Late last year, popular activist-focused email service Riseup failed to update its warrant canary. At the time, no additional information was provided. But the move raised suspicion, as warrant canaries are cryptographically signed messages that, when not updated per an expected schedule, are intended to warn users that a company or service is facing some sort of legal battle, but is also under a gag order and can't address it publicly.On Thursday, Riseup clarified what happened. The FBI had served two warrants onto Riseup, which the service complied with. In response, Riseup said it is now implementing encrypted storage so it won't be in a position to handover useful data again."After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization)," a Riseup statement reads. ("Riseup birds" are volunteers that help maintain the service.)To be clear, those warrants did not relate to activism. According to Riseup, the first concerned the contact email address for a DDoS extortion ring, and the second was related to a ransomware campaign."Extortion activities clearly violate both the letter and the spirit of the social contract we have with our users: We have your back so long as you are not pursuing exploitative, misogynist, racist, or bigoted agendas," Riseup's statement continues.Riseup was unable to inform its users of the warrants because of related gag orders, although it did say in a November 2016 interview with The Intercept that the case did not concern a National Security Letter—controversial legal demands for data that the FBI often uses.Regardless, this event has inadvertently shown that Riseup's warrant canary was perhaps not phrased in the best way."A Canary is supposed to signal important risk information to users, but there is also danger in signaling the wrong thing to users or leading to general fear and confusion for no good reason," the statement adds. Now, the canary has been tweaked to only apply to "significant events that could compromise the security of Riseup users."Most importantly, Riseup is now going to store user emails in such a way that, theoretically, even the service's administrators won't be able to read their contents."Starting today, all new Riseup email accounts will feature personally encrypted storage on our services, only accessible by you," the statement reads.This isn't end-to-end encryption: your data may still be read if intercepted in transit. But it should protect user emails if a server is physically seized, or if Riseup is legally compelled to hand over info.
Advertisement