Cloudflare expands government warrant canaries in transparency bid

Companies may not be able to tell you what the government has demanded, but they can tell you what it has not.
Written by Charlie Osborne, Contributing Writer

Cloudflare has expanded its transparency report to include a wider range of "have nots" when it comes to government demands -- an interesting loophole in the law which gives insight into gag orders without contradicting them.

The concept is known as a warrant canary. Named after the birds that miners once carried underground to warn of toxic gases, warrant canaries are statements some companies publish to let users know that secret requests for data or for technical changes have not been received.

These 'warrant canary' statements are posted publicly. While they may seem counter-productive, they rely on a loophole in the law: a company may state that no request has been received, and then remove that statement once it is no longer true.

In doing so, companies comply with the law on secret government requests and the accompanying gag orders, which prevent them from revealing such demands, while still maintaining transparency: users can 'assume' that a request has been received should a warrant canary vanish.

The extent of government surveillance in some countries, such as the United States, prompted the use of warrant canary tactics to maintain trust between companies and their users. Reddit removed its warrant canary in 2016 following what is generally believed to have been a US National Security Letter, an instrument used for electronic surveillance.

Cloudflare has been publishing transparency reports since 2013, and in this year's biannual report (.PDF), the scope of the cloud service provider's warrant canaries has expanded.


The company's existing warrant canaries are below:

  • Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone.
  • Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
  • Cloudflare has never terminated a customer or taken down content due to political pressure.
  • Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.

Three new warrant canaries are now included:

  • Cloudflare has never modified customer content at the request of law enforcement or another third party.
  • Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
  • Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

In addition, Cloudflare has changed its first warrant canary, "Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone," to now include "encryption or authentication keys or our customers' encryption or authentication keys," given the deprecation of SSL and its increasing age.
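The practical value of a canary lies in someone noticing when it disappears, and the rewording described above shows the edge case a naive "is the sentence still there?" check gets wrong: a reworded canary looks exactly like a removed one. The script below is an added example written for this article, not Cloudflare's code. It takes the canary sentences quoted above as the expected set, parses a constructed sample of a later report, and classifies each canary as present, reworded (a close but inexact statement exists in the report, judged by token overlap, an assumed heuristic) or missing. The full wording of the updated keys canary is reconstructed from the phrase quoted above and is an assumption, and the omission of the DNS canary from the sample is constructed to show an alarm.

```python
import re

# Canary statements as quoted in the article (Cloudflare's published wording;
# the first is the original SSL wording, before the change described above).
EXPECTED_CANARIES = [
    "Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone.",
    "Cloudflare has never installed any law enforcement software or equipment anywhere on our network.",
    "Cloudflare has never terminated a customer or taken down content due to political pressure.",
    "Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.",
    "Cloudflare has never modified customer content at the request of law enforcement or another third party.",
    "Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.",
    "Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.",
]

# Constructed sample of a later report (not a real Cloudflare document): five
# canaries unchanged, the keys canary reworded (full sentence assumed, built
# from the phrase quoted in the article), and the DNS canary deliberately left out.
SAMPLE_REPORT = """Transparency report (constructed sample)
 • Cloudflare has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.
 • Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
 • Cloudflare has never terminated a customer or taken down content due to political pressure.
 • Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.
 • Cloudflare has never modified customer content at the request of law enforcement or another third party.
 • Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
"""


def normalize(text):
    """Lower-case, unify curly quotes and collapse whitespace so cosmetic edits do not raise alarms."""
    text = text.replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"\s+", " ", text).strip().lower()


def tokens(text):
    """Word set used for the rewording heuristic (punctuation dropped)."""
    return set(re.findall(r"[a-z0-9]+", normalize(text)))


def jaccard(a, b):
    """Token-overlap similarity in [0, 1]; an assumed heuristic, not a standard."""
    return len(a & b) / len(a | b) if a or b else 0.0


def published_statements(report_text):
    """One statement per non-empty line, with bullet markers stripped."""
    return [line.strip().lstrip("•-* ").strip() for line in report_text.splitlines() if line.strip()]


def check_canaries(report_text, expected=EXPECTED_CANARIES, reword_threshold=0.75):
    """Map each expected canary to ('present', None), ('reworded', new_text) or ('missing', None)."""
    published = published_statements(report_text)
    expected_norm = {normalize(c) for c in expected}
    exact = {normalize(s) for s in published}
    # Only statements that match no canary exactly can be candidates for a rewording.
    unmatched = [s for s in published if normalize(s) not in expected_norm]
    result = {}
    for canary in expected:
        if normalize(canary) in exact:
            result[canary] = ("present", None)
            continue
        best, score = None, 0.0
        for statement in unmatched:
            similarity = jaccard(tokens(canary), tokens(statement))
            if similarity > score:
                best, score = statement, similarity
        if best is not None and score >= reword_threshold:
            result[canary] = ("reworded", best)  # operator should read the new wording
        else:
            result[canary] = ("missing", None)   # the canary has gone silent
    return result


def alarms(result):
    """Canaries that are missing outright: the signal the article describes."""
    return [canary for canary, (state, _) in result.items() if state == "missing"]


if __name__ == "__main__":
    outcome = check_canaries(SAMPLE_REPORT)
    for canary, (state, new_text) in outcome.items():
        print(f"[{state:8}] {canary}")
        if new_text:
            print(f"           now reads: {new_text}")
    print("ALARM:" if alarms(outcome) else "no canary removed", *alarms(outcome), sep="\n  ")
```

Run against the sample, the keys canary is reported as reworded with its new text, the DNS canary as missing, and everything else as present. A real monitor would fetch the published report on a schedule and keep the previous snapshot, since a canary that is never re-checked tells its users nothing.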

"It's not enough for us to be transparent about the things we do willingly, because tech companies are pressured every day to take the easy way out and avoid controversy or conflict by doing seemingly small things easily and quietly that are corrosive to these values," Cloudflare says.


Within the report, the company said that it received 19 criminal subpoenas during 2018, seven of which were answered; 21 civil subpoenas -- used for requests such as copyright claims -- all of which were answered; and 55 court orders, 44 of which were answered.


Cloudflare says that should it receive a request for information that it does not deem just, the company would "exhaust all legal remedies in order to protect our customers from what we believe are illegal or unconstitutional requests."
