Companies collect data about what you think and do, but they aren’t the only ones interested in this information. Law-enforcement agencies sometimes want access, and when they do, they can compel companies to hand it over. Some can even make these companies swear to secrecy about the whole affair.
Many companies don’t like this, so they’ve adopted a tactic called “warrant canaries” to alert us to what’s going on.
What Is a Warrant Canary?
Think: “canary in a coal mine.”
Canary birds were once used in coal mines as a toxic gas detection system. Canaries would show signs of illness sooner than humans once carbon monoxide levels began to rise. In this way, the birds served as an early warning system.
Warrant canaries alert you to the existence of a warrant (or, rather, the nonexistence of a warrant). Say a company creates a dedicated webpage stating that it has never received a warrant for customer data. This page is the warrant canary. If it goes down, or the wording changes, then you can infer that the company has received a warrant.
Are Warrant Canaries Trustworthy?
Short answer: No!
A warrant canary does not offer definitive information that a warrant has been issued. When a statement disappears from a website, the most we can do is speculate.
5 Main Issues With Warrant Canaries
- Sometimes warrant canaries disappear only to reappear a few days later.
- Sometimes the language subtly changes, providing us with more reasons to speculate but even less certainty.
- Some canaries receive updates on a daily basis while some are posted and remain unchanged, perhaps even forgotten.
- There is no consistency among warrant canaries. Some appear in HTML on webpages, while others are in downloadable PDF reports or indicated by an image. Some sites go through the effort of signing theirs with GnuPG.
- All of this inconsistency makes monitoring warrant canaries difficult.
For more on the issues surrounding warrant canaries, take a look at the Electronic Frontier Foundation’s Canary Watch report.
Examples of Warrant Canaries
Here are some ways companies have used warrant canaries so far.
1. Apple’s “Warrant Canary”
Apple publishes a transparency report twice a year, which details how often the company complies with law enforcement requests for data. You can view Apple’s transparency reports on its website.
The first report in 2013 contained a line that various outlets reported as a warrant canary. Here’s the text:
“Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”
Section 215 of the USA Patriot Act permits intelligence agencies to collect many kinds of records and force individuals or companies not to speak about the matter.
The aforementioned line was nowhere to be found in the next report. Instead, there was this:
“To date, Apple has not received any orders for bulk data.”
Some observers took this change as evidence that Apple had since received a secret request for data and was now subject to a gag order. But it’s also possible that a writer or a lawyer simply reworded the passage, either for clarity or to make Apple’s words more defensible in court. We simply don’t know if this was even a warrant canary.
The original line has remained missing from all subsequent reports.
2. NordVPN’s Warrant Canary
There are some details to keep in mind here, which the company elaborated on when first announcing its warrant canary. NordVPN is based in Panama, not the US, so it isn’t subject to the US Patriot Act. The US is not the only country with such laws, but as NordVPN states, Panama does not require data retention or permit gag orders.
Yet if you have been tracking the company’s warrant canary, you may have noticed that the About Us page was not its original home. In the original announcement, the warrant canary had its own URL, which now redirects.
3. Purism’s Warrant Canary
Purism makes computers with an emphasis on free software and privacy. In the interest of transparency, the company has an entire webpage that serves as a warrant canary. The page’s title, the URL, and the page description explicitly state what a warrant canary is and the purpose of the page.
“This page is to inform users that Purism has not been served with a secret government subpoena in any of its hardware, its software, or its services. If a warrant canary has not been updated in the time period specified by Purism, users are to assume that Purism has indeed been served with a secret subpoena. The intention is to allow Purism to warn users of the existence of a subpoena passively, without disclosing to others that the government has sought or obtained access to information or records under a secret subpoena. Warrant canaries have been found to be legal by the United States Justice Department, so long as they are passive in their notifications.”
Yet even with such clear and transparent intentions, there’s still room for guesswork. When October 1st, 2019 came and went, someone took to the Purism forums to ask about the missing warrant canary update. They received a link to the warrant canary’s source code on GitLab, which had been updated on time but not yet synced to the site. This goes to show that even when there’s a high degree of transparency, warrant canaries still make it easy to jump to conclusions.
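The two failure modes described above (wording that quietly changes, as in the Apple reports, and a dated statement that is not renewed within its stated period, as with Purism) are exactly what a canary monitor has to tell apart. As an added example, not taken from the article or from any of the companies it names, the following Python script records a baseline copy of a canary, then classifies a later fetch as OK, STALE, CHANGED or MISSING. The canary text, the company name "ExampleCo", and the `Last updated:` / `Update period:` line formats are constructed assumptions for the example; it does not verify a GnuPG signature, which a monitor for a signed canary would also need to do.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample canary (not any real company's statement). The date line is
# expected to change on every renewal; the rest of the wording is not.
BASELINE_CANARY = """\
Warrant Canary
Last updated: 2019-09-01
Update period: 90 days
ExampleCo has not been served with a secret government subpoena
for any of its hardware, software, or services.
"""

DATE_RE = re.compile(r"Last updated:\s*(\d{4})-(\d{2})-(\d{2})")
PERIOD_RE = re.compile(r"Update period:\s*(\d+)\s*days")


@dataclass
class CanaryStatus:
    state: str                     # "OK", "STALE", "CHANGED" or "MISSING"
    detail: str
    digest: Optional[str] = None   # SHA-256 of the normalized text, for the audit log


def normalize(text: str) -> str:
    """Collapse whitespace so a cosmetic reflow of the page is not reported as a change."""
    return " ".join(text.split())


def digest(text: str) -> str:
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def parse_last_updated(text: str) -> Optional[date]:
    m = DATE_RE.search(text)
    return date(*map(int, m.groups())) if m else None


def parse_period_days(text: str) -> Optional[int]:
    m = PERIOD_RE.search(text)
    return int(m.group(1)) if m else None


def strip_volatile(text: str) -> str:
    """Drop the date line before comparing wording, since that line is supposed to change."""
    return "\n".join(line for line in text.splitlines() if not DATE_RE.search(line))


def evaluate(current: Optional[str], baseline: str, today: date,
             default_period_days: int = 90) -> CanaryStatus:
    """Classify the current canary against the stored baseline as of `today`."""
    if current is None or not current.strip():
        return CanaryStatus("MISSING", "canary page absent or empty")
    if normalize(strip_volatile(current)) != normalize(strip_volatile(baseline)):
        return CanaryStatus("CHANGED", "statement wording differs from baseline", digest(current))
    last = parse_last_updated(current)
    if last is None:
        return CanaryStatus("CHANGED", "no parseable 'Last updated' date", digest(current))
    period = parse_period_days(current) or default_period_days
    deadline = last + timedelta(days=period)
    if today > deadline:
        return CanaryStatus("STALE", f"last update {last} is past the {period}-day deadline ({deadline})",
                            digest(current))
    return CanaryStatus("OK", f"updated {last}, next renewal due by {deadline}", digest(current))


if __name__ == "__main__":
    # Constructed scenarios mirroring the article: an on-time renewal, a missed deadline,
    # a reworded statement (Apple-style), and a page that has vanished.
    renewed = BASELINE_CANARY.replace("2019-09-01", "2019-10-01")
    reworded = BASELINE_CANARY.replace(
        "has not been served with a secret government subpoena",
        "has not received any orders for bulk data")
    for label, text, today in [
        ("renewed", renewed, date(2019, 10, 15)),
        ("missed deadline", BASELINE_CANARY, date(2019, 12, 15)),
        ("reworded", reworded, date(2019, 10, 15)),
        ("vanished", None, date(2019, 10, 15)),
    ]:
        status = evaluate(text, BASELINE_CANARY, today)
        print(f"{label:16s} {status.state:8s} {status.detail}")
```

The script separates "the wording changed" from "the renewal is overdue" because, as the article shows, the two call for different follow-up: a CHANGED result is worth reading against the old text before drawing any conclusion, and a STALE or MISSING result may just as easily be a sync failure as a served subpoena. A canary that reappears a few days later simply returns to OK; the monitor records that the page came back, nothing more.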
You Just Can’t Trust Warrant Canaries
Warrant canaries can stem from an earnest desire to inform users about the state of their data. But while some implementations are better than others, a warrant canary alone does not provide definitive proof of a subpoena.
If you want to see just how much confusion can spawn from a warrant canary, check out the comment thread that ensued following a change to SpiderOak’s warrant canary. You’re also welcome to share your own experience.