SpiderOak’s Warrant Canary

SpiderOak, which offers Dropbox-like file sync only with zero-knowledge encryption (SpiderOak itself has no way to decrypt your data), has added a warrant canary to its site.

As Wikipedia sums it up, a warrant canary is a method of trying to circumvent court orders that forbid companies from notifying targets of surveillance that they are, in fact, being targeted:

A warrant canary is a method by which a communications service provider informs its users that the provider has not been served with a secret United States government subpoena. Secret subpoenas, including those covered under 18 U.S.C. §2709(c) of the USA Patriot Act, provide criminal penalties for disclosing the existence of the warrant to any third party, including the service provider’s users. A warrant canary may be posted by the provider to inform users of dates that they have not been served a secret subpoena. If the canary has not been updated in the time period specified by the host, users are to assume that the host has been served with such a subpoena. The intention is to allow the provider to warn users of the existence of a subpoena passively, without disclosing to others that the government has sought or obtained access to information or records under a secret subpoena.

Whether or not warrant canaries would actually be effective is debatable, especially for a company doing business in the United States that might be subject to criminal prosecution itself for effectively disclosing to the target(s) of a secret subpoena that something is amiss. I am not a lawyer, but I suspect judges will look askance (to say the least) at companies essentially taking preparations ahead of time to circumvent court orders.

That said, SpiderOak's implementation of a warrant canary appears well thought out:

The canary itself can take many forms; the one we've chosen is a specific plain text signed with multiple GPG keys.

The GPG keys belong to different SpiderOakers who we've selected based on geolocation. So besides doing all the legal (or illegal) things an adversary would need to do to get a backdoor somewhere in SpiderOak, they'll also need to compel 3 people around the globe to sign a message at a specific moment in time.

. . .

In cases such as SpiderOak, killing a canary can quite possibly mean killing the business, so we switched to publishing the canary every 6 months. This means the first canary will be signed between August 10 and August 15, 2014. The next one will be signed between February 10 and February 15, 2015.

The actual warrant canary is here. It says a lot about SpiderOak that they've taken this step, but this should probably be viewed more as a signifier by SpiderOak about how seriously they take the security of their users' data rather than a tool that is likely to be effective at informing end users of the existence of secret subpoenas.
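What the user's side of such a canary looks like in code, as an added example that is not SpiderOak's code and does not use their actual canary format: a statement is signed independently by several trustees, and a checker with their pinned public keys accepts it only if every signature verifies over the exact same text and the signing date is still inside the publication window. Ed25519 stands in for the GPG keys the post describes; the six-month period and one-week grace are assumptions derived from the signing windows quoted above; the statement text and key material are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Assumed from the post: the canary is re-signed every six months inside a
// five-day window, so allow a week of grace before declaring it dead.
const (
	Period = 183 * 24 * time.Hour
	Grace  = 7 * 24 * time.Hour
)

// Canary is one published statement: the text users read, the date it was
// signed, and one detached signature per trustee, in trustee order.
// This layout is an assumption for the example, not SpiderOak's format.
type Canary struct {
	Text       string
	Signed     time.Time
	Signatures [][]byte
}

// Status is the checker's verdict.
type Status int

const (
	Alive        Status = iota // every trustee signed, and the canary is current
	Expired                    // not re-signed in time: assume a gag order
	BadSignature               // tampered text, or a missing or forged trustee signature
)

func (s Status) String() string {
	return [...]string{"alive", "expired", "bad signature"}[s]
}

// canonical is the exact byte string every trustee signs: the statement plus
// its signing date, so an old signature cannot be reused on a re-dated copy.
func canonical(text string, signed time.Time) []byte {
	return []byte(strings.TrimSpace(text) + "\nSigned: " + signed.UTC().Format("2006-01-02"))
}

// NewTrustees generates n independent signing keys, one per geographically
// separated signer (Ed25519 stands in for the GPG keys in the post).
func NewTrustees(n int) ([]ed25519.PrivateKey, []ed25519.PublicKey) {
	privs := make([]ed25519.PrivateKey, n)
	pubs := make([]ed25519.PublicKey, n)
	for i := range privs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[i], pubs[i] = priv, pub
	}
	return privs, pubs
}

// Sign publishes a canary: every trustee signs the same canonical bytes.
func Sign(text string, signed time.Time, keys []ed25519.PrivateKey) Canary {
	msg := canonical(text, signed)
	c := Canary{Text: text, Signed: signed}
	for _, k := range keys {
		c.Signatures = append(c.Signatures, ed25519.Sign(k, msg))
	}
	return c
}

// Verify is what a user or a monitoring script runs against pinned trustee
// public keys. It is n-of-n: one trustee refusing to sign kills the canary,
// which is the property the post relies on. Signatures are checked before
// freshness, so a forged "fresh" canary is reported as forged, not alive.
func Verify(c Canary, trustees []ed25519.PublicKey, now time.Time) Status {
	if len(c.Signatures) != len(trustees) {
		return BadSignature
	}
	msg := canonical(c.Text, c.Signed)
	for i, pub := range trustees {
		if !ed25519.Verify(pub, msg, c.Signatures[i]) {
			return BadSignature
		}
	}
	if now.After(c.Signed.Add(Period + Grace)) {
		return Expired
	}
	return Alive
}

func main() {
	privs, pubs := NewTrustees(3)
	signed := time.Date(2014, 8, 12, 0, 0, 0, 0, time.UTC) // inside the Aug 10-15 window
	// Constructed statement text, not SpiderOak's actual canary wording.
	c := Sign("As of this date, the provider has received no secret subpoenas.", signed, privs)

	for _, now := range []time.Time{
		time.Date(2014, 12, 1, 0, 0, 0, 0, time.UTC), // alive
		time.Date(2015, 3, 1, 0, 0, 0, 0, time.UTC),  // expired: Feb window missed
	} {
		fmt.Printf("checked %s: %s\n", now.Format("2006-01-02"), Verify(c, pubs, now))
	}
	tampered := c
	tampered.Text += " Really."
	fmt.Println("tampered text:", Verify(tampered, pubs, signed)) // bad signature
}
```

The two failure modes are deliberately distinct: an expired canary is the signal the scheme is designed to send, while a bad signature means either the published text was altered or fewer than the expected trustees signed, which is exactly the case where a user should not quietly assume everything is fine.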

SpiderOak — Like Dropbox, Except They Don’t Lie to You

I’m not a fan of Dropbox ever since it was clear they had deceived customers. I work on a freelance project where everyone uses Dropbox (after I got them hooked on it), and giving it up for that isn’t really an option. For everything else I was using Dropbox for, however, I long ago removed all of my files from their service.

Instead I’m using SpiderOak. Like Dropbox, SpiderOak is intended as a tool to back up files to the cloud and then sync those files with other computers and devices such as smartphones.

What SpiderOak has that Dropbox doesn’t is the option for genuine encryption — my SpiderOak account is set up so that nobody, including SpiderOak employees, can access my files without my password. Dropbox promised users this capability, but it turned out they were not telling the truth and their employees could access user files at any time (or accidentally expose them for a couple of hours to the entire Internet, as they did earlier this year).

Of course with great power comes great complexity, and this is the major downside to SpiderOak. Dropbox is dead simple to install and use — it took me no time at all to get people who barely understood how to use their computer to install and use Dropbox with no problem. SpiderOak, on the other hand, requires a lot more thinking about what you’re doing.

So in SpiderOak, first you have to create a backup set (for example, all files in a directory), and then the application backs that up. Then you need to go in and sync the backup, authorizing specific devices and/or specific directories or files. Don’t get me wrong — it is not that SpiderOak is excessively complex, but rather that it is just not drop-dead simple like Dropbox is.

On the other hand, SpiderOak is much cheaper than Dropbox — I’m currently paying $10/month for 100 GB of space (and, like Dropbox, there is a free account with a 2 GB limit).

The only other thing I’d add is that I think the Dropbox app for Android is crap. The SpiderOak app wasn’t much better until recently, but the latest version does a nice job of letting me pick and choose which files, directories, etc. I want my phone to keep in sync.

Dropbox Lied. End of Story.

For the past couple of years, I’ve paid for a 50 GB Dropbox account and actively promoted the service among friends and colleagues. Dropbox has been extremely useful in managing some freelance projects I’m involved in. So when potential security issues surrounding Dropbox emerged back in April, I was concerned about just how private and secure the files I was sharing were.

Since April, there seem to be two basic schools of thought on Dropbox. The first is that Dropbox’s problems are really no big deal: the fact that Dropbox employees can potentially access files is inherent to any synced system. On the other side are folks who have shut down their Dropbox accounts and forsworn the service forever.

Here’s what I take away from the debacle: Dropbox lied, both to me and to the other folks to whom I recommended their system. When I signed up for Dropbox, the service promised that all of my files were encrypted and that,

Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).

When the security concerns emerged, Dropbox weaseled out of the above promise by clarifying that Dropbox employees are, in fact, able to access user files, but they are typically not granted access to do so. As Dropbox put it in a response to this issue,

In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement — it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission. We can see, however, why people may have misinterpreted “Dropbox employees aren’t able to access user files” as a statement about how Dropbox uses encryption, so we will change this article to use the clearer “Dropbox employees are prohibited from accessing user files.”

Whether they intended to or not (and it is hard not to see the original statement as intentionally misleading), Dropbox lied about its security model. I and others took those assurances seriously and assumed our files were being encrypted client side.

Regardless of whether this or that feature or security option is a good or bad idea, the fact remains that I simply don’t trust Dropbox anymore. I have better things to do than worry about when/if Dropbox is going to have to release another “sorry, we didn’t mean to mislead you, but …” statement.

I already set my account up so it reverts to the basic free version once the renewal date hits later this summer. I’m moving everything out of Dropbox except for my KeePass file and any other files which are already encrypted, and for working with clients who are going to continue to use the service despite the security risks. I’m currently testing SpiderOak — which is like Dropbox but uses a client-side encryption model — for all my cloud-based file syncing needs.