7 votes

Warrant Canary

Hey, just a thought. I'm not sure what the legal standing of warrant canaries (i.e. being compelled to lie) is in Canada, but given the privacy level afforded by the site, the key component of that privacy is trust.

You're doing a lot to make sure private data is treated as harmful, and the open-source code will be visible, but that's still not a guarantee that the server is actually running the code that will be open sourced.

Tildes could probably benefit from a warrant canary given that it's a platform for user generated content and if it gets prominent enough it may be subject to LEO scrutiny. Compliance with LEO is a given since the website operates under Canadian Jurisdiction, but given the... nature of some requests (Gag Orders / Etc...) a canary could be a privacy positive move for users of Tildes.

6 comments

  1. [6]
    Deimos

    It's an interesting question, and I honestly haven't researched warrant canaries very heavily, but my general feeling towards them is a bit negative because I don't think they're very useful.

    A few concerns/problems I have with warrant canaries in general:

    • The legal status of them is pretty questionable. A lot of the justification for them in the US seems to be based on the First Amendment, and since Canada's laws are a little different, it might be even more questionable here. I just found this article written by Jon Penney (a Canadian lawyer and a great guy that I've met and talked to a few times), and he doesn't seem very confident about the legal basis for them in Canada. I could probably contact him and talk to him about it more to see if his opinion's changed at all in the last few years.
    • They're kind of only usable once. Once you remove it, you can't really put it back. Even the people that support warrant canaries seem to think they get even more iffy if you start trying to increase the specificity of them (such as by re-adding a new one or narrowing down the date range).
    • Even in the cases where they've been used and removed, nobody seems to care and nothing happens. Reddit had one; it was removed a couple years ago. Was it removed because something actually happened, or did they just not want to have it any more? What did removing it actually mean? Regardless of the answers to those questions, as far as I can tell, nothing significant happened in response to it being removed. So was there even a point?
    5 votes
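The mechanical form of a canary that the second point above (single-use, awkward to make more specific) is about is a signed statement carrying the date it speaks for and an explicit expiry, republished on a schedule, so that silence past the expiry rather than a deletion is the signal. The following is an added example in Go of that mechanism; it is not code from Tildes or from anyone in this thread, it says nothing about the legal question, and the statement text, the 2018 date, the 30-day window and the status names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// CanaryStatus is what a reader concludes after checking the canary.
type CanaryStatus int

const (
	CanaryAlive   CanaryStatus = iota // signature valid and inside the validity window
	CanaryExpired                     // signature valid, but the operator did not republish in time
	CanaryInvalid                     // signature does not match the text/dates (tampering or wrong key)
	CanaryMissing                     // no canary published at all: the removal case
)

func (s CanaryStatus) String() string {
	switch s {
	case CanaryAlive:
		return "alive"
	case CanaryExpired:
		return "expired"
	case CanaryInvalid:
		return "invalid"
	case CanaryMissing:
		return "missing"
	}
	return "unknown"
}

// Canary is the published statement plus the two dates that make it periodic:
// the date it speaks for and the date by which a fresh one must appear.
type Canary struct {
	Statement string
	AsOf      time.Time
	Expires   time.Time
	Signature []byte
}

// payload is the exact byte string that gets signed. Binding both dates into it
// means an old statement cannot be re-served later with a stretched window.
func payload(statement string, asOf, expires time.Time) []byte {
	return []byte(strings.Join([]string{
		statement,
		"as-of: " + asOf.UTC().Format(time.RFC3339),
		"expires: " + expires.UTC().Format(time.RFC3339),
	}, "\n"))
}

// Publish is the operator side: sign a statement covering asOf until asOf+validFor.
func Publish(priv ed25519.PrivateKey, statement string, asOf time.Time, validFor time.Duration) Canary {
	expires := asOf.Add(validFor)
	return Canary{
		Statement: statement,
		AsOf:      asOf,
		Expires:   expires,
		Signature: ed25519.Sign(priv, payload(statement, asOf, expires)),
	}
}

// Check is the reader side. pub must come from somewhere other than the page that
// serves the canary (pinned on a first visit, published elsewhere); otherwise
// whoever can replace the canary can replace the key along with it.
func Check(pub ed25519.PublicKey, c *Canary, now time.Time) CanaryStatus {
	if c == nil {
		return CanaryMissing
	}
	if !ed25519.Verify(pub, payload(c.Statement, c.AsOf, c.Expires), c.Signature) {
		return CanaryInvalid
	}
	if now.After(c.Expires) {
		return CanaryExpired
	}
	return CanaryAlive
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed values for the example: statement text, date and a 30-day window.
	asOf := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC)
	c := Publish(priv, "As of the date below, the operator has received no warrants, subpoenas or gag orders.", asOf, 30*24*time.Hour)

	fmt.Println("one day later:     ", Check(pub, &c, asOf.Add(24*time.Hour)))
	fmt.Println("sixty days later:  ", Check(pub, &c, asOf.Add(60*24*time.Hour)))
	stretched := c
	stretched.Expires = c.Expires.Add(365 * 24 * time.Hour) // extending the window without the key
	fmt.Println("stretched expiry:  ", Check(pub, &stretched, asOf))
	fmt.Println("canary taken down: ", Check(pub, nil, asOf))
}
```

The four statuses are the practical difference from a canary that is simply present or absent: "expired" and "missing" are both silence, but a reader can tell a lapsed schedule from a removed page, and "invalid" catches a statement whose dates were edited after signing. What none of them can tell the reader is why the operator went silent, which is the limit the comment above describes.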
    1. [5]
      Amarok

      Your primary weapon is keeping to your policy of no data retention. Dump all user specific data as fast as it is possible to do so and don't collect any more than the bare minimum. That way when the warrants come in, you get to laugh and tell the courts 'tough fucking luck, I am very sad for you.' The courts cannot order you to retain more data and spy on people.

      I think some kind of public disclosure might also be in order - we serviced xxx legal requests this quarter etc. Make it highly visible and public any time the courts butt into the business. You're outside US jurisdiction, so you shouldn't have to worry about their 'secret courts' and 'secret laws' and 'secret gag orders' since they have no pull where you are. The most the USA can do is pressure Canada to get involved, and odds are the data will be turned over and deleted long before that mess can make it through the proper channels.

      6 votes
      1. cfabbro
        (edited)

        Let's play spot the American who doesn't trust their government to ever act in the peoples' best interests. ;)

        I am all for privacy, good privacy & data retention policies and properly implementing/maintaining said policies, but the whole "tough fucking luck, I am very sad for you" towards a government issued warrant is not a common opinion in Canada, IMO. The Canadian government and its law enforcement agencies don't really have a history of overreach like in the US, our courts are historically and demonstrably very pro-privacy at every level (e.g. SCOC decided that IP addresses are not considered sufficiently identifiable information to warrant copyright lawsuits) and Canada has decent consumer protection and privacy regulations with commensurate fines for violations as well (e.g. Bell Canada being fined by our Privacy Commission over selling improperly anonymized user data). And while our laws are admittedly less strong than the EU's currently are, that is likely to change soon, for the better, with the Liberals in power.

        Hell... we don't even have any records/data mandatory retention period laws in Canada for online services (other than financial transaction/tax record related stuff for obvious reasons), meaning ~ is really under no obligation to retain any information whatsoever about its users beyond what is required for site functionality... which is why @deimos is allowed to store only the email hash for account recovery and not forced to store the email address itself or even a recoverable/disclosable form of it anywhere.

        I do think public disclosure of government information requests, where it is legal to do so, is a good idea though.

        1 vote
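The storage design described in the comment above (keep a hash of the email for account recovery, never the address) only does its job if the stored hash is not itself a cheap lookup table of addresses. Below is an added example in Go of one way to build it; it is not Tildes' code, and nothing in this thread says which hashing scheme Tildes actually uses. The peppered HMAC, the normalization rule, the account list and the addresses are all assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Account holds a digest of the address and nothing recoverable from it.
type Account struct {
	Username    string
	EmailDigest string
}

// normalizeEmail makes differently typed spellings of one mailbox hash alike.
// Lowercasing the whole address is an assumption: the local part is
// case-sensitive on paper, but treating it that way mostly produces lockouts.
func normalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// EmailDigest is HMAC-SHA256 over the normalized address under a server-side
// pepper that lives outside the database. A plain, unkeyed hash would not do
// here: addresses are a small, guessable input space, so a leaked table of
// SHA-256(email) can be matched against address lists at hardware speed.
// With the pepper held elsewhere, the table on its own is inert.
func EmailDigest(pepper []byte, email string) string {
	mac := hmac.New(sha256.New, pepper)
	mac.Write([]byte(normalizeEmail(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

// FindForRecovery is the only lookup the scheme supports: the user submits the
// address in the recovery request, the server recomputes the digest and matches
// it, and the reset link goes to the submitted address. Nothing can be sent to
// an account whose address was not supplied, which is the point of the design.
func FindForRecovery(pepper []byte, accounts []Account, submitted string) (*Account, bool) {
	want := []byte(EmailDigest(pepper, submitted))
	for i := range accounts {
		// Constant-time comparison: a cheap habit for anything derived from a secret.
		if subtle.ConstantTimeCompare([]byte(accounts[i].EmailDigest), want) == 1 {
			return &accounts[i], true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample data; a real pepper is a random 32-byte secret loaded from configuration.
	pepper := []byte("example-pepper-do-not-reuse")
	accounts := []Account{
		{Username: "alice", EmailDigest: EmailDigest(pepper, "alice@example.com")},
		{Username: "bob", EmailDigest: EmailDigest(pepper, "bob@example.com")},
	}
	fmt.Println("stored for alice:", accounts[0].EmailDigest)

	if a, ok := FindForRecovery(pepper, accounts, "  Alice@Example.COM"); ok {
		fmt.Println("recovery request matches account:", a.Username)
	}
	if _, ok := FindForRecovery(pepper, accounts, "carol@example.com"); !ok {
		fmt.Println("unknown address: no account, and nothing to disclose")
	}
}
```

In a real deployment the digest is an indexed column and the match is a single query; the linear scan is only there to keep the example self-contained. The trade-off the design makes is visible in `FindForRecovery`: the site cannot contact a user it has not just been given the address for, so there is no "email all users" path, and a legal request for addresses returns nothing unless the pepper is handed over as well.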
      2. [3]
        ReAn
        (edited)

        I think the thing to remember is, part of the problem is that we cooperate pretty heavily with the USA on their SIGINT operations, we're part of Five Eyes after all.

        Sure we may be insulated from direct actions of the USA FISA courts here, but we have a really long-term working relationship with the USA, and CSIS has been much better than the CIA/NSA at staying out of the spotlight.

        We've had breaches of personal freedoms, and right to due process before in the form of the Anton Piller order filed against TVAddons' author Adam Lackman:

        “It is important to note that the Defendant was not permitted to refuse to answer questions under fear of contempt proceedings, and his counsel was not permitted to clarify the answers to questions. I conclude unhesitatingly that the Defendant was subjected to an examination for discovery without any of the protections normally afforded to litigants in such circumstances,” the Judge said.

        Also in the USA (with coordination with other nations) the FBI once took over & operated a child-porn website to catch its users. It's not inconceivable to think that, given no right to due process or counsel, a site operator within a shared SIGINT region like the Five Eyes could be compelled to hand over operations to allow for live snooping.

        It's all very /r/conspiracy sounding I'm sure, but threat modelling is all about the what-if. It's noble to aim to produce nothing of value (à la E2E encryption for messaging services); would it not be relevant to think about what could be done to ensure confidence that what's running on the endpoint matches what's available to view in source?

        Just some thoughts I had about these services as a whole. We very well may not have much recourse in Canada, but we also very well have less to worry about. It's just interesting to think about.

        Edit: I realize this may have come off very anti-law-enforcement / law, that's not really my intent. Obviously operating within Canada the site is subject to the laws, and should make an effort to comply with legal orders... but abuses of power have been seen, and when those abuses also have people in the dark it's a real sticky problem. As @cfabbro pointed out, "public disclosure of government information requests, where it is legal to do so, is a good idea", but I think it's useful to insulate the users and the operators from potential suppressive or abusive behaviors. Today's government / law-enforcement agencies might be above board, but that can change over time.

        ... and yes, this is probably over-thinking it, but hey... 15 years ago we didn't think governments would be scooping up entire logs of internet activity, and we were wrong.

        1 vote
        1. [2]
          Deimos

          would it not be relevant to think about what could be done to ensure confidence in what's running on the endpoint matches what's available to view in source.

          You mentioned this in the OP as well, but I'm honestly pretty confused why that's getting lumped in with warrant canaries. A warrant canary doesn't seem to have anything to do with being able to verify that the open-source code matches what's running on the server (at least as far as I know for what they generally cover).

          Either way, that's actually something that I had put some thought into, and from what I could figure out there's no possible way to truly verify that the code on the server is the same as the open-source version. Every possibility I came up with could be circumvented by just modifying the verification method itself to lie. It's definitely possible that I'm missing some possibility, but I haven't been able to come up with anything that would work.

          1 vote
          1. ReAn

            The reason they got lumped together was mostly the possibility of being compelled to operate a compromised version that may not be treating personal data as dangerous. The warrant canary being one possible way of spelling turmoil, I had mostly just noticed the absence of one and was interested in a discussion about it with regard to whether it had been considered or whatever else was on the horizon.

            I agree with you that it's hard (if not impossible) to verify that the code running is a specific version or not outside of running your own instance which is why I was curious about something with a legal leg to stand on (possibly like a canary).

            It's probably a moot point, but I thought the discussion could be interesting.

            1 vote