Riseup’s Canary Has Died

UPDATE: Riseup has sent out a tweet asking people not to panic, asserting that they still have full control over their servers, and saying more information will come at some future date. Their studious failure to refute having a gag order basically certifies the existence of one. But again, don’t panic. A gag order doesn’t mean their servers are compromised. We have every reason to trust that Riseup would rather pull the plug.

Popular provider of web tools for activists and anarchists and backbone of much infrastructure for internet freedom, Riseup.net has almost certainly been issued a gag order by the US government.

Riseup regularly updates a canary located here certifying that they haven’t received a gag order, court orders or the like. That canary has gone dead (ie has not been updated). In addition just before it expired Riseup posted a tweet with Cohen lyrics “listen to the hummingbird, whose wings you cannot see, listen to the hummingbird, don’t listen to me” and a tweet saying “we have no plans on pulling the plug” with a screencap of the segment of their FAQ that says they’d rather pull the plug on services than comply with surveillance. Of course this entry in their FAQ also says you should back up email in preparation for such a shutdown.

My read is that Riseup is complying with the gag order while fighting the surveillance demanded in court. Riseup is made up of long-time anarchist activists who would feel obliged to go to prison rather than collaborate in snitching out others. However there is a small chance someone could crack from threats of decades in prison. Additionally there’s a much more substantive chance that regardless of their optimism Riseup may soon be forced to close everything down.

This is an incredibly unfortunate development given the Riseup collective’s longstanding role for many activists and radicals in providing email, listservs, VPNs, and assorted tools like Etherpad. However this should serve as a stark wakeup call about the dangers of relying on centralized services. The last decade has seen a collapse of the once varied and widely networked internet into a number of centralized services (like Facebook and Gmail, but also Riseup and Signal).

If you currently use Riseup you shouldn’t panic, but there are a number of productive steps you can take:

1) Backup all your emails on your Riseup account locally. This may require you to (install and) connect Thunderbird to your email account rather than just using the webmail through your browser. See this array of options for backing up while using IMAP. (Additionally it’s a good idea to enable full disk encryption or separately encrypt your email back up. The EFF has guides for full disk encryption for Windows. For Macs see this. Ubuntu, Linux Mint and several other Linux variants provide full disk encryption as an option when first installing the operating system.)

2) Get another email address that you can use as a fallback. Riseup maintains a list of other server services run by radicals. Protonmail is based in Switzerland, although be a bit suspicious about the “encryption” claims they make, there are problems. There are many other email providers. Gandi is popular. Time to shop around or — if you’re a confident sysadmin — roll up your sleeves and run your own email server.

3) Set up another listserv with another provider if your group currently uses riseup for listservs.

4) You can set up email forwarding with Riseup. Either to pipe emails to your Riseup account to your new account or pipe emails to your new account to Riseup (if say you want to start popularizing a new email address but continue primarily answering through Riseup for the time being).

5) Remember that while some providers may encrypt emails once received on their server, all email is basically sent unencrypted between servers and often stored unencrypted. Every email is a postcard, readable by nearly everyone. Unless you and the person you’re corresponding with use PGP. So use PGP. It can be daunting to set up and to get a handle on using (the user interface is infamously non intuitive), however PGP is very useful and provides a good baseline. Email is a federated (moderately decentralized) protocol in wide use that will thus be one of the last services shut down by authoritarians (unlike encryption services that use centralized servers like Signal). The EFF has good guides to setting up PGP for Linux, Windows, and Mac. And Micah Lee has a good overview of it.