Cloudflare Expands Its Government Warrant Canaries (techcrunch.com)

← Back to Stories (view on slashdot.org)

Cloudflare Expands Its Government Warrant Canaries (techcrunch.com)

Posted by BeauHD on Tuesday February 26, 2019 @03:30PM from the more-the-merrier dept.

An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.

To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network. Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site. According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0-249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.

67 of 120 comments (clear)

Min score:

Reason:

Sort:

Of course, that implies you trust CloudFlare by Rosco+P.+Coltrane · 2019-02-26 15:48 · Score: 4, Insightful

to be honest and truthful, and I place about as much trust in them as any of the big data players out there. That is, not much.
I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
1. Re: Of course, that implies you trust CloudFlare by astrofurter · 2019-02-26 16:35 · Score: 1
  
  Yeah, seriously. Does _anyone_ actually believe this crap? We're living in Soviet America. Of fucking course Cloudflare hands over all of your data to the gubmint. I'd be really really surprised if there were any warrants involved. It's "voluntary" cooperation. (For certain values of "voluntary" that include "do it or we'll destroy your lives".)
2. Re:Of course, that implies you trust CloudFlare by mark-t · 2019-02-26 16:47 · Score: 2
  
  Couldn't the same order that requires that they not disclose they are being investigated also include implicit disclosure to that effect?
  Warrant canaries could reasonably constitute such implicit disclosure if they took them down or altered their update policy in any way that is commensurate with any previously made announcement to that effect.
  
  --
  File under 'M' for 'Manic ranting'
3. Re:Of course, that implies you trust CloudFlare by Anonymous Coward · 2019-02-26 16:59 · Score: 1
  
  "Implicit disclosure" would be pretty impossible to prove in court. Canaries have been utilized effectively in the past, so unless you know something about law I don't and nobody else seems to, I'd say they still serve "some" role.
4. Re:Of course, that implies you trust CloudFlare by mark-t · 2019-02-26 17:15 · Score: 2
  
  IANAL, of course, but if they explicitly announced sometime before any investigation took place that they would either take down the warrant canary notice or else cease to update it if they are investigated, and they end up getting investigated and they either take down the canary or cease updating it in the precise manner they had explicitly described (which would be part of past record and therefore provable), then that would constitute implicit disclosure, wouldn't it?
  
  --
  File under 'M' for 'Manic ranting'
5. Re:Of course, that implies you trust CloudFlare by WaffleMonster · 2019-02-26 17:18 · Score: 4, Informative
  
  Couldn't the same order that requires that they not disclose they are being investigated also include implicit disclosure to that effect?
  Warrant canaries could reasonably constitute such implicit disclosure if they took them down or altered their update policy in any way that is commensurate with any previously made announcement to that effect.
  Actively taking a canary down in response to subpoena is obviously the same thing as disclosing the existence of a subpoena.
  Good warrant canaries are designed to avoid this problem by self destructing on their own when neglected.
  The distinction / legal argument here is government cannot compel speech in the form of positive effort required by an individual to maintain existence of canary who no longer wishes to do so.
6. Re:Of course, that implies you trust CloudFlare by mark-t · 2019-02-26 17:44 · Score: 1
  
  If they have already *explicitly* stated that they will only neglect to update the canary if they are investigated, how is the destruction of the canary when they don't update exactly the same thing as taking an existing canary down? There is proof that they stated this was their intent, so how would it be any different?
  
  --
  File under 'M' for 'Manic ranting'
7. Re:Of course, that implies you trust CloudFlare by Rosco+P.+Coltrane · 2019-02-26 17:56 · Score: 2
  
  Do you understand the point of a warrant canary? You'd prefer they didn't have one, do this action expanding them? Or are you just one of those that likes to bitch and FUD based on nothing tangible or able to even be referenced?
  Okay, I'll spell it out for you:
  How about the canaries are just a tool to get good press, and CloudFlare is perfectly happy to roll over when they get a warrant without telling you?
  Do you trust CloudFlare to actually update the canaries when they get one? I don't: they're under no obligation to do so, and like all other big data companies, they're all about earning money by raping people's private data. What possible motive could they have to tell you when the government wants to rape your data too?
  The only thing that makes the canaries vaguely believable is, if CloudFlare got caught flauntic a static text for marketing purposes, it would be a much worse PR disaster than if they got caught caving in to warrants. But that's about it.
  
  --
  "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
8. Re:Of course, that implies you trust CloudFlare by Gavagai80 · 2019-02-26 18:11 · Score: 4, Insightful
  
  The effect is the same -- but the government can only order you to shut up, it can't order you actively tell lies to people. For now.
  
  --
  This space intentionally left blank
9. Re:Of course, that implies you trust CloudFlare by Aighearach · 2019-02-26 19:09 · Score: 1
  
  When was that ever true?
  And, they're not requiring that you lie, you're putting yourself in the position of violating the order by telling the truth, so you end up having to lie to stay out of jail. That's all on you! If you understand you can't disclose it, you're not imagining a fake "loophole." There is no loophole; doing a canary is actively disclosing; the lie you're telling is the original one where you promise to do the canary thing, even though you're not allowed to actually do it. When you later have to fail to keep the promise, that's all on you buddy.
  But all of that said, if it is a scenario where the government is allowed to compel you to speak, there is no difference between compelling you to tell the truth or to tell a lie. They rarely can, but there are times it happens; a judge might sentence you to make some sort of public statement, and it doesn't matter at all if you think it is actually true, you'll still have to do it.
10. Re:Of course, that implies you trust CloudFlare by Khyber · 2019-02-26 19:16 · Score: 1
  
  You should damn well know that false advertising is a crime, and the government cannot legally compel anyone to commit a crime.
  The warrant canaries, by their public and noted presence, are advertising.
  Try again when you understand these finer points of law.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
11. Re:Of course, that implies you trust CloudFlare by AmiMoJo · 2019-02-26 21:13 · Score: 2
  
  There is one obvious omission from their list. They say they have no law enforcement equipment on their network, but don't mention intelligence agencies. Orgs like the NSA and GCHQ are not law enforcement, they are intelligence gathering.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
12. Re: Of course, that implies you trust CloudFlare by David+Gould · 2019-02-26 21:38 · Score: 1
  
  Yes, it has that effect, but the "self-destruct" idea is to set it up so there's no other choice. I'm not sure what company I first heard this about, or how it relates to these Transparency Reports, but the way I remember it, the statement was included in official documents filed with the SEC. (Something like "Number of Disclosures: 0" in a state-of-the-company section.) Falsifying information in one of those would be unthinkable(!), so there'd be no choice but to stop including that line. Poof!
  
  --
  David Gould
  main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
13. Re:Of course, that implies you trust CloudFlare by AmiMoJo · 2019-02-26 23:58 · Score: 2
  
  Good warrant canaries are designed to avoid this problem by self destructing on their own when neglected.
  I doubt that would stand up in court though. If you deliberately set things up so that the fact you received a secret subpoena will be disclosed by your inaction, all you really did is demonstrate intent to violate the secrecy requirement through pre-meditation.
  Courts tend not to be impressed with this kind of argument, and those who claim to have asked lawyers about it (such as Moxie Marlinspike) say they were advised against it.
  Some orgs have tried things like having multiple people sign the canary, each in a different legal jurisdiction. But that doesn't really help either, unless all parties have some way of detecting when one of them is served with a secret subpoena, which seems far-fetched. It also doesn't really protect the person receiving the subpoena as it is actually just a conspiracy to thwart the court's legally issued order.
  Unfortunately, canaries are not reliable, either for detecting subpoenas/LEA requests or for protecting the person issuing them.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
14. Re:Of course, that implies you trust CloudFlare by mark-t · 2019-02-27 02:47 · Score: 1
  
  So they don't tell anyone about the snooping, they just stop telling that there is no snooping. The loophole is simple: Not updating the canary does not necessarily mean someone is snooping.
  
  I understand the principle, but if they had already publicly promised that the only reason they won't continue to maintain the canary is if they are investigated, when that is exactly what they end up doing, they are still making a conscious choice that has the effect of disclosing to the public what has happened, which is what they are prohibited from doing, and any claim to the effect that they "just got tired of maintaining it" when they are being investigated would sound extremely specious.
  In such a case, It seems like the evidence from the past and the present case is overwhelmingly more likely to indicate a deliberate intention on their part to covertly disclose the incidence of an investigation they are not supposed to disclose than a mere coincidence, and therefore contempt.
  A warrant canary amounts to effectively the same thing as crossing your fingers when you tell a lie... it doesn't change the reality of what purpose is being served.
  
  --
  File under 'M' for 'Manic ranting'
15. Re: Of course, that implies you trust CloudFlare by LVSlushdat · 2019-02-27 02:51 · Score: 1
  
  Kind of like the IRS saying they depend on "voluntary compliance", but if you don't "volunteer" we'll take everything you have and put you behind bars...
  
  --
  THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
16. Re:Of course, that implies you trust CloudFlare by mark-t · 2019-02-27 03:13 · Score: 1
  
  Except, as I said, they *DO* disclose the information by following through with the exact course of action that they previously said they would.
  I'm suggesting that if they've already announced in advance that the canary will die if they are investigated, then its death upon being investigated is nothing more or less than a covert way to disclose they are being investigated when they aren't supposed to. Covert disclosure is still disclosure, however, and therefore it seems like that should still be contempt.
  They have, in effect, deliberately made a promise to do something that will ultimately be illegal if or when a particular thing happens to them. The fact that they are disclosing they are being investigated through a mechanism that is only meaningful to someone who might be actively looking for it is no different than if they had disclosed it using sign language, semaphores, or Klingon.
  
  --
  File under 'M' for 'Manic ranting'
17. Re:Of course, that implies you trust CloudFlare by epine · 2019-02-27 03:26 · Score: 1
  
  I doubt that would stand up in court though. If you deliberately set things up so that the fact you received a secret subpoena will be disclosed by your inaction, all you really did is demonstrate intent to violate the secrecy requirement through pre-meditation.
  That is not all you did.
  What you also did was engage in civil protest about legislative hypocrisy.
  For reputational reasons, the government wants to pretend that compelled secrecy is not equivalent for forcing non-governmental bodies (individuals, corporations) to actively tell lies on the government's behalf. Furthermore, also for reputational reasons, the government does not want to go around explicitly saying "the law forbids anyone to discuss, in any terms, positive or negative, whether we just shoved a bug up your ass".
  But you are saying that's what these laws amount to—obviously—even if the government does not see fit to write this down in black and white. I'm saying that this is a clear instance of hypocrisy: wanting it to be true implicitly, without having to say so in black and white.
  Witness that the government could easily amend the legislation in question to actually say so in black and white: that these kinds of canaries are clearly forbidden (and not merely by statist inference chains). The principle is clear. If the government wants to wade into curtailing civil liberties, the standard for legislation in this area ought to be all available explicitness, precisely so that the government doesn't enjoy one kind of PR, while enacting a different kind of reality on the ground.
  If the government wishes to go there, people who wish to argue about excessive government power ought to be able to point to the legislative text in absolute black and white. In no way should the government curtail individual freedom on any chain of mere legislative inference, most definitely not when it's trivial to behave otherwise (e.g add another paragraph of explicit "thou may not" verbiage).
  This might be a slim defense in practice, but it's substantially different than no defense, as your little word "all" would direct people to believe.
18. Re:Of course, that implies you trust CloudFlare by AmiMoJo · 2019-02-27 03:39 · Score: 1
  
  In practice doesn't the government usually just start ranting about terrorists to justify these things? I don't live in the US but in the UK it rarely gets any media coverage anyway.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
19. Re: Of course, that implies you trust CloudFlare by Archangel+Michael · 2019-02-27 03:53 · Score: 1
  
  Who are the rightful masters of the Government?
  
  Writing the canary in the first place is an act of contempt.
  Do we acquiesce simply because threat of government is too great? Wouldn't this be prima facie evidence that we already live in a tyranny?
  Think about what we all are saying here, that government can compel you to say things, a violation of 1st and 5th Amendment rights, all so the government can spy on us, its citizens, undetected.
  And if that is the case, we've already lost our Republic.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
20. Re:Of course, that implies you trust CloudFlare by WaffleMonster · 2019-02-27 04:40 · Score: 1
  
  I doubt that would stand up in court though. If you deliberately set things up so that the fact you received a secret subpoena will be disclosed by your inaction, all you really did is demonstrate intent to violate the secrecy requirement through pre-meditation.
  Courts tend not to be impressed with this kind of argument, and those who claim to have asked lawyers about it (such as Moxie Marlinspike) say they were advised against it.
  Some orgs have tried things like having multiple people sign the canary, each in a different legal jurisdiction. But that doesn't really help either, unless all parties have some way of detecting when one of them is served with a secret subpoena, which seems far-fetched. It also doesn't really protect the person receiving the subpoena as it is actually just a conspiracy to thwart the court's legally issued order.
  Unfortunately, canaries are not reliable, either for detecting subpoenas/LEA requests or for protecting the person issuing them.
  Why not just cut and paste the entire Wikipedia article while you're at it?
21. Re:Of course, that implies you trust CloudFlare by mark-t · 2019-02-27 06:11 · Score: 1
  
  How do you figure that simply repeating what was already said and I have already provided counter to actually negates what I had said, above?
  As I said... anything that they may deliberately choose which in some way effectively does disclose that they are under investigation is isomorphically equivalent to any other manner of disclosure, which again, one could be forbidden from doing.
  
  --
  File under 'M' for 'Manic ranting'
22. Re: Of course, that implies you trust CloudFlare by david_thornley · 2019-02-27 08:28 · Score: 1
  
  Writing the canary in the first place is an act of contempt.
  
  Contempt of what? Contempt in general is legal. Contempt of court is not, but what court? Until the NSL or warrant arrives, the courts are not involved, and therefore writing the canary is legal. In the US, you can't be legally stopped from saying something out of concern of what might happen in the indefinite future. So, for it to be illegal, there would have to be contempt of some particular court.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
23. Re:Of course, that implies you trust CloudFlare by david_thornley · 2019-02-27 08:31 · Score: 1
  
  Updating the canaries to signify that a warrant has arrived would be illegal. Cloudflare would cease to update the canaries. They can't be required to lie.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
24. Re: Of course, that implies you trust CloudFlare by David+Gould · 2019-02-27 09:10 · Score: 1
  
  At the time you write it, you have never received any such order, nor do you have any specific knowledge that any such order will ever exist.
  No court has ever ordered me not to tell you that I'm wearing pants right now. It's possible that one could do so in the future. Must I refrain from talking about my pants-wearing status now, for fear of some such future order?
  "conspiring to violate a court order" -- conspiring with your own future self?
  "act of contempt" -- contempt of a time-traveling order that binds you retroactively on actions taken before it was written?
  
  --
  David Gould
  main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
25. Re:Of course, that implies you trust CloudFlare by david_thornley · 2019-02-27 09:16 · Score: 1
  
  Except that I'm not demonstrating intent to violate the law by writing a canary. I'm writing a true statement. It isn't fighting words. It isn't creating an imminent problem. It isn't defamatory. In the US, there has to be a very good reason to prevent me from writing and publishing a true statement. Even if I'm demonstrating intent, that's not illegal. If I say I'm going to murder someone, that's enough to get a police investigation going, but it isn't illegal per se. I can't be punished until I actually violate the law (or conspire, I suppose, but a criminal conspiracy involves more than one person).
  Now, the warrant with the gag order comes in. I can't tell anyone about it. However, I can't be legally compelled to lie. I can be told to say nothing, and that's exactly what I do.
  I can't comment on courts receiving "this kind of argument" without specifics. Courts don't like legal runarounds, which this is, but there's not necessarily anything they can do about it. The EFF FAQ, which was written by a lawyer, believes these canaries to be legal. It does advise asking a lawyer when you receive one, since you can't be stopped from consulting a lawyer.
  I didn't find any cases of warrant canaries being found illegal, although of course there can be court orders we haven't heard of. Presumably we'd hear of criminal penalties, since criminal trials have to be public by law. This of course doesn't mean the government can't give you a really hard time.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
26. Re: Of course, that implies you trust CloudFlare by David+Gould · 2019-02-27 09:23 · Score: 1
  
  "Contempt of what?" -- Exactly, and that's the brilliance of it! At the time you write it, you've never received any such order. You're aware that such things exist, though you have no specific knowledge as to whether you will ever receive one. Still, they represent a risk to your ability to provide the service your customers rely on; all available information regarding them is therefore clearly important to your shareholders. Seems you're almost *obligated* to include that in your SEC filings, right? At least, for as long as you're at liberty to do so...
  
  --
  David Gould
  main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
27. Re: Of course, that implies you trust CloudFlare by David+Gould · 2019-02-27 09:32 · Score: 1
  
  By the way -- again, I don't remember what company this was in reference to, I have no idea how it may relate to CloudFlare's statements, and I might just be imagining the whole thing, but -- I think the context was that some company had been including something like "Number of National Security Letters Received: 0" in their quarterly reports, or some such official documents, and then one day someone noticed they'd stopped doing so, and they wouldn't comment on it.
  
  --
  David Gould
  main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
28. Re:Of course, that implies you trust CloudFlare by BitterOak · 2019-02-27 09:44 · Score: 1
  
  I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.
  And what's wrong with that? Companies are in business to make money, and many do so by serving the public. Their practices therefore often mirror the values of the customers they serve, and they do so to keep their customers happy. That's actually how capitalism is supposed to work.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
29. Re: Of course, that implies you trust CloudFlare by Obfuscant · 2019-02-27 10:25 · Score: 1
  
  Do we acquiesce simply because threat of government is too great? Wouldn't this be prima facie evidence that we already live in a tyranny?
  No. You do realize that every law on the books today is an expectation that people will "acquiesce" because the threat of government is too great, I hope. Even such obvious laws like stopping at a stop sign. The expectation is that people will stop at stop signs because the threat of getting a ticket is too great. Unless you want to call "stop signs" prima facie evidence of tyranny...
  
  Think about what we all are saying here, that government can compel you to say things, a violation of 1st and 5th Amendment rights,
  The 5th amendment is protection against self-incrimination. Requiring a company to keep saying that they have received no notices is not an issue of self-incrimination, thus the 5th is irrelevant.
  Under the 1st, the government can already compel people to say things, like testify in court when they receive a subpoena.
  
  And if that is the case, we've already lost our Republic.
  Only for those who think that any law at all is an infringement of their rights and a demonstration of absolute tyranny.
30. Re: Of course, that implies you trust CloudFlare by mark-t · 2019-03-01 03:05 · Score: 1
  
  I would suggest that while the canary itself certainly can't be contempt, whatever changes in policy that a person deliberately makes that communicates the information they are supposed to be prohibited from disclosing would be. Allowing a canary to die in response to a secret government investigation *IS* still ultimately willful disclosure, it is simply disclosure that is being attempted via a covert communication mechanism.
  So yes.... it's contempt. It's just contempt that one might have a fair chance of getting away with if everybody else actually perceives it as a form of communication that is not reliable enough to qualify as disclosure, they do not happen to notice it in the first place, or if they happen to believe that any simultaneity of the beginning of the investigation with the change in policy which might have otherwise communicated its existence is supposedly more likely to be a coincidence than not. One could try and make the latter argument if pressed, but would it be the truth? The mere fact that this may not be distinguishable should not be taken as a license to be dishonest... particularly if one cares enough about the truth to deliberately let their canary die as a means to inform someone else.
  And it's worth further noting that any "unreliability" it might be ascribed to have is not a consequence of the mechanism itself but because of the fact that only some (presumably) small subset of the population to whom this raw information was conveyed might extract any particular meaning to it (the canary dying meaning an investigation has started). For the intended recipients of the communication, the mechanism is not unreliable at all. It is entirely isomorphic to having explicitly communicated that one is being investigated via any other otherwise covert channel.
  
  --
  File under 'M' for 'Manic ranting'
31. Re: Of course, that implies you trust CloudFlare by mark-t · 2019-03-01 03:16 · Score: 1
  
  In the case of a warrant canary, the act of contempt happens *after* you've received the order, by deliberately changing some internal policy so that the canary dies, thereby informing anyone who is looking for the canary of the existence of the investigation.
  It is absolutely no different than explicitly communicating the existence of the investigation through any other covert communication mechanism, be it sign language, flag semaphores, or a fictional language like Klingon or Tolkien's Elvish. The only reason one might get away with it is if nobody else happened to notice that this information was communicated as a direct result of a deliberate change in policy that was most likely motivated by the beginning of the investigation, or if the investigators are gullible enough to believe that it was all just a mere coincidence. The fact that one might be able to argue this without being disproven doesn't change reality.
  It's contempt, just contempt that you have some significant non-zero chance of getting away with.
  
  --
  File under 'M' for 'Manic ranting'
32. Re: Of course, that implies you trust CloudFlare by Archangel+Michael · 2019-03-01 07:59 · Score: 1
  
  And this is how Nazis come to power.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
33. Re:Of course, that implies you trust CloudFlare by Khyber · 2019-03-02 05:34 · Score: 1
  
  "srsly plz stop saying your stupid law thoughts"
  I find that endlessly hilarious given I've beaten EA, Sony, and now Enterprise Rent A Car in court.
  Try again when you actually have a winning legal track record of any sort, moron.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Also Google had that Warrant Canary... by gef7 · 2019-02-26 16:02 · Score: 2

..."Don't be evil"

We all now how it ends!
1. Re:Also Google had that Warrant Canary... by 93+Escort+Wagon · 2019-02-26 16:18 · Score: 4, Insightful
  
  ..."Don't be evil"
  I’d argue that “canary” functioned as we’d want - when it disappeared, we should’ve had a pretty good idea what was coming.
  
  --
  #DeleteChrome
2. Re:Also Google had that Warrant Canary... by swillden · 2019-02-26 18:16 · Score: 1
  
  ..."Don't be evil"
  I’d argue that “canary” functioned as we’d want - when it disappeared, we should’ve had a pretty good idea what was coming.
  It hasn't disappeared. It's still in the Code of Conduct, it just moved from the preface to the conclusion.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
shilling reporting by Anonymous Coward · 2019-02-26 16:22 · Score: 3, Insightful

"has never terminated a customer or taken down content due to political pressure"
They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.
1. Re:shilling reporting by Anonymous Coward · 2019-02-26 17:14 · Score: 2, Insightful
  
  I remember this as well, but couldn't recall exactly who. Stormfront or something?
2. Re:shilling reporting by WaffleMonster · 2019-02-26 17:32 · Score: 5, Insightful
  
  "has never terminated a customer or taken down content due to political pressure" They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.
  The crazy part of this is cloudflare themselves raised this same point.
  "We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like."
  https://blog.cloudflare.com/wh...
  Apparently they decided not to even though it is obvious to everyone they did exactly this.
  Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?
3. Re:shilling reporting by Anonymous Coward · 2019-02-26 17:54 · Score: 1
  
  It was The Daily Stormer.
  If they tell such a blatant lie right in the summary then why would I trust anything else they claim?
4. Re:shilling reporting by grep+-v+'.*'+* · 2019-02-26 19:43 · Score: 1
  
  Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of cloudflare about remaining canaries?
  It's OK -- they meant well, right? And in today's political environment, it's the FEELINGS that exclusively matter, not those silly outdated concepts of actions or truth. After all, truth is relative -- and as we all know, relatives can be a PAIN when they keep showing up to family events uninvited.
  
  --
  If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
5. Re:shilling reporting by AmiMoJo · 2019-02-26 23:45 · Score: 1
  
  They are deleting comments pointing that out too.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:shilling reporting by Anonymous Coward · 2019-02-27 02:04 · Score: 1
  
  They didnt cave in to external political pressure. They suppressed an account that "made the claim that we were secretly supporters of their ideology". It's not the same.
7. Re:shilling reporting by phantomfive · 2019-02-27 03:30 · Score: 1
  
  it's the FEELINGS that exclusively matter,
  This is something very annoying about the current political climate. People don't even try to find out the truth.
  
  --
  "First they came for the slanderers and i said nothing."
Canary service? by Vanyle · 2019-02-26 17:02 · Score: 1

Anyone know if there is a canary service, I mean I have a horrible memory. I'd never notice if they took something out of the site. Also, what are the limits to this? Could they have a page with say 500,000 lines of stuff saying "The government has never asked for information about company XYZ" and updating it for every customer. Or have a personalized page that only displays information in the customer portal such as "The government has never asked about you"?
1. Re:Canary service? by Aighearach · 2019-02-26 19:17 · Score: 2
  
  They're not allowed to signal you in any way, so it is marketing.
2. Re:Canary service? by Vanyle · 2019-02-27 04:49 · Score: 1
  
  Back in 2016 Reddit did this in their transparency report, does that mean it was illegally done? (the surveillance canary, not the service thing)
3. Re:Canary service? by david_thornley · 2019-02-27 09:23 · Score: 1
  
  There was Canary Watch, which stopped in (IIRC) 2016, for what didn't look to me like an adequately explained reason.
  They could presumably have canaries for individual customers, but I don't know about canaries that depend on taking down statements that have suddenly become false. I'd much rather rely on "We have received no National Security Letters through February 16, 2019", and when it gets into mid-March that canary looks awfully suspicious.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
4. Re:Canary service? by Aighearach · 2019-02-28 07:29 · Score: 1
  
  Nobody even knows if it was done; you'll never know unless somebody gets arrested for it. It was probably a false claim, because nobody got arrested. Or even, it actually happened months earlier, and the government told them when the correct time to trigger the canary was. That's much more reasonable than just assuming, "I read about a press release, therefore, it was true.
  Information about these things only comes out after a long time. But in the meantime, does Reddit have more power than the government in these matters? If not, then it is silly to think they were violating a court order.
Finely grained warant canaries by Iamthecheese · 2019-02-26 19:50 · Score: 2

Why can't a business publish a whole table of warrant canaries, including each concerned stakeholder? Each customer could have an entry with their name or pseudonym. If a subpoena for Bob were received, the entry reading "We have received no subpoenas regarding Bob" would be removed, but John, Mary, and Mike would still have their entry.

--
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
1. Re:Finely grained warant canaries by Anonymous Coward · 2019-02-26 21:57 · Score: 1
  
  yes with a blockchain
Re:Cloudflare: Villains paradise by jonwil · 2019-02-26 20:28 · Score: 1

I send Cloudflare a DMCA take down notification a while back (someone was illegally hosting a copy of some of our source code that had been leaked) and it seemed to work.
at the request of law enforcement or another third by Opportunist · 2019-02-26 21:57 · Score: 1

Oh, we never did any of this at the request of law enforcement or another third party. Only at our own discretion.
(sorry, couldn't resist)

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Serious question by dnaumov · 2019-02-26 22:29 · Score: 1

What on Earth made people believe courts in most jurisdictions couldnâ(TM)t just order a company to do X, that happens to include NOT touching the canary text?
It's kind of an empty gesture now by Slugster · 2019-02-26 22:36 · Score: 1

They had a chance to make their moral stand, and they backed down.

( -a moral stand is when you defend assholes doing something legal, even when they are still being assholes- )
Some Warrant Canaries are Illegal in Australia by jaa101 · 2019-02-26 23:00 · Score: 3, Interesting

In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment. Couldflare appears to operate in Australia so I wonder how they plan to deal with that issue. I also suspect that Australian agencies would be willing to use the powers they have here to assist other Five Eyes governments.
1. Re:Some Warrant Canaries are Illegal in Australia by SuiteSisterMary · 2019-02-27 01:56 · Score: 1
  
  Hmmm. They don't really say anything about warrants; i.e. 'we have received no warrants requiring us to turn over SSL keys,' they talk about actions, i.e. 'To date, we have not turned over any SSL keys.' Maybe that's the difference?
  
  --
  Vintage computer games and RPG books available. Email me if you're interested.
2. Re:Some Warrant Canaries are Illegal in Australia by MooseTick · 2019-02-27 07:30 · Score: 1
  
  "In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment."
  So you are saying Australians cannot legally say then haven't ever been served a warrant if they haven't? Is that a specific law? Can they say they are definitely not undercover cops, if they aren't? Can you never deny anything, just in case the govt may have compelled you in some manner?
  
  --
  Ninjas don't carry tic tacs
Lies or Canary itself? by Anonymous Coward · 2019-02-26 23:42 · Score: 1

Much of that post is pure bullshit. Cloudflare HAS terminated users for poltical reasons. The Daily Stormer termination was a personal requirest by Cloudflare's CEO himeself. I don't necessarily agree with the group but to say they don'ttake political positions is an outright lie.
As for the service itself, they and many others continued to deny SSL had been broken despite reports of it dataing back at least to Wikileaks first few releases. Fact is things like SNI and DNS still leak enough data that yes, technically they may not have provided the data directly but they don't NEED to. The networks they're on already do and you'll have no fucking idea either since they hide the origin servers. I'm not saying CDN's don't have a place but holy shit can we at least be realistic?
I'll be awful glad by Anonymous Coward · 2019-02-27 02:32 · Score: 1

I'll be awful glad when they catch all the terrorists & we can have our rights back. ....any day now.
Re:READ CRIMINAL LAW. STOP BEING STUPID. by mark-t · 2019-02-27 06:37 · Score: 1

As I have said, this has nothing to prove with intent to disclose, it has to do with the fact that not maintaining a canary such that it expires effectively *IS* disclosure.
If you can show how a warrant canary dying is not entirely equivalent to any other form of disclosure that happens to only be applicable if someone else knew what to look for, then illustrate how, instead of simply repeating your point about the NSL and contract law endlessly.
As I said... one could potentially disclose through semaphores, or sign language, or using ancient Aztec symbols... but it's all still disclosure. The fact that perhaps only a subset of the population will even know what the heck it actually indicates is irrelevant.

--
File under 'M' for 'Manic ranting'
Re:READ CRIMINAL LAW. STOP BEING STUPID. by david_thornley · 2019-02-27 08:17 · Score: 1

It's a form of legal trickery that appears to work. Usually, legal loopholes are iffy because judges tend to disregard them, but this seems to have legs.
I haven't received a government request for information about you as of February 26, 2019. That's a true statement, and it's not really possible to suppress it legally. I can keep updating the date indefinitely. The government can't crack down on that, because any infringement on free speech has to have an overriding reason, and there's no reason to suppress it for an organization not under investigation. This is similar to establishing document retention policies when nobody's asking for the documents.
It's unfortunately easy for the government to tell me I can't say something about a particular legal action. Selling the courts on the idea that the government has the right to force me to lie is going to be a lot harder.
So, what legal mechanism is going to stop this? Canaries are legal under normal circumstances. The government has some legal means to make you say nothing, and that's exactly what you're doing. If I had something saying I'd never received a National Security Letter on my website and took it down when I got one, that's doing something, and the courts can decide I can't do that. If I maintain a canary with a date. I just do nothing. I'd have to be legally compelled to lie in order to not have the canary tell everyone. There really isn't a legal way to stop a canary from functioning. A court can issue a gag order saying I can't do anything, but that's exactly what I'm doing with the canary.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re: has never terminated ... due to political pres by david_thornley · 2019-02-27 09:24 · Score: 1

The Daily Stormer found itself another host, which shows that freedom of speech still works.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:READ CRIMINAL LAW. STOP BEING STUPID. by mark-t · 2019-02-27 09:25 · Score: 1

So, what legal mechanism is going to stop this? Canaries are legal under normal circumstances. The government has some legal means to make you say nothing, and that's exactly what you're doing.

If they say that you are not to disclose to anyone that the investigation is happening, because canaries would be one way to disclose such information, their utilization (or more specifically, their expiration) could still be considered deliberate disclosure, because you are still wilfully altering some operational policy (that keeps the canary alive) which effectively communicates information that you are supposedly forbidden to communicate. This would be particularly troublesome if you had already previously explicitly communicated to the public that such a change in operational policy, if it were to ever occur, would only be brought about by such investigation. If you had never made such a statement, I think you may have a bit more wiggle room, but in all honesty, without such a statement, I'm not sure why one would bother with a warrant canary in the first place.

--
File under 'M' for 'Manic ranting'
Re:READ CRIMINAL LAW. STOP BEING STUPID. by david_thornley · 2019-02-28 05:45 · Score: 1

First, there's no law against putting canaries up before you get a secret request.
Second, the government cannot force you to lie. That's been true for about forever. Under some circumstances, the government can force you to say certain things, but not to lie.
By having a canary, you aren't telling anyone that you've got a secret request. You're just not telling anyone you don't have. This can have strong implications.
So, again, what legal mechanism is going to stop this?

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:READ CRIMINAL LAW. STOP BEING STUPID. by mark-t · 2019-02-28 06:16 · Score: 1

First, there's no law against putting canaries up before you get a secret request.
Of course not.

Second, the government cannot force you to lie.
Also true, but if you've contrived your circumstances beforehand so that only way you can avoid communicating that you're being investigated if or when it happens to you is to lie, is that the government's fault?

By having a canary, you aren't telling anyone that you've got a secret request.
Not by merely having a canary in the first place, no.... but by deliberately permitting it die where you otherwise would not have, particularly if you had ever previously announced that such a change in operation would be an indication of that situation, you *ARE*, in fact, telling people about the existence of the request when the canary dies, just as certainly as if you had communicated that information through natural language.

So, again, what legal mechanism is going to stop this?
If a secret request comes with a penalty for communicating the existence of the request to anyone else, it doesn't matter how you do it... the fact that you did it would still be an infraction. The changing of some internal policy (ie, letting a canary die) to alert people outside of an organization to the situation is nothing more or less than a covert signalling system, and as far as I can see, the only reason you'd get away with it is if nobody else happened to perceive it that way.

--
File under 'M' for 'Manic ranting'