SpiderOak tweeted three days ago [1] that it's replacing the warrant canary with a transparency report that'd be updated every six months.
This is what the tweet said/says: [1]
"We just released our most recent transparency report, available at https://spideroak.com/transparency/ . This will replace our #warrantcanary. The final version of the canary is available at https://spideroak.com/canary . The transparency report will be updated every six months."
The transparency report, updated a few days ago this month, shows zeros for every kind of request, which means there haven't been any kind of court orders for information from February to August 2018. [2]
Are there still reasons to be concerned? I don't understand how they can list NSLs in the transparency report, since those are the ones with the gag orders necessitating legally confounding workarounds like a warrant canary.
My hunch is that they were indeed served with an NSL. The transparency report bullshit is an extra thing they've done to have mercy of NSA or whatever at the expense of confusing (quite) a few people (people mentioned that canary practice wasn't confirmed as illegal or legal by any court proceeding).
One thing to realise is that they (AFAIR) never said they'd quit the business if they ever get served with an NSL.
> I don't understand how they can list NSLs in the transparency report
Correct. You can list the ones you don't have, but not the ones you do. So to a first approximation, the transparency report will always say "0".
Now, the theory behind a warrant canary is that the government can compel your silence but (maybe!) it cannot compel you to make false statements. And if that applies to NSLs and gag orders, and thus makes warrant canaries valid, it might apply to the transparency report too.
And in that case maybe we can take the "0" at face value, and we can assume that they haven't received an NSL, but if they do they'll just silently drop that section from the transparency report. (Their warrant canary had some cryptographic signatures, but as far as I know, that's totally irrelevant. If a court decides to compel you to lie and say you haven't received an NSL when you have, then they can compel you to sign the canary too. If they opt not to compel speech, then they won't compel a false transparency report. The crypto is window dressing.)
But while on paper it looks to me like the transparency report is probably just as meaningful as the canary, the ham-handed way they've announced it leaves me suspicious.
I don't know anything about SpiderOak, except occasionally having browsed their front page, but they do seem to have some clue about security and secure software. If that is true, they must have known from the outset that once you decide to install a canary, you cannot discontinue it except to signal that it has died.
That canary has now died. It did so along with a statement [1][2] that signing a canary every 6 months with an airgapped computer is too impractical, which isn't very plausible as this is a perfectly schedulable event which will take at most an hour for every person involved, twice a year. I suppose they sign their (APT, RPM) releases in the same way (please ask them; seems answerable). Additionally, they were three days late with their statement about moving away from the canary, which is otherwise irresponsibly late for an event that can completely erode trust in them as a security company.
The irony is that their conclusion in [1] that the "canary’s effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users" is spot on; the confusion that can be created about whether the canary is dead or merely deprecated, that after it has died once it cannot be reinstated, and that the only recourse for users is to move away from the service, makes it a pretty useless signal to act upon.
There is no confusion. There is a simple bargain with a canary: no matter what confusion is thrown up by bad actors, once it's activated, you assume the target is compromised.
If they're not really compromised? You don't need to ask that; trust is based on evidence, not some abstract Truth. When the trigger activates, you deprecate trust. It's really that simple.
Hmmm, the language used to justify dropping the canary sounds very similar to other services which ditched it in the past. Can't remember exactly, but IIRC Reddit and Riseup said something like this.
Here's a question that crossed my mind: what if you ignore a gag order? You receive a secret court order to hand over data, and you tell them you're not giving it to them unless you're allowed to tell the world about it.
Will they give you a fine? And what if you don't pay the fine? Will they arrest you? And if they do, how can they prevent people from finding out about it?
Given that national security letters originate from the Patriot Act, I presume the consequences are grave. Certainly, jail time seems probable.
In general, if a court says do X, and you refuse, that is contempt of court. The court can then decide to fine you, and put you in jail until you are willing to comply.
Given gag orders, and waving the words 'national security', I expect the court proceeding dealing with your arrest / punishment would be sealed.
Heck, if certain things are marked as US government secrets and you publish them, that is treason which can be punished by death.
Edit: it seems they had removed it on purpose and added it back to elaborate on the decision and that it wasn't removed to signal something --- seemingly: "So after thinking about this ... we have decided to move away from ... canaries and instead publish a ... report located at ..."
Doesn't matter. The moment the canary died, they became a compromised agent whose further statements are to be interpreted as being manipulated by secret court order.
If your canary dies, you can buy a new one, but you still have deadly gas in your mine. You can't trust the words or actions of someone who just declared they have been compromised.
Can someone explain what a Warrant Canary is and why it needs to be removed?
From my understanding, a Warrant Canary is a provision to disclose subpoena(s) that a company is not allowed to disclose and now SpiderOak is shutting down that provision?
Canaries were used in coal mines to detect deadly gas. If your canary dies, it means you might have a problem.
A warrant canary dies when a warrant is served. If a company has a statement that says "We have not been served a warrant as of X date" and they update it monthly, then they suddenly stop updating it or remove that statement, the canary has died. They might have been served with a warrant.
It's also possible that the canary died of natural causes, of course. It could be that a lawyer told them it was a bad idea, or maybe a shift in management removed it. But there's no way to know.
Miners used to bring canary birds with them when mining. If they hit poisonous gas, the canary would die before the miners, alerting them to the gas.
The government can issue secret warrants to companies that they are not allowed to disclose, requiring them to hand over customer data. A warrant canary is a periodical statement from a company that they have not received such a warrant. The idea is that if they do receive a warrant, they will stop publishing the warrant, and the court can't compel them to.
A warrant canary states "We have not complied with any subpoenas that disclosed user data". All that has to happen upon complying with a warrant that requires user data is to remove / not republish the canary.
The idea being that a gag order cannot force you to speak, only prohibit you from speaking. Thus, a gag-order cannot force you to continue publishing a canary. Often, canaries have an 'expiry date' after which they will be republished. This is to avoid 'removing a document' as being interpreted as speech, and thus prohibited by gag order.
Now SpiderOak had a canary with an expiration of 1 Aug. They did not republish; and 3 days later, gave an explanation why. In this explanation they state they will switch to a slightly different, non-cryptographically signed document that is much like a warrant canary. The 3 day gap is most notable here. SpiderOak states that the cryptographic signing wasn't useful because you need to trust the signers, who are the same people that publish on the website.
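The expiry mechanism described above, combined with the "once dead, stays dead" rule argued earlier in this thread, as an added example that is not part of the original discussion or any SpiderOak tooling. The canary text, its `Issued`/`Expires` field names and the dates are constructed, and signature checking is left out.

```python
import re
from datetime import date

# Constructed canary text; the "Issued"/"Expires" field names are assumptions,
# not SpiderOak's actual canary format.
SAMPLE_CANARY = """\
No warrants, subpoenas or gag orders received.
Issued: 2018-02-01
Expires: 2018-08-01
"""

_FIELD = re.compile(r"^(Issued|Expires):[ \t]*(\d{4})-(\d{2})-(\d{2})[ \t]*$", re.M)


def parse_canary(text):
    """Return {'issued': date, 'expires': date}; raise ValueError if a field is missing."""
    fields = {m.group(1).lower(): date(*map(int, m.group(2, 3, 4)))
              for m in _FIELD.finditer(text)}
    if set(fields) != {"issued", "expires"}:
        raise ValueError("canary lacks Issued/Expires fields")
    return fields


class CanaryWatcher:
    """Latching monitor: once the canary is seen dead, it stays dead."""

    def __init__(self):
        self.dead_since = None  # date the canary was first observed dead

    def observe(self, today, text):
        """Record one check. `text` is the published canary, or None if absent."""
        if self.dead_since is None and not self._fresh(today, text):
            self.dead_since = today
        return "alive" if self.dead_since is None else "dead"

    @staticmethod
    def _fresh(today, text):
        if text is None:
            return False
        try:
            canary = parse_canary(text)
        except ValueError:
            return False  # an unparseable canary counts as no canary
        # Assumption: the canary is valid through its expiry date, inclusive.
        return canary["issued"] <= today <= canary["expires"]


def replay(observations):
    """Feed (date, text) pairs to one watcher and return the state after each."""
    watcher = CanaryWatcher()
    return [watcher.observe(day, text) for day, text in observations]
```

Replaying a check the day before expiry, one the day after with the stale canary still up, and one three days after with a freshly issued statement yields alive, dead, dead: the late republication does not reset the watcher.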
Regardless of the stated reason for the canary to be removed, there is a responsibility in deploying a warrant canary that must be upheld. In this case, the canary is dead and the responsibility is now on users to judge what they should make of that.
I, for one, would not use their service going forward.
Isn't it anyway safe to assume that Internet providers worldwide have to give access to security services etc. (or are even happy to cooperate without any legal pressure)?
Also note earlier in their feed, a few hours before they announced the death of the canary, they had a 'full system outage due to a poorly communicated maintenance by their ISP'. To me, this screams "Narus box at our edge" or similar shady behavior.
I've been using SpiderOak and Encryptr for a while and I'm assuming the data stored by them up until now is secure given that it was a zero knowledge service. Any opinions on this?
Unless you manually manage your keys, it's only zero knowledge if you never log into their website or use their Android app, either of which gets your key onto their servers.
Given that it looks like the canary just did its job, it would be prudent to assume SpiderOak is now compromised in some way. Therefore, it's probably safer to assume that all data stored on it up to this point is also somehow compromised too.
That would depend on whether you trust that they are zero-knowledge. It is certainly possible to build a client that works like that, but their client wasn't open source, so there is no way to confirm this.
However, if you trust them on the canary, why distrust them on the claim their service was zero-knowledge? It might make sense if they are 'amoral enough' to lie about being zero-knowledge, but 'moral enough' to admit to being served a warrant. I think space for that level of morality exists, but is small. The other issue would be if they weren't zero-knowledge through an unintended bug.
If your threat model includes any sovereign state's intelligence agency then a warrant canary is worse than useless.
Given their other widely abused powers it is likely trivial to force a normal company to continue business as normal and make any statement.
I submit that warrant canaries are at best legally and politically naive virtue signalling and at worst deliberate obfuscation of the actual threat model.
Why do these companies not make use of international, cross border solutions?
I am bound by the law of France but my associate in the US could not care less and vice versa. If we cross check, say, code daily and I see a discrepancy then I raise an alert on my .fr page, controlled by myself. He would not be involved.
Any ideas on how many people in the company would know about it? If it's quite a few, one would take the chance on writing anon to a tech writer/activist. But that too is easier said than done... FBI would not be happy and they have a lot of cards in their hand.
If the meaning of the removal of a warrant canary is debatable, it has not done its job very well. Presumably, there are people who would prefer that whatever the removal implies does not become the widely accepted view, and one tactic they could use, against it so becoming, is to raise doubts about what its removal does mean.
newscracker|7 years ago
[1]: https://twitter.com/SpiderOak/status/1025488889564327936
[2]: https://spideroak.com/transparency/
forkerenok|7 years ago
Lazare|7 years ago
dannyw|7 years ago
So you can legally say you’ve received no NSLs; until you get an NSL.
Confiks|7 years ago
[1] https://spideroak.com/articles/transparency-report/
[2] https://twitter.com/SpiderOak/status/1025488889564327936
philipov|7 years ago
ricardobeat|7 years ago
https://support.spideroak.com/hc/en-us/articles/360009029531...
secfirstmd|7 years ago
Vinnl|7 years ago
rocqua|7 years ago
e12e|7 years ago
KenanSulayman|7 years ago
philipov|7 years ago
sinstein|7 years ago
wccrawford|7 years ago
tutts|7 years ago
rocqua|7 years ago
discordance|7 years ago
chmars|7 years ago
Lazare|7 years ago
Props to them for making a canary and then following through on it.
maxerickson|7 years ago
lwhalen|7 years ago
fjsousa|7 years ago
throwaway9d0291|7 years ago
ablation|7 years ago
rocqua|7 years ago
I can't really give a definitive judgement.
SeanMacConMara|7 years ago
BrandoElFollito|7 years ago
Tharkun|7 years ago
onetimemanytime|7 years ago
DyslexicAtheist|7 years ago
jokoon|7 years ago
mannykannot|7 years ago
barking|7 years ago
https://www.grc.com/misc/truecrypt/truecrypt.htm