lowkeymail
Sign up
transparency

Transparency, by the numbers.

What we're asked for, what we hand over, and what we couldn't even if we wanted to. Updated quarterly. Last revision: May 14, 2026.

12
government requests received
2
partially fulfilled
0
message bodies disclosed
0
gag orders received

Government requests · Q1 2026

We received 12 government requests this quarter. The vast majority asked for routing metadata we don't retain. Two requests were partially fulfilled — both produced encrypted blobs we cannot decrypt and which we informed the requester would not contain readable mail content.

PERIOD               2026-Q1
REQUESTS RECEIVED    12
  subpoenas             7
  search warrants       3
  emergency disclosure  1
  foreign government    1
REQUESTS REJECTED    10   (no responsive data)
PARTIALLY FULFILLED  2    (encrypted blob only)
USER ACCOUNTS NAMED  3    (notified, where legally allowed)
GAG ORDERS RECEIVED  0

Warrant canary

As of the date below, lowkeymail has not received any of the following: a National Security Letter, a FISA Court order, a gag order preventing us from disclosing the receipt of one, or any equivalent foreign instrument compelling silence about it.

If this notice is removed, modified, or stops being updated on schedule — assume the worst and behave accordingly.

-----BEGIN LOWKEYMAIL WARRANT CANARY-----
date:    2026-05-14
period:  2026-Q1
state:   ALL CLEAR

We the operators of lowkeymail confirm:
  1. lowkeymail has received 0 National Security Letters.
  2. lowkeymail has received 0 FISA Court orders.
  3. lowkeymail has received 0 gag orders of any kind.
  4. lowkeymail has not been compelled to weaken or modify
     its cryptographic configuration in any way.

This statement was signed by all current key holders.
Next scheduled update: 2026-08-14.

-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE… (signature truncated for display)
-----END PGP SIGNATURE-----

Verify the signature against the keys published on the open-source page. If a scheduled update is missed by 14 days, treat the canary as broken.

Abuse & takedowns

Aliases on a shared pool can be misused. We respond to abuse reports against specific aliases within 24 hours. Verified abuse results in alias-level termination — we do not terminate accounts wholesale, and we don't share account data with reporters.

  • Abuse reports received this quarter: 117
  • Aliases terminated for verified abuse: 83
  • Accounts terminated: 2(repeat-offender pattern across > 12 aliases)

Open source

Anything cryptographically interesting is in the open. The mail-layer plumbing is not (yet) — but everything that touches your key or your message body is auditable.

  • github.com/lowkeymail/client — browser-side OpenPGP, key management, encrypted local storage.
  • github.com/lowkeymail/alias-router — the SMTP layer that maps aliases to inboxes. AGPL-3.0.
  • github.com/lowkeymail/canary — this canary template and signing tooling. Public domain.
  • keys.lowkeymail.com— public keys for the team, signing the canary & releases.

How we count

A "request" is any communication from a government body asking us to disclose, preserve, or remove data, regardless of legal basis. We count each request once at receipt; appeals and re-issuances don't double-count. "Partially fulfilled" means we produced data that was responsive but not what the requester actually wanted (typically: an encrypted blob, or routing metadata older than retention). Where we are legally permitted to notify the affected user, we do — usually within 14 days.

How encryption works →Request an invite