A warrant canary is a method by which a communications service provider aims to inform its users that the provider has not been served with a secret government subpoena. Secret subpoenas, including those covered under 18 U.S.C. §2709(c) of the USA Patriot Act, provide criminal penalties for disclosing the existence of the warrant to any third party, including the service provider's users. A provider may post a warrant canary to tell users that, as of a given date, it has not been served with a secret subpoena. If the canary has not been updated in the time period specified by the host, users are to assume that the host has been served with such a subpoena. The intention is to allow the provider to warn users of the existence of a subpoena passively, without disclosing to others that the government has sought or obtained access to information or records under a secret subpoena. Warrant canaries have been found to be legal by the United States Justice Department, so long as they are passive in their notifications.
United States secret subpoenas or national security letters originated in the 1986 Electronic Communications Privacy Act to be used only against those suspected of being agents of a foreign power. This was revised in 2001 under the Patriot Act so that secret subpoenas can be used against anyone who may have information deemed relevant to counter-intelligence or terrorism investigations. The idea of using negative pronouncements to thwart the nondisclosure requirements of court orders and served secret warrants was first proposed by Steven Schear on the cypherpunks mailing list, mainly to uncover targeted individuals at ISPs. It was suggested for use by public libraries in 2002 in response to the USA Patriot Act.
The first commercial use of a warrant canary was by the tech firm Wickr, which specializes in secure private messaging. Wickr's canary informs users that no government orders or investigations have been initiated, and, should this change, the canary will be altered. Another early tech firm to adopt warrant canaries was rsync.net. In addition to a digital signature, rsync.net includes a recent news headline as proof that the warrant canary was recently posted, and mirrors the posting internationally.
On November 5, 2013, Apple became the most prominent company to publicly state that it had never received an order for user data under Section 215 of the Patriot Act. On September 18, 2014, GigaOm reported that the warrant canary statement no longer appeared in the next two Apple Transparency Reports, covering July–December 2013 and January–June 2014. Tumblr also included a warrant canary in the transparency report that it issued on February 3, 2014. The online cloud service SpiderOak implemented an encrypted warrant canary that publishes an "All Clear!" message every 6 months. Each message must carry PGP signatures from three geographically distributed signers, so if a government agency forced SpiderOak to update the page, it would need to enlist the help of all three signers.
Previously, mobile security company Lookout had stated that it had not received any national security letters and had "not been required by a FISA court to keep any secrets that are not in this transparency report."
The US security researcher Moxie Marlinspike states that "every lawyer we've spoken to has confirmed that [a warrant canary] would not work" for the TextSecure server. The Electronic Frontier Foundation thinks otherwise.
CanaryWatch.org was founded to provide a compiled list of all companies providing warrant canaries. The mission of this site is to provide prompt updates of any changes in a canary's state. It is often difficult for users to ascertain a canary's validity on their own and thus CanaryWatch provides a simple display of all active canaries and any blocks of time that they were not active.
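The checks a canary tracker has to make can be sketched as follows. This is an added example, not code from CanaryWatch, SpiderOak or any provider named here: it assumes a six-month update period (taken as 183 days), a requirement of three signers, and that each statement's PGP signatures have already been verified elsewhere (for example with gpg). The signer names and statement dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DAY = timedelta(days=1)

@dataclass(frozen=True)
class Statement:
    issued: date                 # date written in the canary text
    verified_signers: frozenset  # signers whose signature verified (checked elsewhere)

def valid_dates(history, trusted, required, today):
    """Issue dates of statements that carry enough trusted signatures."""
    return sorted(s.issued for s in history
                  if s.issued <= today
                  and len(s.verified_signers & trusted) >= required)

def inactive_periods(history, trusted, required, max_age, today):
    """Inclusive (start, end) ranges in which no valid statement was in force."""
    gaps, covered_until = [], None
    for issued in valid_dates(history, trusted, required, today):
        if covered_until is not None and issued > covered_until + DAY:
            gaps.append((covered_until + DAY, issued - DAY))
        expiry = issued + max_age
        covered_until = expiry if covered_until is None else max(covered_until, expiry)
    if covered_until is not None and today > covered_until:
        gaps.append((covered_until + DAY, today))
    return gaps

def status(history, trusted, required, max_age, today):
    """ACTIVE while the latest valid statement is in force, otherwise EXPIRED."""
    if not valid_dates(history, trusted, required, today):
        return "NO VALID CANARY"
    gaps = inactive_periods(history, trusted, required, max_age, today)
    return "EXPIRED" if gaps and gaps[-1][1] == today else "ACTIVE"

# Constructed sample data: the second statement lacks one signature.
TRUSTED = frozenset({"signer-a", "signer-b", "signer-c"})
MAX_AGE = timedelta(days=183)
HISTORY = [
    Statement(date(2014, 8, 1), TRUSTED),
    Statement(date(2015, 2, 1), frozenset({"signer-a", "signer-b"})),
    Statement(date(2015, 3, 15), TRUSTED),
]

if __name__ == "__main__":
    today = date(2015, 10, 1)
    print(status(HISTORY, TRUSTED, 3, MAX_AGE, today))
    for start, end in inactive_periods(HISTORY, TRUSTED, 3, MAX_AGE, today):
        print(start, "to", end)
```

A statement with only two of the three signatures is treated as if it had never been posted, so it does not close the gap that opens when the previous statement ages out.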
Australia outlawed the use of a certain kind of warrant canary in March of 2015, making it illegal for a journalist to "disclose information about the existence or non-existence" of a warrant issued under new mandatory data retention laws. It is unlikely a journalist could give a correct canary in this situation anyway, as under this legislation the agency obtaining the warrant is not compelled to inform the journalist of the warrant.
Companies and organizations with warrant canaries
- Clandestine Reporters Working Group
- Electric Embers
- Espionage App
- Library Freedom Project
- Liquid VPN
- Qubes OS
- Riseup Networks
- Silent Circle
- SpiderOak
- The Internet Archive
See also
- Animal sentinel
- Patriot Act, Title V, National security authorities
- WikiLeaks-related Twitter court orders
External links
- privacytools.io Examples of VPN providers with warrant canaries.
- rsync.net canary.txt Note the use of recent news headlines to verify the date of the declaration.
- Proxy.sh canary Daily updated warrant canary.
- Warrant Canary Frequently Asked Questions Electronic Frontier Foundation.
- CanaryWatch.org A website that explains and tracks warrant canaries.
- MetaCanary.org An open directory of warrant canaries.