Warrant Canary: What This Secret Message by Service Providers Means for Users

Warrant canaries have been employed by online service providers since the early years of this century to protect the privacy of their users. They became a permanent feature of websites and online platforms as a potential response to the United States' Patriot Act, passed in 2001, because most tech giants based in the USA enable government agencies to have complete access to all user data available online. Because this was in direct conflict with the privacy policies of websites and the tech giants of Silicon Valley, they resorted to warrant canaries: a secret message to their users.

Warrant canaries have a history of constant fluctuation: they have been adopted and then dropped later. Different companies wrote varied, succinct messages for their users over the years. Were they successful? That question still cannot be answered. But all this uncertainty is understandable once the government is brought into the equation.

Understand the Origin of the Term To Grasp the Concept

Sometimes it takes an analogy to explain a concept. Caged canaries were used in the past to detect the presence of poisonous gas in a coal mine. Because canaries are more sensitive to gases than humans, they reacted to them first. If the canary died, it was a clear warning of poisonous gas and a signal not to venture any further.

Similarly, websites started placing messages on their main pages stating that they had not received any request from the government or any of its agencies for the data of certain or all people. If that message disappears from their pages, it is a warning sign, discreetly telling users that the site has received a request from the authorities for the data of specific people. These messages came to be called warrant canaries. Just as the absence of a canary in a coal mine is a warning sign, so is the absence of these messages on websites.

How Does Warrant Canary Really Work?

Many tech giants, such as Reddit and Tumblr, have used warrant canaries. As mentioned earlier regarding US legislation on access to personal data, the federal government can compel any website owner to hand over its users' data via a National Security Letter (NSL). The companies then have no option but to take down the warrant canaries on their pages, indicating to their users that a behind-closed-doors request has been received. Moreover, they will not be able to use warrant canaries again, for they have by then received a request.

The following is a warrant canary once used by Reddit:

Reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information.

History of Warrant Canaries

After the Patriot Act was passed in 2001, warrant canaries were a natural consequence for the protection of users' data on websites. The company rsync.net became the first to employ a warrant canary for this purpose. It took some time before major players realized the importance of warrant canaries.

But things changed drastically in 2013. Edward Snowden, an intelligence contractor and whistleblower, leaked confidential documents revealing the surveillance carried out by the government. The revelation alarmed many technology companies, which then followed the same path of warrant canaries. Apple started using warrant canaries in 2013, and Reddit and Tumblr soon followed suit. The following was a brief warrant canary used by Apple:

Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.

But again, these drastic steps were soon undone: Apple dropped its warrant canary in 2014, and so did Reddit in 2016, for unknown reasons.

Moreover, to keep a record of all warrant canaries and to spread awareness about them, Canary Watch was formed by different organizations. But it also came to an end in 2016 because it had served its purpose, according to the Electronic Frontier Foundation.

Are Warrant Canaries Worth Employing?

One does not have to be a scientist to realize that the government is as well aware of warrant canaries as users are. If an intelligence agency wants to obtain users' data from a specific platform without the platform dropping its warrant canary, that will not be difficult to achieve. The authorities can easily coerce any company into keeping its warrant canary on display, stating that it has not received any order to provide the data of certain people. This assumption buries all canaries.

The government can even nip this evil (evil to the authorities, that is) in the bud by passing a law that bans warrant canaries altogether, just as Australia's surveillance law did in 2015. They have not done this yet, which, from one perspective, makes the whole thing suspicious.

Sometimes technical issues can also lead to misunderstanding. A warrant canary might disappear when a website is updated and then reappear within a day or a few days. A change in wording over a period of time could also spread the rumor that the website is being forced to hand over some data.
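One way a reader could monitor a canary with the caveat above in mind, as an added example that is not from the original article: it compares page snapshots against the Reddit statement quoted earlier and raises an alert only when the statement stays missing or reworded across consecutive checks. The snapshot texts, the 0.6 similarity threshold and the two-check persistence rule are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Baseline: the Reddit statement quoted in this article.
BASELINE = ("Reddit has never received a National Security Letter, an order "
            "under the Foreign Intelligence Surveillance Act, or any other "
            "classified request for user information.")

# Constructed page snapshots (not real captures).
OK_PAGE = "Transparency Report.\n" + BASELINE
OUTAGE = "Site maintenance in progress. Please check back soon."
REWORDED = ("Reddit has never received a National Security Letter or any "
            "other classified request for user information.")
REMOVED = "Transparency Report. We publish statistics on legal requests."

def words(text):
    """Lowercased words without punctuation, so layout-only edits don't count."""
    return re.sub(r"[^\w\s]", "", text.lower()).split()

def classify(page_text, baseline=BASELINE, reworded_at=0.6):
    """Classify one snapshot as 'present', 'reworded' or 'missing'."""
    base = words(baseline)
    if " ".join(base) in " ".join(words(page_text)):
        return "present"
    # Word-level similarity between the baseline and each sentence on the page.
    best = max((SequenceMatcher(None, base, words(s), autojunk=False).ratio()
                for s in re.split(r"(?<=[.!?])\s+", page_text)), default=0.0)
    return "reworded" if best >= reworded_at else "missing"

def assess(snapshots, persist=2):
    """Judge a series of page texts, oldest first, one per check.

    A non-'present' state becomes an alert only after it has held for
    `persist` consecutive checks; a shorter run is reported as 'transient'.
    """
    states = [classify(s) for s in snapshots]
    if not states:
        return "no-data"
    if states[-1] == "present":
        return "ok"
    run = 0
    for state in reversed(states):
        if state == "present":
            break
        run += 1
    return f"alert:{states[-1]}" if run >= persist else "transient"

if __name__ == "__main__":
    print(assess([OK_PAGE, OUTAGE]), assess([OK_PAGE, REWORDED, REWORDED]))
```

An alert here means only that the published statement changed or stayed absent; as the article notes, it does not establish why.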

This is what the cryptographer Bruce Schneier has to say about the effectiveness of warrant canaries:

I have never believed this trick would work. It relies on the fact that a prohibition against speaking doesn’t prevent someone from not speaking. But courts generally aren’t impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue.

What To Do If Warrant Canaries Are Not the Solution?

There are some measures on the user's end that are better at keeping privacy intact than relying on warrant canaries. As most of these tech companies are based in the USA, only that country's laws and government can coerce them to hand over data. But if you have an account on a platform based in another country (other than the USA, the UK, Australia, New Zealand and Canada), you would be in a much better and safer position. Also, if you provide only a limited amount of data to online platforms, you would not face privacy-breach issues at all, for you have not provided any information that must be kept confidential or that could lead someone to you.

Or you can resort to the VPN way. The following VPNs do use warrant canaries, but they keep them updated and enable users to browse anonymously. NordVPN is the best of them, for it is from Panama, so American laws are not applicable to it; Surfshark is also a good option, for it is updated on a daily basis; PureVPN is the last of them and, just like Surfshark, it is updated daily.

Things to Remember

Users must bear in mind that the removal of a warrant canary from a website does not necessarily mean that the website has received a request for data of users–it could be a technical issue. More importantly, even if that is the case, considering yourself to be one of the people whose data is asked for is not wise.

Warrant canaries could be called archaic due to the technological evolution in the last decade. Governments have the latest tools in hand to gain access to whatever they want. But in retrospect, warrant canaries would always be tech companies’ best try at securing users’ privacy.

Image: DIW-Aigen
