So in the end, my speculation and cynicism were actually justified. Seeing how I wasn’t certain whether I did them injustice or not, that’s quite good to know.
Now this obviously means that I, at least, don’t consider them to be trustworthy in the future. They claim that they’d go out of their way, encrypting the mailbox, though not like Protonmail on the client side, nor like Lavabit in “Cautious or Paranoid mode” with the former being like Protonmail and the latter actually keeping even the encryption key on your system. You still would have to trust their server in the proposed configuration, which after such an ordeal feels like a cruel joke, not a serious proposal to win back anyone’s trust.
But the cynical and quite frankly dangerous approach to winning back their users’ trust goes even deeper:
Q: Couldn’t the government just make you say that?
A: Forced speech is actually quite rare in the US legal context. It’s usually only in cases of consumer protection where the government has been successful in compelling speech (e.g. forced cigarette warnings). Nevertheless, no they aren’t forcing us to say anything.
ARE YOU TAKING THE BLEEPING PXSS?!?!
Call me a conspiracy theorist at this point, but seeing how you’ve just admitted to being served a gag order, saying “it is rare” is not reassuring.
Furthermore, they have been quite aggressive when people called out that they might have been served a gag order.
If you recall, when people started calling it into question that A) their canary wasn’t getting renewed and B) they continuously made posts about birds, they posted this:
and ffs, this has nothing to do with warrants or canaries. that’s why we end up not tweeting.
In my opinion, that is not the way to talk to a community for which it is crucial to trust you. The security of journalists, activists and others relies on this trust, and reacting like this, as I’ve said in the past, is A) impolite and B) really terrible in retrospect, now that it has been proven that you actually got forced to cooperate with the FBI.
Q: Why didn’t you update your canary?
A: In the Winter of 2016, the canary was not updated on time. The canary was so broad that any attempt to issue a new one would be a violation of a gag order related to an investigation into a DDoS extortion ring and ransomware operation. This is not desirable, because if any one of a number of minor things happen, it signals to users that a major thing has happened.
Are you doing this on purpose? Are you trying to get me as fired up as possible by making these kinds of statements? Because this is not something you should take lightly and I for one evidently passed the point of being polite about this some time ago.
But let’s deconstruct this for a second. First, they state that “The canary was so broad that any attempt to issue a new one would be a violation of a gag order”. Yes, so?
THAT IS THE PURPOSE OF THE CANARY! The way this statement has been made, it seems like you might actually believe that the canary you yourself set up in this way actually was too restrictive for law enforcement to make requests while keeping it up. But that’s what the canary actually is supposed to do. Are you sure you are in the correct business?!
Their continuation with “it signals to users that a major thing has happened.” is even more ridiculous.
So a running FBI investigation on a service like yours isn’t what we should consider “a major thing”?! WHAT CONSTITUTES A MAJOR THING?! The Great Old One Cthulhu coming over to take your servers away? What did you think would happen when the FBI knocks? What did you think you needed a canary for if not for this exact case?
Q: Why does the new Canary not mention gag orders, FISA court orders, National Security Letters, etc?
A: Our initial Canary strategy was only harming users by freaking them out unnecessarily when minor events happened. A Canary is supposed to signal important risk information to users, but there is also danger in signaling the wrong thing to users or leading to general fear and confusion for no good reason. The current Canary is limited to significant events that could compromise the security of Riseup users.
I have no words.
Just this: The fact that you now genuinely feel confident in telling your users that you can assess what is and isn’t an “important risk” terrifies me.
Riseup.net, you are so much worse in this regard than I could have ever imagined when I made my previous posts, which were mainly based on a reasonable amount of speculation and analysis of your reactions. In my last post, I gave you the benefit of the doubt that you simply lack someone to properly communicate in your team; now, I sadly stand corrected.
I honestly wanted to be proven wrong on this. Or at least see them take proper measures after this has come out. They didn’t.
Have a nice day,