A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process (like a national security letter) that it would be prohibited from disclosing to the public. Once a service provider does receive legal process, the speech prohibition goes into place, and the provider no longer makes the statement about the number of such process received.
Warrant canaries are often provided in conjunction with a transparency report, listing the processes the service provider can publicly say it received over the course of a particular time period. The term "warrant canary" is a reference to the canaries used to provide warnings in coalmines, which would become sick before miners from carbon monoxide poisoning, warning of the otherwise-invisible danger.
When a warrant canary "dies" (disappears, is not updated, etc.), provider no longer makes the statement about the number of such process received.
For example, an ISP might issue a semi-annual transparency report, stating that it had not received any national security letters in a particular six-month period. NSLs come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gag is unconstitutional, that order is currently stayed pending the resolution of the government's appeal). When the ISP issues a subsequent transparency report without that statement, the reader may infer from the silence that the ISP has now received an NSL.
Unfortunately (though unsurprisingly) warrant canaries come in a variety of forms. Some are more detailed, such as the canary at Riseup.net:
"Riseup has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order by a FISA court.")
Some are less detailed, such as the canary on Pinterest:
National security: 0
The variety of different forms means that each canary must be examined carefully. This "anatomy of a warrant canary" can help with that. It explains what specific legal processes a company might want to include in a canary, and what those processes are.
Unfortunately, the disappearance of or changes to a warrant canary may not always mean that the service provider received secret legal process. It may have simply decided to change the format of its transparency report, or forgotten to issue an update by the deadline.
"Sunlight is said to be the best of disinfectants." — Justice Louis D. Brandeis.
Publishing a warrant canary is one way for ISPs to indicate that they support greater transparency around government surveillance, and to allow them to provide honest and complete transparency reports up until the time that they are gagged. We are in a time of unprecedented public debate over the government's powers to secretly obtain information about people. The revelations about the NSA's massive bulk surveillance programs have raised serious questions about whether these powers are necessary, legal and constitutional. Secret surveillance violates not only the privacy interests of the account holder, but the speech interests of ISPs who wish to participate in these public debates.
As part of the reauthorization of the Patriot Act in 2006, Congress directed the DOJ Inspector General (IG) to investigate and report on the FBI's use of NSLs. In four reports issued in 2007, 2008, 2010, and 2014 the IG documented the agency's systematic and extensive misuse of NSLs and various attempts at reform.
The reports showed that between 2003 and 2006, the FBI's intelligence violations included improperly authorized NSLs, factual misstatements in the NSLs, improper requests under NSL statutes, and unauthorized information collection through NSLs. The FBI's improper practices included requests for information based on First Amendment protected activity. Although the 2014 report finds that the FBI has improved NSL practices, it makes new recommendations, and notes significant issues with how the FBI interprets the scope of its authority under NSL statutes, as well as ongoing problems with the FBI's use of exigent letters.
In December 2013, the President's Review Group on Intelligence and Communications Technologies recommended public reporting—both by the government and NSL recipients—of the number of requests made, the type of information produced, and the number of individuals whose records have been requested.
As discussed below, NSLs are just one type of gagged legal process. Similar problems persist in other forms of secret process.
An ISP may be gagged from stating it has received:
The government has issued hundreds of thousands of these gagged legal requests, but very few have ever seen the light of day.
Being subject to a gag order means that companies can't make simple statements like "We received three NSLs last year." Instead, the government only allows ISPs to report receipt of gagged legal process in ranges of 1000, starting at 0, for six-month periods. So if an ISP received 654 NSLs, it could report 0-999. If the companies choose to report FISC requests and NSL requests combined, they can use ranges of 250, again starting at 0. For example, Apple reported receiving 0-249 national security requests in the first half of 2013 and AT&T reported 0-999 content FISC orders, 0-999 non-content FISC orders and 2000-2999 NSLs for the same period.
While the government-approved ranges all start at zero, publication of a range might indicate that the ISP has received at least one, as otherwise the ISP would have no obligation to follow the government's formula.
In contrast to the government-approved ranges, warrant canaries can be much more specific, making it easier to determine what sort of legal process an ISP has been served with.
There is no law that prohibits a service provider from publishing an honest and complete transparency report that includes all the legal processes that it has not received. The gag order only attaches after the ISP has been served with the gagged legal process. Nor is publishing a warrant canary an obstruction of justice, since this intent is not to harm the judicial process, but rather to engage in a public conversation about the extent of government investigatory powers.
The legal theory behind warrant canaries is based on the concept of compelled speech. Compelled speech is where a party is forced by the government to make expressive statements. The First Amendment protects against compelled speech in most circumstances. For example, a court held that the New Hampshire state government could not require its citizens to have "Live Free or Die" on their license plates. While the government may be able to compel silence about legal processes through a gag order, it's much more difficult to argue that it can compel an ISP to lie by falsely stating that it has not received legal process when in fact it has.
Courts have rarely upheld compelled speech. In a few instances, courts have allowed the government to compel speech in the commercial context, where the government shows that the compelled statements convey important truthful information to consumers. For example, warnings on cigarette packs are a form of compelled commercial speech that have sometimes been upheld, and sometimes struck down, depending on whether the government shows there is a rational basis for the warning. Existing precedents, however, are unlikely to extend to this situation.
We're not aware of any case where a court has upheld compelled false speech—and the cases on compelled speech have tended to rely on truth as a minimum requirement. For example, Planned Parenthood challenged a requirement that physicians tell patients seeking abortions of an increased risk of suicidal ideation. The court found that Planned Parenthood did not meet its burden of showing that the disclosure was untruthful, misleading, or not relevant to the patent's decision to have an abortion.
That's why the theory provides a strong legal underpinning for the use of warrant canaries— having a pre-existing statement regarding legal processes means that any change to that statement required by the government would be compelled speech.
Not yet, because as far as we know, no court has ever been called on to rule on one. However, that may change soon. In October 2014, Twitter filed a lawsuit against the federal government after the FBI prevented Twitter from publishing an April 2014 transparency report. Google sued in the Foreign Intelligence Surveillance Court to be able to publish aggregate numbers of national security requests in a transparency report, and was joined by Yahoo!, Microsoft, LinkedIn, and Facebook. Those companies reached a compromise on what they could publish, outlined in a January 2014 letter from the Deputy Attorney General (the DAG letter). Although Twitter wasn't a party to this action, "the DOJ and FBI told Twitter that the DAG Letter sets forth the limits of permissible transparency-related speech for Twitter." The DAG letter provides two options for reporting, but as the complaint specifically notes: "Under either option, since the permitted ranges begin with zero, service providers who have never received an NSL or FISA order apparently are prohibited from reporting that fact." Twitter notes in the complaint that, "Notwithstanding the fact that the DAG Letter purportedly prohibits a provider from disclosing that it has received 'zero' NSLs or FISA orders, or 'zero' of a certain kind of FISA order, subsequent to January 27, 2014, certain communications providers have publicly disclosed either that they have never received any FISA orders or NSLs, or any of a certain kind of FISA order. This is referring to the use of what are colloquially called warrant canaries.
Twitter's filing argues it shouldn't be bound by a settlement it wasn't a party to, and asks the court for a declaratory judgment (a statement from the court) saying so. It also asks the court to let it publish the draft transparency report.
The outcome of Twitter's case may take years. But we believe that warrant canaries are legal, and the government should not be able to compel a lie. To borrow a phrase from Winston Churchill, no one can guarantee success in litigation, but only deserve it.
If an ISP with a warrant canary receives gagged legal process, it should obtain legal counsel and go to a court for a determination that it cannot be required to publish false information. While some ISPs may be tempted to engage in civil disobedience, we believe that it is better to present the issue to a court before removing the canary, to help establish a precedent. If you run an ISP with a warrant canary and receive gagged legal process, you can contact firstname.lastname@example.org if you would like help finding counsel.
Various ISPs have published canaries on a wide range of schedules. To allow time to file a case and for the court to rule on the important legal questions, we suggest at least few months between the transparency report and the time period covered.
Canarywatch is a coalition of organizations including the Electronic Frontier Foundation, the Berkman Center for Internet and Society, NYU's Technology Law & Policy Clinic, Freedom of the Press Foundation and the Calyx Institute. The Calyx Institute runs and hosts canarywatch.org.