Slashdot Mirror


Cloudflare Expands Its Government Warrant Canaries (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.

To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network.

Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site.

According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0-249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.


  1. Of course, that implies you trust CloudFlare by Rosco P. Coltrane · · Score: 4, Insightful

    to be honest and truthful, and I place about as much trust in them as any of the big data players out there. That is, not much.

    I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Of course, that implies you trust CloudFlare by Gavagai80 · · Score: 4, Insightful

      The effect is the same -- but the government can only order you to shut up, it can't order you to actively tell lies to people. For now.

      --
      This space intentionally left blank
  2. Re:Also Google had that Warrant Canary... by 93 Escort Wagon · · Score: 4, Insightful

    ..."Don't be evil"

    I’d argue that “canary” functioned as we’d want - when it disappeared, we should’ve had a pretty good idea what was coming.

    --
    #DeleteChrome
  3. shilling reporting by Anonymous Coward · · Score: 3, Insightful

    "has never terminated a customer or taken down content due to political pressure"
    They totally did, once as I recall, and Matt Prince backpedaled that like a MFer.

    1. Re:shilling reporting by Anonymous Coward · · Score: 2, Insightful

      I remember this as well, but couldn't recall exactly who. Stormfront or something?

    2. Re:shilling reporting by WaffleMonster · · Score: 5, Insightful

      "has never terminated a customer or taken down content due to political pressure" They totally did, once as I recall, and Matt Prince backpedaled that like a MFer.

      The crazy part of this is Cloudflare themselves raised this same point.

      "We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like."

      https://blog.cloudflare.com/wh...

      Apparently they decided not to, even though it is obvious to everyone they did exactly this.

      Given a documented, self-admitted instance of lying about a canary, why would anyone believe ANY assertions of Cloudflare about remaining canaries?