Given the way this warrant canary works, in that it’s published daily, wouldn’t the government instructing that you cannot opt to stop publishing the canary equate to compelling speech, and be a fairly clear path to a First Amendment violation? I ask this as a total outsider to both the United States, and US law.
I wonder if any companies have considered publishing warrant canaries as part of their public securities filings (for example, inserting it into the risk factors sections).
There is a fairly reasonable argument one could make for doing so:
- The company's value is tied to its reputation for securing its users' data
- An NSL or similar would risk their users' security and the company's reputation
- This will affect the value of the enterprise and therefore the existence of an NSL ought to be disclosed to investors
However, at the meta-level, this would be a substantial escalation since an order to continue publishing a canary is no longer just compelled lying, but compelled securities fraud, effectively pitting one branch of government (the national security apparatus) against another (the SEC).
Concrete case: you are the owner of an encrypted chat app, let's say "WhatsSignalGram".
Tomorrow, the government is asking you to capture messages of some users that are planning a terrorist attack.
By default your app is not capturing these messages, but technically you could do it with a specific update.
The lawyers already challenged the decision, they confirmed the request cannot be avoided.
You end up pushing a backdoor targeting specific users ("a law enforcement custom update").
Court is explicitly asking you to not disclose the existence of this special update.
As a business owner, why would you reveal it?
You'll go to jail (or struggle in court at least) for a few years, have a horrible reputation and end up poor because your company is going to lose all its user base :/
This sounds like an insane decision.
The users, upon learning you got backdoored are going to go away, because the competitors "Telegram", "WhatsApp", etc, they will not have removed their canary or they will simply not have claimed anything :)
Perhaps on paper the law cannot force you, but if you don't comply you are cutting the branch you are sitting on.
The alternative is just to leave the warrant canary and live happily after.
Perhaps you even made the world better after all and actually prevented an attack.
The sort of banana republic that can generate a court order for you to do that is the same kind that would simply put a gun to your head instead. In the US, no court would order that type of equitable relief.
But, pretending that's not the case:
> As a business owner, why would you reveal it?
Because you have principles? Backed up with at least a little bit of spine?
> You'll go to jail (or struggle in court at least) for a few years, have a horrible reputation and end up poor because your company is going to lose all its user base ?
It's not clear that you would go to jail. You can simply shut down[1]. For those that actually care about privacy, your reputation would only increase.
Not a single doubt that the authorities (everywhere in the world!) have plenty of ways to coerce businesses and their owners to collaborate if the cause is important enough.
Blockchain-based OSS regularly gets negative comments here on HN, but they do implement such workarounds (personally I think xx Network is well-protected), as do non-blockchain based Open Source projects. The problem for the latter is no funding for devs and independent, decentralized infrastructure.
> The alternative is just to leave the warrant canary and live happily after.
Another alternative would be to implement Binary Transparency, and make the app only download updates whose hashes appear in an independently-run jurisdictionally-decentralized append-only log. (Rolling out such a change might take too long to help the target of the current NSL, but it would protect future users, and announcing such a feature would itself be sending quite an important message).
I suppose if your business relies on keeping its source code secret, then you could just put an "if userName == the_target_mentioned_in_the_NSL" branch into the code, so that all your users receive the same update, but hopefully someone out there would be able to reverse engineer that code (perhaps after an anonymous tip-off).
Perhaps the government would be willing to pay for a software engineer to obfuscate the code enough that this malicious branch won't be detected in time, but I think that would put selective pressure on software companies to not distribute obfuscated binaries.
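The client-side check that the Binary Transparency comment above describes, as an added example that is not part of the original thread. It assumes RFC 6962-style Merkle hashing and tree heads whose signatures were already verified; the operator names, release bytes and `update_allowed` are constructed for illustration.

```python
import hashlib

def leaf_hash(data):                 # RFC 6962 domain separation: leaves get 0x00
    return hashlib.sha256(b"\x00" + data).digest()
def node_hash(left, right):          # interior nodes get 0x01
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)   # largest power of two < n
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, i):      # log side: audit path for leaf i
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if i < k:
        return inclusion_proof(leaves[:k], i) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], i - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf, index, size, proof, root):   # client side
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def update_allowed(binary, index, proof, heads, quorum):
    # heads: {operator: (tree_size, root)}; signatures assumed already verified.
    votes = sum(verify_inclusion(leaf_hash(binary), index, size, proof, root)
                for size, root in heads.values())
    return votes >= quorum

# Constructed sample data: five public releases and one targeted build.
RELEASES = [b"app-1.0", b"app-1.1", b"app-1.2", b"app-1.3", b"app-1.4"]
TARGETED = b"app-1.4-targeted"
LEAVES = [leaf_hash(b) for b in RELEASES]
HONEST = (len(LEAVES), merkle_root(LEAVES))
FORKED = (6, merkle_root(LEAVES + [leaf_hash(TARGETED)]))
```

With a quorum of 1, a single coerced operator serving the forked head is enough to get the targeted build installed; requiring agreement from independently run operators is what makes the fork visible.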
I'm late to add to this conversation, but one of the reasons Storj is open source is so that our customers can audit our code and end-to-end encryption to confirm that no backdoors exist.
> wouldn’t the government instructing that you cannot opt to stop publishing the canary equate to compelling speech
We compel speech in companies all the time. We force them to disclose ingredients and add labels to their products. We force them to hand over financial information and employee records. Forcing them to lie is something I haven't seen though.
I don't see how the government could be stopped from forcing a company to hand over their encryption keys and just continuing to publish the canary on the company's website themselves though.
> I don't see how the government could be stopped from forcing a company to hand over their encryption keys and just continuing to publish the canary on the company's website themselves though.
The government could force the handover of encryption keys, with the caveat that if a set of keys controlled by the provider can compromise your security, it's a trash system.
Forcing the existing canary to remain would be straightforward as well.
Compelling false speech, i.e., continuing to publish a time-based canary, is a huge leap from either of those things.
I thought it was more that you can't be ordered to lie.
Not saying something is one thing, saying something false is something else.
It boggles my mind. "Why do I have to comply with this order?" "Because not complying with a legitimate authority is breaking the law." "Can you really use an argument based on the sanctity of the law to justify ordering me to break the law?"
Imagine you are a 5 year old child, and the judge is your parent. You think that this argument would work for them?
Trying to logic bomb your way out of this is just asking for a summary judgement against you. It doesn't matter if it's not logically consistent, most rulings aren't! They will simply ignore this argument.
The counter to the "compelled speech" argument is that the government is not the one that forced you to start doing warrant canaries! You started doing warrant canaries, the gov't wouldn't ask for a remedy of you putting up continued canaries. You put the onus on lying on yourself, and if you don't do it you'll just be charged with revealing the facts.
Government demanding you to compel speech is not what would happen.
I would take odds that the current Supreme Court would rule the government forcing you to continue to publish the canary was compelled speech in violation of the 1st Amendment.
NSLs are already on shaky legal ground in the first place with a good part of the court looking for ways to curb them. Which is why when push comes to shove the government often drops challenges to their authority instead of allowing it to get up to the Supreme Court.
They, like common thugs, exist because of the threat and the fact that most people lack the resources to fight them so they just give in.
It's not a 'logic bomb'. US law sets a high bar for prior restraint, an even higher one for compelled speech, and has never compelled false speech as far as I'm aware.
And no, most rulings are, in fact, logically consistent.
I still contend that "compelled speech" is not what's happening when you get charged for publishing the existence of the NSL through a bed of your own making. Though I do agree that the feeling is very different compared to regulation of other commercial speech because of the ... lying aspect.
If we take the inverse, and we are talking about prior constraint, I have a really hard time imagining courts not siding with the executive. There are so many more controversial things the courts side with on law enforcement, "do not tell people who we are investigating" feels like such an easy win (and honestly much more acceptable to the general public than anything).
I feel like there's some fundamental argument here about negligence. In what way is the government responsible for you making a promise you can't keep to your customers?
But... ultimately there's no "real" answer except what the case looks like when it gets in front of judges and how they feel about it. And I will admit arguing it's not compelled speech takes a hell of a lot more effort (even if I believe it's true!).
If compelling this speech is a First Amendment violation, wouldn't the prohibition on outright saying you got the warrant also be a First Amendment violation?
No. US law makes a distinction between 'prior restraint' and 'compelled speech'.
Prior restraint is the government forcing you to _not_ say something.
Compelled speech is the opposite, forcing you _to_ say something.
Both have a high bar to meet, and meeting one does not mean that you meet the other. In the case of compelled speech, I don't believe a US court has ever ordered someone to lie, which is what would be required here.