Warrant Canary

If you’ve ever researched VPNs, whether for privacy, watching another country’s Netflix or streaming services, engaging in illicit activity, or planning the overthrow of your government, you may have noticed the term Warrant Canary, usually in conjunction with someone attempting to sell you a privacy service.

The term harkens back to the days when canaries were used in coal mines as gas detectors (dead canary = gas in the mine shaft = get out before you die) and has been adopted into the digital age to indicate that the FBI, NSA, or other law enforcement agencies have not contacted the company to wiretap or request records.

The theory goes that on the service you’re using, they put up a picture on a regular basis that says that there have been no contacts or requests by the FBI, NSA, MI-x, etc and you know you’re safe. The legal system of most countries can require you to not disclose if you’ve been contacted by a government agency, but they can’t compel you to lie (at least how the theory goes, in the US the First Amendment protects against compelled speech). The instant that image is outdated or pulled you’ve legally said nothing and by your inaction have not violated any law, or so they claim.

There are a few setups for a Warrant Canary that I’ve seen: the assertion/removal (here’s a sign; if it’s gone, run), the “it’s {today’s date} and we’re clear” statement, and the videoed assertion on a third-party service.

The Warrant Canary approach is currently untested in the court systems, but it’s pretty easy to show the scenario in which the Warrant Canary sign was removed as being a willful action to inform and circumvent the gag order. Therefore, any “if this sign is gone, don’t use our service” method is on very shaky ground. It hasn’t been fought yet, and it will be interesting to see what happens when it is.

The next approach is the continually updated Warrant Canary, in which said sign is updated and posted on the website. The idea here is that the day it’s not updated you know that there’s something up, since they can’t compel the service owners to update these Canaries. This is a little harder legally, but I doubt it’s far-fetched to think that when the NSA/FBI/etc. walk into your VPN service, they come with the backup ability to drop in a forensic data analyst / IT specialist to post that Warrant Canary photo claiming all is clear, violating no law against compulsion, although perhaps false advertising might come into play.

The next type of Warrant Canary involves publicly broadcasting a video in which you assert that there has been no government involvement as of that day. This one’s a bit more difficult to force or fake, as you have to have the person who makes these statements there to film and upload. The theory goes that you can’t legally force this person to make a statement. This is all well and good if the person doesn’t mind going to jail, has no loved ones, and may be dying in a month anyway, but for those with friends and family, you don’t really have to attack the idealist; just threaten their parents over something, as most people evidently commit a few federal crimes a day on a regular basis.

The only Warrant Canary approach I can see reasonably working securely is setting up third-party monitoring services in other countries/jurisdictions, with multiple firms watching cameras of the service offices, and multiple Canary distribution locations based in different countries and on different services (web, YouTube, a balloon floated in front of a public webcam at 2:17pm on a given Tuesday, Twitter, BitTorrent, etc).
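The dated “it’s {today’s date} and we’re clear” canary only tells you something if somebody actually checks the date, and spreading copies across jurisdictions only helps if the copies are compared against each other. The following is an added example, not code from the post or from any VPN provider: a small monitor that reads the date out of each copy, flags copies that are missing, stale, or disagree with the newest one, and only trusts the canary when every source is fresh and consistent. The mirror names, wording, and 30-day update interval are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample canary statements as they might appear on a website, a
# Twitter account and a mirror in another jurisdiction (not real providers).
CANARY_MIRRORS = {
    "website": "As of 2015-03-10 we have received no warrants, subpoenas or gag orders.",
    "twitter": "As of 2015-03-10 we have received no warrants, subpoenas or gag orders.",
    "mirror-eu": "As of 2015-02-10 we have received no warrants, subpoenas or gag orders.",
}

DATE_RE = re.compile(r"As of (\d{4}-\d{2}-\d{2})")


def parse_canary_date(text):
    """Extract the 'As of YYYY-MM-DD' date; None if the statement is absent or unparseable."""
    m = DATE_RE.search(text or "")
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def check_canaries(mirrors, now, max_age_days=30):
    """Return {mirror: 'ok' | 'missing' | 'stale' | 'mismatch'} for each copy of the canary.

    'missing'  - the statement is gone (the assertion/removal case).
    'stale'    - older than the promised update interval (the dated-statement case).
    'mismatch' - fresh, but disagrees with the newest copy seen elsewhere.
    """
    results, dates = {}, {}
    for name, text in mirrors.items():
        d = parse_canary_date(text)
        if d is None:
            results[name] = "missing"
            continue
        dates[name] = d
        results[name] = "stale" if now - d > timedelta(days=max_age_days) else "ok"
    if dates:
        newest = max(dates.values())
        for name, d in dates.items():
            if results[name] == "ok" and d != newest:
                results[name] = "mismatch"
    return results


def overall_verdict(results):
    """One fresh copy is not enough: every independently hosted copy must be fresh and agree."""
    return "trusted" if results and all(s == "ok" for s in results.values()) else "suspect"


if __name__ == "__main__":
    status = check_canaries(CANARY_MIRRORS, datetime(2015, 3, 15, tzinfo=timezone.utc))
    print(status, overall_verdict(status))
```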

But in the end, the Warrant Canary is an illusion of security used to sell you a product. Privacy and security are only temporary illusions, as we’ve found out recently with the continued failures of SSL (Apple goto fail, Heartbleed, POODLE, FREAK), SIM encryption keys stolen by the NSA, email and whatever it’s been since 2001, etc.

Even if an agency like the NSA can’t crack your $4-a-month VPN traffic now, it doesn’t mean they can’t record it and, when the next exploit is found or your computer is snagged on reasonable suspicion, undo the cryptography used to transmit the data and then come after you in one form or another.

Or I’m wrong and the powers of a $4-a-month VPN club can be used to thwart national security interests, or more likely the MPAA with a wad of cash for local policing agencies to encourage them to find out who’s stealing and hosting pre-release DVD copies of whatever the latest multi-million dollar box office movie is out there.

[eff]