Please, read this before anything else.

https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/
I wonder why they don't make the statements more granular. Then when you update all other canaries but not a particular one you know for sure it's not due to forgetfulness and you get more information about what happened.

Or does that cross some arbitrary legal line?
Most of their servers are encrypted I imagine, so a seizure just means a TLA gets a bunch of encrypted disks to have fun with. My only worry is that a TLA can just ask for the keys to these disks and get Riseup rubberhosed¹.

¹ — https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

Worth reading up about Key Disclosure Law too: https://en.wikipedia.org/wiki/Key_disclosure_law
The tweets and statements to The Intercept back in November seem to imply that there was an incident covered by the canary statement that they aren't allowed to talk about, but ruled out "a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic". Optimistically, perhaps they had to turn over some encrypted data to a criminal (non-political) investigation. Hopefully more information comes sooner rather than later.
Is this a case where a government has compromised a system, and the administrators are legally bound to remain quiet about it?

If so, why not compromise the system yourself, and then advertise that? Accidentally leaving your SSL private key online temporarily would do it, surely?
> As of August 16, 2016 [1], riseup has not received any National Security Letters or FISA court orders

[...]

> Riseup intends to update this report approximately once per quarter.

So, 5 months later, no update means they have been compromised after August and received a gag order.
Nobody should be using riseup anyway, it's a fundamentally flawed service.

There are absolutely no benefits to be gained from choosing riseup over any other provider, but plenty of harm comes from centralizing communications of at-risk users.