Questions remain about the status of encrypted email and messaging service Riseup.net after several users this week noticed that the service's warrant canary had apparently expired.
Discussions on both Hacker News and Reddit have led some to believe that the service, which is popular with activists and journalists, has been served with a secret surveillance order, because its warrant canary -- issued quarterly -- had not been updated before the three-month deadline.
These warrant canaries are displayed publicly, usually on a webpage. When removed, they can silently indicate the company or service has received a secret surveillance order and has been prevented from telling anyone.
Riseup's last warrant canary says that, as of August 16, the service "has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order by a FISA court, or any other similar court of any government." It also said that the service "has never placed any backdoors in our hardware or software and has not received any requests to do so," and that it has "never disclosed any user communications to any third party."
The warrant canary's signature is still valid, but there have been no updates to the warrant canary.
Riseup says that it updates the warrant canary "approximately once per quarter."
Either the last quarter of the year started on October 1, and it has until December 31 to update the warrant canary -- or, as some have interpreted, the quarter represents a three-month period beginning on the day of the last warrant canary.
Because the company missed that November 16 deadline, some have expressed worry about the status of their accounts.
For the past week, ZDNet has been trying to figure out what's going on. (Motherboard was first to report the story.) We reached out to Riseup co-founder Micah Anderson and legal officer Devin Theriot-Orr, but we did not hear back.
The service said in a cryptic tweet earlier in the week that the service has "no plans on pulling the plug," and that it only would if it was subject to "repressive surveillance."
But the service added more details were to come -- without specifying what or when.
Some didn't find the message so reassuring.
"So then what the f**k does it mean? Are you folks compromised or not?" said one reply. "Stalling unless canary is updated. Just saying. You guys are doing this wrong if you're serious about you not being compromised," said another.
Given that you can all but guarantee that at least a handful of avid users will be keeping an eye, it's always a good idea to keep your warrant canary up to date. At the very least, set a specific date to release the next one, rather than a vague and approximate time.