Is there any reason why a company could not apply the same concept of a warrant canary on a user-by-user basis?
Imagine seeing a message every time you log into your Gmail account informing you that Google has never been compelled to surrender your private data to a law enforcement agency.
Why stop with users? Every email, web search, Lyft ride, Dropbox file, Facebook post and Grindr encounter could get its own canary: "This message has never been disclosed to law enforcement".
And as @chiph says, the canary doesn't really have to die after a secret warrant is served, it just needs to sing a different song: "Your data has not been disclosed to law enforcement for [ 179 ] days".
Courts and legislatures don't look too kindly upon flagrant violations of the spirit of the law. They view it as an end-run around their power. Although it happens slowly, loopholes do get shut (cf. Aereo).
A startup that's trying to get some notoriety in a few months or even years can definitely do something like this. Apple, who has to plan on a longer time horizon and who probably enlists the soft power of the government on a regular basis, has to be more cautious.
I can hire a team of lawyers and finance people to set up a complex system of subsidiaries so that my company only realizes profit in a specific way in a specific jurisdiction to avoid taxes, and as long as we've all followed the letter of the law, there doesn't seem to be any problem with the 'spirit of the law'. In fact, entire companies of accountants, lawyers and business consultants exist solely to help other companies follow the letter of the law while avoiding the spirit of it.
What makes it so that laws regarding anything "tech" get to be written and interpreted so vaguely and widely (from warrant canaries to copyright issues etc) when rules for everything from finance to oil spills are narrowly defined and interpreted?
I think that's actually a perverse case of survivor bias. You don't really get to be a significant oil or finance company without intimately knowing how to work with / play the regulatory system, so the ones you see still standing are the ones who really know how to capture the regulators. If you have an oil company worth $5 billion, you have figured out how to make regulators work for you.
Luckily, in the US at least, it's possible for a few nerds to build a company (say, Dropbox) that's as financially valuable as some long-established government schmoozers but has never thought about regulatory issues. So the "young" tech companies like Microsoft, Apple, Google, Facebook, etc. are less capable lobbyists on average.
I am not aware of any cases of warrant canaries being tested by the courts, but the general principle has been effective in the past in the UK.
When cars were first introduced, many towns across the UK viewed them as an opportunity to make money by fining the rich by setting obscenely low speed limits (think <20mph) with extraordinarily high fines. In response to this, the AA was formed to warn motorists of speed traps down the road.
This started to cut into profits, so the government retaliated by charging and convicting an AA guy with "obstruction of justice". AA agents were therefore not allowed to inform motorists of speed traps.
The AA responded by changing their protocol. They would always salute passing motorists unless there was something wrong (aka, unless there was a speed trap). The absence of a salute indicated a speed trap, and the law could not force the AA to salute.
I'm not sure if this was ever challenged in court, but they were able to keep it up for several decades so it was never successfully challenged in court at least.
I believe that this remained the habit of motorcyclists until relatively recently and it has since been tested in court and declared not allowed (reference vague memories of newspaper articles).
Do motorcyclists signal to others except when there is a speed trap, or do they signal to others when there is a speed trap? The latter is common in the states (cars flashing their headlights), but I haven't heard of the former and enforcing a ban on it seems completely impractical at the very least.
And what kind of free society can force citizens to salute? "The government won't tolerate warrant canaries" makes intuitive sense because we have grown used to the courts throwing out all sensibility whenever there are computers involved, but the idea of the government compelling civilians to salute "in meatspace" seems blatantly beyond the pale.
We tap our helmets to warn of cops. We wave (or nod in countries that drive on the left) just to say hi. Absence of a signal would be useless on a bike as we're generally pretty bad about giving the signals we intend to give, let alone not giving the ones we don't intend to. It would be chaos.
The issue I see is what options the court has to break your canary. The general argument for a canary is that: A) the government cannot infringe on your freedom of speech without cause (so it is legal prior to the request), and B) the government cannot force you to lie (so it is legal to remove the canary after the request). However, with a per user canary, once the request has been made, the court might be able to order you to remove the canary from all users to protect the legitimate government interest of maintaining secrecy about who is being targeted.
I suspect that's exactly the argument the government will make when a warrant canary case eventually makes its way to court. That taken to its logical conclusion it renders all gag orders ineffective.
1) It wasn't a canary to begin with, so its removal means nothing.
2) There's no legal precedent for disclosing a Section 215 order by killing the canary, so Apple removed it before they received a Section 215 order. That way it doesn't disclose anything and Apple avoids legal liability.
Killing the canary does actually reveal the order, which violates at least the spirit of Section 215. Under the wrong circumstances, that could get you jail time.
On the other hand, making materially false statements after Sarbanes-Oxley can also get you jail time.
So yes, Apple could have realized that they had painted themselves into a corner that they really didn't want to be in. Having said all that, though, my money's still on 3).
> Killing the canary does actually reveal the order, which violates at least the spirit of Section 215.
Of course there's a question as to whether the spirit of Section 215 is constitutional. It may be reasonable for the government to force you not to say something.
But can the government force you to knowingly make a false statement?
> But can the government force you to knowingly make a false statement?
No, but they can punish you for telling the truth. The fact that you'll be punished for lying does not negate the punishment for telling the truth, just as the fact that you'll be punished for telling the truth does not give you an excuse to lie.
They can do absolutely anything they want. There are no limits to their power; anything that is not within the bounds of the law can be done first, and then have the law written to permit it later.
There are no checks against their power-- no court, no congressional group, and no group of people is willing to regulate the "watchmen".
Not sure why you're being downvoted. The NSA & Co. are technically subject to the rule of law, but mostly all three powers of the state choose to turn a blind eye to their policing violating the Constitution.
This is the default state of affairs, and it only changes when there is strong public outrage and pressure for the government to do their damn job of watching over the watchmen. Which is seriously screwed up.
I'm not familiar with US law to really say much, but under Canadian law it'd be illegal for a company to keep the canary if they received a section 215, and I presume it'd be the same in the US. I wonder if this would overwrite that law, and provide them with the ability to lie in their transparency report.
Nope. The warrant canary is a catch-22 of your own making, so you have to take the punishment either way. Either accept the penalty for lying, or accept the penalty for telling the truth. It's your decision which one you'd rather take.
Is there any case where something else would take precedence in case of conflict with a Section 215 order? Lying under oath when being sworn into an office of state, perhaps?
The law doesn't work like that. There is no "precedence". If you are forced to choose between lying under oath, or saying something you're not allowed to say, you're going to have to take the punishment either way. Any judge will recognize that you put yourself in this situation and therefore you are responsible for the outcome.
Corporations cannot plead the 5th. That only applies to individuals. And it only applies when there is any reason to believe there is a risk of self-incrimination.
So yes, if you are in a circumstance where pleading the 5th is allowed, then you may plead the 5th and therefore not comment. But in the case of a corporation, or in the case of circumstances where you may not plead the 5th, then you cannot escape punishment by asserting that you are in a catch-22.
In the first six months of 2014, we received 250 or fewer of these requests. Though we would like to be more specific, by law this is the most precise information we are currently allowed to disclose.
Interesting and somewhat disappointing that it took a year for anyone to notice that it had disappeared. The appearance generated quite a lot of interest.
(Of course, I'm as responsible as anyone else for not noticing. I wonder if it would be possible to build a service to proactively check for their disappearance?)
I don't think it took anyone a year to notice it had disappeared. Where did you get that information? The report for the first half of 2013 where the original canary appeared wasn't even released as of a year ago. It was released Nov. 5, 2013.
Furthermore, this document (https://www.apple.com/privacy/docs/upd-nat-sec-and-law-enf-o...) provides credence to the possibility that the NSA requested information from Apple after the Nov. 5, 2013 release as that Jan 27th, 2014 release directly mentions that it replaces the previous notes.
(speculation ahead)
This, along with the knowledge that the canary is now removed, implies that the NSA requests were the core difference in the numbers, in my opinion. This would place the time of NSA disclosures to sometime in late 2013-very early 2014, I would imagine.
He probably thought the report missing the canary was published at the end of 2013 given that's the name of the report and the date in the filename. Understandable mistake.
The metadata in the PDF file says it was actually created on August 27th of this year.
I'm sure it could be found with a web archive or a quick search, but I personally believe it is irrelevant as it would not make sense to release the 2nd half 2013 report before the 1st half 2013 report. This means the 2nd half 2013 report had to have been released after Nov. 5, 2013, but beyond that, it wouldn't make sense to release the 2013 report before the year is over, would it? This leads me to believe it would be nearly impossible for this canary to have been missing for over a year.
Edit: ugh, hate when people edit after I already responded... It would literally be impossible for this canary missing to be over a year old. The news of the canary's existence didn't even break over a year ago (from my research).... I don't understand why this point is even debatable.
OK, so they had the canary. Received the warrant. Removed the canary...and re-engineered iOS 8 so that they are no longer technically able to comply with the warrant?
Could you be more precise? Reengineered what? iCloud mail, CalDAV, and WebDAV are not encrypted. So, I guess you are referring to iCloud backups? Did anyone repeat the mud puddle test with iOS 8?
If you are referring to actually remotely retrieving information from a device: they could still fulfil the request by pushing the targeted user a signed application update with a trojan.
As someone said in one of the other Apple PR topics: it's as much a political problem as a technical problem. Since Apple, Google, and Microsoft are able to push any update to devices, they can always be forced to put backdoors on devices.
Could a lawyer or someone with familiarity with warrants like these explain how a "warrant canary" is legal?
I understand the concept, but it discloses something you can't disclose. They can compel you to lie/not comment if asked, "Hey, Apple, did you get any of those National Security Letters".
Is there a clear cut loophole or is this something yet to be challenged?
It has nothing to do with being compelled to lie by a court order. It has nothing to do with the Judicial system at all. It has nothing to do with lying vs. not commenting.
IANAL (and not an American citizen to begin with!) but most laws are formal, that's how they're compatible with "freedom". For a law to forbid you to do something, it has to describe what actions are exactly forbidden, in a fairly precise language.
A legal system can't let law enforcement officials decide after the fact what's permitted and what isn't (that's the theory anyway; your actual experience may vary widely).
So if a law forbids you to tell something, but doesn't explicitly forbid you to not tell another thing, the non-telling of which could potentially reveal the thing that's supposed to stay secret, then you can claim that you technically obeyed the letter of the law, if not its spirit.
Well, the US has a dual system; in the US everything eventually ends up being evaluated against a written Constitution (something the UK never had).
And if you look at SCOTUS, many Justices are essentialists (the most famous of which is Antonin Scalia); legal essentialism means sticking to the letter of the law.
So I think what I described is a reasonable explanation of the legal canary, at least from a philosophical point of view.
"The EU" will probably never demand access to Apple's data. The EU usually passes legislation that has to be adapted by all member states (where, usually, the EU decision is the minimum that the states have to implement, some do even implement more).
Still, all those requests will be by member states and involve different demands.
So, probably, even in the EU, they will say "FU!" to some and not to others.
Under what conditions would the warrant canary statement reappear? I'm thinking of those workplace safety signs: "This corporation has operated for [ 179 ] days without a Section 215 warrant being served"
Have any of the other major tech companies had similar canary disappearances? I only ask because this is the first time I've heard of one actually being used by a tech company as a warning flare.
Apple should just declare that they have been subject to Section 215. Given how many users Apple has it can't reasonably be argued that such a disclosure would be a danger to national security.
Hopefully they would end up before SCOTUS and help defang the USA PATRIOT Act.
I've asked this before to no avail, but what can the NSA possibly do if Apple refuses?
Fine them? Sure, they have billions.
They can't arrest the company... Is Cook going to jail? What is the actual threat here? You could argue that Apple has more power than many governments.
They can certainly make life difficult for Apple and its executives; see what happened to Phil Nacchio of Qwest when he pushed back against surveillance requests.
He's also changed his tune some over time. Now it's all about users' rights and privacy, but way back when the big concern was that the FCC might drop a giant fine on them. Less about protecting customers, more about protecting the bottom line by not getting caught.
Putting pressure on individuals is the simplest, most logical and very effective option. So, yes, Cook getting charged with insider trading or tax evasion would fit right in.
I know of at least one instance where executives of a medical device company tried to ignore the FDA, and said executives got marched out the door in handcuffs. If the FDA can do that, I'm pretty sure the NSA can...
They can request any fine amount they want. The Yahoo fine schedule would have been billions within a couple months iirc because it included a doubling clause every few weeks that the order wasn't complied with.
It turns out you can fine people arbitrary amounts of money. There is no amount of money that Apple can have that the government can't think of a bigger number than.
As the nuclear option, the USG could simply force them to stop doing business in the US. That would effectively put them out of business and would never happen.
Yes but all of their designers, developers, etc, are all in the US. Note that all Apple stuff says, "Designed in California". If all of your non-manufacturing is shut down, the company is shut down. I think you failed to see this point.
You are right on both points. They do say that (I see now that my laptop says "designed by Apple in California") and yes, I did not imagine that all of their engineers are in the US.
I would still guess that they would try to move to another country rather than shutting down. I admit that it would be hard if not impossible.
So now what? Now that the canary has disappeared, is there no other information that can be transmitted to us? It feels like it's a binary signal that just got set permanently, so there's no more information we can glean from it.