
Riseup moves to encrypted email in response to legal requests - semente
https://riseup.net/en/about-us/press/canary-statement
======
JumpCrisscross
Seven Spanish activists were jailed in 2015 for their "possession of certain
books...and the fact that the defendants used emails with extreme security
measures, such as the RISE UP server" [1]. Do we know what became of that
case?

[1] [https://www.eff.org/deeplinks/2015/01/security-not-crime-unless-youre-anarchist](https://www.eff.org/deeplinks/2015/01/security-not-crime-unless-youre-anarchist)

------
hackuser
They encrypt using a Dovecot plugin named Trees that comes from Riseup Labs:

> How it works:
>
> 1. On IMAP log in, the user's cleartext password is passed to the plugin.
>
> 2. The plugin creates an argon2 digest from the password.
>
> 3. This password digest is used as a symmetric secret to decrypt a libsodium
> secretbox.
>
> 4. Inside the secretbox is stored a Curve25519 private key.
>
> 5. The Curve25519 private key is used to decrypt each individual message,
> using libsodium sealed boxes.
>
> 6. New mail is encrypted as it arrives using the Curve25519 public key.

[https://0xacab.org/riseuplabs/trees](https://0xacab.org/riseuplabs/trees)

If someone would briefly describe argon2 and libsodium to the non-crypto
geeks, it would be appreciated.

~~~
pmontra
Maybe I misunderstood the meaning of one or more of the steps above. However
it seems that if law enforcement wants to look at the messages of a user they
only need to make Riseup decrypt for them every message at step 5. The only
protection is not logging in because they need the cleartext password to start
with.

People check their email often, so maybe this is why they are writing

> this type of encryption is not end-to-end message encryption. With Riseup’s
> new system, you still put faith in the server while you are logged in

The message should be "if you think you're under investigation, abandon your
email and don't login anymore."

Another attack is with the received messages: I assume they are all cleartext
and can be intercepted before they are encrypted at step 6, with or without
the cooperation of Riseup. Messages in a conversation often integrally quote
all the previous messages so there might even be no need to force Riseup
decrypt anything at step 5.

~~~
tankered
As of today, there is no case where the government has pressed the issue about
modifying systems. They thought they had the perfect case with San
Bernardino/Apple, in fact they are trying to pick the best case in terms of
players in order to establish precedent, but they backed down because all of
silicon valley rose up in protest. If Riseup became a test case for this it
would be a big deal, this would be a legal fight that would bring armies of
lawyers who have been dying to litigate this exact scenario, and silicon
valley would also get behind such a case (as they did with Apple). But the
government isn't likely to pick Riseup as the target for such a case, they
want someone big like Apple.

In particular, what you are talking about is a Title III Wiretap (in transit)
order with an additional element of technical assistance that requires
significant re-architecture that would expose massive take, or enforced lying
(endorse a false cert). This would put a huge burden on Riseup, and
significantly undermine their operation. A Title III Wiretap order can only be
done in _very_ specific cases, it is much harder to obtain one of these than
it is for a simple search warrant, or subpoena. In fact it's so difficult that
in 2015 Google received 15 wiretap orders in total and more than 8k search
warrants. Not only that, but the government must show they can do data
minimization and there is a notification requirement (unlike a search warrant)
where they notify the target after 90 days. The tighter particularity
requirements built into the statute make this a very good position for Riseup
to be in.

~~~
hackuser
Thanks. With respect, do you have expertise on this issue? It's just useful to
know if we're hearing from an attorney who practices in this area or someone
who happens to be well-read in it.

> there is no case where the government has pressed the issue about modifying
> systems

Do we know that, or would it be more accurate to say 'there is no case that we
know of'? And we do have some reason to believe that the U.S. government has
pressured large telcos to modify equipment; look up Qwest's story.

------
_delirium
Background:
[https://news.ycombinator.com/item?id=13007234](https://news.ycombinator.com/item?id=13007234)

------
WhitneyLand
What kind of people is Riseup supposed to help?

For anything serious it seems inadequate unless I'm missing something.

How is it even better than something like ProtonMail?

~~~
SwellJoe
It is intended for activists, but I have never felt comfortable recommending
it to my activist friends. I trust the people who run it not to give up data
easily, but I don't trust their tech to be at all resistant to a state level
actor, which is primarily who activists need to fear.

I'm not convinced this change alters that assessment, as the implementation
seems questionable (the secret exchange seems to be on the wrong side of the
connection). But maybe I just misunderstand it.

~~~
amdavidson
The secret exchange is certainly on the wrong side of the connection, but it's
either that or change the way email clients work. We are living in an IMAP4
world and if you choose to "trust the server", as they state it, this seems
like a reasonable solution.

------
Cyphase
I would be very interested in seeing people experiment with more specific
warrant canaries. Many of them currently are of the form, "This service has
not received any of these kinds of orders at any time before YYYY-MM-DD." What
if instead, to go to an extreme (though it could be somewhere in between),
each user could check a page that had a long list of statements regarding
their account, e.g. "We did not comply with a {TYPE} order between 02:00 and
03:00 GMT on 2017-02-17 that affected your account." Obviously that's poking
the surveillance bear more than a really broad canary (ooh, big deal, now
people know X provider with 100 million users received an order within T time
of the last update to the canary), but I'm not sure that it's qualitatively
different.

~~~
secfirstmd
Or even better, have a distributed canary across multiple jurisdictions.

------
Esau
Proof that a warrant canary is useless.

~~~
_delirium
It seems to me that it did its job here. The only thing a warrant canary
claims to be able to do is to make people aware that a warrant was served on a
provider, even when a gag order prevents the provider explicitly saying so.
The warrant canary at riseup disappeared, which did have the effect of making
people aware of that fact.

Now it turned out that the warrant was just for some malware-extortion ring,
not due to a crackdown on political dissidents, so arguably a "false positive"
from the perspective of what most people using riseup for its stated purpose
care about. But the warrant canary didn't claim to make those kinds of fine-
grained distinctions in the first place. It claimed that it would let you know
when there was an unannounced warrant, and it succeeded in doing so.

~~~
nebabyte
> Now it turned out that the warrant was just for some malware-extortion ring,
> not due to a crackdown on political dissidents, so arguably a "false
> positive" from the perspective of what most people using riseup for its
> stated purpose care about

Except that now that it's gone there's nothing to say that people who were
previously held at bay by the canary [side note: hah] moved in right after it
disappeared.

Thus I agree; a WC should be seen as nothing more than a "probably not" to a
"maybe/assume so".

------
nachtigall
I'd like to recommend [https://posteo.de/en](https://posteo.de/en) which also
has strong encryption on various layers, including the user's data:
[https://posteo.de/en/site/encryption](https://posteo.de/en/site/encryption)

------
captainmuon
Question: Can a gag order in the US force a person to lie? If they say
publicly there are no outstanding gag orders, FBI warrants, or other
compromising orders (and assuming I'd trust them apart from that), can I trust
that they are telling the truth?

~~~
n4r9
I think they respond to this in the Q&A below.

------
N0RMAN
Off Topic: Does anybody have an invite left?

~~~
smonff
You are supposed to receive invites only from people you know. Riseup users
who deliver invites to somebody creating trouble will have their account
revoked.

