Rsync.net Warrant Canary (rsync.net)
99 points by jcsalterego on July 13, 2009 | 46 comments


Looks like a pretty decent law hack to me; they are going to comply with the warrant and just not update a particular file anymore.

Still, I assume a skilled lawyer would be able to convince a judge that the net effect is that users effectively obtain information about rsync.net being served a warrant quite closely around some specific date, and thus the service broke the law anyway (assuming secret warrants are lawful in the first place).


I'm not even sure you would need a skilled lawyer. Judges tend to be fairly smart. The law isn't a computer program, mindlessly followed by automatons on the bench. Intent matters, and I wouldn't be surprised if a judge considered this exactly the same as issuing a press release.


This is no different than libraries having a sign up that says "The FBI has not been here" and taking it down after they have (second sign): http://www.librarian.net/technicality.html

My understanding is that most observers believe that the sign is legal.


It was used almost a century ago in England to warn drivers about speed traps.

"It originated at the start of the last century as drivers started to run foul of police speed traps in which officers used a stopwatch to calculate whether or not a car was going too fast. Even then it was illegal to warn motorists about speed traps, but the AA advised its members to stop if a patrolman failed to salute, and the driver would then be given information about "road conditions" ahead."


The analogy is not quite the same. Rsync are subtly different in that they are putting up a new dated sign each week and stop doing so if served a warrant.

(the point being they are not actively making a change [taking the sign down] to indicate a "visit". Could make a difference)


It would be an interesting legal case to say the least, especially because they do not indicate that they will provide further information about the warrant, or how to act other than individuals should "take special notice".

Still I believe you are correct, by having a publicly stated policy about their planned inaction when served a secret warrant is effectively the same as making a public announcement. Ballsy, but kudos to them for making a statement about their privacy beliefs.


It does seem like something that only works once. As soon as a warrant is served and they stop updating the file, when can they start updating it again? When the warrant is made public?


Does it matter? Either rsync.net is clean, or it's not. Once surveillance begins it could continue indefinitely, and once law enforcement decides rsync.net is a threat it's likely that they'll become a regular target. After that point, if you're not OK with having your data searched by government agencies, you're not going to be entirely comfortable with rsync.net. But until that point, rsync.net can stake a big claim on keeping your data safe.


It seems transparently, wishful-thinkingly illegal. If everyone can find out when a warrant was served by watching what rsync.net says, then how can rsync.net claim they kept the existence of the warrant secret?


The law takes the idea of forcing a person to speak much more seriously than the idea of forcing him to remain silent, particularly if you would be forcing him to make a knowingly false declaration. I can't think of an instance off-hand where a US judge has forced a civilian by injunction to make a known-false public statement.


Transparently contriving to escalate keeping a secret to making a positive declaration would, I think, not impress a judge very much. After all, it is rsync.net who is intentionally placing themselves in a position where making a false declaration is the only way to comply with the law. The judge does not need to force them to make a statement; he only needs to observe afterwards that they have communicated the fact that they were served with a warrant and thereby failed to comply with their legal obligation to keep the warrant secret. It would be up to rsync.net to argue that they had freed themselves from that obligation by taking these actions.

Frankly, this is the kind of thing a five-year-old would come up with. "Yo, warden, I just created a new religion that says I have to have steak and hookers every day! Respect my religious freedom!" The law isn't that brittle. It's hackable, but you have to respect judges' latitude and legal sense.


They're not actually saying a warrant was served - that is an important detail that no one seems to be mentioning. All they're doing is not saying that a warrant wasn't served, and the two aren't the same thing.

There are a variety of circumstances under which the warrant canary would not be published. A warrant being served might be one (it might not), but there are certainly others: policy change being the most obvious.

I don't think there is a good legal precedent in general for maintaining that someone's failure to speak (under whatever circumstances) violates a provision for secrecy. I think that would be a hard argument to make, given that, at most, the failure to publish would lead some people to suspect that some kind of warrant had been served for something, somewhere, sometime in the past week or so, that rsync might have. Vague, at best.


Consider though that this is still a (nominally) free country, and they created this novel scenario 1) long before they were subject to any speech restrictions and 2) by making only true and public statements.

Then consider that they would come under speech restrictions through no fault of their own. It may be contrived, but they would be standing in a courtroom having committed no bad acts.

Would a judge order them to construct and publish a false statement? That's the question, but can you find case law that shows this ever having happened?

If not, then regardless of how contrived it is, it's still legally novel.


> Then consider that they would come under speech restrictions through no fault of their own.

Being served a warrant would not necessarily involve fault, either, yet it would put them under speech restrictions -- restrictions against making true and public statements. So current law already accepts that people can be punished for making true and public statements without committing any other bad acts.

I don't think the judge would order them to publish a false statement. I think the judge would simply punish them for revealing the warrant and respond to their pleas of speech coercion by saying, "Hey, your fault, not mine, and you did it on purpose." I mean, they're intentionally committing themselves to either publishing a false statement or breaking the law. They've shown their willingness, indeed their intention, to do one or the other if served with a warrant. If they intended to break the law, then they can hardly argue their innocence. If they intended to publish a false statement, then they can hardly argue that the court coerced them to do so. And the fact that they already explained their cunning plan means they can't argue lack of foresight, either.

As for novelty, I wouldn't even trust a lawyer to know whether this is novel. People have been splitting legal hairs since long before Solomon. Putting the letter of the law in contradiction to the spirit of the law is hardly a novel concept; this is just one possibly novel example. It's probably discussed in the Talmud somewhere. "Ah yes, the famous story of Francois the builder, who owed his brother Juan thirty-five rubles and agreed to repay him by shearing his sheep on the fifteenth day following the next new moon, knowing full well that the fifteenth day following the next new moon was a sabbath day, on which sheep-shearing was forbidden."


I'm not sure that the government can legally force you to lie, though. Anyway, I'm sure the authors of the law didn't consider this possibility (they are politicians after all) so it would ultimately be decided by a judge. I would bet 50/50 on the result.


There's nothing really novel here, though, except a little bit of cryptography to prevent the government from faking the messages, and the authors of the law were almost certainly not politicians. As far as I'm aware, laws are normally drafted by the people who want them passed -- lobbyists, usually, but in this case I would guess the law was written by DOJ or FBI lawyers.


How long would it take the lawyer to make his case? All rsync.net needs is to skip one day and it's too late. If rsync.net can stall a bit or find a way to fight it, then it's over.


Knowing the way bureaucracies work, they wouldn't manage to get the order to force them to update the canary until a few days later, at which point it would be too late.

All they need to do is buy themselves one day, and have a track record of not being late with the updates.


They already have an obligation to keep the warrant secret. If the court rules that they (obviously intentionally) violated that obligation, they will bear the consequences, right? The whole point is to try to avoid legal responsibility. Otherwise they could just post the details of the warrant on their home page.


Rsync.net is a fantastically awesome service. Check out their FAQ:

Will you support my use of X ?

Yes. If you are using X with an rsync.net filesystem, we will support and troubleshoot your use of it, regardless of how complex or esoteric that usage or application is. All such support will be handled by a real live Unix engineer, and will never be dealt with by a ticket system, autoresponder, or first level / junior "technician".

Really ?!

Yes. We are not just providing offsite filesystems, we are providing complete, end to end, personal customer support.

I can't even get that level of support ("real live Unix engineer") at my current workplace when things go pear-shaped.


How well will this scale? Isn't this setting the expectations too high and if the company grows well this promise might be difficult to adhere to.


I used to host with johncompanies.com (started by the same group or person), and support was always excellent with them as well. I didn't have to use it often, but whenever I did it was a fantastic experience.

It seems like they've got a pretty good idea about what things cost them and can scale by charging the right price for their business. I think they'll do fine.


They've been around for a while. I had an account with johncompanies before I started prgmr.com. My experience was quite positive.

I've heard this 'it doesn't scale' argument many times, and I think the source is that the sort of skills it takes to maintain support infrastructure of that quality are quite different from and rarely present in the same individual (or management of a company) as the skills required to scale out a product to the mass market.

Also, I don't believe the mass market doesn't really want a unix nerd on the level 1 support line. They want someone who speaks 'normal person.'


They are quite costly compared to other online backup services — and money tends to help with scalability.


I use Rsync.net and have been very happy with them. They even give you the option now to do pull backups via cron to prevent hackers deleting your backups a la the avsim.com hack.


When I saw this on the front page I assumed a warrant had been served.


Guess they should have called it a warrant-free canary, huh.


While I admire the spirit of this, unfortunately I believe it's of limited use: Once word gets out that these guys are LEA "unfriendly", it will start to attract the kinds of people that get LEA attention, and then they'll have to respond to a court order / subpoena / warrant / lawful intercept, and it's all over.

Large ISPs routinely get subpoena requests all the time (i.e. they have teams that do only that). I think rsync.net is setting themselves up for a lot of undesired press when they finally have to do it.


/Large ISPs routinely get subpoena requests all the time/

Sure, but I don't think they are secret very often.


Funny...

But it probably wouldn't work anyway. If a judge agrees that there is a need for a secret warrant, it's serious enough (aka national security) that the judge will tell you to continue doing business as usual, including posting your weekly canary.

There is no harm to you of posting an incorrect warrant canary and if that's the only objection you have, the judge will be happy to give you immunity on that point.

If you refuse to do so, expect to be held in contempt or similar coercion technique.

Bottom line: it doesn't work. Too bad.


Looks good.

gpg: Signature made Mon Jul 13 08:44:56 2009 PDT using DSA key ID 7D6F806C
gpg: Good signature from "rsync.net <info@rsync.net>"


You realize that unless you have a trust path via keys that you've signed (preferably by meeting the people holding them) that that verification isn't verifying much, right?

It's pretty easy to create a key that has that key id (since it's only the last few hex digits of the full 40 digit fingerprint) and the user id is freeform.

If you don't believe it's easy to pick your own key id, check the keyservers for the number of keys with DEADBEEF as their key id ;)
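
Added example (not part of the thread and not rsync.net's code): the key-ID point in the comment above, as a check a canary reader could script. It parses gpg's `--status-fd` lines, compares the full 40-digit fingerprint against a pinned one, and rejects a canary older than a week; the fingerprints, `MAX_AGE`, the helper names and the sample status lines are constructed assumptions.

```python
# Decide whether a warrant canary is acceptable from gpg's machine-readable
# status lines, e.g. the output of: gpg --status-fd 1 --verify canary.txt
import re

# Constructed placeholder fingerprints, NOT rsync.net's real key. Both end in
# the short key ID 7D6F806C that the gpg output quoted in the thread shows.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF7D6F806C"
LOOKALIKE_FPR = "FEDCBA9876543210FEDCBA98765432107D6F806C"
MAX_AGE = 8 * 86400  # assumption: weekly canary plus one day of slack
SIGNED_AT = 1247499896  # 2009-07-13 08:44:56 PDT, the time in the quoted output

# VALIDSIG <fingerprint> <sig date> <sig timestamp> ... (epoch-seconds form)
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) \S+ (\d+) ", re.M)

def short_id(fpr):
    """The 8-hex-digit key ID is only the tail of the fingerprint."""
    return fpr[-8:]

def check_canary(status_text, pinned_fpr, now):
    """Return (ok, reason) for one gpg status-fd transcript."""
    m = VALIDSIG.search(status_text)
    if m is None:  # BADSIG, ERRSIG or no signature at all
        return False, "no valid signature"
    fpr, sig_time = m.group(1), int(m.group(2))
    if fpr != pinned_fpr.upper():
        if short_id(fpr) == short_id(pinned_fpr):
            return False, "short key ID matches but fingerprint does not"
        return False, "signed by an unexpected key"
    if now - sig_time > MAX_AGE:
        return False, "canary is stale"
    return True, "fresh and signed by pinned key"

def status_for(fpr, sig_time):
    """Build a constructed status transcript for a good signature."""
    return (
        f"[GNUPG:] GOODSIG {fpr[-16:]} rsync.net <info@rsync.net>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2009-07-13 {sig_time} 0 4 0 17 2 00 {fpr}\n"
    )

if __name__ == "__main__":
    for fpr, now in [(PINNED_FPR, SIGNED_AT + 3600),
                     (LOOKALIKE_FPR, SIGNED_AT + 3600),
                     (PINNED_FPR, SIGNED_AT + 10 * 86400)]:
        print(check_canary(status_for(fpr, SIGNED_AT), PINNED_FPR, now))
```

The pinned fingerprint has to come from a channel other than the page that serves the canary, which is the trust-path point the comment makes.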


Yes. And if I were a customer of theirs I'd work to obtain a more trusted copy of their key. But, FYI, I've had this copy of their key in my keyring for several years, I didn't just pull it off their website today.


Heh. This is likely based on similar technically legal signs: http://www.librarian.net/technicality.html

This has been around around a year: http://www.reddit.com/r/programming/comments/2ygi6/warrant_c...

Edit: HTML. Another edit: reddit.


Kind of amusing, but dubious legality.

This is better: http://rsync.net/products/encrypted.html


Couldn't the FBI just use their upstream provider?



Here's where the warrant will first be served:

http://maps.google.com/maps?f=q&source=s_q&hl=en&...


Nobody has pointed out how easily the "news story" of today could be faked and updated. It's a simple script that would be able to read google news, pick out a random story, and throw it in the PGP signed message. How can that not be automated?


If the signing can be done without a human providing the key/passphrase, then the whole thing is worth nothing anyway.


> In opening remarks, a Democratic senator emphasized Judge Sonia Sotomayor's upbringing, while a Republican senator expressed concerns about activism on the bench.

I don't know, that probably could have been written a week ago. Should we be worried?

:-P


> I don't know, that probably could have been written a week ago.

No, it couldn't have, unless you have a time machine and a friend on the NYT's national desk, because it was in the Times today, not last week: http://lmgtfy.com/?q=In+opening+remarks%2C+a+Democratic+sena....


It was a joke - my point was that anyone who pays attention to politics would have known that the Democrats would emphasize her upbringing, and Republicans would express concerns about judicial activism.


That reminds me of a podcast by The Economist called "The Week Ahead", where each Friday they try to guess what the major news stories in the next week will be.

I agree with you that they could have found a story that would have been harder to guess.

http://video.economist.com/index.jsp?fr_chl=157a3251a697e23e...


I hate to belabor the point, and I'm pretty sure you get it anyway, but it's not the general subject or tone of the story that matters, it's the exact wording, which would be very hard to guess, especially for longer excerpts. It's not a matter of finding a "story" that's hard to guess, it's a matter of finding exact wording. I'll guess there's going to be some kind of trouble with the space shuttle next week, but that doesn't help defeat rsync.net's scheme.


Now that I've read your reply and taken another look at the article, I wonder what I was thinking when I suggested it could be guessed!

Putting an actual quote in there makes it very secure.



