Technical security

As a collective we have a responsibility to act carefully and compassionately when it comes to the security of the users of both our physical and internet spaces. There are some things we do well and some things we need to work on. If you have questions, you can email us at info@spartacusbooks.net.

Website

This website is served over HTTPS only, with legacy TLS versions disabled. It is also available as a Tor hidden service at http://spartyiv5gf77hab.onion/ (this is just being tested now, and there may still be request leakage to our main site).

Store tech

We operate a wireless network in the store (Spartacus). This network is open to anyone using the space. Your network traffic enters the internet through the Shaw network. We store no logs of network usage beyond a list of recently connected devices with their hostnames and MAC addresses. We regularly audit this data for suspicious clients.

We provide a public computer for anyone to use. These computers run Ubuntu. We keep them up to date as much as we can. We store no logs on these machines (and are working toward reimaging them regularly). However, we encourage folks to use Tails or another live operating system on these computers if they are concerned about security.

Events form

Our events calendar and email are hosted by Google. You should consider the security implications of sending us information via email or the events form.

Volunteer Application

We take the privacy of our volunteer application system seriously. When you apply, your application is only visible to collective members. We have processed volunteer applications in a few different ways over the years. As a general principle, we regularly clear volunteer applications and data that are no longer relevant. If you have questions about whether we hold data about you and how it is stored, you can email us or give us a call and we can look into it.

Prior to about 2014, we processed volunteer applications as paper forms filled out in the store. Every paper application submitted has been destroyed; we retain no information submitted on these applications.

Between 2014 and the beginning of 2022, we processed volunteer applications using a Google form and Google spreadsheet. At the beginning of 2022 we deleted all volunteer application information stored on Google. We moved information that was still being processed to an internal system.

As of February 2022, we have migrated our volunteer application away from Google. Volunteer applications are now processed directly on our web server and transmitted to our internal systems as we review them. The information you enter in the form will never leave our servers unless it is encrypted with a key only we have access to (for the purpose of backups).

Email

We can only receive email at our Google mailbox, info@spartacusbooks.net. Please exercise caution with what you send us and what email addresses you use. If we have outgoing mail that we deem sensitive, we may route it through another provider that aligns more closely with our values.

We can always accept PGP email encrypted with our public key (fingerprint = 25C3 A3D3 5DD5 FB19 CBC8  1704 EDE2 4E51 2DE5 47FF). If you include your key, we will encrypt our reply as well. It will take longer to receive a response if you use PGP, as not many collective members can use PGP.

Canary

See https://riseup.net/en/canary for an explanation of what a canary is. The canary below is signed with our signing subkey (fingerprint = 263F 6812 3BA2 CC67 F18A 1CB3 AC78 BC6C 7875 F028). If our canary is out of date, please start by emailing us (from a safe email please!), as we are sometimes forgetful. If you receive no response within a week, you can assume we are unable to reply for legal reasons.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Spartacus Books positively confirms that to the best of our knowledge the integrity of our systems are sound. We have not disclosed any private information, and we have not been forced to modify our system to allow access or information leakage to a third party. We have not been forced to install equipment (eg: recording/monitoring devices) our store that could impact the privacy of those who use the space. 

This canary will be signed every year on the following dates:

* April 24
* October 24

We will include a link to a recent news article [1] in each update to establish that the signature was not pre-generated. 

Signed on April 27th, 2023 by the Spartacus collective.

[1] https://www.cbc.ca/news/canada/new-brunswick/listuguj-mikmaw-radio-station-1.6822690
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

To verify our canary, you need to do the following:

  • Receive the key into GPG: gpg --keyserver keys.openpgp.org --recv-key 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
  • Confirm that the fingerprint matches (the output should be 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF): gpg --fingerprint 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
  • Verify the signature: gpg --auto-key-retrieve --verify canary.txt

There is no guarantee that this website hasn’t been tampered with, so the above key should not be automatically trusted. For better assurance that our key is correct, you can come in to our store, where a printed copy of our fingerprint is posted on top of the store desk.
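
The signature check from the steps above can be scripted so that it also pins the two fingerprints published on this page and flags a stale canary. This is an added example, not Spartacus Books' own tooling: it reads gpg's machine-readable status output instead of the human-readable text. The function names, the 200-day limit and the sample status line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprints are the two published on this page.
PRIMARY_FPR=25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
SIGNING_FPR=263F68123BA2CC67F18A1CB3AC78BC6C7875F028
MAX_AGE_DAYS=200  # assumption: six-month signing interval plus some grace

# Constructed VALIDSIG record (not real gpg output); 1682553600 is
# 2023-04-27 00:00 UTC, the signing date stated in the canary.
SAMPLE="[GNUPG:] VALIDSIG $SIGNING_FPR 2023-04-27 1682553600 0 4 0 1 8 01 $PRIMARY_FPR"

# check_status NOW_EPOCH: reads `gpg --status-fd 1` output on stdin.
# Returns 0 = valid and fresh, 1 = no valid signature from the pinned
# keys, 2 = valid signature but older than MAX_AGE_DAYS.
check_status() {
    awk -v now="$1" -v pri="$PRIMARY_FPR" -v sig="$SIGNING_FPR" \
        -v max="$MAX_AGE_DAYS" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3: key that made the signature, $5: signature time,
            # $NF: primary key fingerprint. Non-epoch times fail closed.
            if ($3 == sig && $NF == pri && $5 ~ /^[0-9]+$/) {
                found = 1
                age = (now - $5) / 86400
            }
        }
        END {
            if (!found) exit 1
            if (age > max) exit 2
        }'
}

# verify_canary FILE: GOODSIG alone would accept any key in the keyring,
# so the decision is made on VALIDSIG and the pinned fingerprints.
verify_canary() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$(date +%s)"
}

# Usage: sh check-canary.sh canary.txt
if [ -n "${1:-}" ]; then
    verify_canary "$1" && echo "canary OK" || echo "canary check failed ($?)"
fi
```

Run it after importing the key as in the first step; the script does not fetch keys itself.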