
Rsync.net warrant canary

239 points by losfair, over 2 years ago

19 comments

Amorymeltzer, over 2 years ago
In 2006 this was, via Wikipedia[1], "[t]he first commercial use of a warrant canary," although it was proposed in 2002 on usenet.[2]

1: https://en.wikipedia.org/wiki/Warrant_canary#Usage

2: https://web.archive.org/web/20131103121048/http:/groups.yahoo.com/neo/groups/cypherpunks-lne-archive/conversations/topics/5869
tptacek, over 2 years ago
The weird thing to me about this canary document and others like it is that they cover *all* warrants, not just NSLs.

Warrant canaries were a reaction to the NSL process, which is invariably (and, I guess, permanently?) gagged, and was seen as exceptional and in some sense extra-judicial. It would be newsworthy for a service to be NSL'd, and further evidence of dragnet surveillance programs sweeping up Americans.

Ordinary search warrants and disclosure demands occur, presumably, all the time; they're issued by courts in individual felony cases, such as for drug conspiracies, child pornography, and white collar criminal conspiracies. Serious crime happens all the time; it's not really all that newsworthy for a warrant to issue in, like, an insider trading case.

So, what does it tell us if this particular canary document was taken down? Perhaps the DOJ is working with the intelligence community to dragnet the service, or establish a durable norm of being able to transactionally extract records that will amount to the same thing as a dragnet. Or, maybe, just some random state court judge in Oklahoma decided it was likely that somebody's meth distribution business kept records in that service. One of those is interesting, the other not.

Why not just have more than one canary if you're going to do it this way?

It's been this way for a long time, and I'm just now having this thought, so it's equally likely that my take here is just faulty; if so, let me know.
jwr, over 2 years ago
I've always wondered whether this has any chance of holding up in court. I know it depends on jurisdiction, but at least in my region (EU/Poland), courts consider intent rather than a literal interpretation of laws. You can try to be oh-so-smart and implement a "canary" that doesn't get updated if you get a warrant, but the court would consider not updating the canary as the same thing as notifying people that a warrant has been served.
dang, over 2 years ago
Related:

*The rsync.net Warrant Canary is now 15 years old* - https://news.ycombinator.com/item?id=26960204 - April 2021 (13 comments)

*Rsync.net Warrant Canary (2006)* - https://news.ycombinator.com/item?id=5899197 - June 2013 (50 comments)

*Rsync.net Warrant Canary* - https://news.ycombinator.com/item?id=5837351 - June 2013 (1 comment)

*Show HN: The rsync.net Warrant Canary* - https://news.ycombinator.com/item?id=4834362 - Nov 2012 (1 comment)

*Rsync.net Warrant Canary* - https://news.ycombinator.com/item?id=702247 - July 2009 (46 comments)
pbhjpbhj, over 2 years ago
So the law, presumably, says 'you can't tell people you've received a warrant' (or a national security letter?)?

Surely this convoluted scheme is still telling people you've received a warrant??

Has there been caselaw on this?
prirun, over 2 years ago
I don't understand the value of a warrant canary: if it goes away or is not updated, what is the suggested action of users of the service? Is everyone supposed to leave? Because that ain't gonna happen, fortunately for the service.

The bottom line to me is, encrypt your data before it leaves your control, and cross your fingers that whatever tool you used did it correctly. If the government wants to see which sites you are connecting to, it's easy enough for them to just ask Spectrum, Comcast, etc. So IMO, warrant canaries are useless.
llimos, over 2 years ago
Is there a dashboard from some neutral third-party validating that everybody's current warrant canary is in fact valid? Who would spot it if it either a) stopped being updated b) had an invalid signature, or c) the headlines were not current?
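Added example, not part of the thread or of rsync.net's own tooling: a monitor for the three failure conditions llimos lists, run over a constructed clearsigned sample. The cleartext-signature framing, the `Headline:` layout, the date format and the 8-day window are assumptions; the check flags a missing signature block but does not cryptographically verify one.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in OpenPGP cleartext-signature framing. The wording, the
# "Headline:" layout and the signature bytes are invented for this example.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Canary statement issued 2023-01-02
No warrants have been served on the example service.
Headline: constructed headline one
Headline: constructed headline two
- -----
-----BEGIN PGP SIGNATURE-----

Y29uc3RydWN0ZWQ=
-----END PGP SIGNATURE-----
"""

def split_clearsigned(text):
    """Return (signed_body, signature_present) or (None, False) if unframed."""
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n"
                  r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                  text, re.S)
    if not m:
        return None, False
    # Undo dash-escaping: signed lines starting with "-" are sent as "- -...".
    return re.sub(r"^- ", "", m.group(1), flags=re.M), bool(m.group(2).strip())

def check_canary(text, now, max_age=timedelta(days=8), min_headlines=2):
    """Alarms for the three conditions; max_age is an assumed update interval.
    Signature validity still needs an OpenPGP tool and the publisher's key."""
    body, has_sig = split_clearsigned(text)
    if body is None:
        return ["not-clearsigned"]
    alarms = [] if has_sig else ["empty-signature"]
    m = re.search(r"\b(\d{4}-\d{2}-\d{2})\b", body)
    try:
        issued = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):  # no date line, or not a real date
        alarms.append("bad-date")
    else:
        if issued > now:
            alarms.append("future-dated")
        elif now - issued > max_age:
            alarms.append("stale")
    if len(re.findall(r"^Headline: .+$", body, re.M)) < min_headlines:
        alarms.append("missing-headlines")
    return alarms
```
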
dvdplm, over 2 years ago
If a government agency issues a secret warrant, doesn't that imply rsync.net has to provide a valid canary at the right time as well? I don't get how this is useful.
merpnderp, over 2 years ago
Couldn't a judge issue a warrant to take control of the keys needed to update the warrant thus sidestepping the first amendment prohibition on compelled speech? Everyone would think it is Rsync updating the canary, but it would be law enforcement.
jakobdabo, over 2 years ago
I think this kind of warrant canary doesn't bring much value. It takes only one warrant to make this document historical. And then what?

I wish every account had its own warrant canary.
lifeisstillgood, over 2 years ago
What's the kings, wizards postscript about?
Nifty3929, over 2 years ago
Warrant canaries do not work, because they violate the spirit and law of what a gag or secret warrant means. No court would allow rsync to alert users this way without considering that a breach of the gag, just as if they said "hey we got a secret search warrant today."
jaxn, over 2 years ago
Go Grizzlies!
choeger, over 2 years ago
I would argue that stopping to publish these statements is equivalent to announcing that some warrant has been served. So if the latter is a criminal offense, why should the former be legal?
neilv, over 2 years ago
I'd actually prefer people *not* do warrant canaries, and instead do conscientious periodic compliance reporting.

Although a warrant canary sometimes suggests a very principled party (e.g., I first heard of *public librarians* doing it, decades ago), at the same time, it seems probably counterproductive.

For one example, as a customer of a service provider, I want them to be stable -- not potentially antagonizing those who could shut them down, nor getting involved in what (to me) seem like ambiguous technicalities over what they can and can't do.

For another example, imagine you run a service in which you've committed to a warrant canary. But one day a warrant comes, and you realize it's gravely important for the canary not to die and tip off some genocidal warlord you didn't realize was a customer. Now you're violating the canary assurance to your other customers, which is an assurance that you should've anticipated you couldn't give.

Alternative: Some of the modern compliance reporting by tech companies, about warrants/censorship/etc. seems less likely to cause showstopper problems, can convey more info, and is ongoing rather than single-shot.

Of course there will be warrants and other compliances, for various jurisdictions, and conscientious periodic reporting seems to help with civic checks&balances.

(BTW, I really like the idea of rsync.net and its hard-working founder, have pointed new customers to them, and have a TODO to move some stuff to them myself. The only proviso I've mentioned to people thus far is that there's an unclear bus factor.)
giancarlostoro, over 2 years ago
No updates since January 2nd, do they not update daily?
goshinda, over 2 years ago
What if rsync.net are lying, and the only purpose of the warrant canary is to provide a false sense of trust?

Be skeptical. This is almost certainly just a marketing ploy so potential customers feel like their data is safe and secure.
aliqot, over 2 years ago
Folks, keep your warrant canary short. 1 paragraph statement of intent, date, maybe a headline, signature. That's it.
eternalban, over 2 years ago
I wonder about these bits of current news that are embedded in the signed message.

Norway: https://imageio.forbes.com/specials-images/imageserve/60ce8f697bf2efc00def3ce0/S-shaped-curves-showing-EV-uptake-by-country--Norway-is-leading--US-is-lagging-/960x0.jpg (2021 - the Norway curve looks like it was headed to 80% but forecasters adjusted it to be in tandem with the other nations.)

Tens of thousands view body of former Pope Benedict:

https://www.theguardian.com/world/2020/aug/03/former-pope-benedict-xvi-reported-seriously-ill (2020)

North Korea's Kim sacks No. 2 military official

This one is funny. A bit more 'unpredictable' than having "NK's Kim launches missiles towards Sea of Japan" I suppose.

So my q, specially given AI, is are these 'current news' bits really unpredictable? And if the message is signed anyway (and we hope the key is not compromised) what other purpose does this serve beyond key rotation issues (and they don't rotate these pub keys, right?)

p.s. If these bits are supposed to be as unpredictable as possible, then we should note that any matter related to trends in industrial, technical, political, and major religious organizations (the Vatican) arenas are the bread and butter of security services of state actors. The current bits should be things that can neither be creations of state actors (i.e. sock puppets in 4chan starting a trend) nor matters that they by definition are laser focused (such as industrial output of near peers).