What is a “Warrant Canary”? Here’s why you should always be vigilant.

There was a time back in the heyday of coal mining (back when it was both an extremely lucrative and extremely dangerous endeavor) when many miners fell ill or died due to very high levels of carbon monoxide. As it happens, the deeper they went, the more likely it was that carbon monoxide concentrations would increase. The problem was that they did not have the technology back then to determine when the gas concentrations had reached dangerous levels. Carbon monoxide is a silent killer — it’s odorless, and you’ll only start feeling the effects when it’s too late.

So they came up with a novel way of detecting the hidden danger. Miners started to bring canaries with them, setting them free inside the tunnels. These little yellow birds are very sensitive to carbon monoxide levels, and they are affected much more easily than humans. Miners observed when the canaries started falling ill or dying. They then marked those places or blocked them off, careful not to descend to those levels for fear of their lives.

Warrant Canaries live again… through VPNs?

Over time, the term “canary” evolved to also mean something that warns people about the hidden presence of something. If you know what to look for, a “canary” will tell you whether something has or has not happened — and this concept has become pretty important in such privacy-oriented industries as VPNs.

VPNs have been getting the stink eye from both hackers and untrusting governments for some time now. The latter’s interest in what goes on within VPN servers isn’t surprising — many bad actors have indeed used VPNs to perpetrate unsavory deeds. VPN + Tor is a very common combination for those who deal illegally on the Dark Web, for example.

Due to this, many a VPN company has been served with warrants, subpoenas, National Security Letters, and other types of orders or summonses to get them to divulge their subscribers’ data. Almost always, these are coupled with gag orders to make sure that they can’t forewarn their users of the warrant. This has become more and more prevalent in the United States and in the other countries within its 14 Eyes alliance.

Only in recent years have some VPN companies started using RAM-based servers to make sure there is nothing to divulge, even if the government comes banging on their doors. But most companies’ servers still run on old-fashioned hard disk drives, which means they have data to divulge.

For more “business-oriented” VPN companies, the law is the law and being served a warrant and a gag order means they just have to comply. After all, if they don’t, they’re breaking the law. And if they tell their users to be careful because a warrant has been served, they’d also be breaking the law.

But there are still some VPNs out there that truly take privacy to heart. It is for these that canaries have been revived. Essentially, a “warrant canary” is anything — a page, a marker, or even just a sentence — that, when gone, tells the vigilant VPN subscriber that something’s off.

What does a warrant canary look like?

Most often, a warrant canary contains a line that says “we have not received any summons, orders, subpoenas, or other legal notices for X days”. This way, subscribers know that they are safe from the prying eyes of the government. But if this line disappears, is changed, or is simply not updated, then it’s time to steer away from using the VPN service until the canary appears anew.
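
The check a vigilant subscriber performs can be automated. The Python sketch below is an added example, not code from any VPN provider: it classifies a canary page as ok, missing, changed, or stale. It assumes the canary carries the sentence quoted above plus an "as of YYYY-MM-DD" stamp; that date format, the 30-day limit, and the sample pages are constructed for illustration.

```python
import re
from datetime import date

# Assumed wording: the sentence quoted in the article, followed by a
# constructed "as of YYYY-MM-DD" stamp (real canaries use varying formats).
STATEMENT = ("we have not received any summons, orders, subpoenas, "
             "or other legal notices")
STAMP = re.compile(r"as of (\d{4})-(\d{2})-(\d{2})")


def check_canary(page_text, today, max_age_days=30):
    """Classify a fetched canary page as ok, missing, changed or stale."""
    text = " ".join(page_text.lower().split())  # normalise case and whitespace
    if "not received" not in text:
        return "missing"   # the line has disappeared altogether
    if STATEMENT not in text:
        return "changed"   # a canary-like line exists but was reworded
    stamp = STAMP.search(text)
    if stamp is None:
        return "stale"     # an undated canary cannot be shown to be current
    try:
        signed = date(*map(int, stamp.groups()))
    except ValueError:
        return "changed"   # impossible date: treat as an altered canary
    age = (today - signed).days
    if age < 0 or age > max_age_days:
        return "stale"     # future-dated, or not refreshed in time
    return "ok"


# Constructed sample pages, not taken from any real provider.
TODAY = date(2024, 6, 15)
SAMPLES = {
    "fresh": "We have not received any summons, orders, subpoenas, or other "
             "legal notices as of 2024-06-01.",
    "old": "We have not received any summons, orders, subpoenas, or other "
           "legal notices as of 2023-11-01.",
    "reworded": "We have not received any subpoenas as of 2024-06-01.",
    "gone": "Transparency report: see our privacy policy.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", check_canary(body, TODAY))
```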

This type of workaround beats gag orders, and it’s perfectly legal as well. After all, gag orders only stop companies from divulging what they have received — but telling others what they did not receive doesn’t run afoul of any rules or regulations.

The Downside of Warrant Canaries

But while warrant canaries are great, and their presence is a mark that the VPN company really values the privacy of its subscribers, they have a different significance as well: the presence of a warrant canary may also mean that the VPN company has some logs (possibly in the form of encrypted and anonymized user sign-up data, but logs nevertheless) that can be shared with the government should they respond to a warrant.

In fact, some VPN companies say that the reason they don’t keep warrant canaries is that they either have RAM-based server structures that store no permanent data, or they have third-party audited no-logs policies that collect no information whatsoever. In that case a warrant canary would be moot because if they ever do receive a warrant, they can’t respond to it anyway (and the law cannot demand something that is nonexistent in the first place). That doesn’t mean all warrant canaries signal the logging of your data — some companies like the redundancy, and consider it only proper to inform their customers about what they did or did not receive.

This is why it’s still important not to rely on any single factor when determining whether a VPN is right for your privacy needs. Neither a no-logs policy nor a warrant canary can be taken as the determining factor that says your VPN protects your privacy. In-depth research, like that which we carry out in our reviews, is always needed. Only a combination of several factors — from the location of the company’s headquarters to the robustness of the apps they develop — can tell you whether a VPN is good or bad.

Also, it’s good that the concept of warrant canaries has been recognized in the VPN industry. It’s important to note that other companies such as ISPs, social media networks, search engines, and all manner of tech companies can be served similar warrants or subpoenas. Google, Microsoft, and Apple, for example, publish the requests they receive, though the existence of gag orders would make such lists incomplete. If only warrant canaries could also be used by all these other companies, we would be one more step closer to building a more private internet for all.