Canary Statement

19 points by wopwopwop, more than 8 years ago

8 comments

dgoulet, more than 8 years ago
Please, read this before anything else.

https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/
rawnlq, more than 8 years ago
I wonder why they don't make the statements more granular. Then when you update all other canaries but not a particular one you know for sure it's not due to forgetfulness and you get more information about what happened.

Or does that cross some arbitrary legal line?
maxt, more than 8 years ago
Most of their servers are encrypted I imagine, so a seizure just means a TLA gets a bunch of encrypted disks to have fun with. My only worry is that a TLA can just ask for the keys to these disks and get Riseup rubberhosed¹.

¹ — https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

Worth reading up about Key Disclosure Law too: https://en.wikipedia.org/wiki/Key_disclosure_law
resfirestar, more than 8 years ago
The tweets and statements to The Intercept back in November seem to imply that there was an incident covered by the canary statement that they aren't allowed to talk about, but ruled out "a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic". Optimistically, perhaps they had to turn over some encrypted data to a criminal (non-political) investigation. Hopefully more information comes sooner rather than later.
tarkin2, more than 8 years ago
Is this a case where a government has compromised a system, and the administrators are legally bound to remain quiet about it?

If so, why not compromise the system yourself, and then advertise that? Accidentally leaving your SSL private key online temporarily would do it, surely?
iSnow, more than 8 years ago
> As of August 16, 2016 [1], riseup has not received any National Security Letters or FISA court orders

[...]

> Riseup intends to update this report approximately once per quarter.

So, 5 months later, no update means they have been compromised after August and received a gag order.
ryanlol, more than 8 years ago
Nobody should be using riseup anyway, it's a fundamentally flawed service.

There are absolutely no benefits to be gained from choosing riseup over any other provider, but plenty of harm comes from centralizing communications of at-risk users.
zer0t3ch, more than 8 years ago
Isn't this jumping the gun a bit? I'd give it at least another month before a lack of update means anything.