Over the last week, rumors have been spreading across the digital activist community that the technology collective riseup, which provides email, chat, VPN, and other services to activists, may be compromised after receiving a secret government subpoena accompanied by a gag order. The collective provides email service to roughly 150,000 users, hosts activism-related mailing lists with 6.8 million subscribers, and delivers more than 1 million emails per day. According to a representative of the riseup collective, the rumors are outsized. But it is clear that something happened, and that riseup is unable to speak about it publicly. “Riseup will shut down rather than endanger activists,” the spokesperson said. “We aren’t going to shut down, because there is no danger to activists.”
Riseup, which began in Seattle in 1999, is one of the most privacy-friendly and anti-surveillance service providers online today. “We believe it is vital that essential communication infrastructure be controlled by movement organizations and not corporations or the government,” the collective’s website states. “Riseup does not log IP addresses and has not done so since the early ’00s,” the collective member told me in an encrypted email. “We work hard to minimize the amount of data (and metadata) stored as [much as] possible. The only way to protect the information of activists around the world is by not having the information in the first place.” Riseup’s privacy policy promises that the service will log as little as possible and never share user data with any third party.
Riseup publishes a warrant canary, a statement that the collective has never received a secret government subpoena, has “never placed any backdoors in our hardware or software and has not received any requests to do so,” and has “never disclosed any user communications to any third party.” If riseup ever does get such a government request, and if the request comes with a gag order that prohibits the collective from informing its users, it won’t update its warrant canary, and from this users can infer that something is wrong.
Riseup’s warrant canary is supposed to get updated “approximately once per quarter.” The last update was from August 16, 2016 — nearly two weeks past the last three-month deadline. Some users have noticed that riseup’s canary seems to have died, and they inferred that something is wrong. Users have also noticed that some of riseup’s recent tweets appear to contain hidden messages, like this screenshot from the policies section of its website where it promises to shut down its service before submitting to “repressive surveillance by any government”:
we have no plans on pulling the plug https://t.co/7Bm0KrEnKA pic.twitter.com/MvEu6itTX6
— riseup.net (@riseupnet) November 21, 2016
The warrant canary’s apparent expiration, together with riseup’s tweets apparently full of hidden meaning, caused some people to speculate publicly that riseup had been compromised, or at the very least, had received a secret national security order and was currently fighting it in court. This speculation started right before the Thanksgiving holidays.
“Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say,” the collective member told me. “So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.”
On November 24, riseup tweeted that there was no need to panic:
1. There is no need for panic.
2. Our systems are fully under our control.
3. We will provide additional information at a later date.— riseup.net (@riseupnet) November 24, 2016
4. Our prior tweets did not have any hidden subtext.
— riseup.net (@riseupnet) November 24, 2016
To be fair, since riseup began publishing a warrant canary, it has updated it 10 times, and not at regular intervals. The shortest amount of time between updates was just over two months and the longest was more than four months. Technically, the August 16 canary update could still fall within the precedented window — which is to say that not enough time has passed to infer that it has expired. When I pointed this out, the collective member told me, “Yes, this is a bad system, we should have a specific date. The ambiguity is no fun for anyone.”
And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly.
However, the spokesperson did provide some context: “There are a lot of conspiracy theories going around because people think that this is something bigger than it actually is,” he said. “The reality is that these theories are way out of proportion to the truth. It isn’t something that people should freak out about, or be scared, or burn their computer, and run for the hills.”
In short, riseup is asking its users to trust it. “It’s annoying that we can’t detail why people should believe us when we say that, but people have put their trust in us for over 16 years, so we hope you would believe us when we say that you should continue to do that.”
The spokesperson also pointed out that some people might think that the government could be forcing them to say that, “but the reality is that compelled speech by the government is incredibly rare, and really only done for consumer protection (such as requiring warning labels on cigarettes) or other safety regulations.” He pointed to the Electronic Frontier Foundation’s warrant canary FAQ and blog posts about Apple’s fight against the FBI for detailed information about compelled speech law in the United States.
The riseup collective is currently having internal discussions about when it will be able to update its warrant canary.
In December, riseup is launching a new feature called personally encrypted storage. All messages and metadata of email users will be encrypted with the users’ passwords so that the collective itself won’t have access to that data and therefore can’t be compelled to hand it over to any government. Riseup will publish all of the code that makes this possible as an open source project, so that other service providers can use it as well. “It is designed to protect the service provider from ever being able to comply with a subpoena or warrant,” the spokesperson told me. While the new system isn’t perfect, “this will help us all breathe a lot easier.”
In the meantime, riseup has published tips for how users can reduce the amount of data stored on their servers. “These are uncertain times for all service providers,” the collective member said. “Technology won’t solve social problems, but in this specific case we believe that new technology under development will dramatically improve the outlook for service providers.”
Top photo: Illustration from the activist technology collective riseup
Instead of using any email service, people should use encrypted messages through Whatsapp, Pidgin, Signal, or other such apps. Emails should be used only for yoga and marriage arrangements.
Ask Johnny. That’s Mr John Podesta, though finding him these days can be quite a task.
Life in post-freedom-of-speech USA.
see the last 2 twitter post by assanges embassy cat.
it talks about the dead bird C (probably riseups canary) and the dead bird T (wikileaks twitter)
the other one talks about being on the grandma (ship) able to hear but unable to talk
“FBI to gain expanded hacking powers as Senate effort to block fails”, Wed Nov 30, 2016 | 3:03pm EST, on reuters.com.
is it cynical for me to assert that most courts, let alone a FISA court, would allow compelled speech if national security interests were invoked?
Better a company with the right attitude and ambiguity than one with the wrong attitude and no ambiguity, the wrong way. It’s a pity I never heard of them before. Indeed, my prediction is they delayed the notice so they’d get in the news so more people would hear of them and donate their $1 before they had to close for lack of funds.
Micah: Is it also “fake news”?
“Here’s a small sample of what the Broadcasting Board of Governors funded (through Radio Free Asia and then through the Open Technology Fund) between 2012 and 2014:
Open Whisper Systems, maker of free encrypted text and voice mobile apps like TextSecure and Signal/RedPhone, got a generous $1.35-million infusion. (Facebook recently started using Open Whisper Systems to secure its WhatsApp messages.)
CryptoCat, an encrypted chat app made by Nadim Kobeissi and promoted by EFF, received $184,000.
LEAP, an email encryption startup, got just over $1 million. LEAP is currently being used to run secure VPN services at RiseUp.net, the radical anarchist communication collective.
A Wikileaks alternative called GlobaLeaks (which was endorsed by the folks at Tor, including Jacob Appelbaum) received just under $350,000.
The Guardian Project — which makes an encrypted chat app called ChatSecure, as well a mobile version of Tor called Orbot — got $388,500.
The Tor Project received over $1 million from OTF to pay for security audits, traffic analysis tools and set up fast Tor exit nodes in the Middle East and South East Asia.”
https://surveillancevalley.com/blog/internet-privacy-funded-by-spies-cia
Fascinating. I’m sure these open technologies are checked by many eyes, but “It is difficult to get a man to understand something, when his salary depends upon his not understanding it…”
It’s an American company, right? I thought that we were well past trusting American companies post-Snowden.
It’s a non-profit volunteer-run anarchist collective, started in the US but with collective members around the world.
Well Said! For your own good you cannot! I repeat cannot trust at all! Thanks to The American Dream!
thanks Micah informative , lets not worry about pro fed trolls
‘The only way to protect the information of activists around the world is by not having the information in the first place.”’
That’s unfortunate.
Micah / You’re so very right re: ” fake news ” but indirectly it does relate to your probe on surveillance / privacy / encryption… #pizzagate emails and posts did excite conspiracy minded activists due to very peculiar or cryptic messages… VERY suspicious. However, rather than pedophilia, it’s easier to suspect illicit drugs / $ laundering …. and only among a few persons. It is certainly phenomenal how pizzagate mushroomed into serial PERSECUTIONS of innocent people… Lots of raw data there for you to consider a future opinion article! PEACE BRO ??
I appreciate your thorough and timely updates. Don’t you think it’s fair to review the destruction of Jake Appelbaum by the snakepit of mediocrity that has compromised the struggle against surveillance and control? Even the old Soviet Union had a mechanism for “rehabilitating” citizens who had been made “non persons” by the government apparatus. What was done to Jake was worse. Consider who was the real victim.
The Washington DC Child Molestation/murder ring that’s being exposed today!
They’re trying to cover it up with a campaign against Fake News. Don’t believe it everyone! They’re starting the implementation of censoring investigative independent reporting by independent journalists. The sudden appearance of The Fake News term that’s everywhere right now is the start of a massive war by the powers that be to remove Truth from being accessed by You! Me! Us!
Wake up! Do a search on the Franklin Coverup. It’s happening again in Washingtom DC-children sexually abused and murdered during initiations ( much like college hazing! That’s where it starts!) of elites into higher levels of class status. They must prove they’ll do anything for the class-Anything! This is where a lot of missing children are Right Now! Being tortured, having organs removed only to be put into the aging bodies of evil people such as Henry Kissinger and the Senior Bushes.
Look up PizzaGate! The latest coverup of all this is happening right now. It’s not Fake News! That’s what they want us to think. In fact they don’t want you and let’s face it your children too to think for yourself. They want you to watch TV and stuff yet another pizza down the life pipe.
How about doing an article on this Micah? Am I wrong about this?
You are absolutely wrong about this. Fake news, evidence-free conspiracy theories, and science denial fueled by a proud lack of critical thinking skills has been a big problem for a very long time. I’m glad that people are finally addressing it, but sad that it took Trump getting elected to do that.
But in any case, your comment is completely unrelated to the article you’re commenting on. So that’s all I’m gonna say about that.
The fact that you answered him sets a dangerous precedent! I did ask about the warrant canary last week, but didn’t know it might be an extra month before we have closure – so yes, I do appreciate your updates, including this one, but I think my suggestion is reasonable….
I thought I had challenged the borders of relevance! jeez put a bird on it – a canary if you will.
Pizzagate exposes the Clinton Foundation as an pay-for-play Modern Day Slave Trafficking Syndicate.
The evidence is already public. Connect the dots.
Very sinister world we live in. I’ll feel optimistic for the future when I see the likes of those clintons get justice!
And the politely prisoners set free and and and.
Can you say standard criminal warrant?
Why would I say that? Riseup did lose several hard drives to the feds in a questionable incident and they have been a target since day 1, just like IndyMedia esp. in the Rackspace fiasco. Most certainly Riseup is far more trustworthy than Rackspace but they do have to rely on basic 3rd party services. They’re asking us to be calm and give them until sometime next month. Not unreasonable.
If they have several thousand users it is basically inevitable that some of them are involved in major criminality. Major criminality tends to occur somewhere around 2% of population. Basically, only a matter of time until a criminal conspiracy used the service, was discovered, and a warrant issued.
Now many of the people that use and support these type of platforms don’t believe that people should necessarily have to comply with criminal warrants. But that is something else.
“What about child porn, drugs, corruption, etc. Would you fight law enforcement requests for users doing these things?
Those things violate Riseup’s Terms of Service and, unlike some more ‘American Libertarian’ service providers, we do not exist to provide privacy for doing anything you want. We would close the accounts of people doing those things and the collective may even decide to cooperate with law enforcement rather than set all the servers on fire and destroy the organization, and your email.”
https://riseup.net/en/about-us/policy/government-faq
It doesn’t matter what they promise us! They are and always will be targeted. We are all targets. We are done for!
Rise up sounds like a great decoy name to me.