When the FBI or some other government agency comes a-calling at any custodian of your private information, from Google or Yahoo! to the local public library, they bring something called a National Security Letter (NSL).  This not only serves as a warrant for the information they seek, but it also includes a gag order — the institution is not permitted to disclose that they have been served, or what information they handed over.


But companies are fighting back, in a passive-aggressive way (don’t worry, this time it’s a good thing).  As detailed in this article on ZDNet, companies have realized that post-Snowden, customer trust in protection of their data is quite important.  And so many of them are implementing what is called a “warrant canary.”  The name derives from the old practice of taking a canary down with coal miners, so that if gases start to accumulate the more-sensitive canary would die and hopefully give the miners sufficient warning to escape the local buildup of carbon monoxide or similar.

Low-tech warrant canary

A warrant canary is a statement that a company makes proactively that they have not received a demand for data — and silence — bundled into a NSL.  Then, we in the public watch for the statement to go away.  It can be a line in the text of a webpage, or a periodic statement perhaps in a quarterly report for a public corporation.  It can also be a sign on a bulletin board as in the picture to the left.

Legal scholars wonder whether the NSL’s gag order can also be interpreted to require the subject organization to actively lie to the public, and continue to say, “no, they have not been here.”  Moxie Marlinspike has stated his opinion that removing a warrant canary would “likely have the same legal consequences as simply posting something that explicitly says you’ve received something.”

But the Electronic Frontier Foundation (EFF) believes that a law specifically outlawing this practice would be required, and there is no such thing on the books as of now.  So they have established a website, Canary Watch, that maintains a list of existing canaries and monitors them for changes.  

ZDNet quotes EFF staff attorney Mark Rumold as saying, “No court has ever publicly addressed the issue,” and that it would be “unprecedented”  for the government to force a company to keep that warrant canary in place. “I’m skeptical it would ever happen….”

Once a company has been served with a gag order, though, it’s too late.  Verizon was forced to comply with a Section 215 order for phone records data of every one of its customers.  And Twitter is suing with the Justice Department aiming to settle whether or not warrant canaries are protected under the First Amendment right to free speech.

Visit Canary Watch for more on this.  I check it a couple times a week.