Edward Snowden’s recent revelations that the NSA (the National Security Agency of the United States of America) regularly spies on people’s online content caused turmoil, and for good reason. The government may believe it has the right to snoop on what people do or visit on the Internet, but that doesn’t mean that users with a clean conscience have to accept the meddling if they don’t want to.
It’s not just in America: numerous governments around the world are taking an interest in what their people are doing and watching online. Some may claim that it is for the protection of ethical standards, as happens in some Middle Eastern and Muslim nations. Others argue that they need to know people’s traffic and online activity for national security reasons. The fact is that these authorities are using the Internet as a weapon to gather information about their netizens.
Struggling for the right of privacy – Warrant Canaries!
But people don’t have to accept that! Privacy is a right, and it extends to Internet use. Some of these governments have legal statutes in place to force Internet and communications companies to reveal personal information and data about their users. That is why responsible users need to know whether their ISP and VPN providers have warrant canaries.
Now, let’s recap what we know. ISP stands for Internet Service Provider: the companies that connect you to the web in exchange for your payment. VPNs, or Virtual Private Networks, on the other hand, are tools for privacy and encryption: if a user needs to be anonymous online, they use a VPN client, which will hide their traffic and IP address. Lots of people use VPNs to unblock restricted international content, for torrenting and streaming, or just for security.
Since both ISPs and VPNs have access to and handle their customers’ information and data on a daily basis, they are the companies most likely to receive secret subpoenas and warrants from the government.
Some legal concepts of Warrant Canaries
Let’s take out our legal dictionary for a minute. A subpoena is a request made by an authority for the production of files or documents. It may also involve a petition to appear in court. A subpoena asks you to do something, such as testifying or providing information in litigation. People who ignore such citations, fail to show up, or fail to follow the instructions may receive legal punishment of varying sorts.
A warrant, on the other hand, represents a document, often issued by legal or governmental officials, that authorizes the police to arrest, search, or execute legal actions relating to justice administration.
So what is a warrant canary?
When a company shows a warrant canary on its website, it means that the company is free of recent subpoenas, warrants or any other petitions from legal or governmental authorities to share information of any kind on its users, their data and activity logs.
A warrant canary is a declaration that a site is free from petitions of governmental or legal agencies to get information about its users and customers. A web page with a warrant canary on it means that clients and visitors don’t have to worry about privacy issues and their ISP (or VPN provider, if they use one) keeping logs of their data and activity.
The declarations, or warrant canaries, are often updated with specific dates to provide a stronger sense of security for Internet users. If you value your privacy and the last thing you want to see is your VPN or ISP sharing your data with authorities, then you should regularly check for warrant canaries on your providers’ sites.
What do warrant canaries look like?
SlickVPN, one of the VPN companies that shows a warrant canary, says it is prepared to make one available on a monthly basis in the form of a cryptographically signed message containing something like this:
-----BEGIN PGP SIGNED MESSAGE-----
“As of March 2nd, 2018, SlickVPN.com, Slick Networks, Inc., Slick Network, LTD., (“SlickVPN”) has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order(s) by a FISA court, or any other similar court(s) of any government. SlickVPN has never placed any backdoors in our hardware or software and has not received any requests to do so. SlickVPN has never disclosed any user communications to any third party. No searches or seizures of any kind have ever been performed on SlickVPN assets”.
Here is what NordVPN, another provider with a warrant canary, has to say on the matter:
“We officially confirm that we take full control of our infrastructure. It has never been compromised nor suffered a data breach. We have not disclosed any private keys or any information on our users, and we have not been forced to modify our system to allow access or data leakage to a third party of any kind.
Up to now we:
have NOT received any National Security letters;
have NOT received any gag orders;
have NOT received any warrants from any government organization.
NordVPN operates under the jurisdiction of Panama and will not comply with requests from foreign governments and law enforcement agencies. We are 100% committed to our zero-logs policy – we never log the activities of our users to ensure their ultimate privacy and security”.
Is there any point to Warrant Canaries? Well…
VPNs are companies that rely on their ability to offer users privacy and anonymity when they browse the web. That is why warrant canaries are a useful part of the experience: they indicate that the service has not received any petitions to share information about its users’ activity and usage. However, let’s be clear, most of the biggest VPNs don’t have warrant canaries because they don’t need them. They have good legal terms and teams.
A subpoena or a warrant amounts to a demand to disclose information about one or several users of a VPN service. If a provider received such a notification, it would be obliged to comply and give the government or agency what they need, so having a canary gives the user a sense of security when browsing the web with that VPN. It is beneficial to the user when a VPN or a site that they use has a canary because it shows that the matter is relevant to the provider. At least they are concerned about your privacy! If a page doesn’t have a canary, privacy-aware customers could believe that the provider is feeding information about users’ logs and activity to authorities.
Warrant canaries are somewhat beneficial because they can serve as an indirect warning that something is going on. Companies use this tool to show that they are reliable and responsible and that they care about the privacy of their clients. What brings peace to everybody’s minds, though, is the constant update of these canaries. But a lot of the time, that might not even happen!
Warrant Canaries – Not that Useful After All?
There are many situations in which warrant canaries can’t be trusted, which makes them, in most ways, a bit useless.
Of course, a VPN provider may claim that it will publish a relatively frequent warrant canary on its site. It is a good idea on the surface, and people will think that the provider doesn’t keep logs of users’ activity, or that it won’t comply with subpoenas, warrants or other law enforcement agencies’ petitions. However, numerous people have come to doubt the real substance behind warrant canaries. The use of warrant canaries has never been put to the test in a legal scenario. In fact, Australia has outlawed them, and the UK could follow soon.
On the other hand, there is the possibility that, depending on the situation and country, governmental authorities take over a web page and have it issue false updates, misleading users with a fake warrant canary, although securing it with a PGP key is supposed to alleviate those concerns, at least in theory. To convince people of the authenticity of the warrant canary, some sites have multiple high-ranking officials within the company digitally sign the declaration, mainly to guard against any one of them being bribed into giving away security or PGP keys.
The primary issue for users who worry about privacy, however, is that when the warrant canary of a website (especially if it has been up for a long time) disappears – this is called “triggering” it within the industry – no one seems to notice or even care. That is worrisome since the details of hypothetical warrants or subpoenas are not public: they could be forcing the VPN service to provide information on a single, specific user, or every customer could be caught up in the investigation, with the agency gathering data and activity from all of them.
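One way to automate the regular check, so that a stale, altered or missing canary does get noticed. This is an added example, not code from SlickVPN or any other provider; the function name, the 35-day threshold, the watch list and the sample text are assumptions, and the PGP signature itself still has to be verified separately (for instance with gpg --verify against the provider's published key).

```python
import re
from datetime import date, datetime

# Claims the quoted canary makes (assumed watch list); a dropped claim is a signal.
REQUIRED = ["National Security Letters", "gag order", "backdoors", "searches or seizures"]
DATE_RE = re.compile(r"As of (\w+) (\d{1,2})(?:st|nd|rd|th)?, (\d{4})")
BODY_RE = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)"
                     r"\n-----BEGIN PGP SIGNATURE-----", re.S)

def check_canary(text, today, max_age_days=35):
    """Return a list of findings; an empty list means the canary looks current.
    Does NOT verify the signature: run `gpg --verify` on the file first."""
    if not text or not text.strip():
        return ["canary missing: treat as triggered"]
    m = BODY_RE.search(text.replace("\r\n", "\n"))
    if m is None:
        return ["no clearsigned block: statement is unsigned or malformed"]
    body, findings = m.group(1), []
    try:
        d = DATE_RE.search(body)
        issued = datetime.strptime(f"{d[1]} {d[2]} {d[3]}", "%B %d %Y").date()
    except (TypeError, ValueError):   # no date line at all, or not a real date
        findings.append("no valid 'As of <date>' line found")
    else:
        age = (today - issued).days
        if age > max_age_days:        # monthly schedule plus a few days of grace
            findings.append(f"stale: issued {issued}, {age} days old")
        elif age < 0:
            findings.append(f"dated in the future: {issued}")
    for phrase in REQUIRED:
        if phrase.lower() not in body.lower():
            findings.append(f"statement dropped: {phrase}")
    return findings

# Constructed sample: abridged wording of the canary above, placeholder signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of March 2nd, 2018, SlickVPN has not received any National Security Letters
or FISA court orders, and we have not been subject to any gag order(s).
SlickVPN has never placed any backdoors in our hardware or software.
No searches or seizures of any kind have ever been performed on SlickVPN assets.
-----BEGIN PGP SIGNATURE-----

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    print(check_canary(SAMPLE, date(2018, 6, 1)))   # three months after issue
```

Run on a schedule against a saved copy of the canary page, any non-empty result is the cue to look closer; comparing each edition with the previous one catches wording changes this fixed watch list would miss.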
In conclusion, government meddling has created the need for introducing warrant canaries in VPN services. But not every provider has adopted the measure, because warrant canaries, when push comes to shove, have many flaws and aren’t that useful.