
Canary Statement - wopwopwop
https://riseup.net/en/canary
======
dgoulet
Please, read this before anything else.

[https://theintercept.com/2016/11/29/something-happened-to-ac...](https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/)

~~~
minxomat
> But it is clear that something happened, and that riseup is unable to speak
> about it publicly. “Riseup will shut down rather than endanger activists,”
> the spokesperson said. “We aren’t going to shut down, because there is no
> danger to activists.”

If I were a user of this service, that's enough of a red flag for me to
quit it immediately. Even though I agree that most rumors are blown out of
proportion considering the timing.

------
rawnlq
I wonder why they don't make the statements more granular. Then when you
update all other canaries but not a particular one you know for sure it's not
due to forgetfulness and you get more information about what happened.

Or does that cross some arbitrary legal line?

~~~
parenthephobia
The government believes it is entitled to limit NSL recipients to disclosing
how many thousands of NSLs they've received.

If you had a canary for 0-99, 100-199, etc, and then removed the canary that
didn't match, a court might decide that your decision not to assert that you
didn't receive 0-99 canaries was as good as asserting that you did receive
0-99. Whereas, if you have a general canary, you can say you removed it
because you just didn't want to use a canary any more.

Having said that, I suspect that a court that's sympathetic to the government
might well decide that choosing not to speak is itself an act of speech, and
that even if you can't be forced to restore a warrant canary, you can be
prosecuted for removing it.

------
maxt
Most of their servers are encrypted I imagine, so a seizure just means a TLA
gets a bunch of encrypted disks to have fun with. My only worry is that a TLA
can just ask for the keys to these disks and get Riseup rubberhosed¹.

¹ — [https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis](https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis)

Worth reading up about Key Disclosure Law too:
[https://en.wikipedia.org/wiki/Key_disclosure_law](https://en.wikipedia.org/wiki/Key_disclosure_law)

------
resfirestar
The tweets and statements to The Intercept back in November seem to imply that
there was an incident covered by the canary statement that they aren't allowed
to talk about, but ruled out "a NSL, a FISA order/directive, or any other
national security order/directive, foreign or domestic". Optimistically,
perhaps they had to turn over some encrypted data to a criminal
(non-political) investigation. Hopefully more information comes sooner rather
than later.

------
tarkin2
Is this a case where a government has compromised a system, and the
administrators are legally bound to remain quiet about it?

If so, why not compromise the system yourself, and then advertise that?
Accidentally leaving your SSL private key online temporarily would do it,
surely?

------
iSnow
> As of August 16, 2016 [1], riseup has not received any National Security
> Letters or FISA court orders

[...]

> Riseup intends to update this report approximately once per quarter.

So, 5 months later, no update means they have been compromised after August
and received a gag order.

------
ryanlol
Nobody should be using riseup anyway, it's a fundamentally flawed service.

There are absolutely no benefits to be gained from choosing riseup over any
other provider, but plenty of harm comes from centralizing communications of
at-risk users.

------
zer0t3ch
Isn't this jumping the gun a bit? I'd give it at least another month before a
lack of update means anything.

~~~
Cozumel
This is from back in November so it's already been a couple of months.

~~~
zer0t3ch
I guess it's about the precedent they've set in the past. If they always do it
on the exact same day every year, then being a week late means something. If
they do it annually plus or minus a couple months, then a couple months
doesn't mean much.

For reference, I have no clue what precedent they've set already.

