Thursday, July 28, 2016

On the usefulness of warrant canaries

Warrant canaries can be useful tools for letting users know that you have received a national security letter (NSL) that you would otherwise be unable to talk about.  Without using a canary, you would be otherwise unable to legally let users know about the invasion of their privacy.

The idea of warrant canaries became very popular a couple of years ago and even spawned the CanaryWatch movement and website.  But the CanaryWatch folks eventually terminated the project citing changes in wording, missed updates, etc. that communicated confusion among those examining the canaries.  The project was still a success however since it got people talking and thinking about NSL's and other secret court warrants.

I raise the idea of warrant canaries today because a site I've used in the past,, let their warrant canary expire today.  This leaves me in an interesting position of wondering whether someone was lazy, someone was hit by a bus, or they were served with an NSL.

The first and last are concerning.  If you say you care about privacy but can't set a calendar reminder, I'm a little concerned about your privacy street credibility.  It's also sloppy and doesn't inspire confidence in the rest of your operations.  If you've been served with a warrant on the other hand, I'm concerned about that as well.

Word to the wise, if you are going to deploy a warrant canary make sure you update it.  Otherwise you're leaving your users in a confused state and possibly exposing sloppy internal practices.  While a warrant canary can possibly increase user confidence in your operation, failing to update one does exactly the opposite.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.