Time For a Warrant Canary Metatag?

An anonymous reader writes "With the advent of national security letters and all the NSA issues of late perhaps the web needs to implement a warrant 'warrant canary' metatag. Something like this: <meta name="canary" content="2013-11-17" />. With this it would be possible to build into browsers or browser extensions a means of alerting users when a company has in fact received such a secret warrant. (Similar to the actions taken by Apple recently.) The advantage the metatag approach would have its that it would not require the user to search out a report by the company in question but would show the information upon loading of the page. Once the canary metatag was not found or when the date of the canary grows older than a given date a warning could be raised. Several others have proposed similar approaches including Conor Friedersdorf in The Atlantic and Cory Doctorow's Dead Man's Switch." What problems do you see with this approach?

Uhh

[Anonymous Coward]

They would force you to keep the "all-clear" signal with guns pointed at your head? That might be a problem.

The problem I see

[elrous0]

The person adding the metatag rotting in a federal prison?

technical fixes for political problems

[gl4ss]

do not work.

like, what the flying fucktonmeister fuck? why do you think it would be exempt from the "don't tell the victim of surveillance" rules because it's a metatag?

best you can do is close down the service. that is it! and even then you'll have to fight in court!

What does this solve?

[Anonymous Coward]

I'm not really sure what problem this solves, or how the outcome would change if the canary "died."

We're well-aware that many companies are required to produce information via FISA court orders, national security letters, or other means. What we don't know-- in many cases-- is how often, what information is obtained, by whom, and for what purpose. The "canary" doesn't answer any of the unknowns, except that a particular company received at least one such order, which is of extremely limited value (if of any at all).

Are you really this dumb, Timmeh?

[Desler]

What problems do you see with this approach?

Gee, I don't know Timmeh. Maybe the fact that it would break the gag order and you'd be sent to the federal pen?

Attempts to communicate receipt of secret orders

[Anonymous Coward]

either through action or inaction are considered illegal by the secret laws ruled by the secret courts. Secret.

Re:Uhh

[PPH]

That and if your companies router is compromised at the firmware, who is to say that the company even knows it's data is being compromised?

However, upon discovering that my router has been compromised by persons unknown, there's nothing stopping me from raising a general alert with my customers.

The warrant problem can be solved by forcing law enforcement to deliver all warrants in the clear. My company exists purely in cyberspace. There is nobody in authority who can be contacted in person. All requests for assistance must be submitted in clear text, deposited in a publicly readable drop box on our server.

Yeah, that'll work

[14erCleaner]

I'm sure online businesses will be eager to add a tag that says "don't visit my site".

Slavery hack

[tepples]

They would force you to keep the "all-clear" signal with guns pointed at your head?

There's a way to hack around this by exploiting a Civil War-era constitutional amendment. The company announces in advance, through the canary meta element or another : "If we receive one of several requests, $NAME and $NAME and $NAME will leave the company's employment." I don't see how the government can compel a private employer to compel an employee to continue working for the employer without it being deemed "involuntary servitude" in violation of the employees' Thirteenth Amendment right to quit. So if a certain set of employees is suddenly working for a different company, it's more likely than not that the company has received a classified order to violate a customer's privacy.

Re:Weird legal situation

[GIL_Dude]

None of this matters. If any sort of canary became popular - EVERY site that had one would immediately get one of these secret orders. That order may be for something ludicrous (home phone of the CEO or something), but they would ALL get a secret order immediately. Boom. All the canarys are dead. And they no longer provide any information. Your move internet...

Magical thinking,

[westlake]

With the advent of national security letters and all the NSA issues of late perhaps the web needs to implement a warrant 'warrant canary' metatag

"The web" doesn't implement anything. You do.

The exposure of a warrant in violation of a court order will land you in jail.

The judge won't give a damn about how cleverly you went about it --- until you come up for sentencing, of course.

Re:Slavery hack

[Predius]

By announcing the plan ahead of time, you are saying the actions are in direct response to, and a way to covertly signal that a warrant with gag order has been issued. Hell, your announcement may trigger legal action BEFORE a warrant is ever issued.

Simple solution

[vikingpower]

Don't host anything in the USA. Don't use USA-based cloud services. Don't do business with USA companies. At my employer's, the national R & D institute of a smaller European country, we already don't anymore. Business keeps on going as usual. We live as if the USA would not exist. Can we be subject to surveillance, or eavesdropped upon ? Of course. But we are out of the legal hassle. As simple as that.

Re:technical fixes for political problems

[Anonymous Coward]

They have to prove stuff now?

Re:Uhh

[ShanghaiBill]

My company exists purely in cyberspace. There is nobody in authority who can be contacted in person.

I call BS. In every jurisdiction I have ever heard of, you are required to provide a physical address when registering a business, and any warrant or summons delivered to that address during normal business hours is generally considered "served".

Re:Right to quit

[qbast]

Sigh, gag order compels company to not communicate something. It does not really matter what cute scheme you are going to think up, you are still liable. Actually this idiocy with canary metatag would probably cause harsher penalty as it plainly shows that you planned to violate any gag order you were served.

Technical fixes temporarily work

[TubeSteak]

like, what the flying fucktonmeister fuck? why do you think it would be exempt from the "don't tell the victim of surveillance" rules because it's a metatag?

Because laws are rarely written to cover every variation that could possibly circumvent them.
People regularly take advantage of this until legislation is written to patch the loopholes.

There might be less wiggle room because "national security," but there is undoubtedly room to maneuver.
And as TFA mentioned, the issue of government compelled speech is much thornier than government compelled silence.
I'd love to see the Supreme Court argument on why the government can compel you to continue digitally signing a certificate that says the government is not spying on you (even when they really are).

Re:Uhh

[gweihir]

Indeed. The feds may be stupid, but even they can learn from experience, and most of them can read. So if this becomes a standard, they will at some time manage to understand the concept (possibly with outside help) and implement countermeasures. Look at Lavabit: The owner decided to use his whole company as a canary and while it worked, he had to stand up to severe legal threats that may only fail because no respective secret law was in place. It will be by now and triggering your canary could award you life in prison.

No, the only way to deal with a police state (and in many respects the US is now one) is to leave the country and move business to the free world.

Incidentally, this whole idea is an example of engineers trying to fix human problems with technology. That does not work. Data leakage, privacy invasion, online fraud, surveillance, etc. all cannot be fixed with technology. "The law" is just as unsuitable as it is a technocratic construct. The only thing that works is banning the scum that commits these heinous acts against freedom, trust and honor from being regarded as part of the human race when discovered. Nothing less will work.

Re:technical fixes for political problems

[gweihir]

They have to prove stuff now?

Don't think so. They can already hold people indefinitely without even charging them. Just look at Gitmo. So while technically these people are not serving a life sentence, it seems the only difference is that the conditions they are imprisoned under are worse. No, in a police state they can lock you up any time they want in order to force you to do or do not do whatever they want. The US is at the very brink of being a police state, the only reason it is not is its large size and hence slow movement. All the mechanisms are already in place, it just needs some scaling up.

Easy government workaround

[swillden]

All the government has to do to make this useless is to regularly send a warrant request to every web property of any note.

What's more interesting is the suit filed by several tech companies demanding permission to provide counts of National Security Letters and the number of accounts affected. Google has already negotiated permission to share this data as long as it's in ranges no smaller than 1000, which actually tells us most of what we want to know already (e.g. in 2012 Google received between 0 and 999 NSLs, affecting between 1000 and 1999 user accounts, which, assuming Google has about a billion users, means the NSLs have affected ~0.0001% of their user base), but exact numbers would be better.

As another poster said, technological solutions to policy problems don't work, at least not well. We need to fix the law.

Re:Precedent in other law systems

[gweihir]

These warrants _are_ legal. Do not confuse "moral", "right", "appropriate" or "just" with "legal". For example, the Nazis killing Jews was perfectly "legal". Once you have secret courts and secret laws, you can make basically everything you like "legal". That is why only totalitarian states (or the ones on their way there) have secret courts or secret laws. The law is just a bureaucratic instruction on how to deal with people the government does not like. Once the government starts to dislike or fear the population of a country (and the US is clearly there already), the law just becomes a tool of oppression.

Re:technical fixes for political problems

[Shakrai]

Just look at Gitmo.

You mean the POW camp that's hosting people captured on foreign battlefields? Is there a single person there of any nationality who was captured on American soil?

The Federal Government has all manner of ways to compel you to assist with a warrant and/or NSL. Gitmo isn't one of them. This guy [readwrite.com] didn't go to Gitmo, in spite of his refusal to cooperate with the Feds. He hasn't even gone to regular Federal prison, even though he arguably refused to enforce a valid court order, one issued after judicial review, not some NSL letter issued in the middle of the night by a faceless DOJ bureaucrat.

I'm not a fan of Gitmo and would like to see it shuttered sooner rather than later, but let's at least confine our discussions about it to reality. Reality: Nobody has been admitted in Gitmo in years, and none of those who were got sent there after being captured for crimes (real or alleged) on American soil.

The US is at the very brink of being a police state

I don't think you know what a real police state is. Stand outside the White House with a sign stating that BHO is an authoritarian asshat. Now try the same exercise in Pyongyang with a sign directed at the Supreme Leader. Repeat the exercise but replace the current leaders with George Washington and Kim Il-sung. What do you suppose the difference in outcomes will be for you?

Want a less extreme example? Hold a LGBT rally in Washington, wherein you call out the current political establishment for being spineless on the issue of LGBT rights. Now fly to Moscow and repeat the exercise. You won't end up in the Gulag like you would in North Korea, but you're going to be "encouraged" not to continue with your activities.

Point being, there are varying degrees of "police state", and on a scale of 1 to 10 the United States might score a 2.5 on our worst day. We're not perfect, but the rhetoric that you're using is unproductive and clearly not grounded in reality.

Re:Simple solution

[ducomputergeek]

What makes you think overseas is safe? Because once it's outside the United States it's then legally fair game for the NSA and CIA to tap because spying on foreign assets is supposed to be their jobs.

After all who are they buying vendor support services from? How many of the leading tech support agents from companies like Microsoft, IBM, Oracle, Cisco, also draw a nice second pay check from the 3-letter agencies to install special devices/software/updates for said agency against a particular target. Even the local tech support guys can be bought or blackmailed. And if it's in a foreign country, that's within the CIA's mandate. Again, that's their job.

The US intelligence agencies run a fleet of international cable tapping submarines. If your traffic travels across an ocean, any ocean, or major body of water with ocean access it's tapped. How many "weather" satellites also contain communications intercept gear?

So you think your safe not hosting in the United States? Well think again.

wrong approach

[larry bagina]

If your wife kept having sex with other men, would you buy her wifi-enabled panties that texted you every time she took them off?

You're focusing on the wrong problem.

Re:Slavery hack

[Jane Q. Public]

There's a way to hack around this by exploiting a Civil War-era constitutional amendment. The company announces in advance, through the canary meta element or another : "If we receive one of several requests, $NAME and $NAME and $NAME will leave the company's employment."

Seems like overkill to me. A "canary tag" might actually be the way to go. While the government seems to feel it can compel your silence, compelling speech is a completely different thing under the law. Coercing a company to keep its "canary tag" alive is a very different matter from compelling them to take it down and shut up.

Re:The problem I see

[cold fjord]

The same judge that found them "unconstitutional" also forced Google to comply with it.

Google fails to strike down FBI's 'unconstitutional' secret gagging orders [zdnet.com]

You're right that the NSA isn't a "Soviet goon squad," but I wouldn't go too far in relying upon South Park for insight. Just for starters, I believe there have been reliable sightings of Santa Claus around the world before and after.

Re:technical fixes for political problems

[HiThere]

It's not that it's smarter, it's that it has arrived at this point through a different history. Internal violence has rarely been necessary. But when the police organizations can act on their own autority (and I'm counting the executive arm of the feds as a police organization, though that's only partially true) then you have a police state. So far only small chunks of the executive have become truly independent, and even they pretend that they are obedient to the legislature. That's not a real police state. And while the CIA has at times shown total independence of Congress, no other segment of the executive has been quite that blatant.

I'd say "teetering on the brink" is a correct description. Not quite as close to the brink as the GP suggested, but still only in a quasit-stable position. And the most likely direction of collapse is further into a police state, though likely on the Roman model (with technical refinements) rather than on the Soviet model. I doubt that there will be internal violence even on the level of Marius vs. Sulla. And there probably won't be an internal episode of the drama of Julius Caesar crossing the Rubicon ("Alea iacta est", etc.). OTOH, that may have been a publicists creation anyway. And I really doubt that some future "president" will be stabbed to death in the Senate by the Senators. Parallels don't run that close. Booth's "Sic semper tyrannis!" is a more likely future scenario...and even that's quite unlikely.

P.S.: There is a reasonable argument that Lincoln deserved to be shot for treason. He trampled all over the Constitution during the Civil War, and most of recent history is the result of it, including the drastic centralization of power in the federal gvoernment. OTOH, if it weren't for that the US might have continued to be "these United States" rather than "the United States". But ever since Lincoln the presidents have been more powerful, and allowed much greater latitude in the impositon of central power. This isn't all bad, but it sure isn't all good. And it doesn't appear to be what the Consitution allowed as interpreted at any prior time. One may argue that this was the inevitable result of improvements in transportation and communication, and this is certainly true in part. But that should have been accomplished through ammending the Constitution rather than by twisting what the words meant. That it was done the way it was done was largely due to powerful groups insisting that it be done NOW in a way that they could never have gotten 2/3 of the Senate to agree to, much less 3/4 of the States. So it was done via a power play, i.e., "We're doing it and you can't stop us." And the extension of that method is how the US is turning into a police state.

Re:Slavery hack

[icebike]

Congress has LONG AGO (well before your birth) passed laws authorizing gag orders, in spite of clear and unambiguous language in the first ammendment, and these have been upheld all the way up to the Supreme Court.

Short of forming a large army and taking over the government, and start hanging Suprhereeme Court Judges, there is exactly ZERO, chance of you winning such an appeal. This is settled law.

The first ammendment is dead. Either DO SOMETHING to prove me wrong or accept it. Boastful chest thumping on Slashdot is useless.

Re:Authority to approve hosting expenses

[currently_awake]

American law applies to whoever the men with guns says it does. If the NSA is willing to spy on everyone, why would they balk at hacking your account and posting their own canary?

Re:Slavery hack

[wisty]

My guess is, the harder it is to maintain a canary the less likely you are to get in trouble for breaching it.

If you promise to do a silly dance, and put it on Youtube every day, they may find it difficult to force you to continue. They might be able to take some action against you, but you have the paper-thin defence that you forgot to do the silly dance, or that your canary was simply not something that users really expected you to carry on with. Or you could even just make the silly dance less silly.

On the other hand, manually removing a tag from a page, or killing an automated canary is obviously a deliberate step you took to signal the search. They can definitely treat "sudo kill -9 canary", or manually editing a web page as a step you took to breach the gag order.

If you want to risk a canary, don't make it fully automated. There's no way in hell you'll get away with it.

I'm not a lawyer. I don't know if a "dead man's switch" is OK, because they they can't force you to press it. But I'm pretty confident that a fully automated canary is simply not going to work.

Re:Authority to approve hosting expenses

[garyebickford]

Folks have been doing this lately, and now it's a 'movement'. I suspect it is all in vain. It seems to me that the secret court would simply interpret removing the tag as informing de facto, and requiring you to leave the tag in place even though it is no longer true. So I think it's a pointless gesture at best, and most likely a deceptive error that is possibly worse, since folks might depend on its veracity / correctness.