Warrant canary: What you need to know about this online privacy warning sign

Some companies still use warrant canaries to warn customers of threats to their privacy by US government subpoenas. But the legal waters remain murky.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
Image: Getty/Ana Francisconi/EyeEm

There is a speculative US legal proposition that's been hanging around the internet since about 2002. Clung to by tech companies and website admins desperate to protect users' personal data from an unseen undertow of Patriot Act-enabled secret court warrants, subpoenas and gag orders, this seemingly untested legal proposition acts as a desperate raft made of the few surviving planks of the USS Fourth Amendment.

The proposition is this: The government can secretly subpoena your company for information on your patrons or customers, and can force you to be silent about it with a gag order. But if before this you had a public sign in place that read "We have not been subpoenaed," they can't make you leave it in place, lying to your customers or patrons.

That proposition relies on a firm history of US legal precedent against what would be known as "compelled speech," or speech the government forces you to say. And that signage -- whether on the front page of a website, or posted behind the circulation desk of your local public library -- is known colloquially as a warrant canary. 

Just as with its fabled namesake in the coal mine, traditional internet wisdom holds that when a warrant canary drops dead, trouble is afoot. When a site administrator removes the signage -- or fails to update it in a previously agreed manner -- it is generally accepted that the company has been subpoenaed for records relating to one or more users' activity and personal information held on the site. Some sites like Rise Up, which provides online communication tools for social justice purposes, even sign their warrant canary with a PGP key to help verify its authenticity. 
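The "dead canary" logic above is easy to automate on the reader's side: a monitor that flags a canary as tripped when it disappears or loses one of its promised statements, and as stale when it is not refreshed on the agreed schedule. This is an added example, not code from the article or from any service it names; the canary text, its field names and the update interval are constructed, and PGP signature verification is assumed to happen separately before this check runs.

```python
"""Warrant-canary monitor: reports 'alive', 'stale' or 'tripped' for a canary
page. Added example, not code from the article or from any named service.
The canary text and field names are constructed for illustration."""
from datetime import date, timedelta
import re

# Statements the site promised to keep in its canary (constructed, hypothetical).
REQUIRED_STATEMENTS = [
    "we have not received any national security letters",
    "we have not received any gag orders",
]

# Constructed sample canary. A real one would be PGP-signed; verify the
# signature (e.g. with gpg) before trusting the text handed to check_canary().
CANARY_TEXT = """Warrant canary
Last updated: 2023-03-01
Next update expected within: 90 days
We have not received any National Security Letters.
We have not received any gag orders.
"""

def parse_canary(text):
    """Extract the last-updated date, the promised update interval and the
    lower-cased body. Returns None if either header field is missing."""
    updated = re.search(r"Last updated:\s*(\d{4}-\d{2}-\d{2})", text)
    interval = re.search(r"Next update expected within:\s*(\d+)\s*days", text)
    if not updated or not interval:
        return None
    return {
        "updated": date.fromisoformat(updated.group(1)),
        "interval_days": int(interval.group(1)),
        "body": text.lower(),
    }

def check_canary(text, today, grace_days=7):
    """Return (status, reason). 'tripped' covers a removed, malformed or
    altered canary; 'stale' means the agreed refresh deadline has passed."""
    if text is None or not text.strip():
        return "tripped", "canary page is missing or empty"
    canary = parse_canary(text)
    if canary is None:
        return "tripped", "canary is missing its date or interval header"
    missing = [s for s in REQUIRED_STATEMENTS if s not in canary["body"]]
    if missing:
        return "tripped", "statement removed: " + missing[0]
    deadline = canary["updated"] + timedelta(days=canary["interval_days"] + grace_days)
    if today > deadline:
        return "stale", "not refreshed since " + canary["updated"].isoformat()
    return "alive", "next refresh due by " + deadline.isoformat()

if __name__ == "__main__":
    print(check_canary(CANARY_TEXT, date(2023, 4, 1)))
```

A silent canary (stale) is weaker evidence than an altered one (tripped), so a monitor should report the two states separately rather than collapsing both into a single alarm.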

Are warrant canaries still useful? 

It's been argued over the years that warrant canaries -- which rose to global adoption from their fledgling origins on a post-9/11 cypherpunks mailing list -- are a relic of an earlier internet, and that this last-ditch effort to warn the public of secret surveillance has outlived its usefulness as a hailing mechanism. 

Among the most famous critics of the warrant canary and its underlying proposition is Moxie Marlinspike, creator of encrypted messaging app Signal, who said in 2014, "every lawyer we've spoken to has confirmed that this would not work." 

Then there's security legend Bruce Schneier, currently a fellow at the Berkman Klein Center for Internet & Society at Harvard University. In a well-cited 2015 blog post, he mused prudently that "courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary. And for all I know, there are right now secret legal proceedings on this very issue."

He's not wrong. Australian surveillance law killed all their canaries in 2015. And because of the US Patriot Act's ongoing contraction of free speech rights and Fourth Amendment protections against warrantless search, we don't currently know whether warrant canaries have ever been tested and found to be effective protection in US courts. 

Though US national security gag orders were ruled unconstitutional back in 2013, they are still in use, so we may never know. As the Electronic Frontier Foundation explained following a massive undertaking of tracking warrant canary deaths, "Under the law, a company that has received a national security request can report in bands of 250, starting at 0, semiannually."

That's generally taken to mean that a site can only tell its users every so often about whether it has received a National Security Letter and if, for example, it has received only one, it can only tell users it has received between 0 and 249 such letters. 

The bigger argument against warrant canaries, though, is that they no longer matter, that we've all grown so accustomed to the notion of perpetual government surveillance of private internet property that a notice posted on the door -- or removed, as is the case here -- of our local internet watering hole, signaling a government tap, no longer fazes us. 

It's a fair argument. Apple's warrant canary died in 2014. Pinterest's died in 2015. Reddit's died in 2016. The ubiquity of these companies, and others like them, is unabated. Users still come for the product. 

Bird-watching holdouts: VPNs

Nevertheless, there's one online space still worth watching for canaries: virtual private networks headquartered outside the jurisdiction of Five Eyes -- a mass surveillance and intelligence-sharing alliance between the US, UK, Australia, New Zealand and Canada -- and of the similar alliances that extend it.

A trusted VPN should be one which not only strives to provide maximum transparency through a reader-friendly privacy policy and regular third-party audits, but also one which routinely discloses the number (and details where applicable) of any subpoenas received from a government. 

Some VPNs, like Panama-based NordVPN, have embraced the use of a warrant canary along with other transparency tools. Other VPNs, like US-based Private Internet Access, have gone to hand-wringing lengths to defend their suspicious avoidance of the canary. 

VPNs that communicate potential threats to privacy better protect their reputation and customer trust, killing two birds with one stone.
