One of the tools used by the FBI to investigate national security threats is called a National Security Letter (NSL). The NSL is designed to allow the government to request and monitor data from an ISP secretly. Often the letter will include a gag order that prevents the ISP from notifying its customers that it received this request. Some say that this tool is unconstitutional and there is a fierce debate ongoing from the date of the article, both in public opinion and the courts. At stake
What is an NSL?
National security letters are issued by a FISA court (Foreign Intelligence Surveillance Court) in secret to allow the US government access to information required to surveil their suspect. The courts work in secret because the information discussed during the cases could be used to interrupt active investigations. Many times the NSA letters are issued to ISP’s so that the US government can monitor emails from one of their targets. Since the courts and their resulting warrants are secret there is very little insight into this process. The NSL’s also include a gag order that prevents the ISP from notifying its customers that they’ve been compromised. A federal court has ruled that a NSL + gag order is unconstitutional, but the US government is currently appealing the decision.
In 2014 the Inspector General investigated the FBI’s use of NSL’s and concluded that there were times that they were misused. The report recommended among other things that the FBI do a better job of record keeping and performing regular reviews to make sure that NSL’s were being used properly.
So how does one know when an ISP was compromised if the ISP has been gagged from saying so?
What is a Warrant Canary?
This is where warrant canaries come into play. The warrant canary is a public statement (usually on the ISP’s website) indicating that:
- They have not received a NSL or any other Gov request for information as of this date…
- That this statement will be updated on a predictable recurring frequency.
As long as the warrant canary is updated with a new date, on schedule, the ISP has not received a NSL. However if the warrant canary page is deleted or if it isn’t updated during its scheduled window, then you can assume that the ISP did in fact receive an NSL.
Why should ISP’s publish warrant canaries? We live in an unprecedented time of mass government surveillance. When an ISP publishes a warrant canary, they are supporting greater transparency around government surveillance and supporting the debate on whether or not these programs are constitutional.
Medium has a great example of a warrant canary. You can find it here.
Even large corporations like Apple have recently adopted warrant canaries. In their first published transparency report Apple stated:
Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.
This simple line of text is clearly a warrant canary. If that line is missing from any future Apple transparency reports it would signal that Apple has indeed received
Warrant Canaries in Real Life
Most recently a popular encrypted email service called Riseup.net failed to update their warrant canary. The canary was due to be updated four days ago and it still hasn’t been touched. Speculation is that they’ve received an NSL request in the past quarter. The official twitter account for Riseup has this strange tweet and there have been no more tweets further fueling speculation that they’ve been served.
In the past there have been other incidents where warrant canaries signaled that NSL’s were received. In March 2016 the popular website Reddit removed their warrant canary from their regular transparency report. This signaled to folks that they had in fact received NSL letters.
Another famous incident happened with the developers of the popular encryption software called Truecrypt. This encryption software had been downloaded over 30 million times. The developers of the software have always remained anonymous and the project is open source hosted on sourceforge. One day the source forge page read:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
The developers went on to explain that they had abandoned the project and recommended that folks migrate their data to something else.
Many security experts speculated that this was a form of warrant canary. The Truecrypt developers had probably received a NSL and decided to shut down the project rather than put some government back door into their product.
Another interesting clue that could just be coincidence:
Using TrueCrypt is not secure as it
If you take the first letter of each bold word:
TrueCrypt is NSA
There are many more examples where warrant canaries set off speculation that NSL’s were served.
The debate on the constitutionality of NSL’s and gag orders is still being determined in the courts. For the time being the government is going to try to use what ever resources they have available to them to do their job.