Canary Statement

noun

1. A small songbird in the finch family, Serinus canaria domestica, originally native to islands in the North Atlantic.

2. A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.

Canary

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

HelpYouFind.Me (aka, Netlandish Inc.) positively confirms that the integrity of
our system is sound: all our infrastructure is in our control, we have not been
compromised or suffered a data breach, we have not disclosed any private
encryption keys, and we have not been forced to modify our system to allow
access or information leakage to a third party.

This canary will be re-signed on the following dates:

* February 1
* May 1
* August 1
* November 1

We will also sign a new canary statement every time we have to alter the
javascript code that handles the in browser encryption to include the expected
sha256 hashes of the corresponding files.

File: crypto.js
Description: Unprocessed javascript source code
URL: https://s3.amazonaws.com/hyfm/static/js/crypto.js
SHA256 Hash: 0adbffc3cf1bd08deecb42dc54f8811ff7981451d4569afe5b6769a9c6e9c1e6

File: crypto_build.533c3071e05a.js
Description: Processed and minified javascript source code
URL: https://s3.amazonaws.com/hyfm/static/js/crypto_build.533c3071e05a.js
SHA256 Hash: e67db9b2c4725bf2d96adf6220ffe7d445823a34b2759974d934ddd0a4cc8410

We will include a link to a recent news article[0] in each update to establish
that the signature was not pre-generated. 

## Latest canary signing

Below are the details of the most recent canary signing.

Date: 2021-06-15
Removed 2 typos in the statement referencing the hash type (512 instead of 256)
and mentioning Riseup, the organization in which we based our canary statement
on.
 
## Frequently asked questions

Q: Are you compromised by law enforcement?

A: No. We have never permitted installation of any hardware or software
monitoring on any system that we control; law enforcement has not taken our
servers; does not, and has never had access to them. We would rather cease
operations before we did that.

Q: Couldn't the government just make you say that?

A: Forced speech is actually quite rare in the US legal context. It's usually
only in cases of consumer protection where the government has been successful
in compelling speech (e.g. forced cigarette warnings). Nevertheless, no they
aren't forcing us to say anything.

[0]: https://www.cnn.com/2021/06/15/politics/proud-boys-dysfunction-capitol-attack/index.html
-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----

Verification instructions

You should follow these instructions to download HelpYouFind.Me's gpg key and verify the canary statement:

  1. Download the signed canary statement
  2. Download our public signing key, then import it via gpg:

    gpg --import hyfm_signing_key.asc

    Alternatively you can download it directly from a public keyserver:

    gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-key BD3E2A7DDD7570779AD9397D0E060B9F13E816F5

    You can also use the "hkps://keys.openpgp.org" keyserver.

  3. Once you have imported the key you can verify the statement like so:

    gpg --verify canary-statement-signed.txt

  4. You should get output that is similar to the following (note the date will change, based on when the canary statement was signed):

    gpg: Signature made Thu 11 Mar 2021 07:42:19 PM PST
    gpg:                using RSA key BD3E2A7DDD7570779AD9397D0E060B9F13E816F5
    gpg:                issuer "hello@helpyoufind.me"
    gpg: Good signature from "HelpYouFind.Me Admins " [ultimate]

You should make sure that it says “Good signature” in the output and confirm that the keyid matches the one listed above. If this text has been altered, then this information should not be trusted.

Unless you have taken explicit steps to build a trust path to the HelpYouFind.Me key, you will see a warning message similar to:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.

However, you still should see the “Good signature”.
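
The manual checks above (a good signature from the listed key, the quarterly re-signing schedule, and the SHA256 hashes in the statement) can be automated. The following is an added example, not HelpYouFind.Me's own code: it reads gpg's machine-readable `--status-fd` output rather than the human-readable text, and should be given the statement text that gpg reports as signed. The function names, the 7-day grace period and the sample statement are assumptions made for illustration.

```python
import hashlib
import re
from datetime import date

PINNED_FPR = "BD3E2A7DDD7570779AD9397D0E060B9F13E816F5"  # key listed on this page
RESIGN_DAYS = [(2, 1), (5, 1), (8, 1), (11, 1)]  # Feb 1, May 1, Aug 1, Nov 1

def signer_is_pinned(status_text):
    """Parse `gpg --status-fd 1 --verify FILE` output for the pinned signer."""
    rows = [ln.split() for ln in status_text.splitlines() if ln.startswith("[GNUPG:] ")]
    good = any(r[1:2] == ["GOODSIG"] for r in rows)
    # VALIDSIG lists the signing key fingerprint first, the primary key's last.
    pinned = any(r[1:2] == ["VALIDSIG"] and PINNED_FPR in r[2:3] + r[-1:] for r in rows)
    return good and pinned

def next_resign_date(signed_on):
    """First scheduled re-signing date strictly after signed_on."""
    years = (signed_on.year, signed_on.year + 1)
    days = [date(y, m, d) for y in years for m, d in RESIGN_DAYS]
    return min(x for x in days if x > signed_on)

def is_stale(statement, today, grace_days=7):
    """True when a scheduled re-signing was missed (grace_days is an assumption)."""
    m = re.search(r"^Date: (\d{4})-(\d{2})-(\d{2})$", statement, re.M)
    if not m:
        return True  # no signing date found: treat as stale
    signed_on = date(*map(int, m.groups()))
    return (today - next_resign_date(signed_on)).days > grace_days

def listed_hashes(statement):
    """Map each 'File:' name to the 'SHA256 Hash:' that follows it."""
    pat = r"^File: (\S+)\n(?:.*\n)*?SHA256 Hash: ([0-9a-f]{64})$"
    return dict(re.findall(pat, statement, re.M))

def file_matches(statement, name, content):
    """Compare downloaded bytes against the hash the signed statement lists."""
    expected = listed_hashes(statement).get(name)
    return expected is not None and hashlib.sha256(content).hexdigest() == expected

# Constructed sample in the statement's layout; the hash is SHA-256 of b"abc".
SAMPLE = """File: demo.js
Description: Constructed stand-in for crypto.js
URL: https://example.invalid/demo.js
SHA256 Hash: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
Date: 2021-06-15
"""

if __name__ == "__main__":
    print(file_matches(SAMPLE, "demo.js", b"abc"), is_stale(SAMPLE, date.today()))
```

A statement that verifies but is stale, or whose listed hash no longer matches the JavaScript actually served, warrants the same caution as a failed signature.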

Note: This template is based on the RiseUp.net canary page.