Cloudflare expands government warrant canaries in transparency bid. Companies may not be able to tell you what the government and or request of law enforcement has demanded. However, they can tell you what it has not.
Cloudflare has expanded its transparency report to include a wider range of “have nots” when it comes to government demands. An interesting loophole in the law which can give insight into gagging orders without being in contradiction of them.
The concept is known as a warrant canary. Named after the birds which have been used to warn miners of toxic elements in the air down mine shafts. Warrant canaries are used by some companies to let users know that secret requests for data or technological changes have not been received.
These ‘warrant canary‘ statements are posted in a public way and while they may seem counter-productive, the use of warrant canaries is a loophole in the law which simply states that no request has been received. Until these statements are removed.
By doing so, companies uphold the law on secret government requests and subsequent gagging orders which prevent them from revealing these demands, but they also maintain transparency, as users can ‘assume’ that such requests have been received, should the warrant canaries vanish.
The extent of government surveillance in some countries, such as in the United States, prompted the use of warrant canary tactics to maintain trust between companies and their users. Reddit removed its warrant canary in 2016 following what is generally believed to be a US National Security letter, which is used for the purpose of electronic surveillance.
Transparency reports and Cloudflare
Cloudflare has been publishing transparency reports since 2013, and in this year’s biannnual report (.PDF), the extent of the cloud service provider’s warrant canary has expanded.
The company’s existing warrant canaries are below:
- Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone.
- Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
- Cloudflare has never terminated a customer or taken down content due to political pressure.
- Cloudflare has never provided any law enforcement organization a feed of our customers’ content transiting our network.
New warrant canaries added
Three new warrant canaries are now included:
- Cloudflare has never modified customer content at the request of law enforcement or another third party.
- Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
- Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
In addition, Cloudflare has changed its first warrant canary,
“Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone,”
to now include the following:
“encryption or authentication keys or our customers’ encryption or authentication keys,”
given the depreciation and increasing age of SSL.
“It’s not enough for us to be transparent about the things we do willingly, because tech companies are pressured every day to take the easy way out and avoid controversy or conflict by doing seemingly small things easily and quietly that are corrosive to these values,” Cloudflare says.
Cloudflare expands government warrant canaries in transparency bid
Within the report, 19 criminal subpoenas received during 2018, and seven of those requests were answered.
21 civil subpoenas — for requests such as copyright claims — were issued in the same year (2018) and all were answered.
55 court orders received, 44 of which were answered.
Cloudflare says that should a request for information be received that is not deemed just, the company would:
“exhaust all legal remedies in order to protect our customers from what we believe are illegal or unconstitutional requests.”
Related Links:
ATM hacking has gotten so easy, the malware’s a game(Opens in a new browser tab)