
Proposed standard would make warrant canaries machine-readable

For years, organisations have been using a common tactic called the warrant canary to warn people that the government has secretly demanded access to their private information. Now, a proposed standard could make this tool easier to use.


When passed in 2001, the US Patriot Act enabled authorities to access personal information stored by a service provider about US citizens. It also let them issue gag orders that would prevent the organisation from telling anyone about it. It meant that the government could access an individual’s private information without that person knowing.

Companies like ISPs and cloud service providers want their users to know whether the government is asking for this information. This is where the warrant canary comes in. First conceived by Steve Schear in 2002, shortly after the Patriot Act came into effect, a warrant canary is a way of warning people that the organisation holding their data has received a subpoena.

Instead of telling people that it has been served with a subpoena, the organisation stops telling them that it hasn’t. It displays a public statement online that it only changes if the authorities serve it with a warrant. As long as the statement stays unchanged, individuals know that their information is safe. When the statement changes or disappears, they can infer that all is not well without the organisation explicitly saying so. Here’s an example of one.

A warrant canary can be as simple as a statement that the service provider has never received a warrant. The problem is that those statements aren’t standardised, which makes it difficult for people to interpret them. How can you be sure that a warrant canary means what you think it means? If it disappears, does that mean that the service provider received a warrant, or did someone just forget to include it somewhere? Does the canary’s death indicate a sinister problem, or did it just die of natural causes? This isn’t idle speculation – warrant canary changes like SpiderOak’s have confused users in the past.

The other problem is that these statements are designed to be read by people, which make them difficult to track and monitor at scale. That’s what the warrant canary standard would solve.

The proposed standard surfaced on GitHub on Tuesday. It was created by GitHub user carrotcypher, inspired by the work of organisations like the Calyx Institute (a technology non-profit that develops free privacy software) and the now-defunct Canary Watch, a project from the Electronic Frontier Foundation (EFF), Freedom of the Press Foundation, NYU Law, Calyx and the Berkman Center. Canary Watch listed and tracked warrant canaries. When it shut down Canary Watch, the EFF explained:

In our time working with Canary Watch we have seen many canaries go away and come back, fail to be updated, or disappear altogether along with the website that was hosting it. Until the gag orders accompanying national security requests are struck down as unconstitutional, there is no way to know for certain whether a canary change is a true indicator. Instead the reader is forced to rely on speculation and circumstantial evidence to decide what the meaning of a missing or changed canary is.

Canarytail seeks to change that. As it explains on its GitHub readme.md page:

We seek to resolve those issues through a proper standardized model of generation, administration, and distribution, with variance allowed only inside the boundaries of a defined protocol.

Instead of some arbitrary language on a website, the warrant canary standard would be a file created using the JSON format, which is notable for displaying data as a list of key:value pairs readable by both people and machines. The file would include 11 codes with a value of zero (false) or one (true). These codes include WAR for warrants, GAG for gag orders, and TRAP for trap and trace orders, along with another code for subpoenas, all of which will have specific legal implications for an organisation and its users. If the value next to every one of these keys is zero, the person or software reading the file can infer that none of the warnings have been triggered. If any code changes to one, it’s cause for concern.

The file also contains some other interesting codes, including DURESS, which indicates that the organisation is being coerced somehow, along with codes indicating that they have been raided. There is also a special code indicating a Seppuku pledge, which is a promise that an organisation will shut down and destroy all its data if a malicious entity takes control of it.

In a smart bit of cryptographic manoeuvring, the proposed standard must be cryptographically signed with a public key, and includes information about the expiry date. It uses a block hash from the bitcoin blockchain to verify the freshness of the digital signature. As another safeguard, it includes a PANICKEY field with another public key. If the file is signed with this key, people can interpret it as a kill switch, causing the warrant canary to fail immediately. That’s useful if an organisation suddenly gets raided and can’t afford to wait until the current warrant canary file expires.
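The following Python is an added example, not code from the article or from the canarytail project, showing how a monitoring tool would interpret a canary file of the kind the last two paragraphs describe: zero/one codes, an expiry date, a freshness reference and a PANICKEY kill switch. The field names (`claims`, `signed_by`, `signature`, `PUBKEY`, `expires`, `block_height`, `codes`) and the code list beyond the ones the article names are assumptions, not the real canarytail schema. The signature is a keyed-hash stand-in so that the example runs offline; a real deployment would use an asymmetric signature (for example Ed25519) verified against the organisation's published public key, and would confirm the block reference against the bitcoin blockchain rather than only checking that it moves forward.

```python
"""Interpret a machine-readable warrant canary (added example, hypothetical schema)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# WAR, GAG, TRAP, SUBP, DURESS and SEPPUKU are the codes the article names;
# the full standard has 11. The rest of the field names are assumptions.
FLAG_CODES = ("WAR", "GAG", "SUBP", "TRAP", "DURESS", "SEPPUKU")


def canonical_claims(claims):
    """Serialise the signed part deterministically, so the verifier re-derives
    exactly the bytes that were signed."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def evaluate_canary(raw_json, now, verify_signature, last_seen_height=-1):
    """Return (status, detail); status is one of
    invalid, panic, expired, stale, triggered, healthy."""
    try:
        doc = json.loads(raw_json)
        claims, signed_by, signature = doc["claims"], doc["signed_by"], doc["signature"]
    except (ValueError, KeyError, TypeError) as exc:
        return "invalid", f"malformed canary: {exc}"

    # 1. Signature first: an unverifiable file tells you nothing either way.
    if not verify_signature(canonical_claims(claims), signature, signed_by):
        return "invalid", "signature does not verify"

    # 2. Kill switch: a valid file signed by PANICKEY fails the canary at once,
    #    before expiry or the codes are even looked at.
    if signed_by == claims.get("PANICKEY"):
        return "panic", "signed with the panic key"
    if signed_by != claims.get("PUBKEY"):
        return "invalid", "signed by an unknown key"

    # 3. Expiry: a file past its date is a dead canary, not a healthy one.
    expires = datetime.fromisoformat(claims["expires"])
    if now >= expires:
        return "expired", f"expired at {claims['expires']}"

    # 4. Freshness: the block reference must advance between files, otherwise
    #    an older, still-unexpired all-clear file could be replayed.
    if claims["block_height"] <= last_seen_height:
        return "stale", "block reference does not advance"

    # 5. Codes: 0 = not triggered, 1 = triggered; anything else is invalid.
    triggered = []
    for code in FLAG_CODES:
        value = claims["codes"].get(code)
        if value not in (0, 1):
            return "invalid", f"code {code} missing or not 0/1"
        if value == 1:
            triggered.append(code)
    return ("triggered", ",".join(triggered)) if triggered else ("healthy", "all codes 0")


# --- Constructed demo material: keyed-hash stand-in for the signature ---
KEYS = {"pub-normal": b"constructed-normal-secret", "pub-panic": b"constructed-panic-secret"}
ALL_CLEAR = {code: 0 for code in FLAG_CODES}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
PAST = "2020-01-01T00:00:00+00:00"


def demo_verify(message, signature, key_id):
    """Stand-in verifier: HMAC over the canonical claims under the named key."""
    secret = KEYS.get(key_id)
    if secret is None:
        return False
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def make_canary(codes, signed_by, expires="2030-01-01T00:00:00+00:00", height=800000):
    """Build a canary file the way the organisation's tooling would."""
    claims = {"PUBKEY": "pub-normal", "PANICKEY": "pub-panic", "expires": expires,
              "block_height": height, "codes": codes}
    sig = hmac.new(KEYS[signed_by], canonical_claims(claims), hashlib.sha256).hexdigest()
    return json.dumps({"claims": claims, "signed_by": signed_by, "signature": sig})


if __name__ == "__main__":
    for label, raw in [("healthy", make_canary(ALL_CLEAR, "pub-normal")),
                       ("gag order", make_canary(dict(ALL_CLEAR, GAG=1), "pub-normal")),
                       ("panic key", make_canary(ALL_CLEAR, "pub-panic")),
                       ("expired", make_canary(ALL_CLEAR, "pub-normal", expires=PAST))]:
        print(f"{label:10} -> {evaluate_canary(raw, NOW, demo_verify)}")
```

The order of the checks is the point: the signature is checked before anything else, the panic key is honoured before the expiry date so a raided organisation's kill switch works even on an otherwise valid file, and a missing or malformed code is reported as invalid rather than silently read as "not triggered", which is the ambiguity the article says human-readable canaries suffer from.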

A standard like this could help revive warrant canaries by making them easier to track and more deterministic. In the meantime, plenty of non-standard warrant canaries have disappeared, including Reddit’s and Apple’s.

2 Comments

While I understand the intent, I feel like this design doesn’t meet the legal needs of the warrant canary.
Personally, I would have made it a json file with a series of codes to be removed rather than a file with a series of bits to be set to one.


As much as I approve of warrant canaries, this whole process confuses me in two ways:

First, the initial point of a warrant canary was for a company to deliberately not inform the public of a subpoena and gag order by instead informing the public while it wasn’t served with one. Cool. But if the JSON canarytail format has flags for WAR, GAG, TRAP, DURESS and so on, where a “0” would be changed to a “1” to indicate “yep, we got served,” isn’t that now informing the public that they did get something rather than that they didn’t? In other words, does this method fall foul of doing what the gag order says they legally cannot do?

Second, once a canary has been changed or removed, or once a canarytail flag has been flipped, then what? The indication is that something happened, but it’s a one-shot deal. That particular canary in the coalmine has succumbed to the carbon monoxide and is no more. It’s an ex-canary.

Perhaps these canaries also need a serial number or something? Once a warrant canary has been used, the company needs to introduce a fresh new canary to be an indicator of new shenanigans, with an incremented serial number. If so, I feel that should be part of the standard too so that we know in a machine-readable way that this is valid canary #4 from company X and it’s still singing happily.

