Fighting back against NSA sabotage with a dead-man's switch


#1



#2

I suspect if you try this, you will get a court order instructing you to continue sending those messages.


#3

Is there any reason to suspect that this would be treated, legally, as different than just saying that you’ve received a secret order?

Unless you found a magical literalist court who would also accept the “I didn’t violate the gag order; indeed, I specifically said ‘No, of course I haven’t received any secret disclosure orders.’ The fact that I was rolling my eyes and exuding theatrical levels of sarcasm is totally irrelevant!” argument, it seems like they wouldn’t much care how you disclose the fact, just whether or not you effectively disclose it.


#4

It’s not that you have to keep sending those messages, it’s just that the guy you bought your switch from apparently sold you a mislabeled ‘sent to federal prison for decades’ man switch, so it’s just my friendly advice that you not touch it.


#5

Centralization is the problem. An oppressive state generally disregards its own rules, and only other behemoths can withstand its attacks. However, Microsoft was sentenced to death by Clinton’s DOJ, and only survived by funding both parties’ presidential candidates. No centralized service will be immune to US government coercion, no matter how brilliantly it tries to apply technical craftiness to the legal arena. A small business with a single owner doing this will soon find that single owner brought up on child porn charges, etc… This xkcd strip is not a joke.

If you want to fight this fight, apply technical craftiness to technology. It’s time for fully peer-to-peer and friend-to-friend services replacing the old centralized ones, making encryption and resilience the rules. I really actually love this dead-man’s switch idea, but it expects too much honor from the opponent.


#6

#7

[quote=“fuzzyfungus, post:3, topic:9321, full:true”]
Is there any reason to suspect that this would be treated, legally, as different than just saying that you’ve received a secret order?[/quote]

There is a legal difference between not being permitted to say you’ve received one and being required to falsely say you haven’t received one.

That’s not to say you won’t be under a lot of threat for it, but it wouldn’t exactly be a clear-cut thing.


#8

While it IS possible that you could be served with a court order to continue sending, how long would it take for the gov’t to obtain such an order?


#9

Fighting back against dead-man’s switch…

The NSA imposes secret surveillance order on all service providers, and everyone stops reporting in.

I’m guessing if you implemented this tomorrow with the whole world joining in, you’d probably wonder if your mail server was broken due to the lack of “no secret order” messages you receive from the get-go.


#10

It’s an interesting question, and I’d like to see it tested. Rsync.net has a canary.txt file updated once a week, which contains a copy of the latest Washington Post headlines, and a cryptographic signature / signed message digest, along with a statement to the effect that they’ll stop updating the canary.txt file on receipt of a warrant containing a secrecy order.

http://www.rsync.net/resources/notices/canary.txt

Ah, okay you’re proposing a decentralised version of this. Sounds like an interesting programming project.


#11

This is not a new idea. See Warrant Canary.


#12

Agreed, but who has the time to actually do that kind of thing? What we need is Warrant Canary 2.0 for the Web, an automated tool that allows you to quickly notify those who are interested that you’ve remained warrant free.

e.g., suppose CanaryBot emails you a message, then assuming you’re good, you just reply to that email using GPG to sign the reply: the automated tool at CanaryBot then gets your email, validates the signature, and marks you ‘alive’ for another 72 hours, 1 week, etc. Once you miss an email, the WarrantBot knows you’re ‘dead’ and publishes your obituary to an RSS feed informing subscribers about your unwarranted demise.
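The timer half of the bot described in this post (and the signed, periodically refreshed canary that post #10 describes for rsync.net) can be sketched in a few dozen lines. This is an added example, not code from the thread or from any real CanaryBot; it assumes a fixed message format "canary-ok <unix-seconds>", an Ed25519 key used only for signing (the property post #15 points at), and a constructed demo seed in place of a real key. The dated message and the replay check matter: without them, a single captured reply, or a pile of replies signed in advance, would keep the canary "alive" indefinitely.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Canary tracks one service's last valid signed "no secret order" check-in.
type Canary struct {
	Pub      ed25519.PublicKey
	TTL      time.Duration // e.g. 72 hours, as the post suggests
	LastSeen time.Time     // zero until the first valid check-in
}

// Checkin verifies a signed "canary-ok <unix-seconds>" message and refreshes the
// timer; replayed, older or future-dated messages cannot keep the canary alive.
func (c *Canary) Checkin(msg string, sig []byte, now time.Time) error {
	if !ed25519.Verify(c.Pub, []byte(msg), sig) {
		return errors.New("bad signature")
	}
	var secs int64
	if _, err := fmt.Sscanf(msg, "canary-ok %d", &secs); err != nil {
		return errors.New("malformed message")
	}
	ts := time.Unix(secs, 0)
	if ts.After(now.Add(5*time.Minute)) || !ts.After(c.LastSeen) {
		return errors.New("future-dated, replayed or stale check-in")
	}
	c.LastSeen = ts
	return nil
}

// Alive is false before any check-in and once the TTL lapses: silence is the signal.
func (c *Canary) Alive(now time.Time) bool {
	return !c.LastSeen.IsZero() && now.Sub(c.LastSeen) <= c.TTL
}

// Sign is the service side: build the dated check-in text and sign it.
func Sign(priv ed25519.PrivateKey, at time.Time) (string, []byte) {
	msg := fmt.Sprintf("canary-ok %d", at.Unix())
	return msg, ed25519.Sign(priv, []byte(msg))
}

// DemoKeys derives a fixed, constructed key pair so the example runs offline.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-32-bytes!!"))
	return priv.Public().(ed25519.PublicKey), priv
}
```

A subscriber polls Alive with the current time and publishes the "obituary" the post describes when it turns false; the private key never leaves the service, so the bot only ever holds the public half.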


#13

Beat me to it.


#14

In a world where a journalist is facing over a hundred years in prison for linking to already-publicly-accessible leaked documents, I don’t think the claim of “I didn’t not say that I was issued a gag order” will be considered a defense by a US or UK judge. The justice system invents its own rules when it comes to the internet.

I think if this thing existed, any gag order would explicitly instruct you to keep sending the nothing-happened message. Failing to follow that would find you violating the order.

PS: Cory there’s a minor typo in your email that had me re-reading a paragraph 3 times to understand it. The parenthetical statement starting “(though even the NSA now admits to routine abuse” has no closing parenthesis.


#15

Cory, in your article in the Guardian you write

The UK is on less stable ground – the “unwritten constitution” lacks clarity on this subject, and the Regulation of Investigatory Powers Act allows courts to order companies to surrender their cryptographic keys (for the purposes of decrypting evidence, though perhaps a judge could be convinced to equate providing evidence with signing a message)

Actually I think your Canary idea is still good in Albion, because the RIP Act specifically prohibits the Government from compelling you to hand over secret keys whose only purpose is to generate digital signatures, e.g. provided you generate your key as DSA, or an RSA key as sign-only, you are exempt from penalties - the government cannot make you reveal a secret key to gain them the ability to generate false canary messages.

Part III section (9) of the Regulation of Investigatory Powers Act 2000 reads

(9) A notice under this section shall not require the disclosure of any key which—
(a) is intended to be used for the purpose only of generating electronic signatures; and
(b) has not in fact been used for any other purpose.


#16

That’s “…not unwarranted demise.”


#17

Then, by that reasoning, if I say to someone “if you have not received a gag order say ‘no’, otherwise say anything else”, they can say they have by just saying anything else.


#18

I could see this being used in other scenarios… libraries and ISPs having a prominent sign saying “We have not been served with a National Security Letter in XX days” that would come down if they are served.
The law prevents them from saying they have been served with a letter, but doesn’t prevent them from saying they haven’t, or from saying nothing.
Online services could even have this on a per-user basis with a “We have not been asked for your information” notice that would be taken down if they ARE asked for your info.
They’d have to actually care, though.

(edit) I posted before reading about the Warrant Canary. My bad.
And here I thought I was being clever.


#19

That’s not quite the same thing. In that circumstance they could be required to say nothing at all, and it would be on you to decide whether they simply decided not to answer the question. But requiring them to actively tell you “no” is something quite different.


#20

I was thinking about this canary problem last week and I think the only way to be sure to escape reprisal is to make it more than just a first amendment issue. If you submitted a sworn canary-like statement through some means to a court, you would have to tell the truth or else commit perjury. I don’t think the government can compel you to commit a felony.

I also wondered if you could use the same defense for example to deny breaking your crypto-email service for the NSA on the grounds that you might be guilty of hacking into the customer’s e-mail that you have no permission to read/access.