Does Cloudflare have a *TOTAL* privacy option that we can pay for?

We are starting a company that revolves around complete privacy. That would mean no reselling of data, or using data for any purpose other than serving the functions deemed necessary for the service to be provided such as load balancing, routing, ddos prevention.

We understand your business has put in writing:

“CloudFlare is the sole owner of the information collected on this site and through any CloudFlare service. As visitors browse our web site, or your sites if they are protected by CloudFlare, we sometimes track them in order to provide a better service.”

How do we opt out? Is there a total privacy option? I hear that’s a new idea making a comeback.

I sent this as a message to cf directly, but a bot informed me that “the community” should do this work for Cloudflare for free, and while I found that ironic at first I think it is only fitting for someone not being paid to tell me there is in fact no way on this platform to give users privacy.

So how about it, is there another offering so people can be anonymous and companies can keep their data which is “where the money is”? (or Cloudflare would not be taking so much of it)

The price of this option would reflect the value of the data taken for sure.

In case this was not clear:

It’s ok to collect data to protect my data, however it’s not ok to “anonymise” and resell data. That word has become meaningless as we have known for over a decade that buying multiple data sets allows profiles to be built and then the “anonymous” data is no longer anonymous.

Cloudflare won’t sell your data nor collect anything that isn’t strictly needed.
That being said, some people will be paranoid about some of the features that Cloudflare has to offer, particularly the Bot management/fight mode, which have the most ““invasive”” measures. But again, it’s invasive for those that take things to a level that could be compared with obsession; normal people, especially if they are reasonable, understand that the checks and data collected are required to mitigate more sophisticated bots.

Not unless you’re using Enterprise Spectrum. Otherwise, Cloudflare can see all proxied data that is traversing their network.

Thanks for the input. However, I am asking a legal question on a forum, and only the company can answer it. I value your opinion and look forward to hearing the company’s official response on whether my company’s data will be sold.
I mean, only they can give me an answer that my legal compliance would accept. I posted it here because cf demands by bot that I do this first, and then after 3 days of me repeating that only an official company response can be accepted. It is what it is.

Now this is a great answer, thank you. Any idea what the cost is to have privacy for my visitors? Even a guesstimate or ballpark? Perhaps I have to call to ask?

Enterprise starts at several thousand dollars per month, and Spectrum is usually an add-on, as are many specialized Enterprise features. Spectrum takes out the MITM part of the proxy and just passes requests straight through. That may be less desirable, as it has less insight into traffic details that may reveal malicious intent. But there’s still the issue of logging visitor IP addresses and what they do with that data.

With all that in mind, it really depends on what your need is for looking into Cloudflare, as you will have to let them see into your traffic to provide maximum service.


This is 99% of what I needed to know, thank you very much.

So I see data in 3 ways.

Let us start with “Good” data. This is data that CF needs to perform its job, the same as a Brinks armoured truck. Those drivers know what they need to know, and do not sell, trade, share, or have access or the ability to divulge the information about the delivery, client particulars, etc. The bank pays Brinks to do their job and expects them to not own, sell, or share any information about the bank with anyone. No scorecard “research” cookies unless it’s used to provide a service to me.

Now there is “bad” data. This is data that CF could sell, share, or “anonymise” for export for compensation from another party. This is what we do not want. Making data anonymous for analysis internally is understood, using it externally and making it anonymous to sell is not a feature we want. Imagine if Brinks had a cheaper model where for less money, they would sell anonymised data about who uses the bank, how large the cash drops are, and so on. This is not ideal, and this mentality leads to a zero sum game where one competitor can buy another company’s data. This is why we do not use Google products, they are useless. We built our own survey server, so no need for Google surveys. We built our own email servers and added 3 gateways, so no need for “free” email service while we have our own. We will not trade our clients’ data for a smaller up-front cost, as we acknowledge that client privacy in the long run is worth protecting.

This brings us to the “Grey” data. We do clearly understand that data gathered from our customers will be put in a pot, mixed up with all the clients, and under analysis will be used to help other Cloudflare users, in such cases as bot detection, rogue ips blocks, and whatever else one could imagine to be mutually harmful to the community. This data usage also helps my company and that’s ok. This is the same as Brinks sharing data with the FBI that concerns bank robbers.

I am not comfortable with CF learning my customers’ habits of what they buy, sell, and do online, and it’s that data that I would want separated and isolated so that if/when Cloudflare is acquired, sold, or merges with another company, my company’s data goes with our company for export, and thus that data is not accessible to the new parties. We want to know how we would be able to take it with us.

We would not want Brinks to install a camera system, facially recognise all of our customers, observing how much money my customers deposit, withdraw, or reading our customers’ IDs and checking their registered vehicles against a database to see where my customer went anytime in their lives for the purpose of CF selling that data in that form to other parties.

Again, I stress it’s ok to synthesise protection mechanisms based on what CF learns about bad actors into a positive tool. It is not ok to simply sell any data relating to my customers that could be disseminated by a competitor to gain the upper hand.

We understand that any company can buy 10 tranches of “anonymised” data (like the data CF would possess) and create an accurate profile of an entity. So the term anonymous loses its meaning when it is applied to data gathering because once we put it all in a pot, the value of connecting the dots (the CF data pool) is worth more than the pieces (my data for example).

“True privacy” is the way the world used to function, and is what people are asking for now. They want the right to be forgotten. It is possible to do such, however it requires advocates like me and knowledgeable people like yourself to look at what was and be able to untangle the technogibberish that has erased the clear definition of privacy into a sub-part of a 200+ page TOS amongst the 200+ companies people use daily transparently.

So I seem to understand what you are stating here is that my company’s data won’t be gathered to be sold as a product that could harm my company i.e. opposition research. My personal data as the person who registered this product will also be kept private, not sold in any way shape or form, anonymised or not.

As an all-conclusive summary, we understand the CF service is based on gathering data, processing it in a proprietary way, and selling protective services to us all using the knowledge gleaned from my company’s and everyone else’s data, nothing more.

If this is the scenario, I will put my tinfoil hat back in a box. Otherwise, I have to wear it while I go shopping for a service that clearly will protect my personal privacy and my customers.

You need to read the Privacy Policy, but it covers off some of your concerns at the very beginning:

We will not sell or rent your personal information to anyone.

Oh yes, my personal data is covered, so I as an individual am covered.
I do not see such clarity on my company data, I probably missed it.

I did just get off a call with sales and it seems they have to word their policy in a tortured way to allow them the latitude to use the data to make judgement calls on which traffic or actions are good and bad, and then those judgements are output for a service, i.e. DDoS, etc.

From the call I gathered that CF does not directly sell my company’s data either as a direct product, or as an anonymised industry product that another company in my industry could use against us. I am looking forward to reading that fine print, and then sending it to compliance for the final go ahead. It seems solid as of the moment though, and that’s a relief.


