
I have never understood what value I personally would derive from a warrant canary. For the sake of discussion let's assume that reddit's warrant canary was intentionally removed and but for an NSL it would have continued to appear on reddit. How do my actions differ in this universe compared to one where the canary was present in the report?


Here's an example.

Let's say you frequent lots of subreddits that might be considered outside societal norms. Right now that data is ONLY available internally at Reddit.

If the NSA hoovered up this data, suddenly they might learn a lot about you that they didn't know before (although there's probably a fair argument that people probably leave enough other clues scattered across other data sources they likely have access to that make this redundant).

Maybe you aren't looking at things that would set off their alerts for today's hot media topics. But what about the future? What if we end up with a President with a radical discriminatory agenda (a scarily likely possibility at this point unfortunately)? What if suddenly things that may have been frowned upon before by the general public are suddenly made illegal by Executive order or some other horrible twisting of our laws? This provides the government with a great way to narrow down the list and identify targets that have become "inconvenient" for them.

Think it can't happen or that this is an off-the-wall conspiracy theory? Germany and Russia would like to have a chat with you.

Sure, the mainstream users probably won't have any noticeable impact on their lives. For now at least. But this can still have a chilling effect on free speech today, without the nightmare scenario I outlined above occurring.

Case in point from a couple days ago: https://news.ycombinator.com/item?id=11374839


Firstly, I completely agree with you regarding why this is bad news. However, I don't understand one thing: let's say our hypothetical user has been posting in a private subreddit for carrot fetishists, which Trump will make illegal in 2018. If, today, a NSL was received by Reddit, isn't it potentially already too late for our carrot fetishist, even if they immediately stop visiting the subreddit or delete their account? Now, the carrot lover knows there was a NSL, but there isn't anything they can do except wait and see what happens when the new legislation rolls around in 2018. Emigrate, maybe? Serious question; I don't know how these things work. Asking for a friend.


They can at least stop posting about carrots. If they haven't posted anything personally identifiable that could link their 'carrotlover314' account to their real identity, then they can discard that account. At worst, if it is indeed a case of past lewd carrot-related acts being punishable by death, they'd have a head start to get out of the country before the Carrotstasi get there.

It's not much but it's something.


You are right, the only benefit to the carrot lover is that they know, within a reasonable level of certainty, that their carrot loving activities may be called into question in the future.

Which, in my mind, is preferable to the alternative.


It wouldn't matter. The US constitution prohibits laws that criminalize earlier actions that were legal when committed.

[1] https://en.wikipedia.org/wiki/Ex_post_facto_law


Recall the Communist witch-hunt in the cold war. That was done without retroactive policing and parallel construction. Just because they cannot imprison you for actions taken before the action was illegal doesn't mean they can't fuck you over in other ways. It's the thought police all over again.


Perhaps they won't get you for stuff you did today that is legal today.

But if you are still a carrot fetishist in the future, they can use the knowledge that you used to be a carrot fetishist to set up a sting operation. A little parallel reconstruction, they seize your phone and laptop, and next thing you know you're in prison in the future, thanks to the data they hoovered up today and will be in their database forever.


That doesn't protect you from targeted enforcement of other laws.


The US constitution prohibits unreasonable search and seizure on its face.


> Germany and Russia would like to have a chat with you.

So would J Edgar Hoover.


I apologize in advance if this sounds pedantic or like I am just trying to be difficult to be difficult. I am genuinely interested in this subject and appreciate your response. You never really stated what I am doing differently in the canary-removed universe (C0) than I would be doing in the universe where the canary is still present (C1). Respectfully it seems you gave reasons why surveillance is bad, but it's not clear what utility I derive from the canary and what I would do differently in C0 vs C1.

I probably should have been more explicit about two of my big problems/uncertainties with warrant canaries in my initial comment. The biggest issue is that they only really seem to matter in circumstances where I assumed the service provided was a secure and private communication platform. My personal threat model does not treat the reddit platform as a secure and private communication platform and Reddit Inc. is just slightly less of an adversary than Eve's Agency. (sidenote: You are Threat Model Shostack correct?)

My other issue is that the canaries seem to be backward looking and do not do much for my future outlook. It seems that the knowledge that an NSL was served just tells me about the past, but very little about the future. Should I assume that since an NSL was served once that I should expect that they will continue to be served repeatedly and regularly going forward? I am having trouble expressing the latter adequately and clearly, hopefully it is teased out below.

For the sake of argument I am assuming/ignoring that Eve does not do global surveillance and cannot easily associate requests from my IP to reddit with submissions/comment timestamps, vote changes, etc.

> If the NSA hoovered up this data, suddenly they might learn a lot about you that they didn't know before

In C0, I am screwed, Eve's organization knows I frequent /r/BDSM, /r/guns, /r/earthliberationfront, etc. Am I to assume that further NSLs will be served in the future and therefore I stop visiting my favorite subreddits? If I was concerned about the privacy of my actions what was I doing using a public insecure communication platform?

In C1, I continue to visit /r/BDSM, /r/guns, /r/earthliberationfront, etc and the record of my sensitive activities on reddit is even larger if they are served an NSL in the future.

> suddenly things that may have been frowned upon before by the general public are suddenly made illegal by Executive order or some other horrible twisting of our laws? This provides the government with a great way to narrow down the list and identify targets that have become "inconvenient" for them.

In C0 I have a greater reason to believe that I am on the "inconvenient list". In C1 I am still doing all the things, it's just I have less certainty if I am on the list.

> Think it can't happen or that this is an off-the-wall conspiracy theory? Germany and Russia would like to have a chat with you.

I don't think this sounds crazy. I just do not understand what the difference is between C0 and C1. As far as I am concerned the only difference between C0 and C1 is that I know my activities may have been reviewed by Eve in C0.

> Case in point from a couple days ago: https://news.ycombinator.com/item?id=11374839

As far as that study is concerned the difference between C0 and C1 is that in C0 I am more aware or "subtly reminded" of the existence of mass surveillance and therefore self-censor. There are fewer subtler reminders of mass surveillance in C1 therefore I self-censor less in C1 than in C0. That makes canaries seem bad?


If I'm understanding you, you're wondering what to do with the information, and comparing it to an identical situation where you don't have the information.

You're right that an early-warning system hasn't been developed. We have no way of knowing what the NSA will decide to analyse after the fact. Indeed, we do not know if an asteroid will hit the earth tomorrow. At one level, there is a limit to our ability to predict the future.

So it's up to the individual. We self-censor, or don't. The chilling effect of the knowledge of surveillance is well documented. Are you making a point that thinking you're being spied upon is more damaging than any fallout of the actual spying?


I agree. The safe bet is that everyone will give you up, and will lie about it. So you plan from there ;)

Edit: spelling


> Right now that data is ONLY available internally at Reddit

Or anybody monitoring their traffic. coughNSAcough


Anybody monitoring their traffic who is also capable of breaking TLS.


Traffic flow analysis would probably work quite well on reddit. They could confirm/deny with high confidence whether certain subreddits/posts are accessed without any need to decrypt, just by how big the responses are.


I was initially sceptical that traffic analysis would be enough, but it appears that mainstream TLS does indeed leak a lot of metadata, especially with the typical structure of splitting resources across distinct servers (eg: static.example.com for images). I wonder if the security of something the size of Reddit might not be improved by simply having a large fleet of dns round-robin app servers that all deliver all content from one domain.

I found:

"Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures"

https://hal.inria.fr/hal-00732449/

Does anyone know of other, recent research in this area? It's been a long time since I last looked at opaque data captures of TLS/SSL traffic.

I also found: https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305... which states in part:

"It should be noted that AEADs, such as ChaCha20-Poly1305, are not intended to hide the lengths of plaintexts. When this document speaks of side-channel attacks, it is not considering traffic analysis, but rather timing and cache side-channels. Traffic analysis, while a valid concern, is outside the scope of the AEAD and is being addressed elsewhere in future versions of TLS."

On a skim of https://tools.ietf.org/html/draft-ietf-tls-tls13-11 I couldn't find anything new wrt. recommendations on padding with the goal of thwarting traffic analysis?

Anyone have any pointers on this?
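As an added example that is not part of the thread: a simplified Python model of the length leakage discussed in the comments above, and of padding responses to fixed-size buckets as a countermeasure. The page paths, response sizes and bucket sizes are constructed for illustration, and the per-record overhead (5-byte header plus 16-byte tag, one length observation per response) is a simplifying assumption.

```python
# Added example (not from the thread): simplified model of response-length
# leakage under a length-preserving AEAD, and bucket padding as a countermeasure.
from collections import defaultdict

TAG_LEN = 16        # Poly1305 authentication tag, bytes
HEADER_LEN = 5      # TLS record header, bytes
MAX_RECORD = 16384  # maximum plaintext bytes per TLS record

# Constructed sample data: hypothetical pages and plaintext response sizes.
PAGE_SIZES = {
    "/r/example_a": 18432,
    "/r/example_b": 18977,
    "/r/example_c": 20111,
    "/r/example_d": 23954,
    "/r/example_e": 31007,
    "/r/example_f": 32640,
}


def pad_to_bucket(length, bucket):
    """Round a plaintext length up to the next multiple of `bucket`."""
    return -(-length // bucket) * bucket


def wire_length(plaintext_len, bucket=None):
    """Ciphertext bytes an on-path observer counts for one response."""
    if bucket:
        plaintext_len = pad_to_bucket(plaintext_len, bucket)
    records = -(-plaintext_len // MAX_RECORD)
    return plaintext_len + records * (HEADER_LEN + TAG_LEN)


def anonymity_sets(page_sizes, bucket=None):
    """Group pages that look identical on the wire (same observed length)."""
    groups = defaultdict(list)
    for path, size in page_sizes.items():
        groups[wire_length(size, bucket)].append(path)
    return {length: sorted(paths) for length, paths in groups.items()}


def uniquely_identifiable(page_sizes, bucket=None):
    """Pages whose observed length matches no other page."""
    sets = anonymity_sets(page_sizes, bucket)
    return sorted(paths[0] for paths in sets.values() if len(paths) == 1)


def padding_overhead(page_sizes, bucket):
    """Fraction of extra bytes sent when every response is padded."""
    raw = sum(page_sizes.values())
    padded = sum(pad_to_bucket(s, bucket) for s in page_sizes.values())
    return (padded - raw) / raw


if __name__ == "__main__":
    for bucket in (None, 4096, 8192):
        exposed = uniquely_identifiable(PAGE_SIZES, bucket)
        cost = padding_overhead(PAGE_SIZES, bucket) if bucket else 0.0
        print(f"bucket={bucket}: {len(exposed)} unique, overhead={cost:.1%}")
```

A smaller bucket costs less bandwidth but can leave a page alone in its size class, which is why the bucket size has to be chosen against the real size distribution of the site.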


Since all the posts on Reddit are timestamped, someone sniffing traffic could probably do a decent job tying HTTPS requests (and the IP addresses they came from) to new posts that show up, and the users who posted them.


Or somebody who has access to their servers, which are AWS.

I would be shocked if NSA didn't get a secret court order to get AWS access.


Who needs to break encryption when you can break 99% of deployed OS kernels across all platforms?


So, the NSA.


> what value

1) While it isn't a perfect mapping, this is similar to a "I have nothing to hide" argument. The value of anything security or intelligence will vary with the situation. The same counter-arguments apply; you probably don't want to get to the point where you cannot learn about a NSL.

2) In general, information that allows you to make informed, up-to-date decisions is valuable. The sudden disappearance of a warrant canary gives you data about the current state of the world. The canary gives you information about the actions of the growing surveillance state. This information might be used to make preparations or as a political tool. You can decide for yourself if you would take different actions with this information, but even if it doesn't change anything for you, at least you had the opportunity to make that choice.

3) Warrant canaries also serve as an indicator of the politics of the canary publisher. Someone who publishes a canary is sending a message that they care about keeping everyone informed.


> 1) While it isn't a perfect mapping, this is similar to a "I have nothing to hide" argument.

I think you missed the point. The real question is, "So a canary died on a service I use, now what?" Well I have that question too. The damage is done. Should I toss my phone in the nearest trash can, burn off my fingerprints, cut and bleach my hair at the nearest convenience store bathroom, and shed a single tear as I will never return home to my family again as I am now hitchhiking to Mexico or what? Because, honestly, I don't know what to do besides that. If you're the target of an NSL, then you need to worry.

> 3) Warrant canaries also serve as an indicator of the politics of the canary publisher. Someone who publishes a canary is sending a message that they care about keeping everyone informed.

Yeah, but the set of those that don't publish canaries doesn't indicate the opposite. Organization X might not publish a canary, because the canary is already dead.


> The real question is, "So a canary died on a service I use, now what?"

Actually, I think you do the same as when an actual canary dies in the mine - you get out. If we look back at what we know about Lavabit, basically a compromised Reddit (or any other web service) might be doing who-knows-what with targeted javascript and what-not. Of course, "Evil Reddit" could already be doing that as a private entity -- but I think it does shift the degree of trust a lot, from a) "probably mining personal data for financial gain through advertising etc", to b) "certainly mining all data at the behest of a mad anti-terror juggernaut that's been out of control for decades".

I might choose not to use the service a) for a lot of things, but I certainly wouldn't want to use service b) for anything.

Now, if I was the NSA/CIA I'd of course try to fund social media and messaging startups through shell corporations, and I'd be surprised if they don't do that. In that respect we go down the "you can't defend against a nation state actor" line of reasoning. But if warrant canaries became enough of a problem, something that could lead to a real exodus of users for something like Reddit -- that might give these corporations enough incentive and reason to challenge the practice in the legal system (The government is forcing us out of business).

Another aspect of the canary is that while people might not now stop using reddit (or logging in to a reddit persona that's associated with animal cruelty, native American rights activism or other terrorist activities) - it still serves as an interesting indicator of continued government overreach, and encroachment on civil liberties and free speech.

As evidence that more and more "town squares" and cafes are fitted with microphones and cameras "for security reasons" surface, the fight against illegal surveillance (can) gain(s) momentum.

So maybe what you should do is not just step away from reddit, but take to the streets.


> more and more "town squares" and cafes are fitted with microphones and cameras "for security reasons"

I'd be really interested in hearing more about this.


I meant that if the Internet is a "global village", then places like Reddit are "town squares". Sorry if that wasn't clear.


> I think you missed the point.

I'm pretty sure I didn't.

> "So a canary died on a service I use, now what?"

Yes, that's what I was addressing.

> Should I [stereotypically run like a fugitive]

Probably not, but I don't know much about your specific situation.

> I don't know what to do

THAT was my point; you don't know, because you cannot predict the future. The social or political situation might change in a way that makes NSL searches much more threatening. You might be in a situation where knowing that your activities have been discovered by an NSL does suggest some type of action.

It's easy to consider the set of possible futures that you can enumerate. That set is rarely complete.

> If you're the target of an NSL, then you need to worry.

And that's the "nothing to hide" argument.

> Yeah, but the set of those that don't publish canaries doesn't indicate the opposite.

Obviously. The canary is still useful information.


Canaries are primarily a form of protest, drawing attention to the surveillance, the conscription, and the gag order all at once.


In a world without canaries, all providers could have received NSLs forcing them to cooperate with wide ranging surreptitious surveillance, and we'd be none the wiser.

Instead, we live in a world where we know that many of them either are not being forced to secretly cooperate; or in one where canaries don't work, and they're being forced to lie about it.

And of course, there are ways of implementing internal surveillance without the cooperation of providers: by trespassing on their infrastructure, by analysing and recording traffic at their border, etc.


Maybe they are now able to get posts from private subreddits and private messages, without warrants...


Maybe they are? The question is, what am I doing differently in this universe compared to the universe where the canary is still present? It seems like your answer is "In this universe (canary removed) I no longer treat reddit as a secure and private communication platform." My personal threat model assumes that reddit is not a secure and private communication platform so the status of the canary does not change my behavior, utility schedules, outlook, etc.


I personally would not be doing anything differently but that is beside the point... they should not be able to get that data without a warrant. So I guess the value of it would be that you are now aware of something else that the government is doing that they should not be doing...


I apologize if I am missing something in your answer but "NSLs are bad, mmkay?" does not seem to be very responsive. We knew about NSLs before warrant canaries. If that is the only utility they provide it seems like they are not very useful to me.


I wish that they would be more specific in their canary and perhaps have multiple ones... for example:

1. we were not asked to provide private posts

2. we were not asked to provide metadata like IP addresses

3. we were not asked to backdoor our website

4. we were not asked to shadowban users

5. maybe even one canary per user, to know exactly who is affected


I entirely agree. It's foolish to believe that "private subreddits" and "private messages" are private, in any meaningful sense.


I don't think information needs to be immediately actionable to be useful.


It's a good point - I'm not sure who really thinks of reddit as a secure and private platform. Warrant canaries certainly make more sense for gmail or dropbox or something.

That said, while your behavior regarding reddit might not change, it could inform your political behavior. Since organizations can't say they've received NSLs, it's really hard to survey and see how common it is. I'm glad reddit's case here is gaining interest, and hopefully other companies will take part in this program and also get attention when it happens. It would be good to know just how prevalent this practice is.


In this universe, a thread like this is created to give privacy zealots another opportunity to rant about their pet issues.


It's equal opportunity, it's a platform for anti-privacy zealots and apathetic people as well!


Apathetic people don't comment in the first place.



