Warrant canary

Library warrant canary relying on active removal designed by Jessamyn West

A warrant canary is a method by which a communications service provider aims to implicitly inform its users that the provider has been served with a government subpoena despite legal prohibitions on revealing the existence of the subpoena. The warrant canary typically informs users that there has not been a court-issued subpoena as of a particular date. If the canary is not updated for the period specified by the host or if the warning is removed, users might assume the host has been served with such a subpoena. The intention is for a provider passively to warn users of the existence of a subpoena, albeit violating the spirit of a court order not to do so, while not violating the letter of the order.

Some subpoenas, such as those covered under 18 U.S.C. §2709(c) (enacted as part of the USA Patriot Act), provide criminal penalties for disclosing the existence of the subpoena to any third party, including the service provider's users. [1] [2]

National Security Letters (NSL) originated in the 1986 Electronic Communications Privacy Act and originally targeted those suspected of being agents of a foreign power. [3] The "agents of a foreign power" standard was revised in the Patriot Act in 2001 to allow NSLs to target those who may have information thought to be relevant to either counterintelligence activities or terrorist activities directed against the United States. [3] The idea of using negative pronouncements to thwart the nondisclosure requirements of court orders and served secret warrants was first proposed by Steven Schear on the cypherpunks mailing list, [4] mainly to uncover targeted individuals at ISPs. It was also suggested for and used by public libraries in 2002 in response to the USA Patriot Act, which could have forced librarians to disclose the circulation history of library patrons. [5] [6]

Etymology

The term is an allusion to the practice of coal miners bringing canaries into mines to use as an early-warning signal for toxic gases, primarily carbon monoxide and methane. [7] The birds are more sensitive to these gases than humans, and became sick before the miners, who would then have a chance to escape or put on protective respirators. [8]

Usage

A sign in a library in Craftsbury, Vermont in 2005

The first commercial use of a warrant canary was by the US cloud storage provider rsync.net, which began publishing its canary in 2006. [9] In addition to a digital signature, it provides a recent news headline as proof that the warrant canary was recently posted [10] as well as mirroring the posting internationally. [11]

On November 5, 2013, Apple became the most prominent company to publicly state that it had never received an order for user data under Section 215 of the Patriot Act. [12] [13] On September 18, 2014, GigaOm reported that the warrant canary statement no longer appeared in the next two Apple Transparency Reports, covering July–December 2013 and January–June 2014. [14] Tumblr also included a warrant canary in the transparency report that it issued on February 3, 2014. [15] In August 2014, the online cloud service SpiderOak implemented an encrypted warrant canary that publishes an "All Clear!" message every 6 months. Each message must carry three PGP signatures from geographically distributed signers, so if a government agency forced SpiderOak to update the page, it would need to enlist the help of all three signers. [16]

In September 2014, U.S. security researcher Moxie Marlinspike wrote that "every lawyer I've spoken to has indicated that having a 'canary' you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you've received something." [17] [18]

In March 2015 it was reported that Australia outlawed the use of a certain kind of warrant canary, making it illegal to "disclose information about the existence or non-existence" of a Journalist Information Warrant issued under new mandatory data retention laws. [19] Afterwards, computer security and privacy specialist Bruce Schneier wrote in a blog post that "[p]ersonally, I have never believed [warrant canaries] would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue." [20] This is not the first Australian law to outlaw warrant canaries. The "Telecommunications (Interception) Amendment Act 1995" was probably the first, making it illegal to "disclose information about the existence or non-existence" of Interception Warrants. [21]

That said, case law specific to the United States would render the covert continuance of warrant canaries subject to constitutionality challenges.[citation needed] West Virginia State Board of Education v. Barnette and Wooley v. Maynard hold that the Free Speech Clause prohibits compelling someone to speak against their wishes; this can easily be extended to prevent someone from being compelled to lie. New York Times Co. v. United States protects one exercising the First Amendment to publish government information, even if it is against the wishes of the government, except under grave and exceptional circumstances previously set by act and precedent. This may also have implications in regards to acting against a direct government intervention, similar to a government intervention against a warrant canary.[citation needed]

Companies and organizations that no longer have warrant canaries

The following is a non-exhaustive list of companies and organizations whose warrant canaries no longer appear in transparency reports:

Canary Watch

In 2015, a coalition of organizations consisting of the EFF, Freedom of the Press Foundation, NYU Law, the Calyx Institute, and the Berkman Center created a website called Canary Watch in order to provide a compiled list of all companies providing warrant canaries. Its mission was to provide prompt updates of any changes in a canary's state. It is often difficult for users to ascertain a canary's validity on their own and thus Canary Watch aimed to provide a simple display of all active canaries and any blocks of time that they were not active. [25] In May 2016, it was announced that Canary Watch "will no longer accept submissions of new canaries or monitor the existing canaries for changes or take downs". [26] The coalition of organizations which created Canary Watch explained their decision to discontinue the project by stating that it has achieved its goals to raise awareness about "illegal and unconstitutional national security process, including National Security Letters and other secret court processes." The Electronic Frontier Foundation also noted that "the fact that canaries are non-standard makes it difficult to automatically monitor them for changes or takedowns." They explained that the project had run its course, that ample attention had been brought to canaries, and detailed warrant canary strengths and weaknesses they observed. [26]

Examples

In 2016, the Riseup tech collective failed to update their warrant canary, due to sealed warrants from a court. [27] [28] The canary has since been updated, but no longer states the absence of gag orders. [29]

In February 2024, the Ethereum Foundation removed the warrant canary from their website [30] citing "[a] voluntary enquiry from a state authority that included a requirement for confidentiality" in the commit message.
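The failure modes described on this page (a canary that goes stale, one that loses its required signers, one that stays up but quietly drops the non-receipt statement as in the Riseup case, and one that is removed outright as with Apple and the Ethereum Foundation) are exactly what Canary Watch tried to detect and found hard to automate because canaries are non-standard. The following Python monitor is an added example, not code from the article, Canary Watch, rsync.net, SpiderOak or Riseup. It assumes a constructed header-plus-body canary format and that PGP signature verification has already happened upstream, so the `Signed-By` lines stand for signer identities a verifier has validated; all sample canaries and signer names are constructed for the example.

```python
"""Warrant-canary monitor (added example; constructed format and samples).

Checks encoded here, each returning a finding string:
  STALE                 not re-issued within the host's stated period
  INSUFFICIENT-SIGNERS  fewer trusted signers than the k-of-n threshold
  WEAKENED              the explicit non-receipt statement is gone
  REMOVED               the canary is no longer published at all
Signature verification is assumed to happen before this runs (not implemented).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

_HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")

# The statement a watcher pins; a canary that no longer matches it has been
# weakened even if it is still being refreshed and signed.
REQUIRED_STATEMENT = re.compile(
    r"we have (never|not) received any (national security letter|gag order|warrant)",
    re.IGNORECASE,
)


@dataclass
class Canary:
    issued: date          # date the statement was made
    valid_days: int       # host's promised refresh period
    signers: list[str]    # identities from (already verified) signatures
    body: str             # the free-text statement itself


def parse_canary(text: str) -> Canary:
    """Parse the constructed header/body format: headers, blank line, body."""
    lines = text.strip().splitlines()
    headers: dict[str, str] = {}
    signers: list[str] = []
    body_start = len(lines)
    for i, line in enumerate(lines):
        if not line.strip():            # blank line ends the header block
            body_start = i + 1
            break
        m = _HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "signed-by":
            signers.append(value)
        else:
            headers[key] = value
    return Canary(
        issued=date.fromisoformat(headers["issued"]),
        valid_days=int(headers["valid-days"]),
        signers=signers,
        body="\n".join(lines[body_start:]).strip(),
    )


def check_canary(text: str | None, today: date, min_signers: int,
                 trusted: set[str]) -> list[str]:
    """Return findings for one canary snapshot; an empty list means healthy."""
    if text is None:
        return ["REMOVED: canary no longer published"]
    c = parse_canary(text)
    findings: list[str] = []
    expires = c.issued + timedelta(days=c.valid_days)
    if today > expires:
        findings.append(f"STALE: expired {expires.isoformat()} and not refreshed")
    good = {s for s in c.signers if s in trusted}   # distinct trusted signers
    if len(good) < min_signers:
        findings.append(f"INSUFFICIENT-SIGNERS: {len(good)} trusted of {min_signers} required")
    if not REQUIRED_STATEMENT.search(c.body):
        findings.append("WEAKENED: non-receipt statement is missing")
    return findings


# Constructed trust set and snapshots (placeholder identities, not real signers).
TRUSTED = {"signer-a@example.org", "signer-b@example.net", "signer-c@example.com"}

HEALTHY = """\
Issued: 2024-01-15
Valid-Days: 90
Proof-Of-Freshness: <headline from a newspaper dated 2024-01-15 goes here>
Signed-By: signer-a@example.org
Signed-By: signer-b@example.net
Signed-By: signer-c@example.com

As of the date above we have not received any National Security Letter,
gag order, or secret warrant, and no searches have been performed.
"""

# Same statement, but one signer dropped and another replaced by an untrusted identity.
UNDER_SIGNED = HEALTHY.replace("Signed-By: signer-b@example.net\n", "").replace(
    "signer-c@example.com", "unknown@example.invalid")

# Refreshed and fully signed, but the explicit statement has quietly disappeared.
WEAKENED = """\
Issued: 2024-04-10
Valid-Days: 90
Signed-By: signer-a@example.org
Signed-By: signer-b@example.net
Signed-By: signer-c@example.com

This page is refreshed every quarter. See our transparency report.
"""


def demo_results() -> dict[str, list[str]]:
    """Run the checks over the constructed snapshots, as a watcher would."""
    cases = {
        "healthy": (HEALTHY, date(2024, 2, 1)),
        "stale": (HEALTHY, date(2024, 6, 1)),          # 2024-01-15 + 90 days = 2024-04-14
        "under_signed": (UNDER_SIGNED, date(2024, 2, 1)),
        "weakened": (WEAKENED, date(2024, 5, 1)),
        "removed": (None, date(2024, 5, 1)),
    }
    return {name: check_canary(text, today, 3, TRUSTED)
            for name, (text, today) in cases.items()}


if __name__ == "__main__":
    for name, findings in demo_results().items():
        print(f"{name:13s} {'OK' if not findings else '; '.join(findings)}")
```

The pinned `REQUIRED_STATEMENT` is the part that catches the Riseup pattern: a canary that keeps being refreshed and signed is not evidence of anything if its wording no longer asserts non-receipt, so a monitor has to compare content, not just timestamps and signatures. The `Proof-Of-Freshness` header mirrors the rsync.net practice of embedding a recent headline; this example only carries it through, since checking it means comparing against an independent news source.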


References

  1. Nadine Strossen (2005), "Safety and freedom: Common concerns for conservatives, libertarians, and civil libertarians" (PDF), Harvard Journal of Law and Public Policy , vol. 29, no. 73, pp. 78–79, retrieved January 3, 2014
  2. Eunice Moscoso (August 17, 2003), "Subpoenas Fly In Hunt For Hidden Terrorists", Palm Beach Post , p. 1A
  3. Shaun Waterman (September 30, 2004), "Ashcroft: U.S. will appeal terror-law ruling", United Press International, retrieved January 3, 2014
  4. "Re: ISP Utility To Cypherpunks? Yahoo! Groups". Tech.groups.yahoo.com. October 31, 2002. Archived from the original on November 3, 2013. Retrieved 2013-06-13.
  5. West, Jessamyn (2002). "Five Technically Legal Signs for Your Library". Librarian.net: avoiding the PATRIOT Act since 2001. Archived from the original on December 18, 2002. Retrieved 2013-11-14.
  6. Doctorow, Cory (September 9, 2013). "How to foil NSA sabotage: use a dead man's switch - Technology". The Guardian (UK). Retrieved 2013-11-14.
  7. David A. Bengston, Diane S. Henshel, "Environmental Toxicology and Risk Assessment: Biomarkers and Risk Assessment", ASTM International, 1996, ISBN 0803120311, p. 220.
  8. Pollard, Lewis (2018-03-27). "The canary resuscitator". Science and Industry Museum blog. Retrieved 2021-10-13.
  9. "An ISP that protects your data from the NSA". Reddit - May 26, 2006. Retrieved January 5, 2016.
  10. "rsync.net Warrant Canary". rsync.net. Retrieved June 12, 2013.
  11. Kozubik, John (August 6, 2010). "The Warrant Canary in 2010 and Beyond". Blog.kozubik.com. Retrieved 2013-06-13.
  12. Farivar, Cyrus (5 November 2013). "Apple takes strong privacy stance in new report, publishes rare "warrant canary"". ArsTechnica.com. Retrieved 5 November 2013.
  13. "Report on Government Access Requests" (PDF). Apple.com. November 5, 2013. Retrieved 2013-11-15.
  14. Roberts, Jeff John (2014-09-18). "Apple's "warrant canary" disappears, suggesting new Patriot Act demands". Gigaom. Retrieved 2014-09-18.
  15. Collier, Kevin (4 February 2014). "The NSA could not care less about your Tumblr blog". The Daily Dot . Retrieved 13 February 2014.
  16. Kumparak, Greg (14 August 2014). "SpiderOak Implements A Warrant Canary". TechCrunch. AOL Inc. Retrieved 28 January 2017.
  17. Marlinspike, Moxie (22 September 2014). "If it's illegal to advertise that you've received a court order of some kind..." GitHub. Archived from the original on 27 October 2014. Retrieved 3 April 2016.
  18. Meyer, David (1 April 2016). "How Reddit Strongly Hinted It Received a Secret Surveillance Order". Fortune. Time Inc. Retrieved 3 April 2016.
  19. Doctorow, Cory (26 March 2015). "Australia outlaws warrant canaries". Boing Boing. Retrieved March 26, 2015.
  20. Schneier, Bruce (31 March 2015). "Australia Outlaws Warrant Canaries". Schneier on Security. Retrieved 21 June 2015.
  21. Anderson, Shae (14 February 2021). "Has Australia killed the warrant canary?". Retrieved 14 February 2021.
  22. Farivar, Cyrus (18 September 2014). "No, Apple probably did not get new secret government orders to hand over data". Ars Technica. Condé Nast. Retrieved 21 June 2016.
  23. Volz, Dustin (31 March 2016). "Reddit deletes surveillance 'warrant canary' in transparency report". Reuters. Retrieved 31 March 2016.
  24. Lomas, Natasha (5 July 2016). "Silent Circle silently snuffs out its warrant canary — but claims it's a "business decision"". TechCrunch. AOL Inc. Retrieved 6 July 2016.
  25. "Canary Watch tracks government requests for your information online". Gizmag. 4 February 2015. Retrieved 5 March 2015.
  26. Quintin, Cooper (25 May 2016). "Canary Watch – One Year Later". Deeplinks (Blog). Electronic Frontier Foundation. Retrieved 15 July 2016.
  27. "Disparity in the RiseUp Canary - GPG RSA Key Was Changed By ONE Character At The Last Update". Reddit. 2016-11-18.
  28. "Episode 1: Riseup, Technological Centralization & Snitching". 23 February 2017. Archived from the original on 2017-03-04. Retrieved 2017-12-21.
  29. Whittaker, Zack. "Encrypted email service Riseup sparks worry after warrant canary appears to expire". ZDNet. Retrieved 2019-11-10.
  30. "this commit removes a section of the footer as we have received a voluntary enquiry from a state authority that included a requirement for confidentiality". GitHub. Retrieved 20 March 2024.