Canary Watch deduces federal gag orders

The US government and its courts routinely demand personal user information from email services, banks, phone companies and other online, telecommunications or financial services. These demands compel services to disclose details about email, phone calls and financial transactions. They also gain access to hordes of so called “metadata”, which can be just as personal as a user’s phone calls. It includes information about user relationships, locations, browser configuration and even search history. Many of these demands, such as the infamous National Security Letter stipulate that the service may not divulge that they were asked for the information in the first place. In fact, they can’t say anything about a de facto investigation!…

My friend, Michael, occasionally points out that skirting the law with Wink-Wink-Nod-Nod is still likely breaking the law. His point, of course, is that law is often based on intent. So with this in mind, what do you think about this clever reporting service?…

Canary WatchA service called, Canary Watch, lets online services like Verizon or Google send a continuous stream of data that repeatedly states “We are not currently compelled to turn over any data on our users”. Naturally, if the service suddenly refrains from sending the statement, a reasonable person can infer that the government is demanding personal information with the usual GAG order attached.

If you extrapolate this technique, a service like Verizon could continuously broadcast a massive list of usernames (or shorter hash codes representing individual users). These are the users who are not currently being investigated. Any change to the data stream would allow a 3rd party to infer and alert users who are the subject of an investigation.

With the launch of this service, Canary Watch wins the 2015 Wild Duck Privacy Award. This is the type of cleverness that we like! Why? Because it enhances transparency and helps everyone to control their own privacy, if they choose to do so.

Wild Duck Privacy Award

