Pramen: Hi, how are you doing?
Riseup: Hi, could be worse!
Riseup is one of the oldest activist tech collectives. Can you tell us a bit how the whole thing started?
Sure… we had some neoliberals organizing a WTO conference in Seattle, and a couple of us were involved in organizing the counter protests. It quickly grew to be something massive, with people coming far in advance to organize all kinds of different resistance, from direct action, independent media, to educational lectures. This was when people were just starting to get cell phones, and email, and were struggling to figure out how to use technology in a useful and safe way. There were only three of us who knew anything about technology, so we were running around the city helping everyone get setup, fix things, and teach them how to do things. Many of the protesters didn’t have email accounts, but organizers did. Email, and push-to-talk phones were the cool tech to use. Unfortunately, email from Microsoft (hotmail) and phone technology from one sponsor of the WTO didn’t mesh well with the activism. It wasn’t our technology, and it wasn’t safe from police. We had the skills to provide email in a much safer way for movements, and once we finished shutting down the city and freaking out the elite by surrounding them in their convention center, we decided to build our own mail server and give access to activists. We knew that movement run infrastructure would be more in line with our ideals, and would provide protections that corporate aligned providers would never care to do.
It’s hard to describe today, but we were weird, we still are. There was no local tech scene to plug into, there was nobody else doing this, and we had to figure it out on our own. Much later we discovered that there were similar weird growths like ours happening in Germany and Italy around the same time.
What was the reaction of the local non-tech scene? Did everybody rush to you to get account or stayed with their AOL and whatever email provider people were using back than in 1999?
Quite a lot of the more radical organizers involved in the WTO got accounts with us, and some of them still have them. The more mainstream organizers didn’t get it, and that was fine with us. We wanted to find ways to provide aid and resources to the movements we were aligned with and not waste them on those who we didn’t agree with. We also wanted to find a way to scale our support. There were, and still are, more issues that we care about than we can devote ourselves to, so coming up with this project was a way we could help all movements at once.
We quickly found out that our ability to be reliable and stable impacted those people’s ability to be effective activists. We couldn’t just do this half assed, we had to do it all the way. If the server was down, then people could not communicate, and if people could not communicate, they couldn’t organize. As a result we worked to improve our ability to respond to failures and fix things quickly.
For example, we had a server in a dusty basement, and the machine kept turning off and we didn’t know why. After many trips back and forth to try and figure out what was going on, we discovered that a well-meaning, tree-sitting environmental activist was crashing on a couch at that house. She would go turn off the computer to save energy. We realized that to improve our ability to provide reliable services to all activists, we had to find a way to host servers in a more controlled environment.
How fast people from abroad started using the service?
Hard to say, but as some of us were deeply involved in Indymedia, and Indymedia had connections around the world, we quickly became internationalists. Our Brazilian Indymedia contacts did security trainings where they recommended us, and connected their friends, suddenly we had tons of brasilians and then it just took off around the world, we were getting tons requests from everywhere. We had no awareness of the political context in many parts of the world and had difficulty knowing if we should approve accounts for groups when we had no idea if their politics was something we wanted to support. Because of our international connections through Indymedia, we were able to ask people in those different parts of the world about different movements in their countries and ask them to help us determine if we wanted to spend our limited resources on them. It was critical that as more people abroad started using the service, that we developed more connections abroad to help us stay focused on using our resources for the political projects that we wanted to support. If we stayed as a myopic group of people in Seattle, we’d just be overrun, so it was important for us to grow our own international connections as our users also grew internationally.
What were the challenges of running political tech collective at the beginning of 2000s?
There were a lot of challenges!
We were alone, we were trying to figure out how to create a useful, and reliable service with free software. We didn’t have all the resources that are available online to help now days. There were no guides, no help forums, searching for answers to problems was useless. We had to spend absurd amounts of time trying things and failing. When we finally got something that worked, we documented it in meticulous detail. We created what was called the Grimoire. It was a detailed guide for setting up a mail server. We published this so others could learn and replicate what we did. There was nothing like it on the internet, and we still get comments today from people who say that this was critical for them.
We had no resources, and so we learned to squeeze every last drop out of everything we had. This made us very efficient, and independent. When the US Government led Internet Freedom Industrial Complex was created to fund technology, we were already well-established and self-sufficient, so we didn’t need to become dependent on the whims of the government, grantlyfe, or other sources of potentially problematic funding.
The work was overwhelming, and we struggled with burnout, some people developed chronic health conditions because of the stress.
The FBI story
Several years ago you had a warrant from FBI with a gag order to it. From one side you didn’t update the canary and people were concerned, but from the other side there was even a tweet trying to calm the community saying that everything is fine. Why did you decide to do it like that and not in any other way?
That whole canary thing was traumatic for us. We were facing indefinite jail time and fines up to $10k USD per day. It was also a holiday so all of our lawyer connections were not available. So it was very difficult to make a clear statement, that would not jeopardize us.
We had to weigh the situation. We are responsible for protecting activists and their data… this was a heavyweight on us. We have underground abortion activists in Chile depending on us, we had a comrade in a foreign jail whose lawyer was using riseup to communicate with his family and friends, we provide lists for groups organizing refugee support, a huge amount of the german anarchist scene depends on us.
We also regularly kick out people who are defrauding, spamming, extorting people, fascists, misogynist, racist abusers who violate our social contract. The warrants we received were for those types of people (denial of service extortion and ransomware). These weren’t the type of people we were providing the service for in the first place (but of course we had to do an internal investigation to determine this, because we cannot trust the police when they tell us this).
Once we determined that the data we had was nothing, our choice was fairly stark: punish all the activists who depend on us by making a hard stance against the police and destroying riseup, and put ourselves in jail…. or provide the minimal, and quite useless information that we did have. If we picked the first option, we’d be doing this to protect people who are actively trying to exploit our own users, and are violating our social contract. Should we would disrupt the organizing efforts of so many important issues, cause serious communication problems for people around the world doing hard work for social change, when we had nothing useful to give to the police about people who were violating our social contract?
This would be against our core purpose. Part of agreeing to protect people’s data is that they also enter into an agreement with us to not abuse our trust or our values, these users were not adhering to that agreement.
You gave away information about the people from FBI warrant to the government. In your text you were arguing that this was done to save the collective from repressions and prevent its destruction. I can imagine that this would be quite a controversial move. What was the reaction of the community on that?
We built trust in the community for more than a decade, and the nuance of this issue destroyed that trust very quickly. Many people did not understand it and were angry and left, this hurt. The effects of this still are out there, activists decide to go with protonmail because they heard that riseup cooperates with the government. Yeah, if people only knew the actual truth… The details of this are lost and the conclusions are different than if they were not. Being able to communicate nuance and details when everyone wants to understand things in 140 characters, when being drown out by conspiracy theories was disheartening. It felt like people felt like the correct revolutionary strategy was to burn down reliable activist infrastructure that took more than a decade to build, just to protect projects that engaged in capitalist exploitation. What the actual fuck?!
Since then you removed from your canary any information on warrants. Why did you do that?
Even though we felt we did the right thing, we didn’t feel good about it, and the canary made things much worse than it should have been, so we took several steps to mitigate these issues in the future, one was to change how we did the canary.
Around the time the canary was due to be updated, we received two warrants from the FBI that had “gag” provisions attached to them. The gag provisions have since expired, so we can talk about them freely now. Because we weren’t sure what we could say, and because we also did not want to lie, we had to not renew the canary statement. The canary at that time was so broad that any attempt to issue a new one would be a violation of the gag order.
A canary is a signal that it is time for people to worry, that there is a risk we’ve been compromised. But the canary statement was so broad that we were forced to signal something major happened, when actually nothing major did happen. People did not need to worry, there was NO risk that we’d been compromised, but because we did not want to lie and just renew the canary, we took the ethical position at our own peril. This lead to general fear and confusion for no good reason. The current canary is limited to significant events that could compromise the security of Riseup users.
What kind of information did the FBI get from you (Metadata? Content of the mailbox?).
Fortunately, we’ve had a long-standing policy of not collecting any data on our users. We have spent significant effort in developing software to minimize this data, as most things come out of the box with maximal logging. We already were not keeping IP logs, or asking users for any personal information. This work has covered us for all legal demands we ever received. Most of those demands are for meta-data that includes logs, and subscriber identity information. We designed our systems to not include any of that information and have made that public that this is our policy.
We already had fully encrypted disks, and all of our services are encrypted, but the one area we did not have protected (at that time) was the contents of people’s emails. There were two reasons why: 1. legal requests for the contents of communications are very difficult to obtain, and so very uncommon. 2. encrypting people’s emails in a way that made it so we did not have access to them was difficult to do right and we had to develop this ourselves as there was nothing out there that existed.
There were two accounts they wanted information on. The first one was just a mailbox that was full of spam and viruses that had accumulated in their account, they didn’t have anything other than that… so nothing at all interesting or useful for them. The other was the ransomware one, and its email was full of people begging the ransomware person to decrypt their personal data, or swearing at them for screwing them. We had no personally identifiable information, we had no logs, or IP addresses. We did have that mail, in cleartext, but it wasn’t anything that we should burn the whole thing down over. It’s really too bad that people thought we should have burned it all down for that.
Did you change something in your infrastructure since? Do you still believe that this was a proper decision?
We have been using full disk encryption for over a decade now. This means that you cannot just come and take our servers and access the data. Only riseup has access to decrypt these disks.
When the FBI demand happened, we were in the final stages of testing our encrypted mail system. This is another layer on top of our disk encryption. We had been working on this for years, and we were less than a month away from turning it on. Since then we’ve enabled that for all new users, and old users can turn it on as well. The emails can only be unlocked and read using your password. This means that Riseup does not have access to the plain-text versions of your email. We cannot read them, nor can we decrypt them in order to provide them to anyone who might wish to force us to. With this system, we’ve raised the legal bar, because the emails that we have stored are all encrypted, so we cannot provide them in response to a search warrant.
We have continuously iterated on improving our privacy protections since then. We used to keep a ‘last login’, to help us find inactive users, but because this information could be requested, we made that not be specific and instead only tells us if someone has logged in sometime in the last three months.
This system also only protects the email that we have stored on our servers, not all email is encrypted in transit, it is only encrypted to those providers that support it, and many do not (of course, we do). Also, when you send an email, even when you use openpgp, the meta-data (the subject, who you are sending it to, from where it is sent, and the time it was sent) all leak. Even using openpgp is not perfect, it is easy to screw up. When you are using secure mail, you don’t want to accidentally compromise your confidentiality and that of the people you communicate with. These are really hard problems to solve, we have been trying to eliminate these meta-data leaks, while making encryption safe and easy to use.
This system is not perfect. It is still possible to get what is called a title-3 wiretap order, with a technical assist modification. However,the EFF and ACLU and other civil liberties legal organizations still not aware of any case where the government has forced a technical assistance (that means modifying the system to bypass the encryption). If we received one of these, it would be a huge deal, and it is the legal fight that civil liberties organizations want to have. The FBI wants this, but they are going to try and get it through a company like Apple, not through us… and when they do that, everyone will know about it.
We believe we acted according to our principles and according to how we understand the situation we believe we did the right and ethical thing. Our deal with our users is we will protect them the best we can, provided that they don’t make us complicit in exploitative activities that are against our values.
Since then did you get any more warrants from FBI?
We did actually have the FBI come and take one of our servers before this. We even have video of it, very Men In Black. This server was fully encrypted and didn’t actually have any riseup data on it (it was used to host an italian organization).
We have been contacted by the FBI since, but none of the requests were for anything that we had access to, so we respond telling them that we do not have any responsive information (if we don’t respond, we will jeopardize the organization).
Did the situation with repressions against users change since 2016? Does collective itself face any repressions from the state?
The collective more or less tries to stay under the radar and not make a lot of noise about who we are so we can avoid repression like this. Since 2016, probably the biggest changes has been the rise in antifa movements in north america, and the corresponding responses to them, interestingly these aren’t specifically, or obviously, state initiated.
Which other states tried to get user information from you? Did you provide any of those requests with information?
We regularly get legal requests from all around the world. We are not required to respond, and so our policy is to not. So the answer is no, we have provided no information to any of these requests. We don’t want to go into detail about which other states and how often, because we don’t want to give them the clues they need to escalate their attacks, especially because this strategy works.
This strategy is what we call a techno-legal strategy. We have a very good grasp of the legal requirements of the US, and very good connections with legal entities like the EFF and the ACLU who have helped us understand how we can follow those correctly, while still protecting our users. We know exactly the legal line we can walk, and we protect our users by not collecting the metadata, and using encryption for everything else. Encryption that we do not have the keys to decrypt. In the US, we are not required to keep logs, metadata, or personally identifying information. If we have it, we can be forced to turn it over, so we simply do not have it.
Tech stuff
Today riseup provides people with emails, lists, jabber, vpn, crabgrass, etherpad and share.riseup.net. Are there any plans to go further?
Yes, but we have to balance our ability to maintain what we have now with the resources we have, with anything new. It’s easy to setup new things, but it is hard to maintain them in a reliable way for a long time. We are also not really interested in setting up things where we collect unencrypted data for people who depend on us for ‘privacy’, it’s just not a tenable option.
We looked into launching our own geo-synchronous satellite, but it turns out it is a lot harder than just coming up with the idea.
There is a lot of misunderstanding among non-tech activists about what is encrypted and what is not on riseup. Can you please specify which information can you see on your side and which information you save on the server if:
I have an email at riseup.net
When you create an account, we retain the date you registered (rounded to the nearest quarter year). Account request information is removed after four months, and invite status is removed after one month. If you choose to set a reset email address, we retain this record but in a format that is unreadable by us (it is stored in a hashed digest, similar to how passwords are stored).
While currently logged in, we keep a temporary session identifier on your computer that your software uses to prove your authentication state. This is erased immediately after you log out or the session expires. We do not use any third-party cookies or tracking of any kind.
To detect when our servers are under attack, we keep a log of the “from” or “to” information for every message relayed, but note that this does not include IP addresses. These logs are purged on a daily basis.
We keep a record of the quarter and year of your last successful authentication (in order to be able to disable and delete dormant accounts). We do not record the time or day of the last log in. For example, this information looks like “Q3 2018”.
We have your email on our systems, but it is stored encrypted by a key that can only be derived by your password. Basically we have this lockbox, inside is your secret key to unlock your email. We cannot open that lockbox, you need your password to unlock the lockbox.
All of our disks are fully encrypted, so unless they are unlocked, they are completely scrambled.
I have a mailing list at riseup.net
We have the same ‘to’ and ‘from’ data as email accounts, that only sticks around for less than a day.
Our list system is older, and doesn’t have the level of encryption that our mail has, so list archives are stored in a way on our servers where we can read them. However, they are stored on encrypted drives.
We also have access to the list configuration, which includes who is the moderators, who are the subscribers.
I have an account at we.riseup.net
The data here is pretty limited, to the point where we have a bit of problems with dealing with it. We don’t know last logins, and we don’t have any creation date information. There are files and associations with users that are in the database, but it’s difficult enough to detangle that we do not know how to do it.
I uploaded a file at share.riseup.net
We have encrypted versions of these files on the encrypted file system. We cannot decrypt these files. We have some web server access logs, which are IP anonymized, and are not kept around for very long.
I am using jabber with riseup.net account
We have have not enabled any additional jabber functionality that would store more information. However, for basic service, we have some details in the database of users, and probably their ‘buddy lists’. This service is not very well used, and we are considering discontinuing it because we’d rather not have any of this data.
I am using riseup VPN
We have no data on VPN users. The VPN users are anonymous, they are not tied to a regular user (you do not need a riseup account to use it), and we keep no logs of any VPN activity.
Are there US state regulations that are forcing you to record certain data of the users?
No. Weirdly, in the US, the crazy gun lobby (NRA), has spent a huge amount of money and time since the 60s to make sure that there was no US law that requires that any organization must keep records. They are really, really, against creating lists of people who own guns. They do not want to keep them, and if they have to have them, they will fight to keep the government from having them. Uncomfortably, we benefit from the work that they’ve done, because there is no law, state or federal, that requires us to keep records of users. There are laws that require you to turn over records, if you have them, when legally demanded… but if you don’t have them, you don’t have any obligation to keep them. This includes all meta-data, user registration information, etc.
This is why we consider our approach to be a techno-legal approach. We rely on strong cryptography, and a solid grasp of the legal requirements that we have.
The state really wants to change this, and they are desperately looking for a high-profile test case, where they can win and start to set a precedent. They thought they had a solid chance when the San Bernidino terrorist attack happened. They were sure they could go to Apple and get them to decrypt the iphone, because terrorism… but Apple did not agree to this, and in the end the FBI paid over a million dollars for a zero day exploit instead because they did not want to lose in such a case (as it sets the opposite precedent), so it was better for them not to bring it.
We are confident that our systems require the incredibly rare, difficult and very specific Title III wiretap order, with a technical assist modification. There has never been a successful technical assist modification, and if we get one, we are going to have all of the Silicon Valley civil liberties organizations behind us. We know that they will not bother with us for this kind of test case, because they need to go after some large company, like Apple, in order for it to be a useful precedent to build on. Besides, the technical assist that we’d have to do is not something we even know how to do, if its even possible to do, or if it were done would not jeopardize everyone… also we would not we be willing to do that, even if it were possible, this is the case where we’d rather shut everything down and where our canary would be murdered in a very obvious way.
We have never permitted installation of any hardware or software monitoring on any system that we control, and we are not aware of that every happening (except Snowden-level full-take of the entire internet that the NSA does to everyone); law enforcement does not and has never had access to our servers. We would rather stop being
Riseup before we did that.
Couldn’t the government just make you say that?
Forced speech is actually quite rare in the US legal context. It’s usually only in cases of consumer protection where the government has been successful in compelling speech (e.g. forced cigarette warnings). Nevertheless, no they aren’t forcing us to say anything. We’d again prefer to shut things down, than to lie about that.
Do you own your servers or they are rented from third parties?
We own our servers. We build them ourselves and have full physical control of them.
If you have your own data-centers, what are the measures you take to secure them (no need to point all the traps with nails :)).?
We have a pet dragon who is very hungry.
For many groups it is hard to maintain stable work in a long run. How did you manage to stay together and keep working for so many years?
We are fierce and determined, it hasn’t been easy when there are difficult things to work through. We try to just go slow, and steady and be careful not to burn out. It’s a long game, we cannot do it all immediately, so we have to prioritize and carefully build over time. But it should also be said that it is really hard to stay together and keep working for so many years, we have often failed in many ways, we do not want to give the impression that we have it all figured out. Failing is how we learn and grow. Our core is focused around keeping activists safe, and able to continue to communicate. Any of our own personal issues we might have with each other can still happen, but not at the expense of this.
How do you distribute work inside the collective? Do you have people who are working full time to cope with load or everything is done on a volunteer basis?
We would have a difficult time if we didn’t have people working full time or have a wonderful crew of volunteers. We try not to specialize on tasks, but it happens. We regularly meet to discuss priorities and track tasks that need to happen.
You describe yourself as friendly Ⓐutonomous tech collective. Can you talk a bit about political views of the people inside the collective? Are people in the collective see themselves as anarchists, communists, socialists?
We collectively believe in supporting the movements that use our services. Individually we have different political identities that we don’t spend a lot of time arguing the finer points of. Some people are anarchists, some are anarcho-syndicalists, some are anarcho-communists, none are anarcho-capitalists. We all hate spammers and nazis.
As a collective do you participate in some political struggles. If so which ones? Are there any congresses or gatherings where people can meet you?
No, except for Riseup’s role itself as a mean for movement autonomy. Individually several are involved in local struggles, sadly others don’t have much free time/energy available anymore.
Sometimes people will go to european hacker camps, and are open to meet with people, just follow the stickers!
There are a lot of tech activists who see your collective as an example. What advice can you give them?
Slow and steady, dot your i’s and cross your t’s. Be there for the people you are working with and the movements you are supporting. Feel free to hit us up if you have specific questions about something that might be helpful – whether is about tech, organizational issues or bureaucratic headaches.
Apart from financial help how can people support your collective and it’s work?
Start a collective that supports your local activist scene with their tech needs. The more groups who do this, the less work for everyone!