/* ---- Google Analytics Code Below */

Sunday, January 12, 2020

Warrant Canaries are Here

A term that was new to me .... I remember well the notion of the 'canary in the coal mine', the canary tells us by dying, that something has happened.  Now the idea is broadened technically to indicate a simple signal that something has changed in a company, system. status ... '  The signal can be read by people or machines.       Warrant Canaries.

Recently discussed in an excellent Twit TV podcast .....
Also quoting from the podcast notes:

'.... A proposed standard for making warrant canaries machine readable.

This tidbit popped-up a few weeks ago and I didn't want to skip it:
https://nakedsecurity.sophos.com/2019/12/19/proposed-standard-would-make-warrant-canarie
s-machine-readable/

The term “Canary” comes from the idea of taking a canary down into a coal mine as a low-tech oxygen and noxious gas monitor. Wiktionary defines a “Canary in a coal mine” as “Something whose sensitivity to adverse conditions makes it a useful early indicator of such conditions; something which warns of the coming of greater danger or trouble by a deterioration in its health or welfare.”

Which brings us to “Warrant Canaries”...
The trouble was that government warrants compelling the release of information were typically accompanied by gag orders enjoining the served party from making any disclosures about being in receipt of such a warrant. In other words: "You must provide us with the following information and you cannot tell anyone that we asked and you provided."

When it was passed in 2001, the US Patriot Act enabled authorities to access personal information stored by a service provider about US citizens. It also let them issue gag orders that would prevent the organisation from telling anyone about it. It meant that the government could access an individual’s private information without that person knowing.

Privacy respecting companies like ISPs and cloud service providers want their users to know whether the government is asking for this information. The idea of the Warrant Canary was first conceived by a guy named Steve Schear in 2002 after the Patriot Act came into effect. The idea was to provide a passive way of warning people that an organisation holding their data has received a subpoena.

The idea is sheer brilliance: Instead of an organization telling people that it has been served with a subpoena (which is illegal under the Patriot Act), the organisation stops telling them that it hasn’t been service with a subpoena.

To do this, the organization displays a public statement online that it only changes if the authorities serve it with a warrant. As long as the statement stays unchanged, individuals know that their information is safe. But if the "nothing to see here, move along" statement changes or disappears, they can infer that all is not well without the organisation explicitly saying so.

The idea is clever, but, until now it hasn't scaled well. That may be about to change. The problem is that these statements have been ad hoc and designed to be read, interpreted and understood by people. This makes them difficult to track and monitor at scale... Which is what a warrant canary standard would solve.  ... "

No comments: