Reviving the Canary

Companies forced to secretly share information about their customers used to rely on the warrant canary mechanism to alert the public of secret requests for information. Is it time to bring them back?

Between Amazon’s Ring & Alexa and Google’s Nest and Home, more than a quarter of Canadians are broadcasting from inside and outside their homes, having granted consent to those companies to collect the video, audio and likely mountains of other data.

But when Amazon, Google and their ilk are required to share that information using legal subpoenas, user data requests and other government orders, customers are kept in the dark.

With the introduction of the U.S. Patriot Act two decades ago, companies that were required to secretly submit information about members and customers became concerned about losing the public’s trust as a result of this tacit compliance, so they adopted a simple mechanism: a public notice stating that they had not been required to collaborate with any data sharing request. Once they stopped and removed the notice, the public could conclude that this was no longer the case.

A sign in a public library, “The FBI has not been here (watch very closely for the removal of this sign)”. This is a reaction to §215 of the PATRIOT Act. [courtesy of Wikimedia Commons]

Because the law does not prevent companies from stating that the FBI has not visited, or removing such a sign when it is no longer true, this elegant mechanism has seen broad adoption and support from civil liberties organizations that stood to protect the public’s right to know when their private data was used for purposes other than those for which they had originally shared it.

With the vast increase in data sharing with data aggregation companies, interest in all that user data has vastly increased as well. According to the National Observer,

Amazon recorded an increase of close to 800 per cent in user data requests by governments in the last half of 2020, according to its transparency report released Sunday. In total, the company processed 27,664 legal orders from government agencies around the world in the form of subpoenas, search warrants and court actions.

In the not-so-distant days of coal mining, animal sentinels were used to detect the presence of toxic gases in hazardous working environments. Because canaries are more susceptible to certain environmental hazards, their sacrifice served as a visual early-warning system that gave workers a chance to survive.

Images in this article are courtesy of Canva and Pexels

No one is contesting the legality of warrants and requests for user information, but secrecy continues to be security by obscurity. With the enormous amounts of user data entrusted to companies for specific purposes, the aggregation of this data, by virtue of simple collection and collation from multiple parties, constitutes a clear and present danger for people.

By having all that data in one place, then sharing it and comparing it with that of other organizations, it is easy to see how such practices amount to both security and privacy risks for those data subjects.

The fact that data subjects are permitted under law to have knowledge of their data in the hands of any organization, especially government agencies, is poor consolation when demands for information are made under a veil of secrecy.

Is it time to bring back the noble canary?

Interested in reading more? Here are some additional links to follow:

National Observer article in which I suggest that transparency is fundamental to security, but also to the human right of privacy, protected under Article 12 of the United Nations’ Universal Declaration of Human Rights.

The Universal Declaration of Human Rights. Always a good reminder of what nations can accomplish when they collaborate constructively.

Do not hesitate to order the illustrated version for your kids.

What does a Warrant Canary look like? Here are some examples:

Puri.sm Warrant Canary.

Cloudflare’s Transparency Report.

VPN Warrant Canaries.

According to ThreatPost, when Reddit published its most recent transparency report, it was missing a notice, present in its previous report, stating that it had never received a National Security Letter, FISA Court order or classified order for user data.

What if canaries were automatically recognized by web browsers before accessing a website and by smartphones before entering a retail establishment?
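One way such automatic recognition could work, shown as an added example that is not from this blog or from any company's tooling: compare the previously published notice with the current one and report every declaration that has disappeared, as in the Reddit case above. The plain-text, one-declaration-per-sentence format, the function names and the sample notices are assumptions constructed for illustration.

```javascript
// Constructed sample notices (not real company statements).
const PREVIOUS = "We have never received a National Security Letter. " +
  "We have never received a FISA Court order. " +
  "We have never received a classified order for user data.";
const CURRENT = "We publish this report every year.  " +
  "We have never received a FISA court order!";

// Normalize so cosmetic edits (case, curly quotes, spacing, punctuation)
// are not mistaken for a removed declaration.
function normalize(text) {
  return text
    .toLowerCase()
    .replace(/[\u2018\u2019]/g, "'")
    .replace(/[^a-z0-9' ]+/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// Split a notice into sentence-level declarations (assumed format).
function declarations(text) {
  return text
    .split(/(?<=[.!?])\s+/)
    .map(normalize)
    .filter((s) => s.length > 0);
}

// A canary speaks only through absence: a declaration that was published
// before and is gone now is the signal. Newly added sentences are ignored.
function checkCanary(previousText, currentText) {
  const before = declarations(previousText);
  const now = new Set(declarations(currentText));
  const removed = before.filter((s) => !now.has(s));
  let status = "intact";
  if (before.length === 0) status = "no-baseline"; // nothing to compare against
  else if (removed.length > 0) status = "tripped";
  return { status, removed };
}

console.log(checkCanary(PREVIOUS, CURRENT));
```

A reworded declaration is reported as removed, which is the conservative choice for a mechanism whose only signal is that a statement is no longer being made.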

New innovations hint at a bright future for the noble warrant canary despite dark days ahead for public surveillance and persistent requests for pervasive surveillance mechanisms.

The push for persistent access to user data takes on a different, more ominous dimension when organizations are forced to weaken their encryption and build backdoors in their products for arbitrary government access and inspection.

The recent introduction of Australia’s new legislation is a chilling reminder of the importance of public awareness about this toxic movement with global repercussions.



Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.