Assange's Email Provider Not Compromised

Riseup, Assange’s Email Provider, Has Received a Legal Request but Isn’t Compromised

Over the past couple of weeks, the prized privacy-oriented email provider Riseup was widely believed to have been compromised or served with a government order that forced it to keep quiet. Even in our post yesterday, we questioned whether Assange’s email provider had been compromised or forced to turn over user data. The speculation rested largely on the simple fact that Riseup hasn’t updated its warrant canary, a system that lets the public know if Riseup has been compromised or forced to turn over user data. The system works by having Riseup publish a statement that it has not been compromised and renew that statement every quarter. If an update fails to appear, it’s safe to presume Riseup has been served a gag order or has been forced to turn over user data.

Riseup has made it clear it would rather shut down its service than turn over user data. That follows the example of Ladar Levison, the founder of Lavabit, a man who actually shut down his entire business before disclosing user data. It was believed Edward Snowden had been using Lavabit as his personal email provider. When the feds caught wind of this they put a gag order on Lavabit, and Levison promptly took his service offline.

The collective, which runs an email service, secure chat, a VPN and other activist tools, spoke to the press yesterday about recent events, dismissing many rumors. An unknown Riseup representative spoke with The Intercept on Tuesday, silencing a number of “outsized” conspiracies among other things.

“Riseup will shut down rather than endanger activists,” the spokesperson opened with. “We aren’t going to shut down, because there is no danger to activists.” Riseup, the anti-surveillance, pro-privacy service, began in Seattle in 1999. The service prides itself on extreme privacy and believes the internet should be open, not controlled or suppressed by corporations or governments. “We believe it is vital that essential communication infrastructure be controlled by movement organizations and not corporations or the government,” the collective’s website clearly states.

“We work hard to minimize the amount of data (and metadata) stored as [much as] possible,” a Riseup representative told The Intercept. “The only way to protect the information of activists around the world is by not having the information in the first place.” The privacy policy even goes as far as to say that they will never share user data with any third party.

How the Rumors Began

The reason Riseup has been under such heat recently is its warrant canary. The canary allows users to confirm that Riseup is safe and has not been forcibly compromised by any rogue entity. At this time, the canary dated August 16th states that Riseup “has not received any National Security Letters or FISA court orders.” It additionally notes, “we have not been subject to any gag order by a FISA court, or any other similar court of any government.”

The canary, which was signed with their PGP key, even states “riseup has never disclosed any user communications to any third party.” The canary works in such a way that if it is not updated every quarter, it’s presumed Riseup has been compromised in some form. Well, Riseup’s most recent canary was due November 16th, 2016, and it’s not here. It’s not uncommon for it to be late, but this has sparked intense controversy since Assange’s recent whereabouts remain unknown.
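The quarterly rule described above can be checked mechanically. The following Python is an added example, not Riseup's code or tooling: it assumes the statement carries an ISO date, that its PGP signature has already been verified separately, a 92-day interval (August 16 to November 16) and a hypothetical 30-day grace window.

```python
import re
from datetime import date, timedelta

# Constructed sample assembled from the statements quoted in the article;
# it is not the full text or layout of Riseup's real canary.
SAMPLE_CANARY = """\
Canary statement dated 2016-08-16
Riseup has not received any National Security Letters or FISA court orders.
We have not been subject to any gag order by a FISA court, or any other
similar court of any government.
Riseup has never disclosed any user communications to any third party.
"""

# Lower-cased fragments that must appear in every issue of the canary.
REQUIRED_ASSERTIONS = (
    "not received any national security letters or fisa court orders",
    "not been subject to any gag order",
    "never disclosed any user communications",
)


def check_canary(text, today, interval_days=92, grace_days=30):
    """Classify a canary whose PGP signature was already verified elsewhere.

    interval_days and grace_days are assumed policy values, not Riseup's.
    Returns (status, details) with status in
    {"ok", "late", "expired", "altered", "invalid"}.
    """
    match = re.search(r"\b(\d{4})-(\d{2})-(\d{2})\b", text)
    if not match:
        return "invalid", ["no ISO date in statement"]
    try:
        issued = date(*map(int, match.groups()))
    except ValueError:
        return "invalid", ["date is not a real calendar day"]
    if issued > today:
        return "invalid", ["statement is dated in the future"]
    # A quietly dropped assertion matters as much as a missed deadline.
    flat = " ".join(text.lower().split())
    missing = [a for a in REQUIRED_ASSERTIONS if a not in flat]
    if missing:
        return "altered", missing
    due = issued + timedelta(days=interval_days)
    if today <= due:
        return "ok", [f"next update due {due.isoformat()}"]
    overdue = (today - due).days
    status = "late" if overdue <= grace_days else "expired"
    return status, [f"{overdue} days past due date {due.isoformat()}"]
```

With these assumed values, the situation on November 24, 2016 is classified as late rather than expired; where that line falls is a policy choice the reader has to make when the publisher names no fixed deadline.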

Following the lack of updates, the group also posted what appeared to be a series of cryptic tweets. Take them as you will, but the way they lined up with everything else going on was just a little suspect. Many believed Riseup’s canary had died and that we should assume they are compromised.

Riseup: We are not compromised

Good news everyone, it appears Riseup has not been compromised and is not under an intense attack suppressing their speech.

“Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say,” the collective member told The Intercept. “So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.”

Riseup even sent out a series of tweets telling everyone not to fear, making it clear that they would rather shut down their service than turn over user data.

we have no plans on pulling the plug https://t.co/7Bm0KrEnKA pic.twitter.com/MvEu6itTX6

— riseup.net (@riseupnet) November 21, 2016

4. Our prior tweets did not have any hidden subtext.

— riseup.net (@riseupnet) November 24, 2016

While these could be suspect, the fact that Riseup has come out stating this information is quite convincing. To date, the canary has only been updated 10 times in their 16 years of life, with the shortest time between canaries being two months and the longest being four months. So it’s fair that the canary wasn’t updated. “This is a bad system, we should have a specific date. The ambiguity is no fun for anyone,” Riseup pointed out.

It’s Clear Riseup HAS Received a Request for User Data

After The Intercept pressed the Riseup collective for answers, they were able to reply readily. Though they plainly said there are current legal restrictions, they were able to state clearly that they hadn’t received a National Security Letter or FISA court order.

What’s striking is that when the publication asked Riseup if they had received any request for user data since August 16, the collective did not comment, a clear sign that something has happened over at Riseup that they can’t publicly speak about.

To ensure that the public didn’t take the warning wrong, they gave some context: “There are a lot of conspiracy theories going around because people think that this is something bigger than it actually is,” Riseup said. “The reality is that these theories are way out of proportion to the truth. It isn’t something that people should freak out about, or be scared, or burn their computer, and run for the hills.”

“It’s annoying that we can’t detail why people should believe us when we say that,” Riseup explained, “but people have put their trust in us for over 16 years, so we hope you would believe us when we say that you should continue to do that.”

The collective appears to have tried to put every conspiracy to rest at once. Riseup also pointed out that some people may think that the government is forcing them to say these things, “but the reality is that compelled speech by the government is incredibly rare, and really only done for consumer protection (such as requiring warning labels on cigarettes) or other safety regulations.”

The Intercept pointed out that the Riseup collective is currently having an internal discussion on when it will be able to update its warrant canary.

In December, Riseup is set to launch a new feature called personally encrypted storage. The infrastructure allows all messages and metadata of email users to be encrypted with the users’ passwords, ensuring that the collective couldn’t access the data even if they were ordered to. Riseup said they will publish all code that makes the system possible, offering it as open source for independent review. “It is designed to protect the service provider from ever being able to comply with a subpoena or warrant,” Riseup explained. While the new infrastructure isn’t perfect, “this will help us all breathe a lot easier.”

Riseup has published tips for how users can limit their footprint on Riseup’s servers. “These are uncertain times for all service providers,” Riseup concluded. “Technology won’t solve social problems, but in this specific case we believe that new technology under development will dramatically improve the outlook for service providers.”


2 Comments

  1. Hi again.
    I was pleased to see that you did not censor my rather rude comment from yesterday (https://freedomhacker.net/list-of-secure-email-providers-that-take-privacy-serious/#comment-67425). From how it looks though, my earlier comment on this article now was too far off the picture this website is trying to paint. It’s sad to see that freedom of speech has little value on a site that carries freedom in its name. But I assume you know that reality is fiction and fiction is reality.

    To be fair, I did put a fake Email, which might be a valid explanation for this action, so I’ve used a real address now and would be happy to receive a response from you.

  2. So according to an unknown Riseup representative everything is fine. If they can state openly that they have “not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic”, but not put this statement on an updated signed canary, the whole point of that mechanism is missed.

    I can imagine that many fears of the community may be exaggerated, but when the essence of a service is about security and anti-surveillance, shouldn’t we all be advised to err on the side of caution?

    This article is not objective at all.