* You're suddenly under governmental orders not to disclose X. You remove a canary that says not-X, effectively disclosing X, and this was obviously your exact and pre-meditated intent. You then have to find a lawyer who will help you argue to a judge and other officials that you're in the clear with this loophole.
* You have a canary that says not-X, as an assurance to some other party. X happens, but you're also told at the same time that the folk wisdom you heard on the Internet about canaries will not protect you. So you don't remove the canary. Now your canary is falsely assuring that other party, betraying whatever trust they put in you, perhaps to their detriment.
This is fair given what Ethereum just did. But, IMO, that's not what I expect if someone says "warrant canary". Under the "original" sense of canaries, your scenarios wouldn't make sense. Unfortunately, this new, wrong interpretation of the original idea seems to have become more common.
The original idea was that on some regular cadence (say weekly), you actively post a (hopefully signed) message somewhere saying "I hereby attest that, as of <insert current date>, we have not received any warrants/subpoenas/etc and are not subject to any gag orders, etc. etc.". (eg, rsync.net's canary: https://www.rsync.net/resources/notices/canary.txt). You have to set it up so that someone has to actually go and do something for the updated canary to go up, so it's like a dead man's switch. If you ever stop posting those, that's the signal to users that something is up.
That approach is extremely robust legally. In the US at least, publicly posting a digitally signed message asserting something presumably important and valuable about your business that's knowingly a lie would be considered false advertising, wire fraud, etc. depending on the exact situation. The government has a lot of power to legally compel you to not do things that would otherwise be legal (eg, uttering the speech "we just got a subpoena for all of your data!"). What they absolutely cannot legally do is compel you to do something illegal. Eg, they can't make you commit wire fraud by actively lying to your customers about the services you provide. That's a very strong legal position and you wouldn't have a hard time getting a lawyer to back you up on it.
Basically, if your "canary" requires you to "take down" something, it's not a proper canary and, yeah, I wouldn't trust it to protect you from much.
I know a little something about these kinds of mechanisms.
Neither of your scenarios seems problematic:
"You then have to find a lawyer who will help you argue to a judge and other officials that you're in the clear with this loophole."
Presumably the same lawyer(s) you've already retained for the purpose of defending the canary (and other things). Defending the canary in court (under US 1A law regime) is the entire point.
Also note that in the de facto standard canary process[1] you don't remove the canary (as that would be a positive, intentional act of speech). You simply stop updating it.
"So you don't remove the canary."
Again, under no scenario do you remove the canary - you simply stop updating it.
[1] "Special note should be taken if these messages ever cease being updated, or are removed from this page."
I imagine that canary questions sometimes come up in non-publicly-disclosed legal proceedings, as well as in the occasional extra-legal practice.
If that actually does happen, and canaries ever failed to stand up in them, then how many lawyers would ever be in a position to hear about those failures, such that the lawyer could competently advise clients how to use canaries successfully?
Would the lawyer have to have been the veteran top litigator who handled the situations that reached the ear of the ACLU, or who previously worked on those situations on behalf of some facet of government?
Or is there sufficiently binding official assurance from government that canaries done a certain way are OK, no matter what happens in some non-public meeting?
(BTW, I really like your company. Though, as much as its canary looked like probably a signal of principled old-school Internet techie values, it also looked like potentially a bit of a magnet for trouble, in business it might attract, and in who it might antagonize. The tech choices there seem to be heavy on minimizing risk of IT drama, but the canary seemed to flirt with drama.)
> veteran top litigator who handled the situations that reached the ear of the ACLU
I think you assume that getting in contact with lawyers from the ACLU is much much harder than it is, either that or that the ACLU only gets involved in sufficiently high-profile cases but nonetheless false. If you're a company that deals with sensitive data and have a legitimate worry about getting NSLs you could probably get a meeting with the relevant legal/policy expert just by shooting them a polite email about it.
Experts in a particular niche field not wanting to talk about their passion, impossible challenge. "Wait, woah, you also care about this?! You wanna testify in the committee hearing for the bill our team is working on?"
I agree that getting in contact with the ACLU is easy. (I did it myself, when I was just a random city committee volunteer, and we were considering an issue that I figured the ACLU could help inform.)
My question was where would someone go to get counsel about canaries, from someone who knows how this actually works in practice, not only in the legal precedents that are public info. (After all, we are talking about situations involving gags.)
For example, I was guessing maybe there's someone at the ACLU who has heard of enough of the non-public to give good counsel. But asking.
Unstated, I was also wondering whether the folk wisdom that so many people repeat, and which some seem to rely upon, is informed by the expertise of the rare people in a position to know the full reality.
Even if it's true, it does sound like a stereotypical computer person's misunderstanding of how law works: "Aha! But this Constitutional interpretation says that government can't compel speech! Checkmate!" Hence, checking that.
This is why you sign the canary regularly, and then it just expires if you do nothing.
Although... I also don't see much use in them either, it seems everyone ends up complying with something eventually and so all canaries end up getting removed.
IANAL, but I'd think that hurting your possible future defense is what you just said, and what people always say: that the premeditated intent is to violate a potential future gag, and that removing the canary (or not updating a cryptographic signature, or resetting to 0 the "__ days since last served a subpoena" notice) is a mechanism for that violation.
IMHO, that's kinda a weaselly trick, no matter how good the cause, and it might not stand up, not legally, nor in extra-legal practice.
Not a lawyer, but I think the government has more ability to prevent you from doing something than forcing you to act.
They can tell you to not remove the canary, and not tell anyone your logs are being monitored, but it is trickier for them to say you must re-sign this certificate.
That sounds like much more of a nuanced law question than a "are these the same".
While they might be able to stop you telling the world, they might not be able to force you to perform actions that cause you to lie to the public
In this case, they mentioned the involvement of a confidential state agency in the commit message, so it does not seem like there is a gag order per se, at least not a very broad one.
And to my knowledge, warrant canaries haven't been tested in U.S. courts, so the zeroth (and possibly most common) scenario would just be that you remove the canary and nothing happens to you, and the canary works as intended.
I bet there's a great organization that works on defending civil liberties in the digital world. It turns out they have an article on this, from a full decade ago. It also covers who else is using canaries, and existing, highly limited, precedent for compelled speech.
Doing it with HTML, CSS, and an SVG icon seems odd. Having it in your privacy policy document or something similar seems more appropriate; then you're just updating your privacy policy.
I am not a lawyer, but just on the surface this seems to me like it's the complete opposite of a canary. If the whole point is that you're continually posting a "no" and you suddenly stop, that makes sense legally because it seems strange that you could coerce someone to keep doing something and lying, as that is not the same thing as "disclosing" something. Like, if you wore a green shirt every day and suddenly started wearing red, it makes sense to me why legally it would be hard to force someone to keep wearing green shirts.
This is nothing like that, the commit message itself is literally disclosing the fact that they have received an enquiry.
On the one hand, Congress' anti-crypto contingent is raising alarm over Bitcoin's energy consumption.
On the other hand, they are calling on their allies in the SEC to reject the Ethereum ETF, while the SEC is using Ethereum's transition from Proof of Work to Proof of Stake — which reduced its energy consumption by 99.99% — as the legal justification to designate Ethereum a security and thereby severely reduce the market's access to it.
"According to a person at a company who received a recent subpoena request, the SEC’s probe of the Swiss-based Ethereum Foundation began shortly after the blockchain’s shift to a new governance model known as “proof-of-stake” in September of 2022." https://fortune.com/crypto/2024/03/20/sec-gary-gensler-ether...
If you can just say in a commit message "we have received a voluntary enquiry from a state authority that included a requirement for confidentiality" surely the whole song and dance about canaries is pointless, right? Or did the committer fuck up and ruin their plausible deniability?
This is an absolutely unbelievable Baader-Meinhof coincidence. I was, less than 5 minutes ago, searching the script for this line so that I could send it to my father.
They might have anticipated receiving a more restrictive gag order when they originally put the canary in place.
I wonder if the NSA should have a team that just goes around organisations that have warrant canaries and sends them baseless confidential messages, just enough to trigger the canary. The fact that they don't do this suggests they don't think canaries are much use.
Most organizations which post warrant canaries use phrasing that would be less vulnerable to this "attack", such as making the canary conditional on the compelled disclosure of information.
My cynical side wonders if they were just looking for an excuse to get rid of it so they can continue their process of shedding off the final remaining shreds of the original cypherpunk culture of crypto.
Or they were just giving a finger to The Man. But yes, to the extent that a "we have never" canary would have protected them (which is a little questionable to be honest), this commit message taken alone absolutely opens them up to whatever penalties exist in whatever jurisdiction sent the demand.
I think anyone can still say they have NOT been contacted by a given agency?
That given, they are not going to "waste" their canary if it was a simple request for information. Best guess, this is the beginning of the end for Ethereum and they have been compromised just like Blockstream and BitcoinCore were previously.
It is best to assume that from now on Ethereum is no longer a decentralized application but its development is being directed by a governmental agency, again, same as BitcoinCore.
Most important next step for Cryptocurrency is to make it development resistance. Every notable attack on crypto the last few years has not been hackers but developers like Greg Maxwell, Peter Todd and Adam Back who attack the code base out in the open, acting as useful idiots for three letter organizations. It seems ETH is next on the chopping block.
Ethereum (the protocol) is not only developed by Ethereum Foundation; and further, the several client implementations are all open source and run by independent organizations.
It's a good rule of thumb, but it also feels like people use that as a tactic to continually change code to get away from having a formatting change come in. That's why on any new project, even personal ones, I enforce formatting from day one if the language has a formatter.
It's pretty annoying to work in a codebase that had no formatter running so that I then have to make special adjustments to my editor to stop formatting on save for certain files.
I don't understand your point... how would continually changing code avoid formatting changes? If you want to change the formatting, just commit a change to the formatting.
Because your change and the formatting change are probably dependent, and between the time you submit the change and the time your PRs are accepted there may be multiple other commits to that file which affected lines that your formatting PR addressed. If changes wait for weeks to be merged (which is actually pretty quick compared to years) you wind up with the formatting change being blocked on needing a rebase. The thing becomes an annoying PITA of merge conflicts and rebases.
So either have code formatting standards to start with which are automatically applied, or else accept PRs that have whitespace fixes and merge them promptly (I can accept splitting up the commits into formatting and non-formatting commits but even that is barrier to entry over people being able to submit changes to your software easily--every bit of fussiness is a tax on the submitter's time and will result in less submissions).
You make it sound like both of these changes have to be entirely separately reviewed, but most of the code review processes I have seen--including mailing lists--have the ability to merge in a sequence of patches in a single go, rather than having to review each one by one.
Otherwise, if the problem is that you have patches waiting to be merged for weeks that result in merge conflicts, that isn't solved by putting the patches together into a single patch: you just have a process that is going to make formatting changes impossible to clear without tons of extra work.
As for submitters, they need not put in this time: the maintainer or review team can trivially split the patch as this is literally close to hunk selection... it is so easy that I routinely do this as part of every single commit I have made even locally and even temporarily for as long as I can remember?
Regardless, I still don't understand: nothing you are saying makes it sound like the people in your scenario are actively making code changes to avoid having to make a formatting change--"a tactic to continually change code to get away from having a formatting change come in"--which is what was claimed and what seemed so utterly confusing... I can't imagine someone saying "I'm going to change this logic few days as I hate formatting patches".
You're assuming a relatively high degree of competency and available time on the part of maintainers and it sounds like a reasonably short backlog. That's great. For overworked, understaffed teams like a large backlog of reviews it generally doesn't work like that. And for those teams the work done on fixing the formatting issues across their project pays off in velocity because submitters and reviewers stop needing to care about the issue entirely.
This is why when people think about submitting a change and they see their editor auto-formatting changed half the lines in the file with whitespace fixes, they get a bad feeling about how submitting anything to the project is going to go.
If you're making a big commit that formats a large file or files and those files are constantly getting merged in, then it makes the formatting PR hard to get in as it constantly has to merge or just start over. This might be only a concern for certain scenarios in large companies.
> how would continually changing code avoid formatting changes?
It makes every single commit as ugly as this one. In other words, instead of only some of your commits being full of formatting noise, all of them are, because touching any line causes rewrapping/reindentation of all the nearby lines.
Running a formatter on every single commit is dumb, unless you're an enormous company that doesn't release their software (i.e. Google and very few other companies).
If you ship your software, make the autoformatter part of the release process. Commit the reformat (to the trunk) right before each branch-off. It's a great compromise. Everything is autoformatted "in the limit" but the disruptive commits happen only once per release cycle. Formatting-only PRs get rejected with "please wait until the next release and/or teach the autoformatter to do whatever it is you want here"
I used to believe this but then I found myself spending way more time on clean single-purpose commits than I saved looking at a clean commit log.
Especially if the cleanup touches the same code you are semantically modifying you are basically forced into a bad dilemma of doing them in parallel (leading to a merge conflict with yourself yuck), or doing them in series which leads to the question of whether you should twiddle your thumbs while waiting for the first commit to get through review or whether you should do something else in the meantime risking forgetting the other commit.
That's why I don't think it's completely clear cut.
What are the implications for a warrant to be served to the ethereum foundation? Unlike the last time[0], this is directed at the foundation rather than an individual.
[0]: In 2019, Ethereum Foundation employee Virgil Griffith was arrested by the US government for presenting at a blockchain conference in North Korea. He would later plead guilty to one count of conspiring to violate the International Emergency Economic Powers Act in 2021. (https://en.wikipedia.org/wiki/Ethereum)
Ah, the same guy who created Tor2Web with Aaron Swartz, and then immediately used it to try to sell deanonymized access logs to Tor hidden services to various governments.
The idea behind a canary is while they can tell you to keep it confidential, they can't compel your speech to lie and say you've never cooperated. Adding a wink wink nod nod code word defeats the idea.
Isn't saying "You can't talk about this" compelling speech? Why can the courts say "You can't talk about this" legally, but can't say "You can't update your warrant canary"?
Because, in the United States, you have a constitutional right not to be compelled to say something you don't want to, but you don't have the constitutional right to say whatever you want to, especially in the case of a gag order regarding an active investigation or trial.
So if you go ahead and say "I haven't been served a warrant by X group" on your website, the government can stop you from saying the contrary, but they can't force you to lie about it, so you are free to remove the canary since it is no longer true.
If the courts ever tried to retaliate against that, they'd run into a mountain of precedent that forbids compelled speech. They would have to argue that you are required to lie, rather than be allowed to retract a non-truth. That's not something the Constitution is going to allow.
The other half is that the canary is broad, and doesn't specify which government or agency made the request / gag order.
The "I didn't really talk about it, I just didn't NOT say I WASN'T talking about it" thing feels like a flimsy technicality. I think what's really protecting these canaries is that they're non-specific and one-time-only.
I don't think we're going to see many "I have not been gagged by the CIA on April 25, 2024" canaries going around, even though that technically uses the same loophole.
So, it goes like this? If I have been served a warrant with a gag order:
If someone asks me "Have you been served a warrant with a gag order?" - I'm allowed to say "No", and lie about it if I want to. I am not allowed to say "Yes", per the gag order.
Now, if someone asks me: "have you been served a warrant with a gag order? Say no if the answer is no, but say nothing if the answer is yes". Now, I am allowed to say no, and allowed to say nothing, even though by saying nothing it directly contradicts the point of the gag order? Is it really the case that these gag orders are meaningless if someone just asks the question in the right manner?
I can't really buy that. I suspect canary warrants only "work" because they have never been tested in court yet.
a judge can compel you to do cryptographic math in your head after you have forgotten the private key? the entirety of reaching into peoples minds with law is nonsense
Well, a judge kept Tommy Thompson in jail for 7+ years on contempt of court charges after the court asked Tommy to produce some gold ingots and he "forgot" where they were.
> If someone asks me "Have you been served a warrant with a gag order?" - I'm allowed to say "No", and lie about it if I want to. I am not allowed to say "Yes", per the gag order.
> Now, if someone asks me: "have you been served a warrant with a gag order? Say no if the answer is no, but say nothing if the answer is yes". Now, I am allowed to say no, and allowed to say nothing, even though by saying nothing it directly contradicts the point of the gag order? Is it really the case that these gag orders are meaningless if someone just asks the question in the right manner?
It isn't about asking or answering questions. Let's say I light a fire in my firepit each morning that I haven't been served with a secret warrant. The day after I'm served, I simply don't light it. Anyone watching the firepit then knows that I've been served. Nobody is asking me anything, and I'm not saying anything. The government can compel you to stay silent due to a gag order, but they cannot compel you to trudge out every morning to light the firepit.
As I understand it warrant canaries are controversial in the legal community or at least were last I looked. Some of the questions you ask are exactly what they've asked. I don't know if any of the theories have been properly tested in courts yet.
I'd be extremely skeptical of anything you read in this thread about contentious signing, dates or whatever. There are a lot of amateur lawyers with amateur opinions in here. If you are interested in ever using one, find a lawyer and check with them first.
But whatever the legal consensus is, I doubt a git commit that says "NSA wuz here" fits in with it.
Technically even just removing a warrant canary immediately could put you at legal risk in the USA. The non-risky way is to update the canary $date every $timeperiod and then stop updating $date after an attack. That way nothing is changed to indicate but it still becomes obvious by lack of update after $timeperiod.
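The dated, regularly re-signed canary described in this thread, as an added example that is not code from any commenter or project: the publisher signs a dated statement, and a reader classifies what is published as fresh, stale, missing or invalid. The `Date:` line format, the Ed25519 key, the nine-day limit and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Status is what a reader of the canary should conclude.
type Status string

const (
	Fresh   Status = "fresh"   // valid signature, dated within the allowed age
	Stale   Status = "stale"   // valid signature but not renewed in time: the signal
	Missing Status = "missing" // nothing published any more: also the signal
	Invalid Status = "invalid" // bad signature, malformed or post-dated statement
)

const dateLine = "Date: " // assumed format: first line is "Date: YYYY-MM-DD"

// Publish is the publisher's side: a person must run it every period,
// which is what makes the canary behave like a dead man's switch.
func Publish(priv ed25519.PrivateKey, day time.Time) (stmt, sig []byte) {
	stmt = []byte(fmt.Sprintf("%s%s\nWe have not received any warrants or subpoenas "+
		"and are not subject to any gag orders.\n", dateLine, day.Format("2006-01-02")))
	return stmt, ed25519.Sign(priv, stmt)
}

// statementDate extracts the attestation date from the signed text.
func statementDate(stmt string) (time.Time, error) {
	first := strings.SplitN(stmt, "\n", 2)[0]
	if !strings.HasPrefix(first, dateLine) {
		return time.Time{}, errors.New("no date line")
	}
	return time.Parse("2006-01-02", strings.TrimPrefix(first, dateLine))
}

// Check is the reader's side. stmt and sig are nil when nothing is published.
func Check(pub ed25519.PublicKey, stmt, sig []byte, now time.Time, maxAge time.Duration) Status {
	if len(stmt) == 0 {
		return Missing
	}
	// Verify first: the date only means something if the publisher signed it.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, stmt, sig) {
		return Invalid
	}
	day, err := statementDate(string(stmt))
	if err != nil {
		return Invalid
	}
	// A post-dated statement was signed ahead of time, so it proves nothing
	// about the publisher's situation on that date.
	if day.After(now) {
		return Invalid
	}
	if now.Sub(day) > maxAge {
		return Stale
	}
	return Fresh
}

// demoKey returns a constructed key pair from an all-zero seed (demo only).
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	stmt, sig := Publish(priv, time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC))
	maxAge := 9 * 24 * time.Hour // weekly cadence plus two days of grace (assumed policy)
	for _, now := range []time.Time{
		time.Date(2024, 4, 5, 12, 0, 0, 0, time.UTC),
		time.Date(2024, 4, 20, 12, 0, 0, 0, time.UTC),
	} {
		fmt.Println(now.Format("2006-01-02"), Check(pub, stmt, sig, now, maxAge))
	}
	fmt.Println("removed:", Check(pub, nil, nil, time.Date(2024, 4, 5, 0, 0, 0, 0, time.UTC), maxAge))
}
```

Nothing on the publisher's side changes when the canary trips: the same signed text stays up, and only the reader's clock moves it from fresh to stale.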
Yeah, that kind of irked me with the commit. Currently (769b306) it says:
> this commit removes a section of the footer as we have received a voluntary enquiry from a state authority that included a requirement for confidentiality
Which... is just saying what happened? Point is to remove it without saying anything, as if you do, you'd break the "requirement for confidentiality" and put yourself at risk.
A voluntary enquiry with a gag order? I mean, I suppose in principle there's no reason such a thing wouldn't be possible, but it feels like a bit of an edge case.
I'm trying to think to myself if I was running a project and had a canary, what would be the threshold to kill the canary on a voluntary enquiry.
If it was CIA and they sent me: "Please give us all information on XYZ so that we can organize an assassination on them. This is voluntary and you don't have to give us that information. This is just pretty please."
I think I would kill my canary even if the request is technically voluntary and I wasn't compelled to give out any information. But that was a joke scenario because I couldn't come up with more realistic scenarios.
And then I guess if your threshold is too low, you'll kill your canary on something that might be a nothingburger.
I don't think the CIA exactly sends you a note asking for data to be dropped off at their Google Drive. It is more likely you receive an offer to license data you have from a company that is relatively obscure with a financial incentive.
It is. But when you're on the receiving end and the federal agents bust down your door and point firearms at you you see things a bit differently in the moment.
somehow it is hard to believe that this statement is made .. confidentiality and "gag orders" have ruled the business world for more than twenty years in the USA. Any executive of any public company (stocks) must demonstrate iron-clad compliance with these orders, every week of their employment. As much as anyone might agree with the aspirational poetry of this statement, it is literally ABCs of US dollar business that this is no joke. surely that is clear?
This isn't business. This is the government using secret violent force to keep you from telling others you've been (legally) robbed. It does not involve a voluntary contract that one enters into willingly in the open. These are very different things. Surely that is clear?
One extreme (no demand on me is fair) or the other (every action by government must be obeyed) .. neither of those..
I agree that it is not a contract between equals, it is an action of law in government; like it or not it is the price of civilization. In the USA the basis of law has been worked out very well, in some cases. Of course there are abuses and no one is defending an abuse of the law. Humans are social and difficult. The answer lies in a system of review and an ability to change over time.
The "bigger"/more extensive website is ethereum.org (https://github.com/ethereum/ethereum-org-website), guess people aren't as interested in the foundation as they are in the project itself. I think that's pretty standard in the cryptocurrency scene.
The US Securities and Exchange Commission (SEC) has launched a probe into Ethereum to determine whether the largest altcoin is a security, Fortune reported.
The SEC sent subpoenas to companies seeking documents and financial records relating to their dealings with the Ethereum Foundation, the story said, citing companies that have received SEC subpoenas.
Hard not to get all conspiracy theorist about canary removals.
If I were to don my tinfoil hat, it seems possible to remove the canary with a boring incident for plausible deniability of a prior incident whose confidentiality is more strictly enforced.
The stricter gag order gets what it wants - non-disclosure of that particular gag order, the canary gets what it wants - removal after an incident.