84

While browsing VeraCrypt's website I found its warrant canary. I tried to understand what it is and what its purpose was by reading the corresponding Wikipedia article. To be honest I find it quite confusing.

Can someone explain what a warrant canary is in a bit less complicated way than Wikipedia does?

6
  • 2
    This appears to be a duplicate of Is there any legal theory behind “warrant canaries”? on law.se.
    – Philipp
    Commented May 16, 2017 at 8:19
  • @Philipp That link was already mentioned under dr jimbob's answer.
    – Mast
    Commented May 16, 2017 at 8:27
  • 18
    IMO, it shouldn't be migrated and cross-site duplicates are allowed.
    – Mast
    Commented May 16, 2017 at 8:31
  • 8
    These are soooooooooooo weird times; I fear official governments much more than I fear "private" criminals.
    – Uwe Keim
    Commented May 16, 2017 at 11:29
  • 1
    Ironically enough, the PGP signature to that canary is invalid because of encoding problems, and the fact that the news headlines happened to have an é.
    – NH.
    Commented Nov 20, 2017 at 17:33

3 Answers

113

Governments may issue secret government subpoenas to communication providers that force them to disclose private data about their users or insert backdoors into their products. Furthermore, governments may give criminal penalties to an organization that chooses to publicly disclose if a subpoena was issued.

Some tech organizations attempt to get around this by regularly issuing "we have never been issued any such government subpoenas" while signing their messages with their private key. This message is called a warrant canary, with an analogy to a canary in a coal mine. (If the mine begins to fill up with poisonous gases, the small canary will feel its effects before humans and serves as a warning to everyone to get out of the coal mine). If the government issues a subpoena to them, they promise they will stop issuing the cryptographically signed message stating "we have never been issued any secret gov't subpoenas". While the law allows the gov't to penalize them for disclosing information about a secret subpoena, there is (currently) no law that would require them to continue issuing such warrant canaries.

Granted, it's feasible for a gov't court to secretly force an organization to give up their private keys that were used to sign their warrant canary, or require them to continue publishing their warrant canaries or suffer severe consequences; whether this happens in practice is not publicly known. It's also possible that the people issuing the warrant canary are not trustworthy people and would voluntarily continue to issue them, even while complying with government subpoenas.

For more information check out these links from the comments:

12
  • 43
    Some additional info that doesn't really deserve its own answer: It is unlikely a law will ever be passed (in the US) that would nullify this "canary" approach because it would be a law mandating that a company tell a lie. Unless something dramatic changes, such a law has no chance in court.
    – Vlad274
    Commented May 15, 2017 at 21:19
  • 7
    law.stackexchange.com/questions/268/…
    – user123931
    Commented May 15, 2017 at 21:32
  • 52
    @Vlad274 The law would mandate that a company tell alternative facts, of course.
    Commented May 16, 2017 at 9:07
  • 1
    Notwithstanding what chapka said 2 some years ago, the gov't can't really legally compel speech. Just look at the courts' ruling on ordering people to give up their phone codes; they won't make such an order. Look at the Apple iPhone case: the FBI couldn't compel the release of their signing key.
    Commented May 16, 2017 at 20:47
  • 1
    It's possible attempting to compel an entity to assert anything could be seen as a Fifth Amendment violation in the US. Sometimes it's more about shifting the burden of litigation to a party that would rather not deal with being the litigant (like a US or district attorney's office) than it is about complying with the letter of the law.
    Commented May 17, 2017 at 2:41
14

Basically, it's a way to get around a restriction on disclosing a warrant has been served.

  1. Warrants authorize the seizing of items, including data. Many users want to know if their data has potentially been seized.
  2. Warrant canaries have dates on them.
  3. It can be against the law to disclose that one has received a secret subpoena or warrant (thank you to cat for the correction) to a third party (such as a user).
  4. Receiving a warrant does not compel one to post a warrant canary.
  5. If one does receive a warrant, one does not post a warrant canary. If it is not posted, users/viewers know that a warrant has been served in the last month.

For example VeraCrypt deals with encrypting data. It is possible that a warrant or other court order could be issued to attempt to force VeraCrypt to help decrypt something that their software encrypted. This is a way of alerting users to this fact, without falling afoul of gag orders, etc.

8
  • 4
    it is against the law to disclose a secret subpoena, not any warrant
    – cat
    Commented May 15, 2017 at 23:01
  • 8
    What prevents companies from having a different warrant canary for every single user, not just a general one for everyone?
    – user541686
    Commented May 16, 2017 at 6:19
  • 2
    @Mehrdad Apart from the logistics, probably the degree of defensibility. While a company may be able to defend using a generic "warrant canary" (the question appears open), I suspect it would be much harder to defend a per-user canary. The former doesn't release any details of the warrant(s), only (by omission) that one-or-more have been issued. However, ceasing to publish a "We have not received a warrant regarding Joe Bloggs" would reveal specific detail that (I suspect) would be indefensible.
    – TripeHound
    Commented May 16, 2017 at 9:39
  • @TripeHound: That's what I thought too, but then what defense would individual canaries be more ill-suited for? If the defense is "you can't compel us to lie, especially to our customers", then would the number of customers really matter at all? That's the defense I'm reading everywhere. On the other hand if the defense is "this is a better trade-off for the greater good" then I guess you would be right but that doesn't seem to be the main defense that I'm reading.
    – user541686
    Commented May 16, 2017 at 10:13
  • 1
    In this case they might just order you to stop publishing highly specific warrant canaries with the first warrant, which I am reasonably certain they can do.
    – Joshua
    Commented May 16, 2017 at 21:53
6

In the US, many forms of government cooperation and compulsion are public. Some can be secret, or secret for a period of time. The general idea is that they are public. A company or person may wish to keep such assistance to the government secret or confidential, but there is often no requirement from the government to do so. However, in recent years, that has been changing to a default "make all the things secret" philosophy, and the increased use of National Security Letters.

Warrant canaries are directed at National Security Letters (NSLs), which historically, from what little we know about them, also come with a permanent gag order (aka forced secrecy forever). Because NSLs are issued under the "National Security" umbrella and apparatus (link), the government says they fall outside the normal scope and rule of law, and as such you cannot talk about it or will get thrown into Gitmo and they will throw away the key. Maybe not literally, but they threaten to do all sorts of horrible things and prevent even the receiving entity of an NSL from seeking counsel, which many view to be an abuse of power and due process.

The warrant canary is an attempt to be a solution for companies, who now hold all our private information (willingly or unwittingly), to let their users know if they have been breached by the government by use of force or coercion. This is in addition to the statistics and breach reports companies regularly disclose to their users. The theory is that you can be compelled to be silent, but you can't be compelled to say something, or a particular thing. Therefore, the warrant canary will die when the company goes silent.

A particular warrant canary is only good for a particular length of time, and then must be replaced, refreshed, or updated. If it gets stale or disappears, presumably, an NSL was issued to the company, and that company has been forced to turn over data of one or more of its users.

Source: reading the news on this stuff.

1
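
The check a reader would run against a canary as the answers above describe it (signed, dated, reissued periodically), as an added example that is not part of any answer on this page. The function names, the `Date:` line format, the sample text and the 45-day window are assumptions; `signature_ok` stands for the result of a separate OpenPGP verification over the exact published bytes.

```python
import re
from datetime import date, timedelta

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"
PHRASE = "we have never been issued any such government subpoenas"

# Constructed sample: the banner date above the signed block is NOT signed.
SAMPLE = """Last updated: see below
Date: 2017-09-01
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Example Project warrant canary
Date: 2017-05-01
We have never been issued any such government subpoenas.
-----BEGIN PGP SIGNATURE-----

(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

def signed_body(text):
    """Return only the text covered by the clearsign signature, else None."""
    if BEGIN not in text or SIG not in text:
        return None
    # Armor headers (e.g. "Hash:") end at the first blank line.
    _, sep, rest = text.split(BEGIN, 1)[1].partition("\n\n")
    return rest.split(SIG, 1)[0] if sep else None

def check_canary(text, today, max_age, signature_ok, phrase=PHRASE):
    """signature_ok: result of a separate OpenPGP check (assumed input)."""
    if not text or not text.strip():
        return "MISSING"            # canary removed: treat as tripped
    body = signed_body(text)
    if body is None or not signature_ok:
        return "UNVERIFIED"         # anyone could have written it
    if phrase not in " ".join(body.split()).lower():
        return "STATEMENT_CHANGED"  # wording quietly weakened
    m = re.search(r"^Date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", body, re.M)
    try:
        issued = date(*map(int, m.groups()))
    except (AttributeError, ValueError):
        return "UNDATED"            # no usable date inside the signed text
    if issued > today:
        return "POSTDATED"          # signed in advance, proves nothing
    return "STALE" if today - issued > max_age else "ALIVE"
```

Only the date inside the signed block counts: with the sample above, the newer unsigned banner date does not keep the canary alive.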
