Recently, Apple updated the privacy section on its website. While this was likely part of their response to privacy concerns due to the recent iCloud controversy, and fortuitously timed with the release of the newest batch of phones from the company, it also contains the latest edition of their transparency report. This report is a collection of the requests made by governments around the world for information about Apple device users and account holders. Curiously though, the most controversial aspect of the report may be what is not included.
As the Electronic Frontier Foundation reported Apple was one of the first major companies to make use of the device known as a warrant canary. A warrant canary is one of the methods that a company may use to alert the public of otherwise secret demands made by US government. Following the passage of the USA Patriot Act in 2001, the availability of secret subpoenas has been dramatically expanded, and may be used against anyone who may have information which the authorities consider relevant to their intelligence or terrorism investigations. Because of the nature of these subpoenas, criminal penalties may be assessed against individuals who reveal even the existence of the requests for information. To get around this, a company may publish a public statement that they have not received such a request. If that is no longer true, removing the statement, or refusing to make it again, signals the public that the government has asked for data. In the transparency report covering early 2013 Apple stated that it “has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” This language is missing from the more recent reports, instead stating “To date, Apple has not received any orders for bulk data.” This shift in language may be Apple’s signal that it has been forced to comply with an order under the Patriot Act.
An alternative view is that Apple is just complying with the latest addition to the government’s scheme of actually reporting on these kinds of requests. Detailed in a January 2014 letter to the general counsel of major tech companies, there are essentially two options available. A company may publish the amount of requests for specific kinds of information in bands of 1000, or may publish total aggregate numbers in bands of 250. Apple’s latest report indicates that it currently sits in the 0-250 band. The major flaw in both of these reporting capabilities is that the starting number is in fact zero, which is where the warrant canary can do its work. The letter indicates that there is to be a significant time delay between the issuing of a request and when a company may report on it, ranging from six months to two years for a new government security product. A timely published warrant canary may also circumvent this requirement. The risk of the canary from the government’s standpoint is that it undermines the nature of the secret orders and reduces the effectiveness of a major national security tool.
Whether the absence of the canary language indicates Apple’s compliance with the new government reporting scheme or is an admission that Apple has actually received a secret order, the takeaway is clear: The government has an arsenal of methods to acquire information about users of Internet services without their knowledge. The validity of these secret orders is an issue of supreme importance in our increasingly interconnected world. Among the variety of ways for companies to advocate for their users, publishing transparency reports similar to Apple’s is probably one of the simplest, and subtlest, ways to bring the discussion into headline news once again. The warrant canary is a device with perhaps questionable legal heritage, but it promotes a vigilant and informed public discussing a question at the crossroads of national security and personal privacy.