Cloudflare expands its government warrant canaries (techcrunch.com)
262 points by jbegley 26 days ago | 151 comments

The rsync.net warrant canary is 13 years old this April:


"The first commercial use of a warrant canary was by the US cloud storage provider rsync.net, which began publishing its canary in 2006. In addition to a digital signature, it provides a recent news headline as proof that the warrant canary was recently posted as well as mirroring the posting internationally."[1]

[1] https://en.wikipedia.org/wiki/Warrant_canary

Glad you guys included this part:

> "Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations."

That's always been a question in the back of my mind when seeing all these canaries. Anyone know if ordering a company to do this is feasible under US law, either by force or by authorities taking over private keys and doing it themselves? Canaries appear to be pretty much untested in court.

The EFF has a FAQ about warrant canaries which addresses some of these topics: https://www.eff.org/deeplinks/2014/04/warrant-canary-faq

It is believed to be unlikely that a court would compel a company's false speech to maintain a warrant canary.

> Have courts upheld compelled speech?

> Rarely. In a few instances, the courts have upheld compelled speech in the commercial context, where the government shows that the compelled statements convey important truthful information to consumers. For example, warnings on cigarette packs are a form of compelled commercial speech that have sometimes been upheld, and sometimes struck down, depending on whether the government shows there is a rational basis for the warning.

> Have courts upheld compelled false speech?

> No, and the cases on compelled speech have tended to rely on truth as a minimum requirement. For example, Planned Parenthood challenged a requirement that physicians tell patients seeking abortions of an increased risk of suicidal ideation. The court found that Planned Parenthood did not meet its burden of showing that the disclosure was untruthful, misleading, or not relevant to the patient’s decision to have an abortion.

The right question isn't “will courts issue a direct order to maintain a warrant canary to conceal a warrant (or, more likely, an administrative subpoena like an NSL) protected by a non-disclosure order”, it is “will courts punish signalling the existence of a warrant (etc.) protected by a non-disclosure order by dropping a warrant canary as they would any other action done to signal the existence of such a warrant.”

Which is why even the EFF doesn't recommend dropping the canary immediately but instead going to court to seek vindication of the right to drop the canary before so doing.

I don’t think it would be forced directly. I think they’d put the company under a gag with threat of criminal punishment if they do anything to “signal” an investigation. Then an operator has to ask themself “is it worth risking jail time by updating this page?”

The appeal of the Warrant Canary design is that the operator simply has to take no action (i.e. not update the page) to signal that they've been contacted by law enforcement, in theory making it safer. It's still a risk though.

Taking no action can be illegal, as child neglect and negligent homicide demonstrate.

Yeah but here the action would be to make a false publication, which as discussed higher up the courts have been reluctant to force people to do.

If the warrant canaries were updated automatically, could a court compel a company to not change the script?

> That's always been a question in the back of my mind when seeing all these canaries. Anyone know if ordering a company to do this is feasible under US law, either by force or by authorities taking over private keys and doing it themselves? Canaries appear to be pretty much untested in court.

The evidence shows (IMHO) it is likely the government has enough power to obtain your keys by force, issue a gag order, and take actions against your users before the case works its way through an appeal process. The only question is if you'll be willingly participating in the activity or if it'll happen while you're in lockup.

"Pete Ashdown, CEO of XMission, an internet service provider in Utah, knows. He received a Foreign Intelligence Service Act (FISA) warrant in 2010 mandating he let the feds monitor one of his customers, through his facility. He also received a broad gag order."


"My company, Lavabit ... [snipped, see URL for this background info paragraph]

But that wasn't enough. The federal agents then claimed that their court order required me to surrender my company's private encryption keys, and I balked. What they said they needed were customer passwords – which were sent securely – so that they could access the plain-text versions of messages from customers using my company's encrypted storage feature. (The government would later claim they only made this demand because of my "noncompliance".)"


If you’re an international organization and that comes out, prepare to be sued for fraud in other countries.

Um... wouldn't the act of compelling them to produce false declarations for the purpose of obtaining sales under false pretenses fall under conspiracy to commit (wire) fraud which is a federal crime?

Are there any lawyers that could comment on this?

> wouldn't the act of compelling them to produce false declarations for the purpose of obtaining sales under false pretenses fall under conspiracy to commit (wire) fraud which is a federal crime?

No, it would not, among other reasons because that is not the purpose.

Definitions stolen from Wikipedia:

Conspiracy - In criminal law, a conspiracy is an agreement between two or more persons to commit a crime at some time in the future. E.g. the court (judge) and the seller.

Fraud - wrongful or criminal deception intended to result in financial or personal gain... for example making untruthful claims for the purpose of continuing to sell a product under false pretenses.

Mail and Wire Fraud - Fraud facilitated through the mail system or via electronic means.

Can you elaborate as to how a compelled untruthful (electronic) declaration for the purpose of continuing to obtain sales of your product is NOT (wire) fraud?

Not trying to be an ass, I'd just like to understand.

> Can you elaborate as to how a compelled untruthful (electronic) declaration for the purpose of continuing to obtain sales of your product is NOT (wire) fraud?

I'm saying—and I said this expressly in the post you responded to—that that isn't the purpose, which is the strongest reason it isn't criminal fraud.

Your initial purpose in the warrant canary was sales, sure, but the government wasn't involved in that and it wasn't (presumably) false.

The government order isn't for the purpose of sales.

Your compliance with that order is quite likely not for that purpose, either; it's to avoid the consequences of non-compliance (which is why it's compelled and not voluntary.)

Your compliance with that order is not for that purpose. HOWEVER, your statement which was originally to generate sales went from being truthful to being untruthful.

So now that your warrant canary is false, you are making an untruthful statement supporting sales generation for your company, which is what makes it fraudulent; and in my mind at least, because you've been compelled to do so, that's conspiracy to commit fraud.

I guess they could argue that you weren't compelled to continue operating. You could have shuttered your business. So in that sense, I suppose if they made that argument, the fraud would be on your head and they'd get off on that technicality.

You should really try to learn from the well-reasoned explanation of why your initial hunch was wrong, instead of continuing to try to argue the point with increasing levels of obviously wrong grammatical and legalistic hairsplitting.

Law is a system that, to a certain degree, depends on reasonable people employing commonly accepted rules of logic and teleology. It is not a programming language that can be “tricked” by superficial attempts at “being clever”.

> HOWEVER, your statement which was originally to generate sales went from being truthful to being untruthful.

You made a true statement with the purpose of generating sales, and later a false statement with a different purpose. The fact that the two statements have the same content doesn't make the intent of one transfer to the other, or the falsity of one transfer to the other.

The required mental state for a crime must connect to the required act, not just a generally similar act at a different time.

(Of course, the government compelling your action by force means it cannot be prosecuted as a crime of yours, because when the government induces a crime you would not otherwise have committed by threats, that's called “entrapment”.)

> and in my mind at least, because you've been compelled to do so, that's conspiracy to commit fraud.

No, aside from the fact that you don't have a false statement made with the required purpose to start with, the fact that you are compelled by the government doesn't make a conspiracy.

> I guess they could argue that you weren't compelled to continue operating. You could have shuttered your business. So in that sense, I suppose if they made that argument, the fraud would be on your head and they'd get off on that technicality.

No, they’d get off because their power to issue and enforce non-disclosure directives with NSLs, etc., is an express power granted in law.

According to this argument, it seems like you don't even need a warrant canary. If you told your customers you would inform them of a warrant, and the government compelled you not to, under your arguments wouldn't that also be conspiracy to commit fraud?

I've never completely understood this. What prevents you from lying about this? I mean, let's imagine a hypothetical 100% evil three letter agency. They'd just threaten you and your family members' lives and you'd keep updating the canary right? How can we know you keep updating it out of your own free will?

There is also the possibility that we take your money for cloud storage and run away to Costa Rica without providing anything to you.

Or our ZFS filesystems are actually raid-5 ext2 volumes and we fake the snapshots.

Or one of the locations is just running in my basement.

There are all kinds of ways for a service provider to act in bad faith. In many ways, the warrant canary is an attempt to signal what kind of people we are and the manner in which we act in good faith.

Except all those are examples of acting in bad faith. The question at hand here is whether the government can compel you to keep the canary in place after a search/seizure.

The only bad faith might be using warrant canaries knowing that they may still be able to be compelled legally to comply.

"The question at hand here is whether the government can compel you to keep the canary in place after a search/seizure."

I personally (which is the only viewpoint that matters here) would consider falsely updating the canary to be acting in bad faith. I would consider it to be morally negative. I consider it to be of the same kind as the other examples I gave of acting in bad faith.


> falsely updating the canary to be acting in bad faith. I would consider it to be morally negative. I consider it to be of the same kind as the other examples I gave of acting in bad faith.

Except that in the case of the canary, there might be the very real threat of violence or jail time for you or your loved ones.

If it were me, I can see a world where I would do things I think are morally negative if it keeps me and my loved ones alive and out of jail, and I think many other people are the same.

> might be the very real threat of violence or jail time for you or your loved ones

I mean, hypothetically there could be. But in the real world, in some countries, you can be fairly sure that the rule of law will be followed.

Just take a look at this:


And these are just the ones we know about, and the page only pertains to experimentation.

You have to give some consideration to what "legal" even means when you're dealing with a government.

The last instance on that page occurred in the early 1970s. I never claimed the past was free of bad events. I said, prospectively, that a person could be relatively sure the rule of law would be followed on the subject of warrant canaries, in some countries.

> But in the real world, in some countries, you can be fairly sure that the rule of law will be followed

I think it's fairly clear we're talking about the US, and in this case everything is a secret. We have no idea what will happen, or if anything has happened in the past.

Obviously I can't prove the nonexistence of secret proceedings where people have been made to lie to the public. This is ever the domain of conspiracy theorists, because you can never really prove that no such thing has happened, to say nothing of proving it won't. Proving non-existence in general is a nearly impossible problem in the real world. But I think it's unlikely. People can feel free to let their irrational fears dominate their behavior if they want.

Wow, so you are saying you will go to jail if given the choice between that and not updating your warrant canary? Brava, but talk is cheap.

Of course they could compel you to keep it, the CIA has overthrown countries, performed psychological experiments on unwilling US citizens, they've sold crack and smuggled arms against Congress's wishes, the list goes on. There is nothing stopping a part of the US government from compelling a company to keep a warrant canary.

But that doesn't mean canaries are useless, they're just not protective if the US government has deemed it important enough to force it.

Love what you folks do. Keep up the hard work!

The problem with this threat is that once the cat is out of the bag, you can't put it back in. It's similar to making defamatory statements in court and having it stricken from the record - "OBJECTION!"

The problem is, you can't force the jury to un-hear that. The damage is done. You can't unring a bell. You've tainted their opinion, whether the judge tries to undo it or not.

If you put a gag order on me and suggest trying me for contempt of court if I say anything and I think the value of me talking is greater than that of my freedom, I will speak up. If I can get around the gag order by using a warrant canary to implicitly say what I'm not allowed to say without being tried for being in contempt of court, then that's what I will do. Until the laws are rewritten to prevent the use of warrant canaries, there's nothing the courts can do about this. It's a valid loophole.

There's little point in killing my family if everything I know is already out there in the wind. I can't do any more harm than has already been done. All you have is retribution. Our agencies often take a pretty dim view of retribution. Chances are, I'd just end up with a contempt of court charge and be thrown in jail, potentially indefinitely. But realistically, the damage is done. Once again, you can't unring a bell.

There's little they can legally do to pursue my family, there would be political uproar. So beyond charging me, I imagine they'd be relatively safe.

I'm not sure there's much of a distinction between removing a warrant canary and breaking a gag order. Judges tend to have a low opinion of loop hole technicalities like this that provide the same function.

I'd suspect the legal punishment/risk is the same so at best they're kind of pointless and at worst they might be extra misleading since users may believe the presence of the canary means there wasn't a request when there actually might have been.

Maybe you don't actively do anything. It is the absence of action.

You don't REMOVE a warrant canary. You DO NOT update it.

As of date X we have not been forced to do BAD THING.

I simply stop updating X on the notice.

In the past, the updates had happened at interval Z. Once interval Z passes without an update, everyone knows that I've done BAD THING.

I didn't take any action to disclose anything. I simply stopped updating something.
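The "stop updating at interval Z" scheme only works if readers actually watch for the missed update, so here is a reader-side freshness check as an added example (not part of the thread and not any provider's code). The two-line canary format, the sample texts, and the grace and slack values are constructed assumptions; the headline check follows the "recent news headline" idea quoted at the top of the thread, and signature verification against the operator's published key is assumed to have been done separately.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import List, Optional

# Constructed canary layout for this example (not a real provider's format):
#   As of YYYY-MM-DD we have not been forced to do BAD THING.
#   Headline (YYYY-MM-DD): <news headline, with the date the reader looked up>
AS_OF = re.compile(r"^As of (\d{4}-\d{2}-\d{2})\b", re.M)
HEADLINE = re.compile(r"^Headline \((\d{4}-\d{2}-\d{2})\): (.+)$", re.M)


@dataclass(frozen=True)
class Canary:
    as_of: date                      # date X claimed in the statement
    headline_date: Optional[date]    # when the quoted headline was published
    headline: Optional[str]


def parse_canary(text: str) -> Canary:
    """Extract the claimed date and the headline proof from one statement."""
    m = AS_OF.search(text)
    if not m:
        raise ValueError("no 'As of <date>' line found")
    h = HEADLINE.search(text)
    return Canary(
        as_of=date.fromisoformat(m.group(1)),
        headline_date=date.fromisoformat(h.group(1)) if h else None,
        headline=h.group(2).strip() if h else None,
    )


def expected_interval(history: List[Canary]) -> timedelta:
    """Infer interval Z as the median gap between past updates."""
    dates = sorted(c.as_of for c in history)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    if not gaps:
        raise ValueError("need at least two past canaries to infer interval Z")
    return timedelta(days=median(gaps))


def assess(history: List[Canary], today: date,
           grace: timedelta = timedelta(days=3),
           headline_slack: timedelta = timedelta(days=7)) -> List[str]:
    """Return findings for the newest canary; an empty list means it looks fresh."""
    latest = max(history, key=lambda c: c.as_of)
    findings = []
    # Interval Z (plus grace) has passed with no new statement: the canary is dead.
    if today > latest.as_of + expected_interval(history) + grace:
        findings.append("OVERDUE")
    # A statement dated in the future was prepared in advance.
    if latest.as_of > today:
        findings.append("FUTURE_DATED")
    # The headline bounds how early the text could have been written. A missing,
    # old, or later-than-claimed headline means that bound does not hold.
    if latest.headline_date is None:
        findings.append("NO_HEADLINE")
    else:
        age = latest.as_of - latest.headline_date
        if age > headline_slack or age < timedelta(0):
            findings.append("HEADLINE_MISMATCH")
    return findings


def sample_text(as_of: str, headline_date: str) -> str:
    """Build a constructed canary statement for the demo below."""
    return (f"As of {as_of} we have not been forced to do BAD THING.\n"
            f"Headline ({headline_date}): constructed headline text\n")


# Constructed history: weekly updates, each quoting a headline from the day before.
SAMPLE_HISTORY = [parse_canary(sample_text(a, h)) for a, h in [
    ("2019-01-07", "2019-01-06"),
    ("2019-01-14", "2019-01-13"),
    ("2019-01-21", "2019-01-20"),
    ("2019-01-28", "2019-01-27"),
]]

if __name__ == "__main__":
    for day in (date(2019, 2, 2), date(2019, 2, 8)):
        print(day, assess(SAMPLE_HISTORY, day) or "fresh")
```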

Developers often think laws work just like computers: If you can find a loophole where you technically follow the letter of the law, while undermining its intent, then you have hacked the law and can't be punished!

Judges do not think like that though.

Remember when Microsoft was forced by a judge to offer a version of Windows without the Internet Explorer browser? Microsoft just removed all the dll's IE used. But since some of the dll's were also used in other parts of the OS, this version of Windows could not run. But they had complied with the ruling!

Microsoft thought it was very unfair when they were ruled in contempt of court.

Does this mean that if you were screaming from the rooftops "I'VE DONE NOTHING WRONG" every day leading up to the gag order and then you stop screaming from the rooftops that you'll be in contempt of court?

Can the court compel you to continue with behaviour to cover something up?

Would that be akin to conspiracy to commit fraud or wire fraud if electronic? Wouldn't that make the court and thus the judge complicit in conspiracy to commit wire fraud?

I have a feeling a judge is not about to risk being disbarred for such behaviour.

Of course, I'm not a lawyer and this is purely conjecture on my part.

It doesn't matter if "screaming from the rooftops" seems to you _logically_ the same as a warrant canary. The courts tend to care about the _practical_ effect too. If the practical effect is to violate the gag order (because people were actually paying attention to you screaming from the rooftops, maybe), then... maybe? We aren't sure.

And dude, judges don't get disbarred even when they do CRAZY stuff. A judge getting disbarred (or even dis-judged) is _exceedingly_ rare.

A judge is _definitely_ not going to get disbarred for making a ruling _you_ think is irrational, but isn't actually inconsistent with any established case law, because it's not established yet.

Not even going to get _reprimanded_, let alone disbarred.

The U.S. just doesn't work how you think it works.

Has anyone been held in contempt of court for failing to update a warrant canary? I don't believe so. So it seems to be working?

Another poster pointed out that courts generally do not uphold orders to compel speech when that speech is untruthful. So a court order to untruthfully update a warrant canary will not likely survive a legal challenge.

Has anyone used a warrant canary to successfully convey the information it's intended to _without_ being held in contempt? Is there a list somewhere?

If the warrant canary is in the company's financial statements, is the judge going to now try to force the company to introduce inaccurate information into their public financial disclosures? The SEC might take a dim view of that.

The company can take the 'can neither confirm nor deny' posture, and simply remove the warrant canary from public financial statements. Or leave the most recent accurate and dated one unchanged.

The judge can punish the company severely for breaking the law.

I’m guessing this depends on the judge? I was in traffic court and one of the lawyers argued that the statute did not explicitly say what his client did was illegal.

I don’t recall what it was, but he read the statute and explained the technicality and the judge agreed with him.

Part of the job of lawyers is to know the judges they interact with and what sorts of claims they'll take seriously and which ones they'll overrule. That has very little to do with the kind of immutable logic outsiders tend to try to read into the law.

Often, the law does treat action and inaction very differently. Eg: it’s illegal to poison your ailing grandparent, but legal to let them die by removing the feeding tube (because you are just “not feeding them anymore”).

Intent and spirit of the law matter more than the difference between action and inaction.

The law doesn’t care if you say “let’s put him out of his misery” before pulling out the feeding tube, even though it demonstrates a clear intent to kill.

Be careful and speak with a lawyer first.

In my country (Slovenia), you would still be found in breach of the court order.

If court orders you not to reveal a certain item, and then you go and reveal it[1], at least here details of how you revealed it do not matter.

If you set up things in a way that you have to lie in order to comply with court order, that's your problem and not the court's. Court will not compel you to lie. It will punish you for breaking a court order.

And the fact that you did it in advance in anticipation of such order, would only make matters worse for yourself. (willful disregard, or however it's translated)

[1]: Setting up a canary and then not updating it, is revealing it. Just because you went through convoluted means to do so, it's the results that courts care about.

It’s like a dead-man switch. You can also set it so every few hours, you have to enter in a password to keep it up.

If you are held for questioning, most likely you won’t have access to a device to update it.

> I didn't take any action to disclose anything. I simply stopped updating something.

This might work if judges are fucking idiots.

This would be conspiracy to commit wire fraud with a maximum sentence of 20 years and a $250,000 fine.

They surely can't compel you to break the law, even to cover up a gag order?

Of course, I'm not a lawyer and this is just conjecture on my part.

See my post immediately above about if the warrant canary is in the company's public financial statements.

OK, what if you provided total read-only access, to everything on all of your machines, networks, communications and so on, to someone like me. Someone who you could trust 100%. And whose reputation depended on that. Someone who was totally anonymous (which I'm not, but I could have another persona that was). And someone with such deep backdoors into your stuff that they couldn't be evicted.

And so it's that person who maintains the warrant canary.

Or instead, it could be an ~undocumented feature of your outside counsel. Because you do have the right to outside counsel, I think, even regarding NSLs.

Edit: For example http://www.cryptohippie.net/AnonAdmin.html

You don't know if it's a "valid loophole" until it's tested in court. You could later find yourself under prosecution, and possibly eventually in jail and/or with a business-destroying fine. If you are willing to risk that, because you think "the value of talking is greater than that of your freedom" -- I think that's actually quite honorable and respectful!

You could of course violate the terms of a sealed warrant or other enforced-confidential court order without a warrant canary too, although of course that goes from "we're not sure if I can get away with it", to "this is definitely going to be a really big legal battle, that _maybe_ I can come out of, if there's enough political uproar."

Using a warrant canary _might_ end up being just as much legal jeopardy, we're just not sure.

Retribution could serve a useful purpose to those in power: a warning to others who are considering doing what you've done.

Well, of course anyone can point a gun at your newborn baby. But a government agency has to comply with the law, and the law makes certain requirements on officers of companies. The details are complicated, but simplifying, if a company is publicly traded and someone whose title starts with V or C says something in public, then it has to be true.

Three-letter government agencies can't both comply with the law and at the same time force you to break the law.

Didn’t Snowden reveal that government agencies routinely break the law?

Indeed he did. He didn't reveal that they routinely compel random CxOs to do so, though.

... and break the law themselves.

Speaking from an engineering perspective, this is part of the reason I've never been comfortable with warrant canary or "extra-warrant" compromise canary.

Let's say you run some kind of service for which you offer privacy/security assurances, but, at some point, you're compelled in some extra-warrant way to violate those assurances. Or you're simply compelled by warrant, while also being compelled not to implicitly signal that by canary. Or you discover a compromise, previously without your knowledge, and are compelled not to disclose it.

I could easily imagine that many of the same official powers (public or secret), or de facto powers, that would enable the compelling wouldn't see the legal arguments of some lawyers as showstopper barriers to keeping the canary intact. If you think that kind of scenario is plausible, then touting a canary is arguably doing a disservice, from the start.

At least half of engineering is honesty and specification, so the introduction of a canary, in an environment in which you can't be sure you can comply with it, and perhaps can't disclose when you realize you definitely can't comply-- doesn't seem like good engineering.

If we're not sure we can honor canaries, then perhaps it's better not to do canaries at all -- and perhaps to instead specify our assurances better, including broad exceptions we anticipate we can't cover. Maybe lawyers and C-suite ultimately determine it makes sense to qualify the assurances with language like, "conceivably could be compelled by [particular government where company is based]" and "conceivably compelled not to disclose".

Personally, some of the hypotheticals are way outside my expertise (and stomach), and I'd rather focus only on engineering good solutions. But canary-type situations and assurances sometimes involve engineering, and sometimes we can foresee potential future problems that we should discuss with the appropriate people in our organization, before it becomes a problem. Then, hopefully we work with people who use all the information, from engineering and other sources, to do the best thing.

(BTW, I'm in the US, and I think, for example, that a practice of warrants is a very good thing, in principle, and I have some trust in the mechanisms and checks&balances of our system. I appreciate that different countries and people have different situations and perspectives, and that things are very complicated and imperfect, even in my own country.)

The government can issue a gag order on a specific subject. This prevents you from disclosing the existence of a subpoena. However, the opposite is not true. The government cannot compel speech.

Sure, the government can take illegal actions...

However, they cannot force someone to make an untrue statement.

Maybe they can't force you but you might still be found in contempt of court and jailed or fined large amounts of money.

Either option, force or contempt of court, isn't that well explored in the domain of cyber security yet, especially because the lack of updates on the warrant canaries are supposed to communicate something and the lack of updates would therefore also constitute communicating the presence of a warrant to outside parties.

Law isn't like logic puzzles.

The idea (and reality) is that government entities in democracy tend to follow the law.

Trying to invent schemes to defend against the breakdown of the rule of law is sort of like buying insurance against the world ending.

What's the purpose? Most judges will understand what a warrant canary is, and can simply ask them to continue signing it. Judge has the power to gag you, or force you to sign or continue doing something. It's very common in multi-scheme crimes where forcing one criminal to continue their criminal conduct is "greater good" for the sake of a whole investigation.

Surely if the criminal is an assassin, the judge wouldn’t order them to continue taking contracts for “the greater good.”

They certainly won't order them to continue fulfilling contracts, but they might order them to continue accepting (and reporting) them.

There is a difference between killing people and continuing to make cryptographic signatures that even the densest of judges should recognize.

Here is my interpretation of Cloudflare's statements (and lack thereof) in their transparency report:

"We received 0-249 National Security Letters" = "We are subject to one or more National Security Letters with associated gag orders."

"Cloudflare has never installed any law enforcement software or equipment anywhere on our network." = "Someone other than us installed law enforcement software and equipment on our network, or we provide software interfaces used by law enforcement to comply with an NSL."

"Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." = "Law enforcement may MitM Cloudflare customers' websites through first-party interfaces provided to comply with NSLs."

"Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party." = "Law enforcement may MitM Cloudflare customers' websites through first-party interfaces provided to comply with NSLs."

> has never terminated a customer or taken down content due to political pressure


No comment on whether or not the termination was justified.

> Our terms of service reserve the right for us to terminate users of our network at our sole discretion.

By political pressure they mean pressure from a political entity, that is, a government. That's what I'm assuming anyways, I'd love for a Cloudflare representative to confirm.

"The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology." Seems pretty clear to me?

I worked for Cloudflare when this happened, and this is the correct answer.

Maybe it should read "external political pressure"?

Yeah technically they terminated that one with no pressure.

I am hesitant to conflate actual neo-nazis with actual politics

They are actual politics, regardless of your or my beliefs. They vote, and if there are enough of them, someone will cater to them. To willfully ignore them is to ignore a sad reality, they will continue to grow unabated; to meaningfully engage them is to platform a disingenuous group (not to mention giving their beliefs acknowledgement).

It seems to be a catch-22 to me.

I'm arguing that people wanting the removal of a hate group whose largest purpose is the purge of specific ethnic groups is not a political matter, but a humanitarian one, therefore taking down Stormfront was not due to political pressure.

The child porn guy also votes. Are you going to call that political too?

My now deceased great aunt married when she was 13 to a man of 33.

Now, we'd be screaming "PEDO" from the rooftops while calling for castration and prison, or even execution. What actually happened, was marrying when you were 13 as a female was the norm. It was OK. She had 4 children.. And if you asked her, had a wonderful life.

But in a fairly short time, social norms went from "Puberty means you're an adult, or darn near one" to 'pushing up the definitions of adulthood up to 21 year olds'. And in this case, the social norms were also backed by loads of well-meaning laws that end up being abhorrent in practice (how dare two 17 year olds sext pictures, but they can have as much sex as they want).

If you didn't learn from 2016, laws and words matter. A lot.

There were plenty of 13 year old child brides, but very few child husbands... Strange how the child brides never married another child. Until the 1940s it wasn't uncommon to see preteens and teens working hard labor, does that mean it was ever OK?

I also doubt it was ever the "norm" in the modern civilized world. A quote from wikipedia [1]:

"In the last decades of the [16th] century the age at marriage had climbed to averages of 25 for women and 27 for men in England..."

1: https://en.wikipedia.org/wiki/Western_European_marriage_patt...

Neonazis/Daily Stormer was a canary.

I think back to the Skokie Nazi trial on how this should have played out. The Constitution wasn't for protecting when times and situations were good, but when they were off the rails and terribad. https://en.wikipedia.org/wiki/National_Socialist_Party_of_Am...

Cloudflare tried to be this impartial "we're only a data delivery agent - we make no ethics claims of anyone who uses our service - we're a common carrier like service".... Except when it came down to the hard decisions, they sided in smashing the canary into tiny pieces.

Cloudflare are still providing services to a lot of politically noxious sites.

What The Stormer did was claim that since Cloudflare accepted them as customers, Cloudflare must have been sympathetic to their ideology and secretly Nazis themselves. The Stormer made a pretty big deal out of this, potentially doing severe damage to Cloudflare's reputation and driving away customers.

If The Stormer had kept their mouth shut and not made a big public thing out of it, Cloudflare would probably still be providing services to them.

Instead, they forced Cloudflare's hand by claiming them as ideological allies.

It was justified.

Could a company create a warrant canary for every user? Just a simple notice when you login to your account? If the premise of the canary is that they can force you to keep silent but can't compel you to speak, what would prevent a company from doing this?

That that degree of behavior would be completely unsympathetic to both jurists and jurors, pretty much guaranteeing it would get slapped down in court eventually, even if totally legit

That’d be my read too. You can definitely be “too clever.” Laws aren’t like computer code. They’re interpreted by humans. And, if you’re “too cute” and violate the spirit of the law, you can quickly find yourself on the wrong side.

I think you're making a mistake. The primary intention behind warrant canaries isn't to shield you from legal retaliation, but to make it very hard to /legally/ force you to lie directly or by omission.

IMO it's questionable if a court in the US couldn't force you to continue signing it once they have the appropriate gag order, not signing the canary would be communicating to others you have a warrant with gag order and therefore not signing it would constitute speech which you aren't allowed to disclose as per gag order.

I've heard that Google asks you to re-sign the ToS if there's been a request by authorities to access your email account.

That sounds urban legend-y, and it seems like you'd get an insane number of false positives every time something like GDPR rolls around.

It's difficult to imagine how this could be implemented in practice without automation. Stopping an automatic process seems more like action than inaction. With a site-wide canary, a person updates the document and asks legal to confirm that the new version is accurate - the update isn't automatic.

If they are serious they should scrub out all the weasel words and other opportunities for lawyers to squeeze stuff through loopholes. A lot of the wording doesn’t cover disclosure to third parties or use of third party tools acting on behalf of law enforcement. Also it should be expanded beyond LE to cover any entity other than Cloudflare and the owner of the data.

It's a real shame warrant canaries are illegal in Australia, it has on several occasions made me feel less confident about software, services or people involved in them here.

src (there are many but...): https://www.schneier.com/blog/archives/2015/03/australia_out...

unpopular opinion: the main point of these canaries is PR. As far as I understand (and I understand nearly nothing about US law, so pinch of salt blah blah), exploiting legal loopholes is something that makes people excited and talk about your product, but doesn't really change anything in a court.

If you assume the US govt is an adversary or potential adversary, and you assume that they are fairly powerful through direct and indirect influences, then I just can't imagine the NSA or whichever three-letter agency deals with this kind of thing going "oh no, they have canaries, can't do anything there" and going back to spying on private Facebook messages that old people send to each other or whatever they usually do in their free time

The way I understand the issue, it's complicated. It may or may not work. It can work in some country and not in some others.

* An online warrant statement canary that disappears when it does not apply anymore. If there is a gag order preventing this, Cloudflare promises to challenge this in court.

>if Cloudflare were asked to take an action violating one of the warrant canaries, we would pursue legal remedies challenging the request in order to protect our customers from what we believe are improper, illegal, or unconstitutional requests.

* A periodically given statement. For example, in an annual letter to shareholders or a periodic transparency update. It's very hard or impossible for the western governments to force companies to give misleading statements to consumers and shareholders.

* Caveat: If there is a gag order that prevents informing the people responsible for any public statements, nothing works. Usually the company lawyers know. For example: Coudfare HQ may not know what their workers in France are asked to do.

> For example: Coudfare (sic) HQ may not know what their workers in France are asked to do.

IIRC this is one of the things that the Chinese surveillance law includes, that it may force individuals at a company to provide them with information without alerting the normal channels in the company.

What's to stop the courts and three letter orgs from strongarming you into continuing to send the canary? Couldn't they consider stopping a form of speech that violates a court order, in other words contempt.

But isn't the primary point of the canaries to give people the information that the government has been requesting some sort of information? A secondary point would be that this might prevent the government from doing so in the first place.

If the government has declared that giving people such information is illegal, it doesn't matter how that information is conveyed.

It absolutely does matter once the case comes before a federal court. Those cases are often decided based on very subtle issues of law and precedent, and they don't always go in the government's favor.

Here is what I don't understand:

On my website I can make every path resolve. I.e., I can have


Render a page that says:

> I haven't been paid off by the Mossad

Easy peasy. Then, if I take a grubby payment to fuck over a client (with an NDA, of course) I don't write about it, I just make that one path fail to resolve.

It's writing by omission.

This is why I'm ideologically against these canaries. They paper over a real problem and they expose a new one without really solving the first.

Tech naturally centralizes while politicians naturally push the limits of governmental power to enact their objectives to the furthest degree possible, and these things come into conflict. But some information should not be shared and, at times, we need to allow the government to decide when. Sometimes we need to pushback too. It's not an all or nothing thing, but these canaries are inherently anarchistic and, to me, distasteful.

To make the path stop resolving, you'd have to perform an action (update the server, etc.).

These canaries are not automatically updated: they are manually updated (that's the whole point).

If you receive a gag order you just do nothing.

They are just good for business.

No company is going to defy an order from a secret court or a NSL that states they are not to modify statements on their website until further notice. People will dispute the legality of such orders, but companies know how long they can be off the internet before going out of business. At least, that is based on conversations I have had with a corporate legal executive.

> order from a secret court or a NSL that states they are not to modify statements on their website until further notice

That's the point. The theory is that a NSL can compel you to not speak, but it can't compel you to speak. Not updating a canary is the latter, not the former.

If a canary isn't updated in the period it is expected to update it is considered "dead" or "tripped".

Assuming they can't compel speech, this would require the canary to be updated and PGP signed daily by someone that can represent the company. Perhaps a principal officer or a board member?

Even then, unless your contract states that the canary is managed in a particular way, they can simply lie. I can put a "canary" on a site and update it daily, even if every three letter agency were logged in and watching you real time. A recent example of this was that VPN provider that stated they don't log anything. Turned out they did and someone got nailed.

A canary in itself does not offer any cryptographic proof. The entire foundation is that the government cannot legally compel speech.

The canary does not protect you against the service provider and nobody has claimed that. The theory is that it protects you against NSLs that would otherwise force the service provider to not disclose the NSL.

Sometimes a canary is attached to a public financial report or something else that it is already illegal to lie in, so that would require the government to compel you to break a separate law.

It seems like you are thinking of canaries in the engineering, cryptographic or social sense, in which case they are useless. They only have purpose in a legal sense as a literal "canary in the coalmine".

That is basically what I am saying. Unless all of this is tied into a counter-signed contract, it is all rather meaningless. I would suggest that almost nobody has such an agreement with their end user service providers.

I am no lawyer, but I don't see a problem with putting a lie into a financial statement that is in no way related to financial data. It would just be disregarded as unrelated to financial reporting. I am also not aware of any companies doing this. I could see this causing a deeper dive into an audit however.

> But some information should not be shared and, at times, we need to allow the government to decide when.

I agree with the first part of your statement but not the second. I don't trust the government with that absolute power.

That's why we have an adversarial legal system: to challenge the government when we think they're doing wrong. Unfortunately, the government has effectively created a shadow legal system where challenges are ineffective. This is why things like warrant canaries are necessary, when the government tries to do an end run around checks on its power.

> www.zachaysan.com/I-havent-been-paid-off-by-the-Mossad

Well, it doesn't resolve for me... The only conclusion is that you've been paid off by the Mossad.

>has never installed any law enforcement software or equipment anywhere on our network;

Is the NSA a law enforcement agency? Does looking the other way while an agency installs it count? Can you really know if the hardware you get has not been tampered with by a government agency?

I'm not sure how any company could assure me about these issues.

> the hardware you get has not been tampered with

The warrant canary protects against warrants that come with a gag order preventing anyone from informing the public. Being hacked does not fall into that category. If such a hack is discovered there's no legal means to block them from publicly disclosing it. While the hack may be done with a warrant, the company would never get the gag order.

What I wonder is how enforceable are these in court. I remember reading that the chances of successfully defending a canary are slim to none but can't find any reference now. The reason was that while the law can't force you to lie it does prevent you from disclosing the existence of the warrant in any way. So you wouldn't be punished for lying but rather for having the mechanism there in the first place.

Is there a way to know if a canary was taken down because the company tried to avoid testing this in court or a warrant was actually issued?

The NSA is an intelligence agency, not a law enforcement agency, but for domestic surveillance it relies on the FBI, which is a law enforcement agency.

I don't think the NSA is a LEA, but it does have its own small police unit.

These canaries seem overly specific.

> [To date, the company] has never installed any law enforcement software or equipment anywhere on our network;

Someone else might have, or they might have allowed other people to do so.

Being overly specific is one potential problem.

Another is that the person who routinely updates the canary might be UNAWARE that the company has been forced to do some bad thing.

Maybe the General Counsel has been notified and gagged. It seems that maybe the General Counsel should be the person who routinely updates the canary. Come in to work. Get coffee. Check messages. Update canary. Read news. Attend daily meeting. Etc.

Just skip that Update canary part. You didn't actively do anything to disclose anything. It was lack of action. You didn't actively communicate anything. You just changed your daily routine.

It is important that the person who updates the canary is the one who KNOWS whether the company has been forced to do something bad.

Suppose I ran a business and regularly published a statement "As of (date) I have not done (thing)."

Now suppose I've been forced to do (thing) with the additional instruction not to reveal what I've done. Do I stop publishing that statement?

If I stop publishing, my customers are going to draw the worst possible conclusions, that they were the specific customer targeted. So, my existing customers start moving away and new customers are deterred from signing up.

Also, I'd probably get in trouble for revealing that I did (thing). Any protests I could make that I didn't technically reveal anything probably won't be effective.

On the other hand, if I keep publishing updated statements as if nothing happened, my customers keep paying and I don't have to be a martyr.

What would you do?

Wonder if they could stretch the law even further and do per customer canaries? We won't tell you that we've handed your data over because we can't, but we will tell you if we didn't.

I wonder if it is in the government’s interest to serve warrants to all the canaried providers simultaneously. The thing about a warrant canary is that it is a one time use feature. If one day all the warrant canaries disappear from all the services that had them, what will the public do?

Potentially naive question, but genuinely curious. How does someone know if a warrant canary has been "abandoned," as the article mentions, or used as intended?

If they disappear, that indicates something. If they stay there without change, that indicates something too. Or am I missing something?

> If they stay there without change, that indicates something too.

Usually they stipulate that they are to be updated every X days/weeks/months/whatever. So if you see one that promises to update every Monday, for instance, and it's old, that would be the same as being abandoned.

What is to stop them from lying? They get a warrant, but don't remove the canary. Later on, someone finds proof of the warrant, but then what? You sue Cloudflare for...what? False advertising?

> What is to stop them from lying?

Nothing, at the end of the day, whether giving someone else your data is a good idea or not remains a question of trust.

Do you trust them to stop updating the canary in case they become compromised?

If the answer is no, then you probably shouldn't be giving them valuable data.

Ideally, sure. But even CloudFlare's doesn't indicate any sort of update date that I can see: https://www.cloudflare.com/transparency/

Maybe it's buried in footnotes to that page or in their ToS or something.

In my mind, the "correct" way to do this is to:

1) pgp sign the entire warrant canary statement with a published key.

2) add unfakeable news headlines to the canary itself (such as recent stock prices or sports scores)

3) date the warrant canary and include a well defined schedule of updates

I believe this is the authoritative example:
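Added example (not part of the thread, and not the example the comment above links to): a Python check of points 1 and 3 that reads the date and schedule only from inside the PGP clearsigned block and reports when the canary is overdue, the "dead" state described earlier in the thread. The field names (`Date`, `Next update due`, `Headline`) and the sample canary are constructed for illustration; the signature itself still has to be verified with `gpg --verify` against the publisher's key, which this code does not do.

```python
import re
from datetime import date

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample, not a real canary. The signature body is a placeholder.
SAMPLE_CANARY = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Example Hosting warrant canary (constructed sample)
Date: 2019-03-04
Next update due: 2019-03-11
Headline: Constructed headline standing in for a real news item
No warrants have been served on Example Hosting.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----
"""

# Field names are assumptions made for this example.
FIELD = re.compile(r"^(Date|Next update due|Headline):[ \t]*(.+)$", re.MULTILINE)


def signed_text(document):
    """Return only the cleartext inside the clearsign framing.

    Text before BEGIN_MSG or after the signature is not covered by the
    signature, so it is ignored. Raises ValueError if the framing is absent.
    """
    start = document.find(BEGIN_MSG)
    end = document.find(BEGIN_SIG, start)
    if start == -1 or end == -1:
        raise ValueError("no clearsigned block found")
    block = document[start + len(BEGIN_MSG):end]
    # Armor headers such as "Hash: SHA256" end at the first empty line.
    _, sep, body = block.partition("\n\n")
    if not sep:
        raise ValueError("missing blank line after armor headers")
    # Undo dash-escaping: signed lines starting with "-" are stored as "- -...".
    lines = [ln[2:] if ln.startswith("- ") else ln for ln in body.splitlines()]
    return "\n".join(lines)


def canary_status(document, today):
    """Classify a canary as 'current', 'overdue' or 'invalid' on a given day."""
    try:
        fields = dict(FIELD.findall(signed_text(document)))
        issued = date.fromisoformat(fields["Date"].strip())
        due = date.fromisoformat(fields["Next update due"].strip())
    except (ValueError, KeyError):
        return "invalid"  # no signed block, or a required field is missing
    if "Headline" not in fields or issued > today or due <= issued:
        return "invalid"  # no dated headline, post-dated, or broken schedule
    return "current" if today <= due else "overdue"


if __name__ == "__main__":
    print(canary_status(SAMPLE_CANARY, date(2019, 3, 8)))
    print(canary_status(SAMPLE_CANARY, date(2019, 3, 12)))
```

An "overdue" result only says the schedule was missed; as the thread notes, it cannot distinguish a tripped canary from an abandoned one.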


Other than the scheduling piece, this seems like the kind of problem a block chain would _actually solve_. I know we're all tired of "The banks/shipping industry/insurance need to use webscale blockchain!!!!"

But a signed message that's publicly audited as authentic and stored non-centrally seems perfect for canaries....

IIRC a while ago there was something like a canary for whether Julian Assange is still alive, with a message indicating it has to be updated every x period of time; it was not updated for an x amount of time. Wikileaks' governance has been questioned for a long time due to glitches like that. Same with a set of keys for encrypted data files.

> Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.

Didn't they modify the DNS responses of mit.edu to point back to MIT (during the 2013 domain hijack incident)? This canary seems a bit ambiguous.

I assume by "third party" they mean an outside request from someone who doesn't own the service they're hosting. MIT is unambiguously the first-party owner of MIT.edu, even though a third party used Cloudflare to hijack it.

That would not be either law enforcement or another third party though, if MIT requested it point back to them.

Does anyone have a list of instances where a warrant canary was _successfully_ used to signal government surveillance or other court order, that the company involved would have been otherwise legally forbidden to communicate?

It's been at least a decade since the 'warrant canary' was proposed. We _know_ the government has been doing all sorts of things by sealed court order in that decade. I'm not sure it has proven useful. I'm not sure the courts _would_ allow you to communicate via canary. The warrant canary disappearing can be a _mistake_ often enough, that even if we see one disappear, we don't know whether to lend it much credence.

Riseup previously received an NSL and stopped updating their canary for a few months (only to resume later with new wording).

The NSL was most likely related to getting access to WikiLeaks' Riseup email address and to get r/w access to WikiLeaks' direct messages on Twitter. WikiLeaks had a Riseup email associated with their Twitter account.

Where _successfully_ also means that they didn't end in jail.

Edit: hail -> jail. Thanks.

"end in hail"? oh, jail. I mean, I'd want a list of those too.

Basically a list of _anything_ interesting that's happened with a warrant canary. Even a short list.

I wonder about this loophole:

Fully public communication, 24/7. Absurd, sure, but could it work? Set up your email so that anybody in the world can read it (not send from your address, though). Have a camera in your mailroom that streams to the internet that's high def enough to read off your letters as you open them (oops, top secret! Too late I already opened it here!). Have all your phone audio streaming to the internet.

Absurd, silly, but a fun thought experiment - is this a way to become "immune" to the type of requests the US government is allowed to make where you can't tell anyone?

> Have all your phone audio streaming to the internet.

This may be illegal in many jurisdictions. There are at least a few states that require 2 party consent to a recording of a phone call. There are some 1 party consent states. Not sure about the ratio...

Not sure how it'd pan out across state line phone calls.

I thought that works wherein you inform someone at the beginning of the call so they have the chance to "opt out" (by hanging up)? Like how all support calls go.

Can a company create a warrant canary after a warrant was issued? Because I'm pretty sure that at this point Cloudflare is part of the program that followed PRISM...

Would a central source for warrant canaries be helpful? Like one place where you can find all those individual warrant canaries from companies you care about...

https://canarywatch.org/ does essentially this.

Crap: just noticed they stopped updating it.

even the server is not reachable for me anymore.. maybe crowdsource a new website?

Good idea, will look into that.

> "has never turned over their SSL keys or customers’ SSL keys to anyone;"

How would they be able to give up customers' SSL keys?

Customers on some plan can upload a certificate of their choice, and generally have to provide the key along with it. Keyless SSL exists, but isn't widespread.

Ah, I guess the point I'm missing is that with a 'serverless' setup, the cloud provider must have access to your private key? Unless you use some sort of key server setup (what they call Keyless SSL)

It means the ones they use for the customers site, versus the ones they use for their own site.

They still dropped switter without comment tho?

What's to stop the government from forbidding a company from removing their canary?

Why not give each user or account on a given service their own warrant canary?

Ummmm, Great. More loopholes for NOT reporting such dead canaries.

What prevents NSA from requesting Cloudflare, under the table, put a false message?

If I owned Cloudflare, I wouldn't mind lying to my customers if it was related to the national security or if it gave me some kind of unfair advantage or special treatment against my competitors.

> What prevents NSA from requesting Cloudflare to put a false message?

The fact that the FBI would be the one doing that part of the NSL dance.
