Privacy Seppuku Pledge & Wall of Honour

[cryptostorm_team]

direct link to this page: seppuku.cryptostorm.org

The Privacy Seppuku pledge is simple: if a company is served with a secret order to become a real-time participant in ongoing, blanket, secret surveillance of its customers... it will say no. Just say no. And it will shut down its operations, rather than have then infiltrated by spies and used surreptitiously to spread the NSA's global spook malware further. You can't force a company to do something if there's no company there to do it.

This list is, for now, a place to make note of companies and projects who have taken the Privacy Seppuku Pledge, publicly. They mean it. And to the various government goons considering approaching them to compel them to become part of the modern Gestapo: don't bother. You won't get what you want, and you'll just make another round of (temporary) martyrs who will go forward and replicate their operations elsewhere, with their reputations burnished and their public awareness increased by orders of magnitude.

Already Chosen Death Before Betrayal:

- Lavabit email service | details
- Silent Circle email service | details

- Cryptocloud Secure Networking, version 1.0 | details


Taken the Public Pledge:

- Cryptocat web-based secure chat tool | details
- Riseup nonprofit secure email service | details
- Mega encrypted file storage | details
- cryptostorm darknet | details

There is always a choice: choose to support companies, projects, and services that have taken the Privacy Seppuku pledge. The more of us there are, the less tempting it is to pressure any one target enough for them to actually take the final step and shut themselves down. The more of us there are, the less vulnerable our customers are to harassment and intimidation by the surveillance abomination. We owe our customers our loyalty - and actions speak louder than words.

Now is the time for us to stand against mass surveillance, before it's truly too late...


...additional background on the Pledge:

We've seen, in recent years, countless examples of technology companies and service providers who have by any reasonable standard betrayed their customers. Customers are people who pay them to use their services - either directly, with their money, or indirectly with their time and attention (as in ad-supported models).

Loyalty means that we stand strong in support of someone, even if doing so is costly or painful or inconvenient or is likely to result in us being attacked, ourselves. Loyalty isn't cheap, and it isn't fickle. Also: it matters, alot. There's a reason why, in every human culture throughout the world, loyalty - to one's family, friends, associates, colleagues - has been treasured as one of the foundational pieces of what it means to be a good person. And it's not even uniquely human: we celebrate our canine friends, in part, because we respect the loyalty that's such a staple of social organization in Canis lupus, the wild wolf.

Questions of loyalty don't stop just because there's "corporations" involved. Companies are just collections of people, acting in concert to accomplish something. Can we expect companies to be "loyal," in the same way a friend can? Well, not the same way - companies aren't people (sorry, John Roberts) and they don't have an inbuilt moral compass. But, given that, we certainly don't expect them to betray us when we enter into reciprocal business relationships with them. That's bad.

In the context of privacy issues, "corporate seppuku" means shutting down a company rather than agreeing to become an extension of the massive, ever-expanding, secretive global surveillance network organized by the U.S. National Security Agency. It means, in short, saying "no." Sometimes, we hear people say that this or that company "had no choice" in what they did. Bullshit. There's always a choice; it's just that the consequences of certain options might be really severe, and are thus not chosen. But that's a choice. It's always a choice.


Note: this is a placeholder post, and will be moving to a public wiki shortly. If you'd like to help with the migration, and with maintaining this #privacyseppuku resource in the future, post a reply here or DM us & we'll get you looped into the team's discussions and activities.

[Baneki]

#PrivacySeppuku: game-theoretic exploration of the asymmetric power of "no" in ephemeral, privacy-centric markets


As we were part of the development of the original "corporate seppuku" pledge that Cryptocloud incorporated into their privacy policy, back in 2008, we've a good understanding of what the motivation was behind the pledge. Actually, it's more than that. We pushed strongly for the inclusion of this language in their founding framework - now known as the Privacy Seppuku pledge, as others have adopted it - because we think it's a high-leverage, low-cost way for the entire community to create a resilient, reliable bulwark against certain forms of mass surveillance. The really creepy, destructive, trust-negating sorts.

Since then, we've always intended to more fully expand our thinking behind the issue, because on the surface it seems either trite, or dumb, or perhaps both: shut the whole damned company down? What possible good could that do? I mean, sure you might stop the goons from getting at some certain individuals - this time. But now you're "out of the game," and you've just removed an otherwise-useful service from the market, and thus being available to everyone else out there.

This is an understandable criticism, but it's totally wrong.

We say that because we've always envisioned the Privacy Seppuku issue as being of use only when it gains broader acceptance and visibility. As a one-off for one company - Cryptocloud - it's at best some marketing polish that nobody's likely to notice unless it was actually needed in a realtime shutdown. Then, as we've since seen, people do notice. They notice very well. And, with Lavabit's leadership coming to the fore, now the topic is back on the move and it's time to get this "essay" done. Alas, this won't be a nicely-footnoted, well-polished, academic document - we're pushing to get it out timely, and perhaps someday (ha) we'll have one of our folks find space in her life to publish the "proper" version. The perfect is the enemy of the complete, and we choose completion over perfection. Apologies for the rough edges involved - particularly to academic readers, who will find our assertions lacking in citations and reference to the wider literature(s) relevant to this topic.

Game theory involves analytic tools that embrace dynamic, multi-party interactions that are temporally fluid. That is, game theory is used to model things that involve a bunch of agents interacting over a period of time. A big part of game theory's strength is that it doesn't give needless primacy to any one participant's actions: all actions impact all other interactions, and the way the whole thing flows depends on the sum total of the interactions, not merely one decision by one agent. In more expanded versions, each agent can - and does - make predictions about the likely decisions of other agents in the event they themselves make certain choices: "if I do this, she'll do that, and then I'll have to do that other thing... which I don't want to do - so I'll do something else instead, so she'll probably respond by doing that other thing, and then I get what I want, yay!"

Chess is game theory in motion, of course: a pawn is sacrificed to get the opponent to think an effort to castle is in process... only it's not, it's just bait to open up a different attack. And so on. This stuff is part of our everyday lives, as social mammals. Game theory simply wraps a nice, powerful mathematical framework around it and allows it to be deployed systematically and across lots of data sets.

Game theory is often used for interactions that take place over time ("n-iteration scenarios," for the buzzword-hungry). A does this, B reacts, then A reacts, then B reacts... and in parallel channels, A is predicting all those future B reactions, as is B to a. I know you know I know that you know that I know - that sort of thing. This can get iterative, and recursive, very quickly; it can also eat computational cycles, and turn into NP Complete, intractable problems with little warning.

The PS Pledge (for short) takes place in an n-iteration world, where there's a whole series of interactions between "them" and "us." That's obviously a false dichotomy, but it's a starting point: there's the spies, and those of us who want to remain secure against spying. We interact. What happens?

Here's where things stand, right now:

The spies have compelled companies not only to give up historical data on customers, but also to provide ongoing, realtime, continuous tracking of current activities. Single-target examples, like Hushmail's injection of bad javascript into web-based encryption at the DEA's insistence (Hushmail is Canadian, btw - this isn't an uniquely American issue, despite hopeful fantasies on the part of some non-US citizens) have been supplanted by broader deployments of realtime surveillance against mass populations: every indication is that major US telco and internet companies have become, in practice, realtime spyware machines: feeding current data into the NSA's massive databases, across the board, with no disclosure to customers. Indeed, many have lied bald-faced about the alleged "security" of their #snitchware - see Microsoft lying about Skype, or Apple and the iMessage disinformation scheme run alongside the NSA.

As a result, users of network services now have a reasonable concern that they are being spied on by their tech tools - not only the ones already "outed" as snitchware, but also those claiming vehemently not to be such. Worse, because the court orders compelling these activities are themselves secret and require their targets to remain secret or face contempt of court charges (possible federal felonies, in the U.S.), silence is not good news. Not at all. We're all sort of cringing and cowering, unsure who to trust - or whether to trust anyone at all. But, per Schneier, trust is the foundation of all digital security - indeed, of all security... and of all societies, as well. We trust nobody, and we're hamstrung in the process.

For the surveillance overlords - "them" - this is an excellent outcome. Everyone is afraid they're being spied on, all the time. It's Bentham's Panopticon, made real. Worldwide. Without confidence that privacy tools can actually keep them private - how can we be sure? - many people just give up trying, and use stuff that they know is #snitchware, but at least it's shiny and pretty and makes nice TeeVee ads for us to watch, or whatever. Dissidents and activists are hampered in communicating securely; when they do, they're still holding back, because... you never know. Everyone self-censors. Nobody wants to criticize the madmen in power - publicly or privately - because we all know we might get a late-nite knock on the door. Or a SWAT team smashing the door in, guns drawn, shooting our dogs and vandalizing our homes. Or, a trip via extraordinary rendition to a far-off place where torture is on the daily menu. Or Guantanamo.

Now, let's play out a scenario with Privacy Seppuku mixed in:

Folks worried about their security shift their support over to companies that have made a public statement in support of privacy seppuku: they'll shut down before becoming ongoing, dragnet, secret components of Alexander the Geek's surveillance regime. The spies - "they" - see this, and now they have to make some choices...

They go after a company that seems juicy and ripe for plucking: let's say it's lavabit. Secret order from a secret court, compelling secrecy from the target. Lavabit says (we're paraphrasing a bit here"): go fuck yourselves, and shuts down. Servers wiped. Code deleted (or archived in encryped offsite containers). Here's what you get, NSA: you get nothing. Oh, and we're going public with our shutdown. No, we're not going to disclose you're double-dog-secret NSA super-secret court order from your secret rubber-stamp court. Nope. We're just shutting down, so we don't have to betray our customers. Read into it what you will. Want to charge me with contempt of court? Go for it: we'll go in front of a real judge, not some Republican clown on a kangaroo court packed with John Roberts' fascist friends. We'll get coverage, worldwide, about things. Not very secret, is it?

Yikes. That didn't go over so well.

So maybe "they" decide, what the hell: we'll make an example out of one of these crazy crypto-hippie do-gooder troublemakers. We'll make his life hell, and that'll teach 'em. Well, to do so they'll have to dig deep - fake up something, a bit of extra-legal harassment on the side. All along, you're going to have the press - the real press, not the usual neutered lapdogs, and also the people's press (twitter and reddit and whatnot) - following along. Maybe his car has an "accident" all by itself, goes up in a ball of fire. Poof. There, you hippie scum - try that again. But wait... now we've kicked a hornet's nest. Congress is investigating, Front-page stories that even Fox News can't ignore. Pressure. Heat. Maybe someone cracks, and leaks the facts to a Glenn Greenwald... and maybe, even, some of us end up in prison for our crimes.

And even if we beat the shit out of that one guy, what happens if there's a dozen more? A hundred? A thousand? Can we have them all get into inexplicable "car accidents?" Not really practical. Will smashing one really stop everyone else? No. In fact...

That one that went thru with the seppuku? She'll likely have a new service up and running in a few days or weeks. The customers who got dinged by the shutdown? They'll all get up and running on her new service. This is all 1s and 0s, remember? You don't have to demolish a car manufacturing plant, after all - you're just wiping some VMs and reincorporating elsewhere. Lease new machines. Call it "lavabutt" on the new corporate docs, in Andorra. Sign on to the Privacy Seppuku pledge, as lavabutt, again. Off you go. Do you think it'll be hard to get customers - old ones migrated over, and new ones alike? Think on that: a privacy company that shut down rather than be #snitchware... do you trust them, now?

Yep, we do. Actions speak louder than words.

Because, we forget: a company is just people (and not the Soylent Green kind). These teams, they're (mostly) small. Facebook is a behemoth, but let's not kid ourselves: we won't see Facebook on this list. Most of our teams are a handful of folks - people, with names and email address and twitter handles and stuff. When we "shut down" a company, we're still alive! This isn't real seppuku, the kind where you eviscerate yourself (read: slit your stomach with a sharp sword, cut your abdominal muscles, and watch your intestines fall out and splatter across the floor in front of you). These are just damned companies: pieces of paper, words. It's not even the code: the code can go where it wants, particularly if it's opensourced.

In the second scenario, what have "they" learned? That shutdown just made a (temporary) martyr of someone - or a team - and that team's now earned serious credibility to start up elsewhere. Maybe the same service category, maybe something new. Whatever the case, they're not vanishing into thin air - and now they've got a pretty big gold start in terms of their credibility in standing up against surveillance pressure.

Whack-a-mole, on steroids... because even the moles you whack come back - smarter, stronger, higher visibility.

Spooks aren't dumb - far from it. They do these kinds of analysis - hell, they hire some of the best game theoretic minds in the world, and always have. Local cops might be power-drunk and unable to see how their actions play out over time; the NSA isn't any of that. They have whole buildings full of very smart people paid good money to think about this stuff. They won't get it wrong.

And the outcome is simple: if the Privacy Seppuku concept spreads, it becomes useless to target companies on the pledge list! You won't get what you want, you'll make some heroes who go out and do bigger stuff next, you'll out yourselves as dangerous thugs, your "secrecy" is shot to hell, and after all the effort involved you end up backwards from where you were before. That's the scenario, it's how it plays out. There's really no alternative scenario.

No, it doesn't just drive everyone to companies that don't support the pledge: that would assume that companies who do seppuku themselves into an early grave don't simply get reborn elsewhere... and that's wrong. They will get reborn, same team or new team it matters not. They'll be reborn smarter, better refined to make spying pressure against them harder however they can. And they'll be on the pledge list, again - with a bullet. They'll get waaaay more publicity, too - and they'll draw more people to use them. Multiply that by a few hundred, and you're just breeding smarter privacy tech projects.

As to the impact on those who do shut down? C'mon, this isn't Bradley Manning being tortured in the desert for a year by vengeance-maddened military goons. Tech project teams are fluid anyhow, we come and go and today's new is tomorrow's old-and-boring. The value of the gold star - "I shut down rather than become #snitchware, and I'll do it again if I need to - is almost impossible to measure, in terms of value. And it's for life.

Cycle the domain names, spin up new server instances... hell, rewrite the codebase from scratch, it always did need a bit more OO-ish love. Eat some ramen, if need be - none of us are going to starve to death. And come back with one that does it better, bigger, broader, more badass (or bradass). Take that, "them."

[align=center]- - -[/align]

This is applied game theory. Model your opponent's reactions, and build those projected reactions into your decisioning process. Embrace the fluidity of events - these are n-iteration games... they go on, and on, and on. One round passes - lavabit shuts down - but there's a bunch more rounds to come. Look at the totality of interactions, and the scenarios come pretty clear in this case.

This is asymmetric power: a diverse community of folks engaged in privacy-centric services can, collectively, protect themselves against a vastly more powerful adversary by using that adversary's very power against it - judo for the private soul. It's low-cost, it's legal, and it's (predicted to be) powerfully effective. But it's also, in a sense, counterintuitive: how can shutting down be a powerful act? It isn't - it's the larger context, the public pledge to shut down, that has the real power.

There's classic example scenarios in game theory that work like this: one party has something the other party wants. The wanting party has an incentive to force the owner to give it up. But if the owner can convince the wanter that pressure will just result in the destruction of the desired object, the wanter doesn't waste time on pressure - it won't get her what she wants. Simple model, but the logic is relevant.

The Privacy Seppuku version is really interesting because we're considering digital goods and corporations - both of which are ephemeral, non-physical, intangible. "Destroy" a company and it can pop back into existence as the proverbial Newco, overnight. Delete the code? There's backups. Or it's opensourced, anyway: just go pull the src from github, eh?

That's the thinking behind the Privacy Seppuku pledge. It's what we always meant to say about it, but never got around to doing. The go around has come 'round, and now we've done our best to document the bigger framework for others to consider.

With respect,

Baneki Privacy Labs

[loldongs]

I had something longer written, but it comes down to this.

A pledge is nice, but if all it takes to set up a honeypot that Certain People will think is legit, is to set up a service, shut it down citing vague non-disclosable interactions with g-men, and set it back up again somewhere else, well, that's also a pretty easy thing to do.

[Pattern_Juggled]

A pledge is nice, but if all it takes to set up a honeypot that Certain People will think is legit, is to set up a service, shut it down citing vague non-disclosable interactions with g-men, and set it back up again somewhere else, well, that's also a pretty easy thing to do.

The issue of honeypotting is both directly relevant to the VPN market (link to forum thread here with validated examples of VPNs being created specifically as honeypots), and of larger-scale relevance(link to outside article on the growing use of honeypots by FBI). It's also one that is rarely discussed outside of small spheres of the OpSec world, for the most part.

Your concern also highlights the challenge of validation, for example in the "no logging" language now so routinely deployed in marketing messages by VPN companies. I mean... how many of these companies actually aren't logging? Not even that they must be nefarious honeypots (that's possible, too) - even simple technical incompetence and/or laziness can result in logs being kept; counterintuitively, it's actually harder to stop most server-side stuff in wide deployment nowadays from keeping logs than it is to just let it log its little heart out. There's many bits and pieces to even a simple VPN "service" that merely uses broken PPTP as its protocol; forget (or just don't bother) to turn off logging on all the pieces, and you're now bragging about "no logging" in your marketing, whilst logging in your network. It's not uncommon; I know, personally and firsthand, of examples of this - and second-hand of dozens more. It's easier to say than to actually do.

Which both come down to validation. Validation can be independent, or it can be built on trust. Independent is either via audits, or via some kind of structural mechanisms that make it possible for outsiders to know enough to be sure of their conclusion. Trust is... trust. A whole subject area of discussion: who to trust, who not to trust, how to decide.

In the end, honeypots are known for grabbing anything that can confer apparent legitimacy and sticking it to themselves in an attempt to borrow credibility from others. Honeypots are also, almost without exception, new entrants into a market that is big enough for them to just blend in and act like they've been around for a while - and almost never folks who have been around long enough to be more or less known quantities. It's possible, of course, to set up a honeypot, run it for years, and then harvest only far down the line - which could be really damaging. But in practical terms, this never happens - the risk of the honeypot being exposed goes up exponentially the longer it runs (staff leaks, mistakes in server admin... the usual Murphy factors, compounding over time), and besides LEO folks want promotions and kudos and arrests - so sitting for five years nurturing some trap is not really congruent with that. The NSA and those kinds of folks? Yeah, their time horizon is long... but they aren't running small-scale honeypots anyway. Their biggest honeypot is, in functional terms, Facebook - so why bother with small fry?

There will be companies and projects that agree to this pledge, but then betray it - that's in the nature of life, and humans, and our society. That betrayal, sooner or later, will become public: via court cases, prosecutions, indictments, discovery, and all that. And when that happens, the individual people who did that betrayal should - must - be shunned by the privacy industry, forever. Create a high cost for betrayal, in being ostracised from future projects, and disincentive the decision in others.

Conversely, there will be companies that flat-out refuse to sign on to the pledge, in public. Make of that what you will - surely there may be legit reasons for that (many of them, really)... but also potential data to be pulled out of the tangible fact itself. It took Nadim, at Cryptocat, a couple of minutes' time to decide to make a public stand on this issue (in favour of the pledge) - that speaks volumes.

Finally, a request: what can be done to decrease the risk, and/or temptation, of honeypottting in the privacy services community? That's a question that could well stand to benefit from some heavy, creative inquiry...

[Baneki]

Spy or Die
Can corporate suicide stop the NSA?
BY SHANE HARRIS | AUGUST 9, 2013 | Foreign Policy


When the U.S. government orders a communications company to give up its data, the firm has two basic choices: resist, and risk its leaders going to jail, or comply, and break faith with its customers. On Thursday, Aug. 8, however, two privacy-minded businesses chose a third and unprecedented option: They committed corporate suicide rather than bend to the surveillance state's wishes.

It could just be the opening battles in a new front of the surveillance war.

In a move that blocks governmental monitoring of private email accounts, two secure email providers closed shop on Thursday rather than divulge information about their users to the authorities. The first Dallas-based Lavabit -- which reportedly counts among its users NSA-leaker Edward Snowden -- stopped operations after apparently fighting a losing battle to resist a federal surveillance order. (Snowden called the decision "inspiring" in a note to the Guardian's Glenn Greenwald.) A few hours later, Silent Circle, headquartered outside Washington, D.C., announced it was suspending its encrypted email service as a preemptive measure before ever receiving a command from the government to spy on its users.

The companies' extreme actions put them in an exclusive club. Security and legal experts said they could not recall a company preventing government access to its customers' information by shutting down its business. Some companies have appealed surveillance orders in the courts or attempted to force more public disclosure about the secretive intelligence-gathering process, but they have remained functioning. Refusing to comply with an order also means the government is cut off from potentially valuable information that it may have no other means of obtaining.

Ladar Levison, the owner and operator of Lavabit, said in a cryptic public message to his users that he had "been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit."

Levison didn't say precisely what events had led to his decision, but his letter strongly suggests that he had refused to comply with an official order to hand over Lavabit users' emails and give the government ongoing, prospective access to the company's systems. In the letter, Levison said he was forbidden from discussing "the events that led to my decision." Recipients of secretly issued government surveillance orders are often prohibited from disclosing or discussing them publicly.

Silent Circle, in a letter to its customers, cited Lavabit's decision. "We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail [its encrypted email service] now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."

The company also acknowledged that its email service didn't have protections as strong as those for its phone and text services, which can delete communications entirely, as well any corresponding metadata records. Email leaves a digital trail that can be recovered and therefore forcibly disclosed by the authorities.

"Tough decision but we couldn't wait for the inevitable risking member security," Vic Hyder, the company's chief operations officer, wrote on Twitter.

"We huddled this afternoon and saw no other choice," Jon Callas, Silent Circle's chief technology officer and a noted computer security expert, wrote on his Twitter feed.

Companies that receive surveillance demands find themselves in an unenviable position. Some, such as Yahoo!, Microsoft, and Google, have either fought surveillance orders in court or petitioned the government to let them disclose more information about what the authorities are asking about the companies' users. But until now, these companies and others, including Internet mainstays such as Facebook that have hundreds of millions of users, have complied with the orders and helped form the backbone of official surveillance.

Companies also know they cooperate at the risk of undermining their reputation and their business. Take the encrypted email service Hushmail, a Canadian company that like Lavabit had marketed itself as a secure system. In 2007, the firm gave over information on three customers as part of a U.S. federal investigation into illegal steroids. Although Hushmail was complying with a court order and a legal assistance treaty between the United States and Canada, its reputation was significantly damaged among its product's core users.

Closing a company is certainly not illegal. But evading an official demand is. What penalties or charges Levison might face depends on what the government is seeking. He could face a contempt proceeding, which could include jail time, if he refused to comply with a court order, said Albert Gidari, a lawyer with the firm Perkins Coie who represents companies on surveillance and communications law.

But the government might also be looking for ongoing or prospective surveillance of Lavabit's customers and access to the company's systems. Given Levison's drastic actions, that is likely the case. Shuttering the company would do little to stop the authorities from gaining access to Snowden's or any other customer's old emails. But going out of business would mean Lavabit couldn't comply with any future surveillance.

"It may be that by shutting down the service, he can't comply, and so it's doubtful he would be held in contempt," Gidari said. But "shutting down the service could be viewed as obstruction of justice, so he isn't necessarily out of the woods yet."

Levison faced two bad options. That helps explain why Silent Circle's executives may have decided to avoid the quandary altogether.

Levison's decision was greeted by some as a heroic act of protest. A fund was set up to help pay for his legal expenses. "We've already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals," he wrote.

But Silent Circle's decision added a new wrinkle. The company appeared to be making a business decision, rather than a legal or ideological one. It had not been served with a government order. Indeed, the company, which was founded by an ex-Navy SEAL and the inventor of the first widely distributed commercial encryption software, says it counts intelligence agency employees and special operations forces as its most loyal customers. Silent Circle has billed its encrypted email service as a way for people with secretive jobs to communicate securely, not as an end run around federal surveillance. (The firm has been known to help privacy-minded journalists stay beneath government radars.) By preemptively shutting down its email service -- and purging all data related to it -- Silent Circle preserves its reputation as a secret-keeper. It will continue to sell its secure phone, text-messaging, and video services.

Companies may also find resisting NSA surveillance a losing battle. Recently disclosed documents show that the agency has the legal authority to collect and store any electronic communication that uses encryption. And if companies are storing email in servers within the government's jurisdiction, they may not be able to make good on promises to users that their communications are absolutely private and secure. In his letter, Levison said, "I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States."

The government has given no indication that it will back down from using surveillance orders to demand all kinds of customer records, from Internet searches to phone logs to email metadata and content. But what Lavabit and Silent Circle have done may mark the beginning of a resistance.

The truth is that for all the government's extraordinary powers under surveillance law and the NSA's global reach, the U.S. intelligence community is largely at the mercy of companies to help it monitor the world's networks. Indeed, current surveillance law was modified a few years ago to give telecom companies that assisted the NSA with warrantless wiretapping legal immunity from prosecution. Officials feared that without those protections, the companies would do everything in their power not to help the government.

If enough companies were to take the drastic step of shutting down, the government would find itself in the dark on potentially crucial intelligence. The likelihood of this happening is still remote. But the fact that two companies would take such drastic measures to preserve their independence and keep the government out of their business may speak to a dawning awareness: While the government may hold the legal power, it is not all-powerful.

[cryptostorm_team]

According to this excellent article by Occupy America, we've got a new addition to the Wall of Honour. Quoting:

Riseup email service issued a statement saying, “We would rather pull the plug than submit to repressive surveillance by our government, or any government.”

Also citing earlier public statements made in the campaign:

Following Levison’s move to shutter Lavabit, encrypted internet service provider Silent Circle has followed suit. Other encryption services have suggested that they would do the same if put in a similar position by the US government.

...

Encrypted chat client Cryptocat stated, “If we receive a surveillance or backdoor order that we are unable to legally fight, we will shut down Cryptocat rather than implement it.”

There will be more news on the part of one of the earliest supporters of the Pledge shortly...

~ Cryptostorm Team

The full text of Riseup's statement is as follows:

Riseup and the recent email provider closures

We have received your emails asking a number of good questions in light of last week’s news about Lavabit and SilentCircle closing down (1). We would like to clearly state that Riseup has never given any user information to any third party. We have never permitted installation of any hardware or software monitoring on any system that we control.

We will do everything in our power to protect the data of social movements and activists, short of extended incarceration. We would rather pull the plug than submit to repressive surveillance by our government, or any government. We are doing everything we can, as quickly as possible, to forge forward with options that would prevent us from having to shut down, in case we are faced with making such a decision. In cooperation with other groups, we are hard at work to develop and deploy a radical new infrastructure that would allow us to provide email in a way that is a thousand times more secure and that would prevent us from having access to any user’s data. We have been working on this for over a year, but we have a lot more work to do before it is finalized.

(1) [en] The Guardian 08-09-13 “Lavabit privacy row: second email service closes ‘to prevent spying’” http://www.theguardian.com/technology/2 ... shuts-down


FAQ

Don’t panic. Here are some questions and answers.


Q: Is Riseup working with the NSA?

A: We would rather stop being Riseup before we did that. We are not working with any government agency. We have never simply handed over information when requested, and for years have had a no logging policy. We have fought and won every time anyone has tried to get us to give up information. We have never turned over any user data to any third party, fourth party, fifth party or any party.


Q: But your servers are located in the U.S., doesn’t that mean you have to install backdoors/monitoring/etc?

A: We have no control over our network providers, but we have physical control of our servers, they are not hosted “in the cloud.” This gives us much more physical assurance of the security of our machines. We would not consent to the installation of any external hardware or software on our network and would end the organization rather than install any. However, once our fiber connections leave our space, they could be monitored. This is not new, and has been our assumption from the beginning. When you send an email to someone with an email hosted elsewhere, we have no control over it once it leaves our servers. Also, the US still has better laws for internet providers than in many other countries, including many places in Europe, where there are data retention laws requiring providers to keep logs. The US has no such requirement and it has been our policy for years to not keep any logs.


Q: How is Riseup different than Lavabit and Silent Circle?

A: These were commercial services whose primary mission was to provide paid private email. Riseup is different in that we are a non-profit whose goal is to support activists and keep them safe. Those companies were for-profit businesses, Riseup is in it for social change!


Q: What if someone (like law enforcement) takes Riseup’s servers?

A: They have in the past! This usually happens when they want logs, we tell them that we don’t have any and then they come and take the machine because they don’t believe us and want to see for themselves. However, all of our servers use full disk encryption, which means they cannot see or do anything with the data on the disks without the keys. Nevertheless, we do not keep IP identifying logs, and store as little data as possible on our users. But this is not just Riseup’s responsibility, each user is responsible for limiting the amount of data that Riseup stores for them!


Q: How can I limit the amount of data that Riseup stores for me?

A: There are several ways

- Account info: When you applied for an account you provided a little information. After you are approved we don’t need this information anymore and you can clean it up. Login to user.riseup.net and review the information that you have provided there and consider what information you have given us that identifies you. For example, if Obama had a secret email address with Riseup and applied for the address using president@whitehouse.gov as his alternate email address, it would be a good idea for him to remove president@whitehouse.gov from his alternate email if he wanted to be able to engage in Constitutionally-protected, anonymous, speech.

- But please note: If you do remove your alternate email, and you later lose/forget your password, it will not be possible for us to reset your password. You will be permanently locked out of your account and will not be able to access your emails. You have been warned!

- Email: If you are not already, consider using an email client that lets you download email via the POP protocol and deletes it from the server. There is no getting around the mail arriving on Riseup’s server, but if you download it and it’s deleted from the server then Riseup doesn’t have it anymore. But note this does have a downside, using webmail or the IMAP protocol does allow you to check email from more than one computer. If you need that ability, one approach might be to move older email offline to a single computer and just check newer things from multiple locations.
Here are some directions for downloading your email: help.riseup.net/downloading-email

- Lists: one of the nice features of having a mailing list is having a message archive. But if the idea of someone you don’t want getting access to that archive scares you, then it might be better to do without an archive or periodically move the archive to a more secure location. But don’t forget that any subscriber to your list gets a copy of every message, so even if you have the archives removed, there is nothing that prevents subscribers from leaking those messages! More info at: help.riseup.net/en/archives#downloading-archives

- Ask yourself: where are the important emails, documents, and manifestos of your group stored? Do you have a good place for them for people to find when you are gone and people want to write the history about how you changed the world? If they are only stored in Riseup, that isn’t good. Download them and put them somewhere safer! We are birds, so we like eggs, but we don’t like people putting all their eggs in our basket.

Q: Will Riseup services last forever?

A: While we are committed to doing everything in our power to protect the data of social movements and activists, short of extended incarceration, we would rather pull the plug than submit to repressive surveillance by any government. We would be really sad to see Riseup go, but if we are forced to, we would rather it go away than to betray your trust and compromise the activist community. With this in mind, you should be sure you are prepared in case something does happen, such as downloading and archive your email on your own computer!


Q: What about child porn, drugs, corruption, etc. Would you fight law enforcement requests for users doing these things?

A: Those things violate Riseup’s Terms of Service and, unlike some more “American Libertarian” service providers, we do not exist to provide privacy for doing anything you want. We would close the accounts of people doing those things and the collective may even decide to cooperate with law enforcement rather than set all the servers on fire and destroy the organization, and your email.

[privangle]

Very interesting and encouraging texts for privacy engaged people!

When I was reading the thread, I thought about something: if ever the pressure from NSA or ~approaching powers~ becomes a real thing for you what I wish will never happen (!!), don't hesitate to ask publically a financial participation. Little contribution from many people can help to finance lawyer support if members of yours gets in real trouble or are threatended, intimidated etc.

I agree with your engagement and your considerations about the asymmetric war of defending privacy and secure communication. We are placed thousand of kilometers over the earth and it's good not to feel alone.

[marzametal]

https://www.startmail.com/#section-why

[andyson]

This weekend, we were fortunate enough to capture a CIN footprint at work, and we're documenting it here in this thread

!	Message from: parityboy
	Spam link removed.

[harry56]

My sense is that, thus far, we've done a suboptimal job of explaining what voodoo really is. Not for lack of trying, mind you... I suspect instead that we're too close to the operational side of it, within the team, to step back and put it into words in a way that's really useful.

!	Message from: parityboy
	Removed spam link.