Warrant canary.
A statement whose absence speaks. Published when nothing has happened, removed when the operator can no longer say so.
A regularly-published statement asserting that the publisher has not received any secret legal demands — gag orders, National Security Letters, sealed warrants — up to that date. When the statement disappears or stops being updated, its absence is itself the signal: compelled lying is illegal in most jurisdictions, but compelled silence is not.
The signal we publish until we can't.
A privacy-first host that asks you to take its word for it has already lost the argument. Every infrastructure operator above a certain scale will, sooner or later, receive some form of compelled-disclosure request — a subpoena, a preservation order, a national-security letter — and the operator under gag is, by definition, unable to tell you. The warrant canary is the workaround: we publish a positive statement on a fixed schedule saying nothing of the sort has happened, and we keep publishing it until the day we can't.
NordBastion's canary lives at /warrant-canary/ and is reissued on the first business day of every month, co-signed by two named directors of NordBastion OÜ with their personal PGP keys. The signed text embeds the most recent Bitcoin block hash, which forecloses the trivial pre-signing attack — the statement provably could not have been signed before that block was mined. Past months are kept on the page indefinitely; nothing is ever silently rotated out.
If the canary fails to appear within seven days of its scheduled date, or if the PGP signature stops validating, the appropriate response depends on your threat model. We will not explain a missing canary — that is the whole point. We will, however, never publish a false one.
Follow the canary across NordBastion.
- · /warrant-canary/ — the canary itself, with all previous months and PGP signatures.
- · /transparency/ — rolling 12-month transparency report with the aggregate counts the canary would not.
- · /doctrine/ — the operating principles that put the canary on the publication schedule in the first place.
- · /pgp/ — the two director PGP fingerprints used to sign each canary, plus instructions for verifying locally.
- · / — the homepage links into the latest canary from the transparency strip.
Questions about the canary, answered.
Is a missing canary legally meaningful?
In most common-law jurisdictions, yes — though the meaning is indirect. A gag order can compel an operator to stay silent about a specific demand, but it generally cannot compel them to actively lie by publishing a false denial. So an operator who stops publishing — or removes the previously-published canary — is not violating the gag, but the audience is free to draw the obvious inference. Some jurisdictions (notably France for certain national-security demands) have ambiguous case law; NordBastion publishes from Estonia precisely to avoid those grey zones.
Who signs the canary?
Two named directors of NordBastion OÜ co-sign the monthly canary with their personal PGP keys. The fingerprints are pinned in /pgp/, and the signed statement is mirrored to a third-party Git repository so anyone can verify that the file was not silently edited after publication. Verifying it locally is two commands: gpg --verify and a sha256sum compare against the Git tag.
How often is it updated?
Once a month, on the first business day, with a reference to the previous Bitcoin block hash inside the signed text. The block-hash inclusion proves the statement could not have been pre-signed in advance — it must have been signed after that block was mined, so the date is cryptographically anchored. Past canaries stay on /warrant-canary/ indefinitely; nothing is ever silently rotated out.
What does silence mean in practice?
If the monthly canary fails to appear within seven days of its scheduled date, or if the page is removed, or if the PGP signature stops validating, treat it as a signal that something material has changed — most likely a legal demand the directors are gagged from describing. The appropriate response depends on your threat model: rotate to a new host, migrate keys, or simply note the date for the public record. NordBastion will never explain a missing canary, by design.