A warrant canary is a public statement describing an action that a service provider has not done; the statement is removed if the service provider gets a legal order to take that action but is prohibited from disclosing it.
A warrant canary is a statement that declares that an organization has not taken certain actions or received certain requests for information from government or law enforcement authorities. Many services use warrant canaries to let users know how private their data is.
Some types of law enforcement and intelligence requests come with orders prohibiting organizations from disclosing that they have been received. However, by removing the corresponding warrant canary statement from their website (or wherever it is posted), organizations can indicate that they have received such a request.
Why is it called a "canary"? The term stems from the common "canary in the coal mine" analogy, which refers to the practice of bringing canaries down into mines to help indicate the presence of deadly gas. The gas was invisible and could not be smelled, but if the canary died, the miners would know the gas was present. Similarly, some government requests are "invisible" — they cannot be announced publicly. However, a missing warrant canary indicates that such a request exists, just as a canary's death indicated the presence of deadly gas.
One of the earliest examples of a warrant canary was a sign posted inside a library in the US state of Vermont in 2005. The sign simply read, "The FBI has not been here"; if the sign was taken down, the implication would be that the US Federal Bureau of Investigations (FBI) had accessed patrons' records within that library.
Here is an example of a more sophisticated warrant canary for an online service: "Our company has never installed any law enforcement software or equipment anywhere on our network." (See the Cloudflare warrant canaries section below for more examples.)
Warrant canaries typically appear in transparency reports. A transparency report is a report published at regular intervals by an organization, to report on law enforcement requests for information. Some transparency reports also describe how often content was removed or blocked as a result of government intervention.
When a warrant canary disappears from the latest version of a transparency report, this indicates that the statement no longer applies — in other words, a government agency has made a request as described in the canary.
You can read the Cloudflare Transparency Report here.
A government request is any request for information from a government agency. Government requests include requests from law enforcement agencies, which generally investigate crime, as well as requests from intelligence agencies or other government agencies with investigatory authorities. Government agencies generally must go to a court to order organizations to produce information, making it compulsory for organizations to comply. But they can also simply request information. Requests from intelligence agencies are particularly relevant for warrant canary usage because they typically cannot be announced publicly.
A national security letter (NSL) is a type of intelligence request specific to US intelligence agencies. NSL recipients are required to keep the fact that they have received an NSL secret so the agencies can conduct their investigations without interference and without tipping off the subject of the investigation. Federal agencies can only use NSLs to request certain types of records — they cannot request the content of communications, such as email body text or phone conversations.
Encryption is a method of concealing information by scrambling it so that it appears to be random data. Only parties with the encryption key can decrypt and view the real information.
There have been many instances when governments have asked technology service providers to introduce backdoors into their encryption. A backdoor is a built-in way to circumvent encryption, much like giving someone a master key that can open any lock within a building.
Backdoors make encryption weaker and less secure. For this reason, technology providers may include an encryption warrant canary to indicate whether or not their encryption has been weakened at the request of a government agency.
As of December 2020, Cloudflare has the following warrant canaries posted:
See the Cloudflare Transparency Report to learn more.
이 글을 읽은 후에 다음을 할 수 있습니다:
Encryption and privacy
Right to be forgotten