What is a warrant canary?

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed.

Warrant canaries are often provided in conjunction with a transparency report, listing the process the service provider can publicly say it received over the course of a particular time period. The canary is a reference to the canaries used to provide warnings in coalmines, which would become sick before miners from carbon monoxide poisoning, warning of the danger.

How might a warrant canary work in practice?

An ISP might issue a semi-annual transparency report, stating that it had not received any national security letters in the six month period.  NSLs come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gag is unconstitutional, that order is currently stayed pending the government’s appeal). When the ISP issues a subsequent transparency report without that statement, the reader may infer from the silence that the ISP has now received an NSL.

Why would an ISP want to publish a warrant canary?

Sunlight is said to be the best of disinfectants.” – Justice Louis D. Brandeis.

We are in a time of unprecedented public debate over the government’s powers to secretly obtain information about people. The revelations about the massive NSA bulk surveillance program have raised serious questions about whether these powers are necessary, legal and constitutional.  Secret surveillance violates not only the privacy interests of the account holder, but the speech interests of ISPs who wish to participate in these public debates.

Why should we care about publicizing secret legal process like national security letters?

As part of the reauthorization of the Patriot Act in 2006, Congress directed the DOJ Inspector General to investigate and report on the FBI’s use of NSLs. In three reports issued between 2007, 2008 and 2010, the IG documented the agency’s systematic and extensive misuse of NSLs.

The reports showed that between 2003 and 2006, the FBI’s intelligence violations included improperly authorized NSLs, factual misstatements in the NSLs, improper requests under NSL statutes, and unauthorized information collection through NSLs. The FBI’s improper practices included requests for information based on First Amendment protected activity.

In December 2013, the President’s Review Group on Intelligence and Communications Technologies recommended public reporting—both by the government and NSL recipients—of the number of requests made, the type of information produced, and the number of individuals whose records have been requested.

As discussed below, NSLs are just one type of gagged legal process.  Similar problems persist in other forms of secret process.

Is it legal to publish a warrant canary?

There is no law that prohibits a service provider from reporting all the legal processes that it has not received. The gag order only attaches after the ISP has been served with the gagged legal process.  Nor is publishing a warrant canary an obstruction of justice, since this intent is not to harm the judicial process, but rather to engage in a public conversation about the extent of government investigatory powers.

What are some of the gagged legal processes that an ISP might receive?

An ISP may be gagged from stating it has received any one of several types of national security letters, orders from the Foreign Intelligence Surveillance Court (like the Section 215 orders used for the bulk call records program and the Section 702 orders used for the NSA’s PRISM program), or even an ordinary subpoena when accompanied by a gag order pursuant to the Electronic Communication Privacy Act. The government has issued hundreds of thousands of these gagged legal requests, but very few have ever seen the light of day. 

What does the government say is permissible for recipients of gagged legal process?

The government allows ISPs to report receipt of gagged legal process in ranges of 1000, starting at 0, for six-month periods.  So if an ISP received 654 NSLs, it could report 0-999.  If the companies choose to report FISC requests and NSL requests combined, they can use ranges of 250, again starting at 0.  For example, Apple reported receiving 0-249 national security requests in the first half of 2013 and AT&T reported 0-999 content FISC orders, 0-999 non-content FISC orders and 2000-2999 NSLs for the same period. 

While the government-approved ranges all start at zero, publication of a range indicates that the ISP has received at least one, as otherwise the ISP would have no obligation to follow the government’s formula. 

In contrast to the government-approved ranges, warrant canaries can be much more specific, making the it easier to determine what sort of legal process an ISP has been served with.

What’s the legal theory behind warrant canaries?

The First Amendment protects against compelled speech. For example, a court held that the New Hampshire state government could not require its citizens to have “Live Free or Die” on their license plates. While the government may be able to compel silence through a gag order, it may not be able to compel an ISP to lie by falsely stating that it has not received legal process when in fact it has.

Have courts upheld compelled speech?

Rarely.  In a few instances, the courts have upheld compelled speech in the commercial context, where the government shows that the compelled statements convey important truthful information to consumers.  For example, warnings on cigarette packs are a form of compelled commercial speech that have sometimes been upheld, and sometimes struck down, depending on whether the government shows there is a rational basis for the warning.

Have courts upheld compelled false speech?

No, and the cases on compelled speech have tended to rely on truth as a minimum requirement. For example, Planned Parenthood challenged a requirement that physicians tell patients seeking abortions of an increased risk of suicidal ideation. The court found that Planned Parenthood did not meet its burden of showing that the disclosure was untruthful, misleading, or not relevant to the patient’s decision to have an abortion.

Are there any cases upholding warrant canaries?

Not yet. EFF believes that warrant canaries are legal, and the government should not be able to compel a lie. To borrow a phrase from Winston Churchill, no one can guarantee success in litigation, but only deserve it.

What should an ISP do if the warrant canary is triggered?

If an ISP with a warrant canary receives gagged legal process, it should obtain legal counsel and go to a court for a determination that it cannot be required to publish false information.  While some ISPs may be tempted to engage in civil disobedience, EFF believes that it is better to present the issue to a court, to help establish a precedent. If you run an ISP with a warrant canary and receive gagged legal process, contact info@eff.org if you would like help finding counsel.

How often should an ISP publish the warrant canary?

Various ISPs have published canaries on a wide range of schedules.  To allow time to file a case and for the court to rule on the important legal questions, we suggest at least few months between the transparency report and the time period covered.

Who has issued warrant canaries?

A number of service providers have issued warrant canaries, including:

  • Apple (“Apple has never received an order under Section 215 of the USA Patriot Act.”)
  • Electric Embers ("Since our beginnings in 2003, we have received and complied with 0 (zero) government requests for information.")
  • Espionageapp.com (“We have not placed any backdoors into our software and have not received any requests for doing so. Pay close attention to any modifications to the previous sentence, and verify the signature of this "watch zone" by viewing the page source. Our public GPG key can be found using this ID: A884B988”)
  • Lookout (“Furthermore, as of the date of this report, Lookout has not received a national security order and we have not been required by a FISA court to keep any secrets that are not in this transparency report.”)
  • MagusNet (picture of a warrant canary with the statement, “No Warrants. No Searches, No Seizures [sic] at Magus Net, LLC.”)
  • Pinterest. (“National security: 0”)
  • Rise Up (“Riseup has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order by a FISA court.”)
  • Rsync.net (“No warrants have ever been served to rsync.net, or rsync.net principals or employees. No searches or seizures of any kind have ever been performed on rsync.net assets . . . .”)
  • Tumblr (“As of the date of publication of this report, we have never received a National Security Letter, FISA order, or any other classified request for user information.”)
  • Vilain (“THE FBI HAS NOT BEEN HERE (watch very closely for the removal of this sign).”)
  • Wickr (“As of the date of this report, Wickr has not been required by a FISA request to keep any secrets that are not in this transparency report as part of a national security order.”)

Update April 21, 2014: Updated link and quote for Rise Up's policy, added Electric Embers.