This project has moved and is read-only. For the latest updates, please go here.

VeraCrypt 'Warrant Canary'?

Topics: Users Discussion
Nov 21, 2015 at 4:29 PM
Edited Nov 21, 2015 at 4:33 PM
Hi all,

As you all know, there has been a huge amount of discussion in the news lately vilifying encryption. Especially after the horrible events in France.

In a nutshell, the media are pretty effectively convincing the general public that only criminals and terrorists use encryption. In none of the stories I have seen so far is there any mention whatsoever of the positive points of the legitimate use of ANY type of encryption.

If you use encryption of any type (e.g. encrypted files, encrypted e-mails, etc.), or (God forbid!) even Tor, you are most likely a terrorist.

If and when the public is sufficiently swayed to persuade legislators to enact laws forcing backdoors into any and all encryption, or outright outlawing it's use, our personal privacy is gone.

Now, my question here is if and when the developers of VeraCrypt get that dreaded order from law enforcement and demand secret introduction of a backdoor into VeraCcrypt, how will we know it?

Yes, I know all about the "Anyone can inspect the source code!!!". That's great but can I see a show of hands of people who can actually inspect line-by-line and -character-by-character of a huge pile of source code?

Don't brag and say "I can! I can!" because if you will note there has only been 2 official inspections of TrueCrypt source code. Ever.

And those were major undertakings of well funded teams of inspectors and both of them even admitted that they had not exhaustively inspected the whole, complete source code.

So that still leads to the question of whether VeraCrypt has been compromised at some point in time.

Some sites use what is called a 'Warrant Canary'. For those that don't know what that is, it's simply a signed message saying something along the lines of "We haven't been issued a warrant" and it's updated usually weekly. If at some time the message is OLDER than the specified time, the site can be considered compromised.

Currently, (Nov 2015) the U.S. Justice Department has ruled that this is legal, as long as the message is passive, meaning you cannot say "Hey we've been compromised" but you can leave a message that was posted previously alone and let it expire..

Australia has ruled that this is NOT legal. You may not use either active nor passive communications that you have been served a warrant or in some other way been contacted by the authorities or some entity of the government to either perform an action of their demanding or cease an activity, such as encryption program development.

What are you suggestions or ideas on this topic?
And please, like I mentioned before, don't just harp on and on that the source code is available for review by anybody at all. We know that. For 99.9% of us, that doesn't mean a thing.
If you have 40 years experience and 13 PhDs in cryptography, then feel free to inspect the source code and let us know if it's clean.

Please don't think that I'm accusing anyone of anything. It's just simply playing the devil's advocate and asking 'What if?"

Thank you in advance for your input.

EDIT: One silly idea that crossed my mind was to post all over Twitter and elsewhere that "VeraCrypt has a backdoor!!!" and see if it was immediately removed or I was contacted and ordered not to post that again. However, I will not do that for the simple reason that I love VeraCrypt and use it daily and am eternally grateful for the skillful and talented developers who continue to make it better and better and I don't want some un-informed person to see what I had posted and think that VeraCrypt had indeed been compromised.

Again, thanks for your input.

Nov 21, 2015 at 5:17 PM
Edited Nov 22, 2015 at 3:26 PM

Thank you for sharing your thoughts. Indeed, we are living in difficult times and being a French living in Paris I can tell you that the atmosphere is tense and filled with sorrow and anger.

Before continuing, I want to let you know that 4 days ago (on November 17th), I published the first Warrant Canary of VeraCrypt and I posted the link to it in Twitter: . I also updated VeraCrypt home page in Codeplex to include the link to this Warant Canary. You certainly missed it.

Concerning backdoors in VeraCrypt, this is not a new discussion. Every now and then, someone asks the question and every time I answer clearly these concerns. You can find some of my answers in the following links:
The arguments I used before remain the same, most important of them is that I'm not anonymous like TrueCrypt developers and I put my personal and professional credibility on the line by working on VeraCrypt. I don't make my living by working on this project and since the begining my objective was to offer something useful to the community. If tomorrow some government representative comes and tells me to compromise VeraCrypt (which I strongly doubt), I would simply shutdown the project and continue my life like before.

For now, there is no law in France that would force someone to add backdoor to an encryption product while keeping it secret. If anything change on this side, it will be known (laws can't be kept secret by definition) and in this case I'll communicate about it.

By the way, even in the US, there is still no law to force companies to introduce backdoor. Actually, if such backdoor is introduced with customer knowledge and if data theft or cyber attack occur because of this backdoor, the company in question will be sued for huge amount of money...this explains why all the Silicon Valley is against this. Of course, this doesn't apply to communication interception which is always possible but this doesn't apply to VeraCrypt since it doesn't handle any communications and it doesn't provide any server to store users data.

Voilà voilà...I hope this clarifies your point. Don't hesitate to share any further thoughts on this.

Nov 21, 2015 at 7:03 PM
Hello Mounir,

Thank you for creating the Warrant Canary. Will the Warrant Canary be provided on the mirror sites like SourceForge and GitHub?

Kind Regards.
Nov 21, 2015 at 7:25 PM
Edited Nov 21, 2015 at 7:28 PM
Hi idrassi,

Thank you for your fast and informative response.

I apologize for not seeing the Warrant Canary link that is indeed posted on the VeraCrypt home page. That would have made my whole question unnecessary.

I have noticed in the past that you are very, very active in the forums. My point of saying that is that based on what you said about quitting development of VeraCrypt rather than intentionally compromising it, I assume it's safe to say that if development stopped and you disappeared from the forums, that VeraCrypt was no longer safe to use.

I don't know anything about the laws in France concerning such issues but sometimes when certain warrants are issued in the U.S. (and I guess other countries), the person is ordered to not reveal that fact, thus the need for a Warrant Canary at all. From what you mentioned it sounds like in France you can say "I've been ordered to insert a backdoor into VeraCrypt. I'm not doing it. Farewell to all, and to all a good day."

My own mother was questioned years ago by 2 members of the FBI concerning whether she knew the whereabouts of a certain person (she did not) and she was told that if she revealed that she had even been questioned about the matter, she could be jailed. Obviously that didn't scare her because she told me. lol

I only mention that story to show how oppressive our "free" country can be. That must have been 25 years ago and it's much worse now. It's only a matter of time before the use of a Warrant Canary will be made illegal here. You will be forced to maintain the Canary.

Regarding your desire to provide something useful to the community, you have done that in superior fashion, sir.

I thank you again for your answer. Best wishes.

Nov 22, 2015 at 3:36 PM
@Enigma2Illusion: like other projects, the Warrant Canary will only be published at a single address, the one at Any problem with this?

@Thinking_Monkey: Thank you for sharing your insights and for your kind words. There is a risk indeed for things to get worse but let's hope that freedom and democracy will prevail.
Nov 22, 2015 at 4:13 PM
Hello Mounir,

I did not notice that the Warrant Canary on CodePlex was an external link to website so I just assumed that the Warrant Canary was going to be mirrored to the other sites for VeraCrypt.

Kind Regards.
Nov 27, 2015 at 11:25 AM
idrassi wrote:
Voilà voilà...I hope this clarifies your point. Don't hesitate to share any further thoughts on this.

In fact, the only solution that looks law-proof is if the canary is to be issued by an anonymous "auditor" rather than the author himself. The "auditor" of course will need to state, that "the software has been checked and is OK" and not that "it contains no backdoor", as the latest is more under the scope of the author. And obviously, the "auditor" (whoever he might be) has to be initially introduced somehow by the author in order to be trusted, at the same time be anonymous and completely unrelated to the author (after the initial introduction) so the author can not be subpoenaed to influence the "auditor's" future actions.