Online Privacy

What Is a VPN Warrant Canary and How It Works

Story Highlights
  • What is a warrant canary?
  • How does it work?
  • What happens when a VPN warrant canary is removed?
  • Importance of warrant canaries

Companies like Apple, Google, and Microsoft regularly publish how many secret government subpoenas or National Security Letters (NSLs) they receive from the authorities. In these requests, state agencies ask corporations to hand over user data that could help them in investigations. But tech companies aren’t the only ones who receive such warrants.

Virtual private network (VPN) services also get similar subpoenas from government agencies, hence a warrant canary page was introduced.

Basically, a warrant canary is a statement by VPNs that they have not received any legal requests for disclosing user sensitive data. Once the VPN service receives a warrant, subpoena, or letter, it removes the warrant canary from its website.

What Is a Warrant Canary

When it comes to investigations relating to criminal activities or national security threats, government agencies may sometimes ask tech and digital companies to submit user data. That includes Internet service providers (ISPs), VPNs, and cloud-storage and instant messaging services.

And these secret requests usually come with a gag order, preventing companies and their employees from disclosing any info about the subpoena to their customers. Authorities all over the world send such warrants to companies operating within their jurisdiction, not just countries that are part of the Five, Nine, or 14 Eyes.

The latter alliances represent cooperation between nations in the field of communications surveillance and intelligence. Their main focus is to monitor users’ online activities, while also sharing the data with one another. It features government agencies from the US, the UK, Canada, Australia, Germany, and France.

Since ISPs and VPNs are among the service providers that handle user data on a daily basis, they are the most common targets of secret subpoenas and warrants all over the world.

Therefore, some VPN providers introduced warrant canary pages on their websites. That way, they can inform their customers of any secret letters they’ve received without actually breaking any gag order.

How Does a Warrant Canary Work?

A warrant canary page is actually a statement by a VPN provider that it has NOT received a request from government agencies to hand over user data. The VPN provider sets up this page and keeps it on the website as long as it is warrant-free.

The idea came from miners who used to take canaries down mineshafts to alert them of toxic gas. If the birds died, workers knew they had to quickly evacuate the mine.

If, and when, the VPN receives an official request to reveal user information, the provider removes the warrant canary from its website. This course of action allows VPNs to alert customers about warrants and subpoenas while also abiding by government gag orders.

List of Some VPN Services with Warrant Canaries*

*NOTE: The list features VPNs that still have a running warrant canary. That could change at any time, however, if they receive a National Security Letter.

In short, if a VPN removes the warrant canary from its website, you should conclude that it most-definitely received a government warrant.

Warrant Canary

What Do Warrant Canaries Reveal?

VPNs have broad warrant canaries that don’t discuss too many details in fear of breaching gag orders. When the online community Reddit removed its warrant canary and hosted a discussion on the subject, one user asked if websites could set up a warrant canary for each profile. That way, customers would know if they are the target of subpoenas and government letters.

“The more practically useful and informative they are, the more legally risky they are too.”

Brett Max Kaufman, lawyer at the American Civil Liberties Union

However, American Civil Liberties Union lawyer Brett Max Kaufman said that individual warrant canaries can interfere with investigations. That’s because companies would be alerting suspects and criminals.

Another Reddit user asked whether the government could force companies to keep their warrant canary pages even after receiving a warrant. Kauffman replied that if the company is forcefully communicating wrong information, it can take legal action against any gag order.

Why Canary Programs Are Important

There is an ongoing debate whether issuing a gag order along with an NSL complies with the US constitution. Another controversial topic is if law enforcement officials can abuse such power, as it allows them to investigate without interference or alerting the target.

We can all agree that these warrants help the authorities with their investigations, making them crucial for national security. But what if some parties used it illegally? After all, most subpoenas don’t require a court order.

As a result, government agencies like the FBI and NSA can take advantage of real or fabricated claims to place surveillance orders on individuals or organizations. And while the constitutionality of a gag order is disputable, the VPN has moral obligations to notify users of any data-sharing. That is why we think every VPN service must have a warrant canary page.

There are several occasions when governments issued gag orders that affected the private data of hundreds of thousands of customers. In 2013, the US National Security Agency (NSA) submitted a gag order to Lavabit, an encrypted webmail services company. The NSA asked Labavit to hand over the private encryption keys of more than 400,000 of its customers.

The entire operation was related to an investigation involving whistleblower Edward Snowden.

Concluding Words

Having a warrant canary page shows that a VPN is trying to be as transparent as possible with its subscribers. Nonetheless, you should take this alert page with a pinch of salt because there is no guarantee that your VPN is updating its warrant canary on a regular basis. Furthermore, you’ll have no idea which user data law enforcements have requested.

Still, it is an extra step for VPNs to remain transparent and honest with their customers, something that is quite valuable in the VPN industry.

Do you think a VPN warrant canary is important, especially since reputable VPN services have a zero-logs policy? Tell us what you think below.

Ralph Peterson

Ralph was bitten by the tech bug from an early age. Today, he is an expert cybersecurity geek with 13+ years of online privacy and streaming experience under his belt. Spoiler alert: He hates bottled TV show endings (Game of Thrones) and whenever his favorite teams lose.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Articles

Back to top button