This is what the tweet said/says: 
"We just released our most recent transparency report, available at https://spideroak.com/transparency/ . This will replace our #warrantcanary. The final version of the canary is available at https://spideroak.com/canary . The transparency report will be updated every six months."
The transparency report, updated a few days ago this month, shows zeros for every kind of request, which means there haven't been any court orders for information from February to August 2018.
Are there still reasons to be concerned? I don't understand how they can list NSLs in the transparency report, since those are the ones with the gag orders necessitating legally confounding workarounds like a warrant canary.
One thing to realise is that they (AFAIR) never said they'd quit the business if they ever get served with an NSL.
Correct. You can list the ones you don't have, but not the ones you do. So to a first approximation, the transparency report will always say "0".
Now, the theory behind a warrant canary is that the government can compel your silence but (maybe!) it cannot compel you to make false statements. And if that applies to NSLs and gag orders, and thus makes warrant canaries valid, it might apply to the transparency report too.
And in that case maybe we can take the "0" at face value, and we can assume that they haven't received an NSL, but if they do they'll just silently drop that section from the transparency report. (Their warrant canary had some cryptographic signatures, but as far as I know, that's totally irrelevant. If a court decides to compel you to lie and say you haven't received a NSL when you have, then they can compel you to sign the canary too. If they opt not to compel speech, then they won't compel a false transparency report. The crypto is window dressing.)
But while on paper it looks to me like the transparency report is probably just as meaningful as the canary, the ham-handed way they've announced it leaves me suspicious.
The US Government can't force someone to do something if they aren't a US citizen and not on their territory. Their best option is extradition, but that would raise more eyebrows than they'd want.
So you can legally say you’ve received no NSLs; until you get a NSL.
A gag order doesn't compel you to lie; it compels you not to talk about the topic in question. Removing a statement testifying to no NSL is in compliance with a gag order.
Was it ever challenged? If not, you can't say anything about them. Probably FBI/NSA/et-al simply did not care if there was no real disclosure.
> A judge does not have to approve the NSL or an accompanying gag order.
> The letters come with a life-long gag order, so businesses that receive such letters are prohibited from revealing to anyone, including customers who may be under investigation, that the government has requested records of transactions.
> NSLs are almost exclusively served in secret alongside an indefinite gag order, which prevents anyone from disclosing the contents of the letter to anyone.
> Since the first national security letter (NSL) statute was passed in 1986 and then dramatically expanded under the USA PATRIOT Act, the FBI has issued hundreds of thousands of such letters seeking the private telecommunications and financial records of Americans without any prior approval from courts. In addition to this immense investigatory power, NSL statutes also permit the FBI to unilaterally gag recipients and prevent them from criticizing such actions publicly. This combination of powers — to investigate and to silence — has coalesced to permit the FBI to wield enormous power and to operate without meaningful checks, far from the watchful eyes of the judicial branch. Not surprisingly, this lack of checks has contributed to a dramatic expansion in the use of these tools across the country. Indeed, for the period between 2003 and 2006 alone, almost 200,000 requests for private customer information were sought pursuant to various NSL statutes.
Yes, the NSL and gag order are effectively one and the same. However, the point of these "warrant canaries" is that they don't have to talk about the request to let people know that they have likely received one. They simply remove their existing statement that they have never previously seen one.
The theory is that the government cannot compel you to continue to make a statement now that it is false and your removal doesn't technically constitute a disclosure of the NSL.
AFAIK, this theory has never been tested in court.
Before you have received any NSL, you are not bound by any gag order. (Because they come together).
So, before you have received any NSLs, you can say you received 0 NSL.
(I did not downvote you).
If the gag order would only prohibit the disclosure of the contents, then businesses could simply show the list of NSLs received (basically the date and time of when they got it and when they complied with it).
The moment they receive an NSL, they cannot say statement 1 anymore. So they say something different... not sure what that is.
That canary has now died. It did so along with a statement that signing a canary every 6 months with an airgapped computer is too impractical, which isn't very plausible as this is a perfectly schedulable event which will take at most an hour for every person involved, twice a year. I suppose they sign their (APT, RPM) releases in the same way (please ask them; seems answerable). Additionally, they were three days late with their statement about moving away from the canary, which is otherwise irresponsibly late for an event that can completely erode trust in them as a security company.
The irony is that their conclusion in  that the "canary’s effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users" is spot on; the confusion that can be created about whether the canary is dead or merely deprecated, that after it has died once it cannot be reinstated, and that the only recourse for users is to move away from the service, makes it a pretty useless signal to act upon.
If they're not really compromised? You don't need to ask that; trust is based on evidence, not some abstract Truth. When the trigger activates, you deprecate trust. It's really that simple.
I don’t think it’s helpful to think in such absolutist terms. Coal mine canaries died of natural causes. A canary is meant to prompt investigation (and heightened vigilance), not conclude it.
Assuming it is a good comparison - if you are the one in the coal mine and the canary keels over, are you going to start trying to figure out the exact cause of death or just hurry up and get the hell out of the mine?
No. There is no need to add an economic element. You could post a bunch of PGP-signed messages, but even that’s excessive.
Will they give you a fine? And what if you don't pay the fine? Will they arrest you? And if they do, how can they prevent people from finding out about it?
Given gag-orders, and waving the word 'national security'. I expect the court proceeding dealing with your arrest / punishment would be sealed.
Heck, if certain things are marked as US government secrets and you publish them, that is treason which can be punished by death.
Sure, but at a certain point, surely they will have to come and pick you up? What if there are journalists present who ask what you are being put away for? "We can't tell" surely isn't an answer they won't accept? That's eerily close to arbitrary detention.
Edit: it seems they had removed it on purpose and added it back to elaborate on the decision and that it wasn't removed to signal something --- seemingly: "So after thinking about this ... we have decided to move away from ... canaries and instead publish a ... report located at ..."
If your canary dies, you can buy a new one, but you still have deadly gas in your mine. You can't trust the words or actions of someone who just declared they have been compromised.
I don't think you can draw that conclusion. As I understand it, the NSL can only compel them to shut up about it, but it cannot compel them to dish out arbitrary lies and false justifications for taking the canary down.
What I'm saying is that it doesn't logically follow from the legal situation that their "further statements are to be interpreted as being manipulated by secret court order".
The FBI cannot arbitrarily manipulate SpiderOak's further statements.
the logical flow is:
1: "I declare that if this canary is removed for any reason, it is to be assumed that I have been served an NSL and I may no longer be trusted"
2: Canary is removed.
3: You are no longer trusted.
4: Further statements are made, but they can not be trusted.
They never declared that if the warrant canary dies they can no longer be trusted in anything they say or do ever again.
We know exactly what they can and cannot legally say or do once an NSL has been served. Therefore we also know that they cannot be legally compelled to make false statements.
That is the feature of canaries that makes them respected, and the need for such features is why secret courts are so corrosive to our society.
I think the main point here needs to be that the entire notion of a canary only works if we can count on them being killed only for the purpose they were created. If it becomes acceptable to kill canaries because the signers are tired of signing them then we have a bit of a problem.
Now, for this specific case...
It sounds like you are arguing that a NSL has compelled them to make false statements. This seems fairly unlikely given what we know about the current legal situation. The idea that they may be lying for the sake of their business is more convincing.
However, if they are lying for whatever reason, why not just continue to sign the canary? The only plausible reason to do this is some sort of malicious compliance with a sloppily worded order compelling them to lie. It would make no sense for them to decide to lie for the sake of the business and then do all of this instead of just signing the canary.
If they have received a NSL this basically leaves two sequences of events, both of which contain some rather unlikely events. If I had to bet, I'd probably bet against them having received a NSL.
However, the canary should still be considered dead. They literally killed the canary. Their reasoning provided for it is really quite bad. Basically they ask users to trust their unsigned website because users already trust their (closed source) code. So they have either received a much more powerful NSL than thought legally possible, or are doing the worlds worst job of lying about not receiving a NSL, or they have not received a NSL and view a regular page on their website as a suitable alternative to their previous solution which involved three people in three different countries signing the canaries with keys stored on air-gapped computers. If you are counting on them for security, none of options are good.
As for why they would kill the canary and then backtrack, I think a plausible story could be that the canary was killed by an engineer, and then the backtracking happened by management because they don't want to own the consequences. This could explain why there was a delay between removing the canary and putting out a cover story.
Collectively as an organization, they're either acting in bad faith for whatever reason, or else they're incompetent.
As for the engineer/management idea, their statement revoking it was signed the same as their canary. Aside from the exceptional circumstances I described earlier, if you trusted their canary then the statement should be trusted too.
Like I said, I think we're most likely looking at incompetence.
Maybe not directly, but they could be coerced into it. A sort of "it's in your best interest to redact XYZ.. or else" unwritten statement would do the trick for most folks.
From my understanding, a Warrant Canary is a provision to disclose subpoena(s) that a company is not allowed to disclose and now SpiderOak is shutting down that provision?
A warrant canary dies when a warrant is served. If a company has a statement that says "We have not been served a warrant as of X date" and they update it monthly, then they suddenly stop updating it or remove that statement, the canary has died. They might have been served with a warrant.
It's also possible that the canary died of natural causes, of course. It could be that a lawyer told them it was a bad idea, or maybe a shift in management removed it. But there's no way to know.
This is done as it is usually presumed the government can legally force your silence, but can't force you to say something (e.g. "we haven't received a secret warrant, last updated: Aug 08").
Although it should be noted that as far as I'm aware, warrant canaries haven't actually gone through the court system to determine if they are actually a legal way of circumventing gag orders. Not to mention that the legality of warrant canaries has mostly only been discussed by internet lawyers in relation to US laws -- in other jurisdictions they may not work at all (I've spoken to some Australian lawyers and they think that even the basis of the theoretical arguments don't apply in Australia).
On the other hand, I don't know of any company that has actually used warrant canaries (and has "activated them" like Reddit did) which ended up being tried for violation of the NSL's gag order.
The government can issue secret warrants to companies that they are not allowed to disclose, requiring them to hand over customer data. A warrant canary is a periodical statement from a company that they have not received such a warrant. The idea is that if they do receive a warrant, they will stop publishing the canary, and the court can't compel them to.
The idea being that a gag order cannot force you to speak, only prohibit you from speaking. Thus, a gag-order cannot force you to continue publishing a canary. Often, canaries have an 'expiry date' after which they will be republished. This is to avoid 'removing a document' as being interpreted as speech, and thus prohibited by gag order.
Now SpiderOak had a canary with an expiration of 1 Aug. They did not republish; and 3 days later, gave an explanation why. In this explanation they state they will switch to a slightly different, non-cryptographically signed document that is much like a warrant canary. The 3 day gap is most notable here. SpiderOak states that the cryptographic signing wasn't useful because you need to trust the signers, who are the same people that publish on the website.
I, for one, would not use their service going forward.
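The mechanics described in the preceding comments (a periodically republished statement with an expiry date, where missing the expiry is the signal, i.e. a dead man's switch) can be checked mechanically rather than by eyeballing a page. The block below is an added example written for this thread; it is not SpiderOak's code and the canary format it parses (`Canary-Issued`, `Canary-Expires`, `Freshness`, `Statement` headers) is a constructed one. Signature verification is deliberately left out so it runs offline with the standard library; a real checker would verify the detached PGP or minisign signature before calling `parse_canary`. The dates in the sample mirror the timeline discussed above (expiry 1 Aug, statement on 4 Aug).

```python
"""Warrant-canary liveness checker (added example, constructed format, not
SpiderOak's code). Classifies a fetched canary as alive, expired, withdrawn
(no longer published) or malformed, and flags replayed canaries."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class CanaryState(Enum):
    ALIVE = "alive"            # published and inside its validity window
    EXPIRED = "expired"        # still published but past Canary-Expires: switch tripped
    WITHDRAWN = "withdrawn"    # document no longer published at all
    MALFORMED = "malformed"    # missing fields, unparseable or inconsistent dates


@dataclass
class Canary:
    issued: date
    expires: date
    freshness: str   # unpredictable recent value (headline, block hash) against replay
    statement: str


REQUIRED = ("Canary-Issued", "Canary-Expires", "Freshness", "Statement")


def parse_canary(text: str) -> Optional[Canary]:
    """Parse 'Key: value' lines; return None if anything required is missing."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields[key.strip()] = value.strip()
    if any(k not in fields for k in REQUIRED):
        return None
    try:
        issued = date.fromisoformat(fields["Canary-Issued"])
        expires = date.fromisoformat(fields["Canary-Expires"])
    except ValueError:
        return None
    if expires <= issued:            # a canary must cover a forward-looking window
        return None
    return Canary(issued, expires, fields["Freshness"], fields["Statement"])


def canary_state(text: Optional[str], today: date, grace_days: int = 0) -> CanaryState:
    """Classify one fetch. `text` is None when the canary URL returns nothing.
    `grace_days` tolerates a late re-signing without declaring the switch tripped."""
    if text is None:
        return CanaryState.WITHDRAWN
    canary = parse_canary(text)
    if canary is None or canary.issued > today:   # future issue date: skew or forgery
        return CanaryState.MALFORMED
    if today > canary.expires + timedelta(days=grace_days):
        return CanaryState.EXPIRED
    return CanaryState.ALIVE


def is_replay(previous: Canary, current: Canary) -> bool:
    """A 'new' canary that reuses the old freshness value or does not move the
    issue date forward could be an old file republished under duress."""
    return current.issued <= previous.issued or current.freshness == previous.freshness


# Constructed sample canary (not a real SpiderOak document).
SAMPLE = """\
Canary-Issued: 2018-02-01
Canary-Expires: 2018-08-01
Freshness: constructed-headline-2018-02-01
Statement: As of the issue date we have received no national security letters.
"""

if __name__ == "__main__":
    for when in (date(2018, 7, 15), date(2018, 8, 4)):
        print(when, canary_state(SAMPLE, when).value)
    print("withdrawn", canary_state(None, date(2018, 8, 4)).value)
```

Running the checker on a schedule (and alerting on anything other than `ALIVE`) turns the canary into an actual dead man's switch for the user rather than something they have to remember to look at; the `grace_days` knob is where you decide how late a re-signing may be before you treat it as a signal.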
Props to them for making a canary and then following through on it.
It doesn't mean that they received a warrant, but it does mean SpiderOak is telling you not to use them, and I think that when a service tell you that, for whatever reason, it means quite a lot. :)
(Even if, as you suggest further down, they received legal advice that warrant canaries were a bad idea and they needed to take it down, the way they handled the entire process makes it clear that they aren't taking this seriously. Posting a warrant canary, updating it regularly, and then taking it down while not telling the real (legit) reason is reckless at best, and in my view is basically the worst way they could handle it.)
Whatever a realistic estimation of SpiderOak's security was before this news, I think it has to be strictly lower now, right?
(Mind you...on further reflection I'm not convinced the transparency report is any more - or less - meaningful than the canary. The theory behind both is that the government cannot compel false speech. If that's true, then both are equally protective; if it's false, both are equally pointless.
SpiderOak did say "if we stop updating this stop using us", and then they stopped updating it, but...then they published a transparency report saying "0 NSLs". So...maybe they're just really awful at communication.)
People that are serious about opsec/etc. will read this (fuzzy/distorted) signal and jump ship. They will not be dwelling on the nature of this signal.
People with real concerns aren't going to rely on an untested legal gizmo.
That's the whole point of the warrant canary.
Don't "who knows?" on this subject, it makes you look like a government shill trying to lull privacy conscious people into indifference.
We're on a site where we strive to assume good faith, avoid name calling, reply to the argument not the person, take the strongest possible form of what someone is saying (iron man not straw man), etc.
Unless you want to cite a bunch of jurisprudence that warrant canaries actually work, I'm gonna stick on "who knows", even though I'm not a government shill (I'm more "pragmatic about who really has the power in that particular relationship").
If you don't continue updating a deadman's switch, it doesn't matter if you died or not: it activates.
Then a nice solution would be to say "our lawyer explained to us that removing the canary for a reason is likely to be criminal, so we're letting you know we're going to remove it in 2 months to make you more sure we're not doing it in response to a current issue".
However, if you trust them on the canary, why distrust them on the claim their service was zero-knowledge. It might make sense if they are 'amoral enough' to lie about being zero-knowledge, but 'moral enough' to admit to being served a warrant. I think space for that level of morality exists, but is small. The other issue would be if they weren't zero-knowledge through an unintended bug.
I can't really give a definitive judgement.
I submit that warrant canaries are at best legally and politically naive virtue signalling and at worst deliberate obfuscation of the actual threat model.
I am bound by the law of France but my associate in the US could not care less and vice versa. If we cross check, say, code daily and I see a discrepancy then I raise an alert on my .fr page, controlled by myself. He would not be involved.