Slashdot Mirror


Cloudflare Expands Its Government Warrant Canaries (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.

To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network. Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site.
According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0-249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.

16 of 120 comments

  1. Of course, that implies you trust CloudFlare by Rosco+P.+Coltrane · · Score: 4, Insightful

    to be honest and truthful, and I place about as much trust in them as any of the big data players out there. That is, not much.

    I suspect their canaries are more about marketing themselves as a company with strong morals than true morality.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Of course, that implies you trust CloudFlare by mark-t · · Score: 2

      Couldn't the same order that requires that they not disclose they are being investigated also include implicit disclosure to that effect?

      Warrant canaries could reasonably constitute such implicit disclosure if they took them down or altered their update policy in any way that is commensurate with any previously made announcement to that effect.

    2. Re:Of course, that implies you trust CloudFlare by mark-t · · Score: 2

      IANAL, of course, but if they explicitly announced sometime before any investigation took place that they would either take down the warrant canary notice or else cease to update it if they are investigated, and they end up getting investigated and they either take down the canary or cease updating it in the precise manner they had explicitly described (which would be part of past record and therefore provable), then that would constitute implicit disclosure, wouldn't it?

    3. Re:Of course, that implies you trust CloudFlare by WaffleMonster · · Score: 4, Informative

      Couldn't the same order that requires that they not disclose they are being investigated also include implicit disclosure to that effect?

      Warrant canaries could reasonably constitute such implicit disclosure if they took them down or altered their update policy in any way that is commensurate with any previously made announcement to that effect.

      Actively taking a canary down in response to subpoena is obviously the same thing as disclosing the existence of a subpoena.

      Good warrant canaries are designed to avoid this problem by self destructing on their own when neglected.

      The distinction / legal argument here is government cannot compel speech in the form of positive effort required by an individual to maintain existence of canary who no longer wishes to do so.

    4. Re:Of course, that implies you trust CloudFlare by Rosco+P.+Coltrane · · Score: 2

      Do you understand the point of a warrant canary? You'd prefer they didn't have one, do this action expanding them? Or are you just one of those that likes to bitch and FUD based on nothing tangible or able to even be referenced?

      Okay, I'll spell it out for you:

      How about the canaries are just a tool to get good press, and CloudFlare is perfectly happy to roll over when they get a warrant without telling you?

      Do you trust CloudFlare to actually update the canaries when they get one? I don't: they're under no obligation to do so, and like all other big data companies, they're all about earning money by raping people's private data. What possible motive could they have to tell you when the government wants to rape your data too?

      The only thing that makes the canaries vaguely believable is, if CloudFlare got caught flaunting a static text for marketing purposes, it would be a much worse PR disaster than if they got caught caving in to warrants. But that's about it.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    5. Re:Of course, that implies you trust CloudFlare by Gavagai80 · · Score: 4, Insightful

      The effect is the same -- but the government can only order you to shut up, it can't order you to actively tell lies to people. For now.

      --
      This space intentionally left blank
    6. Re:Of course, that implies you trust CloudFlare by AmiMoJo · · Score: 2

      There is one obvious omission from their list. They say they have no law enforcement equipment on their network, but don't mention intelligence agencies. Orgs like the NSA and GCHQ are not law enforcement, they are intelligence gathering.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Of course, that implies you trust CloudFlare by AmiMoJo · · Score: 2

      Good warrant canaries are designed to avoid this problem by self destructing on their own when neglected.

      I doubt that would stand up in court though. If you deliberately set things up so that the fact you received a secret subpoena will be disclosed by your inaction, all you really did is demonstrate intent to violate the secrecy requirement through pre-meditation.

      Courts tend not to be impressed with this kind of argument, and those who claim to have asked lawyers about it (such as Moxie Marlinspike) say they were advised against it.

      Some orgs have tried things like having multiple people sign the canary, each in a different legal jurisdiction. But that doesn't really help either, unless all parties have some way of detecting when one of them is served with a secret subpoena, which seems far-fetched. It also doesn't really protect the person receiving the subpoena as it is actually just a conspiracy to thwart the court's legally issued order.

      Unfortunately, canaries are not reliable, either for detecting subpoenas/LEA requests or for protecting the person issuing them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Also Google had that Warrant Canary... by gef7 · · Score: 2

    ..."Don't be evil"

    We all know how it ends!

    1. Re:Also Google had that Warrant Canary... by 93+Escort+Wagon · · Score: 4, Insightful

      ..."Don't be evil"

      I’d argue that “canary” functioned as we’d want - when it disappeared, we should’ve had a pretty good idea what was coming.

      --
      #DeleteChrome
  3. shilling reporting by Anonymous Coward · · Score: 3, Insightful

    "has never terminated a customer or taken down content due to political pressure"
    They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.

    1. Re:shilling reporting by Anonymous Coward · · Score: 2, Insightful

      I remember this as well, but couldn't recall exactly who. Stormfront or something?

    2. Re:shilling reporting by WaffleMonster · · Score: 5, Insightful

      "has never terminated a customer or taken down content due to political pressure" They totally did, once as I recall, and Matt Prince back pedaled that like a MFer.

      The crazy part of this is Cloudflare themselves raised this same point.

      "We're going to have a long debate internally about whether we need to remove the bullet about not terminating a customer due to political pressure. It's powerful to be able to say you've never done something. And, after today, make no mistake, it will be a little bit harder for us to argue against a government somewhere pressuring us into taking down a site they don't like."

      https://blog.cloudflare.com/wh...

      Apparently they decided not to even though it is obvious to everyone they did exactly this.

      Given documented self-admitted instance of lying about a canary why would anyone believe ANY assertions of Cloudflare about remaining canaries?

  4. Re:Canary service? by Aighearach · · Score: 2

    They're not allowed to signal you in any way, so it is marketing.

  5. Finely grained warrant canaries by Iamthecheese · · Score: 2

    Why can't a business publish a whole table of warrant canaries, including each concerned stakeholder? Each customer could have an entry with their name or pseudonym. If a subpoena for Bob were received, the entry reading "We have received no subpoenas regarding Bob" would be removed, but John, Mary, and Mike would still have their entry.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
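
A monitoring-side sketch of two ideas from the comments above, the canary that lapses when it is not renewed and the table of separate per-entry statements. This is an added example, not part of any comment and not Cloudflare's tooling; the snapshot dates, the 90-day window and the shortened statement wording are constructed, and checking the signature on the published page is assumed to happen elsewhere.

```python
from datetime import date

def normalize(text):
    """Ignore case and spacing so cosmetic edits do not raise alerts."""
    return " ".join(text.lower().split())

def check_canary(previous, current, today, max_age_days=90):
    """Compare two canary snapshots; return (severity, message) findings."""
    findings = []
    age = (today - current["published"]).days
    if age > max_age_days:
        # A canary that lapses on neglect only helps if someone checks its age.
        findings.append(("ALERT", f"stale: last renewed {age} days ago"))
    if current["published"] < previous["published"]:
        findings.append(("ALERT", "publication date moved backwards"))
    old = {normalize(s) for s in previous["statements"]}
    new = {normalize(s) for s in current["statements"]}
    for s in sorted(old - new):
        # Removal and rewording look identical here; a person must read the diff.
        findings.append(("ALERT", f"statement gone: {s}"))
    for s in sorted(new - old):
        findings.append(("INFO", f"statement added: {s}"))
    return findings

# Constructed snapshots. Wording is shortened from the summary at the top of
# the page; the dates and the renewal window are made up for the example.
BEFORE = {"published": date(2020, 1, 1), "statements": [
    "never turned over our SSL keys or our customers' SSL keys",
    "never installed law enforcement software or equipment on our network",
    "never terminated a customer or taken down content due to political pressure",
    "never provided law enforcement a feed of customer content",
]}
AFTER = {"published": date(2020, 3, 1), "statements": BEFORE["statements"][1:] + [
    "never turned over our or our customers' encryption or authentication keys",
    "never modified customer content at the request of a third party",
    "never modified the destination of DNS responses at the request of a third party",
    "never weakened, compromised, or subverted our encryption",
]}

if __name__ == "__main__":
    for severity, message in check_canary(BEFORE, AFTER, today=date(2020, 3, 15)):
        print(severity, message)
```

The replaced first canary surfaces as one ALERT plus one INFO, which is the case a monitor cannot settle on its own: the old wording is gone and only a reader can decide whether the new wording still covers it.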
  6. Some Warrant Canaries are Illegal in Australia by jaa101 · · Score: 3, Interesting

    In Australia, it's illegal to make a statement about whether you have or haven't received certain kinds of warrants, because they don't have an equivalent to the US's first amendment. Cloudflare appears to operate in Australia so I wonder how they plan to deal with that issue. I also suspect that Australian agencies would be willing to use the powers they have here to assist other Five Eyes governments.