Legal Audit

[johnnybubonic]

Hello-

CanaryTail is an excellent project. In looking it over, however, I couldn't find any sort of review or audit performed by a lawyer.

Has this been done? If so, it is advisable to mention that. (The lawyer/law firm themselves may opt for non-disclosure to avoid indemnification, but it's important that it's at least reviewed for legal feasibility for the Standard and process itself.)

If it has not been done, I suspect that the EFF may be able to provide pro bono legal review for this as they have several volunteer lawyers on hand who are both technically competent and in line with the goals of this project.

If they're unable to help, I have a contact that may be able to help as he is a practicing lawyer involved in related specialty and is also highly technically competent.

Thanks again for being a unified initiative for warrant canaries!

[carrotcypher]

Thanks for the comment.

Two lawyers I work with describe the concept of warrant canaries as "dubious at best". EFF, one of the founding parties of CanaryWatch pulled out of the project citing legal uncertainties as well.

At this time it's assumed that warrant canaries serve more as a marketing and social tool for change than any kind of legal protection, another reason canarytail is being designed for transparency reporting and multi-party signatures to make it easier and more valuable for organizations and their users.

I'm putting together a review of "legality of warrant canaries in different countries" with a lawyer associated with the project, perhaps your lawyer acquaintance could assist with that?

[johnnybubonic]

Two lawyers I work with describe the concept of warrant canaries as "dubious at best". EFF, one of the founding parties of CanaryWatch pulled out of the project citing legal uncertainties as well.

Got it- thanks for the reply! I just wanted to make sure there wasn't anything inherent to the Standard that would definitively break a gag order (rather than potentially break a gag order). I am aware of just how "gray area" canaries can be, but wanted to make sure that the best chance of success in the case of contesting trial would happen. (In other words, there isn't anything in the Standard that would ensure a conviction of breaking gag-order rather than the stock-standard gray area of having a canary in general).

I'm putting together a review of "legality of warrant canaries in different countries" with a lawyer associated with the project, perhaps your lawyer acquaintance could assist with that?

I'll definitely contact them and see if they're interested in helping!

[reverendlex]

Hey there- sorry for the delay.

A friend of mine has some more nuanced legal thoughts on this issue.

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2663454

I'm going to read this over and see if I can make more useful comments.

[carrotcypher]

@reverendlex @johnnybubonic I think we should have a step-by-step interview process for generating the canary to avoid legal complications for the author.

Rationale: If a canary author uses ./canarytail canary new mydomain.com --WAR it could be argued in court that they manually typed --WAR and were thus knowingly acknowledging (at least to the canarytail application) having received a warrant.

If it were a Q/A interface instead, it might add some legal protection as they would only be choosing to decline to make statements one at a time.

Example:

Would you like to make the claim "I have not received a warrant"? (Y/N): N
Would you like to make the claim "I have not received a gag order"? (Y/N): N
Would you like to make the claim "I have not had my servers seized"? (Y/N): Y

[novacoole]

@carrotcypher

I think a slightly better phrasing for the Q/A interface would be:

Would you like to make the claim "I have not received a warrant"? (Yes/No comment): N
Would you like to make the claim "I have not received a gag order"? (Yes/No comment): N
Would you like to make the claim "I have not had my servers seized"? (Yes/No comment): Y

I can imagine some way that even negating one of these claims could be misconstrued as a deliberate leakage of information, however 'No comment' is legally ambiguous yet recognisable to consumers of the warrant canary as not yes.