You might have seen warrant canaries on some VPN websites and had no idea why they're there.
Warrant canaries are open declarations that the company has not received a request from the government for access to their data. They serve as a proxy assurance that the company is not involved in a legal investigation, which would come with a gag order preventing them from saying directly that the government is accessing their data.
Here Are Some Examples of Warrant Canaries Issued by VPN Companies
While the presence of a warrant canary on a website doesn’t mean that your data will be safe if the company receives a legal order, it does mean that they have not received one yet, so your data is safe as of now.
If you are using an online service that has a warrant canary, it is wise to know what they are. So, let's answer some of the most common questions related to warrant canaries.
Why Would A Company Publish A Warrant Canary?
Warrant canaries are tools that are used by companies to indicate that some users’ privacy might have been compromised. In the post-Snowden era, we know that all US companies are subject to secret court orders which compel them to reveal private client information.
The targeted client is never notified that their data has been compromised. In fact, the company is forbidden by law from making any such declarations. This is why a responsible company will resort to warrant canaries to warn all of their clients that they have received legal notices demanding compliance.
Are Warrant Canaries Legal?
Legally speaking, using warrant canaries falls into a grey area. There is no direct law against using them. The warrant canary does not impede the process of delivering justice. There may come a time when warrant canaries are made illegal. But until then, they can be used by companies to forewarn users against their data being compromised.
How Are Warrant Canaries Protected Under Law?
According to the First Amendment of the US Constitution, which protects freedom of speech, no person can be compelled by the government to say something untrue. Companies are legal persons and enjoy this same freedom. So, while a government agency may try to prevent companies from saying some things, it cannot compel them to lie.
Warrant canaries are statements that companies are free to stop publishing once the statement becomes untrue.
Are There Any Examples Where This Rule Was Exempted?
There are very rare examples where compelled speech has been enforced by law. A very common example is warnings on cigarettes. Most of these instances of compelled speech have been upheld because what the company is compelled to say is true; rarely have they been struck down for legal reasons.
Have Warrant Canaries Ever Been Upheld by Law?
At present, no warrant canaries have been challenged in courts of law. The Electronic Frontier Foundation considers them legal and has actively supported their adoption.
What Is Permissible For A Company With A Gag Order To Say?
The legal processes which any company can resort to after receipt of a gag order will obviously vary by country. In the US, for example, companies cannot declare exactly how many government requests they have received but they can give a range.
So, a company with 30 legal orders can say it has received 0 to 100 of them.
What Is the Ideal Frequency for Updating Warrant Canaries?
When it comes to issuing canaries, different companies follow different update schedules. These schedules depend on the company’s services, the demands of its audience and board discretion. Ideally, a company should update its warrant canary once every few months.
However, companies should step up the update rate if user privacy is a big part of their company values, which is something we'd expect from VPN companies.