As Wikipedia sums it up, a warrant canary is a method of trying to circumvent court orders that forbid companies from notifying the targets of surveillance that they are, in fact, being targeted:
A warrant canary is a method by which a communications service provider informs its users that the provider has not been served with a secret United States government subpoena. Secret subpoenas, including those covered under 18 U.S.C. §2709(c) of the USA Patriot Act, provide criminal penalties for disclosing the existence of the warrant to any third party, including the service provider’s users. A warrant canary may be posted by the provider to inform users of dates that they have not been served a secret subpoena. If the canary has not been updated in the time period specified by the host, users are to assume that the host has been served with such a subpoena. The intention is to allow the provider to warn users of the existence of a subpoena passively, without disclosing to others that the government has sought or obtained access to information or records under a secret subpoena.
Whether or not warrant canaries would actually be effective is debatable, especially for a company doing business in the United States that might itself be subject to criminal prosecution for effectively disclosing to the target(s) of a secret subpoena that something is amiss. I am not a lawyer, but I suspect judges will look askance (to say the least) at companies essentially taking preparations ahead of time to circumvent court orders.
That said, SpiderOak’s implementation of a warrant canary appears well thought out:
The canary itself can take many forms, the one we’ve chosen is a specific plain text signed with multiple GPG keys.
The GPG keys belong to different SpiderOakers which we’ve selected based on geolocation. So besides doing all the legal (or illegal) things an adversary would need to do to get a backdoor somewhere in SpiderOak, they’ll also need to compel 3 people around the globe to sign a message at a specific moment in time.
. . .
In cases such as SpiderOak, killing a canary can quite possibly mean killing the business, so we switched to publishing the canary every 6 months. This means the first canary will be signed between August 10 and August 15, 2014. The next one will be signed between February 10 and February 15, 2015.
The actual warrant canary is here. It says a lot about SpiderOak that they’ve taken this step, but this should probably be viewed more as a signifier by SpiderOak of how seriously they take the security of their users’ data than as a tool that is likely to be effective at informing end users of the existence of secret subpoenas.
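To make the quoted scheme concrete from the verifier's side, here is an added example (not SpiderOak's code, and not how their canary is actually checked) of what a user-side checker for a multi-signer, time-boxed canary has to enforce: a threshold of distinct trusted signers, a statement whose date is bound into the signed bytes, and a maximum age after which the canary is treated as dead. Ed25519 from Go's standard library stands in for GPG signatures; the signer IDs, key pairs, statement wording and the 190-day freshness limit (chosen to cover the six-month window between the two signing periods quoted above) are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Statement is the plaintext the provider re-signs at every publication window.
type Statement struct {
	Text     string    // the canary wording
	SignedAt time.Time // date of this signing
}

// Bytes is the exact byte string every signer signs; the date is bound into it
// so an old signature cannot be replayed over a new date.
func (s Statement) Bytes() []byte {
	return []byte(s.SignedAt.UTC().Format(time.RFC3339) + "\n" + s.Text)
}

// Signature is one signer's detached signature over Statement.Bytes().
type Signature struct {
	SignerID string
	Sig      []byte
}

// Canary is the published artifact: statement plus detached signatures.
type Canary struct {
	Statement  Statement
	Signatures []Signature
}

// Policy is what a verifier pins locally: trusted keys, how many must sign,
// and how old a canary may be before it is treated as dead.
type Policy struct {
	Signers   map[string]ed25519.PublicKey
	Threshold int
	MaxAge    time.Duration
}

// Verify returns nil only if at least Threshold distinct trusted signers produced
// valid signatures over the statement and the statement is fresh relative to now.
func Verify(c Canary, p Policy, now time.Time) error {
	msg := c.Statement.Bytes()
	valid := map[string]bool{}
	for _, sig := range c.Signatures {
		pub, trusted := p.Signers[sig.SignerID]
		if !trusted || valid[sig.SignerID] {
			continue // unknown signer or duplicate: does not count toward the threshold
		}
		if ed25519.Verify(pub, msg, sig.Sig) {
			valid[sig.SignerID] = true
		}
	}
	if len(valid) < p.Threshold {
		return fmt.Errorf("only %d of %d required signatures verified", len(valid), p.Threshold)
	}
	if c.Statement.SignedAt.After(now) {
		return fmt.Errorf("statement is dated in the future")
	}
	if age := now.Sub(c.Statement.SignedAt); age > p.MaxAge {
		return fmt.Errorf("canary is stale: signed %s ago, limit %s", age, p.MaxAge)
	}
	return nil
}

// Sign produces one signer's detached signature over the statement.
func Sign(s Statement, id string, priv ed25519.PrivateKey) Signature {
	return Signature{SignerID: id, Sig: ed25519.Sign(priv, s.Bytes())}
}

// Scenarios builds three constructed signers and exercises the checks a verifier
// must make, returning the error from each case (nil means the canary is alive).
func Scenarios() (fresh, short, stale, tampered error) {
	ids := []string{"signer-eu", "signer-us", "signer-apac"} // constructed signer IDs
	policy := Policy{Signers: map[string]ed25519.PublicKey{}, Threshold: 3, MaxAge: 190 * 24 * time.Hour}
	privs := map[string]ed25519.PrivateKey{}
	for _, id := range ids {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		policy.Signers[id] = pub
		privs[id] = priv
	}
	signedAt := time.Date(2014, 8, 12, 0, 0, 0, 0, time.UTC) // inside the first window quoted above
	stmt := Statement{Text: "No secret subpoenas received as of the date above.", SignedAt: signedAt}
	var sigs []Signature
	for _, id := range ids {
		sigs = append(sigs, Sign(stmt, id, privs[id]))
	}
	good := Canary{Statement: stmt, Signatures: sigs}
	soon := signedAt.Add(30 * 24 * time.Hour)

	fresh = Verify(good, policy, soon)                                          // 3 of 3, 30 days old
	short = Verify(Canary{Statement: stmt, Signatures: sigs[:2]}, policy, soon) // only 2 of 3 signers
	stale = Verify(good, policy, signedAt.Add(200*24*time.Hour))                // not re-signed in time
	edited := good
	edited.Statement.Text = "No secret subpoenas received, ever." // wording changed after signing
	tampered = Verify(edited, policy, soon)
	return
}

func main() {
	fresh, short, stale, tampered := Scenarios()
	fmt.Println("fresh, 3 of 3 signatures:  ", fresh)
	fmt.Println("only 2 of 3 signatures:    ", short)
	fmt.Println("200 days old:              ", stale)
	fmt.Println("text edited after signing: ", tampered)
}
```

The point of the staleness check is that a canary only works if the reader treats silence as a signal: a statement that verifies perfectly but is older than the announced window must be reported as dead, not as valid. Note also that counting distinct signer IDs, rather than raw signatures, is what stops one compromised key from satisfying a three-person threshold by signing three times.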