Riseup email service sparks concern after warrant canary 'expires'

Warrant canaries are useful but flawed when not implemented properly.
Written by Zack Whittaker, Contributor


Questions remain about the status of encrypted email and messaging service Riseup.net after several users this week noticed that the service's warrant canary had apparently expired.

Discussions on both Hacker News and Reddit have led some to believe that the service, which is popular with activists and journalists, has been served with a secret surveillance order, because its warrant canary -- issued quarterly -- had not been updated before the three-month deadline.

These warrant canaries are displayed publicly, usually on a webpage. When removed, they can silently indicate the company or service has received a secret surveillance order and has been prevented from telling anyone.

Such canaries or statements were first issued in the wake of the Patriot Act, following the September 11 attacks.

Riseup's last warrant canary says that, as of August 16, the service "has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order by a FISA court, or any other similar court of any government." It also said that the service "has never placed any backdoors in our hardware or software and has not received any requests to do so," and that it has "never disclosed any user communications to any third party."

The warrant canary's signature is still valid, but there have been no updates to the warrant canary.

Riseup says that it updates the warrant canary "approximately once per quarter."

Either the last quarter of the year started on October 1, and it has until December 31 to update the warrant canary -- or, as some have interpreted, the quarter represents a three-month period beginning on the day of the last warrant canary.

Because the company missed that November 16 deadline, some have expressed worry about the status of their accounts.

For the past week, ZDNet has been trying to figure out what's going on. (Motherboard was first to report the story.) We reached out to Riseup co-founder Micah Anderson and legal officer Devin Theriot-Orr, but we did not hear back.

The service said in a cryptic tweet earlier in the week that the service has "no plans on pulling the plug," and that it only would if it was subject to "repressive surveillance."


Riseup clarified in a tweet late on Friday that there was "no need for panic" and that its systems were "fully" under its control.

But the service added that more details were to come -- without specifying what or when.


Some didn't find the message so reassuring.

"So then what the f**k does it mean? Are you folks compromised or not?" said one reply. "Stalling unless canary is updated. Just saying. You guys are doing this wrong if you're serious about you not being compromised," said another.

Many companies use warrant canaries -- including Apple, GitHub, and Reddit, which famously removed its statement of reassurance after, it was assumed, it had received a secret gag order.

And while tech companies can easily issue warrant canaries thanks to a free-to-use tool released last year, there's no consistency across the board when it comes to timing and updating.

Given that you can all but guarantee that at least a handful of avid users will be keeping an eye on it, it's always a good idea to keep your warrant canary up to date. At the very least, set a specific date to release the next one, rather than a vague and approximate time.
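The two readings of "quarterly" described above, and the effect of publishing a specific next-update date, as an added example (not code from Riseup or from the tool mentioned in this article). The function names, the year 2016 and the check date are assumptions; the article gives only the August 16 and November 16 dates.

```python
import calendar
from datetime import date, timedelta

def add_months(d, months):
    """Same day-of-month `months` later, clamped to that month's last day."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def rolling_deadline(issued):
    """Reading 1: three months from the day the last canary was issued."""
    return add_months(issued, 3)

def calendar_quarter_deadline(issued):
    """Reading 2: last day of the calendar quarter after the issuing one."""
    quarter_start = date(issued.year, 3 * ((issued.month - 1) // 3) + 1, 1)
    return add_months(quarter_start, 6) - timedelta(days=1)

def canary_status(issued, today, next_update=None):
    """Return 'fresh', 'ambiguous' or 'expired' for a canary on `today`.

    With a published `next_update` date there is exactly one deadline.
    Without one, the two readings of "quarterly" can disagree, and the
    days between them are the window in which readers cannot tell.
    Signature validity is a separate check: a valid signature on an old
    statement says nothing about freshness.
    """
    if next_update is not None:
        return "fresh" if today <= next_update else "expired"
    early, late = sorted((rolling_deadline(issued), calendar_quarter_deadline(issued)))
    if today <= early:
        return "fresh"
    return "ambiguous" if today <= late else "expired"

if __name__ == "__main__":
    issued = date(2016, 8, 16)      # month/day from the article; year assumed
    checked = date(2016, 11, 25)    # constructed check date
    print(rolling_deadline(issued), calendar_quarter_deadline(issued))
    print(canary_status(issued, checked))
    print(canary_status(issued, checked, next_update=date(2016, 11, 16)))
```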
