Cake day: Jun 18, 2023


This is the kind of initiative that makes me want to sign up. Don’t care for VPNs in general, but maybe it's time to get a Proton Mail account.

I couldn't easily find financial data for Proton AG, but they are still tiny. 100m Proton Mail users vs 1.5b Gmail users. If one of the really big players wanted to, I am sure they could make Proton an extremely tempting offer.

Don't forget that 20 years ago, Google/Gmail was well trusted as well. Once Proton reaches a critical mass with sufficient lock-in, there is nothing stopping them going down the same path Google did.

They typically have a date for the message and the date for the next update. If they miss their update, they have failed.

Wikipedia does claim that Patriot Act subpoenas can penalise any disclosure of the subpoena. But I am not a lawyer, and afaik this is untested (or at least undisclosed :/ )


Some subpoenas, such as those covered under 18 U.S.C. §2709(c) (enacted as part of the USA Patriot Act), provide criminal penalties for disclosing the existence of the subpoena to any third party, including the service provider’s users.

In September 2014, U.S. security researcher Moxie Marlinspike wrote that “every lawyer I’ve spoken to has indicated that having a ‘canary’ you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you’ve received something.”

I think my point is that a gag order with a long time out essentially kills the canary, even if it doesn't affect the vast majority of the service's users.

Thanks for your response though, I appreciate the additional information.

A failed warrant canary is effectively a triggered warrant canary. If it's triggered, you have to assume the company has been issued a warrant, and is therefore vulnerable.

None of those compelled speech examples include national security though, which has its own level of rules and courts. (I am not American or a lawyer, so I may be wrong).

And if a company can be compelled to hand over customer data, why wouldn't they hand over access to the systems that update the canaries?

The other issue is that once a canary is triggered, it can't be reset, which means that XXX agency can trigger the canary with something meaningless, and then it's forever untrustworthy.

You may well be correct, and they are sufficient, but I am not convinced that canaries work, especially against the higher level adversaries.

Someone please correct me if I am wrong, but I was under the impression that warrant canaries were a broken concept. Anyone with the power to submit a warrant to a company also has the ability to prevent the company from triggering their canary.