Unwarranted


Jack, a longtime friend of mine who runs his own software company, once observed that increasing security to thwart criminals doesn’t make the world safer. It makes the criminals smarter.

As it turns out, it makes non-criminals smarter, too.

That’s how Isis Agora Lovecruft wound up with a personal warrant canary. Don’t let images of cute yellow birds merrily chirping away fool you. This is serious canary business.

These canaries are high-tech cousins of the ones used by miners to warn of the presence of invisible coal gas. The warrant canary warns of the presence of a secret national security or law enforcement investigation.

The intent is not to harm the judicial process, but rather to engage in a public conversation about the extent of government investigatory powers.

The concept behind the warrant canary was originated by Steven Schear, who suggested that Internet Service Providers (ISPs) could publish regular statements attesting to the fact that they had not been served with secret requests for user information. Such requests are typically accompanied by a gag order, often because they involve national security concerns.

That statement is a warrant canary.

“My understanding is that the courts cannot order an ISP to act affirmatively and provide a patron with incorrect information (i.e., they cannot deputize you and force you to lie to the patron),” he wrote on the cypherpunks mailing list, articulating the concept on which the warrant canary rests: the government cannot compel false speech any more than it can abridge free speech.

But what about individuals? What if they are caught in a national security investigation?

That’s what happened to Lovecruft, a cryptographer working on the Tor Project, whose software and associated network enable anonymous communication over the internet. Such anonymity is a thorn in the side of government security agencies around the world.

The FBI had approached Lovecruft’s attorney, telling him, “We would strongly prefer to meet her in person. We have some documents we’d like her opinion on.”

Lovecruft had her doubts.

She was concerned the FBI might be trying to coerce her into including a backdoor into Tor’s software or network. Such an end run around Tor’s security would give government agencies access to otherwise confidential communications.

Were Lovecruft to be served with a gag order, confiding in her parents (who had already been questioned by the FBI), alerting colleagues, or seeking advice from industry professionals would result in heavy penalties.

“I didn’t talk to anyone who wasn’t already in regular contact with me,” she wrote on her blog, “fearing I might endanger them—some thug might show up at their mom’s door or make some threats to their lawyers…”

Feeling, in her words, “gagged and frightened,” Lovecruft took the corporate warrant canary and plumped it up a bit.

She published a statement announcing that she had never received any National Security Letters; personal requests for backdoors in projects she was working on; FISA (Foreign Intelligence Surveillance Act) court orders; or subpoenas or search warrants accompanied by a gag order.

As a cryptographer, she knew enough to sign her statement with a digital signature. Anyone with a moderate knowledge of software could verify the document originated with her.

But there was another problem.

What if she were approached to add a backdoor and simultaneously ordered not to remove her warrant canary?

So Lovecruft included in her signature an expiration date.

If she did not renew the warrant canary in six months, anyone validating its authenticity would find it was expired and draw the predictable conclusion that its statements were no longer true.
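The expiry check described above, as an added example that is not from the original post or from Lovecruft's own canary: the expiration date sits inside the signed bytes, so a verifier rejects an altered date and treats a lapsed one as a dead canary. The post does not name the signature scheme, so a Lamport one-time hash signature stands in for it here; the function names, statement text and dates are all constructed.

```python
import hashlib, json, os
from datetime import date

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. A key must sign only ONE message,
    # so each renewal in this stand-in scheme needs a fresh key pair.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def issue_canary(sk, statement, expires):
    # The expiry date is part of the signed bytes, not metadata beside them.
    body = json.dumps({"statement": statement, "expires": expires.isoformat()},
                      sort_keys=True).encode()
    return body, sign(sk, body)

def canary_status(pk, body, sig, today):
    if not verify(pk, body, sig):
        return "INVALID"   # forged, or the statement or date was altered
    expires = date.fromisoformat(json.loads(body)["expires"])
    return "ALIVE" if today <= expires else "EXPIRED"

if __name__ == "__main__":
    sk, pk = keygen()
    # Constructed sample statement and dates.
    body, sig = issue_canary(sk, "No gag orders received.", date(2016, 12, 31))
    print(canary_status(pk, body, sig, date(2016, 8, 1)))
    print(canary_status(pk, body, sig, date(2017, 1, 15)))
    # Pushing the date forward without re-signing breaks the signature.
    forged = body.replace(b"2016-12-31", b"2017-12-31")
    print(canary_status(pk, forged, sig, date(2017, 1, 15)))
```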

It was a creative solution to her problem, but its efficacy remains to be seen.

According to the Electronic Frontier Foundation (EFF), which addresses the issue of the legality of ISP warrant canaries on its website, “There is no law that prohibits a service provider from reporting all the legal processes that it has not received.”

The EFF goes on to say that publishing a warrant canary is not an obstruction of justice, “…since this intent is not to harm the judicial process, but rather to engage in a public conversation about the extent of government investigatory powers.”

Whether this logic extends to individuals, and whether the principle behind warrant canaries is legal at all, has yet to be tested in the courts.

For now, at least, Lovecruft’s warrant canary is, as she puts it, still alive. And the balance between secrecy and transparency has tipped a bit in transparency’s favor.

But, as my friend Jack also pointed out, the principle that security makes for smarter individuals cuts both ways. The government’s reaction to warrant canaries has yet to materialize.

And when it does, you can bet there will be another Lovecruft out there breeding a more robust canary.

 


Mind Doodle…

The principle that the government cannot compel false speech has to be separated from the government’s ability to compel speech under certain circumstances. Case in point? The Surgeon General’s warning on tobacco products. Hardly speech the tobacco industry would have legally fought to protect.
