English translation of the second review by autistici/inventati
Let's try and summarize the facts.
The cryptographic services (those which guarantee e-mail confidentiality, for example) offered by the Autistici/Inventati server located at Aruba's webfarm were compromised on 15.6.2004. We became aware of this on 21.6.2005. One year later.
On that day, one year ago, the officers (the Polizia Postale) working on the inquiry that led to the suspension of a mailbox (croceneraanarchica-at-inventati.org), in collaboration with Aruba's staff, switched off our server without any notice or communication whatsoever, and copied the keys they needed in order to decrypt the webmail, which runs over the encryption protocol recognizable by the https prefix; since then, they have potentially had access to the whole content of the disk, including each user's private data.
When we realized that the server could not be reached, we phoned Aruba's webfarm again and again, asking for an explanation for the outage. They invented false technical problems, comfortably deciding that their customers, their contractual agreements and their users' rights weren't worth a phone call to inform the server's owners; it is a place where lies and lack of respect for the most fundamental civil rights prevail.
Our presence and that of our lawyers during their action would have made it possible for them to collect the data without violating the privacy of all the users who use our encryption services: at least we could and would have warned our users in time.
We always suspected that a company with such a self-explanatory name ['aruba' recalls the Italian word for stealing], with a webfarm located on Sergio Ramelli street (S.R. was a much esteemed fascist martyr, according to what Paolo Landi, reception clerk at the webfarm, told us), was not to be trusted, neither from a personal perspective nor from a technical one.
The awful service they provided sadly got us used to hearing poor excuses for lots of technical problems.
Unfortunately, in June 2004 we had no other choice. The server had to be hosted somewhere, and none of the other places we had found gave better guarantees about customers' privacy and respect for contractual duties. We decided to rely on them, and we were wrong.
What happened is very serious for us, and we don't want to hide behind unlikely prospects of revenge. It will be a difficult battle, which we'll fight on every possible field, including the legal one.
Our daily paranoia about personal data security, aimed at defending all our users' data, did not suffice, for lack of resources and maybe because of a subconscious and inappropriate confidence in the laws that govern privacy rights.
We have interrupted our cryptography services, since at this time they are no longer secure, and we'll soon interrupt our mail service too. We will soon reactivate a second, clean server at a different provider.
But this will not suffice. It's quite clear that in order to face an ever-growing use of people and instruments for the systematic violation of users' privacy, we need to rethink the sense and strategy of our project.
Aware as we are of the weak position we are in (sadly proved by the realization of the worst theoretical scenario), we have been working for one year now on rebuilding our facilities, paying as much attention as possible to what is needed for a minimum of user privacy. Soon (by the end of summer, we hope) we'll publish technical details which we hope will make clear the extent of the effort needed to build the minimum facilities that can ensure what in theory should be civil rights [...].
But there's one thing that has to be clearly understood by everyone: it's not possible to delegate privacy management to someone else. No political structure or technological tool can assure your privacy.
Therefore we invite everyone, once again, to autonomously equip themselves with strong cryptography tools (such as gpg) and use them to secure email communications and the data stored on their disks, without blindly relying on others. Awareness should do the rest.
As far as we are concerned, we can only assure you that we'll keep doing what we can to protect the confidentiality of your and our communications, and everyone's freedom to express themselves and communicate.
2005-22-06. Autistici/Inventati collective.