After the drama of the past few months, Julian Assange could be forgiven for wishing that the world still communicated via passenger pigeon.
Seattle-based email provider Riseup’s “canary” expiration baffled the public for months and led to emotional, nonfactual accusations that Wikileaks had been “compromised” by state actors. But what is Riseup’s canary and how did an anomaly related to it cause so much concern? To explain that, it is necessary to outline the legal processes that made canaries necessary, how they work in relation to the law and what a canary is exactly.
Historically, canaries have been famously used in mines as a way to warn miners when oxygen levels are dangerously low. In the modern world, a “canary” is a method that programmers have devised as a way to get around legislation that allows intelligence and regulatory agencies to legally silence private individuals and organizations. Programmers and IT workers love metaphors. The main screen of one’s computer is called a “desktop” when it is clearly not; the device one uses as a pointer on a computer is known as a “mouse” when it is clearly not a rodent. A “canary” is no different and merely serves as a metaphoric way to describe how the entity functions.
I. The Laws And Secret Courts Which Made Canaries Necessary
Before explaining exactly how a canary works, it is necessary to explain why they are needed at all. In the United States, the canary was developed in response to the actions of the Foreign Intelligence Surveillance Court (FISC), which was founded under the Foreign Intelligence Surveillance Act of 1978 (FISA). The Court has greatly expanded the power and control of U.S. intelligence agencies and has been accused by the New York Times of becoming “a parallel Supreme Court.” The FISC is generally what activists and whistleblowers refer to when talking about “secret courts” in the United States.
The FISC (and courts like it in other countries) are authorized to issue gag orders to individuals and organizations which can legally forbid them to talk about certain topics under the Electronic Communications Privacy Act of 1986. The gag orders can also obligate individuals to surrender electronic devices to authorities or allow the devices’ programming to be altered by the state for various purposes (uploading malware to allow the state to spy on all customers for example). Any company or individual who refuses to cooperate and comply with these orders risks being sent to jail and having their business interests destroyed by the state. Even talking publicly about the fact that one has received a gag order is a violation of the law. In 2013, Edward Snowden’s email provider Lavabit shut down its operations to avoid having to comply with a gag order which they believed would force them to become complicit in crimes against the American people.
II. How Canaries Allow Private Parties To Subvert Gag Orders
So how does an individual or business tell their collaborators and the world that they have received a secret gag order? The answer is actually quite simple when broken down clearly. In the United States, the government may stop certain kinds of speech, but it is barred by the Constitution from compelling it.
Companies have taken to including a paragraph known as a Canary Statement in their Terms of Service, stating that they have never been targeted by National Security Letters or FISA court orders, that they have never been subjected to a FISA gag order and have never placed or been asked to place malware or backdoors into their software for a government agency. The Terms of Service are updated regularly (usually once a month or financial quarter) to confirm that the company is still not subject to gag orders. The United States cannot compel a company to update its Terms of Service, so a failure to update them indicates to observers that the company has now received a secret court order and is compromised.
III. How Canaries Are Verified Using PGP Encryption
Many times, especially in cases where the company is a provider of secure online services, the Terms of Service will be signed and verified by a Pretty Good Privacy (PGP) “key” to provide added assurance of who is really sending the message.
Invented in 1991, PGP is an encryption method that can be used both to encrypt messages and to add a unique signature to a document. An individual using PGP will create two “keys,” or mathematically generated long strings of randomly organized letters, numbers and symbols which are nearly impossible to crack without using a supercomputer. One key is “public” and is shared with individuals who are to receive encoded messages. The other is “private” and held by the original author.
When a message is encrypted, the normal text is transformed by a mathematical algorithm into a string of indecipherable text that looks similar to the public and private keys. A special key known as a “session key” is automatically added to the public key so that it will be able to decrypt that specific message and re-convert it back into normal text. An author wishing to sign their message using a PGP cipher merely needs to encrypt it and post the string of indecipherable text along with the normal text of their message. Individuals holding the public key can then use it to decrypt the text and ensure that the encrypted message matches the unencrypted one.
A PGP key is merely one of many ways to verify identity and should not be considered the most important or only means of establishing an author’s “proof of life.” Wikileaks holds a number of PGP keys, none of which are associated with any particular individual in the organization. The organization has repeatedly stressed in press releases that it does not use this form of encryption for proof of life due to the fact that the private key can easily be hacked, stolen, or otherwise manipulated. Wikileaks advises that parties do not contact them via PGP due to the potential for abuse of this communication method.
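A monitoring check for the mechanism described in sections II and III, as an added example that is not part of the original article or of any provider's tooling: it reads the statement date only from inside the PGP-signed frame and flags a canary that has outlived its update schedule. The sample text, the 92-day quarterly limit and the function names are assumptions; the signature itself still has to be verified with a PGP tool.

```python
import re
from datetime import date

QUARTERLY_DAYS = 92  # assumed update schedule, not a provider's stated policy
# Constructed sample (OpenPGP cleartext layout, placeholder signature block).
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Canary statement dated 2016-04-10.
No gag orders received, no backdoors placed.
- -- Example Collective
-----BEGIN PGP SIGNATURE-----

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

FRAME = re.compile(
    r"^-----BEGIN PGP SIGNED MESSAGE-----\n"
    r"(?:[^\n]+\n)*\n"          # armor headers ("Hash: ..."), then a blank line
    r"(?P<body>.*?)\n"
    r"-----BEGIN PGP SIGNATURE-----\n.*?\n-----END PGP SIGNATURE-----$",
    re.S | re.M,
)
ISO_DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

def signed_body(document):
    """Return the text inside the signed frame, or None if the frame is absent.
    Framing only: the signature still has to be checked (e.g. gpg --verify)."""
    m = FRAME.search(document)
    if m is None:
        return None
    # Lines starting with "-" are stored dash-escaped as "- -..."; undo that.
    return re.sub(r"^- ", "", m.group("body"), flags=re.M)

def canary_status(document, today, max_age_days=QUARTERLY_DAYS):
    """Classify a canary as malformed, undated, postdated, fresh or expired."""
    body = signed_body(document)
    if body is None:
        return "malformed"
    m = ISO_DATE.search(body)       # dates outside the signed frame are ignored
    try:
        issued = date.fromisoformat(m.group(0))
    except (AttributeError, ValueError):  # no date found, or not a real date
        return "undated"
    age = (today - issued).days
    if age < 0:
        return "postdated"
    return "fresh" if age <= max_age_days else "expired"
```

Calling `canary_status(SAMPLE, date(2016, 8, 15))` returns `"expired"`, matching the gap the article describes between the April 10 statement and the August 15 observation.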
IV. Riseup’s Canary Interruption, And Why It Does Not Affect Wikileaks
Riseup.net is a Seattle-based volunteer collective which provides a secured email service used by Wikileaks. On August 15, 2016, users on Twitter noted that Riseup had not updated their Canary Statement since April 10, 2016. Riseup apologized for the delay and their Canary Statement was updated the next day. Speculation continued, however, as Riseup made a number of other tweets which many speculated were indirect communications indicating that they had been served with a FISA gag order. Riseup has continued to insist that its systems are fully under control.
In a January 19th, 2017 press conference held over online streaming service Periscope, Julian Assange was asked whether he was concerned over the expiration of the Riseup Canary Statement. Mr. Assange gave a brief explanation of the purpose of Canary Statements and how they are used to alert others that a service provider has been served with a gag order. He further explained that Wikileaks does not use one particular email provider, that they operate under the assumption that email in general is a compromised form of communication and any theoretical compromise of Riseup’s services would not affect the organization’s day to day operations.
Assange noted that the delay in the Canary Statement update was likely due to an attempt to subpoena or take some other kind of legal action against Riseup, which might account for their statements that they would be seeking legal counsel on the matter and would not make any public comment beyond an assurance that their service was not compromised. He refused to make further comment until Wikileaks was able to diversify the number of sources they could cite with information on the matter.
The speculation about Riseup’s Canary Statement and the alleged service of a gag order follows a number of conspiracy theories circulating online, making unfounded speculations that Julian Assange was dead, that he had been extradited secretly to the United States or that Wikileaks was otherwise compromised and untrustworthy. None of these theories have been proved to be accurate or founded in fact and Wikileaks has denounced them as being part of a “Black PR” campaign being pushed to discredit the organization. Mr. Assange remains in Ecuador’s London Embassy, where he has been held in de-facto captivity since August 2012 after being granted asylum by Ecuador. On April 6, 2016 the United Nations Working Group on Arbitrary Detention found that Assange’s detention was unlawful. They ordered that he be released immediately and compensated by Sweden and the United Kingdom for the roles these states played in his captivity.