[Updated] SpiderOak cans warrant canary - has the service been compromised?

Update (August 07): SpiderOak reached out to us to share their response on the matter. The company says:

More info here.

Original story follows:

In a major development, popular US-based cloud backup service SpiderOak has announced that the company is moving away from signed warrant canaries. The company said the canary is being replaced by transparency report, which will be updated every six months.

Officially, here’s the reason the company gave for this move:

The way the canary is built happens by one of us writing the contents of it, cryptographically signing it, then distributing it among 2 other spideroakers in 2 other parts of the world to sign it as well.

This process takes time, as people keep their canary signing keys in a secure offline machine (UX vs security juggling act) and also have to deal with all the other tasks they have. So it’s not a perfect science the exact moment when the canary gets published. It might vary for a day or two, and that has added some understandable stress to some users.

On top of this, the canary’s effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users

However, if you go by the very basics of warrant canaries, if a canary is dropped, canned, or done away with, this means the company behind the service has received government request for user data. Many companies have done this in the past – none said anything publicly, simply because they aren’t allowed to do so.

Curiously, the service also went down for several hours last week. While rumors are that this outage was directly related to the presumed government data request(s) (which resulted in the death of warrant canary), SpiderOak said it was due to a miscommunication with their ISP about a scheduled maintenance.

These developments, especially the termination of warrant canary, are being aggressively discussed on platforms like Reddit, where many users say they are now looking for alternatives to SpiderOak.

For what it’s worth, the company’s transparency report says they haven’t received any law enforcement or government data request so far. But the report also clearly says:

Although the security of your data is our top priority, we might not be able to inform you of such a request if served with a secret subpoena

PiunikaWeb is a unique initiative that mainly focuses on investigative journalism. This means we do a lot of hard work to come up with news stories that are either ‘exclusive,’ ‘breaking,’ or ‘curated’ in nature. Perhaps that’s the reason our work has been picked by the likes of Forbes, Engadget, The Verge, Macrumors, and more. Do take a tour of our website to get a feel of our work. And if you like what we do, stay connected with us on Twitter (@PiunikaWeb) and other social media channels to receive timely updates on stories we publish.