top | item 36937625

(no title)

JHorse | 2 years ago

Their Canary has more to do with their infrastructure being compromised. It's likely one or more of these statements are no longer true:

1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.

2. Cloudflare has never installed any law enforcement software or equipment anywhere on our network.

3. Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.

4. Cloudflare has never modified customer content at the request of law enforcement or another third party.

5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.

6. Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

discuss

eastdakota|2 years ago

I'll state right here: all these are still true. We'll get the canary updated. Checking with legal and trust & safety why it hasn't been for so long. Likely just slipped someone's mind. Will make sure that doesn't happen again.

Manouchehri|2 years ago

How about make `https://www.cloudflare.com/.well-known/warrant-canary.txt`, and use a Cloudflare Worker with a Cron Trigger to trigger an email to legal if it's approaching expiry?

greatfilter251|2 years ago

[deleted]

13of40|2 years ago

I wonder how pedantic you could legally get with that.

Cloudflare has never been compelled to give up information to an agency called AAA. Cloudflare has never been compelled to give up information to an agency called AAB. ...etc.

dotnet00|2 years ago

As we sort of saw with the Twitter Files (and other incidents with foreign governments, eg the Indian government), they can get extremely pedantic about describing the kind of cooperation they have with government agencies.

(Not to point to a conspiracy to silence political opposition, just to highlight that, at least to me, the extent of their cooperation was really surprising relative to how little they talked about it)

JHorse|2 years ago

Suuuuper pedantic.

For instance, 2 and 3 narrowly specify just law enforcement agencies, of which the CIA and NSA are not.

evandale|2 years ago

Why do we have to be pedantic and can't just say when the FBI or CIA come after us?

badrabbit|2 years ago

#5 seems most likely.

eastdakota|2 years ago

Agree #5 is the riskiest right now with the Quad9 decision in Germany and some of the cases we're facing in Italy, Austria, and elsewhere. The copyright industry has decided that DNS is their new target; never mind that anyone can setup their own local DNS resolver. Good news: those are extremely public cases. And, if we lose, we'll make a lot of news about how dangerous they are. If you're in Europe, it'd be really helpful for more people to be telling the courts and legislatures: DNS is not the right place to try and censor the Internet.

bragr|2 years ago

They all seem likely given that they all have multinational precedent.

james_in_the_uk|2 years ago

Bear in mind that there are multiple ways for Cloudflare to give law enforcement or intelligence agencies customer information that do not breach one of these six statements.

It doesn’t mean that they are not helpful. Just that - as warrant canaries go - they are not complete.