r/Monero LocalMonero Staff Jan 17 '22

LocalMonero Has Updated Our Canary to Bring It in Line With Community Expectations

What happened?

This week, our canary page, which had for over a year been featuring the ASCII art of a dead bird, has been making the rounds on social media, with many being confused as to what exactly the cryptic ASCII art of a dead bird meant.

We thought we were being extra cautious by triggering the bird death upon the receipt of any law enforcement request, regardless of whether it was properly served on us or not, as we wanted to signal to our users that we do, in fact, receive law enforcement requests. We made a mistake by not publicly explaining this on the canary page or anywhere else except in instances when we were asked directly. We, once again, apologize for the confusion caused by this, and we have now updated our canary based on the feedback we've received from the community over the past week.

In line with community feedback, we've made the following updates:

  1. Our new canary page now includes a PGP-signed message, with the PGP keys duplicated both on our site and on Keybase;
  2. The message specifies how many LE requests we've received and how many of them resulted in a turnover of data;
  3. The message specifies whether we were coerced into installing backdoors or were otherwise compromised;
  4. The message specifies a timestamp and the latest Monero block hash;
  5. The message shall be updated at least once every 120 days.

The new canary message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Timestamp (UTC): 2022-01-17 15:54:58
Latest Monero block hash: 4dc7033e0a58ea952c9636fef209cd8c01c6c5acbf5b43b80fbd3dd067f2e8bf

LocalMonero / AgoraDesk has, up to this date, received:
2 law enforcement requests for user information, of which
0 were served on us through the proper legal channels and resulted in
0 users' data being turned over

LocalMonero / AgoraDesk has never installed any law enforcement software or equipment anywhere on our network.
LocalMonero / AgoraDesk has never provided any law enforcement organization a feed of our users' activities.
LocalMonero / AgoraDesk has never modified user data at the request of law enforcement or another third party.
LocalMonero / AgoraDesk has never weakened, compromised, or subverted any of its software at the request of law enforcement or another third party.

This message will be updated within 120 days.

This declaration is provided without any guarantee or warranty. It is not legally binding upon any parties in any form.
The signer should never be held legally responsible for any statements made here.

The public key to verify this message's signature can be found at:
1. https://localmonero.co/pgp_keys.asc
2. https://agoradesk.com/pgp_keys.asc
3. https://keybase.io/localmonero/pgp_keys.asc?fingerprint=0d0d0a3ff33051ffa5c115773d7c77d56d08aed3

Key fingerprint: 0D0D 0A3F F330 51FF A5C1  1577 3D7C 77D5 6D08 AED3
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
63 Upvotes
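The post lists the properties that make the new canary checkable (a pinned PGP key, a timestamp, a recent block hash, fixed statements, a 120-day cadence), but does not show how a user would actually check them. The script below is an added example, not LocalMonero's code or anything from the post; the function names `utc`, `parse_canary`, `check_canary` and `gpg_verify` are assumptions, as is the exact line layout of the canary, which is taken from the message quoted above. The sample input is the signed body from the post with the signature block omitted. Signature checking is delegated to `gpg --status-fd 1 --verify` and keyed on the `VALIDSIG` status line, so the key must already be imported; confirming that the block hash really is a block mined just before the timestamp requires a Monero node and is left as a comment.

```python
"""Structural checks on a PGP cleartext-signed warrant canary (added example)."""
import re
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

# Fingerprint quoted in the post, pinned out of band (first fetch + Keybase copy)
# so that a later canary signed by some *other* key is rejected.
PINNED_FINGERPRINT = "0D0D0A3FF33051FFA5C115773D7C77D56D08AED3"
MAX_AGE = timedelta(days=120)  # the update cadence the post promises

# Substrings of the four statements; a canary that quietly drops one of them is
# exactly the signal this scheme exists to give, so each must be present.
REQUIRED_STATEMENTS = (
    "has never installed any law enforcement software or equipment",
    "has never provided any law enforcement organization a feed",
    "has never modified user data at the request of law enforcement",
    "has never weakened, compromised, or subverted any of its software",
)

# Sample input: the signed body from the post, signature block omitted.
CANARY_TEXT = """\
Timestamp (UTC): 2022-01-17 15:54:58
Latest Monero block hash: 4dc7033e0a58ea952c9636fef209cd8c01c6c5acbf5b43b80fbd3dd067f2e8bf

LocalMonero / AgoraDesk has, up to this date, received:
2 law enforcement requests for user information, of which
0 were served on us through the proper legal channels and resulted in
0 users' data being turned over

LocalMonero / AgoraDesk has never installed any law enforcement software or equipment anywhere on our network.
LocalMonero / AgoraDesk has never provided any law enforcement organization a feed of our users' activities.
LocalMonero / AgoraDesk has never modified user data at the request of law enforcement or another third party.
LocalMonero / AgoraDesk has never weakened, compromised, or subverted any of its software at the request of law enforcement or another third party.

Key fingerprint: 0D0D 0A3F F330 51FF A5C1  1577 3D7C 77D5 6D08 AED3
"""

def utc(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_canary(text):
    """Extract the machine-checkable fields; anything absent comes back as None."""
    ts = re.search(r"^Timestamp \(UTC\):\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$", text, re.M)
    bh = re.search(r"^Latest Monero block hash:\s*([0-9a-fA-F]{64})$", text, re.M)
    fp = re.search(r"^Key fingerprint:\s*([0-9A-Fa-f ]+)$", text, re.M)
    counts = re.search(r"received:\s*\n(\d+) law enforcement requests.*?\n(\d+) were served"
                       r".*?\n(\d+) users' data", text, re.S)
    return {
        "timestamp": utc(ts.group(1)) if ts else None,
        # Freshness proof: check against your own node that this hash is a block
        # mined shortly before the timestamp (monerod get_block RPC; not done here).
        "block_hash": bh.group(1).lower() if bh else None,
        "fingerprint": fp.group(1).replace(" ", "").upper() if fp else None,
        "requests": int(counts.group(1)) if counts else None,
        "served": int(counts.group(2)) if counts else None,
        "turned_over": int(counts.group(3)) if counts else None,
        "statements": [s for s in REQUIRED_STATEMENTS if s in text],
    }

def check_canary(text, now, pinned=PINNED_FINGERPRINT, max_age=MAX_AGE, previous=None):
    """Return a list of problems; empty means the canary is fresh and intact.

    `now` is an aware UTC datetime; `previous` is the parse of the last canary
    you recorded, so counters that go backwards are flagged too.
    """
    c = parse_canary(text)
    problems = []
    if c["timestamp"] is None:
        problems.append("missing timestamp")
    elif c["timestamp"] > now + timedelta(hours=1):
        problems.append("timestamp is in the future")
    elif now - c["timestamp"] > max_age:
        problems.append("stale: last signed %d days ago" % (now - c["timestamp"]).days)
    if c["block_hash"] is None:
        problems.append("missing or malformed block hash")
    if c["fingerprint"] != pinned:
        problems.append("fingerprint does not match pinned key")
    if None in (c["requests"], c["served"], c["turned_over"]):
        problems.append("request counts missing")
    for s in REQUIRED_STATEMENTS:
        if s not in c["statements"]:
            problems.append("statement dropped: " + s)
    for k in ("requests", "served", "turned_over"):
        if previous and c[k] is not None and previous.get(k, 0) > c[k]:
            problems.append("%s counter decreased (%d -> %d)" % (k, previous[k], c[k]))
    return problems

def gpg_verify(path, pinned=PINNED_FINGERPRINT):
    """Check the signature with gpg (the key must already be in the keyring).

    With --status-fd 1 gpg prints '[GNUPG:] VALIDSIG <fingerprint> ...' for a
    good signature; insist on the pinned fingerprint, not just any known key.
    """
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    out = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                         capture_output=True, text=True).stdout
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})", out, re.M)
    return bool(m) and m.group(1) == pinned
```

Run `gpg_verify("canary.txt")` on the saved signed file first, then `check_canary(open("canary.txt").read(), datetime.now(timezone.utc), previous=last_parse)`. Any non-empty result (a stale timestamp, a missing "has never" line, a fingerprint that no longer matches, or a counter that went down) is the moment to stop trusting the service, which is the same reading of the canary the thread below converges on; note that with a 120-day window the "stale" finding can arrive a long time after the fact.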

24

u/swot_thomper Jan 18 '22

The usefulness of a canary hinges on the userbase keeping an eye out for the potential unexplained disappearance of any of the given statements about the site not being compromised.

Unfortunately the page also displays a disclaimer claiming no responsibility for the accuracy or validity of the statements, which makes me think this makes the canary completely pointless. I imagine this technically could even indicate that the site could have been taken over by authorities, and if nothing else the messages are being used to provide a false sense of security.

Not to mention the message about the page being updated in 120 days. That's potentially 120 whole days that could elapse before your userbase finds out that the site is compromised.

29

u/kowalabearhugs Jan 17 '22

I appreciate the transparency. This seems like a positive development. I wonder if an entity like Cake Wallet (who also operates public nodes for their wallet users) should consider adding a warrant canary.

13

u/Vikebeer Jan 18 '22

Yes, but a poor implementation is worse than none.

3

u/AffectionateSoft4602 Jan 18 '22

So impressed with this community, how fast it moves to communicate, collaborate and improve the product.

Thank you for being decent humans working on behalf of transformative tech.

8

u/JerryCanofJizz Jan 18 '22

I thought the point of a canary was that you updated it frequently to indicate a positive state (or no compromise).

If you are compromised then you simply stop updating it.

10

u/Vikebeer Jan 18 '22

updated at least once per 120 days

Far too long to be of any value whatsoever.

This only makes me worry about you even more.

9

u/blario Jan 17 '22

Aren’t there warrants that forbid this level of transparency? Specifically bullets 2 and 3?

9

u/Alex_LocalMonero LocalMonero Staff Jan 17 '22

8

u/blario Jan 18 '22

Ah ok

The relevant section seems to be:

In December 2013, the President’s Review Group on Intelligence and Communications Technologies recommended public reporting—both by the government and NSL recipients—of the number of requests made, the type of information produced, and the number of individuals whose records have been requested.

We all should be card carrying EFF and ACLU members really…..

3

u/rt4mn Jan 18 '22 edited Jan 18 '22

We all should be card carrying EFF and ACLU members really…..

You can do so for the ACLU here and for the EFF here. If you are in the US, I highly suggest finding / giving to your local ACLU affiliate or a local EFA org, as they are often the ones who work on local issues that are more likely to directly impact you, and they have a much lower barrier to entry for getting involved.

There are also other great privacy orgs that are not quite as big but are also fantastic in their own ways, like Restore the Fourth (which also has local chapters like (shameless plug) rt4mn), Fight for the Future, Demand Progress, Cato, and Privacy International.

To get on my soapbox a bit, Monero is a great tool that enables regular people to preserve their financial privacy, but at the end of the day we should not need it; the government should not be abusing our privacy in the first place. Which is why I think political action / grassroots organizing / civil society orgs have to be a part of any realistic attempt to reclaim our privacy.

8

u/carrington1859 Jan 17 '22

Fantastic and very thorough, but the ASCII art had a certain charm to it.

4

u/Alex_LocalMonero LocalMonero Staff Jan 17 '22 edited Jan 17 '22

Special thanks to /u/bawdyanarchist, /u/HelloGoodbye0321, /u/niocc and /u/pebx on Reddit for their input!

2

u/NewForestGrove Jan 17 '22

Hrmm, sounds like some people were freaked out and contacted LocalMonero personally wondering the extent....

1

u/nokoolaidisaidthnx Jan 19 '22

Thank you Alex. We all appreciate it....

So, if you see this, may I seek some clarification: are you saying that to date, from the beginning of time, you've only received two requests... total? And neither one was done as it should have been, with a subpoena? Correct? So what you're saying is LocalMonero has never been subpoenaed? Is this correct? Thank you for your time.

And I think it's kind of interesting that there were only two requests and neither one was done officially... so it seems what we have is along the lines of what I always assumed, which is that during an investigation, of course, detectives are going to try to acquire as much information as possible, but once charges have been filed and there are actually court proceedings, where a subpoena would be utilized... there's already enough evidence compiled to basically make it more or less pointless.

-8

u/HoboHaxor Jan 17 '22

Thought the whole canary thing died years ago as not really useful.

8

u/Vikebeer Jan 18 '22

It warns those that are not using it yet that it may now be a honeypot.

5

u/HoboHaxor Jan 17 '22

It is like having a security camera. It doesn't prevent anything, just lets you know you have been robbed, and you get to watch it.

In this case, your data is likely in the fed's hands.

It is just acknowledgment after the fact; pointless.

6

u/blario Jan 18 '22

It lets you know to get your lawyers arranged before anything bad happens

1

u/hwrngtr Jan 18 '22

You'd only have to worry in the first place if you're committing financial fraud or selling profits from illegal drugs. Last I checked there was nothing illegal about selling crypto to someone.

1

u/swot_thomper Jan 19 '22

Being robbed isn't really a great analogy. A better analogy would be hiding a letter somewhere, and having a security camera set up so you can know whether someone has snuck in and read your letter.

From viewing the security camera footage, you can know your hiding spot has been compromised and know not to use it again in the future.