Privacy Government Network The Internet United States

Cloudflare Expands Its Government Warrant Canaries (techcrunch.com) 120

An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.

To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network. Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site.
According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0-249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.
  • by Rosco P. Coltrane ( 209368 ) on Tuesday February 26, 2019 @10:48PM (#58186912)

    to be honest and truthful, and I place about as much trust in them as any of the big data players out there. That is, not much.

    I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.

    • Yeah, seriously. Does _anyone_ actually believe this crap? We're living in Soviet America. Of fucking course Cloudflare hands over all of your data to the gubmint. I'd be really really surprised if there were any warrants involved. It's "voluntary" cooperation. (For certain values of "voluntary" that include "do it or we'll destroy your lives".)

      • Kind of like the IRS saying they depend on "voluntary compliance", but if you don't "volunteer" we'll take everything you have and put you behind bars...

    • by AmiMoJo ( 196126 )

      There is one obvious omission from their list. They say they have no law enforcement equipment on their network, but don't mention intelligence agencies. Orgs like the NSA and GCHQ are not law enforcement, they are intelligence gathering.

    • I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.

      And what's wrong with that? Companies are in business to make money, and many do so by serving the public. Their practices therefore often mirror the values of the customers they serve, and they do so to keep their customers happy. That's actually how capitalism is supposed to work.

  • ..."Don't be evil"

    We all know how it ends!
  • by Anonymous Coward on Tuesday February 26, 2019 @11:22PM (#58186978)

    "has never terminated a customer or taken down content due to political pressure"
    They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I remember this as well, but couldn't recall exactly who. Stormfront or something?

      • by Anonymous Coward

        It was The Daily Stormer.
        If they tell such a blatant lie right in the summary then why would I trust anything else they claim?

    • by WaffleMonster ( 969671 ) on Wednesday February 27, 2019 @12:32AM (#58187120)

      "has never terminated a customer or taken down content due to political pressure" They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.

      The crazy part of this is cloudflare themselves raised this same point.

      "We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like."

      https://blog.cloudflare.com/wh... [cloudflare.com]

      Apparently they decided not to even though it is obvious to everyone they did exactly this.

      Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?

      • Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?

        It's OK -- they meant well, right? And in today's political environment, it's the FEELINGS that exclusively matter, not those silly outdated concepts of actions or truth. After all, truth is relative -- and as we all know, relatives can be a PAIN when they keep showing up to family events uninvited.

        • it's the FEELINGS that exclusively matter,

          This is something very annoying about the current political climate. People don't even try to find out the truth.

      • by AmiMoJo ( 196126 )

        They are deleting comments pointing that out too.

      • by Anonymous Coward

        They didn't cave in to external political pressure. They suppressed an account that "made the claim that we were secretly supporters of their ideology". It's not the same.

  • Anyone know if there is a canary service, I mean I have a horrible memory. I'd never notice if they took something out of the site. Also, what are the limits to this? Could they have a page with say 500,000 lines of stuff saying "The government has never asked for information about company XYZ" and updating it for every customer. Or have a personalized page that only displays information in the customer portal such as "The government has never asked about you"?

    • They're not allowed to signal you in any way, so it is marketing.

      • by Vanyle ( 5553318 )

        Back in 2016 Reddit did this in their transparency report, does that mean it was illegally done? (the surveillance canary, not the service thing)

        • Nobody even knows if it was done; you'll never know unless somebody gets arrested for it. It was probably a false claim, because nobody got arrested. Or even, it actually happened months earlier, and the government told them when the correct time to trigger the canary was. That's much more reasonable than just assuming, "I read about a press release, therefore, it was true."

          Information about these things only comes out after a long time. But in the meantime, does Reddit have more power than the government in

    • There was Canary Watch, which stopped in (IIRC) 2016, for what didn't look to me like an adequately explained reason.

      They could presumably have canaries for individual customers, but I don't know about canaries that depend on taking down statements that have suddenly become false. I'd much rather rely on "We have received no National Security Letters through February 16, 2019", and when it gets into mid-March that canary looks awfully suspicious.
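The two checks raised in this sub-thread (noticing a statement that silently disappears, and treating a dated canary as suspicious once it stops being refreshed) can be automated. The sketch below is an added example, not part of any comment or of Cloudflare's or Canary Watch's tooling; the function names and the 30-day threshold are assumptions, and the snapshots are constructed from statements quoted on this page.

```python
import re
from datetime import date, datetime

# Constructed snapshots of a canary page, taken on two different days.
OLD = """\
Cloudflare has never modified customer content at the request of law enforcement or another third party.
Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
We have received no National Security Letters through February 16, 2019.
"""
NEW = """\
Cloudflare has never modified the intended  destination of DNS responses at the request of law enforcement or another third party.
We have received no National Security Letters through February 16, 2019.
"""

DATED = re.compile(r"through (\w+ \d{1,2}, \d{4})")

def statements(text):
    """Map a normalised key (collapsed whitespace, lowercase) to each statement,
    so cosmetic edits are not reported as a removed canary."""
    out = {}
    for line in text.splitlines():
        s = " ".join(line.split())
        if s:
            out[s.lower()] = s
    return out

def removed(old, new):
    """Statements present in the old snapshot but missing from the new one."""
    old_s, new_s = statements(old), statements(new)
    return [old_s[k] for k in sorted(old_s.keys() - new_s.keys())]

def stale_dated(text, today, max_age_days=30):
    """Dated canaries whose asserted date is older than max_age_days (assumed policy)."""
    stale = []
    for s in statements(text).values():
        m = DATED.search(s)
        if m:
            asserted = datetime.strptime(m.group(1), "%B %d, %Y").date()
            age = (today - asserted).days
            if age > max_age_days:
                stale.append((s, age))
    return stale

if __name__ == "__main__":
    for s in removed(OLD, NEW):
        print("REMOVED:", s)
    for s, age in stale_dated(NEW, date(2019, 3, 20)):
        print(f"STALE ({age} days):", s)
```
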

  • Why can't a business publish a whole table of warrant canaries, including each concerned stakeholder? Each customer could have an entry with their name or pseudonym. If a subpoena for Bob were received, the entry reading "We have received no subpoenas regarding Bob" would be removed, but John, Mary, and Mike would still have their entry.
    • by Anonymous Coward

      yes with a blockchain

  • Oh, we never did any of this at the request of law enforcement or another third party. Only at our own discretion.

    (sorry, couldn't resist)

  • What on Earth made people believe courts in most jurisdictions couldn't just order a company to do X, that happens to include NOT touching the canary text?

  • They had a chance to make their moral stand, and they backed down.

    ( -a moral stand is when you defend assholes doing something legal, even when they are still being assholes- )
  • by jaa101 ( 627731 ) on Wednesday February 27, 2019 @06:00AM (#58187634)

    In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment. Cloudflare appears to operate in Australia so I wonder how they plan to deal with that issue. I also suspect that Australian agencies would be willing to use the powers they have here to assist other Five Eyes governments.

    • Hmmm. They don't really say anything about warrants; i.e. 'we have received no warrants requiring us to turn over SSL keys,' they talk about actions, i.e. 'To date, we have not turned over any SSL keys.' Maybe that's the difference?
    • "In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment."

      So you are saying Australians cannot legally say they haven't ever been served a warrant if they haven't? Is that a specific law? Can they say they are definitely not undercover cops, if they aren't? Can you never deny anything, just in case the govt may have compelled you in some manner?

  • by Anonymous Coward

    Much of that post is pure bullshit. Cloudflare HAS terminated users for political reasons. The Daily Stormer termination was a personal request by Cloudflare's CEO himself. I don't necessarily agree with the group but to say they don't take political positions is an outright lie.

    As for the service itself, they and many others continued to deny SSL had been broken despite reports of it dating back at least to Wikileaks first few releases. Fact is things like SNI and DNS still leak enough data that yes

  • by Anonymous Coward

    I'll be awful glad when they catch all the terrorists & we can have our rights back. ....any day now.
