The glossary entry on warrant canaries is dated December 2020, but there is a more recent canary list in their 2022 transparency report (https://www.cloudflare.com/en-au/transparency/) with the same 6 items in it.
Bizarre they appear to have skipped the H2 2022 transparency report unless I’m missing something
Maybe I’m just getting old and distracted, but I feel like CloudFlare went from “whoa some HN pros are doing great CDN work with some serious chops and an underdog work ethic” to “is it possible to never connect to them” like, really fast.
I love cloudflare, but honestly I assumed they WERE the CIA/FBI not just compromised by them. It would be the perfect front company for the government.
If adamgamble's speculation were the case, I'd go to jail for things I'd have illegally signed in our SEC disclosures attesting to the sources of our revenue and any government contracts. Suffice it to say, I like not being in jail. It's really, really hard for public companies to be part of some grand conspiracy for so many different reasons. So… once we went public I kind of thought this silly speculation would end. But guess not.
Beyond that, if you think about it, it's a way better business to run Cloudflare and serve the world than serve some US intelligence entity. That's just per se true. So if that's the case why would we ever do anything that would remotely compromise the trust necessary to, you know, be Cloudflare?
Lastly, here's a funny story. Early in our history one of our investors suggested that we talk to In-Q-Tel. Here's how naive Michelle and I were: we had no idea it was the CIA's venture capital arm. So we showed up in their office on Sand Hill Road. It was weirdly austere compared with other VCs we'd visited. And lots of security cameras. The partner at some point came out and greeted us. As he was walking us back he looked back right before we crossed the threshold back to the inner offices, "You're both American citizens, right?"
"No," Michelle said. "I'm Canadian."
"Oh," the VC said. "Then you can't come back here."
"I'm not going back there without her," I said.
"Ok, well, I guess we'll have to do the meeting in the reception area," decided the In-Q-Tel VC.
We had a very cordial meeting and then left. As we were driving away Michelle said, "Those guys were weird." And that was the end of that. Never talked to In-Q-Tel again.
But maybe it's the Canadian equivalent of the CIA/FBI/NSA we're beholden to??! ;-)
Warrant canaries are largely believed to be unworkable. I.e., federal lawyers are going to say "cute, but no, you cannot disclose that we warranted you in this or any other way."
Compelled speech of any kind has been repeatedly ruled unconstitutional. Also many companies have triggered their canaries, including Apple, Silent Circle, and Reddit. If Apple's legal department considers it valid I'm inclined to agree with them absent positive evidence of the contrary.
Perhaps, but until there's a test case we're all just guessing. So far the Supreme Court has been fairly strict in following the compelled speech doctrine.
They can say "don't do anything". They can't say "don't avoid doing something." That's the point of the age of the warrant canary notification--they stopped updating it. This is in effect a dead canary; they're saying they are subject to an order they can't disclose.
Is there a point to a company as large as Cloudflare even having a warrant canary? Half the internet goes through their servers. Of course the US government had or has hooks in them for something or other.
What is the language around the non-disclosure order? There seems to be speculation that a warrant canary would be construed the same as a disclosure, but are you required to not inform the concerned party, or required to not disclose law enforcement contacting you at all?
From a practical perspective I don't imagine that cloudflare removing a canary could give any one organization a signal - I don't know what the bar for a 'disclosure' is but informally I would not consider it a targeted specific warning.
EDIT: the other component I am curious about is duration, there is still utility in the canary even if it comes late, future users will know that there was a compromise and that further ones are likely, right?
It's weird to me people think warrants are still used.
No warrant is needed by any government agent to read your email that is over six months old and the major providers just give them a backdoor so as not to waste any time/money with requests.
Who is going to stop them from doing that with anything else? The supreme court? Good luck with that belief system. You think the NSA ever stopped just because they were discovered? Or did they just switch to "try to stop us".
Their "canaries" don't make any reference to warrants, and two of them explicitly rule out providing a backdoor for governments ("Cloudflare has never installed any law enforcement software or equipment anywhere on our network" and "Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network").
I'm not an expert, but my course of action is to stop using cloudflare. I never used them for whatever that other thing they do is, but I switched my upstream DNS to quad9 (9.9.9.9).
So what's stopping these people that claim to be so righteous by using canaries from lying to you? Anyhow the ISPs and internet backbones are all tapped as many whistle-blowers have already revealed.
Nothing stops anyone from lying to you. In this case it would be considered fraud if the lie was discovered or leaked. Which is one of the rationales on why courts cannot compel a company to lie and post false warrant canaries, because it would incriminate them.
The biggest MITMer should complain about another service being an MITM? How much has Google now routed to go through themselves or be checked by them prior to serving your destination?
Bear in mind Google doesn't have a warrant canary because it is served literally hundreds or thousands of warrants per year, to the tune it's just called a transparency report to count them.
Do you want a similar warning on every site that the server might be compromised? Because I don't think that risk is smaller than the CloudFlare MITM risk.
tsujamin|2 years ago
JHorse|2 years ago
richij|2 years ago
benreesman|2 years ago
tmpX7dMeXU|2 years ago
adamgamble|2 years ago
eastdakota|2 years ago
adamgamble|2 years ago
cj|2 years ago
Their lack of reply (if that turns out to be the case) on this post would be telling.
eastdakota|2 years ago
EGreg|2 years ago
sulam|2 years ago
causality0|2 years ago
93po|2 years ago
nradov|2 years ago
https://www.mtsu.edu/first-amendment/encyclopedia/case/30/co...
LorenPechtel|2 years ago
abigail95|2 years ago
Clamchop|2 years ago
causality0|2 years ago
jvanderbot|2 years ago
eastdakota|2 years ago
nathanaldensr|2 years ago
DANmode|2 years ago
There was, is. There likely won't be, going forward.
lallysingh|2 years ago
JHorse|2 years ago
1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
2. Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
3. Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.
4. Cloudflare has never modified customer content at the request of law enforcement or another third party.
5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
6. Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
owenmarshall|2 years ago
You would assume, but when the Riseup canary expired plenty of people seemed willing to believe that a procedural issue or carelessness was to blame.
burnished|2 years ago
ck2|2 years ago
djur|2 years ago
barrysteve|2 years ago
soared|2 years ago
tedunangst|2 years ago
BillyTheMage|2 years ago
entriesfull|2 years ago
stubish|2 years ago
nepthar|2 years ago
JHorse|2 years ago
Signaling that their infrastructure has been compromised is kind of a weird lie for them to make though...
tamimio|2 years ago
[deleted]
edandersen|2 years ago
ocdtrekkie|2 years ago
tick_tock_tick|2 years ago
Dylan16807|2 years ago