Rise Up are a primarily US-based radical tech collective that have provided email and other services to activist communities since 1999. They have strict policies regarding privacy and try to keep as little data on their users as possible. Many people from around the world rely on Rise Up to host their emails securely.
Sadly, there have been some indications that they may have had some legal or technical compromise of their systems. This story by The Intercept has all the important details.
We recommend that if you’re using Rise Up for your emails, you consider that there might be a possibility the service has been compromised. We can’t say for sure based on the current evidence, but frankly it is a bad idea for so many people on the radical left to rely on a single service provider for their critical infrastructure.
Unsurprisingly, the Investigatory Powers Act was just passed by the UK parliament which authorizes extensive sharing of surveillance data between government agencies. Even if there is no reason to suspect that you’re under active surveillance, selecting and supporting service providers who are not based in the UK or a nation state that’s part of the Five Eyes surveillance network can only be a good thing.
We also need to diversify our tactics, especially when we know that unions have always been a target of state surveillance. While using PGP and Tor with email can be effective, they are not that easy to configure. Email was simply not designed with security or privacy in mind. Unless you really know what you’re doing, it’s a good idea to treat all email as potentially public information. Cast your mind back to what happened to a certain US presidential candidate recently.
Using a modern open source encrypted messenger such as Signal, which is painstakingly designed to protect your privacy, is a much more pragmatic idea. Signal messages use end-to-end encryption. This means that, due to strong mathematics, the content of your messages can only be read by the sender and recipient. This is enabled by default between all Signal users.
That means that even if the Signal servers were compromised, no content of any user’s messages could be decrypted. Open Whisper Systems, who design Signal, also pledge to keep minimal logs, which was confirmed when they recently received a subpoena and weren’t able to hand over any useful information about the user.
Remember that security is a process, not a product, and there are some reasonable steps you can take today to mitigate the ongoing Rise Up situation.
Update: We’re glad Rise Up has started to tackle this issue. You can see the danger of gag orders/warrants. It’s important to choose a provider that provides encrypted email storage: https://riseup.net/en/about-us/press/canary-statement
Some alternative email services that you might consider:
Posteo (Commercial service)
Proton Mail (Commercial service with free tier)
Kolab (Commercial service)
Mailbox (Commercial service)
Use Signal for easy end-to-end encrypted messaging and voice calls:
Signal Messenger (Android/iOS/Chrome App)