Thursday, 7 December 2017

Dismantling a canary?

Andrews & Arnold Ltd has a warrant canary, and for good ethical reasons.

We have stated, clearly, that we do not have any so called "black boxes" (of any colour), nor any orders for "data retention", nor "intercept capability".

This is still true, and I will be happy to state that in person to anyone that asks me, or even on irc, at least for now...

However, there is a problem...

The main possible problem is that we may, one day, receive an order to install something or do something, along with a gagging order so we could not tell someone. For example, see s95(2) Investigatory Powers Act 2016. This means we could not remove the canary at that point as we would be in breach of the gagging order, even if we did not reveal specifically what sort of notice we had. However, if we did have a notice, we couldn't state that we didn't have such things without some sort of fraud or misrepresentation. It seems like a good idea in principle, but basically means one day we may have the choice of breaking the law or breaking the law, and the end result is unlikely to help out customers whatever we decide.

The good news is that this is still very unlikely. The Home Office have said they do not want to go after people with fewer than 10,000 users and we think that is still true for us. I am happy to say we believe we have under 10,000 users as a simple matter of fact for as long as it is true.

I am also very happy to state, as it does not have the same issue, that A&A will always aim to challenge and appeal any unreasonable order to install surveillance or snooping or even logging.

So what can we do to help our customers?

Well, the first thing we can say is not to trust anyone not to have snooping! That includes us! We still aim to challenge any general monitoring or snooping as it is against human rights to do blanket surveillance. If we get an order we expect to challenge it, and maybe, if I can, find ways to announce it (unlikely). But we have to follow the law, though I am not above finding loopholes in that if I can.

We all have a basic human right (by more than one human rights declaration) to respect for our privacy and correspondence. What that means exactly is complicated, and open to interpretation, and has caveats, but at A&A we do take it seriously, and will continue to work with other groups, and even on our own, to challenge anyone or any government aiming to curb such rights.

I, myself, spoke to a parliamentary select committee over the issues in the Investigatory Powers Bill. This gives some clue as to how far we are prepared to go to respect these rights as a company!

We take this seriously, but ultimately we are one small step in the chain of "Internet connectivity" that our customers enjoy. You may be able to trust us, but you cannot trust peering, transit, the far end ISP, well, anyone!

You should be able to trust BT or TT back-haul that we use, as the Act makes it clear they (e.g. BT) cannot snoop on us (A&A). However, it seems the Home Office feel they can just ask BT to do such snooping (as far as I am aware) and we cannot have confidence that BT would challenge such an order, and we know that such an order would be secret and gagged so we (and you) would not know if it happened. Yes, some sort of encrypted PPP is not out of the question, but that still leaves everyone else involved in your Internet connection to be snooped on!

As it is we have some limited logging which we explain, and some CDRs, and they are already available if we get legal requests. We obviously aim to document these and minimise these. For the most part customers can use us for connectivity without such logs at all (e.g. run your own email systems).

So what can customers do?

There are many things, and we have a lot of details on our web site. We'll try to add more and more over time. You can run your own DNS, your own email, tor browsers, VPNs, use end to end encrypted apps, and email, and so on. There are many ways to preserve your human right to respect for your privacy and correspondence. Use them. Ask for help from us on how to use them!

So how do I dismantle a canary?

With a scalpel? This simple answer is a plan to announce we will be removing it in, say, 2020. Far enough ahead to not be the result of any sort of order now, and so clearly our choice and not an indication that the canary has died of noxious gasses.

Does that make sense?

Obviously, doing anything with a canary can lead to be people thinking it has been killed to signify a notice of some sort, despite what I say here. There is nothing we can do about this: basically, that is the canary doing its job! However, we do not feel that the risks of having a canary make it worth having, which is why we are looking at options here.

We have not announced that yet, but I wonder what people think?
  • Is this a sane way to dismantle a canary?
  • Will it work or cause even more concern?
  • Should we be dismantling the canary?
P.S. I nicked a picture (well linked to) for this blog as I felt making my own images (as I usually try to) of a canary and a scalpel would be very very politically incorrect and also somewhat messy...I

Update 1:

Thanks for the various comments explaining how a canary usually works - a signed dated statement. We could change to that format, obviously, but it does not change the underlying issue. Indeed, I may change the website to push all such statements in one place and in that format anyway.

I am pleased that you appreciate the canary being in place, thank you.

However, it would still put us in the position (if we did get such notices) of either breaking the gagging order by not updating it, or making a fraudulent statement by updating it. It also does not change the fact that it is not "useful" to customers for us to have the canary, for that reason, and because we are only one link in the chain so you have to assume there is intercept and snooping anyway. The most "useful" thing we can do is advise on our policy and attitude and the work we are doing to stop such laws in the first place, so you have some idea who you are dealing with as an ISP.


  1. You could always announce that you'll dismantle the canary in 2020, then replace it with a different, differently-worded one, with another expiry date (and so on ad infinitum).

    1. What does that solve? It sounds like all the problems of having a canary plus all the problems of removing a canary.

    2. It at least means that *not* removing the "expired canary" serves as a statement that all is not as usual. Some laws of this nature can force you to not do something (i.e. do not say that we have installed snooping stuff: do not remove a canary), but cannot force you into positive action ("post a lie saying you did not install a snooper", "remove this canary on time"). I'm not sure if that's true of this law, though.

    3. No, sorry, the legal advice is that by failing to do what people expect, i.e. failing to renew the canary, we would be in breach, and some of the gagging orders are criminal offences. So yes, they don't say "you must do this positive action", they say "you must go to jail"...

    4. Oh damn, they thought of that :/ so you're given a choice, as Roger says, between lying to your customers and committing an offence? What a wonderful law this isn't.

  2. PGP signed canary along with BBC headlines for the day and a statement saying if canary is not replaced by $DATE, assume compromised.

  3. I thought the canarys worked like "as of date x, we do not have any black boxes", meaning the lack of update was the warning, not its disappearance.
    It wouldn't be fraudulent to keep that in place (but not updated) if you did get a black box as it wouldn't by lying.

    1. Current legislation has been written with warrant canaries in mind, and requires you either to lie (by keeping the canary in place) or to commit an offence (by communicating the existence of the wiretap). The "removing the statement is not in itself a statement" idea was always casuistry at best, and doesn't stand up against a determined opponent.

  4. As a customer, I believe the canary is one reason why people choose A&A - it's certainly one reason why I chose A&A. It shows that A&A ultimately wants to do "the right thing", not just do what the law says like any big company.

    The simple fact is that if you do remove the canary, that is a step away from "being a company that just tries to do the right thing" and will take away some of A&A's unique charm.

    Also, to address your concern with what to do if you DO get a gagging order while the canary is still around - simple. Break the gagging order by removing the canary, and deal with whatever punishment there may be for breaking the gagging order.

    The point of canaries is to show that you won't bow down to an immoral law (or application thereof) and that means that you have to cross that bridge if and when you come to it (by breaking the law). If you aren't prepared to break civil law when absolutely necessary to defend the moral statement you make by having a canary, there's no point having a canary in the first place!

    1. Thanks, and yes, if we are talking a simple civil law, and even (as per s95(2) civil enforcement, and not even applicable if I was to resign before disclosing (maybe, assuming Official Secrets Act not also engaged), then that would not be so much of an issue. The problem is that other parts of the Act have gagging orders with severe criminal charges. Ultimately we could end up with a situation where the company cannot continue which is not in the interests of customers at all. My point is that this is not helping customers as you have to assume that someone is snooping on you somewhere, and take precautions anyway. Does that make some sense?

    2. To add, what perhaps I am asking here, is whether the is something we can do better? Something more useful? A statement on how we plan to handle such orders, if ever they do come (challenging, appealing, etc), and how to work to challenge the laws in the first place (such as evidence to parliament, etc). Is that a more useful thing for our customers and everyone else that having the company killed off?

    3. You could amend the contractual terms between yourselves and your customers (e.g. me) to state that while you may be unable to tell me so, you are obligated by the terms to challenge all orders to the fullest extent allowed by the law and disclose any information as, and as soon as, permitted.

    4. Not sure it needs to be in terms, but that is the sort of statement we are considering as an alternative.

  5. Consult proper legal advice and contact the EFF for general guidance

    1. We have done, honest, that is why this is a concern.

    2. BTW that EFF FAQ is US specific, sorry.

    3. Sorry, my mistake, it just looks like this is a problem that has already been weighed in on, by definition, and so I'd suggest you don't try to reinvent the wheel. It feels akin to rolling your own encryption. In the end I would stick to the advice from my legal bods on how to manage your canary, not ideas from a blog.

    4. I quite understand, this is not about re-inventing the wheel, but about scrapping it. I am not sure there is much written on dismantling a canary to be honest. We'd love to continue it but with prospect of future serious criminal charges, and with it not actually helping customers that we have it, I want to find something better. A statement on policy and principles, and how we would fight any such orders, etc. I hope that makes some sense.

  6. It does and I appreciate you giving this such thought.

    Isn't the whole point of a canary that you can be compelled to not reveal an interception order, but not compelled to maintain a statement that there isn't one? Does the gagging order /actually/ affect your ability to do that, in the view of your legal counsel?

    I don't see how you could be required to maintain a system of statements that there is no interception order. For example you've said if asked in person you'll happily state that there isn't one. How would you answer after a gagging order? Silence, or lie that there isn't one, or say "I can neither confirm nor deny", which, given that you've said you would confirm if asked, is as good as saying there is an order and hence breaking the gagging order anyway.

    So it seems to me that a gagging order being interpreted as a requirement to maintain a fiction across expiring statements, comments from your mouth, etc, is not workable and cannot be a valid interpretation. But that's why I'm posting on a blog and not a lawyer.

    If I was creating a canary here I'd have a page on the site with a signed statement that there is no interception order and that statement expires on a date 6 months from now. Perhaps I'd have a second such statement linked from the same page but out of band for redundancy in case there's a mistake with the first. I'd stagger them 3 months apart, so it would take 9 months for both to intentionally expire. Is that long enough to not break a gagging order, given that the system is in place before you receive any such order?

    The reason for redundancy being that if you maintain a single canary and make a single mistake you could destroy trust in your company. Either way a canary needs to be watertight technically, operationally and procedurally with anyone involved knowing fully what they are doing in touching it.

    Just musings from the blog, absorb what is useful, etc

    Good luck in finding light at the end of the tunnel and thanks again for your efforts with it.

    1. Current legal advice is that if one does anything, or does not do something, which therefore reveals the gagged order, is a breach.

      So the law won't compel me to lie, just that is I don't lie I'll be breaking the law. They won't say "make this false statement", they'll say "go to jail"...

      But I really do appreciate the discussion on this. If there was a way to do it, I may do so, really. But right now the lawyer we pay for this advice says there is not, if ever we get such an order.

      There are different levels, some civil which I could maybe weather, but some seriously criminal which I could not. Even the civil ones could come with unexpected criminal "Official Secrets Act" aspects, so hard to predict.

      So I am looking at ways to make statements that customers can use to judge the integrity of A&A, and the resolve we have to challenge such things at all levels, but which won't get me locked up!

  7. If I emailed you TODAY to ask if you have any so called "black boxes" (of any colour), nor any orders for "data retention", nor "intercept capability" would you respond and if so how?

    1. Today I say no, but if we did set a date for ending the canary then after that date we would not comment.

  8. Is there a reason you couldn't have a third-party in another jurisdiction audit your systems and get them to publish a canary statement?
    If you had something put in that they weren't allowed to see, they could at least announce you've stopped their service.

    1. Mostly these things have not been tested in law and so lawyers are being understandably careful. I am not saying an effective canary is in fact impossible but I doubt that would help either. Stopping that “service” could be seen as disclosing.

    2. Essentially the idea is to take the matter out of your hands... you come to your regularly scheduled audit, you either have to cancel the audit, or they ask 'what's this plugged in here'.
      You can't tell them so they publish that there's something unaccounted for on your network. Or you can't continue being audited and they announce you're not a customer anymore.
      If they're not a UK company I doubt they could be compelled to do anything, including keeping you as a customer.
      If the law could penalise that, then I don't see how it's possible for any communications company to have 3rd party contracts dealing with their infrastructure.
      (Sorry, I'm sure you're giving this way more thought than I have, but the situation sounds bonkers.)

    3. The problem is either of those choices means us breaking the law by disclosing. I agree, it is crazy.