The US government last week conceded for the first time that some companies have the right to publish so called “warrant canaries” in a new filing supporting its partial motion to dismiss Twitter’s effort to publish more detailed statistics about the national-security surveillance requests the company has (or has not) received. This is indeed a significant development, and it should remove a cloud of legal doubt for certain providers who publish statements indicating they have received zero national-security requests. But the government’s concession comes with several qualifications that significantly limit its reach, and the biggest statutory and constitutional questions surrounding warrant canaries will have to await decision on another day.
The government’s latest filing completes its effort to have the case dismissed ahead of oral arguments that are slated for March 31 in the Northern District of California. At stake is Twitter’s attempt to publish its preferred version of its transparency report — one that almost surely indicates an absence of certain types of national-security requests. Such a format currently violates a reporting structure the government has pointed to as “describ[ing] the bounds of existing classification (and declassification) decisions and restrictions on disclosure under legal authority.” Twitter filed its opposition brief in February, supported by five amici. (Disclosure: I supervised students in the NYU Technology Law & Policy Clinic in the filing of a First Amendment amicus brief in the case on behalf of the Freedom of the Press Foundation.)
The government’s new brief makes several points, but I will focus on the warrant-canary issue. In its complaint, Twitter alleges that the government blocked publication of its draft transparency report by relying on the terms of the so-called “DAG Letter” to claim that Twitter’s report contained unspecified classified information. The DAG Letter emerged from transparency litigation brought in the fall of 2013 by several major technology companies (not including Twitter) in the Foreign Intelligence Surveillance Court. The letter sets out various ranges in which companies can lawfully tally the national-security surveillance requests they receive over historical six-month periods. Notably, those ranges begin with and include zero, meaning a company that has not received any requests cannot plainly indicate that fact to its customers and the public through a warrant canary.
With last week’s filing, the government has responded squarely to Twitter’s argument, saying that the DAG Letter is not a legal authority that binds providers to a particular form of transparency reporting. Rather, as the government sees it, the legal obligations of any provider, including Twitter, stem only from “FISC orders, directives supervised by the FISC, the FISA and NSL statutes themselves, and nondisclosure agreements.” The DAG Letter, in the government’s view, simply reflects and memorializes past declassification decisions made by the executive branch.
As a result, the government concedes that companies who have never received any kind of national-security request from the government and who are not bound by other nondisclosure provisions vis-à-vis the government may lawfully publish warrant canaries publicizing that fact. The government states that it has never sought, nor would it seek, “a court order or otherwise tried to stop a company from reporting it has never received an NSL or FISA order,” even though “such statements may inform terrorists which communication channels are ‘safe’ for them to use and, thus, may hamper national security investigations.” Credit where it’s due: that’s not the kind of statement we’re used to seeing from the government. The government’s brief even cites one of the most long-standing warrant canaries — that of rsync.net — and portrays it as lawful.
However, as I mentioned earlier, the government’s concession comes with several critical caveats.
First, the government argues that the secrecy obligations attendant to FISC orders and national-security letters (NSLs) demand that once a company has received a national-security request of any type, it is prohibited from revealing which type. In other words, if a company has received an NSL (and only an NSL), it cannot post a warrant canary on its website representing that it has never received an order under (for example) Section 215 of the Patriot Act. This is because, on the government’s argument — which it previews in footnote 5 of its brief, despite claiming it to be beyond the scope of its motion — any statement by a company that refers to a particular type of national-security request may reveal, “even by implication,” intelligence sources and methods. (My clinic’s brief, as well as those of other amici, argued that this sort of argument could not withstand strict scrutiny under the First Amendment.)
Second, it is unclear whether the government intends to bless only “collective” warrant canaries — that is, canaries that only cover all national-security process, rather than canaries that refer to specific, individual authorities. In its brief, the government repeatedly groups NSLs and FISC-ordered process together, making it difficult to determine whether the government believes more specific canaries — for example, those indicating the non-receipt of Section 215 orders — are lawful. (Note, though, that this may not matter: Under the government’s position outlined above, a company that posts a Section 215–specific canary and then receives a different type of process — an NSL, for example — could no longer post the Section 215 canary as a result of the NSL’s secrecy obligations.)
And third, the government says nothing in its brief about what it will do in the case of an eventual warrant-canary showdown. As I’ve explained, that litigation scenario was short-circuited by Twitter’s complaint, but one day, it may play out as follows:
(1) a company publishes [a] canary for a particular type of surveillance request; (2) the government serves that type of surveillance request on the company; (3) the government seeks to prohibit the removal of the canary from the company’s site; (4) the company sues on First Amendment grounds, arguing that the government cannot compel it to lie to the public (i.e. that it has not received a type of request when, in fact, it has).
Despite its silence on this particular scenario, however, the government’s brief does make clear that it views the communication by a company subject to secrecy obligations of information regarding particular types of national-security requests — “even by implication” — to be unlawful.
As to the question of how far the government will go to prevent the communication of such information by a particular company, either before or after the fact, we’ll simply have to wait and see. But the government’s new filing brings us at least one step closer to finding out.