markn.ca
Archive 5 min read

Warrant Canaries

We rely on some digital services for critical functions around security and privacy. Trusting those services is paramount to their success and ours. But it can be difficult to trust when you don't know what's going on behind the scenes. Gag orders from the courts can amplify those trust

Warrant Canaries

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Morning everybody. How you doing today on this episode of the show, we're gonna talk about canaries. Now, not the little tiny cute birds we're talking about warrant canaries. Now, the idea actually relates to the bird originally, way back uh when in coal mines, uh miners used to use canaries in cages to detect carbon monoxide levels.

So unfortunately, if the bird passed, the miners knew something was up or if the bird started to show signs of sickness, they knew there was a challenge within the mine and it's the same core concept of setting someone to think out there and if you start to see problems with it, um you know, something else is up.

Now in the context of today's discussion, this is actually generated by an updated report from the Cloud Flare blog where they publish a semi ire or regular transparency report and they've added new what are called warrant Canaries into the report. Now, Warrant Canary is a really interesting legal work around.

So in the US specifically, but also in a lot of other countries, there are certain actions by the government and by law enforcement that prevent the parties that are involved from talking about it. So whether the gag order is written just into the law period or they actually go to the court and say we don't want anybody to be able to talk about this.

The result is the same, a company, um, normally a service provider or a technology provider is served some sort of warrant or they are served a legal order requiring them to take an action that may or may not compromise some of their services integrity from a privacy or a security aspect.

And because of the gag order, they can't say anything about it. So the idea here as a uh warrant, Canary is actually sort of a clever legal work around in that you're proving the negative constantly and then you can no longer prove it. So if I say I have not been served any orders to crack my encryption screen scheme, and I can continually say that when I am served the order, I take that statement down off of the site or down out of the transparency report and my customers are supposed to then be, oh, wait a minute, the Canary is gone.

There's an issue here that we need to dive further into and for the most part, or canaries can work if people know about them and if you understand the implications. So here's where things start to break down is it is a really good idea if you are under a legal order.

Um and of course, we want all the companies that we work with as users, um as partners to follow the law in the country that they're in. The problem is, is if that law prevents them from telling us things that they've taken that may affect us like steps they have taken that may affect us.

So either breaking encryption or sharing their users' data um with law enforcement or with the government. Um There's a lot of concerns there that are legitimate. Um And you want to know about it, but these gag orders prevent them from talking about it. So if you know that that's a scenario you're concerned about and the company you're dealing with the service provider you're dealing with has a warrant.

Canary that actually works really, really well. If you don't know about the warrant Canary system. And if you don't know if you're really concerned about that, then warrant Canaries don't really help. Furthermore, if you do have a warrant Canary in play with your service provider, um like they are hosting it there and they pull it down, that raises additional challenges because now they aren't allowed to talk about what event triggered the removal of that Canary.

So in cloud fire's case, they um added, I think four new Canaries to their report. Um And one of them was essentially, you know, they haven't modified customer content based on law enforcement's request. So say if that Canary came down and they're now essentially by not stating it, they are stating that they had modified customer content, they aren't going to be allowed to talk about it.

And you as a user have a tiny bit more data but not enough. And really why I want to highlight this on uh issue in an episode was, was twofold a so that you're aware of warrant canaries and you understand their linkage to sort of transparency reports because transparency reports a lot of time, especially around us national security letters or NSL letters um can only report broadly in care in um in groups.

So like 0 to 1000 requests that's not very useful. Um But you know, warrant canaries can help to identify that. Um But the second issue uh I wanted to raise around this point was that this comes to um sort of the larger debate around privacy, around encryption, around law enforcement's power um within our communities.

Um you know, citizens' rights because we don't have enough information. So we saw it a lot during the battle uh very publicly two or three years ago between Apple and law enforcement around encryption of their devices. And the argument was always the uh law enforcement is going dark, they need access to these devices or criminals are going to get away with um uh you know, criminal activity and put citizenry and our communities at harm.

The problem is there's not enough solid data to evaluate the risk to people's privacy. Um and to sort of put it in context. So yes, let's say there was um you know, let's keep the numbers easy. Let's say there was, you know, 3000 cases, which is a low ball estimate in the US where they wouldn't be able to access the data.

Well, there's 330 plus million citizens within the country that are doing activities online all the time. There are billions and billions of transactions that work around the similar types of security. So you know, you get the data to be able to make that decision as a community and more data is better.

The challenge here is these gag order prevent us from gathering that data. So twofold here, canaries are great if you know about them but are still limited in that you can't actually understand the action taken. You just know that something bad happened when your service provider or your service provider was forced to comply with a government order from somewhere about something.

And then you need to take a slightly less uninformed decision as a user. And the second point is that these gag orders really prevent us from gathering the data that we need. Um We need this data in order to make an informed decision as a digital citizenry about what we want that balance to be between government's ability to reach into our technical systems and our personal privacy and the security of our systems.

And this is becoming more and more important as we move all of our stuff into the cloud. And it really emphasizes how little geographic boundaries matter. And right now, we have this sort of loggerheads going on where old school models are still trying to apply in a new school world.

Um And obviously, we're not in a borderless society yet. Um But there are those challenges that are starting to rear up and having the data to properly contextualize the challenges we face is absolutely critical. So little bit of a different topic today, I hope you enjoyed it. Uh Let me know what you think online at Mark NC A in the comments down below.

And as always by email me at Mark N dot ca, I hope you're set up for a fantastic day. We'll see you on the next episode of the show.

Share Tweet Share Share Email

Read next