Warrant canaries aren’t definitive markers that a company has been served with a National Security Letter or some other type of court order mandating that customer information be turned over to a government agency or law enforcement. But oftentimes, they are a strong indicator that something has changed in that arena.
Pinterest, for example, reported in its 2015 transparency report that the number of National Security Letter requests it had received was 0-249. Previously, it had reported just 0.
“What prompted this move? Under the law, a company that has received a national security request can report in bands of 250, starting at 0, semiannually. Thus, there is certainly the strong implication that Pinterest did receive a national security request, because it would otherwise have continued to report 0,” wrote Electronic Frontier Foundation staff technologist Cooper Quintin.
Quintin’s observation was part of a larger announcement that the EFF along with the Freedom of the Press Foundation, NYU Law, Calyx, and the Berkman Center had decided to no longer maintain the Canary Watch project.
Launched more than a year ago, CanaryWatch.org was meant to be a repository listing warrant canaries and monitoring them for changes or removals, Quintin said. At the outset, the Canary Watch database was 11 entries strong, and today there are close to 70. Quintin said that the project had achieved its goals and submissions of new canaries would no longer be accepted, and that the group would no longer monitor existing canaries for changes.
“The major strides in our understanding about the nature and current status of warrant canaries and national security letters mean Canary Watch has definitely been a success. Moreover, it raised awareness and contributed to an important policy debate that is now well underway,” Quintin wrote. “In contrast to the uncertainty a year ago, it now seems that the Internet at large can offer robust and decentralized monitoring of warrant canaries; the rapid spread of the news when reddit’s canary disappeared is a testament to that fact.”
On April 1, Reddit published its most recent transparency report. Missing from it was a notice, present in its previous such report, that it had never received a National Security Letter, FISA Court order or classified order for user data. Quintin said in his report that since the removal of the Reddit canary, searches for warrant canaries on the Canary Watch website “grew by an order of magnitude.”
“The last year has, without a doubt, been a banner year for awareness of warrant canaries,” he said.
Canary Watch served a useful purpose given that, prior to its inception, it was difficult to track the existence of warrant canaries, especially post-Snowden as more ISPs, telecommunications providers and technology companies sought ways to communicate with customers in this regard.
Warrant canaries are generally communicated through companies’ transparency reports and are within the scope of the law. Reporting on National Security Letters, for example, is prohibited by a court-imposed gag order. Statements such as Pinterest’s and Reddit’s stating that no such orders had ever been issued are the canaries; once those types of statements are removed, one can assume a secret court order for user data has been issued.
Quintin said that organizations have also dropped canaries in PDFs, plaintext, HTML and images, while others were integrated into website banners or GitHub.
“We have seen canaries that are signed using GPG, canaries that are part of a transparency report, canaries that include the day’s weather and top news headlines. We have seen canaries that are updated on a daily basis and canaries which are updated once per year. We have seen canaries that were created once and then never updated again,” Quintin wrote. “Again, the fact that canaries are non-standard makes it difficult to automatically monitor them for changes or takedowns.”
Warrant canaries are also always open to interpretation, an ambiguity fostered by subtle changes in grammar, wording or even the URLs where statements are located.
“All of this uncertainty caused numerous false alarms, which made it difficult to monitor warrant canaries,” Quintin wrote. “Additionally, this chaos served as a further demonstration of how difficult it is to interpret what it means when a warrant canary changes.”