
Cloudflare expands its government warrant canaries - jbegley
https://techcrunch.com/2019/02/26/cloudflare-warrant-canary/
======
rsync
The rsync.net warrant canary is 13 years old this April:

[https://www.rsync.net/resources/notices/canary.txt](https://www.rsync.net/resources/notices/canary.txt)

"The first commercial use of a warrant canary was by the US cloud storage
provider rsync.net, which began publishing its canary in 2006. In addition to
a digital signature, it provides a recent news headline as proof that the
warrant canary was recently posted as well as mirroring the posting
internationally."[1]

[1]
[https://en.wikipedia.org/wiki/Warrant_canary](https://en.wikipedia.org/wiki/Warrant_canary)

~~~
skrebbel
I've never completely understood this. What prevents you from lying about
this? I mean, let's imagine a hypothetical 100% evil three letter agency.
They'd just threaten you and your family members' lives and you'd keep
updating the canary right? How can we know you keep updating it out of your
own free will?

~~~
balabaster
The problem with this threat is that once the cat is out of the bag, you can't
put it back in. It's similar as making defamatory statements in court and
having it stricken from the record - "OBJECTION!"

The problem is, you can't force the jury to un-hear that. The damage is done.
You can't unring a bell. You've tainted their opinion, whether the judge tries
to undo it or not.

If you put a gag order on me and suggest trying me for contempt of court if I
say anything and I think the value of me talking is greater than that of my
freedom, I will speak up. If I can get around the gag order by using a warrant
canary to implicitly say what I'm not allowed to say without being tried for
being in contempt of court, then that's what I will do. Until the laws are
rewritten to prevent the use of warrant canaries, there's nothing the courts
can do about this. It's a valid loophole.

There's little point in killing my family if everything I know is already out
there in the wind. I can't do any more harm than has already been done. All
you have is retribution. Our agencies often take a pretty dim view of
retribution. Chances are, I'd just end up with a contempt of court charge and
be thrown in jail, potentially indefinitely. But realistically, the damage is
done. Once again, you can't unring a bell.

There's little they can legally do to pursue my family, there would be
political uproar. So beyond charging me, I imagine they'd be relatively safe.

~~~
fossuser
I'm not sure there's much of a distinction between removing a warrant canary
and breaking a gag order. Judges tend to have a low opinion of loop hole
technicalities like this that provide the same function.

I'd suspect the legal punishment/risk is the same so at best they're kind of
pointless and at worst they might be extra misleading since users may believe
the presence of the canary means there wasn't a request when there actually
might have been.

~~~
DannyB2
Maybe you don't actively do anything. It is the absence of action.

You don't REMOVE a warrant canary. You DO NOT update it.

As of date X we have not been forced to do BAD THING.

I simply stop updating X on the notice.

In the past, the updates had happened at interval Z. Once interval Z passes
without an update, everyone knows that I've done BAD THING.

I didn't take any action to disclose anything. I simply stopped updating
something.

~~~
goto11
Developers often thinks laws work just like computers: If you can find a
loophole where you technically follow the letter of the law, while undermining
its intent, then you have hacked the law and can't be punished!

Judges do not think like that though.

Remember when Microsoft was forced by a judge to offer a version of Windows
without the Internet Explorer browser? Microsoft just removed all the dll's IE
used. But since some of the dll's were also used in other parts of the OS,
this version of Windows could not run. But they had complied with the ruling!

Microsoft thought it was very unfair when they were ruled in contempt of
court.

~~~
balabaster
Does this mean that if you were screaming from the rooftops "I'VE DONE NOTHING
WRONG" every day leading up to the gag order and then you stop screaming from
the rooftops that you'll be in contempt of court?

Can the court compel you to continue with behaviour to cover something up?

Would that be akin to conspiracy to commit fraud or wire fraud if electronic?
Wouldn't that make the court and thus the judge complicit in conspiracy to
commit wire fraud?

I have a feeling a judge is not about to risk being disbarred for such
behaviour.

Of course, I'm not a lawyer and this is purely conjecture on my part.

~~~
jrochkind1
It doesn't matter if "screaming from the rooftops" seems to you _logically_
the same as a warrant canary. The courts tend to care about the _practical_
effect too. If the practical effect is to violate the gag order (because
people were actually paying attention to you screaming from the rooftops,
maybe), then... maybe? We aren't sure.

And dude, judges don't get disbarred even when they do CRAZY stuff. A judge
getting disbarred (or even dis-judged) is _exceedingly_ rare.

A judge is _definitely_ not going to get disbarred for making a ruling _you_
think is irrational, but isn't actually inconsistent with any established case
law, because it's not estabished yet.

Not even going to get _reprimanded_, let alone disbarred.

The U.S. just doesn't work how you think it works.

------
Sephr
Here is my interpretation of Cloudflare's statements (and lack thereof) in
their transparency report:

"We received 0-249 National Security Letters" = "We are subject to one or more
National Security Letters with associated gag orders."

"Cloudflare has never installed any law enforcement software or equipment
anywhere on our network." = "Someone other than us installed law enforcement
software and equipment on our network, or we provide software interfaces used
by law enforcement to comply with an NSL."

"Cloudflare has never turned over our encryption or authentication keys or our
customers' encryption or authentication keys to anyone." = "Law enforcement
may MitM Cloudflare customers' websites through first-party interfaces
provided to comply with NSLs."

"Cloudflare has never weakened, compromised, or subverted any of its
encryption at the request of law enforcement or another third party." = "Law
enforcement may MitM Cloudflare customers' websites through first-party
interfaces provided to comply with NSLs."

------
Sir_Cmpwn
>has never terminated a customer or taken down content due to political
pressure

[https://blog.cloudflare.com/why-we-terminated-daily-
stormer/](https://blog.cloudflare.com/why-we-terminated-daily-stormer/)

No comment on whether or not the termination was justified.

~~~
Cthulhu_
> Our terms of service reserve the right for us to terminate users of our
> network at our sole discretion.

By political pressure they mean pressure from a political entity, that is, a
government. That's what I'm assuming anyways, I'd love for a Cloudflare
representative to confirm.

~~~
robertcope
"The tipping point for us making this decision was that the team behind Daily
Stormer made the claim that we were secretly supporters of their ideology."
Seems pretty clear to me?

~~~
JakeTheAndroid
I worked for Cloudflare when this happened, and this is the correct answer.

------
oldgregg
Could a company create a warrant canary for every user? Just a simple notice
when you login to your account? If the premise of the canary is that they can
force you to keep silent but can't compel you to speak, what would prevent a
company from doing this?

~~~
arkades
That that degree of behavior would be completely unsympathetic to both jurists
and jurors, pretty much guaranteeing it would get slapped down in court
eventually, even if totally legit

~~~
eastdakota
That’d be my read too. You can definitely be “too clever.” Laws aren’t like
computer code. They’re interpreted by humans. And, if you’re “too cute” and
violate the spirit of the law, you can quickly find yourself on the wrong
side.

~~~
jake_the_third
I think you're making a mistake. The primary intention behind warrant canaries
isn't to shield you from legal retaliation, but to make it very hard to
/legally/ force you to lie directly or by omission.

~~~
zaarn
IMO it's questionable if a court in the US couldn't force you to continue
signing it once they have the appropriate gag order, not signing the canary
would be communicating to others you have a warrant with gag order and
therefore not signing it would constitute speech which you aren't allowed to
disclose as per gag order.

------
natch
If they are serious they should scrub out all the weasel words and other
opportunities for lawyers to squeeze stuff through loopholes. A lot of the
wording doesn’t cover disclosure to third parties or use of third party tools
acting on behalf of law enforcement. Also it should be expanded beyond LE to
cover any entity other than Cloudflare and the owner of the data.

------
mrmondo
It's a real shame warranty canaries are illegal in Australia, it has on
several occasions made me feel less confident about software, services or
people involved in them here.

src (there are many but...):
[https://www.schneier.com/blog/archives/2015/03/australia_out...](https://www.schneier.com/blog/archives/2015/03/australia_outla.html)

------
sixhobbits
unpopular opinion: the main point of these canaries is PR. As far as I
understand (and I understand nearly nothing about US law, so pinch of salt
blah blah), exploiting legal loopholes is something that makes people excited
and talk about your product, but doesn't really change anything in a court.

If you assume the US govt is an adversary or potential adversary, and you
assume that they are fairly powerful through direct and indirect influences,
then I just can't imagine the NSA or whichever three-letter agency deals with
this kind of thing going "oh no, they have _canaries_ , can't do anything
there" and going back to spying on private Facebook messages that old people
send to each other or whatever they usually do in their free time

~~~
nabla9
The way I understand the issue, it's complicated. It may or may not work. It
can work in some country and not in some others.

* A online warrant statement canary that disappears when it does not apply anymore. If there is a gag order preventing this Cloudfare promises to challenge this in the court.

>if Cloudflare were asked to take an action violating one of the warrant
canaries, we would pursue legal remedies challenging the request in order to
protect our customers from what we believe are improper, illegal, or
unconstitutional requests.

* A periodically given statement. For example in annual letter to shareholders or periodic transparency update It's very hard or impossible for the western governments to force companies to give misleading statements to consumers and shareholders.

* Caveat: If there is a gag order that prevents informing the people responsible for any public statements, nothing works. Usually the company lawyers know. For example: Coudfare HQ may not know what their workers in France are asked to do.

~~~
SahAssar
> For example: Coudfare (sic) HQ may not know what their workers in France are
> asked to do.

IIRC this is one of the things that the Chinese surveillance law includes,
that it may force individuals at a company to provide them with information
without alerting the normal channels in the company.

------
3pt14159
Here is what I don't understand:

On my website I can make every path resolve. I.e., I can have

www.zachaysan.com/I-havent-been-paid-off-by-the-Mossad

Render a page that says:

> I haven't been paid off by the Mossad

Easy peasy. Then, if I take a grubby payment to fuck over a client (with an
NDA, of course) I don't write about it, I just make _that one path_ fail to
resolve.

It's writing by omission.

This is why I'm ideologically against these canaries. They paper over a real
problem and they expose a new one without really solving the first.

Tech naturally centralizes while politicians naturally push the limits of
governmental power to enact their objectives to the furthest degree possible,
and these things come into conflict. But some information should not be shared
and, at times, we need to allow the government to decide when. Sometimes we
need to pushback too. It's not an all or nothing thing, but these canaries are
inherently anarchistic and, to me, distasteful.

~~~
LinuxBender
They are just good for business.

No company is going to defy an order from a secret court or a NSL that states
they are not to modify statements on their website until further notice.
People will dispute the legality of such orders, but companies know how long
they can be off the internet before going out of business. At least, that is
based on conversations I have had with a corporate legal executive.

~~~
SahAssar
> order from a secret court or a NSL that states they are not to modify
> statements on their website until further notice

That's the point. The theory is that a NSL can compel you to not speak, but it
can't compel you to speak. Not updating a canary is the latter, not the
former.

If a canary isn't updated in the period it is expected to update it is
considered "dead" or "tripped".

~~~
LinuxBender
Assuming they can't compel speech, this would require the canary to be updated
and PGP signed daily by someone that can represent the company. Perhaps a
principal officer or a board member?

Even then, unless your contract states that the canary is managed in a
particular way, they can simply lie. I can put a "canary" on a site and update
it daily, even if every three letter agency were logged in and watching you
real time. A recent example of this was that VPN provider that stated they
don't log anything. Turned out they did and someone got nailed.

~~~
SahAssar
A canary in itself does not offer any cryptographic proof. The entire
foundation is that the government cannot legally compel speech.

The canary does not protect you against the service provider and nobody has
claimed that. The theory is that it protects you against NSLs that would
otherwise force the service provider to not disclose the NSL.

Sometimes a canary is attached to a public financial report or something else
that it is already illegal to lie in, so that would require the government to
compel you to break a separate law.

It seems like you are thinking of canaries in the engineering, cryptographic
or social sense, in which case the are useless. They only have purpose in a
legal sense as a literal "canary in the coalmine".

~~~
LinuxBender
That is basically what I am saying. Unless all of this is tied into a counter-
signed contract, it is all rather meaningless. I would suggest that almost
nobody has such an agreement with their end user service providers.

I am no lawyer, but I don't see a problem with putting a lie into a financial
statement that is in no way related to financial data. It would just be
disregarded as unrelated to financial reporting. I am also not aware of any
companies doing this. I could see this causing a deeper dive into an audit
however.

------
rhema
>has never installed any law enforcement software or equipment anywhere on our
network;

Is the NSA a law enforcement agency? Does looking the other way while an
agency installs it count? Can you really know if the hardware you get has not
been tampered with by a government agency?

I'm not sure how any company could assure me about these issues.

~~~
close04
> the hardware you get has not been tampered with

The warrant canary protects against warrants that come with a gag order
preventing anyone from informing the public. Being hacked does not fall into
that category. If such a hack is discovered there's no legal means to block
them from publicly disclosing it. While the hack may be done with a warrant,
the company would never get the gag order.

What I wonder is how enforceable are these in court. I remember reading that
the chances of successfully defending a canary are slim to none but can't find
any reference now. The reason was that while the law can't force you to lie it
does prevent you from disclosing the existence of the warrant in _any way_. So
you wouldn't be punished for lying but rather for having the mechanism there
in the first place.

Is there a way to know if a canary was taken down because the company tried to
avoid testing this in court or a warrant was actually issued?

------
luckystarr
These canaries seem overly specific.

> [To date, the company] has never installed any law enforcement software or
> equipment anywhere on our network;

Someone else might have, or they might have allowed other people to do so.

~~~
DannyB2
Being overly specific is one potential problem.

Another is that the person who routinely updates the canary might be UNAWARE
that the company has been forced to do some bad thing.

Maybe the General Counsel has been notified and gagged. It seems that maybe
the General Counsel should be the person who routinely updates the canary.
Come in to work. Get coffee. Check messages. Update canary. Read news. Attend
daily meeting. Etc.

Just skip that Update canary part. You didn't actively do anything to disclose
anything. It was lack of action. You didn't actively communicate anything. You
just changed your daily routine.

It is important that the person who updates the canary is the one who KNOWS
whether the company has been forced to do something bad.

------
billpg
Suppose I ran a business and regularly published a statement "As of (date) I
have not done (thing)."

Now suppose I've been forced to do (thing) with the additional instruction not
to reveal what I've done. Do I stop publishing that statement?

If I stop publishing, my customers are going to draw the worst possible
conclusions, that they were the specific customer targeted. So, my existing
customers start moving away and new customers are deterred from signing up.

Also, I'd probably get in trouble for revealing that I did (thing). Any
protests I could make that I didn't technically reveal anything probably won't
be effective.

On the other hand, if I keep publishing updated statements as if nothing
happened, my customers keep paying and I don't have to be martyr.

What would you do?

------
miki123211
Wonder if they could stretch the law even further and do per customer
canaries? We won't tell you that we've handed your data over because we can't,
but we will tell you if we didn't.

------
RcouF1uZ4gsC
I wonder if it is in the government’s interest to serve warrants to all the
canaried providers simultaneously . The thing about a warrant canary is that
it is a one time use feature. If one day all the warrant canaries disappear
from all the services that had them, what will the public do?

------
jaredwiener
Potentially naive question, but genuinely curious. How does someone know if a
warrant canary has been "abandoned," as the article mentions, or used as
intended?

If they disappear, that indicates something. If they stay there without
change, that indicates something too. Or am I missing something?

~~~
rsync
" If they stay there without change, that indicates something too."

Usually they stipulate that they are to be updated every X
days/weeks/months/whatever. So if you see one that promises to update every
Monday, for instance, and it's old, that would be the same as being abandoned.

~~~
legohead
What is to stop them from lying? They get a warrant, but don't remove the
canary. Later on, someone finds proof of the warrant, but then what? You sue
Cloudflare for...what? False advertising?

~~~
floofy222
> What is to stop them from lying?

Nothing, at the end of the day, whether giving someone else your data is a
good idea or not remains a question of trust.

Do you trust them to stop updating the canary in case they become compromised?

If the answer is no, then you probably shouldn't be giving them valuable data.

------
netsec_burn
> Cloudflare has never modified the intended destination of DNS responses at
> the request of law enforcement or another third party.

Didn't they modify the DNS responses of mit.edu to point back to MIT (during
the 2013 domain hijack incident)? This canary seems a bit ambiguous.

~~~
jakejarvis
I assume by "third party" they mean an outside request from someone who
doesn't own the service they're hosting. MIT is unambiguously the first-party
owner of MIT.edu, even though a third party used Cloudflare to hijack it.

------
jrochkind1
Does anyone have a list of instances where a warrant canary was _succesfully_
used to signal government surveillance or other court order, that the company
involved would have been otherwise legally forbidden to communicate?

It's been at least a decade since the 'warrant canary' was proposed. We _know_
the government has been doing all sorts of things by sealed court order in
that decade. I'm not sure it has proven useful. I'm not sure the courts
_would_ allow you to communicate via canary. The warrant canary disappearing
can be a _mistake_ often enough, that even if we see one disappear, we don't
know whether to lend it much credence.

~~~
gus_massa
Where _succesfully_ also means that they didn't end in jail.

Edit: hail -> jail. Thanks.

~~~
jrochkind1
"end in hail"? oh, jail. I mean, I'd want a list of those too.

Basically a list of _anything_ interesting that's happened with a warrant
canary. Even a short list.

------
komali2
I wonder about this loophole:

Fully public communication, 24/7\. Absurd, sure, but could it work? Set up
your email so that anybody in the world can read it (not send from your
address, though). Have a camera in your mailroom that streams to the internet
that's high def enough to read off your letters as you open them (oops, top
secret! Too late I already opened it here!). Have all your phone audio
streaming to the internet.

Absurd, silly, but a fun thought experiment - is this a way to become "immune"
to the type of requests the US government is allowed to make where you can't
tell anyone?

~~~
hermitdev
> Have all your phone audio streaming to the internet.

This may be illegal in many jurisdictions. There are at least a few states
that require 2 party consent to a recording of a phone call. There are some 1
party consent states. Not sure about the ratio...

Not sure what how it'd pan out across state line phone calls.

~~~
komali2
I thought that works wherein you inform someone at the beginning of the call
so they have the chance to "opt out" (by hanging up)? Like how all support
calls go.

------
trumped
Can a company create a warrant canary after a warrant was issued? because I'm
pretty sure that I this point Cloudflare is part of the program that followed
PRISM...

------
deca6cda37d0
Would a central source for warrant canaries be helpful? Like one place where
you can find all those individual warrant canaries from companies you care
about...

~~~
xxdesmus
[https://canarywatch.org/](https://canarywatch.org/) does essentially this.

Crap: just noticed they stopped updating it.

~~~
deca6cda37d0
even the server is not reachable for me anymore.. maybe crowdsource a new
website?

~~~
xxdesmus
Good idea, will look into that.

------
kernelPan1c
> "has never turned over their SSL keys or customers’ SSL keys to anyone;"

How would they be able to give up customers' SSL keys?

~~~
fivre
Customers on some plan can upload a certificate of their choice, and generally
have to provide the key along with it. Keyless SSL exists, but isn't
widespread.

~~~
kernelPan1c
Ah, I guess the point I'm missing is that with a 'serverless' setup, the cloud
provider must have access to your private key? Unless you use some sort of key
server setup (what they call Keyless SSL)

------
ParadisoShlee
They still dropped switter without comment tho?

------
jwineinger
What's to stop the government from forbidding a company from removing their
canary?

------
ashelmire
Why not give each user or account on a given service their own warranty
canary?

------
egberts1
Ummmm, Great. More loopholes for NOT reporting such dead canaries.

------
ypolito
What prevents NSA from requesting Cloudflare, under the table, put a false
message?

If I owned Cloudflare, I wouldn't mind lying to my customers if it was related
to the national security or if it gave me some kind of unfair advantage or
special treatment against my competitors.

~~~
dragonwriter
> What prevents NSA from requesting Cloudflare to put a false message?

The fact that the FBI would be the one doing that part of the NSL dance.

