Now… as I have discussed before, I usually consider such warrant canaries to be primarily promotional fluff for companies who keen to display their privacy-friendly credentials. In my view, they are of only very limited use as a practical security measure.
A big part of the reason for this is that even when they are triggered (often out of sheer laziness over updating them!), they are simply ignored. This defeats their entire purpose!
On 2 June, however, Proxy.sh issued a very specific warning,
“France 8 removed from warrant canary until further notice
We would like to inform our users that we do not wish any longer to mention France 8 (22.214.171.124) in our warrant canary until further notice.”
When questioned about the move, Proxy.sh said,
“We recommend our users to no longer connect to it. We are striving to do whatever it takes to include that node into our warrant canary again. The warrant canary has been particularly designed to make sure we could still move without being legally able to answer questions in a more detailed manner. We are happy to see it put to use after all and that our users are made aware of it.”
This leaves little room for doubt – Proxy.sh has been issued with a legally binding surveillance order, and is not allowed to talk about it (at least directly).
Interestingly, the website that first noticed the warning also noted that it had largely fallen on deaf ears. Despite being very specific that users should avoid France 8, Proxy.sh customers have continued to use the popular server almost unabated.
“Most worryingly it would appear that the clear announcement coupled with the removal of the France 8 server from the warrant canary has fallen on deaf ears. The France 8 server coupled with their French servers in general continue to be some of the most utilised of their network.”
Somewhat peculiar is that the wording of the warning goes far beyond the usual method of triggering a warrant canary via inaction. The idea behind warrant canaries is that a government can legally silence an individual, but that it cannot force them to tell a lie (i.e. to falsely update the warrant canary).
“While the government may be able to compel silence through a gag order, it may not be able to compel an ISP to lie by falsely stating that it has not received legal process when in fact it has.”
By being so specific in its wording, however, Proxy.sh is not so much triggering a warrant canary, as issuing a clear and unambiguous warning. As such, it is likely that any court would find the company in contempt of a legally mandated gag order by issuing such a statement.
It is, of course, possible that the government issuing the gag order has no legal recourse against a company registered in the Seychelles. In this case, however, why even bother couching the warning in terms of warrant canary at all?
So what is a Proxy.sh customer to do?
The first thing, obviously, is to not use the France 8 server! This probably also applies to all servers in France, as the canary warning implies that the server has been compromised by the French government.
Should I stay ..?
Alarming as this news is, Proxy.sh has demonstrated a high degree of integrity and transparency by triggering this warrant canary. It clearly takes its responsibilities for keeping its users’ data private very seriously, and is willing to risk its reputation to do so. This is highly commendable, and in my view inspires a great deal of trust.
… Or should I go now?
This is, in fact, not the first time that Proxy.sh has courted controversy. In 2013 Proxy.sh announced that it would install a traffic sniffer in order to catch or deter “hacking activities”. The move divided the VPN community on similar grounds to the current debate.
Many were understand appalled by the decision, while others praised Proxy.sh’s transparency, and the fact that it was willing to admit doing something that many other providers might also do, but in secret. The balance opinion at the time, however, was highly critical of Proxy.sh.
This incident was followed by a report from Ars Tecinica, which called Proxy.sh a “shadowy VPN firm” and generally gave it a good kicking,
“In short, Proxy.sh—a company whose employees and origins are completely obscured—asks its customers to simply trust its ethical judgment about perceived user wrongdoing. Without knowing more about the company in the first place, it’s hard to know what impact its policies will have on the Proxy.sh bottom line.”
Proxy.sh has since released an improved Ethical Policy which makes the following promise,
“We are based in the Republic of Seychelles and if any domestic law or constraint contradicts our mission and values, we will not hesitate to relocate into another location. Additionally, if we cannot find a right location to strive for such principles, we will submit ourselves to ‘Corporate Seppuku’. We will close business and provide refund to all our present customers within the cash budget we have at our disposal.”
“Corporate Seppuku” refers to the infamous incident where Lader Levison, owner and operator of secure email service Lavabit, closed down his company. He did this to prevent his customers from being compromised after he received a National Security Letter (and accompanying gag order) from the US government. It is now confirmed that the government was looking for emails belonging to Edward Snowden.
Personally, I am impressed by Proxy.sh’s honesty and transparency in this case. I can fully understand, however, why many might be leery of having anything to do with the company. This is especially true in light of Ars’ finding when it investigated the company (albeit almost 3 years ago). I would therefore be very interesting in what you, dear readers, think about the situation…