Were 11 Spanish Anarchists Arrested for Using Secure Email?
Few details have been made public, but a judge says that use of a legal, encrypted email service raises suspicion.
Protesters in Catalonia on Catalan Independence Day. Most of the people arrested in December were Catalan. Image: Eric Burniche/Flickr
In mid-December, 11 Spanish anarchists were arrested by Catalan police in Barcelona, and it now appears they were detained at least in part because they were using an encrypted suite of secure communication tools known as Riseup.net. At the moment, seven of them are still waiting to stand trial. No formal charges have been made public.
Early media reports suggested that those charged may have played a role in the destruction of ATMs around the city in 2012 and 2013, but that report hasn't been confirmed, because the Spanish judge presiding over the case has refused to make the official police report public. However, Judge Gomez Bermudez noted this week that the defendants "were using emails with extreme security measures, such as RISEUP.net." The defendants were also accused of having a book called Against Democracy and of having a "internal organizational and bureaucratic structures."
what email service they use shouldn't be one of the determining factors in whether they're arrested
In the activist world, RiseUp.net is a pretty well-known secure email service that's run by a nonprofit collective in Seattle. The website Security in a Box, which is run by a human rights NGO and reviews various encryption and personal security services, notes that it's "managed by trustworthy advocates of internet privacy and security." It also says, however, that using a RiseUp email address could draw the eyes of authorities, which of course is the concern here: "An unusual email service may attract unwarranted attention. It might make more sense in some situations to blend in by using a popular email service in your country."
And that's the problem. In this case, there's at least the appearance that the use of secure email and chat protocols somehow led to the arrests, members of the collective at RiseUp noted. It's very possible that the Spanish government has hard evidence that those arrested had committed or were actively planning to commit a crime—but if it does have that information, it's not saying. Instead, the implication is that the use of encrypted communication channels is somehow implicitly related to criminal activity.
"We reject this Kafka-esque criminalization of social movements, and the ludicrous and extremely alarming implication that protecting one's internet privacy is tantamount to terrorism," Riseup.net wrote in a blog post about the arrests.
"Riseup, like any other email provider, has an obligation to protect the privacy of its users. Many of the 'extreme security measures' used by Riseup are common best practices for online security and are also used by providers such as Hotmail, Gmail or Facebook," the collective added. "However, unlike these providers, Riseup is not willing to allow illegal backdoors or sell our users' data to third parties."
Josh Levy, the advocacy director at Access, a New York-based civil liberties group, told me that though we don't know whether these people were involved in illegal activity, it's highly concerning that governments are now pointing to encryption as something inherently associated with it.
"Whether or not they were doing illegal activity, what email service they use shouldn't be one of the determining factors in whether they're arrested," Levy said. "Given that this particular email service is used by activists around the world, I don't think it's much of a leap to say that this shows authorities elsewhere are more actively monitoring people who make the choice to use a secure email service."
More details are sure to come out, but for now, the Spanish government isn't talking. Lawyers for those detained maintain the group's innocence. And with little transparency in the whole process so far, it's unfortunately looking like using secure internet services can make you a target.