What is a Warrant Canary?

Governments may issue secret government subpoenas to communication providers that force them to disclose private data about their users or insert backdoors into their products. Furthermore, governments may give criminal penalties to an organization that chooses to publicly disclose if a subpoena was issued.

Some tech organizations attempt to get around this by regularly issuing "we have never been issued any such government subpoenas" while signing their messages with their private key. This message is called a warrant canary, with an analogy to a canary in a coal mine. (If the mine begins to fill up with poisonous gases, the small canary will feel its effects before humans and serves as a warning to everyone to get out of the coal mine). If the government issues a subpoena to them, they promise they will stop issuing the cryptographically signed message stating "we have never been issued any secret gov't subpoenas". While the law allows the gov't to penalize them for disclosing information about a secret subpoena, there is (currently) no law that would require them to continue issuing such warrant canaries.

Granted, it's feasible for a gov't court to secretly force an organization to give up their private keys that were used to sign their warrant canary, or require them to continue publishing their warrant canaries or suffer severe consequences; whether this happens in practice is not publicly known. It's also possible that the people issuing the warrant canary are not trustworthy people and would voluntarily continue to issue them, even while complying with government subpoenas.

For more information check out these links from the comments:

  • https://www.yalelawjournal.org/forum/warrant-canaries-and-disclosure-by-design
  • https://law.stackexchange.com/questions/268/what-is-the-legal-status-of-warrant-canaries

Basically, it's a way to get around a restriction on disclosing that a warrant has been served.

  1. Warrants authorize the seizing of items, including data. Many users want to know if their data has potentially been seized
  2. Warrant canaries have dates on them
  3. It can be against the law to disclose that one has received a secret subpoena or warrant (thank you to cat for the correction) to a third party (such as a user)
  4. Receiving a warrant does not compel one to post a warrant canary
  5. If one does receive a warrant, one does not post a warrant canary. If it is not posted, users/viewers know that a warrant has been served in the last month

For example, VeraCrypt deals with encrypting data. It is possible that a warrant or other court order could be issued to attempt to force VeraCrypt to help decrypt something that their software encrypted. This is a way of alerting users to this fact, without falling afoul of gag orders, etc.
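The mechanism the answers above describe (a signed "we have never received a subpoena" statement that carries a date and must be refreshed, so that a missing or stale canary is itself the signal) can be checked mechanically. The following is an added example written for this page, not code from any provider or project; the `Canary` layout, the statement text and the 30-day window are assumptions, and Ed25519 stands in for whatever key the publisher actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Canary is a signed statement plus the date it was issued.
// Field layout is an assumption for this example, not a real provider's format.
type Canary struct {
	Statement string
	IssuedAt  time.Time
	Sig       []byte
}

// payload is what gets signed: the statement AND the date, so a stale canary
// cannot simply be re-dated by whoever has the old signature but not the key.
func (c Canary) payload() []byte {
	return []byte(c.Statement + "\n" + c.IssuedAt.UTC().Format(time.RFC3339))
}

// NewKeyPair generates the publisher's signing key (Ed25519, assumed here).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignCanary is what the publisher runs on each refresh.
func SignCanary(priv ed25519.PrivateKey, statement string, issued time.Time) Canary {
	c := Canary{Statement: statement, IssuedAt: issued}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// CheckCanary is what a user runs: "alive", "stale", "invalid" or "missing".
// Anything but "alive" is treated as the canary having died.
func CheckCanary(pub ed25519.PublicKey, c *Canary, now time.Time, maxAge time.Duration) string {
	if c == nil {
		return "missing" // publisher went silent
	}
	if !ed25519.Verify(pub, c.payload(), c.Sig) || c.IssuedAt.After(now) {
		return "invalid" // tampered text/date, wrong key, or future-dated
	}
	if now.Sub(c.IssuedAt) > maxAge {
		return "stale" // not refreshed within the promised window
	}
	return "alive"
}

func main() {
	pub, priv := NewKeyPair()
	c := SignCanary(priv, "We have never received a secret subpoena.", time.Now())
	fmt.Println(CheckCanary(pub, &c, time.Now(), 30*24*time.Hour))
}
```

Note that this only detects silence or tampering; as the first answer says, a seized signing key or a coerced publisher defeats the check.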


In the US, many forms of government cooperation and compulsion are public. Some can be secret, or secret for a period of time. The general idea is that they are public. A company or person may wish to keep such assistance to the government secret or confidential, but there is often no requirement from the government to do so. However, in recent years, that has been changing to a default "make all the things secret" philosophy, and the increased use of National Security Letters.

Warrant canaries are directed at National Security Letters (NSLs), which historically, from what little we know about them, also come with a permanent gag order (aka forced secrecy forever). Because NSLs are issued under the "National Security" umbrella and apparatus, the government says they fall outside the normal scope and rule of law, and as such you cannot talk about it or will get thrown into Gitmo and they will throw away the key. Maybe not literally, but they threaten to do all sorts of horrible things and prevent even the receiving entity of an NSL from seeking counsel, which many view to be an abuse of power and due process.

The warrant canary is an attempt to be a solution for companies, who now hold all our private information (willingly or unwittingly), to let their users know if they have been breached by the government by use of force or coercion. This is in addition to the statistics and breach reports companies regularly disclose to their users. The theory is that you can be compelled to be silent, but you can't be compelled to say something, or a particular thing. Therefore, the warrant canary will die when the company goes silent.

A particular warrant canary is only good for a particular length of time, and then must be replaced, refreshed, or updated. If it gets stale or disappears, presumably, an NSL was issued to the company, and that company has been forced to turn over data of one or more of its users.

Source: reading the news on this stuff.