ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

Are Warrant Canaries Useful?

Public concern about mass government surveillance of the internet has grown ever since Edward Snowden exposed the incredible scale and scope of the NSA’s spying operations to the world. It has since become popular among internet services that handle sensitive data, or which are intended to protect users’ privacy (such as VPN services), to issue  warrant canaries. These are intended to reassure customers that the service has not been compromised by the government and served a gag order.

In the United States, any company can be issued with a secret government subpoena or national security letter (NSA). This forces them to hand over all data pertaining to either a named customer, or even to comply with a blanket order to hand over information on all customers. The company may also be required to start keeping logs of users’ new activity, even if it would not otherwise do so.

Such subpoenas or NSLs are typically accompanied by a gag order, which prevents the company (or any of its staff), under threat of serious legal consequences (as time in jail), from disclosing the existence of the subpoena or NSL to its customers. Most other countries have similar laws.

Perhaps the most infamous case involving such a gag order is that of Lavabit. In 2013 this secure webmail company was subpoenaed (with gag order) to hand over the SSL private keys of all 400,000+ customers to the NSA in order to spy on Edward Snowden (who was believed to have used the service).

Owner Levi Levinson chose not to comply, and immediately closed down his company in order to protect the privacy of its users. He was later convicted of contempt of court.

What are warrant canaries?

A warrant canary is a regularly updated statement by a company that it has not been compromised and served a gag order. If a warrant canary is not updated at regular intervals (usually to a set schedule) then users should assume that the service has been compromised.

VPN outfit iPredator, for example, publishes a warrant canary "at least quarterly,” which states that,

"IPredator has not received any National Security Letters or FISA court orders, or has been silenced by similar (il)legal and anti-democratic law tools.

This statement is signed with a PGP key intended to verify its authenticity.

Warrant Canaries work on the notion that a government can legally silence an individual, but that it cannot force them to tell a lie (i.e. to falsely update the warrant canary).  In the US it is argued that the First Amendment protects against compelled speech. As the Electronic Frontier Foundation (EFF) notes,

"While the government may be able to compel silence through a gag order, it may not be able to compel an ISP to lie by falsely stating that it has not received legal process when in fact it has.

The idea of warrant canaries has been championed by the EFF, which operates Canary Watch, a website dedicated to monitoring whether companies allow their warrant canaries to lapse.

Can a warrant canary be trusted?

On the face of it, warrant canaries sound like a good idea. Many are not convinced, however, arguing that warrant canaries are little more that puff and smoke advertising with little to no real substance.

1. First Amendment protection for the use of warrant canaries is purely conjectural – it has never been tested in a court of law. It is very possible that a US court would rule that failure to update a warrant canary constitutes contempt of the legal requirement placed on an individual.

This is even more true outside the US, where people do not enjoy the explicit Constitutional rights afforded to US citizens. Australia is the first country to explicitly outlaw the use of warrant canaries, and other countries (such as the UK) are likely to follow soon.

2. A website can be easily be taken over by a government and false updates given. Securing a warrant canary with a PGP key is intended to protect against this, but a) how many people actually check these PGP keys?, and b) if a company owner can be compelled to compromise his or her service, they can also be compelled (or bribed) to hand over their PGP keys.

As Brett Max Kaufman, a lawyer at the American Civil Liberties Union, told the BBC,

"If the government asked a company to leave its warrant canary up (and therefore communicate something false to the public), the company would have the right to challenge any gag (under the First Amendment... or under certain provisions of the USA Freedom Act) in court. But if a court upheld the government's request... the public would be none the wiser, at least for some time. Indeed, that would be the entire objective from the government's perspective."

An individual who was quick enough might be able to destroy all copies of their PGP key (which will be stored in a variety of places so it that can be verified) before being forced to hand it over. This would allow an eagle-eyed observer to notice the missing signature if the company is forced to keep updating its warrant canary. There is still no way, however, for customers to know whether or not a key has not been destroyed.

Secure web storage firm SpiderOak makes a brave attempt to address this problem by having its warrant canary digitally signed by 3 different high ranking individuals within the company (who are presumably located in different geographical locations). This would certainly make coercing (or bribing) all signers more difficult (or expensive), but provides no cast-iron guarantees that this is the case and that they can all be trusted.

3. Even when warrant canaries are "triggered” (i.e. they are not updated in a timely manner), this is often ignored. A good example is Apple, which in 2014 removed its warrant canary from its latest transparency report. Despite this, it was widely argued that the removal probably did not mean that Apple had been forced to hand over data following secret government orders. This may or may not be true, but whatever the case, the incident was quickly forgotten and customers carried on trusting Apple as usual.

Another example is the missing warrant canary in Reddit’s 2015 transparency report. Despite some initial concern among a small subsection of Redditors, business on the Reddit forums has also since continued as usual.

What, then, is the point of having a warrant canary, if its disappearance causes no alarm!?

Conclusion

Warrant canaries are a flawed idea that serve mainly as promotional fluff for companies keen to display their privacy-friendly credentials.

The fact that even when warrant canaries are triggered, this is routinely ignored (presumably because acting on the trigger is inconvenient for users) only serves to further undermine what little confidence we can have in such a measure.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

6 Comments

allseasonradial
on July 6, 2019
VPNSecure's warrant canary is no longer available, if anyone is still interested.
Yoshi
on July 30, 2018
I am not sure, maybe it would take a "quantum canary" or Schrödinger's purring cat sitting in the VPN provider's server rack in order to really ensure that kind of 'passive proof of compromise' but I wonder if something similar and more practical couldn't be implemented instead. Like the attempt to start logging, copying any data or disconnecting devices would already lead to changes of continuously announced signatures. I thought by Devil's Advocate you'd be referring to the great movie with Al Pacino and Keanue Reeves but I guess not.
Guy Haiar
on May 12, 2016
Strange. Despite the fact that Australia bans warrant canaries, AU based VPNsecure.me still has one: https://www.vpnsecure.me/files/canary.txt
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Guy Haiar
on May 12, 2016
Hi Guy, That is indeed strange - good catch!. It might be worth noting that the new ban on warrant canaries has not yet been tested in front of a court of law...
Dave Cox
on May 11, 2016
Hi Douglas, I appreciate your views on Warrant Canaries and thought I could provide some perspective from the other side. Perhaps you might be surprised to hear that I agree with your conclusion that "Warrant canaries are a flawed idea that serves mainly as promotional fluff." With regards to the Canaries you mentioned and here is why. A Canary that is updated once or twice a year or a Canary that is updated on a "when we feel like it" schedule is not very trustworthy. However, a Canary that is frequently updated on a set schedule can serve as a valid warning for the people that care to use them and that is who we publish it for. I will be the first to admit that when we first implemented it I didn't really expect many people to check the signatures. Believe it or not, there are a lot of individuals that do check them. Last month we released a post explaining that we were modifying our Canary some and changing the day of the week it is signed. We received tweets and tickets from people that did not see the announcement but noticed the signature was not updated. I have to assume that if we did not answer their questions and show them the announcement they would most likely quit using the service.
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Dave Cox
on May 12, 2016
Hi David, Thank you for providing such a considered response. There are, of course, valid arguments to be had on both sides of this debate, and I agree that a warrant which is regularly updated to a set schedule is more useful than one which is not. Your account of your experiences with LiquidVPN customers is also interesting. Of course, the truly paranoid out there might conclude that by changing the day of the week you sign the warrant canary, you are actually letting them know that the NSA has a gun to your head, and that any reassurances you give to the contrary are only to cover your ass! (Sorry, couldn't resist playing devils advocate! ;) I think it does make the point, however, that the issue of warrant canaries can be a very deep rabbit hole).

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service