Has Australia killed the warrant canary?
Amoungst liberal democracies, the Australia Government has lead the way in legislating against digital privacy and security. Calling on all the usual bogeymen in their justifications, while giving law enforcement and intelligence agencies warrantless access to individuals metadata and attacking encryption protections.
One of the tools privacy and security advocates have used to fight against excessive government intrusion is the Warrant Canary. Many governments have warrants that can demand IT service providers hand over information about their customers, combined with a gag order making it illegal to tell anyone that they have received such warrants. Service providers have responded to these laws by telling their customers when they have not received these warrants. They continue publishing these “warrant canary” statements at regular intervals. Once they cease publishing them, customers see that “the canary has died” and are left to assume that the service providers have received a warrant and are not allowed to speak about it.
In 2015 ArsTechnica reported on new Australian laws making some warrant canaries illegal. It made it illegal to “discloses or uses information about the existence or non-existence of such a [journalist information] warrant.” They asked “Is this the first law to make warrant canaries illegal?” To date it seems this question has remained unanswered. But at least they asked the question. Others reported outlandish claims that “Australian surveillance law killed all their canaries in 2015” (emphasis mine), a claim that can quickly be debunked.
The law in question, the “Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015”, more commonly known as the “Metadata Retention Act”, requires telecommunications companies to store all metadata related to their customers for a period of at least 2 years. They are required to give access to this information to a range of government agencies on request. No warrant is required. To provide a small amount of protection to journalists, a warrant was required if the data being requested was in relation to a journalist.
The “Journalist Information Warrant” is obtained in a private court, and carried out without the awareness of the public or the journalists targeted. And it is illegal for anyone involved to disclose the existence or non-existence of such a warrant. A warrant canary stating “We have not received a Journalist Information Warrant” could see it’s author being jailed for 2 years.
In answer to the question from ArsTechnica, this is not the first Australian law, to outlaw warrant canaries or the “disclosure of the non-existence of a warrant”. It is a relatively simple matter to take the wording of the Metadata Retention Act in relation to this non-disclosure and search for similar wording in Australian Governments Federal Register of Legislation. It is not surprising that this search brings up other Telecommunication related legislation. As an aside, the other area of law in Australia that uses similar wording is Freedom of Information law.
The first law outlawing Warrant Canaries seems to come in 1995 with the “Telecommunications (Interception) Amendment Act 1995” which came fully into force in late 1996. This law made it illegal to state that an Interception Warrant did or did not exist.
This is well before the first talk of Warrant Canaries. It appears that in 2002, Steven Schear was the first to suggest a method that would develop into what we now know as Warrant Canaries. It is beyond the level of investigation that I am willing to do at the moment, but it would be interesting to know what lead to the wording of this law in 1995. Was Australia, not only the first to outlaw Warrant Canaries, but potentially the first to use them?
From 1995 to the present, it seems all subsequent federal telecommunication related warrants or orders which required secrecy made Warrant Canaries illegal in a similar way. Given this history it is unsurprising that Warrant Canaries are largely absent from the Australian tech landscape.
What this means for the privacy landscape in Australia today is unclear. With the wide-scale availability of easy to use, end-to-end encrypted messaging systems such as Signal or Protonmail, the use of Warrant Canaries may not be as key to securing of online privacy as they once were. Added to that, the Metadata Retention Act 2015 gives law enforcement agency unfettered access to anyone’s metadata without a warrant (with the exception of Journalists — as already mentioned). And the Australian government clearly sees the current battle ground as encryption, with it’s Access and Assistance Act 2018 requiring InfoTech services providers to assist in breaking encryption of targeted individuals messaging systems.