The cryptographic services offered by the Autistici/Inventati server, housed in the Aruba web farm, were compromised on 15 June 2004. We discovered this on 21 June 2005, one year later.
One year ago the authorities (i.e. the postal police), during the investigation that led to the suspension of an email account (croceneraanarchica-at-inventati.org), shut down our server without any notice and copied the keys needed to decrypt the webmail. Since then they have potentially had access to all the data on the disks, including sensitive information about our users. This happened with the collaboration of Aruba, our provider.
When we noticed that the server was unreachable we repeatedly called the Aruba web farm, asking for an explanation. They made up silly excuses about technical problems, deciding that their clients, their contracts and the rights of our users weren't worth a single phone call to the server's legal owners. They lied and totally disrespected even the most basic rights and the privacy of those using their services.
Our presence and that of our lawyers would have been a guarantee that they could obtain the information they needed without violating the privacy of all the people who use our cryptographic services. We could, and would, have warned and protected our users.
We always suspected that they weren't trustworthy, both on a personal and on a technical level. The very low quality of the service they offered had sadly accustomed us to the silly excuses they made up for technical problems. Unfortunately, at the time we had no alternatives. The server had to be housed somewhere, and none of the alternatives we found offered better guarantees, either of respect for user privacy or even of fulfilment of their own contractual obligations. We relied on Aruba, and we made a mistake.
What happened is very serious, and we don't want to hide behind unlikely prospects of revenge. It will be a hard struggle. A battle that we will fight on every possible level, including the halls of justice.
Our constant paranoia in handling personal data, aimed at protecting our users' data, wasn't enough. We lacked resources, and we incautiously and unreasonably trusted the laws that protect privacy.
We have shut down our cryptographic services, since they can no longer be considered safe. We will shortly stop the mail service too. As soon as possible, we will reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.
But this won't, of course, be enough. It's clear that, faced with such an enduring effort at the systematic violation of Internet users' privacy, we must reconsider the meaning and the strategies of our project.
Aware of our potential weaknesses, we have been working on a completely new version of our whole infrastructure, trying to raise the level of protection of our users' privacy. Soon, we hope before summer's end, we will disclose all the technical details, hoping that they will make clear the effort required to build infrastructures that can protect what should be considered, at least in theory, a basic right.
What we hope everyone will learn from what happened is that privacy can't be entrusted to anyone but ourselves. There is no political structure or technical instrument that can guarantee your privacy.
We are, once more, asking and encouraging everyone to use strong encryption tools (such as PGP/GPG) to protect both mail and the data on personal computers, and to use common sense for everything else. We can only guarantee that we will continue to do everything we can to protect the privacy of your and our communications and your and our freedom of speech.
June 22, 2005. Autistici/Inventati Collective