As a collective we have a responsibility to act carefully and compassionately when it comes to security of the users of both our physical and internet spaces. There are some things we do well and some things we need to work on. If you have questions you can email us at firstname.lastname@example.org.
This website is served over HTTPS only with legacy TLS versions disabled.
This website is also available as a TOR hidden service at http://spartyiv5gf77hab.onion/ (this is just being tested now, there may still be request leakage to our main site).
We operate a wireless network in the store (Spartacus). This network is open to anyone using the space. Your network traffic enters the internet through the Shaw network. We store no logs of network usage beyond a list of recently connected devices with their hostnames and MAC addresses. We regularly audit this data for suspicious clients.
We provide a public computer for anyone to use. These computers run Ubuntu. We keep them up to date as much as we can. We store no logs on these machines (and are working toward reimaging them regularly). However, we encourage folks to use Tails or another live operating system on these computers if they are concerned about security.
Our events calendar and email is hosted by Google. You should consider the security implications of sending us information via email or the events form.
We take the privacy of our volunteer application system seriously. When you apply your application is only visible to collective members. We have processed volunteer applications in a few different ways over the years. As a general principle, we regularly clear our volunteer applications and data that are no longer relevant. If you have questions about if we hold data about you and how it is stored you can email us or give us a call and we can look into it.
Prior to about 2014, we processed volunteer applications as paper forms filled out in the store. Every paper application submitted has been destroyed, we retain no information submitted on these applications.
Between 2014 and the beginning of 2022, we processed volunteer applications using a google form and google spreadsheet. At the beginning of 2022 we deleted all volunteer application information stored on google. We moved information still under process to an internal system.
As of February 2022, we have migrated our volunteer application away from google. Now volunteer applications are processed directly on our web server and transmitted to our internal systems as we review them. The information you enter in the form will never leave our servers unless it is encrypted with a key only we have access to (for the purpose of backups).
We can only receive email to our google mailbox at email@example.com. Please exercise caution with what you send us and what email addresses you use. If we have outgoing mail that we deem sensitive we may route it through another provider that aligns more closely with our values.
We always can accept PGP email sent encrypted with our public key (fingerprint = 25C3 A3D3 5DD5 FB19 CBC8 1704 EDE2 4E51 2DE5 47FF). And if you include your key, we will send you back email encrypted as well. It will take longer to receive a response if you use PGP as not many collective members can use PGP.
See https://riseup.net/en/canary for explanation on what a canary is. The below canary is signed with our signing subkey (fingerprint = 263F 6812 3BA2 CC67 F18A 1CB3 AC78 BC6C 7875 F028). If our canary is out of date please start by emailing us (from a safe email please!), we are sometimes forgetful, if you receive no response with a week, you can assume we are unable to reply for legal reasons.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Spartacus Books positively confirms that to the best of our knowledge the integrity of our systems are sound. We have not disclosed any private information, and we have not been forced to modify our system to allow access or information leakage to a third party. We have not been forced to install equipment (eg: recording/monitoring devices) our store that could impact the privacy of those who use the space. This canary will be signed every year on the following dates: * April 24 * October 24 We will include a link to a recent news article  in each update to establish that the signature was not pre-generated. Signed on Nov 7th, 2022 by the Spartacus collective.  https://www.cbc.ca/news/politics/csis-emergencies-act-1.6643337 -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEJj9oEjuizGfxihyzrHi8bHh18CgFAmNpc4gACgkQrHi8bHh1 8CiAdhAAkbVFE4WBKnsMGkatkMgo+lI2LtbhNng9MOuwKDz1AaLjLcDRIuRZudX5 73VYY07/ud3EzYeQh4m4fONMzHDrzRFZo6zwPxo4GiaDEHIbesHYTy25fSYagGKV +FTyDpMtaV6Qy2VGNg86ij7aZ+k9IfageS5bcoLYpK+AYb6yB7t+ClpBGS2FA2YM Atd2iNU+jf8B+uyhAVYt4Q6M9Gkzkz8ao43wda62zWbVHajXUtKyWVtTQf+oUmzg kMRVXj9cAU2Hj0xmxkLQrRex0aTb4PLOf1gUfsJERCGGHh4w0ycwsP9XrZvOOQ/X ePN2/t9v/TYIdTTnwg9FnJldtdIqbLDnLvKPeJkD9QSGu1bcbHFMnb+zd4odBMTQ an/A3o7j7QSbi9pu2b39d2h4/VmZmtVk42hmnJm5tEbtPepBGhpn/fHRCorE96Nq U3lxyvFBNM4ZkW5DPkMJ2LoCjrQRjPUKfS7/RYM4tLwyVagu8iYXAmRABt2WFkzm zJWFPgfxHE7weD0YZd9hNLFQ4ZlvdS64ac7nPTKKR+KkyKjt6XX6MdgytuSusbU9 ZG4mPTj7jCbBLlO6RXnAbP00ulkh46TvG1jhT6IErkFR5KvxTszyCUgBIWuDr40R rVLKSUmCdW7I17OOu+xbqZtQhsZMaroCTsCpwc8Lt8jGPoCa4lY= =PQne -----END PGP SIGNATURE-----
To verify our canary you need to do the following
- Receive the key into GPG:
gpg --keyserver keys.openpgp.org --recv-key 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
- Confirm that the fingerprint matches, the output should be
- Verify the signature:
gpg --auto-key-retrieve --verify canary.txt
There is no guarantee that this website hasn’t been tampered with, so the above key should not be automatically trusted. For better assurance that our key is correct you can come in to our store and we have a printed copy of our fingerprint posted on top of the store desk.