Warrant Canary



A warrant canary is a method by which a communications service provider aims to inform its users that the provider has not been served with a secret government subpoena. Secret subpoenas, including those covered under the ‘Patriot Act,’ provide criminal penalties for disclosing the existence of the warrant to any third party, including the service provider’s users. A warrant canary may be posted by the provider to inform users of dates that they have not been served a secret subpoena. If the canary has not been updated in the time period specified by the host, users are to assume that the host has been served with such a subpoena.

The intention is to allow the provider to warn users of the existence of a subpoena passively, without disclosing to others that the government has sought or obtained access to information or records under a secret subpoena. Warrant canaries have been found to be legal by the United States Justice Department, so long as they are passive in their notifications.

United States secret subpoenas or national security letters originated in the 1986 ‘Electronic Communications Privacy Act’ to be used only against those suspected of being agents of a foreign power. This was revised in 2001 under the Patriot Act so that secret subpoenas can be used against anyone who may have information deemed relevant to counterintelligence or terrorism investigations. The idea of using negative pronouncements to thwart the nondisclosure requirements of court orders and served secret warrants was first proposed by Steven Schear on the cypherpunks mailing list, mainly to uncover targeted individuals at ISPs. It was suggested for use by public libraries in 2002 in response to the Patriot Act.

The first commercial use of a warrant canary was by the US cloud storage provider rsync.net, which began publishing its canary in 2006. In addition to a digital signature, the company includes a current news headline as proof that the warrant canary was recently posted, and it mirrors the posting internationally. In 2013, Apple became the first major American company to publicly state that it had never received an order for user data by the FBI. Canarywatch is an organization founded to maintain a compiled list of all companies providing warrant canaries. Its mission is to provide prompt updates of any changes in a canary’s state. It is often difficult for users to ascertain a canary’s validity on their own, and thus Canarywatch provides a simple display of all active canaries and any blocks of time that they were not active.
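The bookkeeping a canary monitor has to do, given the update period and headline check described above, is sketched below. It is an added example, not code from rsync.net or Canarywatch: the function names, the two-day headline tolerance and the sample dates are assumptions, and the digital signature is assumed to have been verified separately before a date is recorded.

```python
from datetime import date, timedelta

def inactive_blocks(published, period_days, today):
    """(start, end) date pairs during which no canary statement was in force."""
    period, gaps, covered_until = timedelta(days=period_days), [], None
    for d in sorted(set(published)):
        if d > today:
            continue  # a post-dated statement proves nothing yet
        if covered_until is not None and d > covered_until:
            gaps.append((covered_until, d))  # lapsed until this statement appeared
        covered_until = d + period
    if covered_until is not None and today > covered_until:
        gaps.append((covered_until, today))  # still lapsed now
    return gaps

def canary_state(published, period_days, today):
    """'never-published', 'active' or 'lapsed' as of today."""
    past = [d for d in published if d <= today]
    if not past:
        return "never-published"
    fresh = today <= max(past) + timedelta(days=period_days)
    return "active" if fresh else "lapsed"

def headline_supports_date(stated, headline_published, max_lag_days=2):
    """A quoted headline shows the text was written after the headline appeared.
    Accept only if it appeared at most max_lag_days before the stated date;
    an older headline leaves room for a statement prepared in advance."""
    lag = (stated - headline_published).days
    return 0 <= lag <= max_lag_days

# Constructed observation history for a provider promising weekly updates.
SAMPLE = [date(2024, 1, 1), date(2024, 1, 8), date(2024, 1, 15),
          date(2024, 2, 5), date(2024, 2, 12)]

if __name__ == "__main__":
    today = date(2024, 2, 25)
    print(canary_state(SAMPLE, 7, today))
    for start, end in inactive_blocks(SAMPLE, 7, today):
        print("not active:", start, "to", end)
```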

The legality of warrant canaries was questioned in 2014 by US security researcher Moxie Marlinspike, who argued: ‘[i]f it’s illegal to advertise that you’ve received a court order of some kind, it’s illegal to intentionally and knowingly take any action that has the effect of advertising the receipt of that order. A judge can’t force you to do anything, but every lawyer I’ve spoken to has indicated that having a ‘canary’ you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you’ve received something.’

Australia outlawed the use of a certain kind of warrant canary in 2015, making it illegal for a journalist to ‘disclose information about the existence or non-existence’ of a warrant issued under new mandatory data retention laws. It is unlikely a journalist could give a correct canary in this situation anyway, as under this legislation the agency obtaining the warrant is not compelled to inform the journalist of the warrant. Privacy specialist Bruce Schneier wrote in a blog post that ‘[p]ersonally, I have never believed [warrant canaries] would work. It relies on the fact that a prohibition against speaking doesn’t prevent someone from not speaking. But courts generally aren’t impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue.’
