Warrant canary

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Library warrant canary relying on active removal designed by Jessamyn West

A warrant canary is a method by which a communications service provider aims to inform its users that the provider has been served with a secret government subpoena despite legal prohibitions on revealing the existence of the subpoena. The warrant canary typically informs users that there has not been a secret subpoena as of a particular date. If the canary is not updated for the time period specified by the host or if the warning is removed, users are to assume that the host has been served with such a subpoena. The intention is to allow the provider to warn users of the existence of a subpoena passively, without disclosing to others that the government has sought or obtained access to information or records under a secret subpoena.

Secret subpoenas, such as those covered under 18 U.S.C. §2709(c) of the USA Patriot Act, provide criminal penalties for disclosing the existence of the warrant to any third party, including the service provider's users.[1][2]

United States secret subpoenas or national security letters originated in the 1986 Electronic Communications Privacy Act to be used only against those suspected of being agents of a foreign power.[3] This was revised in 2001 under the Patriot Act so that secret subpoenas can be used against anyone who may have information deemed relevant to counter-intelligence or terrorism investigations.[3] The idea of using negative pronouncements to thwart the nondisclosure requirements of court orders and served secret warrants was first proposed by Steven Schear on the cypherpunks mailing list,[4] mainly to uncover targeted individuals at ISPs. It was also suggested for and used by public libraries in 2002 in response to the USA Patriot Act, which would force librarians to disclose the circulation history of any of their patrons.[5][6]


A sign in a library in Craftsbury, Vermont in 2005

The first commercial use of a warrant canary was by the US cloud storage provider rsync.net, which began publishing its canary in 2006.[7] In addition to a digital signature, it provides a recent news headline as proof that the warrant canary was recently posted[8] as well as mirroring the posting internationally.[9]

On November 5, 2013, Apple became the most prominent company to publicly state that it had never received an order for user data under Section 215 of the Patriot Act.[10][11] On September 18, 2014, GigaOm reported that the warrant canary statement did not appear anymore in the next two Apple Transparency Reports, covering July–December 2013 and January–June 2014.[12] Tumblr also included a warrant canary in the transparency report that it issued on February 3, 2014.[13] In August 2014, the online cloud service Spider Oak implemented an encrypted warrant canary that publishes an "All Clear!" message every 6 months. Three PGP signatures from geographically distributed signers must sign each message — so if a government agency forced SpiderOak to update the page, they would need to enlist the help of all three signers.[14]

In September 2014, US security researcher Moxie Marlinspike wrote that "every lawyer I've spoken to has indicated that having a 'canary' you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you've received something."[15][16]

As a matter before a court exercising judicial power, a warrant could be obtained against another person that prohibits its own disclosure of existence or non-existence. However, this could easily be remedied by amalgamating the right to a fair trial with the warrant canary. In Australia, everyone has a right to a fair trial under case law, and the larger picture of this law being the right to access a lawyer, if one were to write a warrant canary in such a way that seeks access to legal representation, it may have the effect of "triggering" the canary; informing the larger public of the existence of a secret warrant, and should an authority object or remove such a notice seeking legal representation, could be seen as that authority's infringement of this legal right in Australia (with the goal of the canary to be effectively causing a stay of proceedings) and other common law jurisdictions. This would cure the inherent prohibition in the reducing warrant canaries to be a matter of negative or positive action (the addition of a notice, or the removal of such a notice, whatever the case may be).

Australia outlawed the use of a certain kind of warrant canary in March 2015, making it illegal for a journalist to "disclose information about the existence or non-existence" of a warrant issued under new mandatory data retention laws.[17] It is unlikely a journalist could give a correct canary in this situation anyway, as under this legislation the agency obtaining the warrant is not compelled to inform the journalist of the warrant.[18] Afterwards, computer security and privacy specialist Bruce Schneier wrote in a blog post that "[p]ersonally, I have never believed [warrant canaries] would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue."[19]

That said, case law specific to the United States would render the covert continuance of warrant canaries subject to constitutionality challenges. West Virginia State Board of Education v. Barnette and Wooley v. Maynard rule the Free Speech Clause prohibits compelling someone to speak against one's wishes; this can easily be extended to prevent someone from being compelled to lie. New York Times Co. v. United States protects one exercising the First Amendment to publish government information, even if it is against the wishes of the government, except under grave and exceptional circumstances previously set by act and precedent. The latter also carries the weight of acting against a direct government intervention similar to a government intervention against a warrant canary.

Companies and organizations with warrant canaries[edit]

The following is a list of notable companies and organizations that have published warrant canaries:

Companies and organizations who no longer have warrant canaries[edit]

The following is a list of companies and organizations whose warrant canaries no longer appear in transparency reports:

Canary Watch[edit]

In 2015, a coalition of organizations consisting of the EFF, Freedom of the Press Foundation, NYU Law, the Calyx Institute, and the Berkman Center created a website called Canary Watch in order to provide a compiled list of all companies providing warrant canaries. Its mission was to provide prompt updates of any changes in a canary's state. It is often difficult for users to ascertain a canary's validity on their own and thus Canary Watch aimed to provide a simple display of all active canaries and any blocks of time that they were not active.[53][54] In May 2016, it was announced that Canary Watch "will no longer accept submissions of new canaries or monitor the existing canaries for changes or take downs".[55] The coalition of organizations which created Canary Watch explained their decision to discontinue the project by stating that it has achieved its goals to raise awareness about "illegal and unconstitutional national security process, including National Security Letters and other secret court processes." The Electronic Frontier Foundation also noted that "the fact that canaries are non-standard makes it difficult to automatically monitor them for changes or takedowns."[55]

See also[edit]


  1. ^ Nadine Strossen (2005), "Safety and freedom: Common concerns for conservatives, libertarians, and civil libertarians" (PDF), Harvard Journal of Law and Public Policy, 29 (73), pp. 78–79, retrieved January 3, 2014
  2. ^ Eunice Moscoso (August 17, 2003), "Subpoenas Fly In Hunt For Hidden Terrorists", Palm Beach Post, p. 1A
  3. ^ a b Shaun Waterman (September 30, 2004), "Ashcroft: U.S. will appeal terror-law ruling", United Press International, retrieved January 3, 2014
  4. ^ "Re: ISP Utility To Cypherpunks? Yahoo! Groups". Tech.groups.yahoo.com. October 31, 2002. Retrieved 2013-06-13.
  5. ^ West, Jessamyn (2002). "Five Technically Legal Signs for Your Library". Librarian.net : avoiding the PATRIOT Act since 2001. Archived from the original on December 18, 2002. Retrieved 2013-11-14.CS1 maint: Unfit url (link)
  6. ^ Doctorow, Cory (September 9, 2013). "How to foil NSA sabotage: use a dead man's switch - Technology". The Guardian (UK). Retrieved 2013-11-14.
  7. ^ "An ISP that protects your data from the NSA". Reddit - May 26, 2006. Retrieved January 5, 2016.
  8. ^ "rsync.net Warrant Canary". rsync.net. Retrieved June 12, 2013.
  9. ^ Kozubik, John (August 6, 2010). "The Warrant Canary in 2010 and Beyond". Blog.kozubik.com. Retrieved 2013-06-13.
  10. ^ Farivar, Cyrus (5 November 2013). "Apple takes strong privacy stance in new report, publishes rare "warrant canary"". ArsTechnica.com. Retrieved 5 November 2013.
  11. ^ "Report on Government Access Requests" (PDF). Apple.com. November 5, 2013. Retrieved 2013-11-15.
  12. ^ Roberts, Jeff John (2014-09-18). "Apple's "warrant canary" disappears, suggesting new Patriot Act demands". Gigaom. Retrieved 2014-09-18.
  13. ^ Collier, Kevin (4 February 2014). "The NSA could not care less about your Tumblr blog". The Daily Dot. Retrieved 13 February 2014.
  14. ^ Kumparak, Greg (14 August 2014). "SpiderOak Implements A Warrant Canary". TechCrunch. AOL Inc. Retrieved 28 January 2017.
  15. ^ Marlinspike, Moxie (22 September 2014). "If it's illegal to advertise that you've received a court order of some kind..." GitHub. Archived from the original on 27 October 2014. Retrieved 3 April 2016.
  16. ^ Meyer, David (1 April 2016). "How Reddit Strongly Hinted It Received a Secret Surveillance Order". Fortune. Time Inc. Retrieved 3 April 2016.
  17. ^ Doctorow, Cory. "Australia outlaws warrant canaries". Boing Boing. Retrieved March 26, 2015.
  18. ^ Hurst, Daniel. "Australia's new 'improved' data retention laws: how will they work?". Guardian Australia. Retrieved March 30, 2015.
  19. ^ Schneier, Bruce (31 March 2015). "Australia Outlaws Warrant Canaries". Schneier on Security. Retrieved 21 June 2015.
  20. ^ "8chan". 8ch.net. 8chan. n.d. Retrieved 31 August 2016. We have not been served any secret court orders and are not under any gag orders.
  21. ^ "Transparency Report". Acevpn. 30 April 2016. Retrieved 31 August 2016. No warrants have ever been served to Acevpn or Acevpn employees.
  22. ^ "Warrant Canary". AzireVPN.com. 19 September 2017. Retrieved 19 September 2017. Netbouncer AB declares that, up to this point, no warrants have been served, nor have any searches or seizures taken place at any Netbouncer AB location or involving any Netbouncer AB personnel.
  23. ^ "Government Requests Transparency Report". Adobe Systems Inc. 30 November 2015. Retrieved 31 August 2016.
  24. ^ "Cheezburger, Inc. 2014 Transparency Report". Cheezburger, Inc. 5 February 2015. Retrieved 6 March 2018.
  25. ^ "Cloudflare Transparency Report". Retrieved 28 September 2017.
  26. ^ "DEF CON Transparency Report". Retrieved 28 September 2017.
  27. ^ "Canary". First Look Media. Retrieved 9 May 2018.
  28. ^ "Canary". ipredator.se. IPredator. 30 December 2017. Retrieved 17 January 2018.
  29. ^ "Canary". Library Freedom Project. Retrieved 9 May 2018.
  30. ^ admin (1 July 2015). "Transparency Report & Warrant Canary". Mailfence. Retrieved 31 August 2016.
  31. ^ "Transparency report". Mapbox. Retrieved 9 May 2018.
  32. ^ "National Security Demands (2014)". Medium. 5 January 2015. Retrieved 9 May 2018.
  33. ^ "NordVPN About Us and Our Policies". NordVPN. 6 October 2015. Retrieved 12 November 2018.
  34. ^ "Transparency Report". Peerio. n.d. Retrieved 25 November 2015.
  35. ^ "Transparency Report". Pinterest. Retrieved 9 May 2018.
  36. ^ "Transparency Report". Proton Technologies AG. 7 December 2016. Retrieved 7 December 2016.
  37. ^ "Purism Warrant Canary". Purism. Purism. Retrieved 31 December 2015.
  38. ^ "Canaries". Qubes OS. Retrieved 9 May 2018.
  39. ^ Canary- Riseup.net https://riseup.net/canary
  40. ^ "SpiderOak Canary". SpiderOak. Retrieved 9 August 2018.
  41. ^ Moore, Jonathan (6 August 2018). "A Transparency Report is a Canary". SpiderOak. Retrieved 9 August 2018.
  42. ^ "Internet Archive Frequently Asked Questions – Law Enforcement Requests". The Internet Archive. Retrieved 9 May 2018.
  43. ^ "Transparency Report". Tumblr. Retrieved 9 May 2018.
  44. ^ Matthias (1 July 2015). "Transparency Report & Warrant Canary for the Secure Email Service Tutanota". Tutanota. Retrieved 22 August 2015.
  45. ^ "VeraCrypt Canary".
  46. ^ "Transparency Reporting on User Accounts". Wickr. Retrieved 9 May 2018.
  47. ^ Hern, Alex (2014-08-06). "Wikipedia swears to fight 'censorship' of 'right to be forgotten' ruling". The Guardian. ISSN 0261-3077. Retrieved 2016-11-07.
  48. ^ "Transparency Report". XMission. Retrieved 25 October 2016.
  49. ^ "Privacy Policy". Zinc. Retrieved 28 September 2017. Zinc has never received an order to disclose Customer Data under either Section 215 of the USA Patriot Act or Section 702 of the FISA Amendments Act. Zinc will update this statement weekly with any changes.
  50. ^ Farivar, Cyrus (18 September 2014). "No, Apple probably didn't get new secret gov't orders to hand over data". Ars Technica. Condé Nast. Retrieved 21 June 2016.
  51. ^ Volz, Dustin (31 March 2016). "Reddit deletes surveillance 'warrant canary' in transparency report". Reuters. Retrieved 31 March 2016.
  52. ^ Lomas, Natasha (5 July 2016). "Silent Circle silently snuffs out its warrant canary — but claims it's a "business decision"". TechCrunch. AOL Inc. Retrieved 6 July 2016.
  53. ^ "Canary Watch: Activists create website to track & reveal NSA, FBI info requests". Russian Times. 6 February 2015. Retrieved 5 March 2015.
  54. ^ "Canary Watch tracks government requests for your information online". Gizmag. 4 February 2015. Retrieved 5 March 2015.
  55. ^ a b Quintin, Cooper (25 May 2016). "Canary Watch – One Year Later". Deeplinks (Blog). Electronic Frontier Foundation. Retrieved 15 July 2016.

Further reading[edit]