Review of the Riseup anonymity service.
Riseup.net is a provider of several different online tools focusing on anonymity, privacy, and freedom of speech. This includes email, chat, and VPN service. "Antifa" activists in Seattle are its creators. As opposed to some email providers who scan your messages for data and use it for advertising or other nefarious purposes, Riseup emphasizes the preservation of your confidentiality.
Riseup is available on both the clearnet and through Tor, and is free to use. It is also available on multiple platforms.
Riseup also features a number of other Tor hidden services (such as XMPP), all of which are listed here: Tor - riseup.net
At present, all Riseup services are free. Previously, they had offered a premium service called Riseup Black, but this has since been discontinued.
Riseup offers a number of different services, including:
Email client - Riseup offers an encrypted email service available over both the clearnet and Tor. You can access it several ways: it has a web client at mail.riseup.net, Tor onion services at http://zsolxunfmbfuq7wf.onion/ and http://5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion, and it can also be configured to work with email clients like Thunderbird, Evolution, Claws, and Mutt.
Unlike some other email services, if you forget your password on Riseup, the only way to retrieve it is with a recovery code. Riseup will send you the recovery code, and it's up to you to remember it and keep it in a safe place. Unfortunately, if you lose this code, there will be no way to recover your login information. This is very similar to the master password on some password managers, like KeePass.
Lists - These are mailing lists dedicated to a number of different social, political, and educational topics. Subjects include "Alternative Agriculture," "Legal Activism," and "Health Care." It's worth noting that not all of the lists are in English; others include Italian, French, German, and Spanish. Still, there's a high likelihood that you'll be able to find a list that's suited to you.
Chat - Riseup has an Extensible Messaging and Presence Protocol (XMPP) service that allows instant messaging, voice and video chat. To access it, use an XMPP client such as Pidgin, Gajim, Jitsi, Swift, or Profanity (yes, there actually is a client called Profanity).
We found that using this service was quite simple, and felt no different than using any other XMPP client. You can log into this service using the same username through which you access your email. For instance, if your Riseup email address is [email protected], "codevancier" would be your username, and your domain would be "riseup.net." You would also use the same password that you use for your email client.
One important thing to note is that some XMPP clients aren't configured to always require encryption. In other words, some have a setting that says to use encryption "if available." Therefore, it's best to use a messaging client that always requires encryption, particularly if you're a whistleblower or someone else who is at high risk. Luckily, Riseup recommends several different clients that they trust at riseup.net - XMPP Clients. Among the clients they list are Gajim, Psi, Psi+, and Conversations (for Android).
VPN service - In addition to its email and chat features, Riseup offers a VPN service. While this may seem like a good idea in theory, there are disadvantages to using a VPN, and it's good to be aware of these. According to Riseup's site, "...we believe it is important for everyone to use some technology like VPN or Tor to encrypt their internet traffic. Why? Because the internet is being broken by governments, internet service providers (ISPs), and corporations."
We suggest reading the post VPN + Tor: Not Necessarily a Net Gain or Why is Home --> VPN --> Tor worse than Home --> Tor? before deciding to use any VPN service, including the one provided by Riseup.
In addition, we tried using the Android version of the VPN service, and while it did disguise our IP address (as advertised), it broke some of the functionality on the Android device in question. Specifically, the phone wouldn't charge due to a "moisture detected" error (which was not present when the VPN was uninstalled)!
You may wonder, then, does it have any advantages at all? Using a VPN sends all your internet traffic through an encrypted connection at Riseup.net, and then to the internet. Essentially, the VPN then becomes your ISP. This can help you circumvent censorship if you live in an area where the internet is restricted, and can disguise your identity. Even so, you can do the same by using Tor, and in that case, you aren't putting all of your trust in a single entity (in this case, the VPN provider).
Oddly enough, Riseup mentions some of the limitations of a VPN on their site:
In short, we do not suggest using this particular aspect of Riseup, but if you choose to do so, be aware of the limitations and issues that may arise.
Riseup's email and list services are compatible with most platforms, but the VPN service is available on GNU/Linux, macOS, Windows and Android systems.
On the plus side, both the email and VPN services do have user-friendly interfaces. In its web interface, the email inbox looks similar to this:
As you can see, your "Inbox," "Drafts," "Spam," and "Sent" menus are located at left, while your mailbox is in the center. The actual email texts are located at right. The interface may look familiar to some; the reason for this is that the same developers created Roundcube Webmail (which is still available, as a matter of fact).
If you're already familiar with RoundCube, then using Riseup should be easy. Some of its advantages are:
- Full disk encryption - Riseup's servers are encrypted so that only members of Riseup can access them; additionally, all communications between servers are encrypted.
- Encrypted email storage - Emails are encrypted individually on Riseup's servers, and even Riseup employees do not have access to your email messages.
- Hidden user ID - When you send a message via RiseUp, your user ID is kept anonymous.
- All services have Tor onion options - Every aspect of RiseUp, including email and XMPP, has a Tor onion service. This is helpful if you need additional anonymity or need to circumvent censorship for any reason.
- Traffic is encrypted at any possible time - When sending email to another encrypted email provider, your message is encrypted for the whole "trip." This makes it far less likely that an intruder will snoop on your email messages.
- Delivery to activist providers over Tor - If you email someone on another activist provider (such as calyxinstitute.org/ or boum.org), your message will be sent over the Tor network. The idea behind this is to defend against traffic correlation and other forms of surveillance.
- Location is not disclosed to email recipients - When you send an email with Riseup, your IP address (and therefore approximate location) are kept hidden from recipients; Riseup will not disclose this information to recipients.
- Internet (IP) address is not logged - Riseup does not log the IP addresses of its users (unlike some major email providers).
Be that as it may, Riseup still has some disadvantages:
- Not end-to-end encrypted - without using Mailvelope or another OpenPGP provider, messages are not end-to-end encrypted. Users have to do this independently.
- Your password is key to accessing your account - this should go without saying, but if anyone gets access to your password, they will be able to read your emails and any other confidential information in your account.
- Does not have backups of all old messages - if a user has an important message that they need to save, it's up to them to do so; Riseup leaves this in the hands of the users.
- If something is online, it is never 100% secure - while Riseup does make every effort to protect the confidentiality of messages, there's always a chance that data can fall into the wrong hands. They point out that if you have information that's extremely sensitive, you should keep it offline.
Pros and Cons
- Offers encrypted chat, email, XMPP, and VPN services
- Uses full disk encryption
- All services have Tor onion options
- Does not log your IP address
- Employees don't have access to contents of emails or messages
- Messages are not end-to-end encrypted (needs to be used with OpenPGP or another provider)
- VPN service has limitations on privacy, as well as some bugs
- Single password protects entire account