
Apple’s “warrant canary” disappears - panarky
https://gigaom.com/2014/09/18/apples-warrant-canary-disappears-suggesting-new-patriot-act-demands/
======
kwhite
Is there any reason why a company could not apply the same concept of a
warrant canary on a user-by-user basis?

Imagine seeing a message every time you log into your Gmail account informing
you that Google has never been compelled to surrender your private data to a
law enforcement agency.

~~~
panarky
Why stop with users? Every email, web search, Lyft ride, Dropbox file,
Facebook post and Grindr encounter could get its own canary: "This message has
never been disclosed to law enforcement".

And as @chiph says, the canary doesn't really have to die after a secret
warrant is served, it just needs to sing a different song: "Your data has not
been disclosed to law enforcement for [ 179 ] days".

[https://news.ycombinator.com/item?id=8336323](https://news.ycombinator.com/item?id=8336323)

~~~
qq66
Courts and legislatures don't look too kindly upon flagrant violations of the
spirit of the law. They view it as an end-run around their power. Although it
happens slowly, loopholes do get shut (cf. Aereo).

A startup that's trying to get some notoriety in a few months or even years
can definitely do something like this. Apple, who has to plan on a longer time
horizon and who probably enlists the soft power of the government on a regular
basis, has to be more cautious.

~~~
Crito
I am not aware of any cases of warrant canaries being tested by the courts,
but the _general principle_ has been effective in the past in the UK.

When cars were first introduced, many towns across the UK viewed them as an
opportunity to make money by fining the rich by setting obscenely low speed
limits (think <20mph) with extraordinarily high fines. In response to this,
the AA was formed to warn motorists of speed traps down the road.

This started to cut into profits, so the the government retaliated by charging
and convicting an AA guy with "obstruction of justice". AA agents were
therefore not allowed to inform motorists of speed traps.

The AA responded by changing their protocol. They would always salute passing
motorists _unless_ there was something wrong (aka, unless there was a speed
trap). The _absence_ of a salute indicated a speed trap, and the law could not
force the AA to salute.

I'm not sure if this was ever challenged in court, but they were able to keep
it up for several decades so it was never _successfully_ challenged in court
at least.

Edit: The AA could be considered sort of similar to the american AAA ( _"
triple-A"_).
[http://en.wikipedia.org/wiki/The_Automobile_Association](http://en.wikipedia.org/wiki/The_Automobile_Association)
[http://www.theaa.com/aboutaa/history.html#tabview=tab1](http://www.theaa.com/aboutaa/history.html#tabview=tab1)

~~~
JupiterMoon
I believe that this remained the habit of motorcyclists until relatively
recently and it has since been tested in court and declared not allow
(reference vague memories of newspaper articles).

~~~
Crito
Do motorcyclists signal to others _except_ when there is a speed trap, or do
they signal to others when there _is_ a speed trap? The later is common in the
states (cars flashing their headlights), but I haven't heard of the former and
enforcing a ban on it seems completely impractical at the very least.

And what kind of free society can force citizens to salute? _" The government
won't tolerate warrant canaries"_ makes intuitive sense because we have grown
used to the courts throwing out all sensibility whenever there are computers
involved, but the idea of the government compelling civilians to salute "in
meatspace" seems blatantly beyond the pale.

~~~
redthrowaway
We tap our helmets to warn of cops. We wave (or nod in countries that drive on
the left) just to say hi. Absence of a signal would be useless on a bike as
we're generally pretty bad about giving the signals we intend to give, let
alone not giving the ones we don't intend to. It would be chaos.

------
panarky
Possible explanations:

1) It wasn't a canary to begin with, so its removal means nothing.

2) There's no legal precedent for disclosing a Section 215 order by killing
the canary, so Apple removed it before they received a Section 215 order. That
way it doesn't disclose anything and Apple avoids legal liability.

3) Apple really did receive a Section 215 order.

~~~
AnimalMuppet
About 2):

Killing the canary does actually reveal the order, which violates at least the
spirit of Section 215. Under the wrong circumstances, that could get you jail
time.

On the other hand, making materially false statements after Sarbanes-Oxley can
also get you jail time.

So yes, Apple could have realized that they had painted themselves into a
corner that they _really_ didn't want to be in. Having said all that, though,
my money's still on 3).

~~~
admax88q
> Killing the canary does actually reveal the order, which violates at least
> the spirit of Section 215.

Of course there's question as to whether the spirit of Section 215 is
constitutional. It may be reasonable for the government to force you no to say
something.

But can the government force you to knowingly make a false statement?

~~~
eridius
> But can the government force you to knowingly make a false statement?

No, but they can punish you for telling the truth. The fact that you'll be
punished for lying does not negate the punishment for telling the truth, just
as the fact that you'll be punished for telling the truth does not give you an
excuse to lie.

~~~
nitrogen
Was your paragraph intended to be Kafkaesque, or was it just a coincidence?

~~~
eridius
Coincidence I guess. I've never read Kafka so I don't actually know what his
writing style is like.

------
rrggrr
As explained by Apple:

In the first six months of 2014, we received 250 or fewer of these requests.
Though we would like to be more specific, by law this is the most precise
information we are currently allowed to disclose.

[http://www.apple.com/privacy/government-information-
requests...](http://www.apple.com/privacy/government-information-requests/)

------
nl
Interesting and somewhat disappointing that it took a year for anyone to
notice that it had disappeared. The appearance generated quite a lot of
interest.

(Of course, I'm as responsible as anyone else for not noticing. I wonder if it
would be possible to build a service to proactively check for their
disappearance?)

~~~
crazypyro
I don't think it took anyone a year to notice it had disappeared. Where did
you get that information? The report for the first half of 2013 where the
original canary appeared wasn't even released as of a year ago. It was
released Nov. 5, 2013.

Furthermore, this document ([https://www.apple.com/privacy/docs/upd-nat-sec-
and-law-enf-o...](https://www.apple.com/privacy/docs/upd-nat-sec-and-law-enf-
orders-20140127.pdf)) provides credence to the possibility that the NSA
requested information from Apple after the Nov. 5, 2013 release as that Jan
27th, 2014 release directly mentions that it replaces the previous notes.

(speculation ahead) This, along with the knowledge that the canary is now
removed, implies that the NSA requests were the core difference in the
numbers, in my opinion. This would place the time of NSA disclosures to
sometime in late 2013-very early 2014, I would imagine.

~~~
dangrossman
He probably thought the report missing the canary was published at the end of
2013 given that's the name of the report and the date in the filename.
Understandable mistake.

The metadata in the PDF file says it was actually created on August 27th of
this year.

~~~
crazypyro
I'm sure it could be found with a web archive or a quick search, but I
personally believe it is irrelevant as it would not make sense to release the
2nd half 2013 report before the 1st half 2013 report. This means the 2nd half
2013 report had to have been released after Nov. 5, 2013, but beyond that, it
wouldn't make sense to release the 2013 report before the year is over, would
it? This leads me to believe it would be nearly impossible for this canary to
have been missing for over a year.

Edit: ugh, hate when people edit after I already responded... It would
literally be impossible for this canary missing to be over a year old. The
news of the canary's existence didn't even break over a year ago (from my
research).... I don't understand why this point is even debatable.

------
UVB-76
Gee, thanks for the hat tip...

[https://news.ycombinator.com/item?id=8334058](https://news.ycombinator.com/item?id=8334058)

~~~
idlewords
Here, have a cookie: 🍪

~~~
gpmcadam
Hey! I'm in Europe, so really you should have asked for my consent before
offering me cookies over the web.

------
ForHackernews
Very interesting in light of this:
[https://news.ycombinator.com/item?id=8333258](https://news.ycombinator.com/item?id=8333258)

~~~
jpmattia
As well as this:
[https://news.ycombinator.com/item?id=8333595](https://news.ycombinator.com/item?id=8333595)

~~~
mpweiher
OK, so they had the canary. Received the warrant. Removed the canary...and re-
engineered iOS 8 so that they are no longer technically able to comply with
the warrant?

If true, that's quite heroic.

~~~
danieldk
Could you be more precise? Reengineered what? iCloud mail, CalDAV, and WebDAV
are not encrypted. So, I guess you are referring to iCloud backups? Did anyone
repeat the mud puddle test with iOS 8?

[http://blog.cryptographyengineering.com/2012/04/icloud-
who-h...](http://blog.cryptographyengineering.com/2012/04/icloud-who-holds-
key.html)

If you are referring to actually remotely retrieving information from a
device: they could still fulfil request by pushing the targeted user a signed
application update with a trojan.

As someone said in one of the other Apple PR topics: it's as much a political
problem as a technical problem. Since Apple, Google, and Microsoft are able to
push any update to devices, they can always be forced to put backdoors on
devices.

------
johnhess
Could a lawyer or someone with familiarity with warrants like these explain
how a "warrant canary" is legal?

I understand the concept, but discloses something you can't disclose. They can
compel you to lie/not comment if asked, "Hey, Apple, did you get any of those
National Security Letters".

Is there a clear cut loophole or is this something yet to be challenged?

~~~
kllrnohj
> I understand the concept, but discloses something you can't disclose.

Until they have been served a warrant, they are not under a non-disclosure
warrant. That's how the canary is legal.

> hey can compel you to lie/not comment if asked

No, no they cannot. They can prevent you from commenting, they can _NOT_
compel you to lie.

Lying and not commenting are very, _VERY_ different.

~~~
gohrt
> Lying and not commenting are very, VERY different.

The Federal Government disgrees with you. Just one example:

[https://www.google.com/webhp?#q=least%20untruthful%20manner%...](https://www.google.com/webhp?#q=least%20untruthful%20manner%20possible)

~~~
kllrnohj
Your example doesn't disagree with me.

It has nothing to do with being compelled to lie by a court order. It has
nothing to do with the Judicial system at all. It has nothing to do with lying
vs. not commenting.

------
tkinom
I wonder what happen if Russian, China, India, Japan, EU all demanding same
level of access to Apple's data.

Apple might not care about Iran or other smaller countries, but how is it
going to deal with big market like China, India, EU?

~~~
Argorak
"The EU" will probably never demand access to Apple's data. The EU usually
passes legislation that has to be adapted by all member states (where,
usually, the EU decision is the minimum that the states have to implement,
some do even implement more).

Still, all those requests will be by member states and involve different
demands.

So, probably, even in the EU, they will say "FU!" to some and not to others.

------
chiph
Under what conditions would the warrant canary statement reappear? I'm
thinking of those workplace safety signs: "This corporation has operated for [
179 ] days without a Section 215 warrant being served"

------
crazypyro
Have any of the other major tech companies had similar canary disappearances?
I only ask because this is the first time I've heard of one actually being
used by a tech company as a warning flare.

I'd expect a governmental legal challenge...

------
staunch
Apple should just declare that they have been subject to Section 215. Given
how many users Apple has it can't reasonably be argued that such a disclosure
would be a danger to national security.

Hopefully they would end up before SCOTUS and help defang the USA PATRIOT Act.

~~~
nnnnni
Well, Apple _does_ basically have enough money to buy the entire US
Government...

~~~
tlrobinson
What's your definition of "the US government"? Does it include the hundreds of
trillions of dollars worth of oil, minerals, land, etc?

~~~
cheald
"A majority of Congress"

------
MrJagil
I've asked this before to no avail, but what can the NSA possibly do if Apple
refuses?

Fine them? Sure, they have billions.

They can't arrest the company... Is Cook going to jail? What is the actual
threat here? You could argue that Apple has more power than many governments.

~~~
lukifer
They can certainly make life difficult for Apple and its executives; see what
happened to Phil Nacchio of Qwest when he pushed back against surveillance
requests.

[http://www.denverpost.com/business/ci_25845407/unrepentant-j...](http://www.denverpost.com/business/ci_25845407/unrepentant-
joe-nacchio-blames-feds-qwests-financial-collapse)

~~~
djur
Is there any evidence for Nacchio's claims other than his say-so?

~~~
noblethrasher
Our own 'tptacek has commented on this:

[https://news.ycombinator.com/item?id=8021904](https://news.ycombinator.com/item?id=8021904)

------
stevewepay
So now what? Now that the canary has disappeared, is there no other
information that can be transmitted to us? It feels like it's a binary signal
that just got set permanently, so there's no more information we can glean
from it.

------
higherpurpose
Relevant story: [http://www.wired.com/2014/09/apple-iphone-
security/](http://www.wired.com/2014/09/apple-iphone-security/)

------
maresca
Perhaps this is the reason for all of the security updates in iOS 8.

