From page 5:
Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.
With that simple statement, Ars Technica’s Cyrus Farivar explains, Apple has become one of the few big tech companies to use a warrant canary – a method that companies can use to inform their customers when they have not been served with a secret government subpoena.
Such secret subpoenas, including those covered under the Patriot Act, come with gag orders that prevent companies from telling customers they’ve been served.
When a company publishes the dates on which it hasn’t received a subpoena, customers can then infer – from the missing information – the dates on which the company must have been served with one.
In the same vein, Apple might have also managed to inform customers that it’s been served with a subpoena for customer data, with attendant gag order, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act, all without breaking the law, moving its lips or saying a word about FISA.
The fact that it didn’t mention FISA could mean that it has been served, given that it did mention the subpoenas it hasn’t received.
FISA is a US law that compels companies to share data on foreigners (or “foreign powers”, which may include US citizens and permanent residents suspected of espionage or terrorism) and provides the legal basis for the National Security Agency’s (NSA’s) surveillance program.
This way of passively informing customers about subpoenas doesn’t violate laws, though it hasn’t been tested in court.
Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, said in his comments on the Ars Technica story that there are two nice things about Apple’s use of the warrant canary: the fact that Apple’s a big name, and the fact that Apple’s transparency report is only published once every six months:
I don't mean to say that Apple is magic, but that Apple is a name every federal judge will know. This relates to my second point...
...This canary is designed to chirp only twice a year, and only after a several month delay (transparency report published every six months, with a several month lag between the last data and the report). Why is this a good thing? Federal judges are inherently risk averse. They don't like to rule in a hurry, and when forced to rule in a hurry, they tend to err on the side of maintaining the status quo. In the warrant canary context, I fear that a judge forced to rule quickly would attempt to maintain the status quo by forcing the service provider to "feed the canary," that is to lie.
Apple is fully aware of that risk, Cardozo said, and that’s why the company has opted for “an every-six-months-with-a-several-month-delay-canary.”
That way, if Apple is faced with a Patriot Act request, it will be able to litigate without being in a mad rush.
“Think Lavabit, but worse,” Cardozo said.
...In the cool light of morning ... they'll be able to tee up the issue on full briefing to a federal judge who's NOT feeling rushed and who knows that he or she is dealing, not with some fringe security freak of a company (again, think Lavabit), but with a titan of industry.
Cardozo said it all in his summation: “Should be interesting!”