The idea of a warrant canary in information privacy is the story of one clever workaround and one small paradox, a paradox the newly-launched Canary Watch database aims to track. If an ISP or content provider were required by American national security programs to turn over user data, such as Verizon being forced to release ongoing batches of phone call data under the Patriot Act in 2013 (and furthermore being gagged from warning its users) how would anyone know?
Much like actual canaries were taken into mines to warn of dangerous gases, well, by dying, a "warrant canary" statement on a website assures the user that the provider in question has not received any requests for user information. However, when the canary "dies" or is removed from the website, this is an indicator to an observant onlooker that the company has indeed been served with requests by a national security entity and is gagged from stating that fact outright. In September of 2014, Apple famously let its warrant canary die, prompting the obvious assumption that it received orders for user information.
UPGRADE TO NEW ATLAS PLUS
More than 1,200 New Atlas Plus subscribers directly support our journalism, and get access to our premium ad-free site and email newsletter. Join them for just US$19 a year.UPGRADE
Key to those assumptions, however, is that someone is watching the canary. If a website lacks a canary, was it removed or did it never exist in the first place? Canary Watch is Electronic Frontier Foundation's answer to that quandary. Developed in partnership with other organizations, the website compiles known canaries and tracks changes to them – many of them companies that we deal with on a daily basis, such as Reddit and Tumblr.
A good example to illustrate the concept further is Reddit's transparency report and warrant canary, first published January 29, 2015 and tracked on Canary Watch. Subreddits often tread grey legal ground, both for the topics covered and for many of the involved users having anonymous accounts.
Reddit's transparency report provides detailed information about not only requests for user information (55 in 2014) and requests for removal of content (218), but also contains the canary: "As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information."
Reddit is a classic example because it is the playground of many a web denizen, but companies as seemingly innocuous as Pinterest have a canary ("National security: 0," as part of a longer report). It's not uncommon to find a canary for ISPs, web hosts, secure communication applications such as Wickr and Subrosa, content management tools, and any other company that stakes its livelihood on users feeling that their data and identities are secure.
Though the requests and gags primarily stem from American legal (and extralegal) national security provisions such as Section 215 of the Patriot Act and NSA's Prism program, many of the reports also detail international requests.
Canary Watch's database is currently small, but visitors are encouraged to submit new canaries for inclusion. A comprehensive FAQ explains how to interpret the entries.