Warrant Canaries

Mornings With Mark no. 0166

Bad Robot Transcript

Morning, everybody. How are you doing today? On this episode of the show, we’re going to talk about canaries. Now, not the little tiny cute birds; we’re talking about warrant canaries. Now, the idea actually relates to the bird originally. Way back when, in coal mines, miners used to use canaries in cages to detect carbon monoxide levels.

So, unfortunately, if the bird passed, the miners knew something was up, or if the bird started to show signs of sickness, they knew there was a challenge within the mine. And it’s the same core concept: setting something out there, and if you start to see problems with it, you know something else is up.

Now, in the context of today’s discussion, this is actually generated by an updated report from the Cloudflare blog, where they publish a semi-irregular, or regular, transparency report, and they’ve added new what are called warrant canaries into this report. Now, warrant canaries are a really interesting legal workaround. So in the US specifically, but also in a lot of other countries, there are certain actions by the government and by law enforcement that prevent the parties that are involved from talking about it.

So whether the gag order is written just into the law, or they actually go to the court and say, “We don’t want anybody to be able to talk about this,” the result is the same. A company, normally a service provider or technology provider, is served some sort of warrant, or they are served a legal order requiring them to take an action that may or may not compromise some of their service’s integrity from a privacy or a security aspect, and because of the gag order, they can’t say anything about it.

So the idea here of a warrant canary is actually sort of a clever legal workaround, in that you’re proving the negative constantly, and then you can no longer prove it.

So if I say, “I have not been served any orders to crack my encryption scheme,” and I can continually say that, then when I am served the order, I take that statement down off of the site or down out of the transparency report, and my customers are supposed to then behold that the canary’s gone.

There is an issue here that we need to dive further into. For the most part, warrant canaries can work if people know about them and if you understand the implications. So here’s where things start to break down. It is a really good idea if you are under a legal order, and of course we want all the companies that we work with, as users and as partners, to follow the law in the country that they’re in. The problem is if that law prevents them from telling us things that they’ve taken that may affect us, like steps they have taken that may affect us, so either breaking encryption or sharing other users’ data with law enforcement or the government.

And there’s a lot of concerns there that are legitimate, and you want to know about it, but these gag orders prevent them from talking about it. So if you know that that’s a scenario you’re concerned about, and the company you’re dealing with, the service you’re dealing with, has a warrant canary, that actually works really, really well. If you don’t know about the warrant canary system, and if you don’t know if you’re really concerned about that, then warrant canaries don’t really help.

Furthermore, if you do have a warrant canary in play with your service provider, like they are hosting it there, and they pull it down, that raises additional challenges, because now they aren’t allowed to talk about what event triggered the removal of that canary.

So in Cloudflare’s case, they came out and added new canaries to their report, and one of them was essentially that they haven’t modified customer content based on law enforcement requests. So, say, if that came down, they’re now essentially, by not stating it, stating that they had modified customer content.

They are going to be allowed to talk about it. You as a user have a tiny bit more data, but not enough. And really, why I wanted to highlight this issue in an episode was twofold: so that you’re aware of warrant canaries and you understand their linkage to sort of transparency reports. Because transparency reports, a lot of the time, especially around US national security letters, or NSL letters, can only report broadly and in a group, so like zero to 1,000 requests. That’s not very useful, but warrant canaries can help to identify that.

But the second issue I wanted to raise at this point was that this comes to the larger debate around privacy, around encryption, around law enforcement power within our communities, citizens’ rights, because we don’t have enough information.

So we saw it a lot during the battle, publicly, two or three years ago between Apple and law enforcement around encryption of their devices, and the argument was always from law enforcement that they need access to these devices or criminals are going to get away with criminal activity and put citizenry and our communities at risk. The problem is there’s not enough solid data to evaluate the risk to people’s privacy and to put it in context.

So yes, let’s say there was, you know, let’s keep the numbers easy, let’s say there were going to be three thousand cases, which is a lowball estimate, in the US where they wouldn’t be able to access the data. Well, there’s 330+ million citizens within the country that are doing activities online all the time.

There are billions and billions of transactions that work around the similar types of security. So you need to get the data to be able to make that decision as a community, and more data is better. The challenge here: these gag orders prevent us from gathering that data.

So, twofold: warrant canaries are great if you know about them, but are still limited in that you can’t actually understand the action taken. You just know that something bad happened, when your service provider was forced to comply with a government order from somewhere about something, and then you need to take a slightly less informed decision as a user.

And the second point is that the gag orders really prevent us from gathering the data that we need. We need this data in order to make an informed decision as a digital citizenry about what we want that balance to be between government’s ability to reach into our technical systems and our personal privacy and the security of our systems. And this is becoming more and more important as we move all of our stuff into the cloud, and it really emphasizes how little geographic boundaries matter.

And right now we have this sort of loggerheads going on where old-school models are still trying to apply in a new-school world. And obviously we’re not in a borderless society yet, but there are those challenges that are starting to clear up, and having the data to properly contextualize the challenges we face is absolutely critical. So, a little bit of a different topic today.

I hope you enjoyed it. Let me know what you think online at @marknca, in the comments down below, and as always by email, me@markn.ca. Hope you’re set up for a fantastic day. We’ll see you on the next episode of the show.
