Warrant Canaries — What They Are And What They Mean for Online Privacy

In September, a seemingly small copy change on Apple’s transparency report fueled a national conversation about surveillance and online privacy.

Apple’s 2013 transparency report included the following footnote: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” The 2014 report replaced this statement with a brief note: “To date, Apple has not received any orders for bulk data.”

Many have interpreted Apple’s 2013 statement as a warrant canary — that is, a flag organizations throw to show they haven’t yet been made to comply with a secret subpoena. Apple has been predictably mum on whether the omission was a warning signal, though Twitter has gone public with its defense of warrant canaries, insisting they are a legal way to set privacy expectations for tech users.

So what’s the big deal about warrant canaries? What skin do tech firms, governments and users have in the game?

Warrant Canaries: Not your grandma’s birdwatching.

According to The Register, warrant canaries take their name from the old mining practice of bringing a caged canary to test a mine for poisonous gasses (if Tweety died, it was time to jump ship). Now, in the wake of the Patriot Act and revelations about surveillance programs like PRISM, the public is putting pressure on Silicon Valley firms like Apple, Google and Facebook to reassure users that their privacy is being protected. Warrant canaries are one way these companies can do that.

Another way is with transparency reports. Many tech companies issue reports pertaining to government data requests and content removal. Virtru publishes their own transparency reports detailing the type and number of government requests we’ve received, the number we’ve challenged and how many user keys we’ve provided. As with Virtru’s transparency reports to date, these documents often send the same message as a warrant canary by reporting that the company has received zero security requests.

It’s not hard to see the implicit struggle between public transparency and the secrecy with which intelligence agencies must operate, which puts the interests of big tech firms at odds with those of the government. This is where warrant canaries face a legal gray area. Twitter noted in a blog post that restrictions by the Department of Justice limited the types of data they could publish in their transparency report, including the number of national security requests they had received — even if that number was zero.

Should you be concerned?

Virtru believes that businesses have the 1st Amendment right to report the number and types of security requests they’ve received, under what authorities, and they have the right to use “zero” in their data. Virtru has taken a strong stand in favor of privacy, and we will fight secrecy orders, non-targeted or “bulk” orders and orders for encryption keys based on any standard less than probable cause.

There’s one more wrench to throw into the works: Patriot Act Section 215, which expands the government’s ability to access data collected by businesses, is set to expire in 2015 without legislative action to extend it. It will be interesting to see if the legislation lapses, and how that changes conversations about online privacy and surveillance.

If you’re concerned about data privacy, follow a few best practices: be mindful of what you’re storing and where, and use strong encryption wherever possible. Virtru’s client-side email encryption service provides an extra layer of security between your emails and unauthorized recipients, including hackers and data thieves. There’s no foolproof way to keep your data out of the wrong hands, but there are plenty of ways to gain more control over your own privacy and security.