What is a warrant canary?
A warrant canary is a colloquial term for a regularly published statement
that a service provider has not received legal process (like a national security letter)
that it would be prohibited from disclosing to the public. Once a service provider does
receive legal process, the speech prohibition goes into place, and the provider
no longer makes the statement about the number of such process received.
Warrant canaries are often provided in conjunction with a transparency report,
listing the processes the service provider can publicly say it received over
the course of a particular time period. The term "warrant canary" is a reference
to the canaries used to provide warnings in coalmines, which would become sick before
miners from carbon monoxide poisoning, warning of the otherwise-invisible danger.
How do warrant canaries work in theory?
When a warrant canary "dies" (disappears, is not updated, etc.), provider no
longer makes the statement about the number of such process received.
For example, an ISP might issue a semi-annual transparency report, stating
that it had not received any national security letters in a particular six-month period.
NSLs come with a gag, which purports to prevent the recipient from saying it has received one.
(While a federal court has ruled that the NSL gag is unconstitutional,
that order is currently stayed pending the resolution of the government's appeal).
When the ISP issues a subsequent transparency report without that statement,
the reader may infer from the silence that the ISP has now received an NSL.
How do warrant canaries work in practice?
Unfortunately (though unsurprisingly) warrant canaries come in a variety of forms.
Some are more detailed, such as the canary at Riseup.net:
"Riseup has not received any National Security Letters or FISA court orders,
and we have not been subject to any gag order by a FISA court.")
Some are less detailed, such as the canary on Pinterest:
National security: 0
The variety of different forms means that each canary must be examined carefully.
This "anatomy of a warrant canary" can help with that. It explains what
specific legal processes a company might want to include in a canary,
and what those processes are.
Unfortunately, the disappearance of or changes to a warrant canary
may not always mean that the service provider received secret legal process.
It may have simply decided to change the format of its transparency report,
or forgotten to issue an update by the deadline.
Why would an ISP want to publish a warrant canary?
"Sunlight is said to be the best of disinfectants." — Justice Louis D. Brandeis.
Publishing a warrant canary is one way for ISPs to indicate that they support
greater transparency around government surveillance, and to allow them to
provide honest and complete transparency reports up until the time that they are gagged.
We are in a time of unprecedented public debate over the government's powers to
secretly obtain information about people. The revelations about the NSA's
massive bulk surveillance programs have raised serious questions about whether
these powers are necessary, legal and constitutional. Secret surveillance
violates not only the privacy interests of the account holder, but the speech
interests of ISPs who wish to participate in these public debates.
Why should we care about publicizing secret legal processes like national security letters?
As part of the reauthorization of the Patriot Act in 2006 in the USA, Congress directed
the DOJ Inspector General (IG) to investigate and report on the FBI's use of NSLs.
In four reports issued in 2007, 2008, 2010, and 2014 the IG documented the agency's
systematic and extensive misuse of NSLs and various attempts at reform.
The reports showed that between 2003 and 2006, the FBI's intelligence violations included
improperly authorized NSLs, factual misstatements in the NSLs, improper requests
under NSL statutes, and unauthorized information collection through NSLs. The FBI's
improper practices included requests for information based on First Amendment
protected activity. Although the 2014 report finds that the FBI has improved NSL
practices, it makes new recommendations, and notes significant issues with how the
FBI interprets the scope of its authority under NSL statutes, as well as ongoing
problems with the FBI's use of exigent letters.
In December 2013, the President's Review Group on Intelligence and Communications
Technologies recommended public reporting—both by the government and NSL recipients—of
the number of requests made, the type of information produced, and the number of
individuals whose records have been requested.
As discussed below, NSLs are just one type of gagged legal process. Similar problems
persist in other forms of secret process.
What are some of the gagged legal processes that an ISP might receive?
An ISP may be gagged from stating it has received:
- any one of several types of national security letters;
- orders from the Foreign Intelligence Surveillance Court (like the Section 215 orders used for the bulk call records program or the Section 702 orders used for the NSA's PRISM program); or
- an ordinary subpoena or search warrant accompanied by a gag order pursuant to the Electronic Communication Privacy Act.
The government has issued hundreds of thousands of these gagged legal requests, but very few have ever seen the light of day.
What does the government say is permissible for recipients of gagged legal process?
Being subject to a gag order means that companies can't make simple statements
like "We received three NSLs last year." Instead, the government only allows ISPs
to report receipt of gagged legal process in ranges of 1000, starting at 0, for six-month
periods. So if an ISP received 654 NSLs, it could report 0-999. If the companies choose to
report FISC requests and NSL requests combined, they can use ranges of 250, again starting at 0.
For example, Apple reported receiving 0-249 national security requests in the first half of
2013 and AT&T reported 0-999 content FISC orders, 0-999 non-content FISC orders and
2000-2999 NSLs for the same period.
While the government-approved ranges all start at zero, publication of a range might
indicate that the ISP has received at least one, as otherwise the ISP would have no
obligation to follow the government's formula.
In contrast to the government-approved ranges, warrant canaries can be much more
specific, making it easier to determine what sort of legal process an ISP has been served with.
Is it legal to publish a warrant canary?
There is no law that prohibits a service provider from publishing an honest and complete
transparency report that includes all the legal processes that it has not received.
The gag order only attaches after the ISP has been served with the gagged legal process.
Nor is publishing a warrant canary an obstruction of justice, since this intent is not
to harm the judicial process, but rather to engage in a public conversation about
the extent of government investigatory powers.
What's the legal theory behind warrant canaries?
The legal theory behind warrant canaries is based on the concept of compelled speech.
Compelled speech is where a party is forced by the government to make expressive
statements. The First Amendment protects against compelled speech in most
circumstances. For example, a court held that the New Hampshire state government
could not require its citizens to have "Live Free or Die" on their license plates.
While the government may be able to compel silence about legal processes through a
gag order, it's much more difficult to argue that it can compel an ISP to lie by
falsely stating that it has not received legal process when in fact it has.
How have courts dealt with compelled speech?
Courts have rarely upheld compelled speech. In a few instances, courts have allowed the government to compel speech in the commercial context, where the government shows that the compelled statements convey important truthful information to consumers. For example, warnings on cigarette packs are a form of compelled commercial speech that have sometimes been upheld, and sometimes struck down, depending on whether the government shows there is a rational basis for the warning. Existing precedents, however, are unlikely to extend to this situation.
We're not aware of any case where a court has upheld compelled false speech—and the cases on compelled speech have tended to rely on truth as a minimum requirement. For example, Planned Parenthood challenged a requirement that physicians tell patients seeking abortions of an increased risk of suicidal ideation. The court found that Planned Parenthood did not meet its burden of showing that the disclosure was untruthful, misleading, or not relevant to the patent's decision to have an abortion.
That's why the theory provides a strong legal underpinning for the use of warrant canaries— having a pre-existing statement regarding legal processes means that any change to that statement required by the government would be compelled speech.
Are there any cases upholding warrant canaries?
Not yet, because as far as we know, no court has ever been called on to rule on one.
However, that may change soon. In October 2014, Twitter filed a lawsuit against the
federal government after the FBI prevented Twitter from publishing an April 2014
transparency report. Google sued in the Foreign Intelligence Surveillance Court
to be able to publish aggregate numbers of national security requests in a transparency
report, and was joined by Yahoo!, Microsoft, LinkedIn, and Facebook. Those companies reached
a compromise on what they could publish, outlined in a January 2014 letter from the Deputy
Attorney General (the DAG letter). Although Twitter wasn't a party to this action, "the
DOJ and FBI told Twitter that the DAG Letter sets forth the limits of permissible
transparency-related speech for Twitter." The DAG letter provides two options for
reporting, but as the complaint specifically notes: "Under either option, since the permitted
ranges begin with zero, service providers who have never received an NSL or FISA order
apparently are prohibited from reporting that fact." Twitter notes in the complaint that,
"Notwithstanding the fact that the DAG Letter purportedly prohibits a provider from
disclosing that it has received 'zero' NSLs or FISA orders, or 'zero' of a certain
kind of FISA order, subsequent to January 27, 2014, certain communications providers
have publicly disclosed either that they have never received any FISA orders or NSLs,
or any of a certain kind of FISA order. This is referring to the use of what are
colloquially called warrant canaries.
Twitter's filing argues it shouldn't be bound by a settlement it wasn't a party to,
and asks the court for a declaratory judgment (a statement from the court) saying so.
It also asks the court to let it publish the draft transparency report.
The outcome of Twitter's case may take years. But we believe that warrant canaries
are legal, and the government should not be able to compel a lie. To borrow a phrase
from Winston Churchill, no one can guarantee success in litigation, but only deserve it.
What should an ISP do if the warrant canary is triggered?
If an ISP with a warrant canary receives gagged legal process, it should obtain
legal counsel and go to a court for a determination that it cannot be required
to publish false information. While some ISPs may be tempted to engage in
civil disobedience, we believe that it is better to present the issue to
a court before removing the canary, to help establish a precedent.
What happens when a canary dies?
Before a canary dies we alert the business that their canary will "expire" - or die -
and that they have the chance to "refresh" their canary in order to keep it alive.
The business can choose to refresh the canary, prolonging its life, or choose to let it die.
Once a canary dies, we will wait between 24 and 48 hours and then send out email alerts to all of the users
that have subscribed to that canary, as well send a Tweet to alert anyone watching that it has expired.