Public concern about mass government surveillance of the internet has grown ever since Edward Snowden exposed the incredible scale and scope of the NSA’s spying operations to the world. It has since become popular among internet services that handle sensitive data, or which are intended to protect users’ privacy (such as VPN services), to issue warrant canaries. These are intended to reassure customers that the service has not been compromised by the government and served a gag order.
In the United States, any company can be issued with a secret government subpoena or national security letter (NSA). This forces them to hand over all data pertaining to either a named customer, or even to comply with a blanket order to hand over information on all customers. The company may also be required to start keeping logs of users’ new activity, even if it would not otherwise do so.
Such subpoenas or NSLs are typically accompanied by a gag order, which prevents the company (or any of its staff), under threat of serious legal consequences (as time in jail), from disclosing the existence of the subpoena or NSL to its customers. Most other countries have similar laws.
Perhaps the most infamous case involving such a gag order is that of Lavabit. In 2013 this secure webmail company was subpoenaed (with gag order) to hand over the SSL private keys of all 400,000+ customers to the NSA in order to spy on Edward Snowden (who was believed to have used the service).
Owner Levi Levinson chose not to comply, and immediately closed down his company in order to protect the privacy of its users. He was later convicted of contempt of court.
What are warrant canaries?
A warrant canary is a regularly updated statement by a company that it has not been compromised and served a gag order. If a warrant canary is not updated at regular intervals (usually to a set schedule) then users should assume that the service has been compromised.
“IPredator has not received any National Security Letters or FISA court orders, or has been silenced by similar (il)legal and anti-democratic law tools.”
This statement is signed with a PGP key intended to verify its authenticity.
Warrant Canaries work on the notion that a government can legally silence an individual, but that it cannot force them to tell a lie (i.e. to falsely update the warrant canary). In the US it is argued that the First Amendment protects against compelled speech. As the Electronic Frontier Foundation (EFF) notes,
“While the government may be able to compel silence through a gag order, it may not be able to compel an ISP to lie by falsely stating that it has not received legal process when in fact it has.”
The idea of warrant canaries has been championed by the EFF, which operates Canary Watch, a website dedicated to monitoring whether companies allow their warrant canaries to lapse.
Can a warrant canary be trusted?
On the face of it, warrant canaries sound like a good idea. Many are not convinced, however, arguing that warrant canaries are little more that puff and smoke advertising with little to no real substance.
1. First Amendment protection for the use of warrant canaries is purely conjectural – it has never been tested in a court of law. It is very possible that a US court would rule that failure to update a warrant canary constitutes contempt of the legal requirement placed on an individual.
This is even more true outside the US, where people do not enjoy the explicit Constitutional rights afforded to US citizens. Australia is the first country to explicitly outlaw the use of warrant canaries, and other countries (such as the UK) are likely to follow soon.
2. A website can be easily be taken over by a government and false updates given. Securing a warrant canary with a PGP key is intended to protect against this, but a) how many people actually check these PGP keys?, and b) if a company owner can be compelled to compromise his or her service, they can also be compelled (or bribed) to hand over their PGP keys.
As Brett Max Kaufman, a lawyer at the American Civil Liberties Union, told the BBC,
“If the government asked a company to leave its warrant canary up (and therefore communicate something false to the public), the company would have the right to challenge any gag (under the First Amendment... or under certain provisions of the USA Freedom Act) in court. But if a court upheld the government's request... the public would be none the wiser, at least for some time. Indeed, that would be the entire objective from the government's perspective."
An individual who was quick enough might be able to destroy all copies of their PGP key (which will be stored in a variety of places so it that can be verified) before being forced to hand it over. This would allow an eagle-eyed observer to notice the missing signature if the company is forced to keep updating its warrant canary. There is still no way, however, for customers to know whether or not a key has not been destroyed.
Secure web storage firm SpiderOak makes a brave attempt to address this problem by having its warrant canary digitally signed by 3 different high ranking individuals within the company (who are presumably located in different geographical locations). This would certainly make coercing (or bribing) all signers more difficult (or expensive), but provides no cast-iron guarantees that this is the case and that they can all be trusted.
3. Even when warrant canaries are “triggered” (i.e. they are not updated in a timely manner), this is often ignored. A good example is Apple, which in 2014 removed its warrant canary from its latest transparency report. Despite this, it was widely argued that the removal probably did not mean that Apple had been forced to hand over data following secret government orders. This may or may not be true, but whatever the case, the incident was quickly forgotten and customers carried on trusting Apple as usual.
Another example is the missing warrant canary in Reddit’s 2015 transparency report. Despite some initial concern among a small subsection of Redditors, business on the Reddit forums has also since continued as usual.
What, then, is the point of having a warrant canary, if its disappearance causes no alarm!?
Warrant canaries are a flawed idea that serve mainly as promotional fluff for companies keen to display their privacy-friendly credentials.
The fact that even when warrant canaries are triggered, this is routinely ignored (presumably because acting on the trigger is inconvenient for users) only serves to further undermine what little confidence we can have in such a measure.