I speculate that the real reason they are canning the canary program is that it was headed for extinction all by itself anyway.
Reddit's canary is gone, and they made it as clear as they legally can that it was due to a National Security Letter.
Effectively the canary program lost one of its best assets and few people gave a damn.
The flaw at the heart of the canary program is that it relied on public uproar when a canary disappeared. In the absence of that, they will disappear one by one - death by a thousand cuts - and then the program itself is dead.
EFF have seen the writing on the wall and pulled the plug before the program was seen to be doomed anyway.
> How hard is it to run a "canary watch" though? The overhead has to be pretty low. Doesn't make a whole lot of sense to pull the plug.
I don't imagine the decision was based on resources, but rather on a realization that the "canary watch" didn't work, because people just didn't care. In that case, it might make more sense to abandon it rather than continue to suggest, in the face of evidence to the contrary, that it's a productive tool for keeping tabs on government overreach.
It makes reddit unusable for a lot of things (free & open communication being one of them). If you have something important to say then you don't say it on Reddit.
If you have cat pictures or want to talk about train sets then reddit.
I'm wondering if anyone's written a warrant canary best practices? I was hoping the EFF post would have or link to such when it started mentioning that "almost every canary is unique" and that makes it harder to track them.
I'm proposing we write a simple canary spec, for canaries that are both human and machine readable. A format could be, for instance:
* canary.txt in the root of the site.
* Optional text introduction, describing the canary's purpose, the way rsync.com does.
* PGP signed message with expiration date; content optional.
* Replaced by either a 404 or a 451, the 451 for those who want to be more explicit and like to live dangerously.
You probably shouldn't state you're compliant with the spec if you implement it.
I'm personally very willing to run a replacement canary watch, I'll see what I can set up over the weekend. I'm thinking of writing it in PHP, so it's easy to copy for others.
I'm thinking it'd be nice to couple it with a spider that automatically indexes these canaries, and to also have captcha'd "add your own" option.
Could anyone point me to a guide to setting up a HN-proof PHP server?
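Added example, not part of the thread or any poster's code: a minimal watcher-side check for the canary.txt layout proposed above (200 with a PGP-clearsigned message and expiration date, replaced by 404 or 451). The `Expires: YYYY-MM-DD` field name, the function name and the sample are assumptions; signature verification is left to gpg against a pinned key.

```python
import re
from datetime import date

# Clearsign framing only; the signature is NOT verified here (use gpg with a pinned key).
CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:Hash: [^\n]*\n)*\r?\n"
    r"(?P<body>.*?)\r?\n-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----",
    re.S)
# Assumed field name and date format; the proposal only says "expiration date".
EXPIRES = re.compile(r"^Expires:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.M)

# Constructed sample. The unsigned intro carries a decoy date that must be ignored.
SAMPLE = """Intro text, outside the signature.
Expires: 2099-01-01
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

No warrants or gag orders have been received.
Expires: 2016-06-30
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def check_canary(status, body, today):
    """Classify one fetch of /canary.txt. Returns (state, detail)."""
    if status == 451:
        return ("tripped", "451: removed for legal reasons")
    if status == 404:
        return ("tripped", "404: canary removed")
    if status != 200:
        # Outage or redirect: unknown, not evidence either way.
        return ("unknown", f"unexpected HTTP status {status}")
    signed = CLEARSIGN.search(body)
    if not signed:
        return ("invalid", "no PGP clearsigned block")
    # Only a date inside the signed text counts; the intro is unauthenticated.
    exp = EXPIRES.search(signed.group("body"))
    if not exp:
        return ("invalid", "no Expires line inside the signed text")
    try:
        expires = date(*map(int, exp.groups()))
    except ValueError:
        return ("invalid", "unparseable expiration date")
    if today > expires:
        # A canary that is not renewed trips on its own, like a missed heartbeat.
        return ("tripped", f"expired {expires.isoformat()} without renewal")
    return ("alive", f"valid until {expires.isoformat()}")
```

A watcher would call `check_canary` with the HTTP status and body of each fetch and alert on any transition away from `alive`.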
"She drove my computer, pulling the information she had into various spreadsheets. She translated my muttered, vague ideas into charts.
“This is called data mining.” She said the last words in English.
“Which of us is the canary?” I said."
-- The City & the City, China Miéville
As hammock2 mentions, it's hard to believe this requires much effort to keep running -- if the lack of standardization is the issue, couldn't they rather transition to supporting rsync-style (as mentioned by rsync) canaries only? (Yes, that would reset a lot of canaries)
Third party monitoring does seem to add value to canaries. One could perhaps argue that it's a job for archive.org -- but seeing as this is all set up, it seems like a shame to shuttle it.
I think it's reasonable to speculate that their canary might as well have not existed for the purposes of determining legal consequence. Without the expected uproar over an agency forcing a canary down, the agency has no reason to apply legal pressure on the company. Thus, reddit's canary gives you no real information about the likely reaction of a govt agency to the practice, and certainly no information about a court's view on its legality.
I'd love to see the same. I'm having a hard time understanding why signaling that a gag order exists with the removal of a canary wouldn't violate the gag order.
Right, exactly. A heartbeat. And further, the signing key could be deleted securely, so coercion or spoofing would be impossible. That, however, would be an arguably illegal action taken after the gag order. One could have an anonymous third party responsible for that. But then they have much power. And the signal to them would also be an arguably illegal action taken after the gag order.
This is pure speculation/assumption, but I'm guessing it's because the government can't compel someone to lie, or something like that. I have no citations for this, though... It's just what I always assumed when I heard about canaries.
If, on the other hand, the government is allowed to compel someone to lie, I'd really like to know more about that...
HAHAHAHAHAHA no man, techies don't know anything about the legal system, you could get them excited about any random concoction aimed at subverting a governmental function.
try it, pretend like it is gospel and they'll build entire business around it just for the rug to be pulled
What I found interesting is that Pinterest likely got one (or more) NSLs. Correct me if I'm wrong, but I thought Pinterest was a place where people posted pictures of their food and house, not terror plans and execution videos. I wonder if it was (mis)used for a different type of investigation or if it was a matter of national security, assuming they got an NSL in the first place.