In the years since Edward Snowden began putting much of the NSA’s business in the street, including its reliance on the secret FISA court and National Security Letters, warrant canaries have emerged as a key method for ISPs, telecoms and other technology providers to let the public know whether they have received any secret orders. But keeping track of the various canaries scattered around the Web is difficult, so a group of legal and civil liberties organizations has come together to launch a new site to monitor the known warrant canaries.
The Canary Watch site is the work of the EFF, the Berkman Center for Internet and Society and NYU’s Technology Law and Policy Center and it works on a simple concept. The site maintains a list of all of the known warrant canaries and periodically checks each organization’s site to see whether the canary is still there and then lists any changes to the status.
A warrant canary is a simple statement from a company such as an ISP that says the organization has not received any legal orders for user data or other information that are accompanied by a gag order. National Security Letters typically prevent the targeted organization from revealing that it has received an NSL. So, organizations that have not received one publish a statement to that effect on their site or in a transparency report, and if they later receive an NSL, they remove the statement, thus communicating that event to the public without violating any laws.
For example, Tumblr’s most-recent transparency report contains a paragraph that serves as a warrant canary.
“As for whether we’ve received national security requests targeting our users, such as National Security Letters (FBI-issued requests for subscriber information), or Foreign Intelligence Surveillance Act (“FISA”) orders (orders issued in classified court proceedings, requiring companies to provide user information in national security investigations), as of the date of publication of this report, we have never received a National Security Letter, FISA order, or any other classified request for user information,” the report says.
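The periodic check described above comes down to comparing a stored canary statement against the current text of the page that carries it. The following Python is an added example, not Canary Watch's own code: the function names, status labels and sample pages are constructed for illustration, and the stored statement is the Tumblr sentence quoted above.

```python
import hashlib
import re
from html.parser import HTMLParser

# Canary sentence taken from the report quoted above; both pages are constructed samples.
STATEMENT = ("we have never received a National Security Letter, FISA order, "
             "or any other classified request for user information")
PAGE_BEFORE = """<html><body><h1>Transparency report</h1>
<p>As of the date of publication of this report, we have <b>never</b> received a
National Security Letter, FISA order, or any other classified request
for user information.</p><script>var x = "tracking";</script></body></html>"""
PAGE_REMOVED = """<html><body><h1>Transparency report</h1>
<p>This report covers government requests for user information.</p></body></html>"""

class _VisibleText(HTMLParser):
    """Collect text nodes, skipping the contents of script and style elements."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def normalize(html):
    """Reduce markup to lower-case text with straight quotes and single spaces,
    so inline tags, line wraps and typographic quotes do not cause false alarms."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()  # flush any text still buffered by the parser
    text = "".join(parser.parts)
    text = text.translate(str.maketrans("\u2018\u2019\u201c\u201d", "''\"\""))
    return re.sub(r"\s+", " ", text).strip().lower()

def check_canary(html, statement, last_hash=None):
    """Return (status, page_hash) for one fetched copy of a canary page."""
    page = normalize(html)
    digest = hashlib.sha256(page.encode("utf-8")).hexdigest()
    if normalize(statement) not in page:
        return "missing", digest            # statement gone: flag for human review
    if last_hash is not None and digest != last_hash:
        return "present-page-changed", digest  # canary intact, surrounding text edited
    return "present", digest
```

A "missing" result only says the stored wording is no longer on the page; a redesign or a reworded statement produces the same status, so it is a prompt for a person to read the page rather than a conclusion.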
Right now, Canary Watch lists 11 organizations, including Lookout, Pinterest, Reddit and Tumblr.
“Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about,” Nadia Kayyali of the EFF said in a blog post.
“Warrant canaries are a unique tool ISPs have to provide users with more transparency about the government requests they do, and do not, receive. We hope the site will educate, improve the usefulness of warrant canaries for the general public, and help people with a special interest in canaries track them.”
In addition to the current list of known canaries, the Canary Watch site also gives users the ability to submit new canaries on their own. There is some debate as to the effectiveness and legal usefulness of warrant canaries, but Kayyali said much of it depends upon the intended use of the canary.
“The question of how effective canaries are depends on what you feel the purpose for them is. They allow service providers to be as honest and transparent with their customers as they are allowed to be by law. And as a tool to educate and inform people about the kinds of requests ISPs can get, they’re useful,” Kayyali said by email.
“As to why a provider would or would not want to have a canary, I’m sure that depends on the provider, and they’d be able to answer that question best for you. Some organizations such as Spideroak do have blog posts explaining their decision to publish a canary, and companies that publish transparency reports include some explanation about why they do so as well.”
Image from Flickr photos of Weezul.