Tell HN: Riseup.net fails to update canary; fingerprints deleted without notice
317 points by orthoganol on Nov 21, 2016 | 127 comments
After almost a week of direct questioning, canary is still not updated:


Certificate fingerprints deleted for certain domains on Oct. 22nd without notice:


Page where fingerprints no longer appear:


If you're doing any kind of radical political work --- left or right --- and are worried about the attention you're going to attract, don't use things like RISEUP.NET. You shouldn't be running mailing lists at all. You shouldn't be using Jabber and asking all your peers to enable encryption. These are fundamentally unsafe services, and the idea that they can be provided safely just by paying attention to network security is terribly misleading.

In the universe of possible media in which to conduct discussions with a group of peers, there may be none less safe than SMTP email mailing lists. Keep secrets off mailing lists. Never use mailing lists for secrets. Assume your mailing lists are public. Nobody is going to deploy a mailing list security solution that will ever be adequate against state-level adversaries. Any site claiming to keep political activists secure that offers mailing lists should be viewed with suspicion, because "don't use mailing lists" is close to the only thing that messaging security people agree about.

I remember clearly a Tunisian opposition party was using a RISEUP mailing list around 2006 to spread its articles, political statements, etc... (When they were banned before the revolution of 2011).

Not all politicians can/know how to operate anything more complex than an email account.

That's an interesting piece of history. It kind of makes sense that accessibility can sometimes be worth the potential downsides.

By the way, are you a fellow Tunisian? I'm kind of surprised because I've never run into a Tunisian on HN :p

Maybe one day I'll release an archive of pre-2011 emails and IRC logs.

Yes I'm Tunisian, I only know of a couple active people around here, but there is a ton of readers.

Wow, so you operated mail and IRC servers for use by dissidents pre-2011? I would definitely attend a talk about that! A blog post would be amazing too.

I see, that's great to hear. I don't live in Tunisia, so I'm not familiar with the Tunisian tech scene. Judging by your Twitter feed, it seems to be really active, which is awesome!

Nothing that impressive, I was just a bystander, I had a bot that logged IRC conversations on certain rooms and I subscribed to a number of mailing lists.

I just need to find the time to filter that data and publish something.

We in the XMPP community work hard to make "Jabber" secure. Forward secrecy, federation and client scoring, carefully constructed extensions. But without end-to-end encryption like PGP or something, you're open to attack. There are some really neat specs that work on making this more transparent and better, but yes, you can't just blindly use someone else's service and go "it's secure."

While you are not lying, and mailing lists should be avoided if you want to share secrets, most of the time you need a mailing list not to do that, but to simplify communications.

At least in the global south, most radical activist groups have strong "no-internet policies" for any type of secret, and no-cellphone ones for their work. They have learned from their own history what they can or can't do, learned how to deal with IRL infiltration, and even learned how to communicate without any kind of contact or even agreements between groups. To survive and act against dictatorships or invading armies is not easy; they had to be smart.

But still, because travelling is expensive and networking today is a need for some of those groups or collectives, they can communicate with each other talking about their resolutions or activities, which are not secret (as I already said, it's assumed there can be an IRL infiltrator) but are also not public.

You can see SMTP and mailing lists as a huge security risk, and they are, it's just not very common to see people that assume the opposite around here.

Also, sometimes, some activists can deliberately use a mailing list as a public expression channel because it is important that these things can be heard by everybody.

I see it as sticking posters in the street. There is no reason to use Facebook or Google Groups for most of the Riseup (public) Lists users, not because they want something secret and hidden, but because they don't want to play by some companies' rules and appreciate being a part of a network run by volunteers more than using profitable fake-free services.

Because it makes sense, not because it is more or less secure.

Don't use things like RISEUP.NET. You shouldn't be running mailing lists at all. You shouldn't be using Jabber and asking all your peers to enable encryption.

So what are the types of services one should use?

Instead of looking for anti-authoritarian services to hide from authoritarian government services you should probably blend in with the fish like Mao said:

> The guerrilla must move amongst the people as a fish swims in the sea.

It's better to create false identities that are seemingly legit and fully fleshed out, for example: with back stories, and utilize regular services as a normal person would. The key is disconnecting your own identity from the false one. Rather than trusting your security to a 3rd party service that makes a name for themselves on helping people trying to hide their identity, thereby attracting scrutiny.

That being said, there are ways to use encryption services in a way that protects your communication, but the bar for doing so is very high and most people will either make mistakes or get lazy. Fortunately services like Whatsapp and to a lesser extent Signal are so popular that you could easily blend in using them, while still having high-quality data encryption. Although they both use phone numbers for authentication and the device itself is always a weak link, which is why the identity part is so critical.

thegrugq posted an article a long time ago about how CIA agents in Lebanon [1] got caught because they used burner phones in a way that was unlike the way anyone else used cell phones, if I remember correctly: they turned off the device most of the time except to make a few calls to other phones that were similarly not used often - not in the way normal people make calls. So anyone in control of the mobile operators would be able to ID potentially evasive behaviour and zero in on those devices/people for extra scrutiny.

That type of behavioural analysis that applies to real life can even more easily give you away in the digital world. Which is why it's important to not stand out from the crowd by using services like Riseup when your entire goal is privacy.

[1] http://grugq.github.io/blog/2013/03/12/anonymity-is-hard/

And from riseup.net @riseupnet

    listen to the hummingbird, whose wings you cannot see,
    listen to the hummingbird, don't listen to me. #LeonardCohen

That was probably just commemorating Leonard Cohen's death, and the certificate fingerprints were probably just removed because they switched to Let's Encrypt for those domains. But you never know.

What good is a warrant canary if it's also used for whimsy or commercial speech? If they don't take it seriously enough for people to know what it means, then their system isn't worth using to start with.

A Twitter feed is not a warrant canary.

Edit: the exact link to the official warrant canary is specified in the top post, please don't answer if you haven't recognized that much:


The "If they're relying on double entendres then it might as well be" as a response to "A Twitter feed is not a warrant canary" really makes no sense.


Also worth reading:


Think about it a while longer.

If they're relying on double entendres then it might as well be.

OK, good point.

This could just be drama.

Maybe it's worth checking their feed before writing?

That's the problem with canaries, though. By definition, they exist for situations where the canary-owner can't offer positive evidence for compromised security.

I don't particularly think Riseup is in that position, but unless someone actively says "don't worry about our lack of a canary, we took it down for $REASONS and all is well", negative evidence is all you can react to.

It could have been an attempt at plausible deniability.

Have you happened to see their other messages from the same day?

"Dear friends, please remember that internet is not always the answer..."

"by the way, that wasn't a trump related tweet..."

"listen to the hummingbird, whose wings you cannot see, listen to the hummingbird, don't listen to me. #LeonardCohen"

It all "has nothing to do with" canaries.

or it means "the canary is dead for a reason; don't trust us"

Okay, that's telling, but the canary on its own seems to be valid still - it's from August 16, 2016, and they say it should be 'updated approximately once per quarter'

If "quarter" is defined as "3 months", we're officially just on the outside of a quarter since the last update — 3 months and 5 days, to be precise.

Well, after (I'm sure) many inquiries about the canary, their latest update says nothing specific, just:

> we have no plans on pulling the plug https://riseup.net/en/about-us/policy/government-faq


This reads like a vague suggestion that everything is fine, but in context (ie, no clear denial) it's a huge red flag being waved.

If I were a scary government type and took control of riseup.net, that is exactly the thing I would post to twitter if I couldn't compel them to update the canary.

I certainly have no clue. I'm still getting email :)

And they've had indirect FBI attention before: https://riseup.net/en/about-us/press/fbi-seizes-anonymous-re...

> I'm still getting email :)

The failure mode of their warrant canary is not that you stop getting email, but that other people start getting your email too.

Sure. But you see, the prudent assumption is that adversaries always get all your email :)

Your comment is a distraction, not a contribution. People came here to discuss whether a warrant canary had died, not to hear you trot out security 101 cliches.

> I'm still getting email :)

While obviously this is not about preventing you from "getting email", you might not have received everything. You should consider the service compromised.

A beautiful quote. A nice picture. Also worth seeing the previous two messages there made on the same day while also thinking about the hummingbird.

October 23:

"If you are doing certificate pinning with us, we are updating certs! so keep calm and check the new FPs here https://riseup.net/en/security/network-security/certificates …"


Updated fingerprints (PGP signed Oct 22):



See OP below restating that fingerprints for certain subdomains are what is missing. Should have read more closely ;)

Yes I linked to the current certs in the post text. The issue is with the domains that were deleted in the commit (also linked) which no longer appear in these links.

Black, labs, and a few others have their own certificate that no longer can be verified with fingerprints, since Oct 22nd.

I'm uninformed. What is the significance of riseup.net?

They're my email and VPN providers with a great history for privacy.

I remember it being used a lot by radical leftist (mostly anarcho-*) groups when I was at university. But even then it was basically assumed that riseup was infiltrated or a honeypot run by the feds.

I hadn't heard of it either until just now. I remember when Reddit removed their warrant canary. I barely even use it now. For most people I bet it didn't matter. I have a feeling that, with the mission of Riseup, this will have a much larger impact on their userbase .. the ones who are aware of this.

I'll bet they placed bets on how quickly people would stop caring once it left the front page. That plus their usage of Moat display analytics tags on the homepage, and pushing for people's email addresses should be a clear telegraph of where they want to take the site.

I'm also curious about the security of things like RES.

labs.riseup.net is home to the git repo for Tails.

From top of their page: " Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications. "

Total surveillance means a full frontal attack on democracy. And this situation here seems to be a tiny reminder.

Imagine if your office live-broadcasted nearly everything. From the corridors, reception area, to the opening of physical mail. The PR and generally more "public" email addresses could be transparent as well.

This means when the NSL arrives, it will be seen by the world.

> Imagine if your office live-broadcasted nearly everything.

The next step in the fight against ongoing, overbearing surveillance is... ongoing, overbearing surveillance?

Transparency, not surveillance.

I bet you a jam sandwich that an NSL is not actually a letter sent in the regular post.

They certainly are real letters, though you're right in that they might be hand delivered by an official process server. Either that, or just mailed with a return receipt and signature required.

Yahoo was able to publish the letters they received: https://s.yimg.com/ge/tyc/Redacted_Non-disclosure_Terminatio...

Of course, it is ultimately a piece of paper...

But in every company I've worked for, mail is signed for by whoever and, if it's addressed to an executive, delivered to a secretary who reads it and decides what to do with it.

Given the requirement for secrecy, there is zero chance that an NSL will be treated in this way. And it won't be served by a random process server. Most likely it will be served by an NSA employee, in a discreet situation of their choosing.

An NSL is a legal document that originates from the DOJ (via the FBI) that requires no judicial approval. Nevertheless it is a legal document. The NSA does not participate, authorize, approve, initiate, or distribute NSLs.

or the feed goes black

Or the CEO met in his doorstep by Men In Black, or whoever it is that delivers these things.

I am highly skeptical of any claim that an email provider is more private than other providers. E-mail is fundamentally not secure and not private, unless you enhance it with PGP, which requires you to, of course, have something you want private.

Most people don't encrypt because they're not scared enough. It usually takes some time before their worldview is repeatedly shattered enough that encryption is the only choice they have.

The parent statement is very misleading. Here are some significant differentiators between email providers:

* Encryption in transmission of emails sent and received, using SSL/TLS

* Encryption in transmission of webmail sessions, using HTTPS

* Authentication security: Do they use 2 factor or other tech?

* Logging and retention of logs

* Reading your mail to build marketing profiles and social graphs

* Access by employees to your data

* Retaining and sharing your personal data with other businesses

* Security of your account information; can they easily be persuaded to surrender it

* Security of the email provider's systems

* Responsiveness to 3rd party requests for your information, whether private parties in lawsuits or legal authorities with/without warrants

* Cooperation with government surveillance dragnets

Security always is a matter of degree. Email will never be perfectly secure but there are some big differences between providers.

> Authentication security: Do they use 2 factor or other tech?

Sorry for sniping this specific one, but 2FA is (more often than not), security theater. It gives the illusion of security like how TSA baggage check is a big dance of scanning, pat-downs, and key ceremonies.

For context, consider Yahoo Mail, where emails are read by intelligence agencies before the user even gets them. Does my 2FA help here? Probably not.

I can understand that 2FA does have its uses, but frequently I'm seeing it being used like those 'Secured by Comodo SSL' with a picture of a shield to make a would-be shopper feel like the transaction is more secure. It can be theater.

That's like arguing that an airbag is safety theater because it doesn't prevent drowning if you drive off of a bridge.

MFA is used to prevent a third party who has access to your credentials from being able to log in as you and, in the case of U2F, to prevent a successful phishing attempt from compromising your account.

MFA offers no, and never has been billed as, protection against a subverted server or an attacker who can decrypt or tamper with traffic on the wire.

Security is a large, complicated problem. There will never be a single measure which protects against every threat.

It doesn't help a system-level adversary, but it does help prevent trivial takeovers by malicious actors attempting to get access to your email as a vector to compromise other services.

To summarize, 2FA does not prevent email reading if the provider doesn't, however it does help prevent run of the mill takeovers, especially if you've reused a password somewhere.

Security is all about defense in depth, it's worth keeping in mind that 2FA is an important step there, but by no means the only one.

If you aren't encrypting+signing a message, you've already decided that the security requirements of that particular message are minimal.

It seems like you're just ignoring HackUser's argument that security is a degree.

Securing against low-level hackers and intrusions increases security, even if it doesn't stop the NSA. It also doesn't stop the CIA from physically spying on you.

Securing yourself against low-level hackers and intrusions is not security theater. For most people, these are the most frequent and direct threats.

I would also argue that over-securing yourself is security theater. It's the same as overselling insurance products to people whose risk profile doesn't match the product. If you're not making security decisions based on the profile of risks you encounter, then you're engaging in theater to make yourself feel better.

> Sorry for sniping this specific one, but 2FA is (more often than not), security theater.

This is a completely wrong statement. It helps prevent compromise from non-system-level attackers. Telling a user that 2FA is "security theater" is doing far more harm than good.

2FA is generally effective but not enough to guarantee security by itself.

> E-mail is fundamentally not secure and not private, unless you enhance it with PGP, which requires you to, of course, have something you want private.

That's not true. A friend and I use GPG just to use GPG. You don't have to want to keep something private, just like you don't need to be doing illegal things to want curtains on your house.

Thanks for clarifying. I have to remember this quote:

"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged"

What I mean is that I can decide to not encrypt and have my emails under public scrutiny, but as I said, most people are not scared enough because it doesn't happen on their watch.

It doesn't matter what the content is, or how non-libelous - if it's encrypted with PGP, it's private.

I would add that Riseup don't claim to be the best on security or privacy.

> Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.

This is what they claim on their homepage[1]. Tools built by people who believe in a certain philosophy for people working on "liberatory social change".

They try to operate and control their tools. They don't claim that they are "the-most-secure-email-provider".

They claim to work on what they call "Network Security"[2] (traffic encrypting and providing services outside of the tracking bubble), and define other fields of security ("Human Security", "Device Security", "Message Security"), that the user can improve himself by education. They provide means of education for this.

This is an alternative. Gmail is maybe more "secure", or maybe not, but doesn't claim these kinds of social change. Gmail is "free" and commercial. Riseup is not free and volunteer-run.

[1] https://riseup.net/

[2] https://riseup.net/en/security/#security-overview

edits: typos

I was running my own e-mail server for a while before I finally got around to generating/publishing a PGP key. It's a pretty simple process, but also an incredibly complicated process for the uninitiated.

New tweet: https://twitter.com/riseupnet/status/800815181190217729

Confusing update IMHO. Could be read as reassurance. Could also be read as being threatened with incarceration and being forced to keep the site up. Or a reminder to archive stuff immediately because of impending shutdown.

Not really sure what to make of it, other than they have obviously heard the concerns and /not/ updated the canary.

Not really my area of expertise, but it strikes me as completely clear.

The canary hasn't been updated and the tweet implicitly acknowledges that they are aware of the concerns that people have about the overdue update. I can only think of two reasons to do this. 1. get some publicity or 2. for whatever reason they are unable to update the canary and are unable to say why. Personally, I doubt it's reason 1.

But why say they have no plans to shut down and link directly to the part of their FAQ where they say they will shut down if they are under government surveillance? Why not just tweet something like "We have heard your concerns" or something similar?

You might not be able to shutdown if you have been forced to keep the service running.

The purpose of the hyperbole, I'd assume, is to make one ask the same questions you're asking. In the philosophical sense: if we have to ask, we already have our answer.

Maybe they lost access to their infrastructure and twitter account. Who posted this (to-date) last message? Better be cautious, activists.

> If you are doing certificate pinning with us, we are updating certs! so keep calm and check the new FPs here


If you care enough to post canaries, shouldn't you also care enough to just close shop instead of subtly telling your users to stop using your services?

I'd imagine that since Lavabit, NSLs make that harder if not illegal.

It's not within legal purview to force someone to continue doing something, is it?

But they could order them to give them access to administer their servers, with acts of sabotage being punishable. There's no reason you should assume that the people running RiseUp right now are the same people that ran it a week ago.

Even if you shut down immediately (more on that in a moment), you can't wipe your storage, and The State can still look through that.

And if it is an ongoing investigation, shutting down immediately may be very difficult. Unless you can make a compelling case that you were already doing so for whatever reason, it is a very clear textbook case of obstruction of justice/interfering with an ongoing investigation.

Or at least care enough to update them more than once a quarter... worse than useless, since those Unspeakable Agencies will have had their fill of information by then. And then the canary dies and people panic into moving their hosting to 'stay private'.

They just tweeted that they have no plans of doing so


which means either they haven't received anything (in which case, why not update the canary?), that the orders were very limited in scope and they think they could keep operating safely, or that they have been ordered not to shut down. Ambiguous tweet is ambiguous, though it's telling that they made it and still did not update the canary.

You mean like CryptoStorm's famous `Privacy Seppuku` pledge? https://cryptostorm.is/seppuku.html

Looks like the issue will be resolved soon:


    .@flanvel Thanks for noticing. A refreshed canary statement will be up shortly.

Disregard, I forgot to check date.


That tweet is from August.

Before the most recent update, it was updated April 10th. So 121 days between updates. At the same rate, it would be updated next around December 21st. But yeah that is a strange tweet, and lack of tweets since is also strange.

Perhaps I'm doing this wrong but when I try to verify the gpg signature I get

    gpg: Signature made Tue Aug 16 01:01:19 2016 EDT using RSA key ID 139A768E
    gpg: Good signature from "Riseup Networks <collective@riseup.net>" [unknown]
    gpg: aka "Riseup Treasurer <treasurer@riseup.net>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E

Do you have a trust path between you and that key? If not, that message is normal, but you have no in-band way of knowing whether it's a valid signature from the right key or a valid signature from a fake key. However, if you have some trustworthy source that that's the right fingerprint, then you know it's a valid signature from the right key.

(This is why I hate PGP.)
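One way to script the check described above, as an added example that is not part of the thread or Riseup's own tooling: it parses the gpg --verify output quoted in the comment, compares the key fingerprint against one pinned from a trusted out-of-band source, and flags a statement older than the promised quarterly cadence. It assumes gpg's C-locale text format, treats "once per quarter" as 92 days, and the names parse_gpg_output and canary_status are this example's own.

```python
"""Check a PGP-signed warrant canary: pin the signing key's fingerprint
(obtained out of band) and flag a statement older than its promised cadence.
Added example, not Riseup's tooling."""
import re
from datetime import date, datetime

# Fingerprint quoted in the thread for the Riseup key. A pin must come from a
# source you already trust (key-signing, a prior pin, printed material), not
# from the same page the canary is served from.
PINNED_FINGERPRINT = "4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E"

# "updated approximately once per quarter": assumed here to mean 92 days.
MAX_AGE_DAYS = 92

# Constructed sample: the human-readable gpg --verify output quoted in the
# thread. gpg prints the 'Primary key fingerprint' line only when it has no
# trust path to the key; for scripting, `gpg --status-fd 1` emits a VALIDSIG
# line that carries the fingerprint unconditionally.
SAMPLE_GPG_OUTPUT = """\
gpg: Signature made Tue Aug 16 01:01:19 2016 EDT using RSA key ID 139A768E
gpg: Good signature from "Riseup Networks <collective@riseup.net>" [unknown]
gpg: aka "Riseup Treasurer <treasurer@riseup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E
"""

# Date as printed by gpg in the C locale; the zone token (e.g. EDT) is dropped
# and the timestamp is treated as a calendar date.
SIG_MADE_RE = re.compile(r"^gpg: Signature made (.+?)(?: [A-Z]{2,5})? using ")
FPR_RE = re.compile(r"^Primary key fingerprint: ([0-9A-Fa-f ]+)$")


def normalize_fpr(fpr: str) -> str:
    """Remove grouping spaces so fingerprints compare regardless of layout."""
    return fpr.replace(" ", "").upper()


def parse_gpg_output(text: str) -> dict:
    """Extract signature date, good/bad status and key fingerprint."""
    result = {"good": False, "signed_on": None, "fingerprint": None}
    for line in text.splitlines():
        made = SIG_MADE_RE.match(line)
        fpr = FPR_RE.match(line)
        if made:
            result["signed_on"] = datetime.strptime(
                made.group(1), "%a %b %d %H:%M:%S %Y").date()
        elif line.startswith("gpg: Good signature from"):
            result["good"] = True
        elif line.startswith("gpg: BAD signature from"):
            result["good"] = False
        elif fpr:
            result["fingerprint"] = normalize_fpr(fpr.group(1))
    return result


def canary_status(gpg_text: str, today: str, pinned: str = PINNED_FINGERPRINT,
                  max_age_days: int = MAX_AGE_DAYS) -> tuple:
    """Return (verdict, age_in_days) for a canary checked on `today` (ISO date).

    fingerprint-mismatch: the signing key is not the pinned one, whatever gpg
                          says about the signature (a fake key signs fine too)
    bad-signature:        the pinned key did not produce a good signature
    stale:                good signature, but older than the promised cadence
    fresh:                good signature within the promised cadence
    The '[unknown]' / 'not certified' warning alone is not a failure: it only
    means gpg has no trust path, which the pinned fingerprint replaces.
    """
    parsed = parse_gpg_output(gpg_text)
    if parsed["fingerprint"] != normalize_fpr(pinned):
        return "fingerprint-mismatch", None
    if not parsed["good"] or parsed["signed_on"] is None:
        return "bad-signature", None
    age = (date.fromisoformat(today) - parsed["signed_on"]).days
    return ("stale" if age > max_age_days else "fresh"), age


if __name__ == "__main__":
    # The thread's check date: Aug 16 to Nov 21 is 97 days, past the 92-day cadence.
    print(canary_status(SAMPLE_GPG_OUTPUT, "2016-11-21"))  # ('stale', 97)
```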

Is it due to be updated by today? Or is it not late until the last quarter of 2016 passes without an update?

I don't get it. They last updated in August. Wouldn't the next be due in December?

Misleading title. There were no "fingerprints deleted without notice"

I love how this conversation devolved into pedantry, honestly. Worry about the a/an usage, don't address the root issue, why don't you. Yup: programmers are grammar nazis.

Speaking for myself, this was brought to my attention in the context of a developing story about WikiLeaks being under duress or Julian Assange missing, who has not sent direct communication let alone signed communication for around a month now.

EDIT - if curious, https://www.reddit.com/r/WhereIsAssange/

Are you aware that the current top post (about blockchain) reads like a parody of a conspiracy theory?

Yep that doesn't look too good. Iirc there was more reasonable discussion on r/bitcoin. They have used the blockchain in the past, I will say that.

Without trying to turn this thread into a full "Where is Assange?" discussion, for me I just can't imagine why he has not sent communication since mid October, now long after the election, especially since the chorus is now strong enough that their Twitter has to say "everyone relax." He usually sees a lot of visitors, and they have access to millions of dollars, so he certainly has various ways to connect to the Internet just to say "I'm fine."

Without trying to turn this into a full "Where is Assange?" discussion, unless the conspiracy against Assange involves compromising such disparate actors as Ecuadorean embassy staff and prosecutor, the Swedish prosecutor, his own legal team, Wikileaks staff posting press releases in his name, Pamela Anderson and John Pilger, all of whom have communicated with him since his supposed disappearance, it's probably safe to assume that he has other priorities than sending a signed "I'm fine" message, particularly since it's already been documented that his preferred method of internet access was cut.

Yes, I know there are a few people who have said "He is fine, trust us", but it would take all of 2 seconds for him to send a message himself, a picture, a video clip, stand by the window, or go on the balcony, and there has now been a very long, uncharacteristic time window where he has not done this. He has many means of communication, regularly has visitors, and has a very legitimate reason for doing it (to silence all the people who are concerned, constantly Tweeting at them, calling to cease donations, etc.) - so the fact he hasn't is worthy of our suspicion.

EDIT - I really did mean "didn't want to start full discussion", because there apparently is a whole lot more circumstantial evidence, including regarding some of the people you mentioned (like some members of his legal team being barred entry), but seriously, I'm going to leave the fullness of that discussion for Reddit, and think anyone who is interested in it should take it up there.

To be honest, people that aren't going to be convinced that an in-depth video interview John Pilger asserts was made on October 30th or an abundance of statements from all parties about two days worth of formal interviews over the court case that's dogged him for a while aren't going to be convinced by a quick video of him saying "I aten't dead yet", or probably even a keysigned message.

There are an abundance of pretty straightforward hypotheses consistent with the known facts (e.g. "Assange isn't feeling fine because he's still angry and/or paranoid about his preferred internet connection being taken away", "Assange feels this story is good publicity, relative to other kinds of publicity he's getting at the moment") but of course these aren't the ones being discussed on "Where is Assange?" subreddits.

Sorry, but c'mon, that entire subreddit would disappear overnight if Julian gave just one, basic proof of well being. The majority of the 12,000 (and fast growing) are not conspiracy people, they just have a very simple request for a PGP message, a picture, a video, a public appearance, anything.

Again, I encourage the debate of circumstantial evidence on Reddit instead of here, but Julian does not say anything to indicate recency (pre mid October) in the Pilger interview, otherwise that would have probably ended the subreddit. And it's ambiguous to what extent Julian was involved in the recent posing of questions to the Ecuadorian prosecutor by the Swedish prosecutor (just the 1, without Assange's lawyers). Again, Julian just needs to take a quick minute and say "I'm fine," and that community would disappear.

Exactly. Every day that goes by w/out a proof-of-life from Assange adds weight to the theory that he is in fact no longer alive.

it's well known that his internet is cut off. I think if somebody was sending communications with his signing key while he is known to be unable to communicate, that would be the real problem.

He usually sees a lot of visitors, and the organization has access to millions of dollars, so he certainly has various methods available to him to say "I'm fine." They can't physically "cut him off" the Internet, but they can demand that he pause the election-related PR he was doing. They asked him to not interfere in the election, specifically.

However, the election has been over for some time. Even if they could, I doubt the Ecuadorian Embassy would forbid him from sending a basic message, picture, clip to verify he is OK, especially since pressure has been on them for a while now about his well being.

He could probably just give a wave from the embassy balcony? He's been out there before, though perhaps his circumstances have changed.


Sorry, I don't understand this. It's incredibly bizarre to be posting selfies with messages on HN.

Granted. You're right that this is bizarre. I'm posting a proof-of-life of myself because Julian Assange is unable to, and I'm trying to get the word out. It's not just a selfie -- It's proof that I'm alive.

Basically I'm pretty much freaking out at the moment because it appears that Julian has been disappeared, and I'm doing whatever I can to try and spread awareness about this issue.

Previously, there were people on HN who were sympathetic to WikiLeaks and their cause, and this appears to be changing.

It's more likely that the relatively logical and thoughtful HN community isn't sure if Julian has become somewhat unhinged, if you will.

thanks for that. :) yeah, I need to calm down a bit, lest I become unhinged myself.

It changed because of elections.

Truth often hurts when it's bad and is against people you support.

I hope Assange is doing well.


We detached this subthread from https://news.ycombinator.com/item?id=13007469 and marked it off-topic.

Depends on how you're reading it in your head. If you read "Freedom of Information Act", then it's "a FOIA" but if you read "Eff Oo Aai Aay", it's "an FOIA"

That's why you get "an X-Ray"

I've always read it "faw-ya".

Actually a matter of debate. Different house styles suggest different approaches in this situation

Depends if you pronounce it as one word, or as 'Ef Oh Ai Ey', I suppose.

For the abbreviation, "an FOIA" is correct. For the term, "a Freedom of Information Act" is correct. It's based on the sounds, not the word being abbreviated.

"a FOIA" is correct if you pronounce it "foya".

I believe the reason for "a FOIA" is "FOIA" is being pronounced as a word like "foya" instead of the individual letters "F-O-I-A".

maybe they're reading "a foy-uh"

Got any references to anyone speaking "a foy-uh" out loud? I've only ever known it to be 4 letters, said discretely, and not as a word like SQL.

I've only heard "foya", and I find "sequel" for "SQL" to grate like nails on a chalkboard. YMMV!

I'm now imagining that's pronounced Yim-Vee!

I don't have a citation, but am sure I've heard people say "foya requests" out loud, probably lawyers at hacker conferences.

I work with government people and contractors a lot and I've never heard it not pronounced "foya."

I would cringe when I would hear pronounced acronyms like "sequel" and "scuzzy" (SQL and SCSI) back in college; some acronyms simply aren't meant to be pronounced as words, especially if the pronounced word gave an uninformed listener the wrong impression. "Eww, why does my computer need to be scuzzy??"

Though note that:

> It was initially called “Structured English Query Language” (SEQUEL) and pronounced “sequel”, though it later had to have its name shortened to “Structured Query Language” (SQL) due to trademark issues.

I don't think, even in its heyday, I ever heard "SCSI" pronounced as anything but "scuzzy". Much more efficient and universally understood.

Ie: an F.

Ie: a friend.

Is an FOIA request useful?

FOIA has a specific exemption for national security, so it's probably not useful regarding national security letters. https://www.foia.gov/faq.html#exemptions

To whom, hoping to get what? Probably not. You obviously can't get secret security letters or sealed warrants via an FOIA.
