Privacytools.io warrant canary is... invalid?!

[tezeb]

Filing an issue against dead warrant canary sounds a bit hilarious, but anyway. Warrant canary example on privacytools.io(funny image about FBI) is very misleading. The basic idea behing warrant canaries is to inform about gag orders, which by their nature prevents from modifying anything. This means that it's not possible to remove an image after receiving one. On the other hand gag orders cannot(afaik) force you to do something(ie. lie about not receiving gag order or sign a message about not receiving one). That's why warrant canaries are created periodically and usually signed to make it legally impossible to force someone to create back-dated one(as that would require law-enforcement to make her lie). As privacytools.io is an educational website I think it would be worth to remove this image or provide one with proper information.

btw. I am not a lawyer ;)

[privacytoolsIO]

The image we use is just an example to explain it in a sentence. Wikipedia is doing the same thing: https://en.wikipedia.org/wiki/Warrant_canary

[tezeb]

Wikipedia probably contains most of privacytools current content, but my understanding is that privacytools tries to be more domain-specific which imho implies that it should be more accurate. It's worth noting that wikipedia states that the image in question is "active removal canary", which at least shows that there might exist some "passive" canary. I may be picky, especially that afaik canaries are not court-tested, but after reading description and looking at image it's not clear why canaries are supposed to work and what's the difference(assumed) of sign "FBI was not here" vs "FBI was here" vs removal of "FBI was not here".

[ghost]

The picture is the best way to explain warrant canaries.

[Mikaela]

I don't know about 2016, but as there are nowadays so many services and expansion plans, I agree with a Matrix user who is saying that we should publish PGP signed warrant canaries.

I am also confused on where does https://privacytools.io/ take the warrant-canary as preview, while I can most easily find it on https://privacytools.io/classic/#wc.

[jonaharagon]

@Mikaela https://www.privacytools.io/providers/#wc

Also, honestly I just hate GPG, and after having reset all of my devices I haven't restored my private keys on any one of them to no ill effect. But we certainly could if we wanted.

[Mikaela]

I feel you.

How about some GPG alternative that is recently talked about? I can think of only minisign right now.

[jonaharagon]

We will not be adding warrant canaries for PrivacyTools at this time.

[Mikaela]

I wish to have more explanation on why not.

I had a theory that we don't have a warrant canary as it would otherwise be removed already, but then @JonahAragon started answering "no" to my questions such as "Has a similar member of Intelligence Community of any country been in contact with you?".

I am also offered the reason that @blacklight447-ptio dislikes warrant canaries and that this has been discussed in the team chat, but I don't remember that or have any idea how to find it and I think we should at least have a "why we don't issue a warrant canary" section.

The previous reason on this issue tracker is honestly hating GPG, while not addressing the GPG alternatives and while @blacklight447-ptio is one of the very few team members without a PGP key, he wasn't the one to comment here on hating GPG. I think I am assigning them on this issue also.

[Mikaela]

https://github.com/privacytoolsIO/privacytools.io/issues/1567#issuecomment-561849743 - as far as I can see, the only thing we can do is removing the warrant canary section entirely.

[blacklight447]

@Mikaela I have many gpg keys, just not one for ptio so far.