Back in 2013 a new idea called the “Warrant Canary” started to make waves. One of the first providers to offer such a service was Proxy.sh, which was met with some pondering by the community at large. Before this there was (to my knowledge) no VPN provider offering such a service, so it attracted the attention of those interested in the VPN arena. To decide whether using a Warrant Canary is a good idea or not, we first need to understand what one is.
For those who are interested in their personal privacy, especially with government snooping at an all-time high in terms of media coverage, the use of a VPN service is of utmost importance. In fact it is one of the best (if not the best) ways to protect your privacy online in general and also from government snooping. For those of you who haven’t heard of a Warrant Canary before, it is, in a nutshell, a way of informing you if the service has been compromised by a government agency. Usually this relates to US companies in regard to the NSA.
It is entirely possible that a company, especially one in the communications industry such as a VPN provider, ISP or other tech company, could be ordered by way of court order or subpoena to continue to run a service that has been compromised by an intelligence agency without informing the general public of this fact. Should the company or its owners break this order, they would be liable to be imprisoned or worse. A similar situation was recently observed in the Lavabit incident, in which founder Ladar Levison was required to hand over encryption keys so that the government could snoop upon his secure email network.
A Warrant Canary works by taking a proactive approach. Basically, a VPN provider informs you in advance, usually daily although sometimes weekly, that they haven’t been subject to any court order, subpoena or “pen register” that requires them to open their network to a law enforcement agency. Should a time come when they have been ordered to do such a thing, they stop updating the method by which they tell you they haven’t. Sounds complicated, I know, but go back and re-read that one and you’ll understand the madness behind the purpose.
Although there are many excellent VPN providers out there (I should know, we list about 20 of them!), there is always room for those that offer a bit of a twist or something extra that you personally may be looking for. Each provider has its merits, and your need for certain features will depend on how you use the service. Some use a VPN solely to stream TV content and as such wouldn’t be concerned by such things as a Warrant Canary; those who use it for privacy reasons are more likely to be concerned about features such as these.
Around three months ago LiquidVPN was criticised on social media site Reddit for how it handled a certain situation, similar to the position Proxy.sh found themselves in at the latter end of 2013. Like Proxy.sh, LiquidVPN chose to totally rethink their public-facing policies and joined the exclusive club of VPN providers that offer a Warrant Canary.
Both LiquidVPN and Proxy.sh offer a Warrant Canary in the form of a text-based web page on which they post various details: the date it was published, a selection of recent news headlines and a digital signature confirming that they themselves published the document, which reaffirms its authenticity. This system of Warrant Canary is similar to that of rsync.net, an offsite backup and data storage company whose canary is considered “The first commercial use of a warrant canary” in the words of Wikipedia.
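An added example, not taken from any provider named here: a minimal Python check for the text-based canary described above, flagging a page that has gone stale, is dated in the future, lacks headlines or carries no signature block. The page layout, the function name check_canary and the sample text are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample page. The layout ("Date:" line, "*" headline bullets,
# PGP signature block) is an assumption, not any provider's real format.
SAMPLE_CANARY = """\
Date: 2014-06-02
As of this date we have received no court order, subpoena or pen register.

Recent headlines:
* Constructed headline one
* Constructed headline two
-----BEGIN PGP SIGNATURE-----
(constructed sample, signature bytes omitted)
-----END PGP SIGNATURE-----
"""


def check_canary(text, today, max_age_days=1, min_headlines=2):
    """Return a list of problems; an empty list means the canary looks alive.

    max_age_days is the provider's stated cadence (1 = daily, 7 = weekly).
    """
    problems = []
    m = re.search(r"^Date:\s*(\d{4}-\d{2}-\d{2})\s*$", text, re.MULTILINE)
    try:
        published = date.fromisoformat(m.group(1)) if m else None
    except ValueError:  # digits present but not a real date, e.g. 2014-13-40
        published = None
    if published is None:
        problems.append("no-date")
    elif published > today:
        problems.append("future-dated")  # a post-dated page proves nothing
    elif (today - published).days > max_age_days:
        problems.append("stale")  # the silence the canary exists to expose
    # Headlines tie the text to its date: they cannot be written in advance.
    if len(re.findall(r"^\* .+$", text, re.MULTILINE)) < min_headlines:
        problems.append("no-headlines")
    # Presence only. The signature itself still has to be verified against
    # the provider's published key with an OpenPGP tool before trusting it.
    if "-----BEGIN PGP SIGNATURE-----" not in text:
        problems.append("unsigned")
    return problems


if __name__ == "__main__":
    print(check_canary(SAMPLE_CANARY, date(2014, 6, 2)))  # fresh page
    print(check_canary(SAMPLE_CANARY, date(2014, 6, 9)))  # a week of silence
```

An empty result only means the page is fresh and well-formed; the statement is only as trustworthy as the signature check performed alongside it.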
A third provider known to offer a Warrant Canary, in a slightly different and novel incarnation, is VikingVPN, who choose to use a rather passive logo-changing method. Basically, until the logo changes you can assume they haven’t been subject to any legal requirements in regard to user data. How this type of system works legally is somewhat more confusing, as I would imagine updating a logo to inform users of such a legal requirement would amount to the same as passively telling users, which in theory would violate the requirement not to tell users.
The daily-updated, text-based system works in the opposite fashion: the theory is that they cannot be legally required to update the page and make a false statement about the issue, thus making the system used by LiquidVPN, Proxy.sh and initially rsync.net more legally sound and robust. Feel free to draw your own conclusions.
As of the date of this article those are the only three VPN providers we are aware of that offer such a service. That is not to say that any other provider is in a worse position for not doing so; rather, if you have an ultra-high security requirement then it may be more advantageous to make use of one of the three providers who offer such “extras”.