How can the ToS ("Refraining from certain activities") be enforced while staying true to the (anti-surveillance) privacy policy?

Anonymous wrote...
Hello, the privacy policy states that riseup can't read mail sent to/from riseup emails ("as of March 2017, the storage for all new accounts is personally encrypted. Riseup is unable to read any of the stored content for these accounts"). However, the ToS states that it terminates accounts which do one of a number of activities, such as sending a virus.

How is this possible for riseup to do if they can't and don't read user emails?

This was originally posted as a ticket (https://support.riseup.net/en/ticket/ncrZMjO3VFax9Ggr), I meant for it to be public.
Upvote | 1
Mirlos replied...

Hi there,

Thanks for the question, it is a very good and valid one.

What we use is an encryption model that stores all incoming email as encrypted files using a secret key derived from the user's password (more tech details available at https://0xacab.org/liberate/trees). This technology is only intended to be used for mail at rest, once the messages have already landed on our server and need to be stored.

That means that we send and receive the emails in clear text, as email standards actually force us to do between mail providers (unless PGP is in use). While the mail is in transit we apply many filters to control and prevent abuse such as spam. That is one of the ways we use to control email service abuse.

Although it would be ideal for us, there is no way not to have access to the mail content in transit. The only exception to this is the use of end-to-end encryption technologies such as PGP, which would prevent us from reading the content of emails at all (but we would still be able to read the email headers).

I hope this helps you understand the limits and controls implemented on our platform.

Upvote | 0
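The reply above describes the split between mail in transit (cleartext, filterable) and mail at rest (encrypted, unreadable by the server). The following Go program is an added illustration of that split and is not riseup's or Trees' code. It follows the layout the Trees project documents: each account has an X25519 key pair, incoming mail is encrypted to the account's public key at delivery time, and the private key is stored wrapped under a key derived from the user's password. Everything else is an assumption made for the demo: PBKDF2-SHA256 stands in for the memory-hard KDF a real deployment would use, `LooksLikeSpam` is a placeholder for the delivery-time filters, and the sample messages are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// pbkdf2SHA256 is a minimal one-block PBKDF2 (RFC 8018) built from the standard
// library. It is the password-to-key step only; a real deployment would use a
// memory-hard KDF such as argon2 or scrypt. Illustration, not Trees' KDF.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce to an AES-GCM ciphertext; open reverses it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// messageKey derives a per-message AES key from the ECDH shared secret and
// both public keys (a simplified KDF; assumption for the demo).
func messageKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

// Mailbox is what the server keeps for one account: the public key (enough to
// encrypt mail while the user is offline), the private key wrapped under the
// password-derived key, and the encrypted messages. No password, no plaintext.
type Mailbox struct {
	pub         *ecdh.PublicKey
	salt        []byte
	wrappedPriv []byte
	stored      [][]byte
}

func NewMailbox(password string) (*Mailbox, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	kek := pbkdf2SHA256([]byte(password), salt, 10000)
	wrapped, err := seal(kek, priv.Bytes(), []byte("private-key"))
	if err != nil {
		return nil, err
	}
	return &Mailbox{pub: priv.PublicKey(), salt: salt, wrappedPriv: wrapped}, nil
}

var ErrRejected = errors.New("rejected by delivery-time filter")

// LooksLikeSpam stands in for the transit filters: it can only run here,
// while the message is still in the clear. Hypothetical rule for the demo.
func LooksLikeSpam(msg string) bool {
	return strings.Contains(strings.ToLower(msg), "x-spam-flag: yes")
}

// Deliver is the server side: filter the cleartext, then encrypt to the
// account's public key with an ephemeral X25519 key. After this the server
// holds no key that can reverse the operation.
func (m *Mailbox) Deliver(msg string) error {
	if LooksLikeSpam(msg) {
		return ErrRejected
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	shared, err := eph.ECDH(m.pub)
	if err != nil {
		return err
	}
	ephPub := eph.PublicKey().Bytes()
	sealed, err := seal(messageKey(shared, ephPub, m.pub.Bytes()), []byte(msg), nil)
	if err != nil {
		return err
	}
	m.stored = append(m.stored, append(ephPub, sealed...)) // ephemeral pub key travels with the blob
	return nil
}

// Read is the user side: only the password unwraps the private key.
func (m *Mailbox) Read(password string) ([]string, error) {
	kek := pbkdf2SHA256([]byte(password), m.salt, 10000)
	privBytes, err := open(kek, m.wrappedPriv, []byte("private-key"))
	if err != nil {
		return nil, errors.New("wrong password: private key stays sealed")
	}
	priv, err := ecdh.X25519().NewPrivateKey(privBytes)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, blob := range m.stored {
		ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
		if err != nil {
			return nil, err
		}
		shared, err := priv.ECDH(ephPub)
		if err != nil {
			return nil, err
		}
		pt, err := open(messageKey(shared, blob[:32], m.pub.Bytes()), blob[32:], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

func main() {
	mb, _ := NewMailbox("correct horse battery")
	fmt.Println("legit:", mb.Deliver("Subject: hi\r\n\r\nhello"))              // nil
	fmt.Println("spam: ", mb.Deliver("X-Spam-Flag: YES\r\n\r\nbuy now"))       // rejected
	_, err := mb.Read("wrong password")
	fmt.Println("wrong password:", err)
	msgs, _ := mb.Read("correct horse battery")
	fmt.Printf("stored blobs: %d, readable with password: %q\n", len(mb.stored), msgs)
}
```

Two things the run makes visible: the filter can only act in `Deliver`, before `seal`, which is the "in transit" window the reply refers to; and the stored blob is never readable by the server afterwards because the only copy of the private key is wrapped under the user's password. A password-only scheme (deriving the storage key directly from the password at delivery time) would not work for offline delivery, which is why the public-key layer exists.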
Anonymous replied...
Thanks for the reply. I have some further questions now.

1. When you write "many filters," what kind of filters do you mean?
2. Does riseup, for example, compare image and executable files against those in existing databases?
3. At any point, are users' files uploaded to 3rd party servers for them to check the files against existing databases?
4. Lastly, are there any cases where you do more than ban a user's account -- does riseup, for example, ever report people to law enforcement?
Upvote | 0
Mirlos replied...

Hi again,

I won't go into detail here, but the filters we apply are only used to control spam abuse and we do not share data with any external service. You should bear in mind our purpose and our motives (https://riseup.net/en/about-us#riseups-purpose), in order to get an idea of the approach we take regarding our users' security and privacy.

Take care.

Upvote | 0