I recently ran across the warrant canary FAQ from the Electronic Frontier Foundation (EFF). The concept is simple – put up a statement now saying that so far you have not been compelled by a secret order to turn over data to the government. Wikipedia has an entry for it. The example I read about was Rsync, see below (the arrow and circle are mine for emphasis). It’s an interesting strategy. There is no way to prevent anyone from putting up such a statement. You might be required to remove it and to do so without an announcement, so having it clearly and prominently displayed is the best way to guarantee people find out. That also seems like an interesting service that someone could use to roll up sites that say they are ok and sites that used to say that.
Is it a good idea? I don’t know. I like transparency and this is a way, sort of, to accomplish that. But what does it change if I see the canary gone? If I’m the “bad guy” I certainly fear the government has the scent and move on to some other service, but for honest users – do we care? I think we only do in the larger sense of wondering how often the government makes the inquiries and the scope of the inquiry – is it records for a single user, or did they ask for all of them just in case? Certainly we’d like to know if our data has been requested, but I don’t imagine we’ll see user level warrant canaries. Are we going to stop using the service because the canary is gone? I’d bet not.
If you or I put data into a service – any service – there is always the risk of that data being exposed. It could be accidental (text file on a share, lost laptop), a hacker, or an inquiry from the government. What I care about is the relative value of the data I’m storing on that service. Can I afford to lose it? What will be the impact if it’s made public? What I also care about is the published security policy of the site – do they at least say they do the right things given the service they offer me (and the cost I pay for it)?
Some deep issues here, with no simple answers.
3 thoughts on “Warrant Canaries & Transparency”
The interesting part of the Warrant Canary is how some of the bigger firms (i.e., Facebook, Google) are using them. They put them in their financial statements, which the officers of the company have to swear are factual, under the penalty of perjury.
So in situations where they are compelled by law to remove it once it doesn’t apply, will they then be breaking the law by simply omitting the canary?
Fascinating questions that won’t be answered until someone goes to jail over it, unfortunately.
Unfortunately, since a lot of the things these canaries are supposed to indicate bar communicating in any way that they were received, taking them down after getting an NSL or warrant is likely illegal. I’m not even sure how putting them in financial documents that need to be sworn to be factual will affect it. I’m betting the state secret laws override the financial regulations.
Chris, I hear you – at that point the definition of “legal” is not going to be simple. Funny thing is you might even be presented with a reason why you don’t want to spill the beans and have backed yourself into a corner.