Time For a Warrant Canary Metatag?

timothy posted about 9 months ago | from the unless-double-secret-probation-prohibits-canaries dept.

The Internet 332

An anonymous reader writes "With the advent of national security letters and all the NSA issues of late, perhaps the web needs to implement a 'warrant canary' metatag. Something like this: <meta name="canary" content="2013-11-17" />. With this it would be possible to build into browsers or browser extensions a means of alerting users when a company has in fact received such a secret warrant. (Similar to the actions taken by Apple recently.) The advantage the metatag approach would have is that it would not require the user to search out a report by the company in question but would show the information upon loading of the page. Once the canary metatag was not found or when the date of the canary grows older than a given date, a warning could be raised. Several others have proposed similar approaches, including Conor Friedersdorf in The Atlantic and Cory Doctorow's Dead Man's Switch." What problems do you see with this approach?
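The check the submission describes (warn when the canary metatag is missing or its date is too old), as an added JavaScript example that is not part of the original post or of any browser's code. The 30-day threshold, the status names and the sample page are assumptions; the regex tag scan stands in for the DOM lookup a browser extension would use.

```javascript
// Added example: evaluates the proposed <meta name="canary" content="YYYY-MM-DD"> tag.
// MAX_AGE_DAYS and the status names are assumptions; the proposal only says
// "older than a given date".
const MAX_AGE_DAYS = 30;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample page (not taken from any real site).
const SAMPLE_PAGE =
  '<html><head><title>Example</title>' +
  '<meta name="canary" content="2013-11-17" /></head><body></body></html>';

// Parse the attributes of one <meta ...> tag into an object with lowercase keys.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>\/]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Strict YYYY-MM-DD parser; returns UTC midnight in ms, or null if invalid.
function parseCanaryDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(text.trim());
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const back = new Date(Date.UTC(y, mo - 1, d));
  // Reject dates such as 2013-02-30 that Date would silently roll over.
  if (back.getUTCFullYear() !== y || back.getUTCMonth() !== mo - 1 ||
      back.getUTCDate() !== d) {
    return null;
  }
  return back.getTime();
}

// Classify a page as fresh, stale, missing, malformed, ambiguous or future.
function checkCanary(html, now = new Date()) {
  // A commented-out tag must not count as a live canary.
  const visible = html.replace(/<!--[\s\S]*?-->/g, "");
  const tags = visible.match(/<meta\b[^>]*>/gi) || [];
  const values = tags
    .map(parseAttributes)
    .filter((a) => (a.name || "").toLowerCase() === "canary")
    .map((a) => a.content || "");

  if (values.length === 0) return { status: "missing", ageDays: null };
  // Two canary tags with different dates (for example one injected through
  // user-supplied markup) cannot be trusted; do not pick one silently.
  if (new Set(values).size > 1) return { status: "ambiguous", ageDays: null };

  const stamp = parseCanaryDate(values[0]);
  if (stamp === null) return { status: "malformed", ageDays: null };

  const today = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate());
  const ageDays = Math.round((today - stamp) / DAY_MS);
  if (ageDays < 0) return { status: "future", ageDays };
  return { status: ageDays > MAX_AGE_DAYS ? "stale" : "fresh", ageDays };
}

// Every status other than "fresh" is what the submission would surface as a warning.
function shouldWarn(result) {
  return result.status !== "fresh";
}

console.log(checkCanary(SAMPLE_PAGE, new Date(Date.UTC(2013, 10, 20))));
```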


Uhh (5, Insightful)

Anonymous Coward | about 9 months ago | (#45448351)

They would force you to keep the "all-clear" signal with guns pointed at your head? That might be a problem.

Re:Uhh (4, Interesting)

JDeane (1402533) | about 9 months ago | (#45448389)

That and if your company's router is compromised at the firmware, who is to say that the company even knows its data is being compromised?

Even talking about things like a warrant to do a wire tap, I don't think the agencies are forced to tell anyone "Hey we are tapping your communications, here is the warrant."

Also some companies willingly work with these agencies so they probably wouldn't use this tag.

Re:Uhh (4, Insightful)

PPH (736903) | about 9 months ago | (#45448445)

That and if your company's router is compromised at the firmware, who is to say that the company even knows its data is being compromised?

However, upon discovering that my router has been compromised by persons unknown, there's nothing stopping me from raising a general alert with my customers.

The warrant problem can be solved by forcing law enforcement to deliver all warrants in the clear. My company exists purely in cyberspace. There is nobody in authority who can be contacted in person. All requests for assistance must be submitted in clear text, deposited in a publicly readable drop box on our server.

Authority to approve hosting expenses (1)

tepples (727027) | about 9 months ago | (#45448503)

My company exists purely in cyberspace. There is nobody in authority who can be contacted in person.

Other than the registrar of your domain and the owner of the IP address block from which your site is hosted. Follow the money to the identity of the person with authority to approve hosting expenses.

Re:Authority to approve hosting expenses (1)

PPH (736903) | about 9 months ago | (#45448635)

Follow the money to the identity of the person

Corporation based in the Cayman Islands. Old solution. Very effective.

Attempts to follow ownership trails overseas by US LEAs do not share protection from disclosure like domestic operations do. There is no law in many jurisdictions stopping an overseas attorney from informing me (and anyone else interested) that people have been poking around, asking questions.

Re:Uhh (1)

roninmagus (721889) | about 9 months ago | (#45448555)

Why would I want to do business with a company with no clearly defined contacts?

Re:Uhh (2)

Opportunist (166417) | about 9 months ago | (#45448649)

Because money, and because just 'cause you know who to sue doesn't mean jack anymore in a world where money makes right.

Re:Uhh (4, Funny)

PPH (736903) | about 9 months ago | (#45448659)

You do all the time. When was the last time you spoke to someone at Amazon? And it's not an issue of not being clearly defined. There's a very clear process for contacting the company. Place a message in the public folder*.

*If some private communication is needed, upon determining the nature of your request, we can exchange encryption keys. All law enforcement will be requested to use double ROT13.

Re:Uhh (5, Insightful)

ShanghaiBill (739463) | about 9 months ago | (#45448669)

My company exists purely in cyberspace. There is nobody in authority who can be contacted in person.

I call BS. In every jurisdiction I have ever heard of, you are required to provide a physical address when registering a business, and any warrant or summons delivered to that address during normal business hours is generally considered "served".

Slavery hack (5, Insightful)

tepples (727027) | about 9 months ago | (#45448491)

They would force you to keep the "all-clear" signal with guns pointed at your head?

There's a way to hack around this by exploiting a Civil War-era constitutional amendment. The company announces in advance, through the canary meta element or another : "If we receive one of several requests, $NAME and $NAME and $NAME will leave the company's employment." I don't see how the government can compel a private employer to compel an employee to continue working for the employer without it being deemed "involuntary servitude" in violation of the employees' Thirteenth Amendment right to quit. So if a certain set of employees is suddenly working for a different company, it's more likely than not that the company has received a classified order to violate a customer's privacy.

Re:Slavery hack (5, Insightful)

Predius (560344) | about 9 months ago | (#45448571)

By announcing the plan ahead of time, you are saying the actions are in direct response to, and a way to covertly signal that a warrant with gag order has been issued. Hell, your announcement may trigger legal action BEFORE a warrant is ever issued.

Re:Slavery hack (0)

Anonymous Coward | about 9 months ago | (#45448781)

I know this sounds dumb, but if you think you're being bugged, sometimes those transmitters show up on antique AM/FM radios: when you key the keyboard you'll hear a click....... If you can't beat them, the least you can do is waste time, money and irritate the fuck out of them.

Re:Slavery hack (1)

djmurdoch (306849) | about 9 months ago | (#45448637)

So the day after this announcement, they issue one of those requests.

The FISA court would grant them authority to do so, in order to protect the integrity of the FISA system. They would see the notice itself as grounds to issue one targeting you.

Are you volunteering to be one of the names who promises to quit?

Re:Slavery hack (4, Interesting)

gweihir (88907) | about 9 months ago | (#45448819)

In a police state, almost any sort of behavior can be compelled for any amount of time. You underestimate the moral corruption of those with power and vastly overestimate the value of the US constitution. Hint: The US has been operating an extra-legal KZ for quite some time now. They could not do that if the US constitution had any value.

So just threaten said employees with life in prison for exposing "secrets critical to national security" and you are done.

Re:Uhh (0)

Anonymous Coward | about 9 months ago | (#45448633)

The first post is redundant?

Re:Uhh (3, Insightful)

gweihir (88907) | about 9 months ago | (#45448801)

Indeed. The feds may be stupid, but even they can learn from experience, and most of them can read. So if this becomes a standard, they will at some time manage to understand the concept (possibly with outside help) and implement countermeasures. Look at Lavabit: The owner decided to use his whole company as a canary and while it worked, he had to stand up to severe legal threats that may only fail because no respective secret law was in place. It will be by now and triggering your canary could award you life in prison.

No, the only way to deal with a police state (and in many respects the US is now one) is to leave the country and move business to the free world.

Incidentally, this whole idea is an example of engineers trying to fix human problems with technology. That does not work. Data leakage, privacy invasion, online fraud, surveillance, etc. all cannot be fixed with technology. "The law" is just as unsuitable as it is a technocratic construct. The only thing that works is banning the scum that commits these heinous acts against freedom, trust and honor from being regarded as part of the human race when discovered. Nothing less will work.

Re:Uhh (0)

Anonymous Coward | about 9 months ago | (#45448907)

No, the only way to deal with a police state (and in many respects the US is now one) is to leave the country and move business to the free world.

Free world? You mean Antarctica?

The problem I see (5, Insightful)

elrous0 (869638) | about 9 months ago | (#45448357)

The person adding the metatag rotting in a federal prison?

Re:The problem I see (3, Informative)

game kid (805301) | about 9 months ago | (#45448379)

Yup. from the unless-double-secret-probation-prohibits-canaries dept., pretty much.

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting NSLs. Your idea will not work. Here is why it won't work. ... [craphound.com]

Re:The problem I see (1)

tepples (727027) | about 9 months ago | (#45448423)

Yup. from the unless-double-secret-probation-prohibits-canaries dept., pretty much.

Why am I thinking of the film Birdman of Alcatraz [wikipedia.org] ?

Re:The problem I see (1)

girlintraining (1395911) | about 9 months ago | (#45448839)

The person adding the metatag rotting in a federal prison?

You're ignoring another part of the equation, perhaps even more important: A 100% conviction rate. Law enforcement need only enter a properly-formatted search string into one of dozens of popular search engines, and it will happily print out a list of every website bearing this meta tag. A whois search and a phone call later, it's time to kick in the door of Sir Web Provider, demand the customer records for the web site, and then rain down upon him like... well, like the NSA. -_-

The fact that a company has received a NSL doesn't provide any context by itself; Any sufficiently large company can probably be expected to have received at least one. It offers you no guidance on a course of action, either as a citizen or a criminal.

And you're giving them an argument to expand their powers that may just hold weight with the current sitting justices: If companies are leaking that they're receiving NSLs, then one easy solution would be to spam them on pretty much every company with over 500 employees. Thus your "canary" meta tag appears on every. damn. page., and loses any value as an indicator.

technical fixes for political problems (5, Insightful)

gl4ss (559668) | about 9 months ago | (#45448365)

do not work.

like, what the flying fucktonmeister fuck? why do you think it would be exempt from the "don't tell the victim of surveillance" rules because it's a metatag?

best you can do is close down the service. that is it! and even then you'll have to fight in court!

Re:technical fixes for political problems (1)

Anonymous Coward | about 9 months ago | (#45448467)

Disclose it through Wikileaks. They'd have to prove you leaked it.

Re:technical fixes for political problems (4, Insightful)

Anonymous Coward | about 9 months ago | (#45448629)

They have to prove stuff now?

Re:technical fixes for political problems (3, Insightful)

gweihir (88907) | about 9 months ago | (#45448841)

They have to prove stuff now?

Don't think so. They can already hold people indefinitely without even charging them. Just look at Gitmo. So while technically these people are not serving a life sentence, it seems the only difference is that the conditions they are imprisoned under are worse. No, in a police state they can lock you up any time they want in order to force you to do or do not do whatever they want. The US is at the very brink of being a police state, the only reason it is not is its large size and hence slow movement. All the mechanisms are already in place, it just needs some scaling up.

Re:technical fixes for political problems (0)

Anonymous Coward | about 9 months ago | (#45448519)

Exactly. These are our governments. Stop trying to fight them and start fixing the governments themselves. Next election ask the candidates repeatedly "what measures are you taking to make the government more transparent? Do you promise to pass a law making all secret warrants illegal? How can you convince us 100% that you will keep your promises?"

Re:technical fixes for political problems (2)

rasmusbr (2186518) | about 9 months ago | (#45448547)

Exactly. These are our governments. Stop trying to fight them and start fixing the governments themselves. Next election ask the candidates repeatedly "what measures are you taking to make the government more transparent? Do you promise to pass a law making all secret warrants illegal? How can you convince us 100% that you will keep your promises?"

That's not going to work.

This might work: Gather plenty of like-minded people and go to the politician's office tomorrow and demand the answer to those questions right away. Then do the same thing again and again until they pass acceptable laws and regulations. If the politician stops showing up at work; go to their house instead.

Re:technical fixes for political problems (3, Interesting)

Anonymous Coward | about 9 months ago | (#45448621)

Gather plenty of like-minded people and go to the politician's office tomorrow and demand the answer to those questions right away.

Which office?

The local one that he only goes to during elections?

Or the one in DC that he's hardly ever at for various reasons. And if your group shows up, all of you will be welcomed by Capitol police and other federal agents in riot gear, and you will be escorted to a "Free Speech Zone". Resist - like don't move - and on the 5 o'clock news you'll see "Protestors in DC against surveillance arrested for violent behavior." The TV watching zombies watching will just shake their heads over those silly Liberals and their desire for "Civil Liberties" - because we all know, only pinko communist-socialist-anti-capitalist-hippy dirtbags are interested in civil liberties. The TV watching zombies only care about issues that they are told to care about - and this issue is disappearing from the zombie tube.

No thanks to the asshats who resort to violence, those corrupt sub-human people can now justify the use of force.

Here IS what's working - the Billionaire class is pissed that the Snowden leaks are hurting their income (folks in other countries don't want to buy US products because of the NSA back doors in them). NOW the politicians are listening.

Re:technical fixes for political problems (1)

houghi (78078) | about 9 months ago | (#45448593)

What measures are you taking to make the government more transparent?
* We will take any measure needed to do this.
Do you promise to pass a law making all secret warrants illegal?
* We promise to not only pass such laws, but to uphold them as well.
How can you convince us 100% that you will keep your promises?
* I have stated this publicly AND I give my word as a politician.

Now please be a nice citizen and vote, so I can get my check from the people who really matter.

Re:technical fixes for political problems (0)

Anonymous Coward | about 9 months ago | (#45448675)

Your answers are worthless. Note to public: do not vote for houghi or any member of his party, if you do you will give up any freedom that is left. Better to have no government at all than have someone as evasive as houghi run the country. And make sure you remember houghi and never ever let him/her near any form of government.

Re:technical fixes for political problems (1)

srichard25 (221590) | about 9 months ago | (#45448613)

This would be great if a majority of the voting public actually gave a damn. Unfortunately they are too concerned with Miley Cyrus to care about our government spying on us.

Re:technical fixes for political problems (0)

Anonymous Coward | about 9 months ago | (#45448945)

So how much does it cost to run ads in YouTube & Google that say "if you elect goughi [slashdot.org] you will not be able to listen to Miley Cyrus anymore"?

Re:technical fixes for political problems (1)

Anonymous Coward | about 9 months ago | (#45448595)

The idea is that you can't tell them, but they can't force you to lie. They can just force you to say "no comment", instead of "no, we have no such warrant".

Logically:
Day 1 "No, we have no such order."
Day 2 "No, we have no such order."
Day 3 "No, we have no such order."
Day 4 "No, we have no such order."
Day 5 "No, we have no such order."
Day 6 "No comment."

Oh oh.

Technical fixes temporarily work (4, Insightful)

TubeSteak (669689) | about 9 months ago | (#45448751)

like, what the flying fucktonmeister fuck? why do you think it would be exempt from the "don't tell the victim of surveillance" rules because it's a metatag?

Because laws are rarely written to cover every variation that could possibly circumvent them.
People regularly take advantage of this until legislation is written to patch the loopholes.

There might be less wiggle room because "national security," but there is undoubtedly room to maneuver.
And as TFA mentioned, the issue of government compelled speech is much thornier than government compelled silence.
I'd love to see the Supreme Court argument on why the government can compel you to continue digitally signing a certificate that says the government is not spying on you (even when they really are).

Re:technical fixes for political problems (0)

Anonymous Coward | about 9 months ago | (#45448793)

I find it amusing that, given the courts' lack of keeping up with technology, not that they really can anyways, and US legislators' over-reaction to technology out of fear and control, something like this is even being suggested by anyone with competence.

I won't go down the rabbit hole with where the problems are with even suggesting something like this, other than to say, ABUSE ABUSE ABUSE, and NOT by the FEDs.

Subject to phishing.. (1)

blueboy13 (2861519) | about 9 months ago | (#45448369)

Never mind the Canary insert. A company's reputation is at risk. Quick! Make a page that copies this and we'll use it to our advantage. My company will not go down in flames because someone writes/posts something bad about us. I wanna be like Amazon! Likes, likes, likes, and a reputation for filtering out the bad and inserting only the good. Time's a wastin'! Let's get crackin'! (end of sarcasm)

What does this solve? (5, Insightful)

Anonymous Coward | about 9 months ago | (#45448377)

I'm not really sure what problem this solves, or how the outcome would change if the canary "died."

We're well-aware that many companies are required to produce information via FISA court orders, national security letters, or other means. What we don't know-- in many cases-- is how often, what information is obtained, by whom, and for what purpose. The "canary" doesn't answer any of the unknowns, except that a particular company received at least one such order, which is of extremely limited value (if of any at all).

What type of canary? (1)

marcroelofs (797176) | about 9 months ago | (#45448381)

I was temporarily confused because of the word 'canary' also meaning a 'singing bird' in mobster circles. I assume the miners' version is meant (the one that faints of mine gasses).

Re:What type of canary? (0)

Anonymous Coward | about 9 months ago | (#45448461)

Any kind of canary associated with content and a date. You can use this information as you please.

Re:What type of canary? (0)

Anonymous Coward | about 9 months ago | (#45448529)

I was temporarily confused because of the word 'canary' also meaning a 'singing bird' in mobster circles. I assume the miners' version is meant (the one that faints of mine gasses).

You're only adding to the confusion. What is a 'singing bird' in 'mobster circles'?

Re: What type of canary? (0)

Anonymous Coward | about 9 months ago | (#45448561)

I don't know 'bout them corrupt furriner o'er in Rebrobatia, but in 'Merica we say "Stool Pigeon."

Re:What type of canary? (0)

Anonymous Coward | about 9 months ago | (#45448855)

As in 'Singing like a canary' http://goo.gl/xdo6Hv

Re:What type of canary? (5, Funny)

dotancohen (1015143) | about 9 months ago | (#45448607)

European.

Re:What type of canary? (0)

Anonymous Coward | about 9 months ago | (#45448757)

oblig xkcd [xkcd.com]

Are you really this dumb, Timmeh? (3, Insightful)

Desler (1608317) | about 9 months ago | (#45448399)

What problems do you see with this approach?

Gee, I don't know Timmeh. Maybe the fact that it would break the gag order and you'd be sent to the federal pen?

Attempts to communicate receipt of secret orders (3, Insightful)

Anonymous Coward | about 9 months ago | (#45448401)

either through action or inaction are considered illegal by the secret laws ruled by the secret courts. Secret.

Stupid idea (0)

Anonymous Coward | about 9 months ago | (#45448409)

Either
1) feds catch you removing the canary (yes not telling them about the canary and the canary removing itself automatically makes you guilty) and you can expect a hefty prison sentence in fed pen. or
2) they realize you are using a canary, and force you (thru warrant, or just plain "you want 20 years of fed pen, punk?") to still transmit the canary, thus giving a false sense of security to your user.

Either way I doubt the usefulness of the scheme.

Under the rug bullshit (1)

morcego (260031) | about 9 months ago | (#45448415)

How about we stop trying to sweep shit under the rug, while sitting calmly in our homes and playing Candy Crush on facebook, and start acting like responsible citizens and taking steps to improve the government?

Hit the streets protesting, vote responsibly, gather signatures to force your representatives to take measures.

When you propose or implement things like this, you are sending them the message that it is ok to do it.

Re:Under the rug bullshit (2)

TheGratefulNet (143330) | about 9 months ago | (#45448489)

force your representatives to take measures

sadly, to get this to work you have to remove THEIR fear, as well.

they answer to superiors (nsa, etc) and their 'parents' won't really agree no matter how much we little people want things to change.

not even money will make this fix happen. this is beyond bribing (which usually works for those in elected offices).

revolution is the only way to fix this. I don't see the NSL's ever going away in the next 20 or so years unless there is a bloody and violent fight about it.

I wish it were not true. but I have zero hope that using 'conventional methods' we can reverse the trend in gov spying and secret powers. 'asking' your elected officials to change it is less than useless, can't you see that?

as long as people think that the system will fix itself (it won't), nothing will change.

Weird legal situation (4, Interesting)

martas (1439879) | about 9 months ago | (#45448421)

I've heard similar proposals before, and it seems very murky from a legal standpoint. With a highly automated system like this meta tag, I think most judges wouldn't have a problem deciding that you violated the terms of a secret warrant by not updating it. The proposal I heard was to try to circumvent this by making the "canary" something more complicated -- imagine that, every day that you didn't receive a secret warrant, you went to some location in your city, took a photo, and posted it on your webpage. Could a judge then force you to keep doing so? Or even more extreme -- every day that you don't receive a warrant, you run a 10K. Could a judge force you to keep running? Or keep going to work? Or keep self-mutilating in some way? At what point are a person's basic liberties more important than the secrecy of the warrant?

My guess would be that in any of these instances, no judge would rule that you must keep updating the canary. However, I'd imagine that they might rule that you broke the law by setting up the canary in the first place. Of course, there's an obvious problem with that -- as long as you never get a secret warrant, you clearly couldn't be prosecuted for violating one. So it's a weird situation where an action that is otherwise legal, becomes retroactively illegal upon receiving a secret warrant. It's a bit of a mindfuck.

Re:Weird legal situation (1)

JDeane (1402533) | about 9 months ago | (#45448463)

It's the grey areas I like to avoid... A judge having a bad day or is just in a bad mood may decide that they want to interpret the law such that you end up in prison for 20 years.

My best advice to anyone would be steer away from using anything like this. Even better would be to avoid the situation where something like this would even be useful to anyone.

Re:Weird legal situation (1)

martas (1439879) | about 9 months ago | (#45448497)

I agree, I personally wouldn't take this kind of chance. However, I think it's a really interesting legal question, so I'd kind of like to see someone attempt something like this. Might go all the way up to the SCOTUS (though it might be kept secret, too).

Re:Weird legal situation (0)

Anonymous Coward | about 9 months ago | (#45448645)

There have already been cases like this. Gag orders are designed to PREVENT COMMUNICATING MESSAGES. Therefore, if you have a canary on your website, they can and will make you communicate the message or, more likely, take over your website and do it for you to PREVENT COMMUNICATING a message. They've done similar things in the past (albeit not involving websites) and they will in the future.

Re:Weird legal situation (3, Insightful)

GIL_Dude (850471) | about 9 months ago | (#45448537)

None of this matters. If any sort of canary became popular - EVERY site that had one would immediately get one of these secret orders. That order may be for something ludicrous (home phone of the CEO or something), but they would ALL get a secret order immediately. Boom. All the canaries are dead. And they no longer provide any information. Your move internet...

Re:Weird legal situation (1)

wvmarle (1070040) | about 9 months ago | (#45448863)

The proposal I heard was to try to circumvent this by making the "canary" something more complicated -- imagine that, every day that you didn't receive a secret warrant, you went to some location in your city, took a photo, and posted it on your webpage. Could a judge then force you to keep doing so? Or even more extreme -- every day that you don't receive a warrant, you run a 10K. Could a judge force you to keep running? Or keep going to work? Or keep self-mutilating in some way? At what point are a person's basic liberties more important than the secrecy of the warrant?

In that case, one thing the judge can definitely not do, is put you in jail.

Re:Weird legal situation (1)

gweihir (88907) | about 9 months ago | (#45448901)

Don't be naive. Of course they can already force you to do that. The only way to break this at this time is if somebody sacrifices themselves. And they will plug that hole with a secret law as soon as possible. Don't forget you are living in a police state.

The key about secret laws is not that they are secret. The key is that you cannot fight them. And they get used whenever a government gets totalitarian, just look at history. Free countries do not have secret laws or secret courts.

Also look at what sorts of civil disobedience worked in Stalin's USSR or Nazi Germany or today's North Korea. The US is not quite there yet, but the authorities are working hard on it and many mechanisms are already in place. I see even less resistance from the US population to this than there was in Germany or the USSR.

Good idea, but make it company-wide totals (1)

TheRealHocusLocus (2319802) | about 9 months ago | (#45448427)

Let companies who really care, keep a tally of individual accounts under scrutiny, total transactional records captured for surveillance purposes: a set of standard metrics for the moment and cumulative by month and year.

Let this information be placed into the Canary meta-tag of every web result for everyone, and let web browsers and plugin developers find ways to display this information on the borders of the page.

People could watch the numbers grow over time easily, and could maintain a constant vigilance and awareness of this problem. What you're accomplishing is the same aim as these companies issuing regular bulletins you must fetch and read.

Its inclusion into the very protocol of the Web and placed on the status areas of browsers by default, would send a clear message that we are not amused.

If the government counters that releasing real-time stats on surveillance orders should be censored for reasons of National Security, let that one fly all the way to the Supreme Court.

In Soviet style USA (0)

Anonymous Coward | about 9 months ago | (#45448443)

In countries like the USA, where statistically every 3rd neighbor works for the military complex or security forces, questioning surveillance methods will land you in jail if lucky, or a landfill if you are a P.I.T.A.
Stop resisting changes. The void after official slavery ended has to be filled somehow.
That's how "American Dream(Nightmare)" works, by taking advantage of others.

NSA Response (0)

Anonymous Coward | about 9 months ago | (#45448449)

Of course the NSA will issue a secret cease letter to browser vendors to prevent them from supporting any organically designed feature that bypasses their goal. Information awareness on demand.

Transparency (1)

BringsApples (3418089) | about 9 months ago | (#45448469)

What I've never understood:

What if Google decided to say, "fuck it", and not only publicly post when they're asked for data, but details as to which accounts, what data.... everything! We all assume that the feds will scoop someone off to jail, but who'd it be? It's not like the government will take everyone that works at Google, or the stock holders, to jail. Google is huge, with more money than the government, could they not just bail out of jail, and fight it out in court? I mean the whole idea of there being a way that the American government can legally be able to go into private organizations and get their data puts in my mind the feeling that the American government is the head (CEO?) of all companies.

In short, who cares to know the numbers of accounts "searched", I'd only want to know if my account was searched. The rest is nonsense.

Re:Transparency (2)

elrous0 (869638) | about 9 months ago | (#45448521)

Senior management arrested, stock plummets, company liquidated. Example made.

Re:Transparency (1)

Opportunist (166417) | about 9 months ago | (#45448701)

And why can't we do that when a company commits an actual crime?

Re:Transparency (1)

gweihir (88907) | about 9 months ago | (#45448917)

And why can't we do that when a company commits an actual crime?

They could, but they have no reason to. A company that commits a crime is more pliable to their "requests".

I also suspect that they find their own image reflected in criminal companies and hence feel some sort of kinship.

Re:Transparency (1)

wvmarle (1070040) | about 9 months ago | (#45448893)

Google is too big to fail.

And I'm afraid that's indeed not a joke - Google is how people find stuff on the Internet. Without it, the Internet loses most of its value.

And no, also-runs like Bing and Yahoo will not be able to pick up the slack.

Re:Transparency (1)

BringsApples (3418089) | about 9 months ago | (#45448895)

Is that what they did when Google drove around the planet, finding.. er, "hacking" (I know, I know), people's wifi?

Re:Transparency (1)

qbast (1265706) | about 9 months ago | (#45448549)

Google has no mouth so it is not going to say "fuck it". Some person working for Google will have to decide and authorize this. Then you have people who actually implemented the decision. It is not really a big problem to find out who is going to rot in prison. Even if personal immunity was guaranteed, Google would never risk doing something like that - they have way too much to lose. For example if Google declines to hand over data quietly, FBI (or whoever) could take it themselves - seize all Google datacenters and search them for evidence for next several years.

The only people... (0)

Anonymous Coward | about 9 months ago | (#45448473)

Who get to skirt the spirit of the law in favor of the word of the law is the government. A judge would laugh at a company implementing this before throwing the book at them.

stupid programmers (0)

Anonymous Coward | about 9 months ago | (#45448479)

Courts are not deterministic machines executing the law and applying the facts of the case as if they were parameters to some sort of code. The Court, a.k.a. the judge, is a nondeterministic human being that is capable of stepping out from the rules and determining that you're trying to blow smoke up its ass, which The Court does not appreciate.

Re:stupid programmers (1)

tepples (727027) | about 9 months ago | (#45448505)

Courts are not deterministic machines executing the law and applying the facts of the case as if they were parameters to some sort of code.

They are if they don't want their cases overturned by a higher court.

Re: stupid programmers (0)

Anonymous Coward | about 9 months ago | (#45448817)

SCOTUS is the ultimate backstop. You still feelin' lucky with your NSA foiling scheme?

Yeah, that'll work (3, Insightful)

14erCleaner (745600) | about 9 months ago | (#45448487)

I'm sure online businesses will be eager to add a tag that says "don't visit my site".

Injunctions (0)

Anonymous Coward | about 9 months ago | (#45448507)

Injunction against removing the metatag.
Injunction against telling the individual who updates the metatag to stop updating it.

Right to quit (1)

tepples (727027) | about 9 months ago | (#45448515)

Injunction against telling the individual who updates the metatag to stop updating it.

The employee who updates the metatag is no longer with the company, and he has a constitutional right to quit [slashdot.org].

Re:Right to quit (2)

LVSlushdat (854194) | about 9 months ago | (#45448579)

We are to the point where I wonder why everybody keeps falling back on things like "constitutional right to quit".. It's now to the point where this government has spit on the constitution for so many years, and are now to the point of actively setting it on fire, bringing on its total and complete disregard by this government.. I love this country, served in its military in the 70s, but am embarrassed and sickened by its government.. We are WELL beyond "the ballot box" being able to fix the MANY problems, and the government is well on its way to be SURE that no corrections in it can be made by "the ammo box"... May God Bless and keep this wonderful country, as we certainly don't seem to be able to...

Re:Right to quit (1)

Predius (560344) | about 9 months ago | (#45448591)

Better get someone else to update it, under penalty of law, says mr injunction.

Re:Right to quit (4, Insightful)

qbast (1265706) | about 9 months ago | (#45448727)

Sigh, gag order compels company to not communicate something. It does not really matter what cute scheme you are going to think up, you are still liable. Actually this idiocy with canary metatag would probably cause harsher penalty as it plainly shows that you planned to violate any gag order you were served.

Too big to fail (1)

tepples (727027) | about 9 months ago | (#45448899)

What would the United States do if employees of Google, Apple, Microsoft, or another too-big-to-fail tech company whose absence could cripple the economy decided to file into the county jail one by one?

Three problems (1)

DMiax (915735) | about 9 months ago | (#45448543)

First, depending on how automated it is, the webmaster might be ordered to keep updating it. So updating the metatag must be a deliberate action and forcing you to update it would be akin to forcing you to lie. Still not clear that they would not do it or try to, though.

Second, in a larger organization the person updating the tag does not need to know whether the data has been compromised or not.

Third, many companies shared data "on a voluntary basis". Whether this is really voluntary or under some thinly veiled threat, there is nothing guaranteeing they won't lie on their own accord.

In conclusion, there is absolutely no way to make "the cloud" safe via technical means.

Re:Three problems (1)

ledow (319597) | about 9 months ago | (#45448565)

Nobody has to force YOU to lie. They just have to have you demonstrate how THEY could lie using your systems. And that they can legally coerce you to do already. And non-cooperation will see you up in court for failing to comply with a valid court order, so 99% of people will comply.

The rest is just obvious.

Precedent in other law systems (5, Informative)

ledow (319597) | about 9 months ago | (#45448553)

Same reason the British AA (Automobile Association, not alcoholics) were formed and (later) forced to change their ways.

The whole point of the AA was formed to inform members of police speed traps. Back in the days of red-flags in front of vehicles held by a man. If you were an AA member, and there were no police around, an AA employee would be required to salute you.

If, however, there was a police trap present, they would not. Absence of the salute was seen as just such a canary to warn you despite being a "non-action". Eventually it was ruled illegal and the AA and the RAC both became just "vehicle breakdown" companies.

When it comes down to it, if a court / police can argue that they need you NOT to trigger the canary (by inaction or otherwise), they will find a way to make you do it. They already redirect your DNS if they steal your domain, what's to stop them updating the canary themselves apart from a minor technical issue? All it will do is just get your whole domain seized to make you compliant.

ESPECIALLY if the entire point of the canary is to indicate to people whether you are subject to a (potentially LEGAL) court order not to reveal that you're under such an order. Little difference between that and you phoning up your buddy to warn him that you were just busted and the cops have his address - it's seen as deliberate evasion of the law. Even if the message is "I **WON'T** text you at 5pm if I've been raided".

The simple fact, though, is that such warrants are not a problem when they are legal and above-board. The problem is when they are not. Skirting the legal grey area yourself is not the correct response to the agencies skirting the legal grey areas.

If all else fails, they'll just institute a law to stop you doing things like this.

Re:Precedent in other law systems (1)

Anonymous Coward | about 9 months ago | (#45448761)

@ The simple fact, though, is that such warrants are not a problem when they are legal and above-board. :
This is in many cases untrue. There are many horrible laws on the books. Furthermore, there are situations where a company can be served a warrant which can be used to tap information about me, even though I myself haven't done anything wrong.

Magical thinking, (4, Insightful)

westlake (615356) | about 9 months ago | (#45448563)

With the advent of national security letters and all the NSA issues of late perhaps the web needs to implement a warrant 'warrant canary' metatag

"The web" doesn't implement anything. You do.

The exposure of a warrant in violation of a court order will land you in jail.

The judge won't give a damn about how cleverly you went about it --- until you come up for sentencing, of course.

pointless effort (0)

Anonymous Coward | about 9 months ago | (#45448575)

Folks, even the most free society in the world will have requirements for lawful collection of private digital data. It's a pipedream of utopia to think otherwise. Trying to create canary tags will not help. In the real world, there are criminals, hackers, hostile countries that want to undermine other countries. Not every bogey man is a political phantom--there are real threats in the real world. It's one small piece in the bigger picture of maintaining your national sovereignty. The debate needs to not be about whether or not this type of collection should exist, or how to create some sort of meta tag to undermine it; but rather the scope of it, where to draw the line, and where it fits into the national legal framework.

Canary tags and such wasted efforts by the technical community. Rather, we need to calmly and rationally ask ourselves why every free society in history has decided they needed a wiretapping capability. How do we address those legit concerns with legit privacy concerns? How can technology positively contribute to finding such a balance? The positions and efforts I see the technical community recently taking will simply leave us without a role to address privacy issues that modern societies and governments are trying to solve.

Shades of gray (1)

gmuslera (3436) | about 9 months ago | (#45448581)

Once you accepted that you can have secret laws to force providers to not tell something, how far is that from forcing them to keep updating that metatag or lying? Before that becomes a standard or something popular enough the law covering that chance will follow.

The system is broken already, there is no possible trust if you have secret laws to force even the most trustfully provider to follow their orders, stop playing boiling frog.

And if you think that things are bad enough already, think that we know so far a few of the 200000 documents [businessinsider.com] leaked by Snowden.

Simple solution (4, Insightful)

vikingpower (768921) | about 9 months ago | (#45448585)

Don't host anything in the USA. Don't use USA-based cloud services. Don't do business with USA companies. At my employer's, the national R & D institute of a smaller European country, we already don't anymore. Business keeps on going as usual. We live as if the USA would not exist. Can we be subject to surveillance, or eavesdropped upon ? Of course. But we are out of the legal hassle. As simple as that.

Cory's solution won't work, at least (2)

fatphil (181876) | about 9 months ago | (#45448603)

"Thereafter, the service sits there, quietly sending a random number to you at your specified interval, which you sign and send back as a "No secret orders yet" message. If you miss an update, it publishes that fact to an RSS feed."

Yeah, *you* sign it. Because the NSA won't have access to your private key, suuuuure....

Are you a cop? Cause you have to tell me... (0)

Anonymous Coward | about 9 months ago | (#45448605)

Last I checked it is a myth that an undercover cop has to reveal his/her identity if asked. Is there any thinking here that couldn't equally be applied to making drug purchases?

Let's say a drug dealer was caught by the cops selling drugs in which he always assured his clients he wasn't working with the police. Then he made a plea deal to work a sting on his clients. I'm pretty sure the cops would compel him to make the same, now inaccurate, assurance.

What company in its right mind (1)

rsilvergun (571051) | about 9 months ago | (#45448609)

would go around telling people that? After some thank yous from the /. community the fear and distrust it would cause would doom the company, and ticking off the feds wouldn't help either...

It's not that easy - (1)

the_skywise (189793) | about 9 months ago | (#45448627)

First off - Any company/individual that receives ANY warrant should be allowed to publish that fact. I think what's being searched might be reasonably kept secret but the government should never have the right to force you into an anal probe and then demand you keep it secret. That's just dictatorial BS and it needs to stop NOW.

That being said - Let's say you implement the canary... Then the government just makes a small request of the site in a regular time period. Now it becomes an effective whipping tool to stop undesired behavior.

The only way to win is to stop the government playing this game, which in the US it never had (and still doesn't have) the right to.

Another implementation (1)

irp (260932) | about 9 months ago | (#45448641)

A company (I've forgotten which, think it was a "pre-cloud" storage solution) used this approach:
Each day post a photo of the front page from a local newspaper, with the message that if said image was no longer updated, they had received a 'request'. The idea being that the government/law agency/whatever only have the legal means to make them STOP doing something, but are unable to force them to go through the trouble of uploading a new image each day. ... I remember wondering if there is some legal way to force a person/company to stop stopping...

Re:Another implementation (1)

ledow (319597) | about 9 months ago | (#45448683)

They don't need to force a company to upload anything.

They just require the company's co-operation to inform them of the correct process to reproduce what they would normally do, and access to their systems. Pretty much if you get to that point, you already have that.

And, again, uploading an image of a newspaper isn't authentication that the message came from the people who set up the canary. Any agency could say "Okay, we require access to your systems to perform law enforcement tasks that you cannot be party to... now we scan in the newspaper and upload it ourselves... done."

Re:Another implementation (1)

wvmarle (1070040) | about 9 months ago | (#45448933)

It has to be done every day. When you get a warrant, I suppose you have an option to object. Even delaying by a day or two would be enough.

adding crypto to meta tags (0)

Anonymous Coward | about 9 months ago | (#45448663)

think how your ssl does a cert to you but now you include this into the tag and it has a time stamp

if you have an admin that can do testing between sites and users you can then find "anomalies"

these oddities can then be publicized and let society push for "corrections"
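
Added example, not part of the original thread or any commenter's post: a monitor-side check for the `<meta name="canary" content="2013-11-17" />` tag proposed in the story, flagging the anomalies an admin testing sites could look for (missing, stale, malformed, future-dated or conflicting tags). The 30-day window, the function and class names and the sample pages are assumptions made here; a FRESH result shows only that the date is recent, not who wrote it.

```python
from datetime import date
from html.parser import HTMLParser


class CanaryTagParser(HTMLParser):
    """Collect the content of every <meta name="canary"> tag on a page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing <meta ... /> tags through here.
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "canary":
            self.values.append(attr.get("content", "").strip())


def check_canary(html, today, max_age_days=30):
    """Return (status, detail). max_age_days is an assumed policy window."""
    parser = CanaryTagParser()
    parser.feed(html)
    parser.close()
    values = sorted(set(parser.values))
    if not values:
        return ("MISSING", "no canary meta tag on the page")
    if len(values) > 1:
        # Two different dates on one page: treat as an anomaly, not as fresh.
        return ("CONFLICT", "canary tags disagree: %s" % ", ".join(values))
    try:
        stamp = date.fromisoformat(values[0])
    except ValueError:
        return ("MALFORMED", "content is not an ISO date: %r" % values[0])
    if stamp > today:
        # A future date would keep the canary "alive" without any update.
        return ("FUTURE", "canary dated %s is ahead of %s" % (stamp, today))
    age = (today - stamp).days
    if age > max_age_days:
        return ("STALE", "canary is %d days old (limit %d)" % (age, max_age_days))
    return ("FRESH", "canary is %d days old" % age)


# Constructed sample pages (not captured from any real site).
PAGE_OK = '<html><head><meta name="canary" content="2013-11-17" /></head></html>'
PAGE_NONE = '<html><head><meta name="description" content="shop"></head></html>'
PAGE_BAD = '<html><head><meta name="Canary" content="soon"></head></html>'
PAGE_TWO = ('<head><meta name="canary" content="2013-11-17">'
            '<meta name="canary" content="2013-10-01"></head>')
PAGE_FUTURE = '<head><meta name="canary" content="2013-12-25"></head>'

if __name__ == "__main__":
    today = date(2013, 11, 20)
    for label, page in [("ok", PAGE_OK), ("none", PAGE_NONE), ("bad", PAGE_BAD),
                        ("two", PAGE_TWO), ("future", PAGE_FUTURE)]:
        print(label, check_canary(page, today))
    print("ok, 45 days later", check_canary(PAGE_OK, date(2014, 1, 1)))
```
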

Subtle subversion won't work anymore. (1)

Anonymous Coward | about 9 months ago | (#45448715)

Nonsense. It's far too late to play subversive word games, America. Your secret judges will simply judge that any attempt to circumvent the gag order of a secret warrant, through action or inaction, will be illegal, and you will be forced to maintain any such canary. No matter what you try, they will attempt to coerce you to lie, to be complicit in their bullshit whether you want to or not.

I need to make it clear what this means. You are being ordered by your government, to become secret informants to spy on your comrades, and you cannot tell anyone about it or it will be a crime and you will be arrested, maybe even (the fear is) disappear to somewhere like Guantanamo. You are scared of your government. You are being terrorised by them. This isn't the sign of an open, healthy, free society with a strong tradition of democracy. That is the sign of a fascist police state. Right now. It's already too late.

And the rest of the world knows this, especially now. It has come to light. Everyone knows that no-one in your country, no person or corporation, can be trusted to have integrity while this system remains in place, unless you visibly fight for that integrity - stand up to it, absolutely and publicly refuse to cooperate, publish any such attempts - and, yes, be damned for it. The existence of these warrants is critically damaging to your national interests and reputation - far more dangerous than any bomb.

Our integrity sells for so little, but it's all we really have. It is the very last inch of us, but within that inch, we are free. It is small and it is fragile, and it is the only thing in the world worth having. We must never lose it or give it away. People fought for years to keep it. We must never let them take it from us.

Subtle resistance cannot fight this kind of terrorism. You have to stand in front of tanks, not knowing whether they will stop. You have to fight for your freedom, or they will take it away from you, and they will never give it back.

If anyone ever tells you to backdoor your code, Slashdot, would you, as people, have the brass balls (metaphorically or otherwise) to tell them to fuck off? Are your ethics strong enough to refuse, even in the face of legal coercion? Are you at least as badass as LavaBit?

You can come back to the global marketplace when, and only when, the answer is yes. Until then, very sorry, but we can no longer trust you, America, because you and everything you create could be made to lie, cheat and steal, and you'd be powerless to prevent it unless you dare to stand up to it. Don't like it? Dare to say no. And if you don't dare? Then that freedom your ancestors fought so hard for... you threw it away because of terror. Fucking grow a pair.

Liability to false information. (0)

Anonymous Coward | about 9 months ago | (#45448803)

I believe it is supposed to work as the canary is present to mean "We have not been served a warrant."
So as soon as they get a warrant they should stop updating that as they can then neither confirm nor deny the event.

However, this relies on the process from getting the warrant to stopping the update to in fact happen. What if they get the warrant then the process breaks and they do not clear the message. People still continue to use the site assuming there is no warrant, but one has been served and the process failed. This would make the company liable for claiming "we have not been served a warrant" when they in fact had.

When a simple mistake can lead to large liability don't expect companies to do that. Smaller shops might be able to have confidence in the process. Larger ones are more likely to have the process broken and would have larger liability.

Does this warrant a warrant warrant? (0)

Anonymous Coward | about 9 months ago | (#45448847)

Does this warrant a warrant warrant of a canary in a coal mine?

Easy government workaround (3, Insightful)

swillden (191260) | about 9 months ago | (#45448849)

All the government has to do to make this useless is to regularly send a warrant request to every web property of any note.

What's more interesting is the suit filed by several tech companies demanding permission to provide counts of National Security Letters and the number of accounts affected. Google has already negotiated permission to share this data as long as it's in ranges no smaller than 1000, which actually tells us most of what we want to know already (e.g. in 2012 Google received between 0 and 999 NSLs, affecting between 1000 and 1999 user accounts, which, assuming Google has about a billion users, means the NSLs have affected ~0.0001% of their user base), but exact numbers would be better.

As another poster said, technological solutions to policy problems don't work, at least not well. We need to fix the law.

Better idea (1)

Pichu0102 (916292) | about 9 months ago | (#45448851)

For a website about security, have a warrant canary on every user's page when they login. If it disappears, well, there you go. In addition, add a counter that, for every FISA request you get, increments the counter by 2, afterwards which you add 1 to, to get, say "We have not received 255 FISA requests."

The solution is simpler. (1)

couchslug (175151) | about 9 months ago | (#45448923)

Never, ever put anything in "cyberspace" you don't want the world to know. There is no "security", and any offer of that should logically be regarded as a trap.

Stop wanting dumb things. If you never, ever, put compromising info in the control of someone else then it cannot be handed off under coercion because it doesn't exist to be handed off. This situation is no different than handing off a paper copy of (information) in the pre-internet days and expecting it to be proof against warrant or subpoena.
