posted by janrinok on Sunday August 17 2014, @05:19PM   Printer-friendly
from the a-little-bird-told-me...6-months-ago dept.

El Reg reports

Edward Snowden-endorsed cloud storage provider SpiderOak has added an additional safeguard to ensure that its users' data doesn't fall into the hands of law enforcement without their knowledge, in the form of a "warrant canary." The term takes its inspiration from the practice of bringing actual canaries into coal mines that could potentially be filled with invisible noxious gases. If the bird drops off its perch, you know something's wrong.

Similarly, a warrant canary is a device that's designed to let you know that something has gone wrong with an online service, even when there are no obvious signs of trouble. In this case, "trouble" means the service provider has been ordered by a court to turn over user data, but a gag order prevents it from disclosing that fact. The service provider can't tell you that a secret warrant exists. But it can stop telling you that everything's OK -- drop off its virtual perch, if you will.

In SpiderOak's case, the "canary" will take the form of a web page that's refreshed periodically with a message explaining that everything is hunky dory, along with a newspaper headline to help verify the date it was last published.

"The canary will be around as long as everything is going smoothly, otherwise it's not going to be updated in the expected timeframe," the company explained in a blog post announcing the new policy.

The canary message will be digitally signed by three separate SpiderOak staffers, who will be chosen based on their geolocations. [...] If there's a catch to SpiderOak's plan, however, it's the interval between canary updates. Initially it thought refreshing it monthly would be a good idea, but then it decided that was too short a period, because it would likely take longer than a month to fight a warrant in court, where possible.

"In cases such as SpiderOak, killing a canary can quite possibly mean killing the business, so we switched to publishing the canary every 6 months," the company said. "It indeed sounds like a lot of time, but it's the best compromise we've found."
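As an added example, not SpiderOak's code and not the verification steps from its blog post: the client side of the scheme the article describes, written in Go. It takes the published statement and a detached signature from each of three staff members (Alice, Bob and Eve, hypothetical signers whose ed25519 keys stand in for whatever key type SpiderOak actually uses), requires a quorum of valid signatures, and treats a statement older than the interval as a dead canary. The `Date:` header it parses is an assumption; the real page relies on a newspaper headline, which only a human can check against the calendar. It also covers the point raised in the comments below: a signer who publishes a key revocation kills the canary at once, even when the remaining signatures would still satisfy the quorum, so the check fails closed instead of waiting for the six-month window to run out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Signer is one staff member whose key the verifier trusts.
type Signer struct {
	Name    string
	Pub     ed25519.PublicKey
	Revoked bool // set once the signer publishes a revocation for this key
}

// Policy: which keys count, how many must sign, how old a statement may be.
type Policy struct {
	Signers []Signer
	Quorum  int           // minimum valid signatures from unrevoked keys
	MaxAge  time.Duration // SpiderOak's interval is six months
}

// Canary is the published statement plus one detached signature per signer.
type Canary struct {
	Statement  string
	Signatures map[string][]byte // signer name -> ed25519 signature over Statement
}

// NewSigner makes an ed25519 key pair (assumption: stands in for the real key type).
func NewSigner(name string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub}, priv
}

// ParseIssued reads the assumed "Date: YYYY-MM-DD" header (the real page uses a headline a human checks).
func ParseIssued(statement string) (time.Time, error) {
	for _, line := range strings.Split(statement, "\n") {
		if strings.HasPrefix(line, "Date:") {
			return time.Parse("2006-01-02", strings.TrimSpace(strings.TrimPrefix(line, "Date:")))
		}
	}
	return time.Time{}, fmt.Errorf("statement has no Date: header")
}

// Verify reports whether the canary is alive and, if not, why. Anything not
// positively confirmed counts as dead: a missing, future or stale date, a bad
// signature, too few good signatures, or a revoked key (even if quorum is met).
func Verify(c Canary, p Policy, now time.Time) (bool, []string) {
	var reasons []string
	if issued, err := ParseIssued(c.Statement); err != nil {
		reasons = append(reasons, err.Error())
	} else if age := now.Sub(issued); age < 0 || age > p.MaxAge {
		reasons = append(reasons, fmt.Sprintf("date %s outside window (age %s, limit %s)", issued.Format("2006-01-02"), age, p.MaxAge))
	}
	valid := 0
	for _, s := range p.Signers {
		sig, present := c.Signatures[s.Name]
		switch {
		case s.Revoked:
			reasons = append(reasons, s.Name+": key revoked")
		case !present: // a missing signature only counts against the quorum
		case !ed25519.Verify(s.Pub, []byte(c.Statement), sig):
			reasons = append(reasons, s.Name+": bad signature")
		default:
			valid++
		}
	}
	if valid < p.Quorum {
		reasons = append(reasons, fmt.Sprintf("only %d of %d required signatures", valid, p.Quorum))
	}
	return len(reasons) == 0, reasons
}

func main() {
	alice, aliceKey := NewSigner("alice")
	bob, bobKey := NewSigner("bob")
	eve, eveKey := NewSigner("eve")
	policy := Policy{Signers: []Signer{alice, bob, eve}, Quorum: 3, MaxAge: 183 * 24 * time.Hour}
	statement := "Canary (constructed example)\nDate: 2014-08-17\nHeadline: <headline of the day>\nAll is well.\n" // constructed sample, not SpiderOak's text
	sigs := map[string][]byte{}
	for name, k := range map[string]ed25519.PrivateKey{"alice": aliceKey, "bob": bobKey, "eve": eveKey} {
		sigs[name] = ed25519.Sign(k, []byte(statement))
	}
	canary := Canary{Statement: statement, Signatures: sigs}
	day := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	report := func(label string, p Policy, now time.Time) {
		alive, why := Verify(canary, p, now)
		fmt.Printf("%-26s alive=%-5v %v\n", label, alive, why)
	}
	report("fresh, all three signed", policy, day("2014-09-01"))
	report("seven months later", policy, day("2015-03-20"))
	report("eve revoked, 2-of-3 quorum", Policy{Signers: []Signer{alice, bob, {Name: "eve", Pub: eve.Pub, Revoked: true}}, Quorum: 2, MaxAge: policy.MaxAge}, day("2014-09-01"))
}
```

Run as is, the three reports show the fresh canary alive, the same statement dead once seven months have passed, and dead again when Eve's key is revoked under a looser 2-of-3 policy. The fail-closed shape is the point: a verifier that only checked signatures would happily accept an old, correctly signed statement re-posted from a seized server, which is why the date and the revocation status are checked independently of the cryptography.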

  • (Score: 4, Insightful) by Justin Case on Sunday August 17 2014, @05:39PM

    by Justin Case (4239) on Sunday August 17 2014, @05:39PM (#82322) Journal

    Really? Someone set up a warrant canary? I thought those would be routine by now for any privacy oriented service in today's citizen-hostile environment.

    I thought the story would be that one was finally activated as planned. Then we would get to see how the concept plays out.

    • (Score: 0) by Anonymous Coward on Sunday August 17 2014, @05:47PM

      by Anonymous Coward on Sunday August 17 2014, @05:47PM (#82327)

      Yeah I thought the title meant that the "canary died" and we now know SpiderOak was compromised.

  • (Score: 3, Interesting) by zocalo on Sunday August 17 2014, @05:44PM

    by zocalo (302) on Sunday August 17 2014, @05:44PM (#82325)
    One that updates every six months, or whatever, to allow things to go through the legal process, and a second that updates much more frequently that only gets updated when bad things have either already happened or are going to happen no matter what SpiderOak's lawyers do.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 2) by zocalo on Sunday August 17 2014, @05:47PM

      by zocalo (302) on Sunday August 17 2014, @05:47PM (#82328)
      Doh! s/only gets updated/isn't updated/
      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 2, Interesting) by BlackHole on Sunday August 17 2014, @06:39PM

      by BlackHole (530) on Sunday August 17 2014, @06:39PM (#82342) Journal

      One that updates every six months, or whatever, to allow things to go through the legal process, and a second that updates much more frequently that only gets updated when bad things have either already happened or are going to happen no matter what SpiderOak's lawyers do.

      Or, to make things even less confusing, why not just set up a page that says "We have not received a warrant today." The trick is: the canary isn't the page, it's just the word "not", which slowly changes to transparent unless it is manually updated on a regular basis. No one could consider that a violation of a gag order, right?

      But seriously, i just wish that a large group of intelligent people who care about these issues could get organized, maybe set up their own corporation so that they could use the same tools that large corporations use to wield influence, and actually help put an end to some of these out-of-control practices. ☺

    • (Score: 3, Interesting) by sjames on Sunday August 17 2014, @07:42PM

      by sjames (2882) on Sunday August 17 2014, @07:42PM (#82359) Journal

      How about just daily. BUT don't kill the canary as soon as the warrant comes in, kill it when it becomes clear they will have to comply within the next day or two. If it can be fought in court, go ahead and fight it, keep updating. When the lawyer says sorry guys, it looks like we're going to lose and in a week we'll have to comply, THEN kill the canary.

  • (Score: 3, Interesting) by tynin on Sunday August 17 2014, @05:44PM

    by tynin (2013) on Sunday August 17 2014, @05:44PM (#82326) Journal

    But this is the first one I've read that signs it with 3 people from 3 different parts of the world, presumably from 3 different countries. If they were all in the same country, they'd all get sent off to prison together. Now at least they have plausible deniability and can still get their message out, even in the face of a NDA/NSL. Granted, I expect if the government was aware of the arrangement, they'd set further conditions that would prohibit the people in country from telling the person out of the country about the warrant.

    • (Score: 5, Informative) by zocalo on Sunday August 17 2014, @06:03PM

      by zocalo (302) on Sunday August 17 2014, @06:03PM (#82334)
      I don't think it is supposed to work like that. Let's say SpiderOak's signatories are called Alice, Bob and Eve. Every few months they communicate to say that all is well, and if they are all happy with that exchange then they each sign the canary and update it. Then Eve gets a subpoena/NSL/whatever and is placed under some form of legal duress that attempts to ensure that the canary gets updated as expected by obliging her to sign the canary. When the next scheduled update communication happens, all Eve has to do is *fail* to convince Alice and Bob to sign the canary; she herself can correctly sign it and do all that is legally required. That could be as simple as declining to answer the question "Are you the subject of an NSL?", or more subtle like failing a prearranged challenge/response test as part of the conversation preamble.

      I'd assume that SpiderOak would also pick high-profile people in sensible locations to make sure that extreme physical duress is unlikely; there are plenty of places where Eve would potentially face unpleasant consequences as a result of Alice or Bob failing to sign the canary.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 4, Informative) by frojack on Sunday August 17 2014, @07:14PM

        by frojack (1554) on Sunday August 17 2014, @07:14PM (#82354) Journal

        Correct.

        In this regard the canary is stronger than most I've seen, because those three people are not all within the reach of US authorities, being dispersed in other countries.

        Too many canaries don't fail (trigger) if the Feds take physical control of the server, and have paid attention to how the canary is updated over a couple of iterations, and the feds can update the canary themselves.
        Or they force ONE person to update it or reveal the passwords that are required to do so.

        Spideroak is different from other providers anyway, because they don't know your encryption keys. Your keys are not physically on their machines. So they would have to be forced to deploy new client updates to everyone to harvest passwords under a court order. That takes time.

        In the mean time, the Spideroak canary can be forced to trigger at any time by having any one of the key signers revoke their key, and publish the revocation on international key servers. THIS is the aspect that everyone misses about their 6 month interval.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 3, Informative) by sjames on Sunday August 17 2014, @08:17PM

      by sjames (2882) on Sunday August 17 2014, @08:17PM (#82368) Journal

      They don't go to jail, that's the beauty. A court can order you to keep your mouth shut and it can order you to hand things over, but it cannot order you to say something to a 3rd party (particularly if it's not true), for example "no warrants, all's well". That's the key to the idea.

  • (Score: 5, Interesting) by frojack on Sunday August 17 2014, @05:55PM

    by frojack (1554) on Sunday August 17 2014, @05:55PM (#82330) Journal

    I actually set out to test the canary, and found, like a lot of other users, that the description of the process was so flawed that hardly anyone could get it to work.

    Finally, after back and forth with the blog writer, it was determined that several key steps were left out of the step-by-step instructions, and the instructions were actually listed in a haphazard order.

    • Improper descriptions on how to cut up the canary page into 4 files
    • Failure to mention the need to fetch their keys into your keyring
    • Expectation that this would be done manually each time rather than provide scripts to drive the utilities
    • No explanation on how to interpret the results.

    While one poster finally did post a link to a bash shell script that would do the entire job for you, the blog post was still left in its programmed-for-failure mode.

    The whole thing struck me as a thrown together scheme that is not well implemented, and requires a fairly high level of technical skills and understanding to utilize. They should have built a simple batch/shell script for each platform they support, AND built the detection into their clients.

    6 months is too long an interval. But I can see why they are careful about this while just starting out. On the other hand, something THEY do only twice a year is bound to be screwed up sooner than something they do once a quarter, to say nothing about what the user has to do.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1) by Horse With Stripes on Sunday August 17 2014, @08:46PM

      by Horse With Stripes (577) on Sunday August 17 2014, @08:46PM (#82378)

      So what you are saying is they provided enough information to show they were doing it but enough garbage to make sure no one knew exactly how? Hmmm, sounds like they may be feeding red herring to the canary for lunch.

  • (Score: 4, Insightful) by Kilo110 on Sunday August 17 2014, @05:59PM

    by Kilo110 (2853) Subscriber Badge on Sunday August 17 2014, @05:59PM (#82332)

    AFAIK "warrant canaries" are just an intellectual exercise between lawyers and haven't actually been tested/challenged in court.

    If so, why are people talking as if they're the solution to secret court orders?

    • (Score: 2) by opinionated_science on Sunday August 17 2014, @06:23PM

      by opinionated_science (4031) on Sunday August 17 2014, @06:23PM (#82338)

      Empirical evidence trumps all manner of theory (not just a science thing!).

      Perhaps the simple need to have one of these mechanisms highlights the dysfunctional state of affairs...

      • (Score: 3, Interesting) by sjames on Sunday August 17 2014, @08:26PM

        by sjames (2882) on Sunday August 17 2014, @08:26PM (#82371) Journal

        When you reach the point that such radical groups as librarians start advocating civil disobedience, things have certainly gone too far.

        • (Score: 2, Interesting) by Anonymous Coward on Sunday August 17 2014, @09:00PM

          by Anonymous Coward on Sunday August 17 2014, @09:00PM (#82384)

          Actually, librarians have been pretty militant about the right to read without interference or surveillance. Sure there have been the occasional jerkbarians looking to control what other people do, but as a group they've been pretty big on resisting. For example, after the patriot act passed there was a big push to change their checkout systems to delete all record of who/what/where/when a book was borrowed so as to make sure there would be no records for the government to take.

          • (Score: 0) by Anonymous Coward on Tuesday August 19 2014, @07:18AM

            by Anonymous Coward on Tuesday August 19 2014, @07:18AM (#82951)

            Yea, when it comes to books, librarians are pretty pro-liberty.

            When it comes to Internet censorship at libraries though, it's a good thing they don't have the funding to pay for anyone who can design a solid firewall.

            (Seriously, you go try to write a paper on drug abuse using a library computer to do research on the sociological side of it...).

            • (Score: 2) by sjames on Friday August 22 2014, @09:05AM

              by sjames (2882) on Friday August 22 2014, @09:05AM (#84281) Journal

              In most libraries, that's for the children. If an adult asks the filter to be suspended on a machine, many libraries will comply.

    • (Score: 2) by frojack on Sunday August 17 2014, @06:52PM

      by frojack (1554) on Sunday August 17 2014, @06:52PM (#82348) Journal

      AFAIK "warrant canaries" are just an intellectual exercise between lawyers and haven't actually been tested/challenged in court.

      Wait, what?

      The canaries BY DEFINITION work in the absence of being challenged in court. Only when some court rules that you are obligated to feed the canary when ordered to do so would they become ineffective.

      You are essentially arguing that the five minute egg timer is an intellectual exercise because it hasn't been challenged in court. The egg timer's going to time.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Sunday August 17 2014, @09:58PM

        by Anonymous Coward on Sunday August 17 2014, @09:58PM (#82395)

        IANAL but let's say you were held under a gag order. Would not letting the canaries die be contempt of court? You are by definition telling someone. Absence of information is still information. In this case a specific bit of information. It is a signal.

      • (Score: 2, Insightful) by Nollij on Sunday August 17 2014, @10:19PM

        by Nollij (4559) on Sunday August 17 2014, @10:19PM (#82401)

        What he means, is that this may be just as illegal (and just as punishable) as violating the gag order and announcing it in the first place. Arguably it is, since the purpose is to communicate the same thing. But we won't know that until it's challenged.

        I'm sure that it'll be challenged the first time it works as intended, and it's (blamed for) interfering in an investigation.

        • (Score: 3, Interesting) by frojack on Sunday August 17 2014, @11:06PM

          by frojack (1554) on Sunday August 17 2014, @11:06PM (#82405) Journal

          There is the obvious fact that no one has been arrested or charged for violating such a GAG order because that would entail a jury trial, bringing Barbra Streisand out of retirement.

          Further, legal experts have already stated that the law has no provision for forcing a public statement of a lie. The only thing they can enforce is silence.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2, Interesting) by Anonymous Coward on Sunday August 17 2014, @11:41PM

            by Anonymous Coward on Sunday August 17 2014, @11:41PM (#82419)

            The only thing they can enforce is silence
            Not sure a court would look too lightly on you skirting the intent of the gag order by using a technicality of other rulings. Judges are usually fairly plain in what they ask for. If through omission you cause a gag order to be broken I am not sure a court would look on that with 'oh but you are ok because you worked around my plain intent of shut the hell up'.

            • (Score: 2) by tangomargarine on Monday August 18 2014, @02:57PM

              by tangomargarine (667) on Monday August 18 2014, @02:57PM (#82611)

              They worked around the intent of democracy and our ability to be informed in our decisions thereof.

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2) by zocalo on Sunday August 17 2014, @07:09PM

      by zocalo (302) on Sunday August 17 2014, @07:09PM (#82353)
      They probably are the solution, but the devil is in the details. The obvious tactic in the face of a canary is going to be to put terms into the NSL/subpoena that try to ensure it gets updated, so you need to factor that into your implementation. I think that SpiderOak has some good ideas on this, especially with the geographical separation of their signatories into different jurisdictions; you can write whatever you want into an NSL that ties the hands of a US signatory, and they can obey that to the letter, but to legally compel multiple signatories in multiple jurisdictions (not all of whose governments need be friendly to each other) is another matter. Then again, Frojack's comment above makes me think they may not have it all worked out to perfection just yet either, so back to the details...
      --
      UNIX? They're not even circumcised! Savages!
  • (Score: 5, Interesting) by zafiro17 on Sunday August 17 2014, @06:15PM

    by zafiro17 (234) on Sunday August 17 2014, @06:15PM (#82336) Homepage

    Glad to see it. I use SpiderOak and like it (To all you dropbox users out there: sux it!). But it's ridiculous that we've gotten to this point. And frankly, I'm not sure it would work. If the spooks get you with a "and you may not do anything that would notify in any way, shape or form" kind of message, they've effectively prevented you from modifying that page, and the canary lives, putting in danger everyone in the coal mine. I think the spooks and their lawyers are always going to have the advantage here.

    --
    Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
    • (Score: 2) by Professr on Sunday August 17 2014, @06:42PM

      by Professr (1629) on Sunday August 17 2014, @06:42PM (#82343)

      From TFA, the canary has to be updated every six months in order to "live". The legal order you described would prevent them from taking down the canary page itself, but it would not force them to update the canary - so it would "die" within six months.

      • (Score: 3, Informative) by frojack on Sunday August 17 2014, @07:21PM

        by frojack (1554) on Sunday August 17 2014, @07:21PM (#82356) Journal

        Or it could die much sooner than that if one of the foreign signers revokes their key at the key servers.

        The keys have short 1 year expiration dates anyway.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 2) by VLM on Sunday August 17 2014, @07:50PM

    by VLM (445) on Sunday August 17 2014, @07:50PM (#82361)

    "killing a canary can quite possibly mean killing the business"

    Guess we don't have to worry about the axe ever falling. Let's be realistic.

    Also the successful operation of the system assumes the foreigners have anything useful to report. Say you make me a canary signer for a service in Australia. And part of the .au NSL states it'll be illegal to tell a foreigner anything about the NSL. So I'll go on happily signing away.

    The above argument is a tiny variation on the "replace you with a tiny little shell script" story. Do you have any idea who I am or that I actually exist beyond something (me? A script? Am I actually a committee?) doing something to a file you've never seen in a foreign country?

    Given that it's proposed by non-crypto people as the silver bullet that we can rely 100% on without any alternative plans I have the strong feeling that the loudest proponents are actively sabotaging stuff.

    Finally you've got "pivot-ish" arguments. I have a S.O account. I got it because I can store stuff cheaply. That's very nice that they have a PR campaign that they like security but I know better and treat it accordingly and don't care about the stuff I store on it. If most of their customers feel the same way, I could see them pivoting-ish into promoting BS that doesn't mean much because the customers won't care anyway.

    • (Score: 2) by frojack on Sunday August 17 2014, @08:33PM

      by frojack (1554) on Sunday August 17 2014, @08:33PM (#82376) Journal

      Also the successful operation of the system assumes the foreigners have anything useful to report. Say you make me a canary signer for a service in Australia. And part of the .au NSL states it'll be illegal to tell a foreigner anything about the NSL. So I'll go on happily signing away.

      Signing what?
      If each revised page is not sent to you to sign before being posted, you have nothing to sign.
      The canary rests on the principle that you can be ordered not to do something, but you can't be ordered TO DO something, especially if doing something constitutes a fraud.

      So the US office simply fails to send you the new text to sign. We also don't know who is responsible for sending the new text; that might be a revolving responsibility between the signers. If it's the Australian guy's turn to create the new text, and one suddenly comes from the US guy, the others won't sign it.

      Also, as mentioned above, any one of them could silently revoke their key after signing the canary.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2, Interesting) by PReDiToR on Sunday August 17 2014, @09:49PM

      by PReDiToR (3834) on Sunday August 17 2014, @09:49PM (#82393) Homepage
      If I had a business that made bold claims about protecting my userbase from privacy violations and I shut up shop because I could no longer maintain that promise I'd expect to be taken very seriously the next time I opened a business that promised the same.

      However, whack a mole is a game that big slow organisations learn to play more effectively over time by buying laws that help them to rule out holes.

      I wouldn't be surprised to see at least the Land Of The Free (for very small values of "free") enacting a law that makes canaries illegal in some way if one works and people can get to grips with the checks.
      --
      Do not meddle in the affairs of geeks for they are subtle and quick to anger.
    • (Score: 2) by tangomargarine on Monday August 18 2014, @03:05PM

      by tangomargarine (667) on Monday August 18 2014, @03:05PM (#82619)

      Given that it's proposed by non-crypto people as the silver bullet that we can rely 100% on without any alternative plans

      No, it's the ONLY thing we can rely on AT ALL that the government can't trivially bypass. It has never been about 100% reliability.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 4, Informative) by Thexalon on Sunday August 17 2014, @08:00PM

    by Thexalon (636) on Sunday August 17 2014, @08:00PM (#82364)

    Seen in the Rutland VT public library shortly after the passage of the Patriot Act:
    "The FBI has not been here. Watch for the discreet removal of this sign."

    This was the librarians acting in protest of the portions of that law that made it legal for the FBI to demand to know what library patrons were reading (both books and websites).

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by tangomargarine on Monday August 18 2014, @02:59PM

      by tangomargarine (667) on Monday August 18 2014, @02:59PM (#82613)

      Except that's not a canary because it requires explicit action on the part of the librarians (taking it down), which would be notifying someone through an NDA and lawyerable.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 2) by wonkey_monkey on Sunday August 17 2014, @09:47PM

    by wonkey_monkey (279) on Sunday August 17 2014, @09:47PM (#82392) Homepage

    SpiderOak's Warrant Canary Eventually Notifies of Secret Court Surveillance Orders

    That makes it sound - slightly garbled though it is - as if the warrant canary in question has already notified users of a court order at this time.

    "Will eventually notify" or even, to emphasise the very long period chosen, "will notify [...] - eventually" would have been clearer.

    --
    systemd is Roko's Basilisk
  • (Score: 2) by SuperCharlie on Monday August 18 2014, @12:10AM

    by SuperCharlie (2939) on Monday August 18 2014, @12:10AM (#82428)

    Don't get me wrong, I appreciate the effort, but I find two big problems.

    First seems to be that you can't notify someone without notifying them. Regardless of the method and with every gymnastic taken, if the information has been passed, by action or inaction, notification has occurred.

    Second, with the correct amount of "pressure" I feel pretty strongly that the canary system could and would be continued past compromise.

    Personally I treat the internet and anything touching it as insecure. Has actually made life a lot easier just assuming everything is hacked or hackable. OK... Tinfoil hat back off now.

    • (Score: 0) by Anonymous Coward on Monday August 18 2014, @08:17AM

      by Anonymous Coward on Monday August 18 2014, @08:17AM (#82513)

      i agree

      this is no different to the 'bitcoin is secure' argument

      it's only secure until proven that it's not secure

      it is ignorant and foolish to assume that anything on the internet could always be secure

      not to say that the pursuit of increased security isn't worthwhile. surely it is, but nothing of value beyond a certain point should be stored in the internet (web/cloud/p2p/darknet/whatever) because eventually it will be hacked and if its value persists to that point it will be taken advantage of by the hackers

      unfortunately, there aren't and will never be any exceptions

    • (Score: 2) by etherscythe on Monday August 18 2014, @08:42PM

      by etherscythe (937) on Monday August 18 2014, @08:42PM (#82734) Journal

      Ambiguity is the answer.

      Publish a canary. Sign it. When you receive NSL, sign canary again at the proper interval if necessary (depending on frequency), under duress - wait a little while. Then revoke your certificate claiming you were hacked. Fail to sign new canary due to unspecified complications. People will suspect, but due to the non-specific wording you will have plausible deniability that it's actually an NSL that killed the canary. Paranoids who make up your audience will get the message clear enough.

      --
      "Fake News: anything reported outside of my own personally chosen echo chamber"
  • (Score: 0) by Anonymous Coward on Monday August 18 2014, @12:40PM

    by Anonymous Coward on Monday August 18 2014, @12:40PM (#82565)

    The real canaries were not killed by someone noting the lack of oxygen, they were killed by the lack of oxygen itself.

    What about applying the very same principle to the warrant canary? As far as I can tell, the employees are also not supposed to look at that data. Therefore, make it so that you simply cannot have a look at the data without killing the canary.

    • (Score: 0) by Anonymous Coward on Monday August 18 2014, @07:14PM

      by Anonymous Coward on Monday August 18 2014, @07:14PM (#82709)

      Because that sort of tripwire detector can be circumvented, and in completely legal means. To circumvent the type of canary described here, the government would have to avoid telling anyone that they were seizing the data, which would not be legal.