SpiderOak says you'll know it's secure because a little bird told you

Edward Snowden–endorsed cloud storage provider SpiderOak has added an additional safeguard to ensure that its users' data doesn't fall into the hands of law enforcement without their knowledge, in the form of a "warrant canary." The term takes its inspiration from the practice of bringing actual canaries into coal mines that …

  1. Yet Another Anonymous coward Silver badge

    Nice legal argument

    > The service provider can't tell you that a secret warrant exists. But it can stop telling you that everything's OK

    But if a SWAT team are pointing assault rifles at your head and getting the orange jump suits ready for a long stay in gitmo - you are going to click the everything is OK button.

    1. Anonymous Coward

      Re: Nice legal argument

      Which is why three people in separate countries have to digitally sign it. If you can get SWAT teams in three countries to descend on the same day - one of them probably in a place like Switzerland that probably doesn't even have SWAT teams - then you've got more power than even the US government is likely to be able to muster. Maybe they'd do that if OBL had been using this service, but they wouldn't be able to do it for a Kim Dotcom or small time terrorist.

      1. Yet Another Anonymous coward Silver badge

        Re: Nice legal argument

        So you raid the US office and with a super-secret ninja court order force them to tell the other offices that everything is OK

        1. Anonymous Coward

          Re: Nice legal argument

          "So you raid the US office and with a super-secret ninja court order force them to tell the other offices that everything is OK"

          Ssssh - don't give the game away. With this in place you can secretly tap data whilst everyone has a safe feeling of comfort. After all, you may not even need to subvert the people involved - how hard is it to put up a similar web page after a raid?

        2. Doctor Syntax Silver badge

          Re: Nice legal argument

          "So you raid the US office and with a super-secret ninja court order force them to tell the other offices that everything is OK"

          That was my thought. If you leave the weak link in place adding another, stronger link makes no difference. What's needed is to either have NO exposure in the US or have the servers operated by a sub-contractor outside the jurisdiction with a much stronger legal air-gap than MS with their Irish subsidiary.

          1. Anonymous Coward

            Re: Nice legal argument

            Depends on what process the US office uses to tell the others all is well. Surely they'd use a specific way to do this, or a "no news is good news" policy where the feds forcing them to call the other offices and say "all is well" is the thing that tips them off that all is not well.

  2. dan1980

    6 months?

    "Initially it thought refreshing it monthly would be a good idea, but then it decided that was too short a period, because it would likely take longer than a month to fight a warrant in court, where possible."

    I can see the benefit in that reasoning but for it to be sound there is another, unmentioned, component, which is that SpiderOak needs to challenge/investigate/delay every warrant or NSL. I see no such promise on their website.

    Further, the 6-month period has no logical justification.

    If the due-date falls in the middle of that period of time they say they need to investigate warrants/NSLs then what do they do? If they choose to 'kill' the canary then there is no difference between a short and long update period - either way they are killing the canary before they are sure they have to.

    If, however, they choose to update the canary, and thus give themselves more time to challenge or ascertain the validity of the warrant/NSL then the shorter update period becomes superior as they can more quickly change the status of the canary from 'alive' to 'dead' if things go south.

    Moreover, the "killing a canary can quite possibly mean killing the business" consideration also dictates a shorter update period.

    Why? Because, in the above scenario of the canary update falling in the middle of a legal investigation/challenge, they have to make a hard decision: do we "kill the business" based on a 'maybe' or do we wait and see. In making that decision, they would have to consider the length of time they foresee the legal stuff taking and how that compares to the length of time until the next canary update, and then weigh that against the possibility that the case will be resolved in their favour.

    The longer the canary update period, the higher the risk to customers if they get that decision wrong.

    With a 1-month update, they can more confidently update the canary, knowing they can kill it more quickly if the case takes a turn and it becomes likely they will have to comply.

    1. Eddy Ito

      Re: 6 months?

      It seems to me that the easiest way to kill the canary would be for one of the geographically diverse signers to revoke their PGP signature, so that the webpage, which may still be "alive" because of the update frequency, would be effectively dead. Using the signatures as the true indicator, it wouldn't even require looking at the webpage between updates. One merely checks the status of the three signatures and, if the Tuvaluan signer (or anywhere outside of the offending jurisdiction) has revoked her signature, it can be assumed that the canary is dead even though the webpage hasn't been updated. They could even work out a system where one signature would be revoked when the request for data was received and a second if they lost the decision, for a proverbial threat level color code [Green, Blue, Yellow, Orange, Red].

      1. frank ly

        @Eddy Ito Re: 6 months?

        Your idea is technically good, but the act of revoking a signature can only be done by someone in the 'offending jurisdiction' actively telling the revoker that something is wrong - hence potentially falling foul of the law there. Another layer of 'everything is ok' messages would need to be sent between the various signers, perhaps every week. It could be done with proper organisation of staff, but it then starts to get complicated.

  3. tom dial Silver badge

    Assuming that SpiderOak is what it claims, it seems doubtful that they are likely to be bothered by many warrants, national security letters, or subpoenas unless the cryptography they use is broken. Their customers, however, will be subject to pretty much the same range of intrusions as they are now.

  4. eldakka

    Why can't they have 2 'stages' of a canary, both updated daily?

    Stage 1, no current warrant has been issued against SpiderOak, sick canary.

    Stage 2, no warrant has been ENFORCED against SpiderOak, dead canary.

    When a warrant is issued the canary is sick. This covers any period while fighting against a warrant. If all warrants are overturned/denied, the canary gets better. If a warrant is upheld and enforced, the canary dies.

    @Yet Another Anonymous coward:

    "But if a SWAT team are pointing assault rifles at your head and getting the orange jump suits ready for a long stay in gitmo - you are going to click the everything is OK button."

    You obviously didn't read the article.

    It takes THREE (3) different people located in 3 DIFFERENT COUNTRIES to ALL 'approve' updating the status of the canary as 'OK'. While it's likely a SWAT team could stand over the US member of that team (if there is one), US SWAT teams would have difficulty deploying simultaneously in at least 2 different foreign countries, possibly 3 if none of the people who can sign the canary are located in the US, to stand over all 3 signers.

    1. b166er

      This

      Either that, or you can only use SpiderOak when they update the canary status. Not very useful only being able to use the service twice a year is it?
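The mechanism argued over in the comments above (three key holders in separate jurisdictions who must all sign, Eddy Ito's point that a holder revoking a key is itself a signal, and eldakka's two-stage sick/dead canary) can be pinned down as a client-side checker. The following is an added example, not SpiderOak's code or its published canary format: it assumes a JSON statement carrying a status, an issue time and a serial number, one Ed25519 signature per key holder, a client-side revocation list, and the six-month refresh period the article mentions; the three jurisdictions named are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Status values; "sick" is the intermediate stage proposed in the thread: a
// demand has been received but not (yet) enforced.
const Alive, Sick, Dead = "alive", "sick", "dead"

// Statement is the canary body every key holder signs. The fields are this
// example's own choice, not SpiderOak's published format.
type Statement struct {
	Status   string    `json:"status"`
	IssuedAt time.Time `json:"issued_at"`
	Serial   uint64    `json:"serial"`
}

// Signer is one separated key holder; Canary is the published statement plus one signature per holder; Verdict is the client's conclusion.
type Signer struct{ Name string; Pub ed25519.PublicKey }
type Canary struct{ Statement Statement; Sigs map[string][]byte }
type Verdict struct{ Status, Reason string }

func canonical(s Statement) []byte {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err) // strings, a time and an integer always marshal
	}
	return b
}

// Check enforces the client-side rules: every signer (N-of-N, not any-of-N) must have a valid
// signature; a revoked key is a signal even if the page still says "alive"; a statement older
// than maxAge is dead; a serial below one already seen is a replay. Any failure means "dead".
func Check(c Canary, signers []Signer, revoked map[string]bool, lastSerial uint64, now time.Time, maxAge time.Duration) Verdict {
	msg := canonical(c.Statement)
	for _, s := range signers {
		if revoked[s.Name] {
			return Verdict{Dead, "key revoked: " + s.Name}
		}
		if sig, ok := c.Sigs[s.Name]; !ok || !ed25519.Verify(s.Pub, msg, sig) {
			return Verdict{Dead, "missing or invalid signature: " + s.Name}
		}
	}
	if c.Statement.Serial < lastSerial {
		return Verdict{Dead, "serial rolled back"}
	}
	if now.Sub(c.Statement.IssuedAt) > maxAge {
		return Verdict{Dead, "statement older than the refresh period"}
	}
	switch c.Statement.Status {
	case Alive, Sick, Dead:
		return Verdict{c.Statement.Status, "statement verified"}
	}
	return Verdict{Dead, "unknown status"}
}

// Demo generates three key holders (jurisdictions illustrative), signs a statement and runs Check under the scenarios raised in the thread.
func Demo() []Verdict {
	names := []string{"us", "ch", "br"}
	var signers []Signer
	privs := map[string]ed25519.PrivateKey{}
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
		if err != nil {
			panic(err)
		}
		signers = append(signers, Signer{n, pub})
		privs[n] = priv
	}
	sign := func(s Statement, who []string) Canary {
		c := Canary{s, map[string][]byte{}}
		for _, n := range who {
			c.Sigs[n] = ed25519.Sign(privs[n], canonical(s))
		}
		return c
	}
	issued := time.Date(2014, 8, 1, 0, 0, 0, 0, time.UTC)
	day, sixMonths := 24*time.Hour, 182*24*time.Hour
	alive, none := Statement{Alive, issued, 7}, map[string]bool{}
	full := sign(alive, names)
	return []Verdict{
		Check(full, signers, none, 6, issued.Add(day), sixMonths),                                    // 1: fresh, fully signed
		Check(sign(alive, names[1:]), signers, none, 6, issued.Add(day), sixMonths),                  // 2: the US holder stays silent
		Check(full, signers, map[string]bool{"ch": true}, 6, issued.Add(day), sixMonths),             // 3: page says alive, Swiss key revoked
		Check(full, signers, none, 6, issued.Add(210*day), sixMonths),                                // 4: nobody refreshed for seven months
		Check(full, signers, none, 8, issued.Add(day), sixMonths),                                    // 5: serial 7 replayed after 8 was seen
		Check(sign(Statement{Sick, issued, 8}, names), signers, none, 7, issued.Add(day), sixMonths), // 6: two-stage canary, demand received
	}
}

func main() {
	for i, v := range Demo() {
		fmt.Printf("scenario %d: %s (%s)\n", i+1, v.Status, v.Reason)
	}
}
```

The design point is that the checker collapses every failure into "dead": a missing signature, a revoked key, a stale statement and a rolled-back serial all give the same verdict, so a single coerced or silent holder kills the canary without anyone having to publish a statement, and a replayed old page does not resurrect it. It says nothing about the problem raised further down the thread, namely how the holders outside the served jurisdiction learn that they should stop signing.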

  5. TReko

    Publicity stunt

    Even if it takes three people to approve this, it isn't hard for law enforcement in three countries to lean on them.

    If you have really private data, then do not store it in the cloud. The cloud = other peoples computers. If you have to store it in the cloud, then use an end-to-end encryption tool like Truecrypt, PGP or Syncdocs.

    1. Anonymous Coward

      Re: Publicity stunt

      How is it "not hard" for law enforcement in three countries to lean on them? Let's say you have one guy in, say, Venezuela or Brazil, one guy in Switzerland, and one guy in China or Russia. Explain exactly who is going to be able to get law enforcement's cooperation in those three locations. Certainly not the US, which is who most of those using this service would be concerned about.

      Better yet, the guys signing won't necessarily have their identities or locations known, so it would take some digging to even find out what countries you'll need the cooperation of before you can start leaning on them.

  6. T. F. M. Reader

    What am I missing?

    So how will the three people in different countries learn about a secret warrant served? Even if all three are the designated recipients of such warrants in their respective countries, arguably the one who learns about a warrant and leaks it, even if only by inaction, may be liable under the law. And they won't even learn of any secret warrant in a fourth country without someone breaking the law - and risking severe punishment - there.

    1. LucreLout

      Re: What am I missing?

      "So how will the three people in different countries learn about a secret warrant served?"

      That is the weakest link. 2/3rd of the people signing that "all is well" will simply not know that it isn't. If all 3 are outside the legal grasp of the USA, then it's probable that all 3 will not know there is anything wrong. Anyone within their borders facing lengthy / indefinite jail time or the threat (legal or otherwise) of adversity to their family IS going to comply - Sabu proved that well enough.

      The biggest weakness, however, is that they have already prioritised profit above privacy, which makes them exactly the same as any other cloud provider. The canary should drop dead within 12 hours of a warrant being served, because in reality the point at which SpiderOak is served a warrant is the point at which it is commercially dead anyway - they already know they won't win in court.

      1. P. Lee

        Re: What am I missing?

        I'd hope that all three signatories would be required to decrypt the data on behalf of law enforcement. I think they would find that any signalling is breaking the law - dead-mans switch or not.

        The best thing is to have your local PGP client and not rely on the servers or transit infrastructure to be secure.

        Some engineering is just too hard. Keep a USB key in one pocket and a very strong magnet in the other.

  7. Anonymous Coward

    Hmm

    Does SpiderOak use client-side encryption then or not? I use Wuala at the moment but I must go check out their site.

  8. Adam Inistrator

    Point of weakness

    Oak can be nobbled by US forcing its citizen NOT to sign the page. I wonder if that could happen.

  9. CAPS LOCK

    An American judge will decide that...

    ... 'not saying everything is OK' is THE SAME as saying 'We have turned over your stuff to the NSA'.

    Is their encryption supplied by the NIST? Well guess what?

    If you want stuff to stay out of the hands of Uncle Sam don't place it on the intertubes!

  10. Rarely Posts

    I Don't Get It.....

    I may have missed the nuances of this as I am not currently a person who feels I have a true need for such security. I understand that there are those that do and that I may also at some time if I ever store anything more than those hilarious cat pictures out there on the Internet.

    If a single “Canary” covers anyone in the entire user-base, rather than being on an account-by-account basis, killing the “Canary” will kill the business (or at least put it in hospital). Even those that never actually felt the need to check the “Canary’s” pulse will get spooked when sites like The Reg report that the SpiderOak “Canary” has, “… run down the curtain and joined the bleedin' choir invisible!!”. This is very likely to bring on an unnecessary bout of paranoia and an unnecessarily closed account, as users not actually affected by any court order think that someone is after them.

    So regardless of whether the health status is supposed to be updated every week, month, six months, SpiderOak is going to want to be really, really, really sure it needs to shut up shop before pressing what is tantamount to a self-destruct button, regardless of the time period stated.

    However my points are:

    If the server has “zero-knowledge” then the customer encrypts at their end and sends encrypted data ONLY to the SpiderOak server for storage.

    If the key is not on the server then only the customer has the key.

    Therefore any requirement to disclose data will only provide encrypted data.

    If the sort of person who would seek such an order already has the key then they have penetrated the users system(s) to a point where they most likely have access to all the data anyway (assuming that they “key” involves some kind of LOCAL cert and a passphrase rather than just using the user’s password with any old SpiderOak client software and a private cert provided by SpiderOak).

    So unless the encryption is weak, or unless the SpiderOak system already has a method of removing a user’s encryption, or unless the SpiderOak business just feels the need to build in its own self-destruct button, what is the actual point of this apart from traumatising ALL users when the “Canary” croaks?

    Apologies if I have missed something simple; it is just that, as I see it, shouldn't SpiderOak's design mean that such a "Canary" system is not actually needed?

    1. Nigel 11

      Re: I Don't Get It.....

      I don't get it either.

      Call me naive, but why not put servers owned (locally!) by independent legal entities in several countries with very different politics. For example, Canada, China, Brazil, Switzerland, Australia, India, ... The customer-facing organisation would handle customer registration, charging, service contracts with the server operators, etc, but would not have access to its customers' actual data. It's the customers' machines that would handle encrypting and splitting the data and sending it out for storage in a RAID-like pattern, a fraction in each country with redundancy against temporary or permanent storage centre outages.

      1. LucreLout

        Re: I Don't Get It.....

        @Nigel11

        That is not a bad idea at all. However, when you remember that all the internet cables are tapped anyway, they get the data before it ever reaches the servers.
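Nigel 11's split-storage design above can be sketched in code. This is an added example, not SpiderOak's or any product's code: it assumes the client encrypts with AES-256-GCM under a key that never leaves its machine, stripes the ciphertext over n storage operators and adds one XOR parity shard (one reading of the "RAID-like pattern", RAID-5 style, so any one operator can be offline or seized), and it models the operators simply as slots in a list; the sample file contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte // an AES-256 key that exists only on the customer's machine

func newGCM(key *Key) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the type fixes the size at 32 bytes
	gcm, _ := cipher.NewGCM(block)    // cannot fail: AES has the 128-bit block GCM needs
	return gcm
}

// Encrypt seals a file client-side as nonce || ciphertext || tag; operators only ever see this.
func Encrypt(key *Key, plaintext []byte) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens what Encrypt produced; a truncated or tampered blob is an error, not a panic.
func Decrypt(key *Key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Split stripes the sealed blob over n equal, zero-padded data shards plus one XOR parity shard; shard i goes to operator i. The caller keeps len(sealed) as metadata for Join.
func Split(sealed []byte, n int) [][]byte {
	stripe := (len(sealed) + n - 1) / n
	buf := make([]byte, stripe*n)
	copy(buf, sealed)
	parity, shards := make([]byte, stripe), make([][]byte, 0, n+1)
	for i := 0; i < n; i++ {
		d := buf[i*stripe : (i+1)*stripe]
		for j := range parity {
			parity[j] ^= d[j]
		}
		shards = append(shards, d)
	}
	return append(shards, parity)
}

// Join rebuilds a blob of length size from the n+1 shards; nil marks one an operator did not return. One missing shard is rebuilt in place (so it can be re-uploaded); two exceed single parity.
func Join(shards [][]byte, size int) ([]byte, error) {
	missing := -1
	for i, d := range shards {
		if d == nil && missing != -1 {
			return nil, errors.New("two shards missing; single parity cannot recover")
		} else if d == nil {
			missing = i
		}
	}
	if missing != -1 { // the XOR of every surviving shard, data and parity, is the lost one
		rebuilt := make([]byte, len(shards[(missing+1)%len(shards)]))
		for i, d := range shards {
			for j := 0; i != missing && j < len(rebuilt); j++ {
				rebuilt[j] ^= d[j]
			}
		}
		shards[missing] = rebuilt
	}
	buf := bytes.Join(shards[:len(shards)-1], nil) // data shards only; parity is dropped
	if size > len(buf) {
		return nil, errors.New("size exceeds reassembled data")
	}
	return buf[:size], nil
}

// Demo runs the round trip on a constructed file: encrypt client-side, stripe over three operators plus parity, lose one operator, rebuild, decrypt.
func Demo() (string, error) {
	var key Key
	if _, err := rand.Read(key[:]); err != nil {
		return "", err
	}
	sealed, err := Encrypt(&key, []byte("constructed sample: contents of quarterly-report.odt"))
	if err != nil {
		return "", err
	}
	shards := Split(sealed, 3) // operators 0, 1, 2 hold data; 3 holds parity
	shards[1] = nil            // operator 1 is offline or has been seized
	rebuilt, err := Join(shards, len(sealed))
	if err != nil {
		return "", err
	}
	out, err := Decrypt(&key, rebuilt)
	return string(out), err
}
```

Demo is the entry point; call it from a main or a test. What any single operator holds, and what a tap on the cable to that operator sees, is one stripe of an AES-GCM blob, and what the customer-facing company holds is only account metadata; the key and the plaintext never leave the client, which is the property the design depends on. Single parity tolerates exactly one lost shard, so two operators failing or being seized at once would need a stronger erasure code than this example shows.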

    2. Anonymous Coward

      Re: I Don't Get It.....

      The court order would specify that SpiderOak need to host a special piece of Javascript, that is served to 'customers of interest'. It would include a bit of code that, the first time they enter their secret to locally decrypt information, copies it somewhere.

      The only real way to prevent this is for browser makers to include the ability for sites to sign and freeze Javascript, such that a site suddenly presenting a new Javascript file would raise a load of red flags and warnings.

      But that makes it incredibly hard for sites to fix bugs in their code, as any update they make must be assumed to be hostile. How can you tell the difference between a "genuine bugfix" update and a "we were forced to root our code and tell you it was a bugfix" update?

  11. Anonymous Coward

    Just secretly spread the word

    Leave it to IT geeks to come up with a baffling technological solution involving cryptography, signed canary messages, geographically distributed key-holders etc, that can't possibly work in the face of an organisation that has a monopoly on violence. For instance:

    1) The NSA serve a court order on the CIO requiring access to his datacentre, with penalties for divulging its existence to anyone. How are the people in the remote field offices signing the canary message ever going to know anything is amiss? The warrant would include something telling the head office to tell them everything is ok.

    2) They serve just after the canary is updated. 6 months is likely long enough to get whatever they need from anyone they want.

    3) They'll get the local spooks to force the canaries to update it anyway.

    The only solution that can work is:

    1) The guy who received the order goes on road trip, stops outside a random starbucks somewhere on the way, boots from a TAILS live cd on a burner laptop, and lets his buddies around the world know that his service has been compromised, anonymously posts the same on a few news websites, and spreads the word that way. And has a bonfire party to celebrate afterwards.

    Yeah, he's breached the court order. Good luck proving it though. I'll take a method that actually works, though, over a false sense of security. And a guy that doesn't have the guts to do this shouldn't be accepting a position of such trust.

    1. Anonymous Coward

      Re: Just secretly spread the word

      TBH this canary sounds more like a marketing geek's idea than a techie's idea. It is full of holes and probably too complicated to keep intact in the face of a Secret Court Order. Myself, I would be more inclined to make hard, one way data encryption become the norm. KimDotcom's mega site seeds its users' data encryption with local user keyboard entropy. This makes it impossible for the hoster to hand over the encryption keys in any kind of secret sweep, since they don't have them in the first place. The G-men would need to go directly to the suspect's house and computer if they want to know what he is doing. All that makes fishing expeditions more complicated and decidedly less secret and 4th amendment warrants apply. Don't the feds still need some kind of approval to physically bug someone's computer? Hmm, thought so.

      Solutions like that make global snooping a non-starter and solve other problems as well. But if a canary makes people feel better, then throw that in too.

    2. Dodgy Geezer Silver badge

      Re: Just secretly spread the word

      ...Yeah, he's breached the court order. Good luck proving it though...

      Er... given the way things are going, I suspect that not being able to prove it wouldn't stop him being arrested, given a secret trial and disappeared....

  12. Anonymous Coward

    KISS

    "So how will the three people in different countries learn about a secret warrant served?"

    Easy. Just set up a user login (not canary of course :-P), and only use it to send a harmless email like "meeting at 8pm". Or even better, just use that login to sign in and sign out of a dormant server. The server in turn will email the three people. Done.

  13. Figj

    RE: I Don't Get It.....

    You are right, SpiderOak is NOT zero knowledge when sharing data with other people. This is because the share room name is used to derive keys to the shared data and the SpiderOak servers know this share room name. To quote their website, "Information that has been placed in a share room is not zero knowledge" (see - spideroak.com/faq/questions/1374/do_share_rooms_violate_zero_knowledge)

    So the real value of a canary process would be to reveal any legal demand on shared data. Because such demands would require SpiderOak to hand over any shared data which can be decrypted because SpiderOak knows the share room names!

    Oh, and it appears you can hack SpiderOak's shared data yourself if you want to. See digi.ninja/projects/spidering_spideroak.php, www.usenix.org/system/files/conference/woot12/woot12-final22.pdf and prosecco.gforge.inria.fr/webspi/POST/reports/spideroak.txt.

  14. ckm5

    Nothing new

    I used an rsync service years ago (maybe 10?) that had a warrant canary which refreshed every day. This isn't really anything new.

  15. PerlyKing

    Nice idea but...

    This canary argument is all very well, but I'd be surprised if the law they're trying to route around isn't written along the lines of "must not let anyone know by action or inaction".
