What are your views on warrant canaries? Which services still have them?

As I read on the subject of warrant canaries, it seems some people find them reassuring and others think they are pointless as a state actor could take over (or influence) a service and force the operators to not reveal it.

There has been a lot of material out there this past year on the Snowden revelations and I took the opportunity to read Greenwald’s No Place to Hide and listen to a bunch of Bruce Schneier talks.

After consideration, I think I fall in the camp that finds a warrant canary reassuring. What do you think?

Which services have warrant canaries? I’ve found (and added transparency report presence):

yes - IVPN - has both a canary (updated 2/3/24) and a transparency report
yes - Tuta - updated 1/1/24
yes - Filen - updated 2/15/24 (didn’t know about this company, found them while reading on warrant canaries)
yes - Purism - last updated on 1/1/24

possibly - Cloudflare - a 2022 statement has listed at the bottom that it is current as of 2/16/24 but they are attesting to 6 very specific statements

?? - Proton - I cannot find a warrant canary and their transparency report hasn’t been updated since 2022.
?? - Signal - cannot find a canary and the referenced/possible transparency report was last updated in 2021
?? - Simplex - I don’t see a canary or a transparency report
?? - Tresorit - no canary and the transparency report has not been updated since 2019
?? - Mullvad - doesn’t display a traditional canary and I cannot find a transparency report but they do go into detail on the laws affecting them in Sweden. They disclosed a visit by the authorities last year IIRC.
?? - NextDNS - cannot find a canary or a transparency report (!!) but they state they do not log. However, I suspect if this was changed by govt order, it would not necessarily be known.
?? - Control D - cannot find a canary or transparency report
?? - Quad9 - transparency report last updated in Q1 2023
?? - mailbox.org - the last transparency report I can find is from 2022 and they do not feature a canary
?? - addy.io - I cannot find a canary or a transparency statement
?? - privacy.com - I cannot find a canary or a transparency report. Their privacy policy states they would share info under several conditions. I suppose this is not surprising as a financial entity in the US.
?? - MySudo - has a unique pre-emptive site for government requests which states they cannot decrypt content but they don’t appear to have a canary or transparency rept.


And in a similar vein, should we have one here at privacyguides.org? Personally, they’ve never been very compelling to me. Moxie Marlinspike and Bruce Schneier don’t believe they’d work either (although it’s worth noting they’re obviously not lawyers lol)

I think warrant canaries might offer reassurance only if the jurisdiction is permissive with warrant canaries. There are jurisdictions that essentially criminalize warrant canaries, whether by making it a crime to disclose the absence of legal instruments (either in general or certain instruments) or by construing the removal of a warrant canary as a disclosure that something was served (lying would be compelled in this case).

An alternative to warrant canaries is service providers that are unable to disclose sensitive information because technology baked into the service they provide prevents them from doing so. Not logging helps too. IIRC, Signal could only turn over trivial data when they were subpoenaed, and some internet services accept only Tor traffic.
