Canary Statement (opens in new tab)

(riseup.net)

19 pointswopwopwop9y ago15 comments

15 comments

15 comments · 8 top-level

dgoulet9y ago· 2 in thread

Please, read this before anything else.

https://theintercept.com/2016/11/29/something-happened-to-ac...

> But it is clear that something happened, and that riseup is unable to speak about it publicly. “Riseup will shut down rather than endanger activists,” the spokesperson said. “We aren’t going to shut down, because there is no danger to activists.”

If I would be a user of this service, that's enough of a red flag for me to quit it immediately. Even though I agree that most rumors are blown out of proportion considering the timing.

TillE9y ago

Has there been any news since then? I certainly wouldn't trust any organization that's being so evasive.

Looking at the warrant canary and why it might not have been updated, I suppose the most benign explanation is that they're under a "gag order" of some sort. But why? Under what realistic scenario would they be gagged, but not have disclosed user data?

rawnlq9y ago· 2 in thread

I wonder why they don't make the statements more granular. Then when you update all other canaries but not a particular one you know for sure it's not due to forgetfulness and you get more information about what happened.

Or does that cross some arbitrary legal line?

parenthephobia9y ago

The government believes it is entitled to limit NSL recipients to disclosing how many thousands of NSLs they've received.

If you had a canary for 0-99, 100-199, etc, and then removed the canary that didn't match, a court might decide that your decision not to assert that you didn't receive 0-99 canaries was as good as asserting that you did receive 0-99. Whereas, if you have a general canary, you can say you removed it because you just didn't want to use a canary any more.

Having said that, I suspect that a court that's sympathetic to the government might well decide that choosing not to speak is itself an act of speech, and that even if you can't be forced to restore a warrant canary, you can be prosecuted for removing it.

dingaling9y ago

And make the updates more frequent.

"Every third Tuesday of the month" is a canary whereas "About once a quarter, at our discretion, if Bob from Legal remembers" is useless.

Yes it makes more work for the staff, but if that's a problem then just don't do a canary at all.

maxt9y ago

Most of their servers are encrypted I imagine, so a seizure just means a TLA gets a bunch of encrypted disks to have fun with. My only worry is that a TLA can just ask for the keys to these disks and get Riseup rubberhosed¹.

¹ — https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

Worth reading up about Key Disclosure Law too: https://en.wikipedia.org/wiki/Key_disclosure_law

resfirestar9y ago

The tweets and statements to The Intercept back in November seem to imply that there was an incident covered by the canary statement that they aren't allowed to talk about, but ruled out "a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic". Optimistically, perhaps they had to turn over some encrypted data to a criminal (non-political) investigation. Hopefully more information comes sooner rather than later.

tarkin29y ago

Is this a case where a government has compromised a system, and the administrators are legally bound to remain quiet about it?

If so, why not compromise the system yourself, and then advertise that? Accidentally leaving your SSL private key online temporarily would do it, surely?

iSnow9y ago

>As of August 16, 2016 [1], riseup has not received any National Security Letters or FISA court orders

[...]

>Riseup intends to update this report approximately once per quarter.

So, 5 months later, no update means they have been compromised after August and received a gag order.

ryanlol9y ago

Nobody should be using riseup anyway, it's a fundamentally flawed service.

There are absolutely no benefits to be gained from choosing riseup over any other provider, but a plenty of harm comes from centralizing communications of at-risk users.

zer0t3ch9y ago· 3 in thread

Isn't this jumping the gun a bit? I'd give it at least another month before a lack of update means anything.

ryanlol9y ago

https://news.ycombinator.com/item?id=13007234

>Isn't this jumping the gun a bit?

No.

Cozumel9y ago

This is from back in November so it's already been a couple of months.

zer0t3ch9y ago

I guess it's about the precedent they've set in the past. If they always do it on the exact same day every year, then being a week late means something. If they do it annually plus or minus a couple months, then a couple months doesn't mean much.

For reference, I have no clue what precedent they've set already.

j / k navigate · click thread line to collapse

15 comments

15 comments · 8 top-level

dgoulet9y ago· 2 in thread

Please, read this before anything else.

https://theintercept.com/2016/11/29/something-happened-to-ac...

minxomat9y ago

If I would be a user of this service, that's enough of a red flag for me to quit it immediately. Even though I agree that most rumors are blown out of proportion considering the timing.

TillE9y ago

Has there been any news since then? I certainly wouldn't trust any organization that's being so evasive.

rawnlq9y ago· 2 in thread

Or does that cross some arbitrary legal line?

parenthephobia9y ago

The government believes it is entitled to limit NSL recipients to disclosing how many thousands of NSLs they've received.

dingaling9y ago

And make the updates more frequent.

"Every third Tuesday of the month" is a canary whereas "About once a quarter, at our discretion, if Bob from Legal remembers" is useless.

Yes it makes more work for the staff, but if that's a problem then just don't do a canary at all.

maxt9y ago

¹ — https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

Worth reading up about Key Disclosure Law too: https://en.wikipedia.org/wiki/Key_disclosure_law

resfirestar9y ago

tarkin29y ago

Is this a case where a government has compromised a system, and the administrators are legally bound to remain quiet about it?

If so, why not compromise the system yourself, and then advertise that? Accidentally leaving your SSL private key online temporarily would do it, surely?

iSnow9y ago

>As of August 16, 2016 [1], riseup has not received any National Security Letters or FISA court orders

[...]

>Riseup intends to update this report approximately once per quarter.

So, 5 months later, no update means they have been compromised after August and received a gag order.

ryanlol9y ago

Nobody should be using riseup anyway, it's a fundamentally flawed service.

There are absolutely no benefits to be gained from choosing riseup over any other provider, but a plenty of harm comes from centralizing communications of at-risk users.

zer0t3ch9y ago· 3 in thread

Isn't this jumping the gun a bit? I'd give it at least another month before a lack of update means anything.

ryanlol9y ago

https://news.ycombinator.com/item?id=13007234

>Isn't this jumping the gun a bit?

No.

Cozumel9y ago

This is from back in November so it's already been a couple of months.

zer0t3ch9y ago

For reference, I have no clue what precedent they've set already.

j / k navigate · click thread line to collapse