Australia Outlaws Warrant Canaries

In the US, certain types of warrants can come with gag orders preventing the recipient from disclosing the existence of the warrant to anyone else. A warrant canary is basically a legal hack of that prohibition. Instead of saying "I just received a warrant with a gag order," the potential recipient keeps repeating "I have not received any warrants." If the recipient stops saying that, the rest of us are supposed to assume that he has been served one.

Lots of organizations maintain them. Personally, I have never believed this trick would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue.

Australia has sidestepped all of this by outlawing warrant canaries entirely:

Section 182A of the new law says that a person commits an offense if he or she discloses or uses information about "the existence or non-existence of such a [journalist information] warrant." The penalty upon conviction is two years imprisonment.

Expect that sort of wording in future US surveillance bills, too.

Posted on March 31, 2015 at 7:14 AM • 71 Comments

Comments

keiner • March 31, 2015 7:30 AM

There is no such thing as "secret legal proceedings"

"Proceedings" are legal or they are secret.

Dan • March 31, 2015 7:51 AM

It's tough to imagine this type of law surviving a 1st Amendment challenge, although it would take someone with money and time to pursue the case.

Bruce Schneier • March 31, 2015 8:15 AM

"There is no such thing as 'secret legal proceedings.' 'Proceedings' are legal or they are secret."

Fair enough. What I meant was "proceedings involving the law that are being conducted in secret," and not "proceedings that are both secret and legal." I suppose if I meant the latter I would have said "legal secret proceedings," but that might only make sense in my head.

Albert ARIBAUD • March 31, 2015 8:16 AM

The problem with this law is that in order to get someone imprisoned for "disclosing or using information about the existence or non-existence of such a [journalist information] warrant", one would have to disclose and use information about the warrant, lest the judge be unimpressed by the lack of evidence of actual wrongdoing.

OTOH, that dilemma could be solved by imprisoning the person without involving a judge at all.

Oh wait...

(disclaimer: I am French. We recently got administrative website blocking with no judge involved. Sorry, we're slow.)

Spaceman Spiff • March 31, 2015 8:17 AM

Ok. Change the verbiage from "I have not been served a warrant" to something like "I have not yet received my pizza"... So, when you stop complaining about not getting your pizza, is that a warrant canary?

Montecarlo • March 31, 2015 8:33 AM

@Dan

If the legislation is introduced in the US, I would word the legal canary 'I have rights under the 1st Amendment'. If you receive a gag order, you would stop saying it. It would be interesting to see if you would be convicted for making that statement. Similarly, it would be amusing if the gag order contained the instruction 'you must continue to declare that you have rights under the 1st Amendment'.

paul • March 31, 2015 8:39 AM

@Spaceman Spiff:

The text simply says "information about the existence or non-existence". So unless you think a prosecutor is unwilling to go all Shannon on your case, anything that might disclose the existence or non-existence of a warrant would be right out. Which means no codes. Also, pretty much no talking about warrants whatsoever, because saying anything about them in the period before the law goes into effect and there has been time for warrants to be issued would disclose the non-existence of a warrant. (Hmm, even publication of the text of the law discloses the non-existence of warrants thus far and is arguably a violation.)

The part about using the information is particularly troubling for me. Say, for example, that you see your local person-responsible-for-receiving-warrants close their door and curse at work one day, and then you see them drinking more than usual at a local bar. If you then decide to encrypt your email, are you in violation? If, on the other hand, you see them continuing cheerful and chipper and decide not to take certain extreme security measures yet, are you also in violation? Clearly the simple act of letting people know that you might be a person who could be subject to such a warrant triggers criminal liability for all involved...

Vic • March 31, 2015 8:40 AM

How does one put a major technology corporation in prison?

Ans: One doesn't, because they aren't really persons, regardless of what some politicized judges assert.

Oh the tangled Web we weave!

Clearly, FiveEyes has claimed the internet as its private possession and is working feverishly to make sure laws are passed to keep it that way. Frankly, it's a NWO issue coming alive. Yet, of course, NWO theorists are cranks and weirdos.

Yup, it's a tangled Web alright.

ramriot • March 31, 2015 9:33 AM

How can this possibly work, it makes EVERYONE guilty by involuntary omission before the fact. Which I am pretty sure would not stand up in any reasonable court.

Craig • March 31, 2015 9:35 AM

It seems like every few years I learn about some new offense against liberty in Australia. I don't think I want to go there. It seems even worse than Canada.

Dave X • March 31, 2015 9:38 AM

So you imagine that they can write a warrant to require folks to actively lie? If judges can require that we're doomed.

The Australian solution is a prior restraint on these classes of speech. With such a restraint, each of the companies listed at Canary Watch, Canary Watch itself, and maybe folks who publicize Canary Watch are guilty of passing this information.

Geoff H • March 31, 2015 9:47 AM

I think the government agencies involved will be happy if they've succeeded in moving the conversation to "should warrant canaries be legal?" instead of "should gag orders on warrants be legal?"

65535 • March 31, 2015 10:01 AM

Odd... This law is very well timed and opportunistic given the recent pilot suicide during the Germanwings Flight 9525 and the Easter holiday.

“…Labor agreed to vote in favor of the Bill once a requirement to use special "journalist information warrants" was introduced for access to journalists' metadata, with a view to shielding their sources. No warrant is required for obtaining the metadata of other classes of users, not even privileged communications between lawyers and their clients. Even for journalists, the extra protection is weak, and the definition of what constitutes a journalist is rather narrow—bloggers and occasional writers are probably not covered [probably not covered means there will have to be a legal court test – a difficult process - ed]” – Arstech

http://arstechnica.com/tech-policy/2015/03/australian-government-minister-dodge-new-data-retention-law-like-this/

I am no expert in German law; I would hope this law would be blocked by the courts until a full examination of the scope of this law is presented.

That is - does this new law allow American communications to be vacuumed-up and recorded by the German government without warning.

If so how will the law be adjusted to conform to the USA Constitution which USA citizens and "agencies" operate under - if at all.

The timing and the scope of this law stinks of the emotion card being played after the apparent suicide flight of the Germanwings crash [and the Easter holiday].

[Please excuse all grammar and other errors]

u38cg • March 31, 2015 10:05 AM

>> It seems even worse than Canada.

Well, it is. Snakes. Spiders. Merciless heat. Sharks. Australia basically consists of sexy people and things that will kill you, or both.

Are they seriously proposing to jail someone who stands up and declares that he has not been served a warrant?

jggimi • March 31, 2015 10:22 AM

@u38cg:

Are they seriously proposing to jail someone who stands up and declares that he has not been served a warrant?
Yes. For two years.

Anon • March 31, 2015 10:27 AM

I find it hard to believe that in a country that allows freedom of religion, any government could force someone to "bear false witness". From what I'm reading, Section 116 of the Constitution of Australia, has the same kinds of protections against "prohibiting the free exercise of any religion" that the USA does, so it's highly likely that this law is unconstitutional even in Australia.

will • March 31, 2015 10:31 AM

Did anything much happen after people noticed that Apple removed their warrant canary?

I've googled and can't find any kind of followup.

Chris W • March 31, 2015 10:34 AM

So does this mean if you have, let's say, a secure email service and you receive such a warrant with gag order. You cannot terminate the service because that would be a warrant canary? Even if you (claim to) have another reason for terminating said service?
That's gotta have all kinds of constitutional implications.

David Leppik • March 31, 2015 10:36 AM

It would be hard for this to fly in the US, with its long tradition of first amendment protections— especially when it comes to speaking truth to shareholders...

...hard but not impossible. It's simply a matter of passing this legislation in the dark of night (i.e. hidden in a much larger, cannot-afford-to-delay bill) and then intimidating plaintiffs into not pushing the issue— or forcing everything into a secret judicial system.

Democracy dies by a thousand paper cuts; the only salve is constant vigilance. That's why we have the ACLU and the EFF and student organizations and religious institutions all needing to fight these battles over and over again— not just to protect our rights, but to keep them visible. Once the law disappears under a cloak of secrecy, it becomes hard to defend our rights.

Tony H. • March 31, 2015 10:40 AM

So generalizing for a moment, if I say (as I have on a number of occasions) to one of my employer's customers that I have never been required or asked to install any kind of backdoor into any of the security products I work on, then this would be an offence?

yo bruce bruh • March 31, 2015 11:03 AM

what is up with TLS being broken??

also, what????? APPLE REMOVED THEIR WARRANT CANARY????????????????

Sofakinbd • March 31, 2015 11:07 AM

Wouldn't a simpler defeat by the government be to issue 1 warrant request to all organizations you want the canary removed on? It could be a nonsense warrant, but it would mean the organization would no longer be able to say we have never received a warrant from that point forward.

Perhaps I'm missing something here.

Also, it is very difficult to prove a negative. http://en.wikipedia.org/wiki/Philosophic_burden_of_proof#Proving_a_negative

Proof of impossibility:
http://en.wikipedia.org/wiki/Proof_of_impossibility

Evidence of absence:
http://en.wikipedia.org/wiki/Evidence_of_absence

OnTheWaterfront • March 31, 2015 11:07 AM

This law would seem to make anyone who proclaimed they have not been served with a secret warrant a criminal, even if it's true. I don't know about Australian law but in the US that would be a prime example of prior restraint of free speech.

z • March 31, 2015 11:09 AM

Tony H,

I haven't read the whole bill, but it refers to warrants specifically, so I don't know how it would apply to software backdoors. However, it would be very easy to draft a bill with the same language to cover backdoors.

In that case, the answer would be yes, as I understand it. Not only that, but anyone who "uses" your disclosure about the non-existence of backdoors is also guilty. So if I choose to buy a security product you write because you tell me you have not inserted a backdoor, both of us would be guilty, since you disclosed info about its non-existence and I used that information for my decision. Likewise, I could theoretically be prosecuted for not buying it if you said there was a backdoor, or if you no longer claimed there wasn't, since I am now using that information.


Here's the relevant portion of the bill:

(1) A person commits an offence if:

(a) the person discloses or uses information; and

(b) the information is about any of the following:

(i) whether a journalist information warrant (other than such a warrant that relates only to section 178A) has been, or is being, requested or applied for;

(ii) the making of such a warrant;

(iii) the existence or non-existence of such a warrant;

(iv) the revocation of such a warrant.

Penalty: Imprisonment for 2 years.

(2) A person commits an offence if:

(a) the person discloses or uses a document; and

(b) the document consists (wholly or partly) of any of the following:

(i) a journalist information warrant (other than such a warrant that relates only to section 178A);

(ii) the revocation of such a warrant.

Penalty: Imprisonment for 2 years.

Sofakinbd • March 31, 2015 11:09 AM

Wouldn't a simpler defeat by the government be to issue 1 warrant request to all organizations you want the canary removed on? It could be a nonsense warrant, but it would mean the organization would no longer be able to say we have never received a warrant from that point forward.

Perhaps I'm missing something here.

Also, it is very difficult to prove a negative. http://en.wikipedia.org/wiki/Philosophic_burden_of_proof#Proving_a_negative

Proof of impossibility:
http://en.wikipedia.org/wiki/Proof_of_impossibility

Evidence of absence:
http://en.wikipedia.org/wiki/Evidence_of_absence

d33t • March 31, 2015 11:19 AM

"Expect that sort of wording in future US surveillance bills, too."

I would expect nothing less (or more) from our corrupted US congress and the last 8 (many more) criminal presidents we've endured. Only key, crime family members get "elected" in the US political system. Civil rights across the world are in serious jeopardy thanks to a few really ruthless, terrible people and the many apathetic citizens who believe they are free or somehow more righteous than others because they saw someone claim it on TV or heard someone waxing religion over a loud speaker.

I have some very dear friends in Australia. They are smart, generally well informed people. In spite of this being true, due to carefully crafted propaganda, they have been led to believe a lot of the same garbage that we have been led to believe in the US. They rarely give the expansion of the mass surveillance state any thought at all. People are busy leading their lives, which is important, and also allows the creeps time and space to destroy lives "legally".

It saddens me to know, that after all of the exposed plots carried out after WWII by CIA (with the help of other "intelligence agencies") and their foreign counterparts, that we have continued to suffer their existence. They and their pals have made a lot of us enemies of one another in an effort to maintain the status quo all the way up to the destruction of the planet itself.

Do you remember "OIL" and all those crafty shell games with weapons of mass distraction?

Len Jaffe • March 31, 2015 11:50 AM

What about claiming to have received one, so that when you do, they gag you and you stop being able to say so?

Is it as dumb as it sounds?

Skeptical • March 31, 2015 11:51 AM

I've never looked specifically at the question of warrant canaries in detail, but I'd agree that they're unlikely to work. I don't think a law like that in the post is really necessary.

A warrant canary is simply a type of published code, the meaning of which is given to everyone. If an individual or entity uses a warrant canary, receives a warrant, and the warrant requires the recipient to keep the fact of the served warrant confidential, then a court could certainly order the recipient to continue publishing the canary as per their normal operations.

It's the signal that's important, not the manner of communication. Would it matter to you if your health insurance provider published every medical condition that you DON'T currently have? Hey they haven't published the conditions you DO have, right? Would you be terribly impressed with a health insurance provider who made that argument to you?

Getting cute with how you break a confidentiality order is very unlikely to impress a judge. In fact it's likely to annoy both the court and the prosecutor involved. Depending on the circumstances, it could lead to serious criminal charges. Not recommended.

If you receive a warrant or order which you do not believe is proper, you should consult with an attorney and fight the warrant or order legally.

vas pup • March 31, 2015 11:57 AM

@Bruce: "Expect that sort of wording in future US surveillance bills, too." Not exactly wording - It'll be substantially more than two years. That is one of the factors why the US has the highest prison population per capita in the whole world.

MrC • March 31, 2015 12:02 PM

In the US, warrant canaries should hold up thanks to the First Amendment.

We need to look at two possible scenarios:
1. A law (or naked demand) that the recipient of a NSL (or its kin) who has previously published a warrant canary continue to publish that now-false canary.
2. A law purporting to ban publishing a warrant canary in the first place.

Scenario #1 runs face-first into the prohibition on compelled speech. Simply put, the government cannot compel you to engage in expressive conduct with which you disagree. See West Virginia Bd. of Ed. v. Barnette, 319 U.S. 624 (1943); Wooley v. Maynard, 430 U.S. 705 (1977). Since, in this scenario, the government would be ordering you to engage in speech that was not only disagreeable to you, but objectively false, there's simply no way it could ever pass constitutional muster. (As an aside, I note that there are three very strong bulwarks insulating these cases from the possibility of being overturned: (a) They're manifestly correct. (b) They have "originalist appeal" (see Barnette, 319 U.S. at 663 n. 13) which means that the usual enemies of civil liberties (Scalia, Thomas, sometimes Alito) support them. (c) They've been co-opted by corporate interests that will now fight to keep them. See U.S. v. United Foods, Inc., 533 U.S. 405 (2001).)

Scenario #2 is both a prior restraint -- which were generally prohibited under English common law even before the Revolution, and are almost automatically invalid under the First Amendment -- and a clearly content-based restriction on speech, triggering "strict scrutiny." (Since publishing a warrant canary conveys not only the factual information that you haven't received a NSL, but also the political viewpoint that you object to the surveillance state, it's probably also a viewpoint-based restriction -- which triggers what some commentators call "super strict scrutiny.") The most on-point case that comes to mind is the Pentagon Papers case, New York Times Co. v. United States, 403 U.S. 713 (1971). The closest thing to a standard to come out of that case is that the government's "national security" interest justifies a prior restraint only upon "proof that publication must inevitably, directly, and immediately cause the occurrence of an event kindred to imperiling the safety of a transport already at sea." Id. at 726-27 (Brennan, J., concurring). (I have some old notes with the quoted phrase "overwhelming evidence of an impending catastrophe" as the standard, but I cannot at the moment source that quote.) Two things of note: First, the government lost the Pentagon Papers case. Second, the Pentagon Papers were at least a specific thing; the non-existence of a NSL is a non-thing. Frankly, it's bullshit to equate disclosure of receipt of a NSL with people-are-going-to-die-now disclosure of troop positions; but it is orders of magnitude more bullshit to equate disclosure of non-receipt of a non-NSL with disclosure of troop positions. The rationale for placing a prior restraint upon warrant canaries is that if a warrant canary is uttered now, then the existence of a hypothetical future NSL could be disclosed via constitutionally-protected silence in the future.
This "harm" cannot be "inevitabl[e], direct[], and immediate[]" because there's no guarantee that a NSL will ever be issued to that recipient, or that disclosure of that particular NSL would be so serious that it would be "kindred to imperiling the safety of a transport already at sea."
Also, as other posters have noted, such a law would be hopelessly unenforceable. The warrant canary could be uttered in coded language natural enough to plausibly deny that it was intended as a warrant canary. E.g. "My First Amendment rights have not been violated recently"; or "This is my favorite YouTube video: [rickroll if no NSLs received, else some other video]."

Buck • March 31, 2015 12:09 PM

@Skeptical

I'm interested in your opinion of signals communicated thanks to the 'human condition' such as those described by @paul. Is there a line drawn somewhere as to how much a person's 'private' behavior can be constrained by such a warrant?

Clive Robinson • March 31, 2015 12:18 PM

I must admit the first thing I would want to know is the jurisdictional limits of this law.

Secondly what the Australian law says on kidnapping and assault and the rights of those who believe themselves to be being kidnapped or attacked by assailants...

Thirdly the right of privileged communication with an out of jurisdiction legal representative...

I suspect there is a massive hole in this legislation that a bus can be driven through...

Tim • March 31, 2015 12:25 PM

So instead, it needs to be linked to a religious observance. Once you receive the warrant, then you start saying, I will be attending religious services weekly, or political activity. At least make them fight the first amendment on a very firm foundation.

bob • March 31, 2015 12:35 PM

Tim, that's a good one, but better yet, start talking about how you are now dedicating 100% of your time to working to help poor children get food and books or protect them from child abuse or pedobears, because then you can use their logic (e.g. "but think of the children!") when they try to do anything to you

Muffin • March 31, 2015 12:53 PM

I'm confused. What exactly is illegal in Australia now? Saying "I have not yet been served a secret warrant" when you really haven't, or ceasing to say it once you have in fact received one?

I'm reasonably sure - as a legal layman - that the first would indeed be at odds with the 1st Amendment in America, though as others have pointed out it would take a defendant willing to take this to the Supreme Court to get confirmation that this is indeed the case.

The other's a thornier issue. I think we can all agree that it SHOULD be unconstitutional for the government to compel certain forms of speech (including but not limited to lies). But is it? The courts might rule that laws compelling speech run afoul of the 1st Amendment, but they equally well might not, and I wouldn't count on the conservative wing of the Supreme Court not coming up with some tortured reasoning for why this is indeed compatible with the 1st Amendment as written.

Either way, until such a law is found unconstitutional it would remain on the books to scare people who might otherwise put up warrant canaries, so in that it would serve its purpose. Whether we are going to see this in America depends on political opportunity, not considerations of constitutionality (or lack thereof).

Michael • March 31, 2015 2:58 PM

I don't think I've ever been happier that I no longer live in Australia, though I guess legally, as a citizen, I am still subject to their laws. Truly a scary prospect, and the Government here (Canada) isn't much better...

RonK • March 31, 2015 3:48 PM

This law can be bypassed if you are a private individual.

Presumably, it is still OK to ask your own lawyer about the consequences of various acts which relate to this law, and to tell him about the gag order you have been served. If you choose to use a web mail account to do so which is, for example, hacked via your having a weakish password or your actually giving truthful answers for your recovery questions, I don't see that it would be very easy to show you had any connection with the hacking (and you could very easily have such a connection via a friend posting on the appropriate Russian forum through a VPN from a public wireless connection). One just has to be careful to use this account for a few other things also (e.g., a few forums), so as not to raise suspicions.

It would seem to be more difficult to pull this off if you are a large corporation, however. But anyway, everyone should just assume that large corporations are cooperating with governments.

Zainelabdeen Ibrahim Omer • March 31, 2015 4:25 PM

So Australia has joined Saudi Arabia and Myanmar in the exclusive club of basket-case shitholes that don't make the grade as sovereign states, having decided they can't even live up to this:

"As the Committee observed in its general comment No. 16, regarding article 17 of the Covenant, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control his or her files."

Sure, that is what the Australian state pledged to do. But let's be fair. Why should Australia pretend to be sovereign? It's obvious to everybody that Australia is CIA's bitch, ever since they gave Gough Whitlam the boot. If Abbot puts a foot wrong he's gone too, poor sad little jug-eared puppet. When D/NCS tells Abbot to institutionalize dog rape in conformity with US secret rules, Abbot will do that too, with a smile.

Predictably, arch-submissive skeptical is here to wag his finger and admonish you to grovel and crawl for illegitimate authorities so you don't... annoy them. No balls. See, this is why Snowden makes fools of you vermin, he's got balls.

Hawiger • March 31, 2015 5:25 PM

Personally I think this law has a rather Australian flair to it.

Their government just thinks they have a right to pass this sort of law.

When I lived there I could not understand why they thought they have some right to demand that people fill correct and truthful data on those population census forms. I shouldn't have to tell any government whether I am religious or not, for example. If I am an atheist, or not, that is my personal business.

But I guess people there are sort of grown into a mentality that allows it.

Buck • March 31, 2015 7:48 PM

@Kyle

Does this also mean that the involved attorneys, jailers, judges, juries, media and voyeuristic public are all going to jail for violating the same law!?

When someone can be imprisoned for existing, what sane actions are available other than vomiting right now!?

moo • March 31, 2015 7:53 PM

@Skeptical:

The very idea of a "confidentiality order" is antithetical to a free and democratic society. No matter how useful it may be to the authorities to be able to gag the speech of individuals or businesses using threats of (legal) force, that just shouldn't be allowed by any civilized society. Secret courts, secret laws with secret interpretations--it's all too fascist for my taste. Unfortunately, the citizenry don't seem to have control of their governments today, and if they think about it too hard, may wonder if they ever really did.

I grew up under the fond delusion of living in a civilized country. The last few years in particular, have destroyed whatever remained of that illusion for me. I want western nations to set an example to the world of what free and open societies _really_ look like. Unfortunately they seem to have decided instead to emulate nations like Iran and China, with a whole raft of censorship and invasive spying policies. It's sort of inevitable at this point, assuming it hasn't happened already, that an elite 0.1% will end up in control of the databases and have enormous leverage over everyone else. At this point I'm just hoping it will all take a few decades to play out, so I don't have to be around to see it.

If the U.S. founding fathers could see their country today, they'd shake their heads sadly and say "we warned you, but you didn't listen".

No Such Agency • March 31, 2015 8:20 PM

Does anyone else see a gap in this law?

You can't say you didn't receive one, and you can't say you did receive one, so what if you say you did receive one when you didn't, then stop saying you did when you really do receive one?

The statement would be a lie, thereby not breaching the point about disclosing the non-existence of the warrant??

Jacob • March 31, 2015 9:26 PM

Weekly Prayer to the God of Truth, King of Kings, Master of the Harmonious and Truthful Universe:

"Oh Mighty God, this is your pious servant, a faithful follower, cherishing your infinite wisdom and bowing before your unending power, hereby solemnly declare and attest before thou that no evil deed nor violation of the Holy Principle of accepting, receiving, looking, or being served anything that can not be presented before your avid followers and disciples for the last week by any creature or organization that crawls or resides on the face of the earth has been materialized. Hallelujah!

Attesting and Signing before thou on this 1st day of April, 2015 years to the birth of our saviour, I, Jacob Son of Clara, hereby submit my signed attestation :

--- Begin Signature ---
OxA55Fc...
---- End Signature ----
Amen.

Dirk Praet • March 31, 2015 9:36 PM

@ Mr.C

Re. compelled speech and prior restraint

Assuming legal or constitutional restraints on compelled speech, the First Amendment could indeed prevent the USG from forcing companies to continue publishing their warrant canary. Truth be said, there is very little scholarship on point and no real cases testing the theory. Twitter on October 7, 2014 did file a lawsuit against the government (Twitter v. Holder) seeking the right to publish a canary in the first place. The outcome hereof may give us a first clue of what to expect.

In addition, the question whether or not a company can be forced to publish "zombie canaries" is pretty much tied to whether or not the initial gag order accompanying the NSL is considered unconstitutional prior restraint. If so, the false canary is out of the window too. Conversely, if the courts rule the initial gag order constitutional prior restraint, then compelled false canaries would probably be permissible too in order to maintain its efficacy after the fact.

Unfortunately, this goes for the US only. Canada and New Zealand have little constitutional protection against compelled speech, whereas the situation in Australia and the UK is even worse. In Australia, there is no explicit or implied constitutional protection for freedom of expression, nor right against compelled speech beyond narrow common law limits. In 2012, the Australian High Court ruled that tobacco companies could be forced into government prescribed standard packaging and intrusive health warnings, which is obviously compelled speech. Under RIPA in the UK you can be forced to hand over encryption keys, which in itself is also a form of compelled speech.

So what can be done if traditional warrant canaries can be legally suppressed? There is an alternative approach called "disclosure by design", i.e. a technologically implemented canary in which the very design of a system would either directly or indirectly expose the receipt of a covert surveillance order to a target interpretive community.

What this means is that a government would have to prohibit a systems design ex ante to create an effective NSL gag. One solution could be to build in a sort of tripwire. If the company receives an NSL/gag order and someone is accessing a user's data, the wire is tripped and the user is notified. If the tripwire is disabled, the user gets no notification, but a system can be put in place in which a 3rd party on a regular basis accesses the user's data, generating normal notifications. If the tripwire has been disabled, either one user or an entire group will no longer be receiving these notifications, indicating that something dodgy is going on. I'm sure @Clive and @Nick P. can think of far better implementations ...

In essence, it would be very hard for any government to ban in advance any such type of design. Moreover, it would be even more difficult for the government to claim that a perfectly legitimate system functionality from a design planned in the past is communicating information (i.e. existence of NSL) that a company has just learned from the government. A possible government work-around can be to mandate backdoors with which built-in triggers or tripwires can be overcome, but this is something entirely different than a simple gag order.

Another method can consist in a company making certain (security) claims about their product or service; discontinuation thereof may indicate to an alert community that again something fishy is going on.

@ moo

"If the U.S. founding fathers could see their country today, they'd shake their heads sadly and say 'we warned you, but you didn't listen'."

Which reminds me of Mike Rogers in his recent rant against encryption mentioning that surely the Founding Fathers today would have had a serious problem with encryption too. He must have forgotten that Jefferson had invented a wheel cipher which he actually used to communicate with James Madison and James Monroe.
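The tripwire scheme sketched in the comment above can be checked from the user's side. The following is an added example, not code from the commenter or from any real service: it compares the access notifications a user received with the probe times a third party published. The names `Audit`, `Finding` and `SampleFindings`, the six-hour probe schedule and the ten-minute slack are assumptions, as is the premise that the service cannot tell a probe read from any other read.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Finding is one conclusion drawn on the user's side.
// "unscheduled-access": a notification no probe explains (the tripwire fired).
// "missing-probe": a probe happened but no notification arrived (tripwire silenced).
type Finding struct {
	Kind string
	At   time.Time
}

// Audit matches each published probe time to at most one notification that
// arrived within slack of it, then reports whatever is left over on either side.
func Audit(probes, notified []time.Time, slack time.Duration, now time.Time) []Finding {
	used := make([]bool, len(notified))
	var out []Finding
	for _, p := range probes {
		matched := false
		for i, n := range notified {
			if d := n.Sub(p); !used[i] && d >= -slack && d <= slack {
				used[i], matched = true, true
				break
			}
		}
		// Only judge a probe once its delivery window has closed.
		if !matched && !p.Add(slack).After(now) {
			out = append(out, Finding{Kind: "missing-probe", At: p})
		}
	}
	for i, n := range notified {
		if !used[i] {
			out = append(out, Finding{Kind: "unscheduled-access", At: n})
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].At.Before(out[b].At) })
	return out
}

// SampleFindings runs Audit over constructed data: probes every six hours, one
// extra access at 07:30, and no notifications at all from 12:00 onward.
func SampleFindings() []Finding {
	day := time.Date(2015, time.April, 1, 0, 0, 0, 0, time.UTC)
	at := func(h, m int) time.Time {
		return day.Add(time.Duration(h)*time.Hour + time.Duration(m)*time.Minute)
	}
	probes := []time.Time{at(0, 0), at(6, 0), at(12, 0), at(18, 0)}
	notified := []time.Time{at(0, 1), at(6, 2), at(7, 30)}
	return Audit(probes, notified, 10*time.Minute, at(20, 0))
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Println(f.At.Format("15:04"), f.Kind)
	}
}
```

A "missing-probe" finding cannot distinguish a silenced tripwire from an ordinary delivery failure, so a single gap is weaker evidence than a run of them across several users.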

Nick P • March 31, 2015 9:48 PM

@ Jacob

BRILLIANT! Freedom of religion might do the trick! In the U.S., at least. Need more people thinking on that angle.

jdgalt • March 31, 2015 10:26 PM

I think I would borrow from Carter's treasury secretary and just say that I have not received a banana.

milkshake • March 31, 2015 10:52 PM

How about raising a middle finger, by using a strongly suggestive language: "While I am not allowed to confirm or deny that I have received a national security letter to provide IP address information about the visitors of this site (NSL is a type of warrant which typically comes with a gag order), here is why I think this kind of warrant is problematic and likely unconstitutional:"

Clive Robinson • April 1, 2015 3:52 AM

@ Dirk Praet, MrC,

Yes @Nick P, myself and others have had conversations about RIPA and equivalent as well as methods of avoiding unwarranted searches at borders etc.

Most times they have involved an out of jurisdiction third party and some kind of automated trip wire / timeout / dead man's switch.

The idea is that an out of jurisdiction agent can not be influenced by the courts in your local jurisdiction. Thus if you pick a multiple agent solution in multiple jurisdictions some of which are antagonistic to each other you in effect force a stalemate on your local jurisdiction, where you can not comply with their requests whilst still being in their jurisdiction. In effect authority has limits, and those limits can be used against it.

There are, however, certain pre-conditions on this working, one of which is ensuring that the system can not be impersonated by authorities, not just to out of jurisdiction agents, but also to third parties in your local jurisdiction.

As we have seen in the past the FEDs' solution to this problem is to "kidnap the system" by just smashing down doors to take over the system in situ to either prevent the tripwire activation, or to ensure they control what message third party / end users see.

European legislation is a bit of an oddity because it confers legal status to entities as "Any person legal or natural" in its founding treaties and overarching legislation from which other legislation is derived. Whilst I'm not aware of any case law it raises the question of compelling a company which is an entity that has a legal status similar to that of a person.

That is humans can and do treat a company with human attributes such as "trust", "reputation" and many others, and not just for the purposes of "tangible trade". We see this in cases of fraud and other financial misconduct where a "directing mind" is only occasionally sought out by authorities, and often a fine is imposed on the company and it is allowed to continue trading. This establishes the notion that a company can be punished as an independent entity. Which raises other questions about what a company might or might not be compelled to do as an independent entity, especially if it is multi jurisdictional.

In the UK the forcing over of keys under RIPA applies only to those that are used for or have been used for obscuring contents of messages. It does not apply to keys used only to authenticate messages such as signing keys. Further it does not lay down a legal requirement that keys be kept after their useful life has expired.

This quirk as some saw it came about because of the very real concern that the authorities would commit fraud by impersonation to further an investigation illegally by the use of entrapment etc (something that has subsequently proved to be a valid concern with the revelation that Met Police "under cover" officers doing virtually anything including entering into relationships and having children etc to gain unwarranted influence and control to further what can only be seen as entrapment).

These RIPA exceptions create a series of interesting loopholes, in that there are certain key negotiation protocols that can establish a secret key in plain sight of adversaries, that is unobfuscated plaintext. The problem with some of them is they are not resilient to Man In The Middle attacks, which signing messages can secure against. Thus it is possible to design a system where a user has no access to the message keys at any point, and as the keys are only needed for the duration of a single transmission they can be destroyed by the system at the end of a transmission. Thus it is not possible for a user to hand over these single use message keys as they never had access to them, nor were they required to do so.

This is a part technical and part legal limitation solution, where a future change in legislation will not solve the used message key problem for the authorities.

However a future change in legislation might well allow the authorities to impersonate one participant and get messages re-sent etc. Thus a layered approach is required where other steps are taken to negate such changes in legislation. Hence using one or more out of jurisdiction entities that can not be compelled.

It is finding such loopholes and limits and using them which forces authorities into "unjust action" that over time removes their reputation, then their legitimacy and if history follows as it has in the past the eventual fall of the authority at the hands of the citizens. This can happen either by the citizens action --civil unrest-- or inaction allowing others from outside to depose the authority by not defending the authority against them. The only defence an authority has had against this in the past is to not appear "unjust", which they could have done by either not being unjust, or not appearing to be unjust temporarily by using FUD ("think of the children" etc).

The use of "in the past" is important, technology is now widely recognised as a "game changer", and from this arises a question of "technology tipping points". The power of authorities relies on the resources they have to "compel others". In the past the limiting resource on authority was the citizens prepared to carry out the orders of an authority against other citizens, which placed limits on the excesses of authority. However it can be seen that technology can replace human resources, thus reducing or removing that limiting effect from authority...

The question then becomes one of not just defeating unjust authority at just the human level, but of first defeating the technology they employ, thus forcing the human resource limitation back on them...
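The comment above describes key negotiation "in plain sight" made resistant to man-in-the-middle substitution by signing, with single-use message keys the user never holds. The following is an added example, not code from the commenter: it uses X25519 key agreement with Ed25519 signatures as one concrete choice (the comment names no specific protocol), and every function name in it is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Offer travels in the clear: a one-time X25519 public key plus a signature
// over it made with the sender's long-term Ed25519 key (authentication only).
type Offer struct{ EphPub, Sig []byte }

// NewSigner creates a long-term signing key; it never encrypts anything.
func NewSigner() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// NewOffer makes a fresh key-agreement key pair and signs its public half.
func NewOffer(signer ed25519.PrivateKey) (*ecdh.PrivateKey, Offer) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := eph.PublicKey().Bytes()
	return eph, Offer{EphPub: pub, Sig: ed25519.Sign(signer, pub)}
}

// Accept checks the peer's signature, then derives the single-use message key.
func Accept(eph *ecdh.PrivateKey, peer Offer, peerID ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(peerID, peer.EphPub, peer.Sig) {
		return nil, errors.New("offer not signed by expected peer")
	}
	pub, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// Substitute models an in-transit swap of the one-time key, signature untouched.
func Substitute(o Offer) Offer {
	eph, _ := NewOffer(NewSigner())
	return Offer{EphPub: eph.PublicKey().Bytes(), Sig: o.Sig}
}

// Session runs one exchange and reports whether both ends derived the same
// key. inTransit, if not nil, rewrites A's offer before B sees it.
func Session(a, b ed25519.PrivateKey, inTransit func(Offer) Offer) (bool, error) {
	aEph, aOffer := NewOffer(a)
	bEph, bOffer := NewOffer(b)
	if inTransit != nil {
		aOffer = inTransit(aOffer)
	}
	kb, errB := Accept(bEph, aOffer, a.Public().(ed25519.PublicKey))
	ka, errA := Accept(aEph, bOffer, b.Public().(ed25519.PublicKey))
	if err := errors.Join(errA, errB); err != nil {
		return false, err
	}
	// The one-time private keys and message keys go out of scope on return;
	// only the signing keys, which cannot recompute them, outlive the session.
	return bytes.Equal(ka, kb), nil
}

func main() {
	a, b := NewSigner(), NewSigner()
	fmt.Println(Session(a, b, nil))
	fmt.Println(Session(a, b, Substitute))
}
```

Go gives no guarantee that dropped key material is erased from memory, so a real system that must destroy message keys would hold them in hardware or in memory it can wipe explicitly.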

Wm • April 1, 2015 6:11 AM

Add this somewhere to your web page if hit by a letter:

('>
/))
/ "

And then keep your mouth shut if asked what it is supposed to mean. Most people will be able to read between the lines.

Hugo • April 1, 2015 6:26 AM

It’s not clear to me how someone can have information about the non-existence of a gag.

Do I commit an offence (if I were in Australia) if I say I am not currently gagged – or do I only commit one when I stop saying that I am not gagged when I am actually gagged?

Clive Robinson • April 1, 2015 7:11 AM

@ Milkshake,

"How about raising a middle finger, by using a strongly suggestive language"

Flicking the bird, or other possibly inflammatory --therefore arrestable-- behaviour is not required.

For example it has been reported that "The Father of Linux" was asked the warrant / NSL question in a public venue where he was on stage in front of very many people. Reportedly he verbally answered no whilst vigorously shaking his head yes.

Now I can't say if that was legal or not under the Australian Law or other similar laws yet to come in, but it does show that a little bit of thought can give you a great deal of "expression without vocalization" or written word and importantly in a non inflammatory way that stops you making a target of yourself and thus encouraging the authorities using that as a further charge / avenue of attack against you.

Further if you are unfortunate to be trapped into a position where you can not avoid being questioned it enables you to lie without being untruthful because you can simply say to an authority figure "I did not say..." and you would be telling the truth. You can then repeatedly say "I have answered your question" or "no further comment" and if they get pushy you simply say "I believe you are trying to illegally engineer a situation to endanger my safety and I am now going to seek my legal representative's opinion" if you can then back slowly away and seek witnesses, if you can not simply answer all further questions with "no comment at this time". That way you are not refusing to answer their questions, you are explainably trying to ensure your safety until assistance arrives.

Depending on the jurisdiction and who the LEOs claim to be you may need to modify what you say slightly.

It is better to avoid this situation altogether by not being available to be questioned in the first place. I won't go into the how's or why's, I'll simply say, not being the subject of unwanted attention is by far the best position to be in.

But in the unfortunate cases when you can not be out of harm's way and you are approached in public or other places where there are likely to be independent witnesses, you have two choices be trapped on your own or not. Thus don't make the mistake of behaving what appears to be rationally when on your own, you need to attract attention and witnesses.

Thus don't make the mistake of acknowledging LEOs or asking to see identification, or look at it if it's held up, that's trapping yourself. Step back / away quickly and start screaming loudly for help and don't stop.

Importantly scream loud enough that you can't hear them or witnesses will believe you either can not hear or understand them. Having witnesses around does you most favours, often it upsets the LEOs' game plan or wrong foots them as it does with most people that waylay others for ill intent.

Further if the LEOs are daft enough to do anything other than step back they are making the situation worse for themselves in the long run. Nearly all your subsequent behaviour is then explainable by any reasonable psychologist.

Remember for them to have authority over you, you either have to give it willingly, or they have to use some kind of overwhelming force which long term puts them at a significant disadvantage, because in most democratic places they will have to explain their actions.

And if you are in a place that is either not sufficiently democratic or the LEOs have too much unchecked power ask yourself what you are doing there, and if you can't avoid being there how you reduce the power the LEOs have over society or you as an individual.

The first step as an individual is usually not making yourself an "available target" and as I advise most people, the easiest way to do that is being "situationally aware" and thus "be somewhere where trouble is not".

Unfortunately, reducing LEOs' power over society means making yourself a target, because few people or organisations willingly give up power of any kind at any time. In the UK the police currently have way, way too much power via seemingly quite minor powers. For instance they can arrest you on suspicion and without charging you release you but with conditions that if you break them you are then committing a criminal offense. One such condition is they can put areas "out of bounds" such as your home, shops etc etc.

Most jurisdictions have such rules and legislation and they are one of the indicators of a "Police State" arising.

Michael. • April 1, 2015 8:26 AM

I saw this. And I got really pissed off. I am going to update my website soon to explicitly break the law. "I have not yet received a warrant under this law, but I'll remove this comment if I'm able if I do."
Also, I'm going to start using Tor even more often. If only it updated through Ubuntu nicely and automatically like most of the other software I run.

Barney • April 1, 2015 8:28 AM

There are lots of methods for "expression without vocalization", including head-nodding as Clive Robinson mentioned, writing, typing, mouthing, sign-language etc.

But I don't see how that helps. The Australian law is against 'disclosing information'. I don't think it says anything specific about vocalization. I'd be surprised if any similar laws apply to vocalization and not other means of communication.

Hugo • April 1, 2015 9:40 AM

Where the Australian Law would hit you is if you have a permanent notice up which said, “I have not been gagged yet.” – and then on the receipt of a gagging order you took it down.

What if you erratically put up and took down a notice of this kind? Each time it appeared it would tell readers that you had not been gagged yet. Could the Australian law actually compel you to put it up and lie?

z • April 1, 2015 10:37 AM

Hugo,

"Do I commit an offence (if I were in Australia) if I say I am not currently gagged – or do I only commit one when I stop saying that I am not gagged when I am actually gagged?"

As far as I can tell, saying you have received a warrant is illegal--whether you have received one or not. Saying you have not is also illegal--whether you have received one or not. "Using" (whatever that means) either of these statements is illegal--regardless of whether they are true or false.

Unless I missed it, the law applies regardless of whether there actually is a warrant. Otherwise it wouldn't do anything to prevent canaries, since it would be legal to say whatever you want until there is a warrant.

Somebody • April 1, 2015 10:44 AM

The law can not compel you to do anything. People with guns may compel you to do something. Arguing about what the law says is moot if the people with guns don't care what it says, or are selective in their caring.

Evan • April 1, 2015 10:59 AM

Would it be legal to state:

"Nobody at [website] has been charged under section 1(b)(iii) of this act."

Or is this recursive limbo?

Clive Robinson • April 1, 2015 11:14 AM

@ Barney,

"But I don't see how that helps. The Australian law is against 'disclosing information'. I don't think it says anything specific about vocalization. I'd be surprised if any similar laws apply to vocalization and not other means of communication."

Whilst the law might target "disclosure of information", proving what disclosure is, and even if it was deliberate is entirely a different matter.

When "field craft" is taught to field officers, they are taught how to set up communications channels that are only obvious to those in the know but virtually unprovable to anyone else. They are also taught to watch out for people doing odd things and logging them.

The fact that a third party knows somehow does not prove which of many individuals in the know leaked the information if they even consciously leaked it at all.

I don't know how old you are but there is a story from before the First Gulf War started, every journalist and just about everybody who could think knew it was imminent. Suddenly on the night before the Pentagon thought it had a mole because journalists knew with just hours to go...

Eventually the leak was traced to insiders lots of them but it was not a conscious act of leaking... basically they were all pulling "all nighters" and ordered Pizza delivered, the very large numbers gave the game away, to the delivery boys and the odd journalist watching the Pentagon and other Military "front doors".

There is a lot of difference between a gut feeling that somebody has leaked information, and even thinking you know they leaked information, but there is still a heck of a long way to go to proving they leaked information.

After all the leak could be inferred by someone with access to the organisation's phone records who sees phone calls to specialised lawyers practicing in that area of law.

Then there is "the setup" a company can exist in a number of independent jurisdictions a smart person can set things up in such a way that complying with any information request has to go out of jurisdiction to be met. Thus the judge has a choice compliance or disclosure one or the other not both.

That's the problem with these stupid laws, there is always going to be a way to negate them if people put their mind to it and the judges and legislators just end up playing a pathetic game of "catch up".

Also remember some people will take a moral stand irrespective of the outcome.

In the UK not disclosing encryption keys can get you a jail sentence up to X years so far, as far as we can gather the actual sentences handed down are a fraction of this. There are very many crimes where the max sentence is 5X or more years and those sorts of crime tend to get close to the maximum sentence. So for some people it's a 'no brains' choice...

Then there are "codes of silence" type criminal groups, where not leaking the information to them could result in one of your loved ones disappearing...

Some of the more worldly judges are well aware of these sorts of issues and are not likely to act on all but provably blatant examples of infringement.

It's something the SFB politicos need to wake up to, because if it ever turns out somebody's loved one gets hurt or disappeared over these laws then they are going to find "think of the children" working against them rather quickly.

Sancho_P • April 1, 2015 6:05 PM

Q: Are you under a gag order? A: No, I’m not.
Next day:
Q: Are you under a gag order? A: I can’t answer that question, sorry.

Sorry if that was posted already, TL;DR

Luke • April 1, 2015 10:25 PM

It's worth pointing out that unlike the United States or Canada (Charter), Australia has no Bill of Rights offering any kind of positive protection to journalists (or anyone else for that matter).

Rights are almost non-existent in Australia. Like the UK, rights are drawn from the common law - which means they are essentially subject to judicial interpretation relative to various common law tests; such as laws that are "reasonably appropriate and adapted for the functioning of a representative democracy".

Unlike the UK however, Australia has no Human Rights Act, and is not subject to the European court of human rights, which would significantly govern this area of the law in the UK.

It's also worth pointing out that this kind of law is unlikely to operate simply on the basis of meta-data collection alone. It's more likely to be one piece of the investigative pie and thus carries serious sinister overtones.

Australia has become an Orwellian nightmare. I can't help but think that sounds dramatic, nevertheless it's understated.

Leon Wolfeson • April 4, 2015 10:46 AM

@Luke - Hence why the Tories and further right in the UK are so keen on scrapping the HRA and leaving the ECHR.

Skeptical • April 4, 2015 7:55 PM


@moo: "The very idea of a 'confidentiality order' is antithetical to a free and democratic society. No matter how useful it may be to the authorities to be able to gag the speech of individuals or businesses using threats of (legal) force, that just shouldn't be allowed by any civilized society."

Secrecy during an investigation can be both vital to its success and vital to the reputations of persons investigated but not pursued further.

A society in which a court cannot order an individual to keep a matter confidential is a society in which the mere act of investigation strips guilty and innocent alike.

It is also a society bereft of basic requirements for investigating complex criminal enterprises.

The system as it exists takes a far more balanced approach, and while I have my criticisms, there are others who have done far worse.

@Mr C: I agree with Dirk on this subject. However, I will say this in your favour: a court could accept the arguments you are making. They are, as it were, viable.

But I do not think they are strong. When a person, by his repeated course of conduct, has created an ongoing signal for "no warrant", and transforms what was a passive act of silence into a statement as loud as any, requiring such an individual to continue publishing is the equivalent of requiring that individual to remain silent.

I actually think warrant canaries are very likely misleading, and probably lead to unnecessary antagonism and frustration that helps no one.

Alexander Goldman • April 5, 2015 7:21 PM

In the USA, First Amendment law makes it more difficult for the government to make people lie ("forced speech") than to make them not speak ("prior restraint"). A warrant canary does not solve the gag order problem but increases the burden on the government.

It is also civil disobedience: the start of a conversation where none has been possible. The purpose of civil disobedience is to make people aware of a problem and to start a conversation.

Finally, Twitter is fighting the court battle (it's fighting prior restraint, not forced speech, I think):

HeyMomImInJail • April 7, 2015 4:51 AM

Do not presume, for even a second, that courts in Australia always operate by a means that could be considered reasonable.

gag-order NSL = KGB method, NSA created chaos • May 4, 2015 4:07 PM

legal hacks are cute, and indeed should be discussed, but the necessity to have recourse to such trickery at all to counter the arbitrary actions of an overbearing state-security apparatus reveals the true heart of the system mistakenly referred to as "western democracies" in current doublespeak. it is a symptom that cannot be mistaken except by the most naive people. it reveals that the so-called democratic and liberal states are anything but democratic and liberal. so they put on a show of being totally different from the defunct soviet union, and now they are copying its police-state excesses to a fault.

it is the hallmark of a Kafkaesque twisted dictatorship that people have to know all kinds of tricks to work around the system in order to retain any autonomy of action. it shouldn't be that way. rules should be fair, and there should be no secret law and no injunctions to lie.

information can be shared in unprovable ways. be stealthy. there is no law anymore. secret law is not law, arbitrary law is not law. remember, even if you are a supporter of that system and benefit from it, dictatorships are notoriously fickle.

the NSA-centered total national security system has created chaos by perverting the meaning of "rule of law". maybe some of them understand what they have done, and are already vying for a post-collapse position of power just like in the USSR. regardless, they will stumble over their own hypocrisy sooner or later, and in their downfall threaten to bring down a civilization.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.