The beta backup service reminded me of something I've seen on rsync's site -- a "warrant canary" that states that they've never been served with a warrant to reveal a user's data.

http://www.rsync.net/resources/notices/canary.txt

Might be a nice thing for Linode to do -- unless they can't truthfully say that for some reason...

Observe the text rsync.net includes with the warrant canary, and think about it carefully.

While it's a nice thought, warrant canaries are, in reality, kind of silly.

* There's very little stopping authorities from interpreting secrecy requirements to demand the company continue to post updates, and threatening imprisonment for failure to comply.

* It is against the company's financial interests to reveal that they have been forced to surrender user data.

* In rsync.net's particular case, there's a critical word that appears nowhere in their "warrant canary" or even surrounding explanatory text: "subpoena". Subpoenas are an order to produce information, which is legally very different from a warrant and/or search/seizure, and are in fact far more likely to be served upon a data repository than a warrant, assuming the attorney issuing the subpoenas has the remotest understanding of how such things function.

Doing this still provides protection from LEOs that follow the letter of the law. Despairing because some LEOs will kneecap you -- regardless of legal circumstance -- is a losing attitude.


Nope. This demonstrates the best kind of goodwill from a vendor that needs (and necessarily gets) a large amount of trust from its customers.

A warrant canary is useless for a few reasons, some of which have already been touched upon:

1) The infamous National Security Letter requires that the existence of such a letter not be revealed. Not updating the canary would reveal the situation and would thus be a Very Bad Thing for All Concerned. The canary alleges that it's intended to prevent that, sure, but there's no way to know what the specific requirements and reactions would be should it actually happen.

2) It doesn't cover subpoenas, which are not at all uncommon. I suspect Linode handles a reasonable number of them, and I would be surprised if rsync.net has never received one.

3) If a search or seizure of Linode equipment were to occur, it would be extremely obvious and most likely intended as a critical strike on Linode, its datacenters, or its customers. You wouldn't need a weekly canary to tell you newark47 is cooling its heels in an FBI warehouse for the foreseeable future.

The warrant canary is not only completely useless, but it is dangerous because it gives the illusion of being useful against some unspecific threat.

Perhaps some person at rsync.net is indeed willing to martyr themselves by ignoring such an order, assuming that they are subject to such an order.


Thus, the rsync staff has already exposed themselves to some those Bad Things by publishing an intent to do an illegal thing.


So what? The claim is limited to warrants.


These guys can demonstrate you wrong just by having some balls if a warrant is executed. If their promise is false, or if they are compelled to break the promise, then the situation is no different than with any other service provider.


The threat is well specified: "a declaration that, up to that point, no warrants have been served, nor have any searches
or seizures taken place". Introducing the possibility of a subpoena or a total seizure takes the promise out of context.

You sound scared of the legal establishment, which is fair, but you're trying to fault somebody for hinting, just maybe, that they will take a stand.

"…hinting, just maybe…" - there's the problem. Canaries don't hint that there just maybe some firedamp in the coal mine - they reliably drop off their perches.

_________________
/ Peter

I'm not too scared of the legal establishment (it's the illegal establishment I'm afraid of...). However, there's a list of things I'm not willing to do for an employer, and "go to jail (or worse)" is relatively high on that list. Out of all persons with signing authority, only one needs to be successfully coerced and the canary fails.

Also worth considering: the canary is updated weekly. Let's say it gets updated on Monday mornings. The Feds legally deploy a search warrant and peruse the member list and logs from Marigold's Yaoi Zone (not your data at all; for the sake of argument, we'll say it's not physically anywhere near your data) on Monday afternoon. The canary doesn't get updated next Monday morning.

What do you, as a customer, do? The horse is not only already out of the barn, but there's no indication of which horse is out of the barn, which barn it is out of, or when it left the barn, or what the horse was carrying. Is there any reasonable response aside from posting something on Slashdot and fretting?

The more I think about it, it sounds more like a marketing ploy than a sound cryptographic application.

+1 for the QC reference

90% of everything is crap, and at least 90% of all security is security theater. Applying Sturgeon's Law to the Security Theater Law gives:

1% of all security is good in theory and in practice
9% of all security is good in theory but not in practice
9% of all security has no practical purpose but backfires or is so ludicrous as to provide some amount of comic relief
81% of all security is an absolute waste of time.

By that logic, wouldn't the 90% of the 10% that isn't crap be crap too?

Yes - and of the 10% of the 10% that isn't crap, well 90% of that is crap as well - and of of the 10% of the 10% of the 10% that isn't crap, well 90% of that is crap as well. Multiplying out the resulting infinite series reveals that only an infinitesimally small part of anything is any good. Seems a bit pessimistic.

_________________
/ Peter