Riseup’s Zombie Warrant Canary

In the aftermath of the 9/11 attacks in the United States, many tech companies and Internet Service Providers were ordered, through the Patriot Act, to hand over their users’ private data through National Security Letters from the FBI or warrants issued by the highly secretive Foreign Intelligence Surveillance Court. These letters were often accompanied by gag orders that prohibited the affected companies from even informing their users that their systems and data had been accessed by government officials. In an effort to silently alert their users to these intrusions, companies began posting public statements to their websites known as warrant canaries. A warrant canary affirms that a company has not been issued a secret government subpoena.

In the “old days,” miners would use live canaries to test the safety of the mines they were working in. If the canary was sent into the mine and died, it meant the mine had accumulated unsafe levels of poisonous gases and could no longer be used. Warrant canaries are used in much the same way, to warn users of a communication service that the service should be avoided. By removing or not updating its warrant canary, a company signals to users that it may have been served with a secret court order for user information that it is legally compelled not to discuss.

Since warrant canaries are cryptographically signed digital documents, they are generally considered trustworthy and accurate by the Internet community as a whole. While there has been speculation about the government forcing companies to publish warrant canaries, government-compelled speech is extremely rare. It most often occurs only for consumer protection and other safety purposes, such as the warning labels found on cigarettes or cleaning products. Oddly enough, very few companies actually publish warrant canaries. Either they are afraid of walking that fine line with the law, or they cannot publish warrant canaries because they have, in fact, been ordered to provide user information to the government.

Apple and Riseup are among the few organizations to have used warrant canaries in the past. In a 2013 transparency report, Apple published a warrant canary, only to remove that language from the report fairly soon after. A more mysterious and recent case involves Riseup.net, a well-known technology collective of 150,000 users that provides private email, chat, VPN and other services to activists and journalists. Companies historically have updated their warrant canaries approximately every three months, yet Riseup has not updated theirs since August of 2016. In addition, the organization posted a series of mysterious tweets back in November, neither confirming nor denying that it was issued a secret subpoena of any kind by any government agency, but asking its users to still trust in the service. The case of Riseup clearly highlights the problems that can arise when warrant canaries are not properly implemented, such as confusion, anxiety and wild speculation among users.
