Canary Statement (riseup.net)
19 points by wopwopwop on Jan 7, 2017 | 15 comments




> But it is clear that something happened, and that riseup is unable to speak about it publicly. “Riseup will shut down rather than endanger activists,” the spokesperson said. “We aren’t going to shut down, because there is no danger to activists.”

If I were a user of this service, that's enough of a red flag for me to quit it immediately. Even though I agree that most rumors are blown out of proportion considering the timing.


Has there been any news since then? I certainly wouldn't trust any organization that's being so evasive.

Looking at the warrant canary and why it might not have been updated, I suppose the most benign explanation is that they're under a "gag order" of some sort. But why? Under what realistic scenario would they be gagged, but not have disclosed user data?


I wonder why they don't make the statements more granular. Then when you update all other canaries but not a particular one you know for sure it's not due to forgetfulness and you get more information about what happened.

Or does that cross some arbitrary legal line?


The government believes it is entitled to limit NSL recipients to disclosing how many thousands of NSLs they've received.

If you had a canary for 0-99, 100-199, etc, and then removed the canary that didn't match, a court might decide that your decision not to assert that you didn't receive 0-99 canaries was as good as asserting that you did receive 0-99. Whereas, if you have a general canary, you can say you removed it because you just didn't want to use a canary any more.

Having said that, I suspect that a court that's sympathetic to the government might well decide that choosing not to speak is itself an act of speech, and that even if you can't be forced to restore a warrant canary, you can be prosecuted for removing it.


And make the updates more frequent.

"Every third Tuesday of the month" is a canary whereas "About once a quarter, at our discretion, if Bob from Legal remembers" is useless.

Yes it makes more work for the staff, but if that's a problem then just don't do a canary at all.


Most of their servers are encrypted I imagine, so a seizure just means a TLA gets a bunch of encrypted disks to have fun with. My only worry is that a TLA can just ask for the keys to these disks and get Riseup rubberhosed¹.

¹ — https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

Worth reading up about Key Disclosure Law too: https://en.wikipedia.org/wiki/Key_disclosure_law


The tweets and statements to The Intercept back in November seem to imply that there was an incident covered by the canary statement that they aren't allowed to talk about, but ruled out "a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic". Optimistically, perhaps they had to turn over some encrypted data to a criminal (non-political) investigation. Hopefully more information comes sooner rather than later.


Is this a case where a government has compromised a system, and the administrators are legally bound to remain quiet about it?

If so, why not compromise the system yourself, and then advertise that? Accidentally leaving your SSL private key online temporarily would do it, surely?


>As of August 16, 2016 [1], riseup has not received any National Security Letters or FISA court orders

[...]

>Riseup intends to update this report approximately once per quarter.

So, 5 months later, no update means they have been compromised after August and received a gag order.


Nobody should be using riseup anyway, it's a fundamentally flawed service.

There are absolutely no benefits to be gained from choosing riseup over any other provider, but plenty of harm comes from centralizing communications of at-risk users.


Isn't this jumping the gun a bit? I'd give it at least another month before a lack of update means anything.


https://news.ycombinator.com/item?id=13007234

>Isn't this jumping the gun a bit?

No.


This is from back in November so it's already been a couple of months.


I guess it's about the precedent they've set in the past. If they always do it on the exact same day every year, then being a week late means something. If they do it annually plus or minus a couple months, then a couple months doesn't mean much.

For reference, I have no clue what precedent they've set already.
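
The cadence and precedent points raised in the comments above, as an added example that is not part of the thread and not Riseup's tooling: it reads the "As of" date from the quoted canary sentence and judges the current gap against the publisher's earlier gaps. The two update histories are constructed for illustration; only the August 16, 2016 date and the January 7, 2017 posting date come from the page.

```python
import re
from datetime import date, datetime
from statistics import mean

# Canary sentence as quoted in the thread.
STATEMENT = ("As of August 16, 2016 [1], riseup has not received any "
             "National Security Letters or FISA court orders")
TODAY = date(2017, 1, 7)  # date the thread was posted

# Constructed update histories (not Riseup's real record), oldest first.
STRICT = [date(2015, 11, 16), date(2016, 2, 16), date(2016, 5, 16)]
LOOSE = [date(2015, 8, 1), date(2015, 10, 20), date(2016, 4, 10)]

def parse_as_of(statement):
    """Extract the 'As of <Month D, YYYY>' date from a canary statement."""
    m = re.search(r"As of ([A-Z][a-z]+ \d{1,2}, \d{4})", statement)
    if m is None:
        raise ValueError("no 'As of <date>' found; treat as a failed check")
    return datetime.strptime(m.group(1), "%B %d, %Y").date()

def assess(history, latest, today):
    """Judge the current gap against the publisher's own past gaps.

    Returns (status, days_since_update, longest_past_gap).
    """
    dates = sorted(history) + [latest]
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    if not gaps or min(gaps) <= 0:
        raise ValueError("need at least one earlier, strictly older update")
    age = (today - latest).days
    if age <= mean(gaps):
        status = "fresh"                 # within the typical interval
    elif age <= max(gaps):
        status = "late-but-precedented"  # late, but they have been this late before
    else:
        status = "overdue"               # longer than any gap on record
    return status, age, max(gaps)

if __name__ == "__main__":
    latest = parse_as_of(STATEMENT)
    for name, hist in (("strict", STRICT), ("loose", LOOSE)):
        print(name, assess(hist, latest, TODAY))
```

With a strict quarterly record the 144-day gap exceeds every earlier interval, while the same gap against an irregular record falls inside what the publisher has done before.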



