As Elijah wrote, the point of riseup is to serve a specific constituency. The point is not to help the general public encrypt their email.

On Oct 18, 2013 1:30 PM, "Jonathan Wilkes" <[email protected]> wrote:
> On 10/15/2013 06:47 PM, elijah wrote:
>
>> On 10/15/2013 03:07 PM, Yosem Companys wrote:
>>
>>> If you have any thoughts about Riseup, whether
>>> security/privacy-related or otherwise, I'd love to hear them.
>>
>> I think I am the only person from the Riseup collective who is
>> subscribed to liberationtech, so I will reply, although what follows is
>> not an official position or response from the collective.
>>
>> We started when it was impossible to get even simple IMAP service that
>> was affordable. Very early on, it became apparent that one of the
>> primary issues facing our constituency (social justice activists) was the
>> rapid rise in abusive surveillance by states and corporations.
>>
>> Riseup does the best it can with antiquated 20th century technology.
>> Without getting into any details, we do the best that can be done,
>> particularly when both sender and recipient are using email from one of
>> the service providers we have special encrypted transport arrangements
>> with. Admittedly, the best we can do is not that great. And, of course,
>> our webmail offering is laughably horrible.
>>
>> Riseup is not really a "US email provider". The great majority of our
>> users live outside the United States, and email is just one of many
>> services we provide.
>>
>> There has been much discussion on the internets about the fact that
>> Riseup is located in the US, and what possible country would provide the
>> best "jurisdictional arbitrage". Before the Lavabit case, the US
>> actually looked pretty good: servers in the US are not required to
>> retain any customer data or logs whatsoever. The prospect of some shady
>> legal justification for requiring a provider to supply the government
>> with their private TLS keys seems to upend everything I have read or
>> been told about US jurisprudence. Unfortunately, no consensus has
>> emerged regarding any place better than the US for servers, despite
>> notable bombast to the contrary.
>>
>> As a co-founder of Riseup, my personal goal at the moment is to destroy
>> Riseup as we know it, and replace it with something that is based on
>> 21st century technology [1]. My hope is that this transition can happen
>> smoothly, without undue hardship on the users.
>>
>> As evidenced by the recent traffic on this list, many people are loudly
>> proclaiming that email can never be secure and it must be abandoned. I
>> have already written why I feel that this is both incredibly
>> irresponsible and technically false. There is an important distinction
>> between mass surveillance and being individually targeted by the NSA.
>> The former is an existential threat to democracy and the latter is
>> extremely difficult to protect against.
>>
>> It is, however, entirely possible to layer a very high degree of
>> confidentiality, integrity, authentication, and un-mappability onto email
>> if we allow for opportunistic upgrades to enhanced protocols. For
>> example, we should be able to achieve email with asynchronous forward
>> secrecy that is also protected against meta-data analysis (even from a
>> compromised provider), but it is going to take work (and money) to get
>> there. Yes, in the long run, we should all just run pond [2], but in the
>> long run we are all dead.
>
> The first thing you should do is remove the social contract from your
> registration page. It's creepy and (should be) completely at odds with
> your privacy policy. (That is, it should read "even _we_ can't ban you
> from using our service to talk about the following things in confidence
> with others...")
>
> Furthermore, every single bullet point is ambiguous and would be
> subject to a flame war if I posted them here. That is, they are so
> wide open that people could reasonably take an opposing view for
> any or all of them, in good faith or bad.
>
> Personally, I agree with Riseup's position on those bullet points
> (assuming I understand them the same as you). But I disagree
> with requiring people to answer them if they want to try to be
> safer when they use the internet.
>
> Essentially, a requirement to click such a button is asking people to
> lie to themselves in order to use your service. Even the Pope and
> the military have seen fit to stop making people do that.
>
> Best,
> Jonathan
>
>> -elijah
>>
>> [1] https://leap.se/email
>> [2] https://pond.imperialviolet.org/
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> [email protected].
