
SpiderOak removes its warrant canary - dannyw
https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/
======
newscracker
SpiderOak tweeted three days ago [1] that it's replacing the warrant canary
with a transparency report that'd be updated every six months.

This is what the tweet said/says: [1]

"We just released our most recent transparency report, available at
[https://spideroak.com/transparency/](https://spideroak.com/transparency/) .
This will replace our #warrantcanary. The final version of the canary is
available at [https://spideroak.com/canary](https://spideroak.com/canary) .
The transparency report will be updated every six months."

The transparency report, updated a few days ago this month, shows zeros for
every kind of request, which means there haven't been any kind of court orders
for information from February to August 2018. [2]

Are there still reasons to be concerned? I don't understand how they can list
NSLs in the transparency report, since those are the ones with the gag orders
necessitating legally confounding workarounds like a warrant canary.

[1]:
[https://twitter.com/SpiderOak/status/1025488889564327936](https://twitter.com/SpiderOak/status/1025488889564327936)

[2]:
[https://spideroak.com/transparency/](https://spideroak.com/transparency/)

~~~
Lazare
> I don't understand how they can list NSLs in the transparency report

Correct. You can list the ones you _don't_ have, but not the ones you do. So
to a first approximation, the transparency report will always say "0".

Now, the theory behind a warrant canary is that the government can compel your
silence but (maybe!) it cannot compel you to make false statements. And if
that applies to NSLs and gag orders, and thus makes warrant canaries valid, it
_might_ apply to the transparency report too.

And in that case maybe we can take the "0" at face value, and we can assume
that they haven't received an NSL, but if they do they'll just silently drop
that section from the transparency report. (Their warrant canary had some
cryptographic signatures, but as far as I know, that's totally irrelevant. If
a court decides to compel you to lie and say you haven't received a NSL when
you have, then they can compel you to sign the canary too. If they opt not to
compel speech, then they won't compel a false transparency report. The crypto
is window dressing.)

But while on paper it looks to me like the transparency report is probably
just as meaningful as the canary, the ham-handed way they've announced it
leaves me suspicious.

~~~
qmarchi
Just to add on, the compelling of speech is made more difficult by the fact
that the signing keys were held by people of three different nationalities, in
three different countries.

The US Government can't force someone to do something if they aren't a US
citizen and not on their territory. Their best option is extradition, but that
would raise more eyebrows than they'd want.

~~~
peterwwillis
Their best option is to simply ask the foreign government to do something to
their own citizens on its behalf because they have evidence of some sort of
potential criminal activity. Quid pro quo ensues, no extradition needed.

------
Confiks
I don't know anything about SpiderOak, except occasionally having browsed
their front page, but they do seem to have some clue about security and secure
software. If that is true, they _must_ have known from the outset that once
you decide to install a canary, you cannot discontinue it except to signal
that it has died.

That canary has now died. It did so along with a statement [1][2] that signing
a canary every 6 months with an airgapped computer is too impractical, which
isn't very plausible as this is a perfectly schedulable event which will take
at most an hour for every person involved, twice a year. I suppose they sign
their (APT, RPM) releases in the same way (please ask them; seems answerable).
Additionally, they were three days late with their statement about moving away
from the canary, which is otherwise irresponsibly late for an event that can
completely erode trust in them as a security company.

The irony is that their conclusion in [1] that the "canary’s effectiveness as
a tool has been questioned, the usage of it at other companies is not
consistent, and verifying it and keeping track of it is complicated for users"
is spot on; the confusion that can be created about whether the canary is dead
or merely deprecated, that after it has died once it cannot be reinstated, and
that the only recourse for users is to move away from the service, makes it a
pretty useless signal to act upon.

[1] [https://spideroak.com/articles/transparency-report/](https://spideroak.com/articles/transparency-report/)

[2]
[https://twitter.com/SpiderOak/status/1025488889564327936](https://twitter.com/SpiderOak/status/1025488889564327936)

~~~
philipov
There is no confusion. There is a simple bargain with a canary: no matter what
confusion is thrown up by bad actors, once it's activated, you assume the
target is compromised.

If they're not really compromised? You don't need to ask that; trust is based
on evidence, not some abstract Truth. When the trigger activates, you
deprecate trust. It's really that simple.

~~~
JumpCrisscross
> _once it's activated, you assume the target is compromised_

I don’t think it’s helpful to think in such absolutist terms. Coal mine
canaries died of natural causes. A canary is meant to prompt investigation
(and heightened vigilance), not conclude it.

~~~
dnbgfher
I'm not sure the comparison to the actual canary in a coal mine is
particularly relevant here. Clearly that inspired the name, but beyond that...

Assuming it is a good comparison - if you are the one in the coal mine and the
canary keels over, are you going to start trying to figure out the exact
cause of death or just hurry up and get the hell out of the mine?

------
Vinnl
Here's a question that crossed my mind: what if you ignore a gag order? You
receive a secret court order to hand over data, and you tell them you're not
giving it to them unless you're allowed to tell the world about it.

Will they give you a fine? And what if you don't pay the fine? Will they
arrest you? And if they do, how can they prevent people from finding out about
it?

~~~
rocqua
Given that national security letters originate from the Patriot Act, I presume
the consequences are grave. Certainly, jail time seems probable. In general,
if a court says do X, and you refuse, that is contempt of court. The court can
then decide to fine you, and put you in jail until you are willing to comply.

Given gag-orders, and waving the word 'national security', I expect the court
proceeding dealing with your arrest / punishment would be sealed.

Heck, if certain things are marked as US government secrets and you publish
them, that is treason which can be punished by death.

~~~
Vinnl
> I expect the court proceeding dealing with your arrest / punishment would be
> sealed.

Sure, but at a certain point, surely they will have to come and pick you up?
What if there are journalists present who ask what you are being put away for?
"We can't tell" surely isn't an answer they won't accept? That's eerily close
to arbitrary detention.

------
KenanSulayman
Was it by mistake? The warrant canary is back:
[https://spideroak.com/canary](https://spideroak.com/canary)

_Edit_: it seems they had removed it on purpose and added it back to
elaborate on the decision and that it wasn't removed to signal something ---
seemingly: _"So after thinking about this ... we have decided to move away
from ... canaries and instead publish a ... report located at ..."_

~~~
philipov
Doesn't matter. The moment the canary died, they became a compromised agent
whose further statements are to be interpreted as being manipulated by secret
court order.

If your canary dies, you can buy a new one, but you still have deadly gas in
your mine. You can't trust the words or actions of someone who just declared
they have been compromised.

~~~
fauigerzigerk
_> Doesn't matter. The moment the canary died, they became a compromised agent
whose further statements are to be interpreted as being manipulated by secret
court order._

I don't think you can draw that conclusion. As I understand it, the NSL can
only compel them to shut up about it, but it cannot compel them to dish out
arbitrary lies and false justifications for taking the canary down.

~~~
philipov
We can and should draw that conclusion. Anything less compromises the canary
system. I'm not going to bet my security on someone who frivolously shouts
fire in a crowded theater, even if they later say they were only kidding.

~~~
fauigerzigerk
You can of course do whatever you want as a consequence of what they are
saying or doing.

What I'm saying is that it doesn't logically follow from the legal situation
that their "further statements are to be interpreted as being manipulated by
secret court order".

The FBI cannot arbitrarily manipulate SpiderOak's further statements.

~~~
philipov
Whether or not they are actually being manipulated is not important. They
should be treated as if they are.

The logical flow is:

1: "I declare that if this canary is removed for any reason, it is to be
assumed that I have been served an NSL and I may no longer be trusted"

2: Canary is removed.

3: You are no longer trusted.

4: Further statements are made, but they can not be trusted.

QED

~~~
fauigerzigerk
You are drawing conclusions from a false premise.

They never declared that if the warrant canary dies they can no longer be
trusted in anything they say or do ever again.

We know exactly what they can and cannot legally say or do once an NSL has
been served. Therefore we also know that they cannot be legally compelled to
make false statements.

~~~
philipov
You're right, it's more likely they are putting out the statement because they
don't want their business to be ruined by having admitted to receiving an NSL.
There are many ways someone can be coerced, and I don't need to guess the one
in play here to discount their further excuses out of hand. At the point at
which the canary is removed, their untrustworthiness is tautological; there is
no combination of truth values which result in them being considered
trustworthy.

That is the feature of canaries that makes them respected, and the need for
such features is why secret courts are so corrosive to our society.

~~~
dnbgfher
While I agree the canary should be considered dead on principle, I don't find
this particular argument very convincing.

I think the main point here needs to be that the entire notion of a canary
only works if we can count on them being killed only for the purpose they were
created. If it becomes acceptable to kill canaries because the signers are
tired of signing them then we have a bit of a problem.

Now, for this specific case...

It sounds like you are arguing that a NSL has compelled them to make false
statements. This seems fairly unlikely given what we know about the current
legal situation. The idea that they may be lying for the sake of their
business is more convincing.

However, if they are lying for whatever reason, why not just continue to sign
the canary? The only plausible reason to do this is some sort of malicious
compliance with a sloppily worded order compelling them to lie. It would make
no sense for them to decide to lie for the sake of the business and then do
all of this instead of just signing the canary.

If they have received a NSL this basically leaves two sequences of events,
both of which contain some rather unlikely events. If I had to bet, I'd
probably bet against them having received a NSL.

However, the canary should still be considered dead. They literally killed the
canary. Their reasoning provided for it is really quite bad. Basically they
ask users to trust their unsigned website because users already trust their
(closed source) code. So they have either received a much more powerful NSL
than thought legally possible, or are doing the world's worst job of lying
about not receiving a NSL, or they have not received a NSL and view a regular
page on their website as a suitable alternative to their previous solution
which involved three people in three different countries signing the canaries
with keys stored on air-gapped computers. If you are counting on them for
security, none of the options are good.

~~~
philipov
I think there's an argument to be made that the canary continuing to live is
not sufficient to establish trust, for the reason you outlined. However, given
that it is in fact dead, this is sufficient to revoke trust-- as you also
pointed out, none of the scenarios are good for them.

As for why they would kill the canary and then backtrack, I think a plausible
story could be that the canary was killed by an engineer, and then the
backtracking happened by management because they don't want to own the
consequences. This could explain why there was a delay between removing the
canary and putting out a cover story.

Collectively as an organization, they're either acting in bad faith for
whatever reason, or else they're incompetent.

~~~
dnbgfher
I mean, a canary is only as good as your trust in the people putting it out.

As for the engineer/management idea, their statement revoking it was signed the
same as their canary. Aside from the exceptional circumstances I described
earlier, if you trusted their canary then the statement should be trusted too.

Like I said, I think we're most likely looking at incompetence.

------
sinstein
Can someone explain what a Warrant Canary is and why it needs to be removed?

From my understanding, a Warrant Canary is a provision to disclose subpoena(s)
that a company is not allowed to disclose and now SpiderOak is shutting down
that provision?

~~~
wccrawford
Canaries were used in coal mines to detect deadly gas. If your canary dies, it
means you might have a problem.

A warrant canary dies when a warrant is served. If a company has a statement
that says "We have not been served a warrant as of X date" and they update it
monthly, then they suddenly stop updating it or remove that statement, the
canary has died. They might have been served with a warrant.

It's also possible that the canary died of natural causes, of course. It could
be that a lawyer told them it was a bad idea, or maybe a shift in management
removed it. But there's no way to know.

~~~
kilotaras
To expand on this.

This is done as it is usually presumed the government can legally force your
silence, but can't force you to say something (e.g. we hadn't received secret
warrant, last updated: Aug, 08)

~~~
cyphar
And to even further expand on it, the reason why they usually have a date is
because it would be possible to argue that a company could be forced to keep
an existing document on their website (since they aren't being forced to say
something against their will, so much as being forced to not stop saying
something they've already said). So the expiry is quite important in the
function of a warrant canary.

Although it should be noted that as far as I'm aware, warrant canaries haven't
actually gone through the court system to determine if they are actually a
legal way of circumventing gag orders. Not to mention that the legality of
warrant canaries has mostly only been discussed by internet lawyers in
relation to US laws -- in other jurisdictions they may not work at all (I've
spoken to some Australian lawyers and they think that even the basis of the
theoretical arguments don't apply in Australia).

On the other hand, I don't know of any company that has actually used warrant
canaries (and has "activated them" like Reddit did) which ended up being tried
for violation of the NSL's gag order.
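
The reader-side check implied by the descriptions above (a dated statement that must be renewed, and a canary that stays dead once it dies), as an added example that is not part of the thread and not SpiderOak's code. The field names, the `CanaryMonitor` helper and the sample text are assumptions constructed for illustration; signature verification is deliberately left out.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample. The "Issued"/"Valid-Until" field names are assumptions
# made for this example, not the layout of SpiderOak's canary.
SAMPLE = """\
We have received no secret warrants, NSLs or gag orders.
Issued: 2018-02-01
Valid-Until: 2018-08-01
"""

FIELD = re.compile(r"^(Issued|Valid-Until):\s*(\d{4}-\d{2}-\d{2})\s*$", re.M)


@dataclass
class CanaryMonitor:
    """Reader-side state for one provider's canary (hypothetical helper)."""
    dead: bool = False          # latched: a later "it's back" never resets it
    reason: str = ""
    last_issued: Optional[date] = None

    def _kill(self, reason: str) -> str:
        self.dead, self.reason = True, reason
        return "dead"

    def observe(self, text: Optional[str], today: date) -> str:
        """Feed the fetched canary text (None if the page is gone)."""
        if self.dead:
            return "dead"
        if text is None:
            return self._kill("canary removed")
        try:
            fields = {k: date.fromisoformat(v) for k, v in FIELD.findall(text)}
        except ValueError:
            return self._kill("malformed date")
        if set(fields) != {"Issued", "Valid-Until"}:
            return self._kill("missing date fields")
        issued, until = fields["Issued"], fields["Valid-Until"]
        if issued > today or until <= issued:
            return self._kill("implausible dates")
        # A provider made to leave an old page up (or serve it again) shows
        # up as an issue date that moves backwards or a lapsed validity.
        if self.last_issued and issued < self.last_issued:
            return self._kill("older statement served again")
        if today > until:
            return self._kill("expired without renewal")
        self.last_issued = issued
        return "alive"
```

Call `observe()` once per fetch and persist the monitor between runs; the latch only means something if the reader's own record survives the provider's later edits.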

------
discordance
Regardless of the stated reason for the canary to be removed, there is a
responsibility in deploying a warrant canary that must be upheld. In this
case, the canary is dead and the responsibility is now on users to judge what
they should make of that.

I, for one, would not use their service going forward.

~~~
chmars
Isn't it anyway safe to assume that Internet providers worldwide have to give
access to security services etc. (or are even happy to cooperate without any
legal pressure)?

------
Lazare
I've had some mixed feelings about SpiderOak in the past, but at least they
did this right.

Props to them for making a canary and then following through on it.

~~~
maxerickson
Or it doesn't mean anything. Who knows, that's the beauty of it.

~~~
Cthulhu_
Well no, it means that either they've been compromised and thus shouldn't be
trusted anymore, or they forgot (?) to update their canary which means they
shouldn't be trusted anymore.

Don't "who knows?" on this subject, it makes you look like a government shill
trying to lull privacy conscious people into indifference.

~~~
maxerickson
What if their lawyer explained to them that removing the canary for a reason
was likely to be criminal and they removed it preemptively?

Unless you want to cite a bunch of jurisprudence that warrant canaries
_actually work_, I'm gonna stick on "who knows", even though I'm not a
government shill (I'm more "pragmatic about who really has the power in that
particular relationship").

~~~
viraptor
> What if their lawyer explained to them that removing the canary for a reason
> was likely to be criminal and they removed it preemptively?

Then a nice solution would be to say "our lawyer explained to us that removing
the canary for a reason is likely to be criminal, so we're letting you know
we're going to remove it in 2 months to make you more sure we're not doing it
in response to a current issue".

~~~
cyphar
And people would have precisely the same primary reaction (_as they should_)
but then would also get angry at SpiderOak for "poisoning the well" with
doubts about the legality of warrant canaries. To be clear, as far as I know
there is no legal precedent that says warrant canaries are a legal way of
subverting gag orders (then again, the fact there is no such legal case even
though Reddit activated their warrant canary could point in the favour that
the US government doesn't want to try their luck in court).

------
lwhalen
Also note earlier in their feed, a few hours before they announced the death
of the canary, they had a 'full system outage due to a poorly communicated
maintenance by their ISP'. To me, this screams "Narus box at our edge" or
similar shady behavior.

------
fjsousa
I've been using spideroak and encryptr for a while and I'm assuming the data
stored by them up until now is secure given that it was a zero knowledge
service. Any opinions on this?

~~~
throwaway9d0291
Unless you manually manage your keys, it's only zero knowledge if you never
log into their website or use their Android app, either of which gets your key
onto their servers.

------
SeanMacConMara
If your threat model includes any sovereign state's intelligence agency then a
warrant canary is worse than useless. Given their other widely abused powers
it is likely trivial to force a normal company to continue business as normal
and make any statement.

I submit that warrant canaries are at best legally and politically naive
virtue signalling and at worst deliberate obfuscation of the actual threat
model.

------
BrandoElFollito
Why do these companies not make use of international, cross border solutions?

I am bound by the law of France but my associate in the US could not care less
and vice versa. If we cross check, say, code daily and I see a discrepancy
then I raise an alert on my .fr page, controlled by myself. He would not be
involved.

------
Tharkun
IIRC their yum repository is having some GPG signing issues as well. This
isn't increasing my confidence.

------
onetimemanytime
Any ideas on how many people in the company would know about it? If it's quite
a few, one would take the chance on writing anon to a tech writer/activist.
But that too is easier said than done...FBI would not be happy and they have a
lot of cards in their hand.

------
DyslexicAtheist
Don't be mad. This is exactly what a canary is for.

------
jokoon
If you look at the comment they debate that a canary can mean the service is
not as secure as it was, like truecrypt did use its canary.

~~~
barking
I think you're wrong about Truecrypt, it's still safe but just won't ever be
updated.

[https://www.grc.com/misc/truecrypt/truecrypt.htm](https://www.grc.com/misc/truecrypt/truecrypt.htm)

~~~
DanBC
Truecrypt may be secure, but linking to GRC is going to persuade me that it
isn't.

~~~
barking
Who can you trust? I use Truecrypt to encrypt my Windows machine but I've been
thinking about moving away from it because it seems to cause issues with some
Windows updates. So if not Truecrypt, what, BitLocker?

~~~
Strom
You can upgrade to VeraCrypt [1] which is a continuation of TrueCrypt. It's
backwards compatible with TrueCrypt volumes but also fixes a bunch of issues
that have been found in TrueCrypt code. It also supports newer features like
EFI boot and Windows 10 big updates.

--

[1] [https://www.veracrypt.fr/](https://www.veracrypt.fr/)

~~~
barking
Hi Strom, do you have experience using this? I tried it a couple of years back
on a new pc but I had some issue (I can't remember what it was) with full
disk encryption which caused me to go with Truecrypt.

~~~
Strom
Yes I used to use TrueCrypt but have been using VeraCrypt on all my computers
for about a year now. Most recent issue I had was with EFI boot and major
Windows 10 updates, but the latest beta of VeraCrypt addresses that issue as
well.

~~~
barking
Good to know, I'll definitely give it a go as the Windows update issue with
Truecrypt is a pain. Thanks.

