Let’s imagine a world where telecommunications providers and online services pay more than lip service to users’ privacy and security. In such a place, they send an email to every customer and user each morning, with words to this effect:
“As of this date, we have not received any requests or demands from law enforcement, or any other parties, seeking information about your data and/or other activities with our service.”
One morning, in the case of a (hopefully) small number of recipients, the email would not appear. This would, in effect, be a notification that such a request or demand had, indeed, arrived.
Why is such a system—often called a “warrant canary”—necessary in the first place? Because the government continues to abuse its powers, and judges (and Congress) continue to allow the abuse. So it’s time to insist that the companies whose services we use step up and protect our rights.
Here’s the latest example. Almost three years ago, the U.S. government ordered Google to turn over a vast amount of information it was holding about people connected to WikiLeaks. Google complied but didn’t get permission to notify its users until recently. Recently, these individuals found out—and they were enraged at both the scope of the government’s sweep and what they perceived as Google’s beyond-tardy notification. They made their displeasure clear in a letter to the company.
Google was under a gag order, it turned out—instructed by the government not, under any circumstances, to tell the targets of its spying. And in a Washington Post interview, an attorney for Google said it had been fighting against this and other gag orders for years.
I’m not arguing that gag orders are always wrong. In some cases, telling the target might lead him to destroy evidence or to flee to avoid capture. But as governments always do, they take what makes sense in a few cases and try to extend it broadly. The notion of a gag order lasting forever is simply obnoxious to all notions of liberty.
Hence the need for warrant canaries, an expression derived from “canary in the coal mine”—when the canaries died due to invisible carbon-monoxide gas that would prove deadly to miners, they’d have time to reach safety. (Think of them as an “everything's OK” alarm.) The Electronic Frontier Foundation has an excellent FAQ about warrant canaries, including a list of some of the companies currently using them.
Kurt Opsahl, the EFF’s deputy general counsel and creator of the FAQ, says more and more companies are starting to issue transparency reports, and warrant canaries (the few that there are) often go there. In Apple’s 2013 transparency report, for example, the company said it had “never received an order under Section 215” of the Patriot Act—but that language disappeared in subsequent transparency reports, as sharp-eyed observers spotted almost immediately.
Warrant canaries wouldn’t be needed in the first place, of course, if the government weren’t so freewheeling with its gag orders. Twitter, which has been more aggressively protective of free speech than the other major services, sued the government last year. It argued that on First Amendment grounds, it should have broader rights to disclose invasions of its users’ accounts. Naturally, the Justice Department, in keeping with the Obama administration’s obsession with secrecy, is aggressively saying no to even small progress.
How can it be constitutional in any case to tell companies and people not to speak, often indefinitely or forever? In 2013, a federal judge found the National Security Letters to be a violation of the First Amendment in some circumstances. The order has been stayed while the government appeals.
The current style of warrant canaries—broad notifications to everyone with Web postings—are fine as far as they go. But once it’s clear that the company has been forced to turn over information under a gag order, it strikes me as incumbent on the company to let its law-abiding customers know if they—as does happen—have been swept up in a dragnet. Opsahl tells me, however, that he knows of no company doing what I suggested at the top of this piece: notifying customers and users individually for as long as it has not received requests for each person’s data. Most users would just ignore it, but activists, journalists, and others who have reason to worry—including, yes, people contemplating or engaging in criminal activity—would certainly sign up for such a service.
In a new Yale Law Journal article on warrant canaries, Rebecca Wexler predicts this kind of notification is on the horizon. Information services such as email providers will create “disclosure by design” by embedding it into their services, she says. Let's hope so.
If warrant canaries became more common, might the government then start ordering companies and individuals to lie outright? You’d think this would be beyond the pale, but given the way our liberties have been twisted in recent years, it's frighteningly in the realm of possibility. No one knows if any of the currently posted warrant canaries are government-ordered lies, but I’d guess not, at least so far.
One way we could reduce the need for warrant canaries is to reduce our reliance on centralized technology and communications. If your data is genuinely in your control, you'd find out immediately if the government wanted a copy, because it would have to come directly to you.
That’s far easier said than done, as anyone who’s ever operated an email server can attest. But if the companies providing these services can’t bring themselves to do what’s right for their users and customers in an era when government becomes more and more intrusive and obnoxious, this may become the only alternative. This is a market opportunity for someone.