Why PIA doesn’t fly a warrant canary: it’s solving the wrong problem

Posted on Oct 11, 2016 by Rick Falkvinge

Private Internet Access doesn’t have a warrant canary. That’s because warrant canaries alert somebody to damage that has already happened. The right way to go about the problem is to prevent the damage from happening in the first place.

At PIA, privacy is at the soul of what we do. Our business partners have occasionally been surprised when we say upfront that we’re in privacy first, business second – but that’s the passion we have. Making money is a matter of being able to continue pursuing the primary goal, privacy, on a sustainable basis.

Given this, we’re sometimes asked why we don’t fly warrant canaries on our web page. A warrant canary is a short statement designed to technically circumvent gag orders about what, when or where various authorities have legally coerced us to give up private information on our customers. A warrant canary can look like this:

“In 2014, this company did not receive any coercing legal request for private customer information.”

The idea is that if and when this statement disappears, it’s the equivalent of saying there were authorities grabbing what they wanted and preventing the company from talking about it – so what the company does, in order to circumvent the gag, is to remove the statement that it’s never happened.

This is going about the problem in the wrong way, when you’re a privacy company. The right way is to not have any collectable information in the first place.

A warrant canary is a little bit like a fire alarm going off. Great. You know there’s a fire. Now what do you do?

This is why at PIA, we have designed our operations to prevent this from happening in the first place. There are no logs. There is no identifying information that can be collected, regardless of the amount of force applied. There are several companies who claim they don’t log, but do anyway at the end of the day. In contrast, we have public court records to prove we don’t log anything, available for anyone to read (pages 11-12):

“All of the responses from 1&1, Facebook, Twitter, and Tracfone have been traced back by IP address to … privateinternetaccess.com. […] A subpoena was sent […] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States. However, [PIA] did provide that they accept payment for their services with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through paypal, bitpay, bitcoin, cashyou, ripple, ok pay, and pay garden.”

The actual court record looks like this, with this passage divided across a page break:

[Image: US court record showing PIA doesn't log]

So with nothing logged that can identify our users, and public court records to show for it, the question remains what to do if PIA is coerced into logging – or rather, if authorities try to coerce PIA into something like that, as was recently the case with Yahoo, when the NSA forced it into spying on its own users.

There is a precedent for this, and it is Lavabit choosing to shut down operations instead of selling out its users (specifically, selling out Edward Snowden). That’s also exactly what Private Internet Access has already done once, when Russia demanded that we start logging our users’ identities, after seizing PIA servers.

Our response was to immediately shut down operations in Russia:

“The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year […] Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.”

And this, in summary, is why Private Internet Access doesn’t use warrant canaries.

Comments are closed.


  1. nutterboxer

    Just read this, awesome response to the warrant canary! Was discussing with a co-worker, and the two things we said, BEFORE reading the article, were don’t log anything, and if it comes down to betraying your users, shut it down. If PIA continues to follow these mandates, they will NEVER hurt for customers.

    7 years ago
  2. T

    If PIA kept no log, how were they able to identify that a “cluster of IP addresses being used was from the east coast of the United States”?

    7 years ago
  3. Mark

    I also have to disagree. Yes, I know the canary tells us what happened in the past, but at least we know! Not knowing is the issue. Your argument makes me think that PIA has obviously been served with a National Security Letter and thus doesn’t want to have to post a warrant canary that provides the proof. For me, I’ll stick to VPN services that have both a warrant canary and a no logging policy based in a non 41 Eyes country.

    7 years ago