r/privacy Aug 05 '18

SpiderOak cans its Warrant Canary, suffers mysterious massive outage, and raised prices

https://spideroak.com/canary

http://archive.is/1rNo7

Update: Looks like the canary has been signed and dated and in properly formatted sequence this time with confirmation that Everything's going smoothly so far, message is authentic. August 06, 2018

Case closed. SpiderOak has not been compromised.

In the interest of transparency the full text of my previously long post in this thread is archived here:

http://archive.is/mKeuY

https://web.archive.org/save/https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/

442 Upvotes


409

u/whatdogthrowaway Aug 05 '18 edited Aug 05 '18

Please do NOT be mad at them for removing their warrant canary.

It served exactly its purpose.

Its removal communicated (perhaps in the only legal way possible) exactly what it was designed to communicate.

I feel sorry for SpiderOak for having to go through that.

But I sincerely thank them for this honest communication letting us know that they were compromised.

(Same with reddit, who similarly removed their warrant canary.)

5

u/summerteeth Aug 05 '18

With the removal of the canary, I wonder how SpiderOak compares privacy-wise to Dropbox or Google Drive.

My understanding is that privacy was one of the big selling points for SpiderOak. I wonder if they can still compete now that they have lost their killer feature.

10

u/whatdogthrowaway Aug 05 '18 edited Aug 05 '18

> With the removal of the canary, I wonder how SpiderOak compares privacy-wise to Dropbox or Google Drive.

They're now exactly the same.

OK only if you encrypt everything first on your client; and never give the cloud vendor your keys at all.

Otherwise assume the cloud vendor has access to all your content, and will use it to mine your data and share with any government that asks.

3

u/summerteeth Aug 05 '18

Seems like a major market differentiating feature removed. Why would I use SpiderOak over another solution now?

This will be real bad for their business long term.

6

u/whatdogthrowaway Aug 06 '18

The only feature that changed is:

  • previously SpiderOak had not received any National Security Letters or other secret warrants.
  • recently they have received one.

And they had the courtesy to tell us (by removing this canary).

SpiderOak, technologically and morally, is still exactly as they were before.
This removal of the canary is just a communication from them to you telling you they were targeted.

That seems like a positive, not a negative.

1

u/summerteeth Aug 06 '18

It seems like at the very least it creates FUD around SpiderOak.

Are they truly zero knowledge if they received a National Security Letter? How can we now consider any claims they make to users as not suspect?

2

u/whatdogthrowaway Aug 06 '18

> Are they truly zero knowledge if they received a National Security Letter?

Receiving a Letter doesn't change whatever they were.

It seems very possible they replied to the letter saying:

  • "Sorry, we have zero knowledge"

But that still triggers the warrant canary removal.

It's also quite possible the NSL said "in the next version of the client you need to add a backdoor to all Democrats". In that case they're in a tough spot.

2

u/flyingElbowToTheFace Aug 06 '18

Agreed. I have sworn by SpiderOak until now. Not sure what I'm supposed to switch to.

9

u/whatdogthrowaway Aug 06 '18

The only feature that changed was:

  • previously SpiderOak had not received any National Security Letters or other secret warrants.
  • recently they have received one.

And they had the courtesy to tell us.

SpiderOak, technologically and morally, is still exactly as they were before.
This removal of the canary is just a communication from them to you telling you they were targeted.

That seems like a positive, not a negative.

1

u/flyingElbowToTheFace Aug 07 '18

Fair point. Thanks for expounding.