Cloudflare Expands Its Government Warrant Canaries (techcrunch.com) 120
An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.
To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network. Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site. According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0-249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.
Of course, that implies you trust CloudFlare (Score:5, Insightful)
to be honest and truthful, and I place about as much trust in them as any of the big data players out there. That is, not much.
I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.
Re: (Score:3)
Couldn't the same order that requires that they not disclose they are being investigated also include implicit disclosure to that effect?
Warrant canaries could reasonably constitute such implicit disclosure if they took them down or altered their update policy in any way that is commensurate with any previously made announcement to that effect.
Re: (Score:1)
"Implicit disclosure" would be pretty impossible to prove in court. Canaries have been utilized effectively in the past, so unless you know something about law I don't and nobody else seems to, I'd say they still serve "some" role.
Re: (Score:3)
Re: (Score:2)
Except, as I said, they *DO* disclose the information by following through with the exact course of action that they previously said they would.
I'm suggesting that if they've already announced in advance that the canary will die if they are investigated, then its death upon being investigated is nothing more or less than a covert way to disclose they are being investigated when they aren't supposed to. Covert disclosure is still disclosure, however, and therefore it seems like that should still be conte
Re: (Score:2)
How do you figure that simply repeating what was already said and I have already provided counter to actually negates what I had said, above?
As I said... anything that they may deliberately choose which in some way effectively does disclose that they are under investigation is isomorphically equivalent to any other manner of disclosure, which again, one could be forbidden from doing.
Re:Of course, that implies you trust CloudFlare (Score:5, Informative)
Couldn't the same order that requires that they not disclose they are being investigated also include implicit disclosure to that effect?
Warrant canaries could reasonably constitute such implicit disclosure if they took them down or altered their update policy in any way that is commensurate with any previously made announcement to that effect.
Actively taking a canary down in response to subpoena is obviously the same thing as disclosing the existence of a subpoena.
Good warrant canaries are designed to avoid this problem by self destructing on their own when neglected.
The distinction / legal argument here is government cannot compel speech in the form of positive effort required by an individual to maintain existence of canary who no longer wishes to do so.
Re: (Score:2)
Re:Of course, that implies you trust CloudFlare (Score:5, Insightful)
The effect is the same -- but the government can only order you to shut up, it can't order you actively tell lies to people. For now.
Re: (Score:2)
When was that ever true?
And, they're not requiring that you lie, you're putting yourself in the position of violating the order by telling the truth, so you end up having to lie to stay out of jail. That's all on you! If you understand you can't disclose it, you're not imagining a fake "loophole." There is no loophole; doing a canary is actively disclosing; the lie you're telling is the original one where you promise to do the canary thing, even though you're not allowed to actually do it. When you later ha
Re: (Score:2)
I understand the principle, but if they had already publicly promised that the only reason they won't continue to maintain the canary is if they are investigated, when that is exactly what they end up doing, they are still making a conscious choice that has the effect of disclosing to the public what has happened, which
Re: (Score:2)
As I have said, this has nothing to prove with intent to disclose, it has to do with the fact that not maintaining a canary such that it expires effectively *IS* disclosure.
If you can show how a warrant canary dying is not entirely equivalent to any other form of disclosure that happens to only be applicable if someone else knew what to look for, then illustrate how, instead of simply repeating your point about the NSL and contract law endlessly.
As I said... one could potentially disclose through semap
Re: (Score:2)
It's a form of legal trickery that appears to work. Usually, legal loopholes are iffy because judges tend to disregard them, but this seems to have legs.
I haven't received a government request for information about you as of February 26, 2019. That's a true statement, and it's not really possible to suppress it legally. I can keep updating the date indefinitely. The government can't crack down on that, because any infringement on free speech has to have an overriding reason, and there's no reason to
Re: (Score:2)
If they say that you are not to disclose to anyone that the investigation is happening, because canaries would be one way to disclose such information, their utilization (or more specifically, their expiration) could still be considered deliberate disclosure, because you are still wilfully altering some operational p
Re: (Score:2)
First, there's no law against putting canaries up before you get a secret request.
Second, the government cannot force you to lie. That's been true for about forever. Under some circumstances, the government can force you to say certain things, but not to lie.
By having a canary, you aren't telling anyone that you've got a secret request. You're just not telling anyone you don't have. This can have strong implications.
So, again, what legal mechanism is going to stop this?
Re: (Score:2)
Of course not.
Also true, but if you've contrived your circumstances beforehand so that the only way you can avoid communicating that you're being investigated if or when it happens to you is to lie, is that the government's fault?
Not by merely having a canary in the first place, no.... but by deliberately p
Re: Of course, that implies you trust CloudFlare (Score:2)
Yes, it has that effect, but the "self-destruct" idea is to set it up so there's no other choice. I'm not sure what company I first heard this about, or how it relates to these Transparency Reports, but the way I remember it, the statement was included in official documents filed with the SEC. (Something like "Number of Disclosures: 0" in a state-of-the-company section.) Falsifying information in one of those would be unthinkable(!), so there'd be no choice but to stop including that line. Poof!
Re: (Score:2)
Who are the rightful masters of the Government?
Writing the canary in the first place is an act of contempt.
Do we acquiesce simply because threat of government is too great? Wouldn't this be prima facie evidence that we already live in a tyranny?
Think about what we all are saying here, that government can compel you to say things, a violation of 1st and 5th Amendment rights, all so the government can spy on us, its citizens, undetected.
And if that is the case, we've already lost our Republic.
Re: (Score:2)
Do we acquiesce simply because threat of government is too great? Wouldn't this be prima facie evidence that we already live in a tyranny?
No. You do realize that every law on the books today is an expectation that people will "acquiesce" because the threat of government is too great, I hope. Even such obvious laws like stopping at a stop sign. The expectation is that people will stop at stop signs because the threat of getting a ticket is too great. Unless you want to call "stop signs" prima facie evidence of tyranny...
Think about what we all are saying here, that government can compel you to say things, a violation of 1st and 5th Amendment rights,
The 5th amendment is protection against self-incrimination. Requiring a company to keep saying that they have received no not
Re: (Score:2)
And this is how Nazis come to power.
Re: (Score:2)
Contempt of what? Contempt in general is legal. Contempt of court is not, but what court? Until the NSL or warrant arrives, the courts are not involved, and therefore writing the canary is legal. In the US, you can't be legally stopped from saying something out of concern of what might happen in the indefinite future. So, for it to be illegal, there would have to be contempt of some particular court.
Re: Of course, that implies you trust CloudFlare (Score:2)
"Contempt of what?" -- Exactly, and that's the brilliance of it! At the time you write it, you've never received any such order. You're aware that such things exist, though you have no specific knowledge as to whether you will ever receive one. Still, they represent a risk to your ability to provide the service your customers rely on; all available information regarding them is therefore clearly important to your shareholders. Seems you're almost *obligated* to include that in your SEC filings, right? At le
Re: Of course, that implies you trust CloudFlare (Score:2)
By the way -- again, I don't remember what company this was in reference to, I have no idea how it may relate to CloudFlare's statements, and I might just be imagining the whole thing, but -- I think the context was that some company had been including something like "Number of National Security Letters Received: 0" in their quarterly reports, or some such official documents, and then one day someone noticed they'd stopped doing so, and they wouldn't comment on it.
Re: (Score:2)
I would suggest that while the canary itself certainly can't be contempt, whatever changes in policy that a person deliberately makes that communicates the information they are supposed to be prohibited from disclosing would be. Allowing a canary to die in response to a secret government investigation *IS* still ultimately willful disclosure, it is simply disclosure that is being attempted via a covert communication mechanism.
So yes.... it's contempt. It's just contempt that one might have a fair chan
Re: Of course, that implies you trust CloudFlare (Score:2)
At the time you write it, you have never received any such order, nor do you have any specific knowledge that any such order will ever exist.
No court has ever ordered me not to tell you that I'm wearing pants right now. It's possible that one could do so in the future. Must I refrain from talking about my pants-wearing status now, for fear of some such future order?
"conspiring to violate a court order" -- conspiring with your own future self?
"act of contempt" -- contempt of a time-traveling order that binds
Re: (Score:2)
In the case of a warrant canary, the act of contempt happens *after* you've received the order, by deliberately changing some internal policy so that the canary dies, thereby informing anyone who is looking for the canary of the existence of the investigation.
It is absolutely no different than explicitly communicating the existence of the investigation through any other covert communication mechanism, be it sign language, flag semaphores, or a fictional language like Klingon or Tolkien's Elvish. The onl
Re: (Score:3)
Good warrant canaries are designed to avoid this problem by self destructing on their own when neglected.
I doubt that would stand up in court though. If you deliberately set things up so that the fact you received a secret subpoena will be disclosed by your inaction, all you really did is demonstrate intent to violate the secrecy requirement through pre-meditation.
Courts tend not to be impressed with this kind of argument, and those who claim to have asked lawyers about it (such as Moxie Marlinspike) say they were advised against it.
Some orgs have tried things like having multiple people sign the canary, each
Re: (Score:2)
That is not all you did.
What you also did was engage in civil protest about legislative hypocrisy.
For reputational reasons, the government wants to pretend that compelled secrecy is not equivalent for forcing non-governmental bodies (individuals, cor
Re: (Score:2)
In practice doesn't the government usually just start ranting about terrorists to justify these things? I don't live in the US but in the UK it rarely gets any media coverage anyway.
Re: (Score:2)
I doubt that would stand up in court though. If you deliberately set things up so that the fact you received a secret subpoena will be disclosed by your inaction, all you really did is demonstrate intent to violate the secrecy requirement through pre-meditation.
Courts tend not to be impressed with this kind of argument, and those who claim to have asked lawyers about it (such as Moxie Marlinspike) say they were advised against it.
Some orgs have tried things like having multiple people sign the canary, each in a different legal jurisdiction. But that doesn't really help either, unless all parties have some way of detecting when one of them is served with a secret subpoena, which seems far-fetched. It also doesn't really protect the person receiving the subpoena as it is actually just a conspiracy to thwart the court's legally issued order.
Unfortunately, canaries are not reliable, either for detecting subpoenas/LEA requests or for protecting the person issuing them.
Why not just cut and paste the entire Wikipedia article while you're at it?
Re: (Score:2)
Except that I'm not demonstrating intent to violate the law by writing a canary. I'm writing a true statement. It isn't fighting words. It isn't creating an imminent problem. It isn't defamatory. In the US, there has to be a very good reason to prevent me from writing and publishing a true statement. Even if I'm demonstrating intent, that's not illegal. If I say I'm going to murder someone, that's enough to get a police investigation going, but it isn't illegal per se. I can't be punished until I a
Re: (Score:3)
Do you understand the point of a warrant canary? You'd prefer they didn't have one, do this action expanding them? Or are you just one of those that likes to bitch and FUD based on nothing tangible or able to even be referenced?
Okay, I'll spell it out for you:
How about the canaries are just a tool to get good press, and CloudFlare is perfectly happy to roll over when they get a warrant without telling you?
Do you trust CloudFlare to actually update the canaries when they get one? I don't: they're under no ob
Re: (Score:2)
You should damn well know that false advertising is a crime, and the government cannot legally compel anyone to commit a crime.
The warrant canaries, by their public and noted presence, are advertising.
Try again when you understand these finer points of law.
Re: (Score:2)
"srsly plz stop saying your stupid law thoughts"
I find that endlessly hilarious given I've beaten EA, Sony, and now Enterprise Rent A Car in court.
Try again when you actually have a winning legal track record of any sort, moron.
Re: (Score:2)
Updating the canaries to signify that a warrant has arrived would be illegal. Cloudflare would cease to update the canaries. They can't be required to lie.
Re: Of course, that implies you trust CloudFlare (Score:2)
Yeah, seriously. Does _anyone_ actually believe this crap? We're living in Soviet America. Of fucking course Cloudflare hands over all of your data to the gubmint. I'd be really really surprised if there were any warrants involved. It's "voluntary" cooperation. (For certain values of "voluntary" that include "do it or we'll destroy your lives".)
Re: (Score:2)
Kind of like the IRS saying they depend on "voluntary compliance", but if you don't "volunteer" we'll take everything you have and put you behind bars...
Re: (Score:3)
There is one obvious omission from their list. They say they have no law enforcement equipment on their network, but don't mention intelligence agencies. Orgs like the NSA and GCHQ are not law enforcement, they are intelligence gathering.
Re: (Score:2)
I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.
And what's wrong with that? Companies are in business to make money, and many do so by serving the public. Their practices therefore often mirror the values of the customers they serve, and they do so to keep their customers happy. That's actually how capitalism is supposed to work.
Re: (Score:2)
I sent Cloudflare a DMCA take down notification a while back (someone was illegally hosting a copy of some of our source code that had been leaked) and it seemed to work.
Also Google had that Warrant Canary... (Score:2)
We all know how it ends!
Re:Also Google had that Warrant Canary... (Score:5, Insightful)
..."Don't be evil"
I’d argue that “canary” functioned as we’d want - when it disappeared, we should’ve had a pretty good idea what was coming.
Re: (Score:2)
..."Don't be evil"
I’d argue that “canary” functioned as we’d want - when it disappeared, we should’ve had a pretty good idea what was coming.
It hasn't disappeared. It's still in the Code of Conduct, it just moved from the preface to the conclusion.
shilling reporting (Score:3, Insightful)
"has never terminated a customer or taken down content due to political pressure"
They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.
Re: (Score:2, Insightful)
I remember this as well, but couldn't recall exactly who. Stormfront or something?
Re: (Score:1)
It was The Daily Stormer.
If they tell such a blatant lie right in the summary then why would I trust anything else they claim?
Re:shilling reporting (Score:5, Insightful)
"has never terminated a customer or taken down content due to political pressure" They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.
The crazy part of this is cloudflare themselves raised this same point.
"We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like."
https://blog.cloudflare.com/wh... [cloudflare.com]
Apparently they decided not to even though it is obvious to everyone they did exactly this.
Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?
Re: (Score:2)
Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?
It's OK -- they meant well, right? And in today's political environment, it's the FEELINGS that exclusively matter, not those silly outdated concepts of actions or truth. After all, truth is relative -- and as we all know, relatives can be a PAIN when they keep showing up to family events uninvited.
Re: (Score:2)
it's the FEELINGS that exclusively matter,
This is something very annoying about the current political climate. People don't even try to find out the truth.
Re: (Score:2)
They are deleting comments pointing that out too.
Re: (Score:1)
They didn't cave in to external political pressure. They suppressed an account that "made the claim that we were secretly supporters of their ideology". It's not the same.
Canary service? (Score:2)
Anyone know if there is a canary service, I mean I have a horrible memory. I'd never notice if they took something out of the site. Also, what are the limits to this? Could they have a page with say 500,000 lines of stuff saying "The government has never asked for information about company XYZ" and updating it for every customer. Or have a personalized page that only displays information in the customer portal such as "The government has never asked about you"?
Re: (Score:3)
They're not allowed to signal you in any way, so it is marketing.
Re: (Score:2)
Back in 2016 Reddit did this in their transparency report, does that mean it was illegally done? (the surveillance canary, not the service thing)
Re: (Score:2)
Nobody even knows if it was done; you'll never know unless somebody gets arrested for it. It was probably a false claim, because nobody got arrested. Or even, it actually happened months earlier, and the government told them when the correct time to trigger the canary was. That's much more reasonable than just assuming, "I read about a press release, therefore, it was true."
Information about these things only comes out after a long time. But in the meantime, does Reddit have more power than the government in
Re: (Score:2)
There was Canary Watch, which stopped in (IIRC) 2016, for what didn't look to me like an adequately explained reason.
They could presumably have canaries for individual customers, but I don't know about canaries that depend on taking down statements that have suddenly become false. I'd much rather rely on "We have received no National Security Letters through February 16, 2019", and when it gets into mid-March that canary looks awfully suspicious.
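A staleness-and-removal check along the lines of the dated canary described in the comment above, added here as an example and not part of the thread or of any Cloudflare tooling. The three statements are copied from the story summary; the dated-line regex, the 31-day window and the sample pages are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

# Statements to watch, copied from the story summary on this page.
BASELINE = [
    "Cloudflare has never modified customer content at the request of "
    "law enforcement or another third party",
    "Cloudflare has never modified the intended destination of DNS responses "
    "at the request of law enforcement or another third party",
    "Cloudflare has never weakened, compromised, or subverted any of its "
    "encryption at the request of law enforcement or another third party",
]

# Dated wording proposed in the comment above; matching it this way is an assumption.
DATED = re.compile(
    r"received no national security letters through ([a-z]+ \d{1,2}, \d{4})"
)


def normalize(text):
    """Straighten quotes, collapse whitespace and lowercase, so that
    re-wrapping or re-typesetting a page is not mistaken for a removal."""
    for curly, plain in (("\u2019", "'"), ("\u201c", '"'), ("\u201d", '"')):
        text = text.replace(curly, plain)
    return re.sub(r"\s+", " ", text).strip().lower()


def check_canary(page_text, today, max_age_days=31, baseline=BASELINE):
    """Return which baseline statements are gone and whether the dated
    statement is still fresh. Fails closed: no parsable date means not alive."""
    page = normalize(page_text)
    missing = [s for s in baseline if normalize(s) not in page]

    through = None
    match = DATED.search(page)
    if match:
        try:
            through = datetime.strptime(match.group(1), "%B %d, %Y").date()
        except ValueError:
            through = None  # date-shaped text that is not a real date

    age_days = (today - through).days if through else None
    # A future "through" date is treated as not fresh rather than trusted.
    fresh = age_days is not None and 0 <= age_days <= max_age_days
    return {
        "missing": missing,
        "through": through,
        "age_days": age_days,
        "alive": fresh and not missing,
    }


# Constructed sample pages (only the quoted statements come from the story).
PAGE_OK = """
Cloudflare has never modified customer content at the request of law
enforcement or another third party.
Cloudflare has never modified the intended destination of DNS responses
at the request of law enforcement or another third party.
Cloudflare has never weakened, compromised, or subverted any of its
encryption at the request of law enforcement or another third party.
We have received no National Security Letters through February 16, 2019.
"""
PAGE_REMOVED = PAGE_OK.replace(
    "Cloudflare has never modified the intended destination of DNS responses\n"
    "at the request of law enforcement or another third party.\n", "")

if __name__ == "__main__":
    for label, page, day in [
        ("fresh", PAGE_OK, date(2019, 2, 26)),
        ("mid-March", PAGE_OK, date(2019, 3, 20)),
        ("statement removed", PAGE_REMOVED, date(2019, 2, 26)),
    ]:
        print(label, check_canary(page, day))
```

A page with no parsable date is reported as not alive, so the monitor reacts to silence as well as to an explicit removal.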
Re: (Score:2)
The Daily Stormer found itself another host, which shows that freedom of speech still works.
Finely grained warrant canaries (Score:2)
Re: (Score:1)
yes with a blockchain
at the request of law enforcement or another third (Score:2)
Oh, we never did any of this at the request of law enforcement or another third party. Only at our own discretion.
(sorry, couldn't resist)
Serious question (Score:2)
What on Earth made people believe courts in most jurisdictions couldn't just order a company to do X, that happens to include NOT touching the canary text?
It's kind of an empty gesture now (Score:2)
( -a moral stand is when you defend assholes doing something legal, even when they are still being assholes- )
Some Warrant Canaries are Illegal in Australia (Score:4, Interesting)
In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment. Cloudflare appears to operate in Australia so I wonder how they plan to deal with that issue. I also suspect that Australian agencies would be willing to use the powers they have here to assist other Five Eyes governments.
Re: (Score:2)
Re: (Score:2)
"In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment."
So you are saying Australians cannot legally say they haven't ever been served a warrant if they haven't? Is that a specific law? Can they say they are definitely not undercover cops, if they aren't? Can you never deny anything, just in case the govt may have compelled you in some manner?
Lies or Canary itself? (Score:1)
Much of that post is pure bullshit. Cloudflare HAS terminated users for political reasons. The Daily Stormer termination was a personal request by Cloudflare's CEO himself. I don't necessarily agree with the group but to say they don't take political positions is an outright lie.
As for the service itself, they and many others continued to deny SSL had been broken despite reports of it dating back at least to Wikileaks first few releases. Fact is things like SNI and DNS still leak enough data that yes
I'll be awful glad (Score:1)
I'll be awful glad when they catch all the terrorists & we can have our rights back. ....any day now.