Time For a Warrant Canary Metatag? 332
An anonymous reader writes "With the advent of national security letters and all the NSA issues of late perhaps the web needs to implement a warrant 'warrant canary' metatag. Something like this: <meta name="canary" content="2013-11-17" />. With this it would be possible to build into browsers or browser extensions a means of alerting users when a company has in fact received such a secret warrant. (Similar to the actions taken by Apple recently.)
The advantage the metatag approach would have its that it would not require the user to search out a report by the company in question but would show the information upon loading of the page. Once the canary metatag was not found or when the date of the canary grows older than a given date a warning could be raised. Several others have proposed similar approaches including Conor Friedersdorf in The Atlantic and Cory Doctorow's Dead Man's Switch." What problems do you see with this approach?
Uhh (Score:5, Insightful)
They would force you to keep the "all-clear" signal with guns pointed at your head? That might be a problem.
Re:Uhh (Score:5, Interesting)
That and if your companies router is compromised at the firmware, who is to say that the company even knows it's data is being compromised?
Even talking about things like a warrant to do a wire tap, I don't think the agencies are forced to tell anyone "Hey we are tapping your communications, here is the warrant."
Also some companies willingly work with these agencies so they probably wouldn't use this tag.
Re:Uhh (Score:5, Insightful)
That and if your companies router is compromised at the firmware, who is to say that the company even knows it's data is being compromised?
However, upon discovering that my router has been compromised by persons unknown, there's nothing stopping me from raising a general alert with my customers.
The warrant problem can be solved by forcing law enforcement to deliver all warrants in the clear. My company exists purely in cyberspace. There is nobody in authority who can be contacted in person. All requests for assistance must be submitted in clear text, deposited in a publicly readable drop box on our server.
Authority to approve hosting expenses (Score:2)
My company exists purely in cyberspace. There is nobody in authority who can be contacted in person.
Other than the registrar of your domain and the owner of the IP address block from which your site is hosted. Follow the money to the identity of the person with authority to approve hosting expenses.
Re: (Score:2)
Follow the money to the identity of the person
Corporation based in the Caymen Islands. Old solution. Very effective.
Attempts to follow ownership trails overseas by US LEAs do not share protection from disclosure like domestic operations do. There is no law in many jurisdictions stopping an overseas attorney from informing me (and anyone else interested) that people have been poking around, asking questions.
Re:Authority to approve hosting expenses (Score:4, Informative)
You forgot 4) most foreign governments will do anything they can to please the USA and/or already have similar programs in effect.
Not to me mention the point made by several others that much of this surveillance is being done either without a warrant or with a warrant to your upstream provider rather than to you.
Re: (Score:3)
4) most foreign governments will do anything they can to please the USA
This seems to be changing quite rapidly. Domestic political pressure is being applied to politicians to cut their espionage ties with the USA. On top of that, I'm not so sure many heads of state appreciate their cell phones, e-mail and other communications being monitored by the NSA.
much of this surveillance is being done either without a warrant or with a warrant to your upstream provider rather than to you.
Fine. If the NSA thinks it can handle an Internet of encrypted communications, they are welcome to tap anything they want. Even if they just spool the encrypted traffic off to a server and hope to come back next month with a war
Re: (Score:3)
3. some parts of U.S. law apply to U.S. citizens no matter where they live.
Actually, that would be 'US persons'. The legal distinction is quite subtle, but think of a US citizen working for a foreign corporation. And some corporations might just wash their hands of the USA altogether. Move their operations overseas and hire local talent.
Re:Authority to approve hosting expenses (Score:4, Insightful)
Re: (Score:3)
Not. Fooling. Anybody.
Please explain how this will prevent federal agents from arriving at your server farm and installing a tap or cloning your drives?
They don't have to serve the warrant on the head owner. Who ever has possession of the box will do.
You can't hide a website's actual location from people who have access to all of your upstream providers.
Re:Authority to approve hosting expenses (Score:4, Insightful)
Folks have been doing this lately, and now it's a 'movement'. I suspect it is all in vain. It seems to me that the secret court would simply interpret removing the tag as informing de facto, and requiring you to leave the tag in place even though it is no longer true. So I think it's a pointless gesture at best, and most likely a deceptive error that is possibly worse, since folks might depend on its veracity / correctness.
Re:Authority to approve hosting expenses (Score:5, Interesting)
It's not quite as simple as requiring you to leave the tag in place. The way the tag is supposed to work is that it tells you a date on which they had not recieved such requests, and if the date gets stale then you can reasonably suppose that they have since that time. The secret court would thus have to not just compel you to leave it, but to also continue updating. This is why Apple's approach is so interesting: it's going to precipitate a court case to determine whether they can be coerced into providing materially false information to the SEC.
Re: (Score:2)
Re: (Score:3)
Because money, and because just 'cause you know who to sue doesn't mean jack anymore in a world where money makes right.
Re:Uhh (Score:5, Funny)
You do all the time. When was the last time you spoke to someone at Amazon? And its not an issue of not being clearly defined. There's a very clear process for contacting the company. Place a message in the public folder*.
*If some private communications is needed, upon determining the nature of your request, we can exchange encryption keys. All law enforcement will be requested to use double ROT13.
Re:Uhh (Score:5, Insightful)
My company exists purely in cyberspace. There is nobody in authority who can be contacted in person.
I call BS. In every jurisdiction I have ever heard of, you are required to provide a physical address when registering a business, and any warrant or summons delivered to that address during normal business hours is generally considered "served".
Re: (Score:3)
Nope that is not true in the United Kingdom. A "sole trader" or "partnership" does not have directors.
Re: (Score:3)
Claims like these are typically only made by 'bulletproof' spam companies and similar service providers. I couldn't begin to tell you how many bulletproof hosts have been taken down from all parts of the world. Frankly you sound like a professional spammer.
Re: (Score:3)
> You don't have to publish the details of an intrusion.
What I'm trying to point out is that there are fiscal reasons not to publish, and you may be contractually blocked from publishing. I'm afraid that if you expect every ISP and service provider to give you enough information to know whether they're being open about intrusions, or simply sweeping them under the rug, you have a very op unrealistic view of most businesses. The only times in the last decade when I've seen a security break published to no
Slavery hack (Score:5, Insightful)
They would force you to keep the "all-clear" signal with guns pointed at your head?
There's a way to hack around this by exploiting a Civil War-era constitutional amendment. The company announces in advance, through the canary meta element or another : "If we receive one of several requests, $NAME and $NAME and $NAME will leave the company's employment." I don't see how the government can compel a private employer to compel an employee to continue working for the employer without it being deemed "involuntary servitude" in violation of the employees' Thirteenth Amendment right to quit. So if a certain set of employees is suddenly working for a different company, it's more likely than not that the company has received a classified order to violate a customer's privacy.
Re:Slavery hack (Score:5, Insightful)
By announcing the plan ahead of time, you are saying the actions are in direct response to, and a way to covertly signal that a warrant with gag order has been issued. Hell, your announcement may trigger legal action BEFORE a warrant is ever issued.
Re:Slavery hack (Score:4, Interesting)
I don't really know the corporate law in US... but what if you say something like - "We will donate 999$ to EFF every time we consider that the rights of our user are in anyway under threat. This is our way of protecting your freedom."
Re:Slavery hack (Score:4, Interesting)
By announcing the plan ahead of time, you are saying the actions are in direct response to, and a way to covertly signal that a warrant with gag order has been issued. Hell, your announcement may trigger legal action BEFORE a warrant is ever issued.
While you may have a technical point here, practically it is far less relevant. Those that are on the other side of this are vulnerable to the light such a prosecution would bring to their actions. They know that what they are doing is so completely fundamentally illegal for so many reasons, that even if they are 100% right legally about the situation you describe, their system of injustice could never withstand actual litigation in such a scenario. Sadly, this means that they will result to less above-board tactics of coercion to achieve their ends.
Re:Slavery hack (Score:5, Insightful)
My guess is, the harder it is to maintain a canary the less likely you are to get in trouble for breaching it.
If you promise to do a silly dance, and put it on Youtube every day, they may find it difficult to force you to continue. They might be able to take some action against you, but you have the paper-thin defence that you forgot to do the silly dance, or that your canary was simply not something that users really expected you to carry on with. Or you could even just make the silly dance less silly.
On the other hand, manually removing a tag from a page, or killing an automated canary is obviously a deliberate step you took to signal the search. They can definitely treat "sudo kill -9 canary", or manually editing a web page as a step you took to breach the gag order.
If you want to risk a canary, don't make it fully automated. There's no way in hell you'll get away with it.
I'm not a lawyer. I don't know if a "dead man's switch" is OK, because they they can't force you to press it. But I'm pretty confident that a fully automated canary is simply not going to work.
Re: (Score:2)
So the day after this announcement, they issue one of those requests.
The FISA court would grant them authority to do so, in order to protect the integrity of the FISA system. They would see the notice itself as grounds to issue one targeting you.
Are you volunteering to be one of the names who promises to quit?
Re:Slavery hack (Score:5, Interesting)
In a police state, almost any sort of behavior can be compelled for any amount of time. You underestimate the moral corruption of those with power and vastly overestimate the value of the US constitution. Hint: The US has been operating an extra-legal KZ for quite some time now. They could not do that if the US constitution had any value.
So just threaten said employees with life in prison for exposing "secrets critical to national security" and you are done.
Re: (Score:3)
In a police state, almost any sort of behavior can be compelled for any amount of time. You underestimate the moral corruption of those with power and vastly overestimate the value of the US constitution. Hint: The US has been operating an extra-legal KZ for quite some time now. They could not do that if the US constitution had any value.
So just threaten said employees with life in prison for exposing "secrets critical to national security" and you are done.
But why bother with the charade? In other police states, people disappear with no reason. There is no secret court. There is no "process". They just do what needs to be done. Opposition politicians, investigative journalists, enemies of those in power, and, in many cases, friends of those in power are arrested one day and never heard from again. That hasn't been happening. Stupid cowboy shit like bugging the phones of world leaders, yes. Compelling the secrecy of secret surveillance, yes. But as far as I k
Re:Slavery hack (Score:5, Insightful)
There's a way to hack around this by exploiting a Civil War-era constitutional amendment. The company announces in advance, through the canary meta element or another : "If we receive one of several requests, $NAME and $NAME and $NAME will leave the company's employment."
Seems like overkill to me. A "canary tag" might actually be the way to go. While the government seems to feel it can compel your silence, compelling speech is a completely different thing under the law. Coercing a company to keep its "canary tag" alive is a very different matter from compelling them to take it down and shut up.
Re: (Score:3)
But they can just upstream you, and put their proxy ahead of your servers and adjust the tags. After all, they have been demanding SSL certificates for some time now.
And where would the get the authority to do that??? The government does not have any legal power to put something out there themselves and claim that it's mine. They have no more authority to lie on my behalf than they do to force me to lie.
Do not confuse technical capability with legality. If they were the same, there would be no hackers in prison.
Re: (Score:3)
That ship as sailed. The first amendment is null and void.
Bullshit. The 1st Amendment is your single best chance of declaring things like gag orders unconstitutional.
I will not accept such a defeatist attitude. If you want to sit on your thumbs and moan in despair about how much you have been wronged, and how useless it is to fight it, go right ahead.
But don't try to tell me to do the same thing. I have too much respect for myself (and the children of the future) to indulge in that kind of whining.
Re:Slavery hack (Score:5, Insightful)
Congress has LONG AGO (well before your birth) passed laws authorizing gag orders, in spite of clear and unambiguous language in the first ammendment, and these have been upheld all the way up to the Supreme Court.
Short of forming a large army and taking over the government, and start hanging Suprhereeme Court Judges, there is exactly ZERO, chance of you winning such an appeal. This is settled law.
The first ammendment is dead. Either DO SOMETHING to prove me wrong or accept it. Boastful chest thumping on Slashdot is useless.
Re: (Score:3)
Re:Uhh (Score:4, Insightful)
Indeed. The feds may be stupid, but even they can learn from experience, and most of them can read. So if this becomes a standard, they will at some time manage to understand the concept (possibly with outside help) and implement countermeasures. Look at Lavabit: The owner decided to use his whole company as a canary and while it worked, he had to stand up to severe legal threats that may only fail because no respective secret law was in place. It will be by now and triggering your canary could award you life in prison.
No, the only way to deal with a police state (and in many respects the US is now one) is to leave the country and move business to the free world.
Incidentally, this whole idea is an example of engineers trying to fix human problems with technology. That does not work. Data leakage, privacy invasion, online fraud, surveillance, etc. all cannot be fixed with technology. "The law" is just as unsuitable as it is a technocratic construct. The only thing that works is banning the scum that commits these heinous acts against freedom, trust and honor from being regarded as part of the human race when discovered. Nothing less will work.
Re: (Score:3)
Indeed. The feds may be stupid, but even they can learn from experience, and most of them can read. So if this becomes a standard, they will at some time manage to understand the concept (possibly with outside help) and implement countermeasures. Look at Lavabit: The owner decided to use his whole company as a canary and while it worked, he had to stand up to severe legal threats that may only fail because no respective secret law was in place. It will be by now and triggering your canary could award you life in prison.
Lavabit did no such thing. All they wanted to do was comply with a pen register order without compromising their entire system in the process. Lavabit folded after they concluded it would not be possible.
As for your life in prison comment...who knows it could be the death penalty or three generations of you and your family doing hard labor NK style. We all get to hand-wave and make all the assertions we want...fun aintit?
No, the only way to deal with a police state (and in many respects the US is now one) is to leave the country and move business to the free world.
I wish to assert my 1st amendment privilege to invoke Godwin's law. Cowardice and c
Re: (Score:3)
Free world? You mean Antarctica?
Alas, not free either. Go ahead, just try setting up a mining facility there. (See Article 7 of the Protocol on Environmental Protection to the Antarctic Treaty.)
Although I don't see anything explicitly prohibiting the set up of a data center, and you wouldn't have to worry about cooling. Power and connectivity would be a bitch, though.
Re: (Score:3)
But an email servers or Cloud Storage that REQUIRED client side encryption, with the provider NOT KNOWING any keys, would limit what can be delivered to the feds to only metadata (from who, to who, date, etc), rather than content.
So yeah, Lavabit had a structural problem. One of their own creation.
Re: (Score:3)
Totally overblown. The NSA doesn't rely on force. It relies on passive agressive legal intimidation. These are two completely seperate things.
If America loses its freedom to a group of people who simply threaten to take people to court.... well there won't be much hope for what the country has become.
Re: (Score:3)
Re: (Score:3)
Re: (Score:3)
Re: (Score:3)
(I am not a lawyer, but I studied military law.) Judges are not stupid. So if you are served with a gag order and then kill your canary through action or inaction, then you will go to jail, because you have signaled something in contravention of the gag order.
There is still a line that they are not allowed to cross. Forcing someone to "speak in the affirmative", especially if it's a lie, is far different from forcing them to shut up.
Re: (Score:3)
I think you could pile Sarbanes-Oxley on top of that. CEOs/CFOs have to certify that their companies' public financial statements and disclosures are true so that they don't mislead their investors. Forcing them to lie on an issue that could have a big financial impact on the company (say they are a cloud storage company) should get the lobbyists into gear ...
to kill Sarbanes Oxley.
The problem I see (Score:5, Insightful)
The person adding the metatag rotting in a federal prison?
Re:The problem I see (Score:4, Informative)
Yup. from the unless-double-secret-probation-prohibits-canaries dept., pretty much.
Your post advocates a
... [craphound.com]
(*) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting NSLs. Your idea will not work. Here is why it won't work.
Re: (Score:2)
Yup. from the unless-double-secret-probation-prohibits-canaries dept., pretty much.
Why am I thinking of the film Birdman of Alcatraz [wikipedia.org]?
Re: (Score:3)
On what charge? The US does not have an official secrets act, and these gag-orders have already been found to be unconstitutional.
The NSA is not some soviet goon squad -- as much as they'd like people to believe otherwise. They are a bloated bureaucracy equipped with legal teams, bluster, and bluff. A large part of the organization consists of mathematicians, the largest part probably clerical staff.
The recent South Park episode on the NSA probably g
Re: (Score:3, Insightful)
The same judge that found them "unconstitutional" also forced Google to comply with it.
Google fails to strike down FBI's 'unconstitutional' secret gagging orders [zdnet.com]
You're right that the NSA isn't a "Soviet goon squad," but I wouldn't go too far in relying upon South Park for insight. Just for starters, I believe there have been reliable sightings of Santa Claus around the world before and after.
Re: (Score:3)
technical fixes for political problems (Score:5, Insightful)
do not work.
like, what the flying fucktonmeister fuck? why do you think it would be exempt from the "don't tell the victim of surveillance" rules because it's a metatag?
best you can do is close down the service. that is it! and even then you'll have to fight in court!
Technical fixes temporarily work (Score:5, Insightful)
like, what the flying fucktonmeister fuck? why do you think it would be exempt from the "don't tell the victim of surveillance" rules because it's a metatag?
Because laws are rarely written to cover every variation that could possibly circumvent them.
People regularly take advantage of this until legislation is written to patch the loopholes.
There might be less wiggle room because "national security," but there is undoubtedly room to maneuver.
And as TFA mentioned, the issue of government compelled speech is much thornier than government compelled silence.
I'd love to see the Supreme Court argument on why the government can compel you to continue digitally signing a certificate that says the government is not spying on you (even when they really are).
Re: (Score:3)
People regularly take advantage of this until legislation is written to patch the loopholes.
There is no way for them to "patch" this "loophole", because the government has no authority to compel speech. At best (even in those cases where it is legal for them to do so), the best they can do is force you to shut up. They have no Constitutional authority to force speech from somebody. (Testimony in court, in some cases, but not public speech.)
So it's exempt from the "don't tell" rule because it's not telling. A "kill switch" is not speaking. It's one thing to force someone to NOT say "we received
Re: (Score:3)
Exactly. These are our governments. Stop trying to fight them and start fixing the governments themselves. Next election ask the candidates repeatedly "what measures are you taking to make the government more transparent? Do you promise to pass a law making all secret warrants illegal? How can you convince us 100% that you will keep your promises?"
That's not going to work.
This might work: Gather plenty of like-minded people and go to the politician's office tomorrow and demand the answer to those questions right away. Then do the same thing again and again until they pass acceptable laws and regulations. If the politician stops showing up at work; go to their house instead.
Re: (Score:3, Interesting)
Gather plenty of like-minded people and go to the politician's office tomorrow and demand the answer to those questions right away.
Which office?
The local one that he only does to during elections?
Or the one in DC that he's hardly ever at for various reasons. And if your group shows up, all of you will be welcomed by Capitol police and other federal agents in riot gear you will be escorted to a "Free Speech Zone". Resist - like don't move - and on the 5 O'Clock news you'll see "Protestors in DC against surveilance arrested for violent behavior." The TV watching zombies watching will just shake their heads over those silly Liberals and
Re: (Score:2)
Re:technical fixes for political problems (Score:4, Funny)
I think you missed something [imgur.com].
Re:technical fixes for political problems (Score:4, Insightful)
They have to prove stuff now?
Re:technical fixes for political problems (Score:4, Insightful)
They have to prove stuff now?
Don't think so. They can already hold people indefinitely without even charging them. Just look at Gitmo. So while technically these people are not serving a life sentence, it seems the only difference is that the conditions they are imprisoned under are worse. No, in a police state they can lock you up any time they want in order to force you to do or do not do whatever they want. The US is at the very brink of being a police state, the only reason it is not is its large size and hence slow movement. All the mechanisms are already in place, it just needs some scaling up.
Re:technical fixes for political problems (Score:4, Insightful)
Just look at Gitmo.
You mean the POW camp that's hosting people captured on foreign battlefields? Is there a single person there of any nationality who was captured on American soil?
The Federal Government has all manner of ways to compel you to assist with a warrant and/or NSL. Gitmo isn't one of them. This guy [readwrite.com] didn't go to Gitmo, in spite of his refusal to cooperate with the Feds. He hasn't even gone to regular Federal prison, even though he arguably refused to enforce a valid court order, one issued after judicial review, not some NSL letter issued in the middle of the night by a faceless DOJ bureaucrat.
I'm not a fan of Gitmo and would like to see it shuttered sooner rather than later, but let's at least confine our discussions about it to reality. Reality: Nobody has been admitted in Gitmo in years, and none of those who were got sent there after being captured for crimes (real or alleged) on American soil.
The US is at the very brink of being a police state
I don't think you know what a real police state is. Stand outside the White House with a sign stating that BHO is an authoritarian asshat. Now try the same exercise in Pyongyang with a sign directed at the Supreme Leader. Repeat the exercise but replace the current leaders with George Washington and Kim Il-sung. What do you suppose the difference in outcomes will be for you?
Want a less extreme example? Hold a LGBT rally in Washington, wherein you call out the current political establishment for being spineless on the issue of LGBT rights. Now fly to Moscow and repeat the exercise. You won't end up in the Gulag like you would in North Korea, but you're going to be "encouraged" not to continue with your activities.
Point being, there are varying degrees of "police state", and on a scale of 1 to 10 the United States might score a 2.5 on our worst day. We're not perfect, but the rhetoric that you're using is unproductive and clearly not grounded in reality.
Re:technical fixes for political problems (Score:5, Insightful)
It's not that it's smarter, it's that it has arrived at this point through a different history. Internal violence has rarely been necessary. But when the police organizations can act on their own autority (and I'm counting the executive arm of the feds as a police organization, though that's only partially true) then you have a police state. So far only small chunks of the executive have become truly independent, and even they pretend that they are obedient to the legislature. That's not a real police state. And while the CIA has at times shown total independence of Congress, no other segment of the executive has been quite that blatant.
I'd say "teetering on the brink" is a correct description. Not quite as close to the brink as the GP suggested, but still only in a quasit-stable position. And the most likely direction of collapse is further into a police state, though likely on the Roman model (with technical refinements) rather than on the Soviet model. I doubt that there will be internal violence even on the level of Marius vs. Sulla. And there probably won't be an internal episode of the drama of Julius Caesar crossing the Rubicon ("Alea iacta est", etc.). OTOH, that may have been a publicists creation anyway. And I really doubt that some future "president" will be stabbed to death in the Senate by the Senators. Parallels don't run that close. Booth's "Sic semper tyrannis!" is a more likely future scenario...and even that's quite unlikely.
P.S.: There is a reasonable argument that Lincoln deserved to be shot for treason. He trampled all over the Constitution during the Civil War, and most of recent history is the result of it, including the drastic centralization of power in the federal gvoernment. OTOH, if it weren't for that the US might have continued to be "these United States" rather than "the United States". But ever since Lincoln the presidents have been more powerful, and allowed much greater latitude in the impositon of central power. This isn't all bad, but it sure isn't all good. And it doesn't appear to be what the Consitution allowed as interpreted at any prior time. One may argue that this was the inevitable result of improvements in transportation and communication, and this is certainly true in part. But that should have been accomplished through ammending the Constitution rather than by twisting what the words meant. That it was done the way it was done was largely due to powerful groups insisting that it be done NOW in a way that they could never have gotten 2/3 of the Senate to agree to, much less 3/4 of the States. So it was done via a power play, i.e., "We're doing it and you can't stop us." And the extension of that method is how the US is turning into a police state.
What does this solve? (Score:5, Insightful)
I'm not really sure what problem this solves, or how the outcome would change if the canary "died."
We're well-aware that many companies are required to produce information via FISA court orders, national security letters, or other means. What we don't know-- in many cases-- is how often, what information is obtained, by whom, and for what purpose. The "canary" doesn't answer any of the unknowns, except that a particular company received at least one such order, which is of extremely limited value (if of any at all).
Are you really this dumb, Timmeh? (Score:3, Insightful)
What problems do you see with this approach?
Gee, I don't know Timmeh. Maybe the fact that it would break the gag order and you'd be sent to the federal pen?
Attempts to communicate receipt of secret orders (Score:3, Insightful)
Under the rug bullshit (Score:2)
How about we stop trying to sweep shit under the rug, while sitting calmly in our homes and playing Candy Crush on facebook, and start acting like responsible citizens and taking steps to improve the government?
Hit the streets protesting, vote responsibly, gather signatures to force your representatives to take measures.
When you propose or implement things like this, you are sending them the mess it is ok to do it.
Re: (Score:3)
force your representatives to take measures
sadly, to get this to work you have to remove THEIR fear, as well.
they answer to superiors (nsa, etc) and their 'parents' won't really agree no matter how much we little people want things to change.
not even money will make this fix happen. this is beyond bribing (which usually works for those in elected offices).
revolution is the only way to fix this. I don't see the NSL's ever going away in the next 20 or so years unless there is a bloody and violent fight abou
Weird legal situation (Score:5, Interesting)
My guess would be that in any of these instances, no judge would rule that you must keep updating the canary. However, I'd imagine that they might rule that you broke the law by setting up the canary in the first place. Of course, there's an obvious problem with that -- as long as you never get a secret warrant, you clearly couldn't be prosecuted for violating one. So it's a weird situation where an action that is otherwise legal, becomes retroactively illegal upon receiving a secret warrant. It's a bit of a mindfuck.
Re: (Score:2)
It's the grey areas I like to avoid... A judge having a bad day or is just in a bad mood may decide that they want to interpret the law such that you end up in prison for 20 years.
My best advise to anyone would be steer away from using anything like this. Even better would be to avoid the situation where something like this would even be useful to anyone.
Re: (Score:2)
Re:Weird legal situation (Score:4, Insightful)
Good idea, but make it company-wide totals (Score:2)
Let companies who really care, keep a tally of individual accounts under scrutiny, total transactional records captured for surveillance purposes: a set of standard metrics for the moment and cumulative by month and year.
Let this information be placed into the Canary meta-tag of every web result for everyone, and let web browsers and plugin developers find ways to display this information on the borders of the page.
People could watch the numbers grow over time easily, and could maintain a constant vigilance
Transparency (Score:2)
What if Google decided to say, "fuck it", and not only publicly post when they're asked for data, but details as to which accounts, what data.... everything! We all assume that the feds will scoop someone off to jail, but who'd it be? It's not like the government will take everyone that works at Google, or the stock holders, to jail. Google is huge, with more money than the government, could they not just bail out of jail, and fight it out in court? I mean the whole idea of
Re: (Score:3)
Senior management arrested, stock plummets, company liquidated. Example made.
Re: (Score:2)
And why can't we do that when a company commits an actual crime?
Re: (Score:2)
Yeah, that'll work (Score:4, Insightful)
Precedent in other law systems (Score:5, Informative)
Same reason the British AA (Automobile Association, not alcoholics) were formed and (later) forced to change their ways.
The whole point of the AA was formed to inform members of police speed traps. Back in the days of red-flags in front of vehicles held by a man. If your were an AA member, and there were no police around, an AA employee would be required to salute you.
If, however, there was a police trap present, they would not. Absence of the salute was seen as just such a canary to warn you despite being a "non-action". Eventually it was ruled illegal and the AA and the RAC both become just "vehicle breakdown" companies
When it comes down to it, if a court / police can argue that they need you NOT to trigger the canary (by inaction or otherwise), they will find a way to make you do it. They already redirect your DNS if they steal your domain, what's to stop them updating the canary themselves apart from a minor technical issue? All it will do is just get your whole domain seized to make you compliant.
ESPECIALLY if the entire point of the canary is to indicate to people whether you are subject to a (potentially LEGAL) court order not to reveal that you're under such an order. Little difference between that and you phoning up your buddy to warn him that you were just busted and the cops have his address - it's seen as deliberate evasion of the law. Even if the message is "I **WON'T** text you at 5pm if I've been raided".
The simple fact, though, is that such warrants are not a problem when they are legal and above-board. The problem is when they are not. Skirting the legal grey area yourself is not the correct response to the agencies skirting the legal grey areas.
If all else fails, they'll just institute a law to stop you doing things like this.
Re:Precedent in other law systems (Score:5, Insightful)
These warrants _are_ legal. Do not confuse "moral", "right", "appropriate" or "just" with "legal". For example, the Nazis killing Jews was perfectly "legal". Once you have secret courts and secret laws, you can make basically everything you like "legal". That is why only totalitarian states (or the ones on their way there) have secret courts or secret laws. The law is just a bureaucratic instruction on how to deal with people the government does not like. Once the government starts to dislike or fear the population of a country (and the US is clearly there already), the law just becomes a tool of oppression.
Re: (Score:3)
Woops, sorry. You just exceeded the language sophistication I expect here. You are entirely correct, of course.
Magical thinking, (Score:5, Insightful)
With the advent of national security letters and all the NSA issues of late perhaps the web needs to implement a warrant 'warrant canary' metatag
"The web" doesn't implement anything. You do.
The exposure of a warrant in violation of a court order will land you in jail.
The judge won't give a damn about how cleverly you went about it --- until you come up for sentencing, of course.
Shades of gray (Score:2)
Once you accepted that you can have secret laws to force providers to not tell something, how far is that from forcing them to keep updating that metatag or lying? Before that becomes a standard or something popular enough the law covering that chance will follow.
The system is broken already, there is no possible trust if you have secret laws to force even the most trustfully provider to follow their orders, stop playing boiling frog.
And if you think that things are bad enough already, think that we know
Simple solution (Score:5, Insightful)
Re:Simple solution (Score:4, Insightful)
What makes you think overseas is safe? Because once it's outside the United States it's then legally fair game for the NSA and CIA to tap because spying on foreign assets is supposed to be their jobs.
After all who are they buying vendor support services from? How many of the leading tech support agents from companies like Microsoft, IBM, Oracle, Cisco, also draw a nice second pay check from the 3-letter agencies to install special devices/software/updates for said agency against a particular target. Even the local tech support guys can be bought or blackmailed. And if it's in a foreign country, that's within the CIA's mandate. Again, that's their job.
The US intelligence agencies run a fleet of international cable tapping submarines. If your traffic travels across an ocean, any ocean, or major body of water with ocean access it's tapped. How many "weather" satellites also contain communications intercept gear?
So you think your safe not hosting in the United States? Well think again.
Re: (Score:3)
That is a rather simplistic view of what happened. It is also inaccurate in many respects. For example, the US military did not prevent a 3rd world war, it very nearly destroyed the word several times being on the brink of fighting it. These lunatics though for a long time that a global nuclear war could have been "won". Not so, says modern climate science. As to C and microprocessors, taking what was created in Europe instead would have been far better in quality. For example, the atrocity that is x86 woul
Cory's solution won't work, at least (Score:3)
Yeah, *you* sign it. Because the NSA won't have access to your private key, suuuuure....
What company in it's right mind (Score:2)
It's not that easy - (Score:2)
First off - Any company/individual that receives ANY warrant should be allowed to publish that fact. I think what's being searched might be reasonably kept secret but the government should never have the right to force you into an anal probe and then demand you keep it secret. That's just dictatorial BS and it needs to stop NOW.
That being said - Let's say you implement the canary... Then the government just makes a small request of the site in a regular time period. Now it becomes an effective whipping
Re:It's not that easy - (Score:4, Informative)
They shouldn't have the right, but that doesn't mean they don't do it anyway [cnn.com].
Another implementation (Score:2)
A company (I've forgotten which, think it was a "pre-cloud" storage solution) used this approach: ... I remember wondering if there is some legal way to
Each day post a photo of the front page from a local newspaper, with the message that if said image was no longer updated, they had received a 'request'. The idea being that the government/law agency/whatever only have the legal means to make them STOP doing something, but are unable to force them to go through the trouble of uploading a new image each day.
Re: (Score:2)
They don't need to force a company to upload anything.
They just require the company's co-operation to inform them of the correct process to reproduce what they would normally do, and access to their systems. Pretty much if you get to that point, you already have that.
And, again, uploading an image of a newspaper isn't authentication that the message came from the people who set up the canary. Any agency could say "Okay, we require access to your systems to perform law enforcement tasks that you cannot be
Easy government workaround (Score:4, Insightful)
All the government has to do to make this useless is to regularly send a warrant request to every web property of any note.
What's more interesting is the suit filed by several tech companies demanding permission to provide counts of National Security Letters and the number of accounts affected. Google has already negotiated permission to share this data as long as it's in ranges no smaller than 1000, which actually tells us most of what we want to know already (e.g. in 2012 Google received between 0 and 999 NSLs, affecting between 1000 and 1999 user accounts, which, assuming Google has about a billion users, means the NSLs have affected ~0.0001% of their user base), but exact numbers would be better.
As another poster said, technological solutions to policy problems don't work, at least not well. We need to fix the law.
Does this even work? (Score:3)
Is there any source where an actual legal professional posits that removing a statement does not violate a gag order the same way that publishing one does? Let alone a case where a court decides that?
It just seems like such a stupid and obvious loophole.
Re: (Score:3)
(And if that loophole doesn't work, here's a conundrum: What if you put up a statement that falsely claims you are under a gag order? If you get a warrant then, are you forced to remove it - which might signal people that it has become true - or forced to keep it up?)
wrong approach (Score:3, Insightful)
You're focusing on the wrong problem.
Re: (Score:2)
Courts are not deterministic machines executing the law and applying the facts of the case as if they were parameters to some sort of code.
They are if they don't want their cases overturned by a higher court.
Right to quit (Score:2)
Injunction against telling the individual who updates the metatag to stop updating it.
The employee who updates the metatag is no longer with the company, and he has a constitutional right to quit [slashdot.org].
Re: (Score:3)
We are to the point where I wonder why everybody keeps falling back on things like "constitutional right to quit".. Its now to the point where this government has spit on the constitution for so many years, and are now to the point of actively setting it on fire, bringing on its total and complete disregard by this government.. I love this country, served in its military in the 70s, but am embarrased and sickened by its government.. We are WELL beyond "the ballot box" being able to fix the MANY problems, an
Re: (Score:2)
Better get someone else to update it, under penalty of law, says mr injunction.
Re:Right to quit (Score:5, Insightful)
Re: (Score:3)
Indeed. This is not a technological problem. The only meta-technological solution that would work is to stop doing business in the US. Corporate greed will prevent that from happening.
Re: (Score:2)
Nobody has to force YOU to lie. They just have to have you demonstrate how THEY could lie using your systems. And that they can legally coerce you to do already. And non-cooperation will see you up in court for failing to comply with a valid court order, so 99% of people will comply.
The rest is just obvious.
Re:What type of canary? (Score:5, Funny)
European.