Let's Encrypt is enabling hate speech

If you go to the website of the neo-Nazi publication the Daily Stormer, https://dailystormer.su/ (I am not going to give them free SEO), you can see the certificate is issued with the blessing of Let's Encrypt.

This is incredibly harmful. From Wikipedia:

The Daily Stormer is an American far-right neo-Nazi, white supremacist, and Holocaust denial commentary and message board website that advocates for the genocide of Jews.[1][2][3][4] It considers itself a part of the alt-right movement.[5] Its editor, Andrew Anglin, founded it on July 4, 2013, as a faster-paced replacement for his previous website Total Fascism. The website also publishes its content in Spain and Latin America, Italy and Greece.

In June 2019, a federal judge ordered Anglin to pay $4.1 million to comedian Dean Obeidallah, whom Anglin had falsely accused of orchestrating the Manchester Arena bombing.[13] In July 2019, a federal magistrate recommended that Anglin pay $14 million to Tanya Gersh, a woman from Whitefish, Montana whom Anglin had organized a targeted harassment campaign against.[14]

All serious infrastructure companies (from Wikipedia: GoDaddy, Google, YouTube, Facebook, Discord, CloudFlare, Namecheap, DreamHost, ISNIC) have taken steps to kick white supremacy and violent hatred off their platform, and it's time for Let's Encrypt to do the same.

From ISRG's non-discrimination policy:

Internet Security Research Group does not and shall not discriminate on the basis of race, color, religion (creed), gender, gender expression, age, national origin (ancestry), disability, marital status, sexual orientation, or military status, or any other protected classification under federal, state or local law, in any of its activities or operations. These activities include, but are not limited to, hiring and firing of staff, selection of volunteers and vendors, and provision of services. We are committed to providing an inclusive and welcoming environment for all members of our staff, volunteers, subcontractors, vendors, and clients.

Harassment based upon an individual’s sex, sexual orientation, race, ethnicity, national origin, age, religion or any other legally protected characteristics will not be tolerated.

From ISRG's code of conduct:

We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

Examples of unacceptable behavior include:

  • The use of sexualized language or imagery, and sexual attention or advances of any kind
  • Trolling, insulting or derogatory comments, and personal or political attacks
  • Public or private harassment
  • Publishing others’ private information, such as a physical or email address, without their explicit permission
  • Other conduct which could reasonably be considered inappropriate in a professional setting

Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.

Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.

Scope

This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.

From the Subscriber agreement:

ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that: ... (v) You have violated any applicable law, agreement (including this Agreement), or other obligation; (vi) Your Certificate is being used, or has been used, to enable any criminal activity (such as phishing attacks, fraud or the distribution of malware); ... or (xi) there are other reasonable and lawful grounds for revocation. ISRG will provide notice of revocation via email to the email address of record.

Hate speech is illegal and criminal, and violates obligations to society (paradox of tolerance). It is a reasonable and lawful ground for revocation.

Therefore, you should do your part and help kick the Nazis off your platform.

Hi,

Disclaimer: I’m not related to Let’s Encrypt.

First of all, I agree with you that hate speech is harmful to the community. I think the above blocks (in the subscriber agreement) state that Let’s Encrypt can (reserves the right to) revoke the certificate, but this is not required. I believe the other documents you quoted are focused more on the actual human parts, such as their employees and volunteers.

Also, revoking a certificate doesn’t forbid them from issuing certificates. It’ll just cause service disruption. You should bring this to their domain registrar, ICANN and related reporting agencies (such as Google’s Safe Browsing).

Pinging @lestaff for more information and further action.

Thank you

3 Likes

The certificates issued by Let’s Encrypt do not make any guarantees or endorsements about the content of the domains they are issued for. All they do is confirm that you are communicating with the domain listed in the address bar and nobody is listening in.

The only circumstances in which Let’s Encrypt revokes certificates are if the private key is compromised, the website owner/operator requests it, or the domain is listed on the U.S. SDN list by the U.S. Treasury Department.

As I find reading about court cases / laws somewhat interesting in my free time, I would also like to add that under United States law, technically there is no such thing as hate speech, however terrible it is – not that that has any particular relevance to this thread, just a point of interest for me.

3 Likes

Their domain registrar doesn't seem to care, unfortunately - they are Chinese, a country with a close relationship to Russia.

Which one of the following would it be?

Right, but why grant neo-Nazis this privilege? It explicitly says in the service agreement that they may revoke certificates if the websites are used for criminal activity, and they have done so in the past for phishing websites and the like.

If that is the official policy, please reconsider. Your actions may end up indirectly hurting many marginalized people.

In this case, here's where I personally stand: I think Let's Encrypt should, like all other CAs, stand neutral in topics like this. I believe CAs like Sectigo or Globalsign might revoke the certificate if some internal conditions are met, but they will not refuse to issue one at first (unless law or CA/B rules prohibit it). CAs should be neutral in such a standpoint. (I think this might also be the reason why Let's Encrypt stopped querying the Google Safe Browsing API before issuance.)

Well, but again. I'm just a volunteer.

Thank you

3 Likes

...or not, actually--unless you have reason to believe they're violating the terms of the registration agreement. "I don't like what they're saying" is not a reason to try to knock a site off the Internet.

Edit: The CA can not, does not, and should not in any way be seen as, endorsing, warranting, guaranteeing, certifying, or making any other assertion with respect to the content of sites using its certificates. The CA validates only that the certificate is owned by the entity whose name appears on the cert. This is, IMO, as it should be.

7 Likes

This puts you at odds with nearly all of the other infrastructure organizations, who have made the deliberate decision not to allow hate speech. If you are neutral in situations of injustice, you have chosen the side of the oppressor. If an elephant has its foot on the tail of a mouse and you say that you are neutral, the mouse will not appreciate your neutrality.

Not all service providers, and for good reasons:

To quote Frequently Asked Questions - NearlyFreeSpeech.NET

Most importantly, websites that advocate or represent viewpoints are created by people who hold those views. If those people are willing to stand up and wave their hands and say "Hey! Here I am! Over here! Look at me!" we prefer to let them. To some extent, we are willing to host certain types of content to rub the world's nose in the fact that people who think that way still exist. And if that makes you uncomfortable, good, it's working.

[...]

Of course, the simplest reason is that it's not up to us to decide what the rest of the world should or shouldn't see. Bad news, it's not up to you either. Worse news, it's still true even when we agree. Which is probably most of the time.

Finally, censorship is always bad, for a variety of well understood reasons that we don't need to repeat here. But in the case of some types of content, it has special dangers. When you censor a web site based on the extreme or dangerous views of its creator(s), you haven't stopped those people from thinking that way. You haven't made them go away. You certainly haven't stopped the people who hold those views from doing whatever else they do when they're not posting on the Internet. What you've actually done is given yourself a false sense of accomplishment by closing your eyes, clapping your hands over your ears, and yelling "Lalala! I can't hear you!" at the top of your voice. Pretending a problem doesn't exist is not only not a solution, it makes real solutions harder to reach.

1 Like

No, it is not. Full stop. Your understanding on this is simply incorrect in the United States, which is where Let's Encrypt is based, and as a result your argument collapses. There are, sadly, many in this country who would prefer it to be otherwise, but their desires are not the law, "hate speech" (however you define it) is not a crime, and cannot be made one without amending the U.S. Constitution.

There's been a bit of personal opinion in this thread, but nothing official from Let's Encrypt. Here's their statement on a different, but closely related (in that it deals with their content-based certification policies) issue:

Edit: It's also worth noting that phishing and malware do involve criminal activity. Let's Encrypt take a very minimal view of the proper place of the CA in policing content (and I applaud them for it).

4 Likes

So should we close all roads leading to the houses of known nazis?
Exactly how far would you go in your censoring?
Let’s Encrypt would be going down a dangerous path if they start to censor. Who decides what should be censored?

4 Likes

Disclaimer: I do not work for ISRG or LetsEncrypt.

I appreciate your concern on this. I worry about stuff like this too. 15+ years ago I couldn't find an open-source way to prevent a neo-nazi group from using a package that I wrote (I even asked the OSF for help!), so I just made the project closed-source and deleted the last functioning versions from public repositories. I was lucky enough to be able to do that. (I found out because they emailed me for support, and was livid at what I saw)

When it comes to major service providers like LetsEncrypt, typical concerns about de-platforming include breaking the functionality of the internet and the moral implications of content-neutral platforms having these powers.

The best way to sidestep these concerns is generally to cite specific acts that constitute a criminal act in a jurisdiction the platform is obligated to respect. Hate speech isn't illegal or criminal everywhere, and not everything that neo-nazis do is hate speech.

I'm not saying this to be combative, but to be constructive. As you've seen above, there are a lot of viewpoints to consider when de-platforming. IIRC, the CEO of Cloudflare raised many more when he decided to de-platform this same group. But if you can cite any actual crimes and their jurisdictions, you can effectively sidestep the philosophical debates and say "You should deplatform them for being nazis, but you must deplatform them because you are aiding in this specific criminal activity."

4 Likes

If a website using Let’s Encrypt is involved in illegal activities you should contact the authorities, LE is not the cyber police.

2 Likes

It was your choice to make, but, ugh, that's ugly.

Releasing stuff as open source or free software is not free in and of itself, and keeping stuff as free software is not a morally easy stance. See for example why the HESSLA license is not considered a free software license by the GNU Project: The HESSLA's Problems - GNU Project - Free Software Foundation

3 Likes

I was not happy, but it was the right thing to do and I have no regrets. It was a CAPTCHA library/server, years before re-captcha existed (or Google took it over). They were using it to throttle anti-nazi bots and activists from their forums. IIRC, I deleted the last few versions - up to a significant API and feature change - from the public module registry, and took the source repository offline. The intent was to cause them development headaches if they lost their installed version of the library. They did! I got hate mail! It was a legacy project for a language/platform I no longer used. Over the next 3 years two non-Nazis wrote me for help. I gave them the versions they needed and explained the situation. Both were supportive.

5 Likes

Some people would also like to see censoring of porn sites, pro-this and anti-that (political and/or religious) sites. Where would censorship end?

5 Likes

I just joined the forums.
Since I’m doing research on scammers & other unpleasant internet frauds, but bumped into this thread.
Full disclosure… let me make it clear from the start… I have a very strong dislike of more than a few groups that express this sort of sentiment…

Before getting involved in “free speech” issues it might be beneficial to watch this.

This is a debate in the UK about Oxford Union (Oxford University) on “De-platforming”, as it is called in the UK… it was about the University students wanting to “silence” people who they did not agree with.
It’s about 12 minutes long…
so well within the attention span of most…

1 Like

An excellent speech by Ann. I’ve always believed that censorship, in any form, is the same as the book burning campaigns that occurred throughout the centuries.

2 Likes

There is currently a very sinister attempt by the left-wing to take over anything related to computer systems, get into code repositories, on “advisory boards” and push their “safe space” agendas.
It’s happened in Linux and in a number of key computing resources…

Childish things at first, relabeling of RS232 equipment, protocols referring to “master” & “slave” and all of a sudden “inclusivity” statements into code bases.
Looks like they will be going after key internet resources… SSL, since shutting that down or controlling that becomes a key internet choke point… will fit in nicely with the browsers refusing to visit non-https sites due in the coming years… and more importantly DNS over TLS…
Certificate issuers are going to become key…

I guess that when a complaint comes from nothing other than a tool SocIng uses to make its enemies expose themselves, the correct answer is “who cares?”

(Spoiler is for 1984 by George Orwell)

1 Like