A warrant canary is a method by which a communications service provider aims to implicitly inform its users that the provider has been served with a government subpoena despite legal prohibitions on revealing the existence of the subpoena. The warrant canary typically informs users that there has been a court-issued subpoena as of a particular date. If the canary is not updated for the period specified by the host or if the warning is removed, users might assume the host has been served with such a subpoena. The intention is for a provider to passively warn users of the existence of a subpoena, albeit violating the spirit of a court order not to do so, while not violating the letter of the order.
Some subpoenas, such as those covered under 18 U.S.C. §2709(c) (enacted as part of the USA Patriot Act), provide criminal penalties for disclosing the existence of the subpoena to any third party, including the service provider's users.
National Security Letters (NSL) originated in the 1986 Electronic Communications Privacy Act and originally targeted those suspected of being agents of a foreign power. Targeting agents of a foreign power was revised in the Patriot Act in 2001 to allow NSLs to target those who may have information thought to be relevant to either counterintelligence activities or terrorists activities directed against the United States. The idea of using negative pronouncements to thwart the nondisclosure requirements of court orders and served secret warrants was first proposed by Steven Schear on the cypherpunks mailing list,[1] mainly to uncover targeted individuals at ISPs. It was also suggested for and used by public libraries in 2002 in response to the USA Patriot Act, which could have forced librarians to disclose the circulation history of library patrons.[2] [3]
The term is an allusion to the practice of coal miners bringing canaries into mines to use as an early-warning signal for toxic gases, primarily carbon monoxide and methane.[4] The birds are more sensitive to these gases than humans, and became sick before the miners, who would then have a chance to escape or put on protective respirators.[5]
The first commercial use of a warrant canary was by the US cloud storage provider rsync.net, which began publishing its canary in 2006.[6] In addition to a digital signature, it provides a recent news headline as proof that the warrant canary was recently posted[7] as well as mirroring the posting internationally.[8]
On November 5, 2013, Apple became the most prominent company to publicly state that it had never received an order for user data under Section 215 of the Patriot Act.[9] [10] On September 18, 2014, GigaOm reported that the warrant canary statement did not appear anymore in the next two Apple Transparency Reports, covering July–December 2013 and January–June 2014.[11] Tumblr also included a warrant canary in the transparency report that it issued on February 3, 2014.[12] In August 2014, the online cloud service Spider Oak implemented an encrypted warrant canary that publishes an "All Clear!" message every 6 months. Three PGP signatures from geographically distributed signers must sign each message—so if a government agency forced SpiderOak to update the page, they would need to enlist the help of all three signers.[13]
In September 2014, U.S. security researcher Moxie Marlinspike wrote that "every lawyer I've spoken to has indicated that having a 'canary' you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you've received something."[14] [15]
In March 2015 it was reported that Australia outlawed the use of a certain kind of warrant canary, making it illegal to "disclose information about the existence or non-existence" of a Journalist Information Warrant issued under new mandatory data retention laws.[16] Afterwards, computer security and privacy specialist Bruce Schneier wrote in a blog post that "[p]ersonally, I have never believed [warrant canaries] would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue."[17] This is not the first Australian law to outlaw warrant canaries. The "Telecommunications (Interception) Amendment Act 1995" was probably the first, making it illegal to "disclose information about the existence or non-existence" of Interception Warrants.[18]
That said, case law specific to the United States would render the covert continuance of warrant canaries subject to constitutionality challenges. West Virginia State Board of Education v. Barnette and Wooley v. Maynard rule the Free Speech Clause prohibits compelling someone to speak against one's wishes; this can easily be extended to prevent someone from being compelled to lie. New York Times Co. v. United States protects one exercising the First Amendment to publish government information, even if it is against the wishes of the government, except under grave and exceptional circumstances previously set by act and precedent. This may also have implications in regards to acting against a direct government intervention, similar to a government intervention against a warrant canary.
The following is a non-exhaustive list of companies and organizations whose warrant canaries no longer appear in transparency reports:
In 2015, a coalition of organizations consisting of the EFF, Freedom of the Press Foundation, NYU Law, the Calyx Institute, and the Berkman Center created a website called Canary Watch in order to provide a compiled list of all companies providing warrant canaries. Its mission was to provide prompt updates of any changes in a canary's state. It is often difficult for users to ascertain a canary's validity on their own and thus Canary Watch aimed to provide a simple display of all active canaries and any blocks of time that they were not active.[22] In May 2016, it was announced that Canary Watch "will no longer accept submissions of new canaries or monitor the existing canaries for changes or take downs".[23] The coalition of organizations which created Canary Watch explained their decision to discontinue the project by stating that it has achieved its goals to raise awareness about "illegal and unconstitutional national security process, including National Security Letters and other secret court processes." The Electronic Frontier Foundation also noted that "the fact that canaries are non-standard makes it difficult to automatically monitor them for changes or takedowns." They explained that the project had run its course, that ample attention had been brought to canaries, and detailed warrant canary strengths and weaknesses they observed.[23]
In 2016, the Riseup tech collective failed to update their warrant canary, due to sealed warrants from a court.[24] [25] The canary has since been updated, but no longer states the absence of gag orders.[26]
In February 2024, the Ethereum Foundation removed the warrant canary from their website[27] citing "[a] voluntary enquiry from a state authority that included a requirement for confidentiality" in the commit message.