What is a Warrant Canary?
VPN Transparency Explained
TLDR: A warrant canary is a statement on a website that says "we have not received any secret government subpoenas". If the government issues a gag order preventing the company from speaking, the company still cannot legally be forced to lie. So it simply removes the statement. The statement's disappearance is the warning signal.
The Dead Man's Switch
Silence Speaks Volumes
In many jurisdictions, notably under the US Patriot Act, authorities can issue National Security Letters (NSLs). These demands for data come with a strict gag order, making it illegal for the service provider to tell users that their data has been compromised or requested.

The solution is the Warrant Canary. It is a regularly updated statement confirming that no warrants have been served. If the canary is not updated, or if it disappears entirely, users must assume the worst: that the provider has been served a secret subpoena.
This method circumvents the legal restriction on speech by utilising a restriction on compelled speech. A government can stop you from speaking, but they typically cannot force you to lie and say "everything is fine" when it is not.
Mechanism of Action
A proper warrant canary is not just a static text file. To be effective, it must be impossible to forge or replicate without the correct credentials. Here is how the process generally works:
- The Statement: A text file is created stating, "As of [Current Date], we have received 0 National Security Letters, 0 Gag Orders, and 0 Warrants."
- The Proof of Time: To prove the message wasn't pre-written, the admin often includes recent news headlines or the latest Bitcoin block hash.
- The Signature: The message is digitally signed using the admin's PGP key. This ensures that only the authorised personnel could have published the update.
- The Schedule: The canary is updated on a strict schedule (e.g., every 14 days). If the date passes without an update, the canary is considered "dead".
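The four steps above can be checked from the reader's side. The following is an added example, not any provider's own tooling: it takes the canary text, the status output of a `gpg --status-fd 1 --verify` run over that same text, and a set of block hashes obtained independently of the provider, and returns the reasons the canary should be treated as dead. The fingerprint, block hash, sample text, the two-day proof-of-time slack and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=14)       # the article's example schedule
PINNED_FPR = "A" * 40              # constructed; pin the real one out of band
BLOCK = "00000000" + "ab12" * 14   # constructed 64-hex block hash

# Constructed canary text and constructed `gpg --status-fd 1 --verify` output.
CANARY = (f"As of 2024-05-01, we have received 0 National Security Letters, "
          f"0 Gag Orders, and 0 Warrants.\nLatest Bitcoin block hash: {BLOCK}\n")
GPG_STATUS = (f"[GNUPG:] NEWSIG\n[GNUPG:] VALIDSIG {PINNED_FPR} 2024-05-01 "
              f"1714564800 0 4 0 1 10 00 {PINNED_FPR}\n")
# Block hash -> mining time, taken from a source other than the provider.
KNOWN_BLOCKS = {BLOCK: datetime(2024, 4, 30, 18, tzinfo=timezone.utc)}


def signer_fingerprint(gpg_status):
    """Fingerprint from gpg's VALIDSIG status line, or None if absent."""
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ", gpg_status, re.M)
    return m.group(1) if m else None


def check_canary(text, gpg_status, known_blocks, now):
    """Return the reasons the canary counts as dead; [] means alive."""
    problems = []
    fpr = signer_fingerprint(gpg_status)  # status must come from verifying `text`
    if fpr is None:
        problems.append("no valid signature")
    elif fpr != PINNED_FPR:
        problems.append("signing key changed")
    m = re.search(r"As of (\d{4}-\d{2}-\d{2}),", text)
    if not m:
        return problems + ["no dated statement"]
    stated = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if now - stated > MAX_AGE:
        problems.append("update overdue")
    if re.findall(r"(\d+) (?:National|Gag|Warrants)", text) != ["0", "0", "0"]:
        problems.append("statement altered")
    h = re.search(r"\b[0-9a-f]{64}\b", text)
    mined = known_blocks.get(h.group(0)) if h else None
    if mined is None:
        problems.append("no verifiable proof of time")
    elif stated - mined > timedelta(days=2):  # assumed slack: block too old
        problems.append("stale proof of time")
    return problems


if __name__ == "__main__":
    print(check_canary(CANARY, GPG_STATUS, KNOWN_BLOCKS,
                       datetime(2024, 5, 10, tzinfo=timezone.utc)))
```

The pinned fingerprint only helps if it was recorded before any incident and from a channel other than the canary page itself.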
Threat Analysis
Why do we need this subterfuge? Because the legal landscape for privacy companies is hostile. The table below outlines the specific threats that a warrant canary attempts to mitigate.
| Threat Vector | Traditional Response | Canary Result |
|---|---|---|
| Gag Order (US) | Company forced to stay silent | Canary expires, alerting users |
| Secret Seizure | Servers compromised unnoticed | PGP signature fails validation |
| Compelled Speech | Company might be forced to lie | Silence acts as the warning |
Why It Matters to You
If you trust a VPN provider with your data, you are trusting that they will defend your privacy. However, you cannot trust them to break the law. If a court order forces them to hand over keys or install a backdoor, they will likely comply to avoid prison.
- The limit of trust: A warrant canary allows a company to signal distress without technically violating a court order.
- Verification: It moves the trust model from "blind faith" to "verifiable consistency". If the PGP signature changes or the date is missed, you leave.
- Global Relevance: While originating in response to the US Patriot Act, the concept is now used globally to combat overreaching surveillance in the UK (Investigatory Powers Act) and Australia (TOLA Act).
Limitations & Risks
It is important to note that the legal standing of warrant canaries is not fully settled in all courts. There is a theoretical risk that a secret court could order a company to falsely update their canary. While this would be "compelled false speech" (which is generally unconstitutional in the US), it is a risk vector that specialised users must consider.
FAQs: Warrant Canaries
What if a canary is not updated?
If a canary misses its scheduled update window, users should assume the provider has been compromised or served with a warrant. You should disconnect immediately and seek an alternative service.
Can a government force a company to update a canary?
This is the main point of contention. In the US, it is generally believed that the government cannot force a person to lie. However, in other jurisdictions with stricter secrecy laws, the legal protections against compelled speech may be weaker.
Which VPNs use warrant canaries?
Many privacy-focused providers maintain them, including NordVPN, Surfshark, and ProtonVPN. It has become a standard requirement for any service claiming a "No Logs" policy.
DEBRIEF BY ECH THE TECH FOX
The warrant canary is the cybersecurity equivalent of the canary in the coal mine. If it stops singing, get out. It is a clever legal hack that favours the user over the state. Always check your VPN's transparency page to ensure their canary is still alive and singing.

BY MARTIN NEEDS
Director @ Needsec LTD | Cybersecurity Expert | 10+ Years Experience
"In my auditing work, I always look for cryptographic proof of integrity. A warrant canary provides a mechanism for passive alerting. It is a critical component of a Zero Trust architecture when dealing with third-party service providers."
