A Warrant Canary Gives VPNs a Legal Loophole with Warrants

Recently BolehVPN announced that it would be joining a growing list of VPN providers that publish a warrant canary, an official statement signed by the company that states it has not received any warrant or demands from authorities yet.

Many VPN providers highlight their “no log policy”, meaning that they do not log or store data on users’ browsing habits. In theory this also means that, should the provider receive any search warrants, there would be no data to search for.

At the same time, if a warrant is received the company can be gagged from talking about it or making it public by, for example, publishing a notification on its blog.

A warrant canary is intended to meet this challenge head on: the company publishes a warrant update at a regular interval, such as every week or every month. The update states that the company has not received any legal requests, since no legal restriction prevents a company from stating that it has not received something. If these updates stop, it would appear that something is amiss, and customers would be able to see that.
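The check a customer would have to make by hand can be automated. The following is an added example, not code from the article or from any provider: it classifies one fetched canary statement against its expected publishing interval. The `Date:` line layout, the claim wording it matches, the 6-hour grace period and all names are assumptions, and verifying the statement's signature is assumed to happen separately.

```python
import re
from datetime import datetime, timedelta, timezone
from enum import Enum

class CanaryState(Enum):
    FRESH = "fresh"
    STALE = "stale"                # last update older than the publishing interval
    MISSING = "missing"            # page gone, or no dated statement found
    CLAIM_ABSENT = "claim-absent"  # dated, but the "nothing received" claim is gone
    FUTURE = "future-dated"        # dated ahead of the clock; do not trust it

# Assumed statement layout (constructed for this example, not a provider's format).
DATE_RE = re.compile(r"^Date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s*$", re.M)
CLAIM_RE = re.compile(r"\bhas not received any\b", re.I)

def check_canary(text, now, interval, grace=timedelta(hours=6)):
    """Classify one fetched canary statement against its expected cadence."""
    if not text:
        return CanaryState.MISSING
    m = DATE_RE.search(text)
    if m is None:
        return CanaryState.MISSING
    published = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    published = published.replace(tzinfo=timezone.utc)
    if published > now + grace:
        return CanaryState.FUTURE
    if CLAIM_RE.search(text) is None:
        return CanaryState.CLAIM_ABSENT
    if now - published > interval + grace:
        return CanaryState.STALE
    return CanaryState.FRESH

# Constructed sample statement.
SAMPLE = """\
Date: 2024-03-01T12:00:00Z
Example VPN has not received any warrants or demands from authorities.
"""

if __name__ == "__main__":
    every_48h = timedelta(hours=48)
    on_time = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)
    late = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
    print("current:", check_canary(SAMPLE, on_time, every_48h).value)
    print("removed:", check_canary("", on_time, every_48h).value)
    print("no update:", check_canary(SAMPLE, late, every_48h).value)
```

Any result other than `FRESH` is a prompt to look closer, not proof that a warrant was served.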

Just how effective can a warrant canary be, though? There are many variables at play, says attorney David Coher, who specializes in cybersecurity.

“First, it requires knowledge on the part of the user to understand how the warrant canary works. If you, as a user, don’t know to look for it, then you won’t notice when the graphic or statement is missing,” he says. “Second, a warrant canary is only telling you that the company received at least one warrant. It doesn’t tell you if the warrant targeted the company itself, if it targeted another user of the service, or if it targeted anybody using the service at all!”

Who publishes a warrant canary?

LiquidVPN operates a warrant canary in a very similar way to BolehVPN. Its page updates every 48 hours with a clear message saying there has been no legal activity.

“If this message is removed or suddenly stops being updated then you should exercise extreme caution when using any LiquidVPN resource until the signed updates start to be published once more,” says its CEO Dave Cox in the statement.

VikingVPN says it also has a warrant canary, a slightly more subtle one that was introduced in December 2013. The logo graphic on the company’s homepage will change color if a warrant or National Security Letter is ever received, as a means to trigger a warning. If this ever happens, VikingVPN encourages its customers to contact its customer support to speak to someone directly.

“If we give you some cryptic answers like ‘we don’t know what government programs might cause us to trip the Canary’, then you know we have been compromised,” says Viking. “If we give you a straight answer like ‘a bug caused it to trip, we have not received any national security letters or government surveillance requests’, then you can probably guess that it was not a legitimate Canary warning.”

Legal limbo

Using a warrant canary is based on an “untested legal theory”, says Coher. “While it seems to take advantage of a loophole in the laws, the courts may not like the non-affirmative disclosure that is taking place,” he says. “Alternatively, the courts may be comfortable with the warrant canary approach because of the limited disclosure taking place.”

Given that there are legal loopholes being exploited with this practice, this may end up being addressed at some point by the US Supreme Court, but that may be “years from now”, adds Coher. “So, the delay in the courts reaching a final decision on this matter will lead to a legal limbo for the foreseeable future.”