What is a warrant canary?
A warrant canary is a statement that declares that an organization has not taken certain actions or received certain requests for information from government or law enforcement authorities. Many services use warrant canaries to let users know how private their data is.
Some types of law enforcement and intelligence requests come with orders prohibiting organizations from disclosing that they have been received. However, by removing the corresponding warrant canary statement from their website (or wherever it is posted), organizations can indicate that they have received such a request.
Why is it called a "canary"? The term stems from the common "canary in the coal mine" analogy, which refers to the practice of bringing canaries down into mines to help indicate the presence of deadly gas. The gas was invisible and could not be smelled, but if the canary died, the miners would know the gas was present. Similarly, some government requests are "invisible" — they cannot be announced publicly. However, a missing warrant canary indicates that such a request exists, just as a canary's death indicated the presence of deadly gas.
Warrant canary examples
One of the earliest examples of a warrant canary was a sign posted inside a library in the US state of Vermont in 2005. The sign simply read, "The FBI has not been here"; if the sign was taken down, the implication would be that the US Federal Bureau of Investigation (FBI) had accessed patrons' records within that library.
Here is an example of a more sophisticated warrant canary for an online service: "Our company has never installed any law enforcement software or equipment anywhere on our network." (See the Cloudflare warrant canaries section below for more examples.)
What is a transparency report?
Warrant canaries typically appear in transparency reports. A transparency report is a report published at regular intervals by an organization, to report on law enforcement requests for information. Some transparency reports also describe how often content was removed or blocked as a result of government intervention.
When a warrant canary disappears from the latest version of a transparency report, this indicates that the statement no longer applies — in other words, a government agency has made a request as described in the canary.
You can read the Cloudflare Transparency Report here.
What is a government request?
A government request is any request for information from a government agency. Government requests include requests from law enforcement agencies, which generally investigate crime, as well as requests from intelligence agencies or other government agencies with investigatory authorities. Government agencies generally must go to a court to order organizations to produce information, making it compulsory for organizations to comply. But they can also simply request information. Requests from intelligence agencies are particularly relevant for warrant canary usage because they typically cannot be announced publicly.
What is a national security letter?
A national security letter (NSL) is a type of intelligence request specific to US intelligence agencies. NSL recipients are required to keep the fact that they have received an NSL secret so the agencies can conduct their investigations without interference and without tipping off the subject of the investigation. Federal agencies can only use NSLs to request certain types of records — they cannot request the content of communications, such as email body text or phone conversations.
What are encryption backdoors?
There have been many instances when governments have asked technology service providers to introduce backdoors into their encryption. A backdoor is a built-in way to circumvent encryption, much like giving someone a master key that can open any lock within a building.
Backdoors make encryption weaker and less secure. For this reason, technology providers may include an encryption warrant canary to indicate whether or not their encryption has been weakened at the request of a government agency.
What are Cloudflare's warrant canaries?
As of December 2020, Cloudflare has the following warrant canaries posted:
- Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
- Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
- Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.
- Cloudflare has never modified customer content at the request of law enforcement or another third party.
- Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
- Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
See the Cloudflare Transparency Report to learn more.
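A reader who relies on these statements has to notice when one disappears. The sketch below is an added example, not Cloudflare's code: it compares a recorded baseline of canary statements against the text of a later report, and the names `BASELINE`, `SAMPLE_REPORT`, `normalize` and `check_canaries` and the sample report text are constructed for illustration.

```python
import re
import unicodedata

# Baseline recorded from an earlier report: three of the statements listed above.
BASELINE = [
    "Cloudflare has never turned over our encryption or authentication keys "
    "or our customers' encryption or authentication keys to anyone.",
    "Cloudflare has never installed any law enforcement software or equipment "
    "anywhere on our network.",
    "Cloudflare has never weakened, compromised, or subverted any of its "
    "encryption at the request of law enforcement or another third party.",
]

# Constructed sample of a later report (not real report text): reflowed,
# with a typographic apostrophe, and with the third statement absent.
SAMPLE_REPORT = """
Some things we have never done:
  Cloudflare has never turned over our encryption or authentication keys
  or our customers\u2019 encryption or authentication keys to anyone.
  Cloudflare has never installed any law enforcement software or
  equipment anywhere on our network.
"""

_PUNCT = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"',
                        "\u201d": '"', "\u2013": "-", "\u2014": "-"})

def normalize(text):
    """Fold Unicode forms, typographic punctuation, whitespace and case."""
    text = unicodedata.normalize("NFKC", text).translate(_PUNCT)
    return re.sub(r"\s+", " ", text).strip().casefold()

def check_canaries(baseline, report_text):
    """Return (present, missing) baseline statements for one report version."""
    haystack = normalize(report_text)
    if not haystack:
        # An empty page is a fetch or parsing failure, not a removed canary.
        raise ValueError("report text is empty")
    present, missing = [], []
    for statement in baseline:
        bucket = present if normalize(statement) in haystack else missing
        bucket.append(statement)
    return present, missing

if __name__ == "__main__":
    present, missing = check_canaries(BASELINE, SAMPLE_REPORT)
    for statement in missing:
        print("MISSING:", statement)
```

A statement that has been reworded also lands in the missing list, which is the intended behaviour: any change to a canary's wording calls for a human to read the new report.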