Hacker News
Rsync.net warrant canary (rsync.net)
239 points by losfair on Jan 7, 2023 | 227 comments


In 2006 this was, via Wikipedia[1], "[t]he first commercial use of a warrant canary," although it was proposed in 2002 on usenet.[2]

1: https://en.wikipedia.org/wiki/Warrant_canary#Usage

2: https://web.archive.org/web/20131103121048/http:/groups.yaho...


Short and informative, no citations needed, discusses interesting early internet lore... This is what a good hackernews comment looks like!

edit: Yikes, remind me not to compliment people here. It boggles the mind how this could be seen as controversial. Did people assume sarcasm? I was being sincere. It is a good comment.

double edit: back up to 0! Suppose I sounded a bit sarcastic.


The edit chains might be the rub of the downvotes, Shameless.


The weird thing to me about this canary document and others like it is that they cover all warrants, not just NSLs.

Warrant canaries were a reaction to the NSL process, which is invariably (and, I guess, permanently?) gagged, and was seen as exceptional and in some sense extra-judicial. It would be newsworthy for a service to be NSL'd, and further evidence of dragnet surveillance programs sweeping up Americans.

Ordinary search warrants and disclosure demands occur, presumably, all the time; they're issued by courts in individual felony cases, such as for drug conspiracies, child pornography, and white collar criminal conspiracies. Serious crime happens all the time; it's not really all that newsworthy for a warrant to issue in, like, an insider trading case.

So, what does it tell us if this particular canary document was taken down? Perhaps the DOJ is working with the intelligence community to dragnet the service, or establish a durable norm of being able to transactionally extract records that will amount to the same thing as a dragnet. Or, maybe, just some random state court judge in Oklahoma decided it was likely that somebody's meth distribution business kept records in that service. One of those is interesting, the other not.

Why not just have more than one canary if you're going to do it this way?

It's been this way for a long time, and I'm just now having this thought, so it's equally likely that my take here is just faulty; if so, let me know.


"Why not just have more than one canary if you're going to do it this way?"

It's not entirely clear from the canary itself but the idea is that we will list all (non secret) warrants in the signed message.

Currently, the PGP signed message starts with the line:

No warrants have ever been served to rsync.net, or rsync.net principals or employees. No searches or seizures of any kind have ever been performed on rsync.net assets, including:

... and if we were ever to receive a lawful warrant or notice, etc., we would then change that wording to reflect the date, service, location, etc. (in addition, presumably, to complying fully with this lawful order).

So the warrant canary would continue to be updated, on schedule, but with a new listing of all warrants served in the signed message.

On the other hand, if a NSL / secret / extrajudicial warrant were to be served we would be unsure of the correct course of action and would need to carefully consult our legal team, advisors, board of directors, etc. ... and that would take weeks.

The warrant canary would become stale as we performed our due diligence and retained and received proper legal counsel.


I don't understand. What I perceive you to be saying here is that, if you receive a sealed search warrant, you're simply going to log the warrant in this document. But the warrant is going to require you not to log it. So, that's not so much a "warrant canary" as a "we're just going to defy the court" canary. I must be missing something!


No, I am saying that if we receive a "normal" warrant we will log it in the canary in the signed portion.

A normal warrant, or a "normal" order for search or seizure, etc., is not out of bounds in a free society - we will happily comply with such lawful orders which have proper jurisdiction, etc.

We will also log them, publicly, as is our right. It just so happens that as of today we have never received such a warrant or order so the canary contains zero of them.

However, if we receive a NSL or other such "gagged" orders then we will need to consult with our principals and legal counsel, directors, etc. and that takes time.

The canary will surely expire as we perform that due diligence.

See also, below, my characterization of the warrant canary not as a legal hack or nose-thumbing, but as a poison pill provision that we ingested 17 years ago.


What will you do when you receive a sealed warrant? Sealed warrants to service providers in ordinary criminal cases are the common case I was talking about upthread. You will not be allowed by a court to log those orders when you receive them (you'll usually be able to log them when the case goes to trial).


I don't think service of a plain-jane sealed warrant is obstructed or hampered in any way by anything we do, or don't do, with the warrant canary.

Therefore it's a very easy call to stop publishing the canary, keep running our business as usual, and then update the canary with the relevant (probably non-personal) details of the warrant we received once the dust has settled.

Alternatively, our counsel, along with the jurisdiction involved, might find a satisfactory "we were served with a lawful warrant in blah blah District in Colorado" and nothing else that does not violate the seal.

One gigantic advantage (among many) of running a very tightly held, lean business firm with no debt is that you can be patient.


So, if I understand it, the plan is that you'll:

1. Receive an ordinary warrant in a criminal case, which will have non-disclosure language.

2. Take the canary down.

3. When, say, 6 months later, the case goes to trial and the warrant is unsealed, you'll put the canary back up, having logged the warrant.


From what I take it, the canary isn’t taken down. They simply do not update it.

They can’t be compelled to update it, because that would be compelling them to lie in real time to their customers and the general public.

National security can be used to make you stay silent, and cooperate by not hinting at secret material, but it can’t be used to force you to create and stand by a made up story.


If they don't take the canary down when they're served a sealed warrant, the canary isn't doing anything. In fact, it's actively misleading users.


If the canary is supposed to be updated weekly, but a week goes by and it isn't updated, doesn't that fulfill the role of the canary?


Ah, ah, ah, sorry. My bad. Yeah, that makes sense.


"2. Take the canary down."

No. The canary either stays up and is freshened every week or it stays up and doesn't get freshened.

Removing it is not part of the procedure at any point.


Since the main purpose of the warrant canary is to be able to inform the public of being served one if they are gagged, I indeed think non-gagging warrants aren't super relevant for them, but it also doesn't matter much that they are included: the next warrant canary can simply say "we got a routine warrant, asking for X information; no other warrants have been served". Whether that is then interesting or not is up to the public to decide.

In fact, if they didn't inform the public of regular warrants, only (indirectly, via the warrant canary) when they were gagged, it might incentivize the government to only serve regular warrants instead of NSLs, which surely isn't the intention.

If regular warrants happen often, I guess they could make a separate mechanism to inform the public about them, but I guess it doesn't, so far? In any case, if they aren't gagging, they wouldn't need a canary to inform the public about them.


OK, but now we're not "killing" the canary when we're served with a court order, we're training it to sing a different song. Part of the idea of a canary is that the simplicity of ceasing a continuous public assertion has more legal protections than simply violating a gag order would.

At the point where you're logging warrants, you're not doing a canary, you're doing a transparency report. The transparency reports we read are, as I understand it, the product of negotiations between companies and the DOJ.


Sure. My assumption was that the "routine" warrants wouldn't have gag orders, but I might be wrong on that. But yeah, if it doesn't, the transparency report might be a better place to put it, and then it might make sense to make the warrant canary specific to warrants that aren't / can't be in there for one reason or another (gag orders or milder forms of coercion / negotiations).

If they are gagging, multiple warrant canaries might work, but I think it becomes harder to argue that you aren't communicating anything if you stop publishing one but still publish the others. Taken to the extreme, you could have many canaries, for example one for every user ("there has been no warrant for your information"), and users might even appreciate that, but stopping with publishing a specific subset of them can communicate a lot of information.

It also removes some of the plausible deniability ("maybe they just forgot to update the warrant canary") that comes with having only one, I think.


This is correct.

See my response to your parent, upthread.

The canary already contains a list of all warrants we have ever received - it just so happens that list is zero items long.


Can you relate to us the legal opinions you've gotten about using your "canary" as a transparency log?


I would characterize the legal opinions we have received as "wildly divergent".

Some of the best discussion and counsel I have had took place during the EFF Canary Summit which was held at NYU in 2014. These discussions took place under Chatham House Rules, however, so I can't attribute it to anyone. Again, best characterized as "wildly divergent".

Of note:

rsync.net is, to a layperson, best described as a virtual safe deposit box. There are no abilities to publish, share or work collaboratively on data. In addition, an rsync.net account is relatively expensive. The kinds of activities that might attract a NSL or gagged order are naturally repulsed by these structural factors.

It's also a good filtering mechanism for non-technical clients, but I'm drifting off-topic now ...


I've always wondered whether this has any chance of holding up in court. I know it depends on jurisdiction, but at least in my region (EU/Poland), courts consider intent rather than a literal interpretation of laws. You can try to be oh-so-smart and implement a "canary" that doesn't get updated if you get a warrant, but the court would consider not updating the canary as the same thing as notifying people that a warrant has been served.


About a century ago in the UK, the Automotive Association (AA) did a similar thing.

Lots of towns were setting up speed traps to catch speeding motorists, with very low speed limits, so the AA paid uniformed boys on bicycles to find the speed traps and flag down motorists to warn them before they reached the speed trap. This practice was legally challenged as obstructing the police, so the AA inverted the scheme. They instead paid boys on bicycles to salute motorists by default, except when there was a speed trap. If you saw the uniformed AA boy standing by the side of the road and he wasn't saluting you, you knew there was something wrong ahead.

The idea was that the law might be able to ban saluting to warn motorists of the police, but the law couldn't ban not saluting to warn motorists. The law couldn't compel a salute. Evidently this worked, because the AA kept up the practice for a few more decades, before eventually discontinuing the practice in the 60s.


interesting that the law interprets setting the variable salute=1 as illegal information but not_salute=1 or free_to_go=0 is not.


"You can try to be oh-so-smart and implement a "canary" that doesn't get updated if you get a warrant, but the court would consider not updating the canary as the same thing as notifying people that a warrant has been served."

The warrant canary is always thought of as a gimmick or a "legal hack" or a "smartypants" construct ... but this is the wrong way to think about it.

The warrant canary is a poison pill provision.

rsync.net is a real company. We have a proper board of directors and outside advisors. We have legal counsel. We have shareholders.

We could not possibly respond to any kind of warrant - extrajudicial or otherwise - without careful consultation with all of these stakeholders. That takes time and that means the canary will expire.

So it's wrong to think of this as an act of defiance at the time of service - that ship has long since sailed (2006).

Instead, it has shifted the landscape of warrant service, irrevocably, in advance.


The idea that you'll take the warrant down because it has "expired" during your "deliberation" of a warrant is logic an order of magnitude cutesier than that of the warrant canary itself. Further, it cuts against the legitimacy of a warrant canary: the canary is defensible (if it's defensible) because it's expressive, and restraints on expression about government actions are subject to strict scrutiny. Here, you're saying that there isn't anything expressive at all about your canary being removed; you're simply not exerting the effort required to maintain it.

That's not expression; that's like being told you have to put a notice on the front door of your business, and trying to avoid it by saying "I wasn't disagreeing with the notice, I just haven't had time to put it up". Yeah, they're going to shut your restaurant down.

I agree with your take across the thread that this is mostly moot because of the nature of your business; I think the discussion of whether warrant canaries work is interesting, but the question of whether rsync.net is going to have to resist government searches is not, like, a major controversy. You're just not going to get searches at all, because you're not that kind of company.


> The idea that you'll take the warrant down because it has "expired"

I do not see rsync saying that they will necessarily take down the canary when it expires. Just that they will not update it while they consult their lawyers and stakeholders.

> being told you have to put a notice on the front door of your business, and trying to avoid it

In the US, the case West Virginia State Board of Education v. Barnette established that the government cannot compel speech. That is the basis of the presumption that the government cannot force a company to update a warrant canary.


The government routinely compels speech. It's weird that we'd be trying to derive this from first principles: you can just go to your pantry and pick up any packaged food item.


It's an interesting example, food nutrition labeling. A couple of my initial reactions are that

(1) Courts initially make a decision about whether or not something constitutes "speech" versus a part of a business transaction or something like that. It's possible that a nutritional label isn't considered speech as much as it is product or a commercial transactional component or something. That doesn't mean the same arguments would or would not apply to a warrant canary.

(2) The food labeling analogy is generally forced transparency. So for example, the alternatives are to either not report nutritional information or to lie about it. The former is a legitimate concern I think from a free speech perspective but refusing to report contents might be reasonably argued to drift into the latter alternative, which is basically fraud. The government coerced speech is to move speech away from fraud.

Asking someone to continue posting a warrant canary basically amounts to coercing fraudulent speech, which is kind of tricky. It would be akin to the government compelling you to not only put nutritional labels on your food, but also to put false nutritional labels on your food. The government coercing continued posting of a warrant canary when a warrant has been served moves speech toward fraud, which seems really different to me from the case with nutritional labels.

rsync has posted here on the thread that they'd have to consult lawyers and whatnot about whether or not to continue posting the canary, and that might take time. I think this is more nontrivial than some people seem to give them credit for, in the sense that lying about it might induce various lawsuits about fraud from customers and stakeholders that have a financial material interest in them being transparent.

I'm playing devil's advocate here and not trying to adopt any particular position. I think it's entirely possible a court could throw out the idea of the warrant canary on trivial grounds. But it seems to me coerced fraud is different in subtle but important ways from coerced silence.


Your (1) has a term of art: "commercial speech". Warrant canaries, at least of the sort we're talking about, are commercial speech --- even the EFF canary site implies it agrees with this.


Product packaging is commercial commerce, which is regulated. Firms voluntarily engage in regulated commerce.

Cease updates of a canary is doing nothing.


All commerce is commercial.


Yes. What do you think of this rephrasing?

Product packaging is part of commerce, which is regulated. Firms voluntarily engage in commerce.

Cease updates of a canary is doing nothing.


"Commercial speech", the term you're looking for, is any speech that has any nexus at all to commerce. Warning labels are commercial speech (that's why the government can compel them), as, I'd presume, are anti-warning-labels.

There may very well be reasons warrant canaries will hold up in court, but "canaries aren't commercial speech" seems very unlikely to be one of them.


"The idea that you'll take the warrant down because it has "expired" during your "deliberation" of a warrant ..."

There is no situation where we take the warrant canary down.

We either keep updating it or we don't.

There is no third option where we remove it. Or put it back later, etc.

It's either up and fresh or it's up and stale.


Yes, I get that you update the canary; we can substitute "kill the canary" with "refusing to feed the canary", same deal, right?


No, I think there's a difference.

Again, I liken this to a poison pill which suggests the die has already been cast - the decision was made not now, in response to a warrant but in 2006.

If we do something - like remove the canary - that model starts to fall apart.

Doing something is interesting and provocative and actionable, etc.

But if we do nothing it fits the poison pill model very well.


I'm not a lawyer, but that's a double-edged sword because then the feds would be opening up questions about the constitutionality of the gag order in the first place. These secret national security warrants are still a thing in part because nobody has successfully challenged them in court. It's possible that if the government wants to argue that taking down a warrant canary constitutes violation of the gag order, the court could ultimately rule that the gag order itself is an unconstitutional prior restraint on constitutionally protected free speech.


> taking down a warrant canary

The canaries are set up so whoever has the website stops the updating. Nothing is taken down. Nothing is updated.


This whole thing I believe was a result of litigation with USGOV. Can the government entirely censor people acting on behalf of a company from saying something? The answer was something like "It can prevent you from stating specific details but it cannot prevent you from making general statements on whether you have received a warrant or force speech by preventing you from taking down the canary". They even came up with a specific granularity that you can state regarding the number of warrants you received.

But if I was the gov, I would go to your webhost or colo provider first, the gag order would prevent them from telling the subject like rsync.net and the search warrant would allow access to read and tamper with code and data. This is why GPG signing is great, private keys won't be on devices you don't physically control if you do it right. And also why you shouldn't trust native encryption of cloud providers like iCloud where ultimately you are not managing the private key directly.


Updating the canary to say "we haven't been served any warrants" when there was, in fact, a warrant served would be an intentional lie. Compelling that kind of speech generally requires a much higher legal bar if it's possible at all.


Related:

The rsync.net Warrant Canary is now 15 years old - https://news.ycombinator.com/item?id=26960204 - April 2021 (13 comments)

Rsync.net Warrant Canary (2006) - https://news.ycombinator.com/item?id=5899197 - June 2013 (50 comments)

Rsync.net Warrant Canary - https://news.ycombinator.com/item?id=5837351 - June 2013 (1 comment)

Show HN: The rsync.net Warrant Canary - https://news.ycombinator.com/item?id=4834362 - Nov 2012 (1 comment)

Rsync.net Warrant Canary - https://news.ycombinator.com/item?id=702247 - July 2009 (46 comments)


So the law, presumably, says 'you can't tell people you've received a warrant' (or a national security letter?)?

Surely this convoluted scheme is still telling people you've received a warrant??

Has there been caselaw on this?


You are correct that it is a convoluted scheme, but the goal of warrant canary users is to deliberately create a situation where their first amendment rights would be infringed by attempts to vigorously enforce the laws around NSL gag orders.

What isn't firmly tested in court is this specific application of the idea that the first amendment protects against compelled speech, although there have been other similar cases (see the Wiki article [1])

[1] https://en.wikipedia.org/wiki/Warrant_canary


The problem with this analysis is that First Amendment rights were already successfully infringed with the gag order that necessitated the canary, which itself has to meet the (maximal) strict scrutiny standard; in other words, there's no prima facie reason to believe that the legal argument defending the canary would fare any better than the legal argument objecting to the gag order.

There are subtle and/or complicated reasons to believe the canary would work! I'm not here to make the case that canaries are invalid, only to establish that among legal experts, this is not a settled issue.


I think there may be a useful distinction here between prior restraint and compelled speech. If you post the statement "we have not received a gagged warrant since January 3 2023" and you receive a gagged warrant on January 4 2023, does the government really have the power to compel you to post the statement "we have not received a gagged warrant since January 5 2023" the next day? You don't even have to take down the January 3 canary; just leave it up long enough that people get suspicious that you haven't updated it.


The government routinely compels speech.


Can you give an example where the US government forced a company to lie to the public which we've only found out later?


Not just a lie, but false advertising, which is a federal offense in and of itself.


> The problem with this analysis is that First Amendment rights were already successfully infringed with the gag order that necessitated the canary, which itself has to meet the (maximal) strict scrutiny standard

Has the supreme court actually ruled on the constitutionality of gag orders? Until then it's not completely settled that it's despite rulings in lower courts.


These specifically, not that I know of. But gag orders in general? Nebraska Press v. Stuart, 3 part test: harm to the person being gagged, least restrictive means, and effectiveness of the order. That was in a press case, where the burden is much higher on the government than in these cases.

Specific gag orders can and have failed in appeals!

The problem with this argument as it pertains to warrant canaries is that defeating the gag order also defeats the purpose of the warrant canary. The question we're begging here is: if the gag order survives strict scrutiny, why won't the order to keep the canary up?


There's plenty of compelled speech in a commercial context. Just one example: look at your bottle of milk. It probably says "made with milk from cows not treated with rBST hormone", but the FDA also compels them to say effectively "not that there is anything wrong with rBST".


I was struck by the negativity and fatalism of these comments, because in my memory we've discussed warrant canaries, and rsync's in particular, on HN many times over the years.

In my memory the comments used to be more positive about both the effectiveness of canaries and about the sheer cleverness, ingenuity and spirit of fighting back against tyranny.

I wondered what happened to the HN hive mind over the years, has it become more deferential to the authoritarian state, more accepting of the erosion of essential freedoms in exchange for ostensible safety, more dismissive of clever hacks?

But then I read a thread from 13 years ago: https://news.ycombinator.com/item?id=702247

While there's a noticeable positive sentiment, many of the skeptical comments of today could have been copied verbatim from July, 2009.

So perhaps my memory is faulty.


Since Snowden we've discovered just how lawless the government is, and what's worse, the spooks also got away scot-free with no consequences whatsoever for wanton violations of the Fourth Amendment.

Saying that you shouldn't rely on legally untested warrant canaries as a sure-fire protection is not the same as agreeing with the executive branch's overreach abetted by a supine & craven Congress and a Judicial branch all too inclined to defer to the executive when spurious security justifications are trotted out.


>I wondered what happened to the HN hive mind over the years, has it become more deferential to the authoritarian state, more accepting of the erosion of essential freedoms in exchange for ostensible safety, more dismissive of clever hacks?

>But then I read a thread from 13 years ago: https://news.ycombinator.com/item?id=702247

>While there's a noticeable positive sentiment, many of the skeptical comments of today could have been copied verbatim from July, 2009.

The difference is that in 2009 and now a Democrat is in the White House, so those who are convinced that "their side" can't do anything wrong are more willing to accept the authoritarian state.

Look at the Warrant Canary Wikipedia page. Would Jessamyn West—associated so closely with Metafilter, a site that basically self-destructed because its hivemind became so self-reinforcing as to immediately shun anyone at any variance with it in a way that would make a Maoist struggle session conductor proud[1]—have created her sign for libraries if George W. Bush had not been president at the time? I doubt it.

[1] https://news.ycombinator.com/item?id=32880651


There is an argument that compelled factual speech (such as disclosures, warnings, safety, ingredient information, "truth in lending", etc) is different than compelling someone to say something that isn't true.


I’d love to read a qualified and accomplished lawyer’s take on the pedantic differences between your example and the subject at hand.


> but the FDA also compels them to say effectively "not that there is anything wrong with rBST".

Source?

Edit, found this. Wonder why this reasoning is not used for false implications in all the other labeling for supplements, vitamins, herbal, and organic food.

Even for milk, there is “A2” milk sold next to regular milk implying that A2 is somehow more nutritious, but it is not required to say “A1 milk has not been shown to be any worse than A2”.

https://www.govinfo.gov/content/pkg/FR-1994-02-10/html/94-32...

> Because of the presence of natural bST in milk, no milk is ``bST-free,'' and a ``bST-free'' labeling statement would be false. Also, FDA is concerned that the term ``rbST free'' may imply a compositional difference between milk from treated and untreated cows rather than a difference in the way the milk is produced. Instead, the concept would better be formulated as ``from cows not treated with rbST'' or in other similar ways. However, even such a statement, which asserts that rbST has not been used in the production of the subject milk, has the potential to be misunderstood by consumers. Without proper context, such statements could be misleading. Such unqualified statements may imply that milk from untreated cows is safer or of higher quality than milk from treated cows. Such an implication would be false and misleading.

>FDA believes such misleading implications could best be avoided by the use of accompanying information that puts the statement in a proper context. Proper context could be achieved in a number of different ways. For example, accompanying the statement ``from cows not treated with rbST'' with the statement that ``No significant difference has been shown between milk derived from rbST-treated and non-rbST-treated cows'' would put the claim in proper context. Proper context could also be achieved by conveying the firm's reasons (other than safety or quality) for choosing not to use milk from cows treated with rbST, as long as the label is truthful and nonmisleading.


Well, rBST is banned in the EU, not on health or safety but on animal welfare grounds, as cow udders are not made for that level of milk production and mechanical milking causes distress and injury (mastitis) to the cows.

Also there is a difference between BST (bovine somatotropin, natural) and rBST (r stands for recombinant, the manufacturing process), the synthetic kind. The FDA's "concerns" are transparently based purely on the commercial interests of rBST producers like Monsanto and their customers'.


Feds always get what they want. You cannot afford to appeal to the supreme court, both financially and because non cooperation will cause you to receive retaliation. FBI has made it so an accusation of a crime can easily become a conspiracy, and a conspiracy felony is more prison time than cooperation for most non-violent crime. This is why big gov is fascism, they can do whatever they want. You'll never see the court documents.


Even if you file USSC appeal via petition for certiorari, they get to choose if they want to hear it.

The State SCs I have researched are the same; they choose if they want to hear the case. If they decide to not hear it, the cert is denied which doesn't mean the argument was decided. It just wasn't heard by the court.

Judiciary Act of 1925

https://www.uscourts.gov/about-federal-courts/educational-re...


I don't understand this meme, which is absurdly popular.

"Not updating a warrant canary" isn't the crime here. "Creating a warrant canary" is the crime, as it's an action whose only purpose is to violate a gag order.


> "Not updating a warrant canary" isn't the crime here. "Creating a warrant canary" is the crime, as it's an action whose only purpose is to violate a gag order.

It walks a really fine line IMO. The way I see it is it works in two ways:

* When you create one, you're not referencing a current gag order, but rather an imaginary future one. If creating one is a crime then doing just about anything (deleting an email or throwing away a letter) is also a crime because you can be destroying evidence in a potential future case or investigation not brought yet.

* Once this warrant is issued, then you run into this case where any associated gag order is "one way". That is the government can order you not to disclose the warrant but they cannot compel you to lie and update the canary to reflect that you still have not gotten one yet.

INAL.


conspiracy to circumvent the patriot act doesn't have to be tied to any particular court order.


Ok so for example I deleted a confirmation email that Delta sent me for a flight I had yesterday. Suppose for some reason the US Govt opens some investigation into my travel, should I be charged with conspiracy to destroy evidence since I should have "known" that I "might" be investigated.

No that would be silly and there would be no way to prove malicious intent. You could make a million arguments for a canary in the same way.


If you had reason to believe that the particular email will be called for in a court, and that is the reason you are deleting it, then it is definitely a crime yes.


You did not have a reason. You just have this general notion that any one of your emails could, hypothetically, become evidence in some unspecified court case sometime in the future.


of course the government has to prove intent (beyond reasonable doubt), which is not easy, but also getting sued in US federal criminal court, even with good odds is also not what you'd call a non-issue.

setting up warrant canaries is probably a good idea if you have the ideological conviction to face the government's bullying. spending some money on getting lawyers' opinion is also probably a very good idea.

but all this serves as evidence for intent.

so it's not that simple to do it with some persuasive/plausible alternative explanation.

the whole point of gag orders and the mandated/compelled performance is to help whatever investigation. of course if someone doesn't cooperate with law enforcement and/or the prosecutor that's their choice, and in this case it's basically itself a charge. (obstruction of justice is not a new thing after all.) the complication is that speech is a special action.


Sounds like a fancy way to do ex post facto criminalization by convenience without technically changing a law.


> "Creating a warrant canary" is the crime, as it's an action whose only purpose is to violate a gag order.

There is no gag order. That's the point.

Are you suggesting that any action that might violate any future order is a crime? If so, what do you base that on?

If not, since there is no order before them, are you suggesting there is a specific statute that they are violating? If so, which one?

If not, what would make this behavior criminal?


If we have to pick between the first amendment and the courts helping to secretly enforce what are quite often shady laws, how should a people born to the Enlightenment choose?


Are you saying that you think it's currently illegal for rsync to be making this claim?

Or that if they ever receive a gag order then their earlier action was retroactively illegal?


The only way that warrant canaries could be successfully outlawed would be to have laws that apply retroactively or possibly outlaw anyone from any discussion of warrants at any time (with the exception of officers of the law - would make their job difficult).

The issue is that people post a warrant canary before they have any warrant served, so it'd be a strange situation of being legal before receiving a warrant and then suddenly transitioning to illegal. Maybe one way round it would be to make it illegal to change any procedures upon receiving a warrant so that they would be forced to continue posting warrant canaries that are then false.


I don't know why you think this is the case, but I haven't read any analysis of canary legality that pivots on ex-post-facto laws. As I understand it, the question comes down to: a court order requiring a company to maintain its warrant canary will amount to compelled false speech (compelled speech happens already, compelled false speech is unique to this situation) and will as such be subject to the strict scrutiny standard. The case against warrant canaries: the gag order itself is already subject to strict scrutiny, and people who post warrant canaries have gone out of their way to put themselves in a situation where they will need to make false statements. The case for canaries: compelled false statements are more intrusive than a gag order and will receive, somehow, more scrutiny.

It's not simple and it isn't resolved in law.


Well, I'm not any kind of legal expert and don't have any specific domain knowledge, but it just seems logical to me that it's perfectly legal to post a warrant canary before any warrants have been served.

I was addressing the parent's comment about how warrant canaries should be illegal due to them being an attempt to get around the gag order, but doesn't that involve a gag order making a previously legal action into an illegal action and assumes knowledge that a gag order will be issued in the future?


Laws never said anything about what you stop saying, in this context.


I think courts often encounter people who have clever interpretations of laws, but who then get a bit of a rude awakening when their "Air Bud" style workaround gets slapped down when it meets a surly judge who has no time for their shit. Obviously not a lawyer, so I don't know whether this is one of these, whether it's something yet to be tested in court or whether Warrant Canaries are already accepted as valid.


There is substantial precedent that the US constitution prevents the government from compelling speech, litigated all the way to supreme court. This isn't some sovcit-level workaround, there is actual legal theory behind it.

It is important to note that the more "low-effort" style of warrant canary, or simply posting a static page that says that you have not been served a warrant, is probably not safe. Taking the page down is possibly an action you can be legally prevented from doing. However, that's not what rsync.net is doing. They are specifically posting a new one every week, because no court or authority can compel them to post one if they don't want to under US law.


Then why does every food product have a "nutrition facts" label, mandated by the FDA, if said mandate is unconstitutional? Either some compelled speech is constitutional, or Nestle hasn't bothered to litigate it (strains credibility), or all the food manufacturers think that American consumers care enough about having the nutrition facts that they'd have a competitive disadvantage if they removed them (even less credible).

Edit: My point is that "compelled speech" isn't the issue, it's "compelled false speech" vs "compelled silence", either of which infringes on the right to free speech in some way.


Further, if this actually gets litigated, it seems pretty likely that the DOJ will argue that the government isn't compelling "false" speech, so much as the canary's owners deliberately created a situation where compliance with a lawful compulsion to silence would require them to lie; that they more or less "banked" a lie, and then tried to pin that on the government when it was time to make the withdrawal.

(That's not to say this argument, or any canary argument, would avail; who the hell knows, should be our watchwords in this matter.)


> why does every food product have a "nutrition facts" label, mandated by the FDA

The FDA can't compel you to say anything you don't want to. But they can refuse to let you sell your product. The right to sell food isn't as strongly protected as the right to political expression.


The government compels speech like, all the time. Can you cite this substantial precedent you're referring to? The cancer warning label on my couch wants to have words.


https://www.reuters.com/article/us-otc-speech/when-the-gover... says:

> On Friday, the 9th U.S. Circuit Court of Appeals joined a slowly emerging consensus among the federal circuits, holding that governments have the right to mandate corporate speech “if the information in the disclosure is reasonably related to a substantial governmental interest and is purely factual.”

The latter requirement does not seem to be held in the case of compelling rsync to post an updated warrant canary claiming not to have received a warrant if they have.

Furthermore, in the case of cancer warnings, the actual law is phrased as:

> No person in the course of doing business shall knowingly and intentionally expose any individual to a chemical known to the state to cause cancer or reproductive toxicity without first giving clear and reasonable warning to such individual

so, it's not so much compelled speech "out of the blue", rather it's a requirement of doing business. There are other ways the business can comply with the law, such as not including the chemical in the product. In the case of warrant canaries, I'd be surprised if there's a similar law requiring them to be posted to do business.


If you force somebody (who's not even the defendant, just a witness in the case) to (cryptographically) sign a message of your own choosing, why not just take the shortcut of forcing the defendant to sign whatever confession you want them to? Much easier, quicker and cheaper than these fancy workarounds.


You must be referencing a court case where a modern warrant canary has ended with the perp in jail. Who might that be? You prefaced with "I think", but spoke with quite steadfast certainty, surely this piqued your interest for a reason.


No, nothing specifically related to Warrant Canaries but some law podcasts I listened to - ALAB and Mic Dicta for example - have referenced this phenomenon a few times. It's usually a tech bro or sovereign citizen with a novel interpretation of a law that ends up failing when they eventually have to try to argue their case in court.


Just because some legal strategies are batshit crazy sovcit nonsense doesn’t mean all legal strategies are.

See: Apple vs FBI in San Bernardino.


True, and it's been elaborated elsewhere that these have already been tested in the supreme court. But you have to admit that without that precedent, it does seem a little bit cheeky - "oh the law says I can't do X, well it doesn't say I can't simply not do inverse(X)" :)


For a funny / not funny example, see the attempts to ban analogs of illegal drugs. The whole research chemical thing is a result of the need to legislate exactly what’s illegal.


It's true, warrant canaries are not as implausible as sovcit arguments.


Sure, but warrant canaries sound like sovereign citizen stuff.


Supreme Court decisions can sound like sovcit stuff when they reference English common law, the Magna Carta, etc. Warrant canaries are just intended to exploit a technicality. There are a lot of technicalities in law that authoritarians don't like.


I have to agree with you. Freeman of the land come to mind.

I think the danger here is the interpretation of the prohibition on telling people you've been served with a secret warrant.

Whilst you seemingly can't force someone to do something the fact that not doing that thing is effectively telling people you've been served a warrant is grounds at least to take you to court.

I can only imagine this canary process being manual, if it were automated I'm unsure it could be considered speech (obvs: IANAL).

Until tested in court it's up in the air.


Comparing warrant canaries to sovereign citizens is disrespect almost to the degree of caricature.


I think you're taking non-US[0], non-lawyers speculating about US law a little bit too seriously. I mean it could be argued that we shouldn't even be commenting if we don't know, but where's the fun in that? It's Hacker News, not Lawyer News :)

[0] - or at least I'm non-US


I'm not comparing them, in that paragraph I'm commenting on the parent's comment about people being slapped down by surly judges. That's why it's in the first paragraph on its own.


Yes, I've seen this (in UK, but can't think off-hand of an example) where the judge says "yeah, no" to someone trying to be clever.


"I've seen this in a completely different jurisdiction but don't remember even a single specific" is not a particularly compelling counterargument.


I don't think this thread had the tone of an argument at all. If there were two people seriously butting heads going back and forth on something, yeah sure. But pulling a [Citation Needed] on some people who aren't experts but want to have a sincere and pretty civil discussion feels a bit much.


Especially since the UK has way more of a “legal precedent” style of law than the US constitutional system.


You mean "common law"? US Constitutional law is deeply based on "legal precedent".


Unfortunately surly judges also do things like impose a trial tax for daring not to take a plea deal. The legal system gets to play Calvinball.


Good point. It always reminds me of the “crypto nerd” xkcd.

https://xkcd.com/538/


I don't understand the value of a warrant canary: if it goes away or is not updated, what is the suggested action of users of the service? Is everyone supposed to leave? Because that ain't gonna happen, fortunately for the service.

The bottom line to me is, encrypt your data before it leaves your control, and cross your fingers that whatever tool you used did it correctly. If the government wants to see which sites you are connecting to, it's easy enough for them to just ask Spectrum, Comcast, etc. So IMO, warrant canaries are useless.


"I don't understand the value of a warrant canary: if it goes away or is not updated, what is the suggested action of users of the service?"

It really depends on how you use rsync.net.

The stated purpose of our product is: An empty UNIX filesystem to do anything you'd like with.

So ... if you are using a sophisticated tool like 'borg'[1] or 'restic' or 'duplicity' then no action would be necessary. Your data at rsync.net is garbage ciphertext that we do not hold a key to.

On the other hand, you may, as many thousands of people do, use rsync.net as a dead simple SFTP/SCP endpoint[2] and just copy files there. In this case your threat model and exposure is very different - but presumably you realize that.

Yes, you are thinking correctly when you describe your bottom line as:

"... encrypt your data before it leaves your control ..."

... and we encourage all of our customers to approach it this way.

[1] https://www.stavros.io/posts/holy-grail-backups/

[2] https://rsync.net/products/sftp.html


None of these points really explain why a warrant canary can't have value it just explains why you in particular don't find value in it which isn't necessarily supposed to be surprising.

Why is every user of a service supposed to care about something for it to have value in the service? Why is everyone supposed to agree on what level of connectivity obfuscation makes them feel comfortable? Why can't someone find value in simply knowing the government isn't monitoring how they use services without notice? If it has no impact on monitoring ability why would the government bother getting a warrant in the first place? Why can't someone be interested in knowing how pervasive invisible warrant requests are? Why should everyone equally be comfortable with just encrypting and calling it a day?

Even though I don't really have any direct utility from a warrant canary (e.g. Reddit's warrant canary went away ~7 years ago and it didn't trigger any direct consequences with me using Reddit) I still find them useful and, knowing how relatively lax I am about privacy/security compared to many, I have no doubts many find direct use of them. For some other specific companies/services/projects though I could even see a warrant canary possibly having high direct value.


> I still find them useful

I guess that's what I was asking, is why or how? I didn't say they don't have value as a fact, I said I don't understand the value. Why are they useful to you, ie, what would you do with this knowledge if your storage service had a warrant canary and stopped updating it?


For me personally this one "Why can't someone be interested in knowing how pervasive invisible warrant requests are?" is my primary use out of them as I think more transparency in government surveillance is a net good for society but the point of that larger section was, independent of individual conclusions, if you phrase the same type of questions you started with in a more open ended way you get plenty of reasons a warrant canary has value and those are all examples.


What if the warrant canary is from the developers of the encryption software? See truecrypt -- assuming it was actually a warrant canary.

Where "cross your fingers" is equivalent to the "warrant canary has not been revoked" when encryption is involved.


> What if the warrant canary is from the developers of the encryption software?

That seems useful. Thanks!


It's a kind of mutually assured destruction. It's not that "everyone" will leave. But the people the cops are targeting probably will. The tension reminds me of the Backpage/Craigslist Adult Services saga. Prostitution isn't legal in most of the US, but regardless of its legality, it will always exist. So, given the choice of having a place where they know prostitution is happening, and a place where they know it isn't, cops would prefer the former.

Wild tangent follows. I promise it'll connect to the original thread.

From a certain perspective, all discussions about personal rights are silly. Almost every free-speech case started with someone being an asshole. Fourth Amendment search & seizure cases almost always defend a person caught red-handed. Bitcoin is evil because it's used only for drugs and prostitution. And so on. Most of us live in a world where we don't ever need to assert our rights. As long as we're not an asshole, we don't have strange religious convictions, we aren't a journalist trying to expose outlandishness, we don't commit crimes, etc., then we can live our whole lives as if the Bill of Rights didn't exist.

The problem with that observation is that the borders describing acceptable conduct are defined by something, and that something is our personal rights. If the Bill of Rights didn't exist, then "acceptable conduct" would surely be a smaller set of actions. We'd have less freedom, and we'd all miss the things we couldn't do.

So the fact that nearly all controversy about personal rights seems silly (including the "I don't care about privacy because I have nothing to hide!" argument) is extremely significant. If the average person thought these discussions were important, then society would already be feeling constrained by lack of freedom, and we'd be in bad shape -- dictatorship, surveillance state, etc. And if nobody discussed them at all, then we'd probably be in a state of chaos -- survival more important than freedom, etc. Having silly discussions about personal rights is probably right at the sweet spot. The only thing worse than believing Bitcoin is useless is living in a society where everyone believes it's essential!

This is why it's OK to feel like a warrant canary is silly. You should. But you should also take very seriously the fact that you're able to feel it's silly. The moment you feel warrant canaries are important, it's too late for our society.

(The word "silly" is mine, not yours, but I believe the sentiment is in the same neighborhood as your question.)


Is there a dashboard from some neutral third-party validating that everybody's current warrant canary is in fact valid? Who would spot it if it either a) stopped being updated b) had an invalid signature, or c) the headlines were not current?


EFF used to run a "Canary Watch"[1] website which is now defunct.

In fact, EFF even held a "Canary Summit" at NYU in 2014 which I was invited to. It was only held that one year, however, and once Apple and other large firms discontinued their canaries all of the steam was seemingly lost ...

[1] https://www.eff.org/deeplinks/2016/05/canary-watch-one-year-...


The EFF and Calyx Institute used to run https://canarywatch.org/ for this, but shut it down at some point. AFAIK there's no such site now.


If a government agency issues a secret warrant, doesn’t that imply rsync.net has to provide a valid canary at the right time as well? I don’t get how this is useful.


The Supreme Court has ruled that compelled speech (forcing someone to say something) is almost always a clear cut violation of the first amendment.

There is no known case of US charging someone over a warrant canary.

There have been plenty of warrant canaries that have ceased to be updated - e.g. Reddit, and more recently, Storj.


Cases where compelled speech has been forced by the courts:

1. Forcing registered sex offenders to alert people in their neighborhood

2. Correcting misstatements


Where in the US has number 1 been done? I am not aware of any places where the offender is required to alert people. Most commonly they need only to report to the local government/police who then may (and may be required) to publish that info.

That is also often a condition of probation, meaning they are still under the authority of the courts and are still being "punished" by the system in lieu of prison. This is seen as the individual "giving up" some of their rights either by committing the offense or agreeing to the terms of probation instead of prison. This would also apply to #2.

Neither one of those justifications for infringement of the 1st amendment would apply in the cases of an NSL which are already on very very shaky legal ground and gag orders on them have been ruled constitutional in the past, currently they are only constitutional because a person getting an NSL now has the ability to appeal the NSL to a federal court, something that was previously missing


Forcing factual speech (such as disclosures, warnings, product information, truth-in-lending, etc) is a lot different than forcing someone to say something that isn't true.


The better example here is warning labels. Presumably, part of the reasons warning labels are easily compelled by the government is that they involve commercial speech, which receives a lower degree of 1A scrutiny. But then, most warrant canaries fall into the same bucket; they're basically just an inverted warning label.


Are there any known examples of the US Government legally being able to compel a lie?


For people who have become involved with national security issues, aren't they often required to deny being involved with national security issues if asked? Would that count?


No I don't think it does. The paperwork they sign when they get their security clearances put those people in a special circumstance. American journalists, not having security clearances, are allowed to spill the beans on national secrets.


For #1 you can do tons of things as condition for “early release” including warrantless searches so I suspect it’s related to that.


So not yet compelling a lie.


Could you refer the case?


This is a colorable argument, but I think it's ultimately a pretty poor argument:

First, freedom from compelled speech is not an inherently stronger (or weaker) freedom than freedom of speech. If the government can prevent you from saying something, then it can almost certainly prevent you from saying it by not not saying it.

Second, national security is one of the most powerful legal trump cards in practice. The government saying that something is necessary for national security will be treated as fact by the court, no matter how much evidence there is to the contrary.

Third, the purpose of freedom of speech is to protect freedom of expression. Speech that isn't expressive in nature has a much lower bar to clear for the government to be able to restrict it. Warrant canaries strike me as essentially commercial speech, which the government has pretty wide latitude to regulate.


>>The government saying that something is necessary for national security will be treated as fact by the court, no matter how much evidence there is to the contrary.

Citation please

>> Speech that isn't expressive in nature has a much lower bar to clear for the government to be able to restrict it. Warrant canaries strike me as essentially commercial speech, which the government has pretty wide latitude to regulate.

This case law around NSL has not been very favorable for the government, Appeals courts have struck down the gag order provisions of the laws in the place, and are poised to do so again should a case come before them. The current makeup of the Supreme Court also leads me to believe they would not look favorably on Gag orders, though they would on the larger issue of National Security


This is a circular argument. If the gag orders in question are struck, the canary doesn't do anything: you can just tell people you were served with the court order. But if the canary matters, that means we're dealing with a nondisclosure order that did, at least for the moment, survive strict scrutiny. Since there isn't a legal concept of "super strict scrutiny", that leaves the question of why people believe the canary will fare any better than the objection to the gag order.


That would apply (probably) if the government put you under a gag order and ordered you to keep updating your warrant canary.

But what if they just put you under a gag order, and then when you stop updating the warrant canary they charge you with violating the gag order? Would that still fall under the compelled speech cases?


Not a lawyer, but IIRC the theory was that generally speaking the bar for compelling you to lie is higher than that for compelling you to stay silent, even when those are equivalent information-theoretically. It’s not clear if the legal exploit of a warrant canary has ever been tested in court.


I don’t think so. I think there’s a pretty significant legal difference between ordering someone not to say something, and ordering them to specifically publicly say something that’s false.

The former has been tested and is (for some reason) within the bounds of the first amendment. While forcing someone to publicly say something false almost certainly is outside the bounds of the first amendment.


If they're brave enough, they'll render themselves unable to sign the canary with the key they previously used (by "accidentally" destroying it), and accept whatever punishment is headed their way because of that.


Let us please be clear: rsync.net is a real company. We have a board of directors. We have outside advisors and legal counsel. We have shareholders.

Did we, in fact, create a poison pill provision in 2006 with regard to legal service, etc., ? Yes, we did.

Will this be a wild west data caper with dramatic conclusions and brave, desperate actions ? No, it won't be.

If there's one thing you should know about rsync.net it's that it's a very boring company. We're going to keep it that way.


Switching from good faith legal dispute to bad faith technical argument and lying seems like a questionable strategy.


How is that bad faith? It's a technical enforcement of a commitment.


The implication was that they should intentionally destroy the key and falsely claim it was an accident. That is bad faith, and asking for trouble.


Assuming people take the canary seriously, this is an interesting case where deleting one file is equivalent to shutting down the company.


Can courts compel people to enter passwords? How is forcing a signature with a specific GPG key different?

If worst comes to worst, say "Sorry bro, lost the key in a boating accident, nothing I can do".


Couldn’t a judge issue a warrant to take control of the keys needed to update the warrant thus sidestepping the first amendment prohibition on compelled speech? Everyone would think it is Rsync updating the canary, but it would be law enforcement.


Yes. That's the last paragraph.


How would the judge’s order update the website?


I think this kind of warrant canary doesn't bring much value. It takes only one warrant to make this document historical. And then what?

I wish every account had its own warrant canary.


I thought Reddit had a page with a bunch of canaries (pictures of canaries) on it, and their idea was to remove one at a time. Can't find that now so it must have been some other service.

I think an elegant way for rsync to handle this would be to just move the page from ".../canary.txt" to ".../canary-2.txt".

Sends the message that the first canary is dead, but leaves a second one up for the next warrant.


Or they could host in a country where “secret warrants” don’t exist.


What's the kings, wizards postscript about?


They're scores from sports matches on that day, to show the statement was not signed prior to the listed date


What is the specific attack addressed here? A secret cache of canaries generated before the destruction of the secret key material?

If we can't trust rsync.net to not do that then how can we trust them to actually stop producing canaries after the gag order? Is it something to do with how they are produced?


> What is the specific attack addressed here? A secret cache of canaries generated before the destruction of the secret key material?

It is to prevent 'pregenerated' message. Also increases the entropy of the message vs just a simple date change.

> If we can't trust rsync.net to not do that then how can we trust them to actually stop producing canaries after the gag order?

Elsewhere in thread it was discussed that, legally compelling someone NOT TO say something is somewhat easier than compelling them TO say something.

As an interesting theory, if they were somehow 'compelled' by a court order to say they were OK for X weeks, they could just pregen the next X weeks without headlines, which would possibly be another way for the canary to squawk.


Headlines from the date of the canary; including them demonstrates that the canary was produced and signed on or after the date indicated, not before. See "notes" at the bottom.


I wonder if they have a contingency for when a global health emergency stops all professional sports matches.


There's three news headlines for the day to also demonstrate the message was written and signed on the declared day.


The canary is edited and signed, manually, by an actual human every Monday morning.

I have high confidence that the individual tasked with this can quickly think of another unpredictable metric with which to datestamp the canary.


They could state just that fact, which still serves to prove the point.


But that's something you could prepare now, or if you need specifics then at the start of the new plague. Then subsequent releases won't be proven to have been created within the prior week.


Then they just post something else to make it obvious. I mean seriously, come on. Just because you can come up with an incredibly specific and unlikely scenario in which this exact thing wouldn't work doesn't mean anything. They just stop doing that exact thing.


Do you have an example of other information that could be included to validate that the message was not generated and signed in advance?


The latest bitcoin block hash.

The current nytimes headlines.

The most recent close of the largest stock markets.

The last power balls numbers.

Most of those would be valuable in their own right if you had foreknowledge.


Any other current events headline from major news sources.

Closing stock price of multiple stocks.

This week's powerball numbers.

Count of babies born in several hospitals on a specific day.
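Added example, not part of any comment in this thread and not rsync.net's or EFF's tooling: a sketch of the third-party check asked about earlier (stale canary, missing or outdated "headlines") combined with the unpredictable-value idea listed above. The `Statement date:` / `Beacon:` layout, the beacon strings and the thresholds are constructed assumptions, and the PGP signature is assumed to have been verified separately before this runs.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc

# Constructed beacon values (not real block hashes or headlines).
BLOCK_NEW = "block:00000000000000000004f3a1-constructed"
HEADLINE = "headline:Constructed headline about a sports result"
BLOCK_OLD = "block:000000000000000000011111-constructed"

# Constructed sample body, NOT rsync.net's real canary text or layout.
SAMPLE = (
    "Statement date: 2023-01-02\n"
    "Example Storage has received no warrants (constructed statement).\n"
    f"Beacon: {BLOCK_NEW}\n"
    f"Beacon: {HEADLINE}\n"
)

# The monitor's own record, gathered from independent sources:
# beacon value -> time it first became publicly known.
KNOWN_BEACONS = {
    BLOCK_NEW: datetime(2023, 1, 2, 6, 0, tzinfo=UTC),
    HEADLINE: datetime(2023, 1, 1, 23, 30, tzinfo=UTC),
    BLOCK_OLD: datetime(2022, 11, 1, 0, 0, tzinfo=UTC),
}


@dataclass
class Verdict:
    findings: List[str] = field(default_factory=list)
    # A beacon only proves "written no earlier than"; the upper bound is
    # simply the moment the monitor fetched the canary.
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None


def check_canary(text, now, known_beacons,
                 max_age=timedelta(days=8),
                 max_beacon_lag=timedelta(days=2)):
    """Return a Verdict; an empty findings list means nothing looked wrong."""
    v = Verdict(not_after=now)

    m = re.search(r"^Statement date:\s*(\d{4}-\d{2}-\d{2})\s*$", text, re.M)
    try:
        claimed = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=UTC)
    except (AttributeError, ValueError):
        v.findings.append("no-date")
        return v

    if claimed > now:
        v.findings.append("future-dated")
    elif now - claimed > max_age:
        v.findings.append("stale")            # the canary stopped being updated

    beacons = [b.strip() for b in re.findall(r"^Beacon:\s*(.+)$", text, re.M)]
    if not beacons:
        # A dated statement without unpredictable content could have been
        # generated in bulk ahead of time.
        v.findings.append("no-beacon")
        return v

    seen = []
    for b in beacons:
        if b in known_beacons:
            seen.append(known_beacons[b])
        else:
            v.findings.append("unknown-beacon")  # cannot be checked independently

    if seen:
        v.not_before = max(seen)              # newest beacon gives the tightest bound
        if v.not_before >= claimed + timedelta(days=1):
            v.findings.append("beacon-after-date")   # claimed date is too early
        elif claimed - v.not_before > max_beacon_lag:
            v.findings.append("beacon-too-old")      # could predate the claimed date
    return v


if __name__ == "__main__":
    result = check_canary(SAMPLE, datetime(2023, 1, 4, 12, 0, tzinfo=UTC), KNOWN_BEACONS)
    print(result.findings or "ok", result.not_before, result.not_after)
```

The beacon check only narrows when the text was written; it says nothing about who signed it, so it complements the signature check rather than replacing it.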


But why would they do that?

I understand that in this scenario we trust rsync.net and are afraid of secret warrants. If rsync.net wanted to deceive us, they could do that by... just lying? What incentives do they have to pregenerate these messages?


Warrant canaries do not work, because they violate the spirit and law of what a gag or secret warrant means. No court would allow rsync to alert users this way without considering that a breach of the gag, just as if they said “hey we got a secret search warrant today.”


Rsync will destroy key and nobody would be able to update canary. No new canary means canary is dead.


And then people will go to jail.


Go Grizzlies!


I would argue that ceasing to publish these statements is equivalent to announcing that some warrant has been served. So if the latter is a criminal offense, why should the former be legal?


You can argue that, but other people argue the other side. To my knowledge it hasn't been firmly tested in a US court yet.

There are supreme court precedents finding that the first amendment prohibits the government from compelling speech, which is the legal theory for why warrant canaries are not equivalent to directly disclosing the NSL's existence: https://en.wikipedia.org/wiki/Warrant_canary


The former is legal, the thinking goes, because the government cannot force you to continue posting a warrant canary.

Nobody can say, “you have this on your web site saying you have never received a warrant; here’s a warrant, and by the way, you must also continue saying (now lying) that you have never received a warrant.”

The government can tell you to /stop/ posting a daily or weekly notice. It can say “here’s a warrant; you may not tell anyone you have received this.” In that case, you would be lying to say you had /not/ received it, and discussing whether you have received it or not received it at all can be prohibited. In which case, you would be obligated to remove or cease updating any statements related to a warrant.


The law can compel you to not disclose that you were served a warrant but *in theory it cannot compel you to explicitly make a statement, particularly if it's false I presume.

*I say "in theory" because I understand that this was never tested in court and some big name law professors did not agree that this would stand up in a court of law. A judge would look at the spirit of the law that bans the warrant disclosure and consider that the entire setup of the warrant canary is aimed at breaking it. I tend to agree with this interpretation because any reasonable person would consider the whole design is aimed at breaking that law.


> judge would look at the spirit of the law that bans the warrant disclosure and consider that the entire setup of the warrant canary is aimed at breaking it

The point of gag orders is to keep a criminal from destroying evidence while an investigation is underway. Having an individual warrant canary for every customer would defeat this purpose. A general canary doesn’t appear to.


The point is that the law is unjust, so why would people observe it? How does it serve the people to not be able to say you were compelled to share their personal information with what amounts to a bully?


Courts are not supposed to look at the spirit of laws, but the letter.

It would be a sad day for US justice if a judge ruled that every action was within the law but, because a reasonable person would conclude that the actions in aggregate were intended to circumvent a law, the defendant is guilty.


(English) Common Law gives judges a wide latitude to decide, and in effect make law, as was the case with Roe v. Wade, in a way (Roman) Civil Law jurisdictions don't allow. Sometimes this goes in a liberal direction, sometimes the other way.

I would not assume anything about warrant canaries, and would expect the FBI et al to get the judge who gave them a gag order to also issue a warrant canary falsification order at the same time. Most organizations would not have the wherewithal to resist, or the fortitude of a Judy Miller or James Risen and their willingness to go to jail rather than reveal their sources (yes, I know Judy Miller is a warmongering sorry excuse for a journalist, but her stand in this respect is admirable).


Row v. Wade was not decided on anything like the purported logic making warrant canaries illegal. Roe v Wade found that the right to privacy includes medical decisions, or similar. That’s a far cry from a criminal court finding a defendant guilty because they achieved an end that was supposed to be illegal but which no actual statute made illegal.

Also gag orders aren’t perpetual. If there were orders compelling businesses to lie, past examples would have come to light the same way we know gag orders exist.


How should a judge intrepret a typo?


Because compelling someone to actively do something is fundamentally different from restricting them from a future action, in the eyes of the law.


What the Constitution says is not how the system actually works. The magic phrase "national security" means they can compel you to do as they please, and find you guilty without due process if you don't. Hell, the FBI is one of the largest CSAM distribution rings in the world, and they can simply "discover" CSAM on your computer if you don't knuckle under. Then you will be legit found guilty and morally discredited for the rest of your life.

If the Feds really want to nail you -- to teach you a lesson and/or make an example out of you -- you're nailed.


> they can compel you to do as they please, and find you guilty without due process if you don't

The Supreme Court has repeatedly ruled on compelled speech [1], most colourfully on the pledge of allegiance [2]. It’s the theory Apple ran with in the San Bernardino case to avoid creating a decryption key [3]. A theory that was so successful the FBI pulled their case rather than risk a precedent for encryption.

[1] https://en.m.wikipedia.org/wiki/Compelled_speech

[2] https://en.m.wikipedia.org/wiki/West_Virginia_State_Board_of...

[3] https://en.m.wikipedia.org/wiki/FBI–Apple_encryption_dispute


"...the state system which has emerged in the United States is a constitutional deformation which menaces the freedom and well being of its citizenry, and which poses a danger to world civilization. What is hanging in the balance in the last twenty-five years of this century is whether the people, scholars, lawyers and judges, and members of the government, can so organize their understanding and their political actions as to avert fascism or Bonapartism, a debilitating arms race that could end in the kind of horror from which there will be no redemption, and a decaying economic system which impoverishes Americans as well as people elsewhere."

"Democracy Versus The National Security State" by Marcus Raskin, 1976

https://scholarship.law.duke.edu/lcp/vol40/iss3/7/


This is true. Prominent conspiracy theorist Chuck Schumer warned people about this when he blew the whistle about the intelligence agencies having six ways from Sunday to get back at anybody who crosses them, even the president.


[flagged]


Assange is being held without bail during pre-trial motions in the UK because he jumped bail the last time he had bail. If they are making an example of him it’s “if you jump bail you won’t get it again”.


They CP'd Paddock of Vegas


You think they planted evidence? What makes you believe that?


It's convenient for their particular brand of conspiracy theory.


That's a lot of assumption. Why not let them answer for themselves?


Here's an article discussing it more in depth: https://www.yalelawjournal.org/forum/warrant-canaries-and-di...

But the issue hasn't been settled in the courts. Twitter v Barr (2014) attempted to settle the issue, but the case was dismissed in 2020.

Edit: https://www.courtlistener.com/docket/4181259/twitter-inc-v-b...


Which law would apply to someone that hasn't been served with a warrant and state that they haven't been served with a warrant? Until they are possibly served with a warrant, the publishing of such statements would be legal and protected under free speech (I guess, I'm not in the U.S.), and when served with a warrant, surely removing any statements about warrants would be a wise move to avoid prosecution for releasing information about it.


A slight problem would be as soon it looked like such a legal precedent were about to be set, anyone publishing the statements would therefore be incentivised to cease publishing them while they still could legally.

More succinctly, the legal precedent would compel people to "break the law".

I'd argue such a conflicted legal outcome could only be resultant from unsound base principles.


It's going to be a very difficult legal debate at some point in the future. And I bet there are a lot of constitutional lawyers salivating over it :-)

If the government can compel you to hand over some information, well that's government. They can also injunct you not to tell people.

But, can they compel you to lie, publicly? Can they compel you to not publish such canaries - just in case they want to compel you later on?

And frankly, does it matter - is such a canary really just a form of social performance? If I don't want the US government to know something about me, I should stay the hell away from modern life, internet and so forth.


They have locations outside the US for example Zürich Switzerland. If they are served a secret warrant for data in that location I would want to know and I would legally have the right to know under Swiss jurisdiction.


What’s the Swiss legal theory under which you have the right to know that someone else was served with a warrant?


If my data is being accessed I have the right to know. There are no secret warrants in Switzerland.

This is the whole contention with Microsoft Office 365 being hosted in the EU and the CLOUD act.


I'd actually prefer people not do warrant canaries, and instead do conscientious periodic compliance reporting.

Although a warrant canary sometimes suggests a very principled party (e.g., I first heard of public librarians doing it, decades ago), at the same time, it seems probably counterproductive.

For one example, as a customer of a service provider, I want them to be stable -- not potentially antagonizing those who could shut them down, nor getting involved in what (to me) seem like ambiguous technicalities over what they can and can't do.

For another example, imagine you run a service in which you've committed to a warrant canary. But one day a warrant comes, and you realize it's gravely important for the canary not to die and tip off some genocidal warlord you didn't realize was a customer. Now you're violating the canary assurance to your other customers, which is an assurance that you should've anticipated you couldn't give.

Alternative: Some of the modern compliance reporting by tech companies, about warrants/censorship/etc. seems less likely to cause showstopper problems, can convey more info, and is ongoing rather than single-shot.

Of course there will be warrants and other compliances, for various jurisdictions, and conscientious periodic reporting seems to help with civic checks&balances.

(BTW, I really like the idea of rsync.net and its hard-working founder, have pointed new customers to them, and have a TODO to move some stuff to them myself. The only proviso I've mentioned to people thus far is that there's an unclear bus factor.)


>I'd actually prefer people not do warrant canaries, and instead do conscientious periodic compliance reporting.

The whole point of warrant canaries is that you can literally be compelled to silence under US law when dealing with intelligence organizations. It is impossible to state

"The FBI has requested our data, all our users reporting on police brutality might wanna get off our platform"

It might be legal to state "The FBI has never asked for our data", it might not, this hasn't been tested in court. They're not being hostile towards them, the CIA has literally arranged for multiple individuals to be assassinated, they should freak you out lol


If we emulate the big kids, and commit to do periodic compliance reporting only of what we can, when we can, then we don't have to worry so much about stepping on the wrong toes.

I'd guess in-house counsel could handle the day-to-day of this, looping in leadership when appropriate.

That home government might also be a resource (not an adversary), such as if a difficult request comes from another government, and advice or diplomatic assistance is needed.

No $5 wrenches nor soiled drawers necessary. No making assurances that you can't keep.


> It might be legal to state "The FBI has never asked for our data", it might not, this hasn't been tested in court.

My opinion (beware, IANAL): by itself, stating this once, or as many times as one wants, is definitely legal. What's not tested is whether it's legal to give the promise to make such statements in the future with predictable periodicity.


Lots of companies report aggregate statistics[0]. I believe that’s what parent was advocating.

0. https://www.documentcloud.org/documents/21046081-google-geof...


Those documents are discussing warrants which don't have a gag order (I strongly believe, IANAL)


I don’t believe gag orders preclude inclusion in a count like this, since that does not inform about the existence of a particular warrant. But I’d love to hear from someone more knowledgeable.


What, exactly, do you mean by "periodic compliance reporting"?

If you mean reporting "we responded to X government subpoenas during this time," the whole point of a warrant canary is that the government can force you not to reveal that.

If your main concern is the instantaneous removal of the canary once they've actually been served an NSL or whatever, then a) that's assuming that such a canary is, in fact, removed the moment they respond to such a government action, and b) seems to be positing fairly exotic situations, which are unlikely to be pertinent for the vast majority of cases where such a canary is being used.


Yes, I'm saying don't make yourself an adversary of your own government on this.

And especially don't do it while predicating your entire strategy on a legal technicality game.


I think there's ample evidence that

a) If this is something that's going to be a problem, it'll be because the government has made itself your enemy, and

b) the government's inability to compel speech is more than just a "legal technicality game".


Warrant canaries are a response to government orders that prevent transparent compliance reporting.

In the US at least the government can order you to not reveal the existence of a warrant. They cannot (in theory) compel you to state that you have not received any such warrants. Thus the canary.

I agree that being able to report on these activities transparently, even if it is done with a delay, would be preferable. But my understanding is that to accomplish that would require legislative changes to the current system.


There's no shortage of services for those who don't need or want warrant canaries.


No updates since January 2nd, do they not update daily?


"rsync.net will also make available, weekly, a "warrant canary" in the form of a cryptographically signed message containing the following:"

...


Gotcha I guess I missed that


What if rsync.net are lying, and the only purpose of the warrant canary is to provide a false sense of trust?

Be skeptical. This is almost certainly just a marketing ploy so potential customers feel like their data is safe and secure.


You're being downvoted, but I don't know why: If a warrant canary is removed, that may be a sign that the authorities are asking for your data. But, just because it hasn't been removed, that doesn't mean your data is safe. Perfectly reasonable position to take. Cynical, but cynicism is congruent with the whole concept of a warrant canary. Imagine, a company lying about protecting your data!


If they are lying, the warrant canary opens them up to a substantial lawsuit.


Doubtful. Have you seen any precedent?


Folks, keep your warrant canary short. 1 paragraph statement of intent, date, maybe a headline, signature. That's it.


Do you suggest there is any security benefit of a short canary? Or is it just about keeping a canary simple and comprehensible even for non-technical users?


If you'd like you may provide a rebuttal for whichever you feel strongest about


You haven't provided any argument to rebut, only an assertion.

On the surface, there appears to be no actual canary-specific value to keeping the text short. If you have a specific reason you disagree, feel free to bring that argument forward.


If rsync devs cared about brevity then we might have had a decent syncing client


rsync.net and rsync the open source project aren't related, afaik/afict. At the very least, no one at rsync.net has been the maintainer or original dev of rsync. Rsync either doesn't enforce their trademark, or rsync.net has an agreement with the project.


They definitely are not related


rsync.net works well with borg, fwiw.


I wonder about these bits of current news that are embedded in the signed message.

Norway: https://imageio.forbes.com/specials-images/imageserve/60ce8f... (2021 - the Norway curve looks like it was headed to 80% but forecasters adjusted it to be in tandem with the other nations.)

Tens of thousands view body of former Pope Benedict:

https://www.theguardian.com/world/2020/aug/03/former-pope-be... (2020)

North Korea's Kim sacks No. 2 military official

This one is funny. A bit more 'unpredictable' than having "NK's Kim launches missiles towards Sea of Japan" I suppose.

So my q, especially given AI, is are these 'current news' bits really unpredictable? And if the message is signed anyway (and we hope the key is not compromised) what other purpose does this serve beyond key rotation issues (and they don't rotate these pub keys, right?)

p.s. If these bits are supposed to be as unpredictable as possible, then we should note that any matter related to trends in industrial, technical, political, and major religious organizations (the Vatican) arenas are the bread and butter of security services of state actors. The current bits should be things that can neither be creations of state actors (i.e. sock puppets in 4chan starting a trend) nor matters that they by definition are laser focused (such as industrial output of near peers).


They're sufficiently unpredictable, especially the exact phrasing (and the sport scores), that they offer pretty good proof that the message was signed recently. I suspect it's mostly to show that they have not been lazy and prepared all the messages well in advance (which if they did could conceivably weaken the scheme somewhat). But I agree it's probably a minimal improvement in the usefulness of the canary.


The problem with sports scores is that it would be trivial to procedurally generate signed messages ahead of time for thousands of different team names and scores, and then select one that matches the eventual reality.


Let's say a state actor needs a window of 1 week to do some mischief. Just a couple of days to compromise network x. Assume the exploit is worth knocking off a known person, or creating a newsworthy event. I think these bits give a false sense of security.


This doesn't really protect from a targeted attack by a nation state dead set on keeping it a secret. That would be almost impossible. This is supposed to protect against the much more likely scenario that some government authority or government official decides to commit an overreach and order the disclosure of data and a gag order, but without the full support of the nation's information agency.

It's not supposed to guarantee Putin that the US hasn't seen his porn collection. It's supposed to tell me (a regular guy) that the government hasn't seen my vacation photos in secret.


> If these bits are supposed to be as unpredictable as possible

That isn't the purpose of the embedded headlines. They are to show that the canary file was not created and signed two years ago and only just now posted to the website.

They serve the same purpose as what used to be used in movies and TV years ago for "kidnapping" story lines where a photo of the kidnapped person, holding up a current copy of some major newspaper, was sent to the person who was being asked to pay the ransom (or perform some other action) in order to secure release of the kidnapped individual. They show that the item in question is current and not prepared well in advance.


That is understood. The life cycle of canary is n days, in this case apparently 7 days. Industrial output, economic stats, health of world figures, and Vatican whispers are precisely what a state intelligence agency is supposed to know before the general public. The idea is that the message embeds bits of information that were disclosed at a specific point in time and my point is that these types of bits are not that unpredictable for the sort of adversary that necessitates canaries.


So about how many consecutive weeks can they practically keep the conspiracy going?


Pope Benedict passed away on December 31 2022.

The article you linked to is titled "Former pope Benedict XVI reported to be seriously ill" and predates his death by more than two years.



