escalated this to the highest levels of Cloudflare, but they just don’t seem to be able to take any action. This is concerning.

JGC promising he'll look into it.

Sadly, John Graham-Cumming – the CTO – deleted his Tweet saying that he’d look into it. I assume that JGC doesn’t like his personal data being misused. If only I were able to delete my personal data from Cloudflare, eh?

Luckily, the Internet Archive has a backup

Despite promising an investigation and a response from their Data Protection Office – I’ve received no assurance that they have respected my rights.

Timeline

At the start of August last year, I cancelled my Cloudflare account. I received confirmation from them that I was no longer a customer. My login was disabled. That should have been the last I heard from them.

Two months later, I received an email update about their privacy policy.

Email with CloudFlare's new privacy policy.

I complained on Twitter, and their CTO promised he’d look into it:

(Again, tweet deleted, but saved in the Internet Archive)

I never heard back from John. But one of his minions sent me this:

When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations.

*Pffft* Whatever. No mention of that is made in their privacy policy.

At the end of August this year – well over 12 months after I unsubscribed – I received another email from Cloudflare. This time apologising for their downtime!

There was no option to unsubscribe. I’m not a customer – but apparently I still have to receive emails from them.

I got a message from someone at Cloudflare who said that they have multiple customer mailing lists and they are rarely in sync with each other. They don’t have a good idea of who they are sending emails to, or whether people have consented. I think this is unacceptable for a company of this size to be so lax about their GDPR obligations.

I asked Cloudflare to report this breach to the Information Commissioners Office, and I suggested that they may need to notify the SEC if they are expecting a large fine. They may also need to let investors know if they have misrepresented their customer numbers.

I asked JGC and Cloudflare PR for a comment – but they were not inclined to provide one. They said their DPO would get back to me last week, but I heard nothing.

At this point, I can only conclude that Cloudflare do not respect their users’ privacy. Cloudflare has no idea who its customers are, nor how many they have. Cloudflare doesn’t care about your data rights.

CLOUDFLARE’S PROMISE

Our mission to help build a better Internet is rooted in the importance we place on establishing trust with our Customers, users, and the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems.
Cloudflare’s privacy policy

*bitter laugh*

11 thoughts on “Don’t trust Cloudflare with your personal data

  1. Yikes. Expect better

  2. I see that he says it is now fixed. A tenner says it’s not 🙂

    And his “I delete all tweets after 3 weeks” is er interesting from a corporate governance perspective.

  3. AntiSol says:

    “Our mission to help build a better Internet”

    Then why do you break a large percentage of the internet for anybody running TOR, or who dares to use a browser that isn’t chrome or firefox?

  4. R.V.Klein says:

    Why does somebody working at a company doing internet content distribution network stuff delete their tweets? I would think that somebody in their position might be a bit more keen on policies regarding data retenti– oh, right then.

  5. Andy Piper says:

    Where did you see him say this? I can’t find a Tweet today that states this.

  6. Cloudflare keeps sending emails over a year after account was cancelled shkspr.mobi/blog/2020/09/d… (news.ycombinator.com/item?id=246057…)

  7. Are we surprised by CF?

    Orgs are allowed to retain the minimal amount of data to respect your opt out (otherwise if they lawfully buy another marketing list, they won’t be able to take you out) so for emails this is usually forgetting name, etc but just remembering your email.


  8. If @Cloudflare can’t handle simple opt-out for marketing emails, how do they handle the immense amount of traffic and DNS information? #Privacy #GDPR #dataprotection

  9. so this is the company mozilla wants to send all our dns requests to shkspr.mobi/blog/2020/09/d…

  10. And that’s before one even starts digging into their repurposing of ‘security and performance’ analytics to profit from the data/profiling industry. Cloudflare and the other CDNs are on very thin ice with these practices.


Leave a Reply

Your email address will not be published. Required fields are marked *