Warrant canary

Details: Last Updated: 26 July 2021

Regulatory

What on earth is a warrant canary?

A warrant canary is a regularly published statement that a service provider has not had a notice issued by a court as of a given date. If the notice is not updated or is removed users can assume a service provider has been served such a notice and as such is compromised. The idea is that users would be informed without a breach of an order made by a court. This is made more actionable when regular transparency reports are produced by the service provider.

In the UK, where this site is hosted, the powers concerned are regulated by the Regulation of Investigatory Powers Act 2000 as amended to date and penalties could range from a fine to up to five years in prison. In the US they are regulated by the Patriot Act 2001. Both of these regulations have criminal penalties for disclosing the existence of such notices where such disclosure is prohibited.

Tipping-off - Regulation of Investigatory Powers Act 2000, Section 54

(4)A person who makes a disclosure to any other person of anything that he is required by a section 49 notice to keep secret shall be guilty of an offence and liable—
(a)on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine, or to both;
(b)on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both.

Tipping-off - Section 54 UK Regulation of Investigatory Powers Act 2000

In 2013 Apple were widely reported to have added this statment, which could serve as a warrant canary to their transparency report

“Apple has never received an order under Section 215 of the USA Patriot Act."

Apple Transparency report 2013131105reportongovernmentinforequests2.pdf

This document is not available from Apples website now, and Apple no longer add such a statement to their transparency reports. Perhaps this is an acknowledgement of thinking that removing such a canary from a report is the pretty much the same as notifying users that such a notice is in place.

Apple do however provide a lot of detail about the specific number and type of reauests made of them about devices or accounts/apple IDs. This is open and transparent and welcome.

Transparency - Government requests - Apple Computer

Transparency page screenshot - Apple Computer

What is the usefulness of a warrant canary in 2021?

Not much use, I'd say. They are untested in law. They were an experiment a few years ago which is what made me come across the technique. There isn't an Internet Standard behind them, and there doesn't seem to be a lot of industry support for them currently.