Warrant Canary: Definition, Evolution & Impacts

Learn why Top Industry Analysts consistently name Okta and Auth0 as the Identity Leader

Okta

Updated: 04/21/2022 - 12:25

Time to read: 4 minutes

A warrant canary is a notice that a provider hasn't been served with a government subpoena. This tiny statement should reassure users that their data is safe, as government officials aren't scrutinizing it.

At one point, consumers were deeply worried about government intrusion into electronic life. And companies rarely, if ever, got served with documents that put privacy at risk. But times have changed.

Now, warrant canaries are relatively rare. Most companies have been served by warrants, and arguably, fewer consumers see the need for proof that warrants aren't being issued.

How Does a Warrant Canary Work?

A warrant canary is proof of a negative. A company that shares one, typically as part of a transparency report, states that no privacy-violating warrant is in place right now.

Most companies are legally required to hand over customer data when provided with the proper paperwork. The Patriot Act, for example, requires cable providers to disclose data about customers — without notice — when asked to do so. Since cable operators deliver internet access, they could be compelled to give scores of data in response to a subpoena.

When the legal wheels are in motion, a company can't tell customers about it. Your cable company can't send you a notice that a subpoena has arrived and your data is at risk.

But the company can use a warrant canary to tell you that no subpoenas are in place. In theory, you could watch that notification page. If it disappears or is modified, you know a warrant has hit. That knowledge comes your direction without direct disclosure from your provider. You infer that something has changed.

Who Uses Warrant Canaries?

Privacy is just as important to companies as it is to individuals. And sometimes, the government asks for more power than it needs.

For example, privacy experts say the FBI made multiple mistakes between 2003 and 2006, such as writing up warrants with incorrect information, grabbing data they shouldn't have seen, or violating people's First Amendment rights.

A warrant canary is a way to fight back. And at one point, several companies used them. Most of them eliminated their notices, which suggests they released data in response to an official request. Notable examples include:

Apple. Officials included a warrant canary in transparency reports, and they cited the Patriot Act by name. The warning disappeared in 2014.
Pinterest. The company included warrant canaries in transparency reports until 2015.
Reddit. The company included a warrant canary in reports until 2016.

We don't know how many companies use warrant canaries now. Canary Watch, a joint project with the Electronic Freedom Foundation, the Freedom of the Press Foundation, NYU Law, Calyx, and the Berkman Center, tracked canaries for about 12 months. Organizers tracked canary statements and noticed when they were revised or deleted. The project wrapped up in 2016, and there are no plans to bring it back.

Are Warrant Canaries Helpful?

A warrant canary is a strong statement about privacy, transparency, and government interference. Companies that put privacy at the center of all activities may remain committed to the practice, but some won't.

Experts say warrant canaries aren't always legal. The documents rely on the assumption that denying a warranty is different than discussing one openly. That may not hold up in court.

A company that goes to trial over a warrant canary could expose even more data and anger hundreds or thousands of customers.

Additionally, about 63 percent of American consumers believe it's not possible to go through daily life without government data collection. They don't expect privacy, and they're not likely to be angry when it disappears. Hassling with a warrant canary may come with zero benefits.

The best way to assure your customers that you care about privacy is to surround them with security all the time. Start by crafting strong authorization rules. Read this blog post to get started.

References

Special Analysis: Why Did the NYPD Cite an Anti-Terrorism Law When It Subpoenaed a Reporter's Twitter Account. (February 2020). Reporter's Committee.

Warrant Canary Frequently Asked Questions. (April 2014). Electronic Frontier Foundation.

Apple May Have Quietly Signaled That It's Received a Secret Patriot Act Order. (September 2014). The Verge.

Has Pinterest Been Targeted by the FBI? (May 2016). IT Pro.

Reddit Kills Off Its Warrant Canary as Users Come Under Scrutiny of Spooks. (April 2016). Yahoo News.

Canary Watch One Year Later. (May 2016). Electronic Frontier Foundation.

Australia Outlaws Warrant Canaries. (May 2015). Schneier on Security.

Americans and Privacy: Concerned, Confused, and Feeling Lack of Control Over Their Personal Information. (November 2019). Pew Research Center.