You’re Encrypting — warrant canaries
In the United States, the USAPATRIOT Act allows law enforcement to issue a secret warrant known as a National Security Letter (NSL). This action must be kept secret, making it difficult to get legal help or popular support.
In a technology context, this is to prevent tipping off users / customers that they’re being monitored. Companies have been asked to keep their site running uninterrupted and to deny receiving NSLs to avoid tipping off users.
What is a warrant canary?
The government can prevent you from talking about investigations, but there is some legal precedent that you cannot to be forced to say something. By posting notices or including a line in reports that you have not seen an NSL, you could theoretically stop updating the sign when its statement is no longer true.
This builds up trust between users and service providers.
Librarians printed signs like this as early as 2002.
Are warrant canaries legal?
Maybe..? This space is in a grey area because legal decisions around NSLs have been secretive in the past.
It’s no longer best practice to post a sign or page that you remove or edit, to post a daily canary, or to test the law.
Modern websites and investor reports with warrant canaries post quarterly updates. Some include a PGP signature to verify that they were written by a trusted person, or blockchain data to prove when they were written. I’ll write more about these techniques in the future.
Some other advice against the warrant canary tactic:
…courts generally aren’t impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue.
— Bruce Schneier
…every lawyer I’ve spoken to has indicated that having a “canary” you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you’ve received something
— Moxie, Open Whisper Systems
What if I don’t have a warrant canary?
One of the best arguments in favor of a warrant canary is that you could have some defense, flawed or not, against searches. You could theoretically use this to pressure the government to disclose the NSL, or to issue a public search warrant. Likely this would involve going to court with top-notch lawyers.
Depending on your circumstances, you might choose to violate a NSL. After a report said that Edward Snowden used encrypted e-mail service Lavabit, that service was abruptly shut down by its creator, almost certainly in reaction to and in violation of an NSL.
I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
Have warrant canaries been used?
One of the highest-profile warrant canaries was Apple’s inclusion of this statement in a government transparency report:
Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.
The next year, that statement was no longer included. Apple likely had received NSLs before and after making the statement, but this was the first time acknowledging it.
Sometimes warrant canaries are missed for a few days simply because someone forgot to update their message (oops).
Currently there is some concern because Riseup.net has not updated their warrant canary in 3 months plus 3 days, when typically it would have been updated.