We entrust websites with a lot of personal information. From your preferred entertainment to your deepest secrets, it’s all stored in your browser and search histories.
And the government is well aware of this.
Law enforcement relies heavily on internet data to investigate and prosecute crimes.
It regularly demands that web companies hand over user data. When they receive such demands, those companies have no choice but to comply.
But due to the secret nature of these orders, websites can’t tell users about them. Your data could be in the government’s hands, and you wouldn’t even know it.
There’s a way around this, though, and it involves clever exploitation of a legal loophole: warrant canaries.
So what exactly is a warrant canary, and how does it work? We’ve got the lowdown on how to make the most of this valuable transparency tool.
What Is a Warrant Canary?
Back before the invention of electronic sensors and advanced safety equipment, coal miners would bring a canary down into the mines with them.
The canary’s tiny organs were far more sensitive to deadly carbon monoxide than the miners’. As carbon monoxide levels rose, the bird would succumb to the effects of the gas, fall ill and die.
When the canary got sick or died, the miners knew that it was time to get out before the carbon monoxide killed them, too.
This effective, if morbid, early alert system gave rise to the phrase “canary in a coal mine.”
And that, in turn, gave rise to the modern-day digital warrant canary.
A warrant canary is a statement affirming that a website has not received any secret legal demands from the government. It’s often linked to in website footers or periodic transparency reports.
As long as you see that statement on a website, you know that the FBI and other authorities haven’t been secretly gathering user data from it. If the canary keeps singing, you know you’re in the clear.
But when the singing stops — when the warrant canary statement is removed from the site — you know there’s trouble.
The removal of the statement means that it’s no longer true. That is, the site has now received a secret order from the government demanding user data.
How Do Warrant Canaries Work?
When the government issues a demand for user data to a website, it often includes a gag order. A gag order prohibits the website from mentioning or discussing the warrant.
Obviously, this means that the website can’t tell its users that the government has their data.
But while the gag order may prevent the website from telling the truth, it can’t force it to lie.
In the USA, compelled speech is prohibited under the First Amendment. By law, the government can’t force anyone to say anything — especially not if the statement would be false.
So the website can’t be forced to leave the warrant canary up after receiving secret demands.
By taking it down, the site reveals the existence of the demands without explicitly mentioning them. It remains compliant with the gag order without leaving users in the dark.
We’ve heard of lying by omission, but a warrant canary can be thought of as telling the truth by omission. Removing the warrant canary indicates that to leave it up would be to lie.
What Do Warrant Canaries Warn About?
Cop shows and crime films would have you believe that collecting evidence is a long, arduous process. Authorities need to get approval from a judge before obtaining anything, including digital data.
While that’s true for certain types of warrants, others require little to no oversight.
And when they’re accompanied by gag orders, any type of warrant is bad news for a website and its users.
National Security Letters
A National Security Letter (NSL), for example, allows the federal government to obtain information without a judge’s approval. The only requirement is that the information pertains to national security.
But “national security” is incredibly broad, meaning anything from terrorism to expressing dissenting political opinions online.
And “national security” also provides a great excuse for including gag orders along with the NSLs.
NSLs only authorize the collection of metadata, not the actual content. URLs can be collected but not website content; phone numbers can be collected but not the calls themselves.
In that sense, NSLs aren’t as powerful as full warrants. But even URLs and phone numbers can be used as incriminating evidence in a variety of crimes, real or alleged.
And the ease of issuing NSLs means that they’re used with alarming frequency. In 2009 (the most recent year for which data is available), the FBI issued 30,442 NSLs; in 2008, 41,299 NSLs were issued.
Other Secret Orders
Other types of secret orders include section 702 orders, which are used to gather data for the infamous PRISM program. These orders don’t require approval from a judge and are usually accompanied by gag orders.
Even judicial subpoenas and warrants can — and often do — include gag orders. This is especially true when they’re issued under the Electronic Communications Privacy Act, which pertains to digital data.
If a website receives any of these orders along with a gag order, it’s legally forbidden from notifying its users.
And that’s where the warrant canary comes in. Notifications may be illegal, but the lack of them isn’t.
Warrant canaries can’t target specific users, so there’s no way to know if your own data was obtained by the government.
But they serve as a general warning: this site is being watched, be careful what you use it for.
Are Warrant Canaries Legal?
Authorities certainly don’t like warrant canaries, but they’re legal almost everywhere.
They’re most useful in the US, the UK and other countries that allow gag orders. In the US, where you can’t be compelled to lie, they’re particularly valuable.
But they’re less useful in countries with strong privacy laws like Switzerland. There, users must be directly notified if their data is obtained by law enforcement — it’s the law.
Unfortunately, warrant canaries aren’t future-proof. Any country could potentially pass a law forbidding warrant canaries, as Australia did in 2015.
Which Sites Use Warrant Canaries?
Sites and services that emphasize user privacy are more likely to be targeted by law enforcement. Authorities tend to view privacy guards as evidence of illegal activity.
Thankfully, these sites are also more likely to have warrant canaries.
Keeping an eye on them will go a long way towards keeping your data safe.
Many people use virtual private networks, or VPNs, for completely innocent purposes.
They just don’t want their ISPs or governments monitoring their every move — a reasonable desire, we think.
But a few bad apples use VPNs to mask activities like malicious hacking, black market dealing, and even terrorism. The encryption and IP masking capabilities of a VPN make such users virtually untraceable.
That is, unless the VPN receives an NSL or similar order.
Then, any information pertaining to the targeted user must be handed over, including usage logs (if they exist).
To assure their customers of their privacy, many VPNs have warrant canaries in place. Should the canary vanish, users know that the VPN has been forced to hand over user data.
It’s a good example of why it’s important to pick a VPN with zero activity logs. No government order, secret or not, can force a VPN to hand over information it doesn’t actually possess.
And in many international jurisdictions, VPN providers don’t have to comply with foreign demands for user data. That’s why it’s also important to research your VPN’s jurisdiction and relevant laws.
But even overseas zero-logs providers still benefit from having a warrant canary.
It’s important for a VPN to be as transparent as legally possible. Otherwise, you can’t be sure of your security.
Panama-based NordVPN, one of the most popular zero-logs providers, includes a warrant canary on its About Us page. As of November 27, 2019, the canary affirms that NordVPN hasn’t received any NSLs or other warrants.
Swiss VPN Perfect Privacy also has a warrant canary attesting that it hasn’t received any secret demands.
ProtonVPN, another Switzerland-based VPN, keeps its warrant canary in its transparency report. Since Swiss law does not allow for gag orders, ProtonVPN also details the warrants it receives in the report.
The social media giants, like Facebook and Instagram, don’t have warrant canaries. They’re so huge that you should just assume that they receive many NSLs and other secret warrants.
But many other social media sites have — or have had — warrant canaries.
You might not think of Pinterest as a hub for threats to national security, but you’d apparently be wrong. In 2016, Pinterest removed its warrant canary, which had been up since 2013.
Pinterest also updated its transparency report to indicate that it received 0-249 NSLs — the most specific statistic the site is allowed to display. Previously, the NSL figure was simply 0.
2016 also appeared to be the end of Reddit’s warrant canary. Observant users noticed that it was missing from its usual spot in the site’s transparency report.
Privacy-Centric Web Services
Encrypted email provider Tutanota publishes a warrant canary and transparency report every six months. Since the site is based in Germany, it’s able to publish statistics about the requests it receives as well.
Private cloud storage site SpiderOak used to publish a warrant canary, but has replaced it with a transparency report as of 2018. This has led to speculation that the company received an NSL, thus causing the canary to be removed.
How Do I Find Out if a Site Has a Warrant Canary?
Unfortunately, not all sites use warrant canaries.
And it can be hard to tell the difference between sites that just don’t have them and sites that have taken them down after receiving orders.
The Electronic Frontier Foundation (EFF) used to maintain Canary Watch, a database of warrant canaries and their statuses. But as of 2019, the site no longer exists.
These days, you’ll need to do some research to find out if a site has a warrant canary.
Search for “[site name] warrant canary” and see if any results pop up. You might find the actual warrant canary itself (if it’s still up) or find other sites referencing it.
If you find the actual canary and the page is still live, you know the site is in the clear.
But if you can’t find it, you’ll need to go deeper.
When warrant canaries on popular sites are taken down, tech news sites frequently post about it. Try using Google’s “News” tab to find such results.
You can also use the Wayback Machine to see if a site previously included a warrant canary. Check out a few archives and you might be able to pinpoint when the canary disappeared.
If you can’t find any evidence of a warrant canary, try emailing the site owner. They’re allowed to tell you if the site has (or had) a warrant canary, even if they can’t tell you about specific orders.
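The archive comparison described above can be done mechanically. The following is an added example, not part of the original article: it scans dated page snapshots for a canary phrase and reports when the statement was last seen and first missing, and it separates "removed" from "never had one." The snapshot texts, the phrase and the function names are constructed for illustration; in practice the text would come from archived copies you saved.

```python
import re
from datetime import datetime

# Constructed sample data: (Wayback-style timestamp, archived page text).
SNAPSHOTS = [
    ("20150301120000", "Transparency Report. We have never received a National\n"
                       "Security Letter or any other secret order."),
    ("20150901120000", "Transparency report: we have NEVER received a national security letter."),
    ("20160315120000", "Transparency Report. Government requests received: see table."),
    ("20160920120000", "Transparency Report. National security requests: 0-249."),
]

# Assumed wording; every site phrases its canary differently.
CANARY_PATTERN = r"never received a national security letter"


def normalize(text):
    """Collapse whitespace and lowercase so layout changes don't look like removals."""
    return re.sub(r"\s+", " ", text).strip().lower()


def has_canary(text, pattern=CANARY_PATTERN):
    """True if the canary statement appears in the page text."""
    return re.search(pattern, normalize(text)) is not None


def canary_timeline(snapshots, pattern=CANARY_PATTERN):
    """Return (status, last_seen, first_missing) for a list of snapshots.

    status is "present", "removed", or "never_seen". The removal happened
    somewhere between last_seen and first_missing.
    """
    last_seen = first_missing = None
    for stamp, text in sorted(snapshots, key=lambda s: s[0]):
        when = datetime.strptime(stamp, "%Y%m%d%H%M%S").date()
        if has_canary(text, pattern):
            last_seen, first_missing = when, None  # canary present (or restored)
        elif last_seen is not None and first_missing is None:
            first_missing = when  # first snapshot after the statement vanished
    if last_seen is None:
        return ("never_seen", None, None)
    if first_missing is None:
        return ("present", last_seen, None)
    return ("removed", last_seen, first_missing)


if __name__ == "__main__":
    print(canary_timeline(SNAPSHOTS))
```

A "never_seen" result only means the phrase was not in the snapshots checked, so confirm the wording against a known copy of the canary before drawing conclusions.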
Websites use warrant canaries to indicate when they’ve received secret government demands for data. This legal loophole lets them circumvent gag orders designed to keep users in the dark.