While commenters are mentioning that this particular method has not been tested in court, is there any reason to believe that it wouldn't work? Similar situations have happened before when a group loudly says "no comment" and this is interpreted as a confirmation. E.g. in the case of the leaks last week, Google, Facebook, MS, etc. explicitly denied that they were involved in blanket government surveillance, but Verizon only said "no comment"[1] in an internal email about the phone metadata news story. If the government could actually force them to lie, then they would have issued an explicit denial like the other companies.<p>Outside of spy fiction and conspiracy theories, I haven't seen any evidence that the government can legally force someone to lie (vs just a no comment) in order to cover up an NSL or FISA order.<p>Is there any evidence that they would be able to force a company using a warrant canary to issue a fake one or respond with anything other than "no comment" to direct questions from the media?<p>[1] <a href="http://www.buzzfeed.com/mattlynley/verizons-internal-memo-to-employees-on-the-nsa-surveillance" rel="nofollow">http://www.buzzfeed.com/mattlynley/verizons-internal-memo-to...</a>
Sadly, this probably would not hold up in court, if the government ever tried to challenge it (why would they, though? The last thing they want is a ruling against them; better to just threaten ISPs with more regulation). On the other hand, a company might get away with a plausibly inadvertent side channel e.g. something like this:<p><a href="http://torrentfreak.com/kim-dotcoms-gaming-lag-hints-spying-121004/" rel="nofollow">http://torrentfreak.com/kim-dotcoms-gaming-lag-hints-spying-...</a><p>"Your honor, we went above and beyond the law, creating a special system for handling lawful surveillance requests by the FBI and NSA. Unfortunately, the expanding volume of surveillance requests has overwhelmed this system, resulting in unintentional increases in latency experienced by surveillance targets. Our technical support staff is developing a solution..."
Anti Money Laundering legislation normally lists an offence known as 'tipping off'. If during a transaction a bank or regulated financial agent becomes suspicious of a client or a transaction then they are not only obligated to report it to the authorities but they are explicitly prevented from communicating their suspicions in any way to the client.<p>If the client is asking why the transaction or payment is delayed while the authorities investigate then the regulated company cannot mention the real reason and have to try and make up a lie or explain that some other entity is responsible for the delay and they don't know the real reason.<p>This is true in the UK at least and I assume you can see how it relates to the Warrant Canary concept. I will add that the tipping off offence is backed up with the threat of jail time for staff and directors in a company.
What a difference submission time makes.<p><a href="https://news.ycombinator.com/item?id=5419177" rel="nofollow">https://news.ycombinator.com/item?id=5419177</a>
Too bad the law is interpreted by people and not computers. These kinds of hijinks are frowned upon in courts. "Here look, I'll illuminate the pixels that aren't part of the message and leave the other pixels dark!"
So I'm going to send you a continuous stream of 1's saying currently my Blu-ray player is not outputting a 1 from the movie 'The Godfather'<p>Wink wink.
<p><pre><code> "The legality of this has not been tested in any court.[citation needed]"
</code></pre>
I would imagine the kind of court that would test this concept would not be held under the eye of the public.
Or we can use the same logic that Clapper and Alexander use. Instead of the canary, just publish a database containing a list of the NSLs. Distribute a client that syncs the database, and disallows logins if your user is affected. Politely ask that your users not attempt to view the information in the database that has been sent to them periodically.<p>Since no human actually read the contents, they didn't "collect" your communication, so you haven't broken the law.<p>Remember, they themselves set the legal standard so that you can have all of the data you want, but it doesn't count as you officially having it until you actually look at it!
What if a company told all its customers this:<p>"We only have the capability to record your activity on server X. Currently you are using server Y. Click here to be re-assigned servers."<p>In other words, if such a company got a warrant regarding a user, they would always handle that user on server X. Therefore, that user would be able to tell they were being monitored (to some % certainty) by refreshing their server assignment several times. If they were always assigned to server X, they could conclude that the company was probably trying to record their activity. A user couldn't be 100% certain because it would be possible that they were randomly assigned to X every time.
If the software is automatically set to report that the provider has not received a warrant, then when it receives an order, it must undertake an action to tell the software <i>not</i> to post that it hasn't received an order. A judge would likely rule that this action is a violation of any confidentiality provisions, since the intent of the system is clearly laid out in advance. It's no different than working out a specific hand signal in advance to notify someone of trouble - flashing that signal is a violation.
Simple solution: A startup firm that warrant canaries FOR you. Every week your company receives a phone call. The pre-arranged contact is asked "Were any federal subpoenas issued for you to disclose customer data in a blanket fashion?"<p>The normal reply would (hopefully) be no. Otherwise it might be "no comment."<p>I believe this would absolve the contact in question from perjuring themselves under the fifth amendment and would be no different than those "our website is hackproof" badges that get sold.<p>If someone wants to run with the idea, I'm game.
rsync.net has done this for quite some time, although I have no idea if it's ever been challenged:<p><a href="http://www.rsync.net/resources/notices/canary.txt" rel="nofollow">http://www.rsync.net/resources/notices/canary.txt</a>
A number of people have pointed out that this method probably wouldn't hold up in courts because you are, in effect, communicating the existence of a NSL by ceasing to update the canary. And when courts consider the legal rights of a government body charged with fighting terrorism against the ill defined rights of a server owner to control the content of their server, the rights of the former are likely to trump those of the latter.<p>But since the purpose of this method is to effect civil disobedience, maybe the same end could be realized via different means. Hypothetically speaking, if a service provider kept a database of all NSLs received, but failed to strongly secure the database, leading to its access by an outside third party, this shouldn't constitute "communication". The database could perhaps be made accessible via a URL ("to enable remote workers to view and process NSLs" or some plausible justification) but protected by a weak password. An employee of that service provider could then secretly leak the password to a third party. Bad network security is not a crime, and unless the third party revealed that the password had been leaked, there would be no way to prove that it wasn't guessed or brute forced.
See also: <a href="http://en.wikipedia.org/wiki/Fail_deadly" rel="nofollow">http://en.wikipedia.org/wiki/Fail_deadly</a><p>Fail deadly mechanisms go off unless they are explicitly told not to. During the cold war, Russia implemented fail deadly policies in an attempt to assure a retaliatory nuclear strike would go off even if most in power were taken out by a first strike.
I was wondering about something similar yesterday; the feasibility of a provider truthfully indicating receipt whilst staying within the confines of the law.<p>For a 'regular' warrant, a provider can "confirm" or "deny" being served. Presumably they can "deny" being served a secret warrant if one hasn't been served, because the terms of a secret warrant presumably only require them to decline acknowledgement if they've been served, in which case they could "neither confirm nor deny", couldn't they?
This concept strikes me as really <i>weak</i>. It acts under the pretense that a gag order is valid. The whole concept of a gag order needs to be confronted, not skittered away from.
Instead of a news headline, they could use an entry in the Bitcoin ledger to prove that the canary is current (<a href="http://erratasec.blogspot.com/2013/05/bitcoin-is-public-ledger.html" rel="nofollow">http://erratasec.blogspot.com/2013/05/bitcoin-is-public-ledg...</a>)<p>EDIT: Actually, they could simply include the hash of a recent block in the blockchain.
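The block-hash idea in the comment above, sketched from the reader's side as an added example that is not part of the thread or of any provider's tooling: a cited block hash shows a statement was not written before that block existed, so a verifier can reject statements that cite an old block or are overdue. The function names, the 3-day and 8-day windows, and the use of the Bitcoin genesis header as sample input are assumptions made for illustration.

```python
import hashlib, struct
from datetime import datetime, timedelta, timezone

# Sample input: the Bitcoin genesis block header (80 bytes), used only because
# it is a fixed, well-known value; a real canary cites a block from signing week.
SAMPLE_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c")
SKEW = timedelta(hours=2)  # Bitcoin tolerates roughly this much timestamp drift

def block_hash(header: bytes) -> str:
    """Double SHA-256 of the header, in the usual byte-reversed hex form."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1].hex()

def header_time(header: bytes) -> datetime:
    """Check the header against its own difficulty target, return its time."""
    if len(header) != 80:
        raise ValueError("block header must be 80 bytes")
    ts, bits = struct.unpack_from("<II", header, 68)
    target = (bits & 0xFFFFFF) << (8 * ((bits >> 24) - 3))
    if int(block_hash(header), 16) > target:
        raise ValueError("header fails its own proof-of-work target")
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def check_canary(stated, cited_hash, header, now,
                 max_block_age=timedelta(days=3), max_age=timedelta(days=8)):
    """Return (ok, reason); anything but ok=True is read as a tripped canary.
    Does not verify the signature or that the block is on the main chain."""
    if block_hash(header) != cited_hash.lower():
        return False, "header does not hash to the cited block"
    try:
        mined = header_time(header)
    except ValueError as exc:
        return False, str(exc)
    if mined > stated + SKEW:
        return False, "cited block is newer than the stated date"
    if stated - mined > max_block_age:
        return False, "cited block is old; statement may be pre-written"
    if stated > now + SKEW:
        return False, "statement is post-dated"
    if now - stated > max_age:
        return False, "canary is overdue"
    return True, "fresh"

if __name__ == "__main__":
    day = lambda d: datetime(2009, 1, d, tzinfo=timezone.utc)
    print(check_canary(day(4), block_hash(SAMPLE_HEADER), SAMPLE_HEADER, day(6)))
```

The header would come from any Bitcoin node or block explorer; checking the statement's signature and the block's place in the main chain are separate steps this sketch leaves out.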
This could have been invented by Raymond Smullyan<p><a href="http://en.wikipedia.org/wiki/Raymond_Smullyan#Logic_problems" rel="nofollow">http://en.wikipedia.org/wiki/Raymond_Smullyan#Logic_problems</a>
Asking whether this will hold up in court is asking the wrong question. National Security Letters <i>themselves</i> are highly unlikely to hold up in court.<p>The whole premise rests on people being intimidated into not fighting it.
There is a lot of confusion around this topic so let's get something out of the way: none of the companies mentioned in the leak were served ANY search warrants.<p>The participating companies were active participants in the spying scheme using the Patriot Act and FISA requests, not search warrants.