Apple Employs ‘Warrant Canary’ To Warn Users Of Future Compliance With Patriot Act Info Requests

Section 215 of the USA PATRIOT Act is one of the most controversial parts of an already hot-button portion of US law. It allows for court orders, which can be made secret, that let the government collect data that may be relevant to a government investigation.

The big exception most take to the section is that it provides a much lower threshold for data gathering than a ‘probable cause’ warrant. Under Section 215, the government could force companies like Apple, Google, Yahoo, Dropbox or any other to disclose personal data about Internet usage, browsing habits or other items that it considers ‘tangible things’. And, because of the security requirements, it could force companies not to disclose that they had ever received such requests.

Obviously, this falls under the wider scope of government information requests for user data, which Apple spoke out against today and about which other companies like Dropbox have also filed amicus briefs with the Foreign Intelligence Surveillance Act court.

But another aspect of Apple’s report today stands out as a bold and clever move. Senior Counsel & Free Expression Director at Center for Democracy & Technology Kevin Bankston, formerly an EFF Attorney, noted an interesting claim in the document. Specifically, Apple stated that it had never received a PATRIOT 215 order.

The very last line of Apple’s report today states “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

The cleverness of this becomes evident when you realize that if it had received such an order, it could not disclose it under current rules surrounding national security orders for user data. This tactic of announcing ‘nothing’ with regard to a government subpoena for data is known as a kind of ‘warrant canary’. Basically, Apple says that at this point it has not received any such order. But if that phrase stops appearing in future transparency reports, its absence acts as a ‘canary in a coal mine’, indicating to users that Apple may have been forced to comply with such an order and not disclose it.

Civil Liberties attorney Matt Cagle notes that Lookout Security has also recently stated they’ve never received a national security order for user data.

This tactic was used by offsite backup company Rsync in what is believed to be the first application by a commercial company. While Apple’s specific application differs from that of an ISP or pure data provider, it shares the ‘silent alarm’ characteristics.