The US Government and foreign governments have served secret warrants that allow them to monitor and obtain records of Internet traffic from ISPs and other services. This can apply to VPN services and, because of the way gag orders are used, a provider would not be able to tell its subscribers that it had been served with a warrant and subjected to monitoring, or that its records had been subpoenaed. Several privacy groups advocate a solution to this: a warrant canary.
How it Works
The idea is simple and allows the provider to get around a gag order with a technicality. While the government can prevent a provider from telling its subscribers that they have been served with a warrant, there is no law that prevents providers from telling their users they have not been served with a warrant.
The provider simply posts a notice on their site that, as of the date that the notice was posted, they have not been served with a warrant. This lets them avoid breaking the gag order while still letting their subscribers know if there is a problem. It solves the problem of transparency with government intrusion, at least to some extent.
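A subscriber-side check of the dated notice described above, as an added example that is not from the original article: it classifies fetched notice text by whether the statement is still present and how old its date is. The notice wording, the ISO date format, the 31-day limit and the name `check_canary` are assumptions.

```python
import re
from datetime import date, timedelta

# Assumed notice wording and ISO date format; real canaries vary.
CLAIM_RE = re.compile(r"\b(?:has|have) not been served\b", re.IGNORECASE)
DATE_RE = re.compile(r"\bas of (\d{4})-(\d{2})-(\d{2})\b", re.IGNORECASE)


def check_canary(page_text, today, max_age_days=31):
    """Classify fetched canary text: ok, stale, future-dated, undated, missing.

    max_age_days is an assumed refresh interval, not a value from the article.
    """
    text = " ".join((page_text or "").split())  # undo line wrapping
    if not CLAIM_RE.search(text):
        return "missing"       # statement gone: the canary signal itself
    match = DATE_RE.search(text)
    if match is None:
        return "undated"       # cannot tell when the claim was last true
    try:
        posted = date(*map(int, match.groups()))
    except ValueError:
        return "undated"       # impossible calendar date, e.g. 2024-13-40
    if posted > today:
        return "future-dated"  # a pre-dated notice proves nothing
    if today - posted > timedelta(days=max_age_days):
        return "stale"         # provider stopped renewing the notice
    return "ok"


# Constructed sample pages (not real provider text).
SAMPLES = {
    "fresh": "As of 2024-05-01, Example VPN has not\nbeen served with a warrant.",
    "stale": "As of 2023-11-01, Example VPN has not been served with a warrant.",
    "undated": "Example VPN has not been served with a warrant.",
    "removed": "Welcome to Example VPN. See our plans and pricing.",
}

if __name__ == "__main__":
    today = date(2024, 5, 20)  # fixed so the output is reproducible
    for name, text in SAMPLES.items():
        print(f"{name:8} -> {check_canary(text, today)}")
```

The phrase match is deliberately simple, so a reworded notice also reports as missing and needs a manual look.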
It’s Been Used
Rsync.net has used this method and was the first commercial user of the concept. Apple has done the same thing, and librarians started using this method to let patrons know that they hadn’t received any warrants under the Patriot Act: if no notice was displayed, they had.
Why it Matters for VPN Users
One of the methods of securing privacy with a VPN service is to make sure that you use a service that doesn’t keep logs. The problem is that there is still no way to establish that the provider is honest in this regard. International jurisdictional layering can also provide a way to protect surfing records, but this also depends on the provider being honest, and there’s no inherent transparency that allows this to be verified.
With the warrant canary, the VPN provider could offer a way to inform their users whether or not they have been served with a warrant. If they have, the users would know about it, despite the government’s efforts to keep their snooping secret.
Between a no-logging policy and a warrant canary, it could be possible for VPN providers to offer better service than ever to their customers in terms of privacy protection.