Throughout the 20th century, miners carried canaries underground to warn them of carbon monoxide. When the bird stopped moving, it was time to get out.
Similarly, a warrant canary is meant to warn you when a company that holds your data has been quietly compelled by police or government to hand it over or to spy on its users. It is a simple way to alert users to possible surveillance that the company itself is forbidden to talk about.
A warrant canary can be a simple statement, such as:
“We have never received a secret government request to hand over user information.”
As long as the company can be trusted to always tell the truth, the disappearance of this statement (the warrant canary) alerts an observant visitor that such a request has been received.
Why would anyone use a warrant canary?
National Security Letters (NSL) are an instrument the United States government uses to secretly gather information from people and corporations, even without the approval of a judge.
NSLs can only request metadata, not the content of communications. In the context of a VPN provider, an NSL could request connection records, such as which sites a user connected to and when, but not the substance of those pages. A recipient can challenge an NSL in court, but that takes a long time and is expensive, and the NSL normally comes with a nondisclosure requirement, so the recipient cannot even mention that it exists.
Particularly in the United States and the United Kingdom, the legal system makes it easy for the government to obtain secret orders that prevent a person or company from speaking (a gag order), but it is far harder for the government to compel anyone to make a false statement.
That asymmetry is the whole trick. If a company publishes a daily statement that it is not subject to an NSL, it cannot be forced to keep publishing that statement once it is. The statement's absence is the signal, and the company never has to say anything it is gagged from saying.
What does a warrant canary look like?
The simplest warrant canary is a sign or message posted to a website, but this has two weaknesses: a static message carries no date, so a visitor cannot tell whether it is still current, and a nondisclosure order could arguably be read as forbidding you to remove or alter an existing message.
A stronger form of warrant canary is republished on a fixed schedule, for example as part of an annual transparency report, as Peerio does on their GitHub page. A canary that is overdue is then as much of a signal as one that has vanished.
SpiderOak, on the other hand, frequently publishes PGP-signed statements that quote recent headlines from popular newspapers. The signature shows that the statement came from the company's key and has not been altered, and the headlines show it was written after they appeared, so an old statement cannot be replayed as a fresh one.
A warrant canary could also be more subtle, perhaps hidden in a chatbot. You could ask the chatbot whether a warrant was served, and the chatbot can either say no or remain silent.
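The checks a reader of a signed, scheduled canary would want to automate (signature valid, wording unchanged, not older than the publishing interval, not missing at all) as an added example. This is not code from the page or from any of the companies named above; the field layout, the Ed25519 signature in place of PGP, the one-week interval and the sample dates and headline are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// The wording quoted earlier on this page; a verifier pins it so that a
// quietly reworded canary is noticed too.
const Statement = "We have never received a secret government request to hand over user information."

// Canary is one published statement. The layout is an assumption for this
// example; the page names no concrete format.
type Canary struct {
	Statement string    // the claim itself
	Issued    time.Time // publication date, used to detect a stale canary
	Freshness string    // something unpredictable in advance, e.g. a newspaper headline
	Signature []byte    // Ed25519 signature over canonical(c)
}

// canonical fixes the exact bytes that are signed so signer and verifier
// cannot disagree on field order or whitespace.
func canonical(c Canary) []byte {
	return []byte(strings.Join([]string{
		"statement: " + c.Statement,
		"issued: " + c.Issued.UTC().Format(time.RFC3339),
		"freshness: " + c.Freshness,
	}, "\n"))
}

// Sign is the publisher's side: one signed canary for one period.
func Sign(priv ed25519.PrivateKey, statement, freshness string, issued time.Time) Canary {
	c := Canary{Statement: statement, Issued: issued, Freshness: freshness}
	c.Signature = ed25519.Sign(priv, canonical(c))
	return c
}

// Every failure is reported as a distinct condition, but a reader should
// treat each of them as a possible warrant rather than a glitch.
var (
	ErrMissing  = errors.New("no canary published")
	ErrBadSig   = errors.New("signature invalid: tampered or not from the publisher")
	ErrReworded = errors.New("statement wording changed")
	ErrFuture   = errors.New("canary dated in the future")
	ErrStale    = errors.New("canary older than the publishing interval")
)

// Check is the reader's side. maxAge is the interval the publisher committed
// to (daily, weekly, annual); a canary older than that proves nothing.
func Check(pub ed25519.PublicKey, c *Canary, expected string, now time.Time, maxAge time.Duration) error {
	if c == nil {
		return ErrMissing
	}
	if !ed25519.Verify(pub, canonical(*c), c.Signature) {
		return ErrBadSig
	}
	if c.Statement != expected {
		return ErrReworded
	}
	if c.Issued.After(now.Add(time.Hour)) { // small clock-skew allowance
		return ErrFuture
	}
	if now.Sub(c.Issued) > maxAge {
		return ErrStale
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed clock for the demo
	week := 7 * 24 * time.Hour
	headline := "Constructed headline from the day of publication"

	fresh := Sign(priv, Statement, headline, now.Add(-24*time.Hour))
	stale := Sign(priv, Statement, headline, now.Add(-30*24*time.Hour))
	tampered := fresh
	tampered.Freshness = "headline swapped after signing"

	cases := map[string]*Canary{"fresh": &fresh, "stale": &stale, "tampered": &tampered, "missing": nil}
	for name, c := range cases {
		fmt.Printf("%-9s -> %v\n", name, Check(pub, c, Statement, now, week))
	}
}
```

The freshness headline is deliberately left to the human: the code can only prove the signer included it, not that it really was that day's news, so a reader still has to glance at it. Pinning the public key out of band (not fetching it from the same page as the canary) is what makes the signature check meaningful.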
Problems with warrant canaries
There are no known legal problems with publishing a warrant canary, but one only works on the assumption that the company tells the truth and cannot be forced to lie.
In countries where the government can legally compel its citizens to lie, or where it feels free to impersonate people and issue statements on their behalf, a warrant canary is useless.
Privacy-oriented companies in particular have a strong incentive to set up a warrant canary early on. Once the company grows, however, management may be unwilling to risk its long-term prospects, or its standing with the core user base, and may choose to leave the warrant canary online even after receiving an NSL.
When the warrant canary disappears
It is also not easy for users to follow the status of warrant canaries. The warrant canary Wikipedia page has only an incomplete list, and the Canary Watch project no longer provides updates, so in practice a reader has to check each company's canary, and its publishing schedule, on their own.
While the concept of warrant canaries is very much alive, many see them mainly as a way to raise awareness of government surveillance as a whole rather than as an effective defense against such intrusions for the individual user.