Law enforcement agencies issue warrants to companies to compel them to provide access to user data for investigations. Oftentimes these warrants are connected to a gag order, prohibiting the company from disclosing the existence of the request to protect the investigation's confidentiality.
A warrant canary is an idea to get around gag orders indirectly. Effectively, the organization regularly states they haven’t received a warrant and if they ever stop stating it, someone can infer that they received a warrant. It relies on the idea that a court cannot compel speech.

As an example, Cloudflare introduced 6 canaries, which have been on their website since 2019:
Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
....
Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
In this post, I investigate the efficacy of warrant canaries and why they might not work as well as expected. I focus both on how well they work and on why we might think they work better than they do.
How well do warrant canaries work?
When I first heard of them a few years ago, warrant canaries seemed like a great idea - cleverly getting around a law preventing speech - after all, you can’t force a company to say something, let alone something untrue. Historically, they have had some important backers, and in November 2013, Apple was the first major company to state that it had never received an order for user data under the Patriot Act. Then approximately a year later, GigaOm reported that the warrant canary disappeared (2014).
Unfortunately, practically speaking there are 2 main issues with warrant canaries:
The first issue is that, in practice, warrant canaries are not that effective at communicating meaningful information.
In 2015, a coalition of leading digital rights organizations[1] banded together to create an organization called Canary Watch, which would help monitor changes and removals of warrant canaries. However, just one year later they wrote, “all of the members of the Canary Watch coalition have come to the agreement that the project has run its course and has come to a natural ending point.”
While the coalition found that the project raised a lot of awareness of warrant canaries, they concluded that the work of actually tracking them was not worth it, because warrant canaries often provide only a single piece of information: that "something has happened." However, the range of possibilities for what that "something" might be is vast, making them a less-than-useful tool. These possibilities range from something as benign as the person forgetting to update the canary (which is most common) to more severe scenarios, such as the service receiving a national security letter or even being intentionally backdoored (which is least common). They found that this lack of specificity dramatically reduces their overall utility.
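To make the "something has happened" limitation concrete, here is an added example (not from the original post or from Canary Watch) of a minimal canary monitor. The snapshot format, the 90-day freshness window and the provider statements are assumptions constructed for illustration.

```python
import re
from datetime import date

# Constructed snapshots of a hypothetical provider's canary page (not real data).
BASELINE = {
    "updated": date(2024, 1, 1),
    "statements": [
        "We have never received a national security letter.",
        "We have never turned over our encryption keys to anyone.",
    ],
}
CURRENT = {
    "updated": date(2024, 1, 1),  # the date was never refreshed
    "statements": ["We have never turned over our  encryption keys to anyone."],
}

# Explanations the post lists for a changed canary; the page alone cannot rank them.
POSSIBLE_CAUSES = [
    "operator forgot to update the canary",
    "service received a national security letter",
    "service was intentionally backdoored",
]

def normalize(text):
    """Collapse whitespace and case so cosmetic edits are not reported as removals."""
    return re.sub(r"\s+", " ", text).strip().lower()

def check_canary(baseline, current, today, max_age_days=90):
    """Return (finding, detail) tuples; an empty list means no change was seen.
    max_age_days is an assumed freshness window, not a standard."""
    if current is None:
        return [("page_missing", None)]
    seen = {normalize(s) for s in current["statements"]}
    findings = [("statement_removed", s) for s in baseline["statements"]
                if normalize(s) not in seen]
    age = (today - current["updated"]).days
    if age > max_age_days:
        findings.append(("stale", age))
    return findings

def interpret(findings):
    """Every non-empty result maps to the same undifferentiated set of causes."""
    return list(POSSIBLE_CAUSES) if findings else []

if __name__ == "__main__":
    found = check_canary(BASELINE, CURRENT, today=date(2024, 6, 1))
    print(found)
    print(interpret(found))
```

Whatever the monitor detects (a stale date, a dropped sentence, a missing page), `interpret` returns the same list, which is the single bit of information the coalition describes.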
The second issue is that warrant canaries likely do not pass legal muster.
From speaking with lawyers, it seems likely that warrant canaries are barred by the gag order, the same way a proactive disclosure would be. Importantly, no meaningful cases challenging warrant canaries have been tried in the US[2]. However, serious researchers generally seem to believe they would not withstand a serious challenge. Moxie Marlinspike, creator of Signal and co-author of the Signal protocol[3], is regularly cited as saying: “Every lawyer we've spoken to has confirmed that this would not work.” (2014).
Bruce Schneier (not a lawyer, but someone with lots of legal experience and lawyer colleagues), says “It relies on the fact that a prohibition against speaking doesn’t prevent someone from not speaking. But courts generally aren’t impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue.”[4]
When asked, a lawyer I spoke to said: “Warrant canaries seems pretty nonsense. Like how non-lawyers think law might work, with loopholes where a judge is like `Ah damn you got me!`”
This second point is likely related to the first: the fact that warrant canaries probably wouldn’t withstand meaningful legal scrutiny likely contributes to them not being that useful. While it’s possible to imagine a warrant canary that is well-implemented and provides meaningful information, the more information a warrant canary provides, the more likely it is to be called into legal question[5]. So from a legal perspective, each of the companies interested in providing a warrant canary is incentivized to provide as vague a warrant canary as possible.
Why did I think Warrant Canaries were legitimate and helpful?
In light of the realization that warrant canaries are not effective tools, I would argue that warrant canaries are another form of security theater[6]: security measures that increase feelings of security while not actually providing meaningful security. And there really is good reason to think that warrant canaries are real: many companies have been claiming to use warrant canaries for some time now; security companies like Cloudflare (already mentioned) and NordVPN openly discuss warrant canaries (until ~2 months ago) as if they are meant to instill trust.
Security theater is a form of marketing or advertisement by these companies; it is trying to convince people of the security/trustworthiness of a product or company. However, clearly not all advertising is theater. I would make the distinction that security theater generally aims to mislead non-technical audiences by making (true) technical claims that don't do as much as promised.
This framing raises two points of concern:
How easy it is for non-legal people to be wrong about the law, and the role of experts in understanding security.
And it poses the question, who is this theater even for?
How easy is it to be misled?
I am literally a PhD student studying data privacy, and up until this week, I thought warrant canaries were legitimate tools[7] (though, maybe I am behind the times). It wasn’t until I dug deeper and spoke with colleagues that I discovered that they are not particularly useful tools in practice. I regularly see this extend beyond me: it seems that smart, technical people[8] with no legal training are fairly prone to convincing themselves of the way that something should work. This last week, I’ve been thinking deeply about how I was misled (so easily).
In this case, I think the reason comes down to the specifics of how technical security experts think (something they like to call security thinking), and the limitations of security thinking in legal settings. To me, warrant canaries bear a clear resemblance to security codes in end-to-end encryption. Security codes are unique cryptographic fingerprints used to verify that communication is securely encrypted between intended parties without interception. Users can compare these codes to ensure no man-in-the-middle attack has compromised the encryption. Like warrant canaries, security codes do nothing to protect against an attack (or disclosure); they only alert you to the existence of one.
Warrant canaries very clearly emerged from security thinking by technical experts — people who approached a system and a problem, and asked “how can I break the system to fix the problem”.
The problem is that the law is easy to get wrong: there are a lot of ways in which it would make sense for the law to work, but in which it simply does not. People go to law school for a reason. These technical experts don’t always understand the system well enough to bend it correctly.
Believability increases staying power
I was originally told about warrant canaries by a technical expert (not a legal one), and I was misled by the implications of companies that these tools were meaningful for privacy/security. Only upon my own personal investigation, 2 conversations with lawyer peers, and a rabbit hole into Signal’s CEO did I really change my perspective.
Once a sufficiently plausible story starts being shared by experts (perhaps of a neighboring field), the story is probably going to stay for some time: plausible, niche facts told to you by someone with authority have real staying power[9].
Who is this theater even for? And what are the downsides to the theater?
I think the most surprising question about this kind of security theater is who is this even for?
The answer, I think, is: people like me, and probably you, if you’re reading this post. Someone who is generally technically competent, but cybersecurity law is not their domain. In many ways, the target demographic is the individuals that companies like Apple are building a business model around: selling privacy/security to people where the differentiating feature of the product is specifically the privacy/security of it.
All this said, security theater is a calculated risk, as there is potential risk and harm to these businesses from being caught doing security theater: hypothetically, they suffer reputational damage as serious security companies. I imagine these companies believe that the benefits to their brand and increase in customers outweigh the reputational harms to the company of being caught doing security theater. Personally, I do think less of companies that I find engaging in privacy washing or security theater. It makes me ask: what other security practices are not meaningful that you are claiming are meaningful? I am more wary, and actions like this make me increasingly cautious.
Some of my takeaways:
The first takeaway is the literal one: as they stand, warrant canaries provide little information, and companies appear unwilling to push the envelope on this front, likely because a legal fight may reveal that they are illegal.
We should be even more mindful of companies pitching security/privacy practices, as these companies are not typically selling security; they are selling the feeling of security (in particular business-to-customer companies).
Developing pathways to validating my trust in a fact/statement is critical, and so easy to do incorrectly. We know this generally in a world of fake news and misinformation, but I’m surprised to find myself falling for it so close to my domain expertise. It’s a bit of a wake-up call for me.
Plausible, but niche, facts that are slightly outside your domain are exactly the ones that are easiest to get wrong, and are very easy to propagate misinformation about when you tell someone who thinks of you as more of an expert than you are.
Experts need to be extremely careful in making comments about neighboring fields, because they risk misinforming people who transfer trust in them on one topic to trust in them on another topic.
As a note, for a fuller description of warrant canaries and their history, I recommend this post on them by Josh Lake.
Thanks to Sarah Schwettman and Ben Murphy for comments!
[1] EFF, Freedom of the Press Foundation, NYU Law, Calyx and the Berkman Klein Center.
[2] Though, they were explicitly made illegal in Australia.
[3] Which is used by effectively every end-to-end encryption messaging service today.
[5] And generally, courts have a lot of deference to law enforcement, in particular for National Security Letters, so would likely defer to law enforcement over the company.
[6] A term coined by Bruce Schneier to describe the TSA.
[7] I originally set about trying to write a blog post explaining the concept of warrant canaries in layman terms.
[8] Technically smart people, if you will.
[9] Beyond the initial believability of the effectiveness of warrant canaries, there’s also a selection bias — only the ideas that are sufficiently plausible are the ones that sit with us and stand the test of time. The idea actually originated in 2002 (on Yahoo groups, no less); Steven Schear introduced an idea to establish a norm that users could message the company and request if their data had been accessed. This idea eventually fell out of discussion for practical concerns rather than legal ones, but similar to warrant canaries, does not appear to hold water, legally. His rationale was rooted in the argument “My understanding is that the courts cannot order an ISP to act affirmatively and provide a patron with incorrect information (i.e., they cannot deputize you and force you to lie to the patron).”
It seems worth observing that only an idea that is sufficiently plausible and technically niche would have the holding power for over 2 decades.