@k00b @ek have you thought of adding a warrant canary of some kind to the site that you could use if you were ever approached by who knows in some capacity about something that the users might want to know about but you were gagged, that you could then not renew as a signaling mechanism? You could bury it in the Legal page as a paragraph and then not update should something transpire?
0 sats \ 5 replies \ @anon 8 Mar
and renew it once a month if its an all clear
reply
777 sats \ 4 replies \ @k00b 8 Mar
I've thought about putting a literal canary icon in the footer. Then if we're approached, have an icon of a dead canary.
reply
59 sats \ 3 replies \ @anon 8 Mar
you need to set it up to die on its own unless you renew it (feed it), otherwise it can be anti-gag order action
reply
Like a warrant tamagotchi.
reply
77 sats \ 1 reply \ @k00b 8 Mar
Ahhh good tip! I guess they can't punish you for not doing something but they can punish you for doing something.
reply
Mhh, maybe we can regularly sign something that expires fast enough (a certificate basically) and link to it in the legal page? And when we're approached, it automatically expires and is not renewed. The additional benefit is that only the holder of the private key can renew it.
But that would mean we rely on users being able to verify signatures. Key rotation is simply the first thing that came into my mind when thinking about warrant canaries. But I would think anyone who cares about warrant canaries can be expected to know how to use gpg --verify?
Turns out the first commercial use of a warrant canary also used a digital signature:
The first commercial use of a warrant canary was by the US cloud storage provider rsync.net, which began publishing its canary in 2006. In addition to a digital signature, it provides a recent news headline as proof that the warrant canary was recently posted as well as mirroring the posting internationally.