Resisting Access Requests

Be critical of any request for data that you receive from a governmental or law enforcement agency: not all requests from these agencies are lawful. They may try to scare you (e.g. by saying "you only have 24 hours to respond to this request"), but insist that they follow due legal process. They will likely need a warrant to obtain the data, and are hoping that you'll comply without one, enabling them to dodge accountability for their actions. Geofence warrants (requesting all data you have on users who were in a particular area at a specific time, for example attending a protest) have been ruled to be unconstitutional in the United States - the request must be much more specific for it to be legal. Check what legal precedents have been established in the legal jurisdictions your company operates in, and if you need legal advice on these requests, organizations such as the Electronic Frontier Foundation may be able to help.

And for every request you can't legally resist, there's a warrant canary. Like the proverbial canary in a coal mine, the idea behind these is incredibly simple: your canary acts as an early indicator of government interference. When the canary dies, it might be time to run. Typically, you would provide a webpage with some true statements. When those statements are no longer true, you silently take them down. Most users won't notice, but high-risk users who really need to know (such as journalists and political activists) will notice and can take action to try and protect themselves.

A photo of a noticeboard with a sign saying "The FBI has not been here"
Many US public libraries took a stand against the "library records provision" of the PATRIOT Act (which enabled the FBI to request access to individuals' borrowing records) by displaying paper warrant canaries such as this one. Photo by Jessamyn West.

For example, these were Cloudflare's warrant canary statements in 2020 (note how specific they are - and what's left unsaid):

1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.

2. Cloudflare has never installed any law enforcement software or equipment anywhere on our network.

3. Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.

4. Cloudflare has never modified customer content at the request of law enforcement or another third party.

5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.

6. Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
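A reader-side check for the idea above, as an added example (not code from this page or from Cloudflare): it compares a saved copy of a canary's numbered statements with a later copy and reports which statements were removed or reworded. The later snapshot is constructed for illustration, and the function names and the 0.8 similarity threshold are assumptions.

```python
import difflib
import re

# Statements 1, 2 and 5 from the 2020 list quoted on this page.
BASELINE = """
1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
2. Cloudflare has never installed any law enforcement software or equipment anywhere on our network.
5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
"""

# CONSTRUCTED later snapshot, for illustration only (not a real change):
# one statement is gone and another has been quietly narrowed.
LATER = """
1. Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
2. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement.
"""

def parse_statements(page_text):
    """Split a numbered canary list into whitespace-normalized statements."""
    items = re.split(r"(?m)^[ \t]*\d+\.[ \t]+", page_text)
    cleaned = (re.sub(r"\s+", " ", i.replace("\u2019", "'")).strip() for i in items)
    return [c for c in cleaned if c]

def check_canary(baseline_text, current_text, threshold=0.8):
    """Classify every baseline statement as kept, reworded or removed."""
    baseline = parse_statements(baseline_text)
    remaining = parse_statements(current_text)
    report = {"kept": [], "reworded": [], "removed": []}
    unmatched = []
    for stmt in baseline:              # pass 1: statements that survive verbatim
        if stmt in remaining:
            remaining.remove(stmt)
            report["kept"].append(stmt)
        else:
            unmatched.append(stmt)
    for stmt in unmatched:             # pass 2: closest surviving wording
        scored = [(difflib.SequenceMatcher(None, stmt, c).ratio(), c) for c in remaining]
        score, best = max(scored, default=(0.0, None))
        if score >= threshold:
            remaining.remove(best)
            report["reworded"].append((stmt, best))
        else:
            report["removed"].append(stmt)  # this canary statement has died
    return report

if __name__ == "__main__":
    for status, items in check_canary(BASELINE, LATER).items():
        for item in items:
            print(status.upper(), "|", item)
```

A reworded statement deserves the same attention as a removed one: the narrowed wording shows what the publisher is no longer willing to assert.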

Will the disappearance of your warrant canary hit your bottom line? Unless your business is tailored towards protecting high-risk individuals, most likely not. The warrant canaries of Apple, Pinterest, Reddit, and many other tech companies have sadly disappeared over the years, but they still have thriving user bases. When your canary does die, transparency reports are a sensible next step. In these, you disclose aggregate details of the government requests you've received (and from which governments) so that your users can judge for themselves whether providing their data to you is within their risk tolerance. Again, this information is primarily for your high-risk users, who can use it to make informed choices based on which governments are targeting them.

⚠️ Please seek legal advice before publishing a warrant canary or a transparency report. While it may be legal to silently take down your warrant canary even if the data disclosure itself is subject to a government gag order, this is not legal in all jurisdictions. The legality of warrant canaries rests on the legal assumption that "a prohibition against speaking doesn't prevent someone from not speaking". In Australia, for example, this is unfortunately not true for several types of government warrant.


Further Reading