I recently ran across the warrant canary FAQ from the Electronic Frontier Foundation (EFF). The concept is simple – put up a statement now saying that so far you have not been compelled by a secret order to turn over data to the government. Wikipedia has an entry for it. The example I read about was Rsync, see below (the arrow and circle are mine for emphasis). It’s an interesting strategy. There is no way to prevent anyone from putting up such a statement. You might be required to remove it and to do so without an announcement, so having it clearly and prominently displayed is the best way to guarantee people find out. That also seems like an interesting service that someone could use to roll up sites that say they are ok and sites that used to say that.
Is it a good idea? I don’t know. I like transparency and this is a way, sort of, to accomplish that. But what does it change if I see the canary gone? If I’m the “bad guy” I certainly fear the government has the scent and move on to some other service, but for honest users – do we care? I think we only do in the larger sense of wondering how often the government makes the inquires and the scope of the inquiry – is it records for a single user, or did they ask for all of them just in case? Certainly we’d like to know if our data has been requested, but I don’t imagine we’ll see user level warrant canaries. Are we going to stop using the service because the canary is gone? I’d bet not.
If you or I put data into a service – any service – there is always the risk of that data being exposed. It could be accidental (text file on a share, lost laptop), a hacker, or an inquiry from the government. What I care about is the relative value of the data I’m storing on that service. Can I afford to lose it? What will be the impact if it’s made public? What I also care about is the published security policy of the site – do they at least say they do the right things given the service they offer me (and the cost I pay for it)?
Some deep issues here, with no simple answers.