Riseup Warrant Canary Died?


So it appears that Riseup failed to update its warrant canary. The one they have right now (https://riseup.net/canary) usually updates every quarter. But they didn't update this quarter.


Is there any consensus on what are appropriate steps to take when a canary dies? I use the riseup email & VPN & I wouldn't want someone to not contact me because of this.


Brief but still interesting mentions of RiseUp (2) here:

Short version: RiseUP VPN powered by LEAP which took us$1m from the Open
Technology Fund, which is funded by various American agencies.

Any thoughts on the impact of such funding, if any?


Caveat: I'm wary of Yasha Levine, who went full-bore conspiracy theorist and rape apologist when folks came out to say Jake Appelbaum assaulted them.

I've worked at a public defender's office, which is also funded by the same people who fund (a) the DA's office, (b) the police department, (c) the sheriff's department, (d) the judges, and (e) the jails. We never ever not one time ever felt any kind of allegiance to anyone but our clients. It's the same for a lot of deportation defense & asylum attorneys I know. Funding doesn't always mean there's a conflict of interest.

It's interesting, and it's definitely good to be aware of who's funding who and what projects, but Levine seems to be saying "the OTI is from the government, therefore you can't trust it." I'm unwilling to go that far when it comes to the OTI.


. . .

Good to be wary.

But "full-bore" and "conspiracy theorist" and "rape apologist" are rather loaded terms to be using in front of a journalism crowd.

I'm not sure what the jargon is for piling one allegation on top of another with multipliers in conjunction with the down-home use of "folks" but such an approach leaves me feeling ... wary.

As does the still anonymous nature of the accusers.

Then there is this:

Would welcome any other links that shed substantive light on this. From my reading, it sounds like he has acted like a total dick towards people in the past, and indeed apologises for that in the story. But that does not make him a rapist, or me a rape apologist.

Agree with you, totally, with regard to funding not indicating a conflict of interest. Otherwise thousands of publicly funded broadcasters would lose their jobs, and the public would lose hugely valuable sources of information. As well as, in your example, many other valuable public services.

As to trust, Levine never explicitly says not to. What he does point out is the huge gap between TOR, EFF etc promoting themselves as the source of solid security options, and the track record of people who rely on TOR being nabbed by authorities.

Again, I'm no expert in this area. So it would seem to me that experts such as yourself owe a duty of care to ensure that concerns raised by people like Levine are promoted to a much wider audience.

Worst case (security) scenario: Jacob Appelbaum is the victim of a honeypot op (abuse allegations) to protect a honeypot op (TOR).

Best case scenario: JA is a geek creep.

suggestionbox - that tinfoil press consider raising these security concerns, publicly.

. . .


Many of them have come forward with their names since the original accusations. You should read up on this.

He's a rapist creep. The women of the Bay Area hacking scene, for example, have known this for years. Others learned it. He was bounced from Tor for it (he didn't quit, he was let go and spun it). Hell, Tor had its whole board overturned with a new head of their org because of the scandal around these.

And, yes, the Pando fellow is a rape apologist.


Before this becomes a discussion about JakeGate more than anything else, Motherboard are also now reporting the same story on Riseup.


Before we go too far down the JakeGate / Yasha Levine abyss, I want to remind everyone of one of our community guidelines: criticize ideas, not people.

It's all right if we want to chat about issues in this community (in fact, it's encouraged) but let's not make it personal.


Yes, thank you to @mshelton and @corintxt for bringing it back home. Afaik, neither Appelbaum nor Levine have anything to do with Riseup's warrant canary dying.


Comprehensive coverage of the issue here:


"Riseup moves to encrypted email in response to legal requests."


Feburary 16, 2017

After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization). The first concerned the public contact address for an international DDoS extortion ring. The second concerned an account using ransomware to extort money from people.

Extortion activities clearly violate both the letter and the spirit of the social contract 1 we have with our users: We have your back so long as you are not pursuing exploitative, misogynist, racist, or bigoted agendas.

There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” 2.

We have taken action to ensure that Riseup never again has access to a user’s stored email in plaintext. Starting today, all new Riseup email accounts will feature personally encrypted storage on our servers, only accessible by you. In the near future, we will begin to migrate all existing accounts to use this new system (for technical details, see 3).

To be absolutely clear, this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in. For full end-to-end email encryption, as before, you must use a client that supports OpenPGP (and is not web-based).

We are working to roll out a more comprehensive end-to-end system in the coming year, but until that is ready, we are deploying personally encrypted storage in the mean time.

in solidarity,
The Riseup Birds


Q: Are you compromised by law enforcement?

A: No. We have never permitted installation of any hardware or software monitoring on any system that we control; law enforcement has not taken our servers; does not, and has never had access to them. We would rather stop being Riseup before we did that.

Q: Couldn’t the government just make you say that?

A: Forced speech is actually quite rare in the US legal context. It’s usually only in cases of consumer protection where the government has been successful in compelling speech (e.g. forced cigarette warnings). Nevertheless, no they aren’t forcing us to say anything.

Q: Why didn’t you update your canary?

A: In the Winter of 2016, the canary was not updated on time. The canary was so broad that any attempt to issue a new one would be a violation of a gag order related to an investigation into a DDoS extortion ring and ransomware operation. This is not desirable, because if any one of a number of minor things happen, it signals to users that a major thing has happened.

Q: Why does the new Canary not mention gag orders, FISA court orders, National Security Letters, etc?

A: Our initial Canary strategy was only harming users by freaking them out unnecessarily when minor events happened. A Canary is supposed to signal important risk information to users, but there is also danger in signaling the wrong thing to users or leading to general fear and confusion for no good reason. The current Canary is limited to significant events that could compromise the security of Riseup users.

1 https://riseup.net/tos
2 https://riseup.net/canary
3 https://0xacab.org/riseuplabs/trees


RiseUp stored emails in plaintext?