
AutoCanary: machine-readable, digitally signed warrant canary statements - danso
https://firstlook.org/code/project/autocanary/
======
NeutronBoy
I can't help but feel canaries are missing the 'spirit of the law' (I don't
like calling it that, but the phrase fits) of the gag order, and will
ultimately not stand up in court.

The gag order says you can't do anything to notify people that you've received
one. By having the canary expire, you're alerting them. No questions, end of
story.

I get the concept of 'they can't force you to sign a false document because of
the First Amendment' line of thinking, but the gag orders themselves don't
respect your constitutional rights, why would you expect it's different in
regards to canaries?

~~~
adevine
Well, here's a somewhat analogous issue where the courts have decided
differently. A 10b5-1 plan is a set of rules set up by someone, like a company
exec, to trade stock even if that person holds inside information at the time
of the trade. That is, you could set up a plan that automatically sells 100
shares of stock per month. You can NOT change the rules of the plan while you
have inside information.

However, you CAN cancel plan orders even if you have inside info. For example,
if you knew great news was coming, you could cancel a sell order. If I
understand it, this is because courts have ruled that insider trading laws can
only be applied when a trade occurs, not when one doesn't occur. IANAL so
someone correct me if I'm wrong.

~~~
chii
That is an interesting line of argument... but I think ultimately, the fight
over the application of law isn't one which can be won over by sheer logic.
Men in power who wish to manipulate the world for their own agenda will be
able to do it, if the common folk don't care or fight back.

------
SilasX
We've been over this before.

If you communicate, by any signal, including the lack of sending a signal, or
any prearranged protocol, that you received a warrant when you were ordered
not to talk about it, then you are in violation of the order.

No amount of technical trickery changes that; courts are run by humans.

The page includes a note about warrant canaries never having been tested in a
court of law, but you shouldn't be hopeful.

~~~
peteretep

> courts are run by humans

Not only that, courts are run by humans who have the ability to imprison you
indefinitely if they think you are disrespecting the spirit of their rulings

[http://en.wikipedia.org/wiki/Contempt_of_court](http://en.wikipedia.org/wiki/Contempt_of_court)

~~~
MCRed
Which is a violation of due process itself.

------
nickpsecurity
If country X's laws are the problem, then the owners must not be citizens of
X, the servers must not be in X, plaintext must not hit X, the jurisdiction of
the organization must not be X, and preferably there's no import/export
agreement for commercial activity in X. Knowing this, the companies that are
merely changing jurisdictions or server locations shouldn't trick you into a
false sense of security.

The only sure-fire way to do things is to (a) not become popular amongst
targets in X or (b) don't do business in X whatsoever. I've met a number of
chip designers and security engineers that have been doing (b) for a long
time. I did that for foreign threats. Even if you practice these, your OPSEC
and INFOSEC still must be good enough to stop the attackers they send.

No surprise some governments and companies are just eliminating electronics
from security-sensitive areas. I think the Russians even use typewriters now
for some things. Not that they don't have their own vulnerabilities. ;)

------
getpost
I'm curious, has the constitutionality of warrant gag orders ever been tested
in court? How does the government's interest in a gag order trump my right of
free speech?

~~~
getpost
This is a sincere question. It's one thing to be involved in a court case and
have a gag order in place while a case is in progress. But here, I'm operating
my business lawfully, and out of the blue, the government tells me what I can
and can not say.

------
techdragon
This is illegal in Australia, no bill of rights/constitution to safeguard
anything so when the spineless maggots we have as our elected legislature say
"warrant canaries are illegal" [1] then we are fucked, it's illegal, and the
extremely long fight to convince the next batch of spineless maggots to vote
the shit out of existence, begins.

[1] [https://www.schneier.com/blog/archives/2015/03/australia_outla.html](https://www.schneier.com/blog/archives/2015/03/australia_outla.html)

------
djoldman
In the spirit of what others have said, why not take it a step further? Say:
"we have not received 1 request," "we have not received 2 requests" etc etc.
Somehow, I think this won't work.

~~~
goodside
Or even: "The first byte of a message we are unable to deliver is not 0x00.
The first byte of a message we are unable to deliver is not 0x01. The first
byte..."

~~~
plorg
While we're playing games of semantics, we might as well have fun.

_"A message we are unable to deliver is NOT
0xa89adf8d9a9c9a96899a9bdf9edfb19e8b9690919e93dfac9a9c8a8d968b86dfb39a8b8b9a8ddf8d9a8e8a9a8c8b969198..."_

------
GoodIntentions
Using this might give you a warm feeling inside, but if anything, it has the
potential to cause harm by providing confidence in an entity that is being
compelled to continue issuing the canary.

"The legal theory behind warrant canaries is based on the concept of compelled
speech. The First Amendment protects against this in most circumstances."

These things are pointless if they compel surrender of the key. Does anyone
think even for a moment that "constitutional rights" will be considered?

------
madez
What speaks against putting a system in place that makes it impossible to
comply with a gag order? Maybe even technically impossible, e.g. backed by a
hardware fuse that you'd need to break to comply with a search but by doing so
making it impossible for you to sign another canary?

Or, say, you cooperate with someone overseas in a safe country that requires
you to visit him every quarter to make the canary together?

------
DavidSJ
How many organizations have warrant canaries by now? Of those, how many have
let the canary expire, indicating a warrant was issued? If the answer is zero,
which is more plausible: 1) that no such warrants have ever been issued, or 2)
that they have, and warrant canaries have already failed the test in secret?

~~~
icebraining
It's not zero, see Silent Circle.

------
areed
What if there were a third-party polygraph service to sign the warrant canary
statements? It would need to solve the problem of a remote polygraph since it
would have to be located in another jurisdiction.

~~~
sgift
First the service would have to solve the problem that polygraphs are not
working very well:
[http://en.wikipedia.org/wiki/Polygraph#National_Academy_of_S...](http://en.wikipedia.org/wiki/Polygraph#National_Academy_of_Sciences)

------
rdl
I'm kind of concerned about "mere instrumentality" being said by some
prosecutor at some point in the future, here.

