Canarywatch: Keeping track of warrant canaries

In the post-Snowden world, the term “warrant canary” – indicating a method used by some communications service providers to let their users know that they have not been served with a legal and secret government request for user data, access to their servers, etc. – has become widely known and understood.

A number of Internet companies have set up a type of warrant canary in their transparency reports or as a standalone statement, but so far it’s been difficult to keep track of them and notice when they are removed. But not anymore.

The Electronic Frontier Foundation, the Berkman Center for Internet and Society, NYU’s Technology Law & Policy Clinic, and the Calyx Institute have banded together to set up Canarywatch, a project that provides information about the state of known warrant canaries, all in one place.

“Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about,” EFF’s Nadia Kayyali explained in a recent blog post.

“The page’s FAQ explains the mechanics and legal theories underpinning warrant canaries. It also has an anatomy of a canary that, since canaries come in so many different forms, helps anyone understand what they’re seeing when they look at a particular canary.”

While the aim of the project is admirable, we still don’t know for sure if warrant canaries are legal and work as they should.

“There is no law that prohibits a service provider from publishing an honest and complete transparency report that includes all the legal processes that it has not received. The gag order only attaches after the ISP has been served with the gagged legal process. Nor is publishing a warrant canary an obstruction of justice, since this intent is not to harm the judicial process, but rather to engage in a public conversation about the extent of government investigatory powers,” the Canarywatch project’s members say, noting that the First Amendment protects against compelled speech.

But, in a relatively recent discussion on WhisperSystems’ GitHub repository, the well-regarded whitehat hacker and security researcher Moxie Marlinspike has expressed his doubts.

“If it’s illegal to advertise that you’ve received a court order of some kind, it’s illegal to intentionally and knowingly take any action that has the effect of advertising the receipt of that order,” he noted. “A judge can’t force you to do anything, but every lawyer I’ve spoken to has indicated that having a ‘canary’ you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you’ve received something.”