Hacker News new | comments | show | ask | jobs | submit login
Apple’s “warrant canary” disappears (gigaom.com)
406 points by panarky on Sept 18, 2014 | hide | past | web | favorite | 93 comments

Is there any reason why a company could not apply the same concept of a warrant canary on a user-by-user basis?

Imagine seeing a message every time you log into your Gmail account informing you that Google has never been compelled to surrender your private data to a law enforcement agency.

Why stop with users? Every email, web search, Lyft ride, Dropbox file, Facebook post and Grindr encounter could get its own canary: "This message has never been disclosed to law enforcement".

And as @chiph says, the canary doesn't really have to die after a secret warrant is served, it just needs to sing a different song: "Your data has not been disclosed to law enforcement for [ 179 ] days".


Courts and legislatures don't look too kindly upon flagrant violations of the spirit of the law. They view it as an end-run around their power. Although it happens slowly, loopholes do get shut (cf. Aereo).

A startup that's trying to get some notoriety in a few months or even years can definitely do something like this. Apple, who has to plan on a longer time horizon and who probably enlists the soft power of the government on a regular basis, has to be more cautious.

Something about that fact has always bothered me.

I can hire a team of lawyers and finance people to set up a complex system of subsidiaries so that my company only realizes profit in a specific way in a specific jurisdiction to avoid taxes, and as long as we've all followed the letter of the law, there doesn't seem to be any problem with the 'spirit of the law'. In fact, entire companies of accountants, lawyers and business consultants exist solely to help other companies follow the letter of the law while avoiding the spirit of it.

What makes it so that laws regarding anything "tech" get to be written and interpreted so vaguely and widely (from warrant canaries to copyright issues etc) when rules for everything from finance to oil spills are narrowly defined and interpreted?

I think that's actually a perverse case of survivor bias. You don't really get to be a significant oil or finance company without intimately knowing how to work with / play the regulatory system, so the ones you see still standing are the ones who really know how to capture the regulators. If you have an oil company worth $5 billion, you have figured out how to make regulators work for you.

Luckily, in the US at least, it's possible for a few nerds to build a company (say, Dropbox) that's as financially valuable as some long-established government schmoozers but has never thought about regulatory issues. So the "young" tech companies like Microsoft, Apple, Google, Facebook, etc. are less capable lobbyists on average.

I am not aware of any cases of warrant canaries being tested by the courts, but the general principle has been effective in the past in the UK.

When cars were first introduced, many towns across the UK viewed them as an opportunity to make money by fining the rich by setting obscenely low speed limits (think <20mph) with extraordinarily high fines. In response to this, the AA was formed to warn motorists of speed traps down the road.

This started to cut into profits, so the the government retaliated by charging and convicting an AA guy with "obstruction of justice". AA agents were therefore not allowed to inform motorists of speed traps.

The AA responded by changing their protocol. They would always salute passing motorists unless there was something wrong (aka, unless there was a speed trap). The absence of a salute indicated a speed trap, and the law could not force the AA to salute.

I'm not sure if this was ever challenged in court, but they were able to keep it up for several decades so it was never successfully challenged in court at least.

Edit: The AA could be considered sort of similar to the american AAA ("triple-A"). http://en.wikipedia.org/wiki/The_Automobile_Association http://www.theaa.com/aboutaa/history.html#tabview=tab1

I believe that this remained the habit of motorcyclists until relatively recently and it has since been tested in court and declared not allow (reference vague memories of newspaper articles).

On motorcycles, we put a hand on the helmet, signifying "man-with-a-hat ahead".

Do motorcyclists signal to others except when there is a speed trap, or do they signal to others when there is a speed trap? The later is common in the states (cars flashing their headlights), but I haven't heard of the former and enforcing a ban on it seems completely impractical at the very least.

And what kind of free society can force citizens to salute? "The government won't tolerate warrant canaries" makes intuitive sense because we have grown used to the courts throwing out all sensibility whenever there are computers involved, but the idea of the government compelling civilians to salute "in meatspace" seems blatantly beyond the pale.

We tap our helmets to warn of cops. We wave (or nod in countries that drive on the left) just to say hi. Absence of a signal would be useless on a bike as we're generally pretty bad about giving the signals we intend to give, let alone not giving the ones we don't intend to. It would be chaos.

What's AA?

The Automobile Association - Britain's equivalent to AAA in the US.

Applying that to the individual user level is probably too specific to slip past gag orders like this more general language is.

Then you download a 3rd party plugin that hides the message, and displays a big warning if it's missing.

Mainly because the .0000001% if apple users who actually care about this vs. the amount of work to implement isnt worth it business wise.

Steve Schear's original proposal for the warrant canary was per-user, and you'd actually pay to maintain/check it.


(it's somewhere in cypherpunks.venona.com but I don't know exactly which message. it's circa 1992)

The issue I see is what options the court has to break your canary. The general arguement for a canary is that: A) the government cannot infringe on your freedom of speach without cause (so it is legal prior to the request), and B) the government cannot force you to lie (so it is legal to remove the cannary after the request). However, with a per user cannary, once the request has been made, the court might be able to order you to remove the canary from all users to protect the legitamite government interest of maintaing secrecy about who is being targeted.

I suspect that's exactly the argument the government will make when a warrant canary case eventually makes its way to court. That taken to its logical conclusion it renders all gag orders ineffective.

The EFF has a nice FAQ on warrant canaries: https://www.eff.org/deeplinks/2014/04/warrant-canary-faq But the short version is nobody really knows if you could be forced to post one or not.

Possible explanations:

1) It wasn't a canary to begin with, so its removal means nothing.

2) There's no legal precedent for disclosing a Section 215 order by killing the canary, so Apple removed it before they received a Section 215 order. That way it doesn't disclose anything and Apple avoids legal liability.

3) Apple really did receive a Section 215 order.

About 2):

Killing the canary does actually reveal the order, which violates at least the spirit of Section 215. Under the wrong circumstances, that could get you jail time.

On the other hand, making materially false statements after Sarbanes-Oxley can also get you jail time.

So yes, Apple could have realized that they had painted themselves into a corner that they really didn't want to be in. Having said all that, though, my money's still on 3).

> Killing the canary does actually reveal the order, which violates at least the spirit of Section 215.

Of course there's question as to whether the spirit of Section 215 is constitutional. It may be reasonable for the government to force you no to say something.

But can the government force you to knowingly make a false statement?

> But can the government force you to knowingly make a false statement?

No, but they can punish you for telling the truth. The fact that you'll be punished for lying does not negate the punishment for telling the truth, just as the fact that you'll be punished for telling the truth does not give you an excuse to lie.

Was your paragraph intended to be Kafkaesque, or was it just a coincidence?

Coincidence I guess. I've never read Kafka so I don't actually know what his writing style is like.

They can do absolutely anything they want. There are no limits to their power; anything that is not within the bounds of the law can be done first, and then have the law written to permit it later.

There are no checks against their power-- no court, no congressional group, and no group of people is willing to regulate the "watchmen".

Not sure why you're being downvoted. The NSA & Co. are technically subject to the rule of law, but mostly all three powers of the state choose to turn a blind eye to their policing violating the Constitution.

This is the default state of affairs, and it only changes when there is strong public outrage and pressure for the government to do their damn job of watching over the watchmen. Which is seriously screwed up.

> But can the government force you to knowingly make a false statement?

I'm inclined to doubt that they can. But they can keep you locked up for a decade while the case makes its' way to the Supreme Court.

I'm not familiar with US law to really say much, but under Canadian law it'd be illegal for a company to keep the canary if they received a section 215, and I presume it'd be the same in the US. I wonder if this would overwrite that law, and provide them with the ability to lie in their transparency report.

Nope. The warrant canary is a catch-22 of your own making, so you have to take the punishment either way. Either accept the penalty for lying, or accept the penalty for telling the truth. It's your decision which one you'd rather take.

Is there any case where something else would take precedence in case of conflict with a Section 215 order? Lying under oath when being sworn into an office of state, perhaps?

The law doesn't work like that. There is no "precedence". If you are forced to choose between lying under oath, or saying something you're not allowed to say, you're going to have to take the punishment either way. Any judge will recognize that you put yourself in this situation and therefore you are responsible for the outcome.

No in the US you can plead the 5th and simply not respond.

Corporations cannot plead the 5th. That only applies to individuals. And it only applies when there is any reason to believe there is a risk of self-incrimination.

So yes, if you are in a circumstance where pleading the 5th is allowed, then you may plead the 5th and therefore not comment. But in the case of a corporation, or in the case of circumstances where you may not plead the 5th, then you cannot escape punishment by asserting that you are in a catch-22.

As Mitt Romney was fond of saying, "corporations are people"

Sure, and legally in many ways corporations are people. But in this specific case, corporations do not enjoy the protections of the 5th amendment.

[Citation needed]

I learned it from The Illustrated Guide to Law, which is a webcomic about law written and illustrated by a criminal defense lawyer.

The page that states this is http://lawcomic.net/guide/?p=2600, though the next couple of pages are relevant as well.

This only works if your testimony is the only evidence of the crime.

As explained by Apple:

In the first six months of 2014, we received 250 or fewer of these requests. Though we would like to be more specific, by law this is the most precise information we are currently allowed to disclose.


Interesting and somewhat disappointing that it took a year for anyone to notice that it had disappeared. The appearance generated quite a lot of interest.

(Of course, I'm as responsible as anyone else for not noticing. I wonder if it would be possible to build a service to proactively check for their disappearance?)

I don't think it took anyone a year to notice it had disappeared. Where did you get that information? The report for the first half of 2013 where the original canary appeared wasn't even released as of a year ago. It was released Nov. 5, 2013.

Furthermore, this document (https://www.apple.com/privacy/docs/upd-nat-sec-and-law-enf-o...) provides credence to the possibility that the NSA requested information from Apple after the Nov. 5, 2013 release as that Jan 27th, 2014 release directly mentions that it replaces the previous notes.

(speculation ahead) This, along with the knowledge that the canary is now removed, implies that the NSA requests were the core difference in the numbers, in my opinion. This would place the time of NSA disclosures to sometime in late 2013-very early 2014, I would imagine.

He probably thought the report missing the canary was published at the end of 2013 given that's the name of the report and the date in the filename. Understandable mistake.

The metadata in the PDF file says it was actually created on August 27th of this year.

I'm sure it could be found with a web archive or a quick search, but I personally believe it is irrelevant as it would not make sense to release the 2nd half 2013 report before the 1st half 2013 report. This means the 2nd half 2013 report had to have been released after Nov. 5, 2013, but beyond that, it wouldn't make sense to release the 2013 report before the year is over, would it? This leads me to believe it would be nearly impossible for this canary to have been missing for over a year.

Edit: ugh, hate when people edit after I already responded... It would literally be impossible for this canary missing to be over a year old. The news of the canary's existence didn't even break over a year ago (from my research).... I don't understand why this point is even debatable.

Yes. Sorry about the mistake.

Gee, thanks for the hat tip...


Seems independant, but thank you for pointing it out regardless!


Here, have a cookie: 🍪

Hey! I'm in Europe, so really you should have asked for my consent before offering me cookies over the web.

Very interesting in light of this: https://news.ycombinator.com/item?id=8333258

OK, so they had the canary. Received the warrant. Removed the canary...and re-engineered iOS 8 so that they are no longer technically able to comply with the warrant?

If true, that's quite heroic.

Could you be more precise? Reengineered what? iCloud mail, CalDAV, and WebDAV are not encrypted. So, I guess you are referring to iCloud backups? Did anyone repeat the mud puddle test with iOS 8?


If you are referring to actually remotely retrieving information from a device: they could still fulfil request by pushing the targeted user a signed application update with a trojan.

As someone said in one of the other Apple PR topics: it's as much a political problem as a technical problem. Since Apple, Google, and Microsoft are able to push any update to devices, they can always be forced to put backdoors on devices.

Could a lawyer or someone with familiarity with warrants like these explain how a "warrant canary" is legal?

I understand the concept, but discloses something you can't disclose. They can compel you to lie/not comment if asked, "Hey, Apple, did you get any of those National Security Letters".

Is there a clear cut loophole or is this something yet to be challenged?

The EFF has a good FAQ on the legal considerations for warrant canaries.

While there's plenty of precedent for gag orders, there's not much case law for compelled false speech.


> I understand the concept, but discloses something you can't disclose.

Until they have been served a warrant, they are not under a non-disclosure warrant. That's how the canary is legal.

> hey can compel you to lie/not comment if asked

No, no they cannot. They can prevent you from commenting, they can NOT compel you to lie.

Lying and not commenting are very, VERY different.

> Lying and not commenting are very, VERY different.

The Federal Government disgrees with you. Just one example:


Your example doesn't disagree with me.

It has nothing to do with being compelled to lie by a court order. It has nothing to do with the Judicial system at all. It has nothing to do with lying vs. not commenting.

Ah, the old "lie of omission" gambit.

IANAL (and not an American citizen to begin with!) but most laws are formal, that's how they're compatible with "freedom". For a law to forbid you to do something, it has to describe what actions are exactly forbidden, in a fairly precise language.

A legal system can't let law enforcement officials decide after the fact what's permitted and what isn't (that's the theory anyway; your actual experience may vary widely).

So if a law forbids you to tell something, but doesn't explicitly forbid you to not tell another thing, the non-telling of which could potentially reveal the thing that's supposed to stay secret, then you can claim that you technically obeyed the letter of the law, if not its spirit.


Well, the US has a dual system; in the US everything eventually ends up being evaluated against a written Constitution (something the UK never had).

And if you look at SCOTUS, many Justices are essentialists (the most famous of which is Antonin Scalia); legal essentialism means sticking to the letter of the law.

So I think what I described is a reasonable explanation of the legal canary, at least from a philosophical point of view.

In general, it is far easier to (legally) force a company to not announce something than to force them to announce a lie.

So no, it is not perfect. But it is better than nothing.

I wonder what happen if Russian, China, India, Japan, EU all demanding same level of access to Apple's data.

Apple might not care about Iran or other smaller countries, but how is it going to deal with big market like China, India, EU?

"The EU" will probably never demand access to Apple's data. The EU usually passes legislation that has to be adapted by all member states (where, usually, the EU decision is the minimum that the states have to implement, some do even implement more).

Still, all those requests will be by member states and involve different demands.

So, probably, even in the EU, they will say "FU!" to some and not to others.

Under what conditions would the warrant canary statement reappear? I'm thinking of those workplace safety signs: "This corporation has operated for [ 179 ] days without a Section 215 warrant being served"

Have any of the other major tech companies had similar canary disappearances? I only ask because this is the first time I've heard of one actually being used by a tech company as a warning flare.

I'd expect a governmental legal challenge...

Apple should just declare that they have been subject to Section 215. Given how many users Apple has it can't reasonably be argued that such a disclosure would be a danger to national security.

Hopefully they would end up before SCOTUS and help defang the USA PATRIOT Act.

Well, Apple does basically have enough money to buy the entire US Government...

What's your definition of "the US government"? Does it include the hundreds of trillions of dollars worth of oil, minerals, land, etc?

"A majority of Congress"

I've asked this before to no avail, but what can the NSA possibly do if Apple refuses?

Fine them? Sure, they have billions.

They can't arrest the company... Is Cook going to jail? What is the actual threat here? You could argue that Apple has more power than many governments.

They can certainly make life difficult for Apple and its executives; see what happened to Phil Nacchio of Qwest when he pushed back against surveillance requests.


Is there any evidence for Nacchio's claims other than his say-so?

Our own 'tptacek has commented on this:


He's also changed his tune some over time. Now it's all about users rights and privacy, but way back when the big concern was that the FCC might drop a giant fine on them. Less about protecting customers, more about protecting the bottom line by not getting caught.

Post-Snowden, the burden of proof is on the government.

Putting pressure on individuals is the simplest, most logical and very effective option. So, yes, Cook getting charged with insider trading or tax evasion would fit right in.

They can absolutely fine them, and if Yahoo's experience is any indication, fines for this kind of stuff are beyond what billions will cover:


How can you hope to defeat stuff like this in court if you can't survive the fines building up while you're waiting to see the process through?

>You could argue that Apple has more power than many governments.

You underestimate the power of governments.

The judicial powers of 'contempt of court' are some of the most powerful IN government. I have no doubt they can force Apple.

I know of at least one instance where executives of a medical device company tried to ignore the FDA, and said executives got marched out the door in handcuffs. If the FDA can do that, I'm pretty sure the NSA can...

Fine them. Fine them more after fining them. Arrest executives. The powers of contempt of court are rather wide.

That would make SEC filings a disclosure of surveillance.

The can request any fine amount they want. The Yahoo fine schedule would have been billions within a couple months iirc because it included a doubling clause every few weeks that the order wasn't complied with.

It turns out you can fine people arbitrary amounts of money. There is no amount of money that Apple can have that the government can't think of a bigger number than.

As the nuclear option, the USG could simply force them to stop doing business in the US. That would effectively put them out of business and would never happen.

I am sure that people in other countries buy Apple products.

Yes but all of their designers, developers, etc, are all in the US. Note that all Apple stuff says, "Designed in California". If all of your non-manufacturing is shut down, the company is shut down. I think you failed to see this point.

You are right on both points. They do say that (I see now that my laptop says "designed by Apple in California") and yes, I did not imagine that all of their engineers are in the US.

I would still guess that they would try to move to another country rather than shutting down. I admit that it would be hard if not impossible.

Upvoted for humility, it is a rare trait :)

That is the problem. No one knows what they can do. The conpany will certainly have no recourse.

So now what? Now that the canary has disappeared, is there no other information that can be transmitted to us? It feels like it's a binary signal that just got set permanently, so there's no more information we can glean from it.

Perhaps this is the reason for all of the security updates in iOS 8.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact