Warrant Canaries: Watching US Agencies So IT Doesn't Have To

4 DARPA Projects We Love

The government is watching.

Maybe not right this second. But it is watching. It could at any moment turn its attention to the online services you use and scrutinize you, your business, or your employees. How can you tell?

Typically, you can't -- legally speaking. Oftentimes gag orders pursuant to National Security Letters (NSL), secret court orders issued under the Foreign Intelligence Surveillance Act (FISA), Electronic Communication Privacy Act orders, or run-of-the-mill warrants and subpoenas bar ISPs and other organizations from alerting others when the federal government decides it wants to sift through their records.

This was the problem facing Nicholas Merrill 11 years ago. Then president of an ISP, Merrill received an NSL from the FBI demanding a laundry list of records relating to one of his customers -- and barring him from disclosing that he had received the demand, according to coverage of the case in Wired. He fought the NSL -- anonymously. It was not until six-and-a-half years later that a judge partially lifted the gag order, allowing Merrill to reveal his identity as the case's plaintiff -- although he remains barred from disclosing information related to what records the FBI sought from him, despite the fact that the FBI withdrew its request long ago.

Since Merrill's difficulties, the notion of a "warrant canary" has been popularized. The idea was initially created in 2002 as a protection against potential intrusions under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001. The warrant canary concept is simple: Communicate -- frequently and prominently -- the fact that you are not currently subject to a gag order or similar government intrusion until the day comes that you are gagged. Then, the day your notice -- your warrant canary -- is no longer present, the public (including organizations that rely on your services) can presume precisely what you are not allowed to say.

The concept rose to yet greater prominence when Apple began using a warrant canary in 2013.

Merrill has since become an activist for Internet freedom. In 2010, he founded the Calyx Institute, a New York-based nonprofit dedicated to Internet privacy interests.

On February 3, the Calyx Institute -- in partnership with the Electronic Frontier Foundation (EFF) and other Internet policy groups -- announced its joint launch of CanaryWatch.org. The website purports to list and track the status of any warrant canaries that are reported to it. Should one of the warrant canaries "die," CanaryWatch.org will know about it -- and broadcast the news. Canary listings on CanaryWatch.org include social networks, such as Tumblr and Reddit; InfoSec companies, such as Silent Circle and Espionage App; and other websites, such as 8chan and the Internet Archive.

This is an important development for IT professionals charged with protecting their organization's data. It would be virtually impossible to monitor every federal government agency's request for information sent to your service providers, even if that information were publicly available. While your legal teams may already be keeping an eye on warrant canaries, it's worth it for IT do to the same. Warrant canaries are monitoring government agencies so you don't have to. Watching the canaries will keep you in the loop and enable you to be prepared in the event that any of your service providers are facing a government agency request for information. If you're not already working with your legal and governance teams on an appropriate response, it's high time you set about doing so. Such government inquiries can have far-reaching effects on your business, as Merrill's case demonstrates.

The term "warrant canary" is drawn from the use of canaries in coal mines before modern ventilation systems became widely used. Any lethal gases present in the mine would kill the tiny canary long before seriously harming the coal miners -- allowing the workers time to escape or don respirators. The warrant canary concept is similar. Once the notice -- i.e., the "canary" -- disappears or "dies," danger can be presumed.

[Who's tracking your cellphone? Read Smartphone SIM Cards Hacked By US, UK Spies.]

It is worth noting that warrant canaries remain legally untested -- and even dubious. Moxie Marlinspike (a pseudonym), a cyber-security researcher and contributor to messaging app TextSecure, wrote on GitHub: "Every lawyer we've spoken to has confirmed that [warrant canaries] would not work" for TextSecure."

Marlinspike's GitHub comments go on to note:

If it's illegal to advertise that you've received a court order of some kind, it's illegal to intentionally and knowingly take any action that has the effect of advertising the receipt of that order. A judge can't force you to do anything, but every lawyer I've spoken to has indicated that having a "canary" you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you've received something.

The CanaryWatch.org partner organizations apparently disagree. The EFF reported that US courts have never upheld government-compelled speech that is false (and "rarely" uphold even truthful government-compelled speech).

Some of those who use warrant canaries have tried to prepare for such compulsion nonetheless, employing encryption and other methods to help verify authentic canaries and expose canaries that are fake or were issued under duress. Still, CanaryWatch.org ominously noted, "even if a canary is signed by a key, that doesn't mean that the provider wasn't forced to sign it."

That said, if your IT organization is concerned about the potential for the government to pry into your activities, it's worth keeping an eye on what's happening on this front. This is particularly helpful for multinational organizations facing pressure from stakeholders outside the US over the potential for data to be reviewed by the government.

What's your view on warrant canaries? Is a service such as CanaryWatch useful to you in your business? Are companies that issue warrant canaries engaging in illegal activity? Tell us what you think in the comments section below.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.