Proxy.sh hints at gag order after VPN node withdrawn from warrant canary
Company promises to commit “corporate seppuku” if need be.
The Seychelles-based VPN provider Proxy.sh has withdrawn an exit node from its warrant canary—a statement certifying that “to the date of publication, no warrants, searches, or seizures that have not been reported in our Transparency Report, have actually taken place.”
The blog post in question simply states: “We would like to inform our users that we do not wish any longer to mention France 8 (184.108.40.206) in our warrant canary until further notice.” The statement implies that the France 8 node has been subject to a warrant, but that a gag order forbids Proxy.sh from revealing that fact directly. It is not clear who served the warrant, and for obvious reasons, Proxy.sh is unable to say.
However, the TorrentFreak site obtained the following comment from Proxy.sh: “We recommend our users to no longer connect to it. We are striving to do whatever it takes to include that node into our warrant canary again.”
Proxy.sh went on to say: “The warrant canary has been particularly designed to make sure we could still move without being legally able to answer questions in a more detailed manner. We are happy to see it put to use after all and that our users are made aware of it.”
Another site, VPNCompare.co.uk, which seems to have been the first to notice the withdrawal of the warrant canary, pointed out that despite Proxy.sh’s warning, “The France 8 server coupled with their French servers in general continue to be some of the most utilised of their network.”
Ars wrote about Proxy.sh back in 2013. The article was less than impressed with its overall policy on handing over user data and protecting user privacy—it quoted Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, as saying it was the “single worst policy” he had seen. However, since then, Proxy.sh has made changes to the terms of its ethical policy. Ars has asked whether that was in direct response to the EFF’s criticisms, but has not yet received a reply.
Significantly, the policy now includes the following section: “We are based in the Republic of Seychelles and if any domestic law or constraint contradicts our mission and values, we will not hesitate to relocate into another location. Additionally, if we cannot find a right location to strive for such principles, we will submit ourselves to ‘Corporate Seppuku’. We will close business and provide refund to all our present customers within the cash budget we have at our disposal.”
That promise to commit “corporate seppuku” is a reference to the decision of Ladar Levison, the CEO of the e-mail service Lavabit, to shut down his company rather than be forced to provide real-time monitoring of one of its users, which was recently confirmed to be Edward Snowden.
Earlier this year, Ars’ sister publication Reddit also removed a “warrant canary” from its latest transparency report, in another sign of the growing use of such indirect signalling mechanisms—and of their necessity.
This post originated on Ars Technica UK