Why Clipperz is moving out of US

December 28, 2013

The recent Christmas maintenance went quickly and smoothly.
Clipperz is now up and running again … from Iceland!

Reykjavik

In fact we’ve been quietly moving Clipperz out of the US since September and the final step will be the switch from .com to .is. You may have noticed that clipperz.is has been active for 2 months, but starting from January 1st, 2014 .is is going to be the new official TLD for Clipperz.
From that moment, every access to clipperz.com will be permanently redirected to Clipperz.is, our new home.

You may wonder what was wrong with the previous arrangement. Nothing. We were completely happy with all our providers: Joyent for SmartOS hosting, Dyn for DNS services, Amazon for backups. Great, reputable companies. So why move?

Because we are under attack. And when I say “we”, I mean Giulio and I as individuals. Neither Clipperz infrastructure nor your encrypted data stored on Clipperz are exposed to any risk.

The attack

It all started in June, right after the launch of the new website and the announcement of our plans to go paid.

One day I was summoned by Italian police officers because of a fraud complaint. The plaintiff declared that a bank wire transfer of 10K€ was ordered without her knowledge from the online banking service of her bank and the beneficiary was indeed Clipperz. I just answered that Clipperz does not have any relationship with the plaintiff and no reason to ask for such a large amount of money. I signed the statement and left the police station with a weird feeling.

In the following weeks, about 15 similar fraud complaints were filed and I spent quite a lot of time answering questions from authorities (Carabinieri and the Postal Police). A couple of times police officers visited our workplace in Bagnacavallo and questioned Giulio, but it was mostly me because of my sole administrator role in the company.

Luckily all the transfers were blocked before execution and not a single euro reached our bank account. So we did not have to reimburse anyone.

What was going on? We did not know. There was no logic to it. If some evil hacker was successfully attacking Italian banks why send the money to Clipperz? How were they thinking to recover it? But the largest nonsense was the size of the transfers: almost all of them were slightly above 10K€ (e.g.: 10,044€, 10,126€, …), that is above the daily limit allowed by almost any bank for automatic processing. Chances for such orders to go undetected and executed were almost nil. The only effect they were certainly obtaining was putting a dozen district attorneys at work, from Turin to Palermo, each of them independently investigating Clipperz.

Months went by, we were not formally accused of anything and we hoped that everything was going to resolve by itself. The wave of attacks lasted just a few days between late May and early June (all fraudulent wires were ordered in those days), so we felt uneasy but relieved. But then, in early November a 10K€ transfer was deposited on our account! The bank called to ask for authorization to reverse it and we said “Of course!”. But it meant that a new wave of attacks had been launched. And more trips to police stations, more questions, and more lawyer expenses.

Furthermore the legal office of our bank (the largest ethical bank in Italy) is currently considering terminating our account because of potential fraud allegations and internal money laundering policies. (!?)

What is going to happen now we don’t know. There is yet no formal charge against us, but it’s not completely unlikely that a single district attorney could order the seizure of Clipperz assets including the domain and servers as a “pre-trial precautionary measure”.

Our first goal at this point is to protect Clipperz, its users and their data. We’ve been working at it out of pure passion for almost 8 years. Doing nothing illegal, but allowing people to better protect their most precious bits of information. We will fight to prevent anyone from destroying it just by signing a paper. We can and will do everything in our power to make getting unauthorized access to your encrypted data as difficult and expensive as possible.

Our fight started by choosing the playing field: maintaining all the technical infrastructure of Clipperz in the US would have made life quite easy for a judge aiming to freeze Clipperz.

Joyent, our previous hosting provider, has a [safe harbor][SA] agreement in place with EU authorities which can intervene on Clipperz servers as if they were physically located in the EU. Or Joyent could be forced by a [FISC][FISC] order to hand over data, keys or fiddle with our code. Or US authorities can just cancel Clipperz from DNS registries or simply seize its TLD (read this [Wired article][seize]).

So we had no choice but to move to a place where we have at least a chance to actually start the fight if necessary.

[seize]: http://www.wired.com/threatlevel/2012/03/feds-seize-foreign-sites/
[SA]: http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles
[FISC]: http://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court

# Iceland

Clipperz has chosen Iceland because we bet on the success of IMMI, the Icelandic Modern Media Initiative, a jurisdiction to provide protection of freedoms of expression and information.
The clipperz.is domain is registered with the nice folks at 1984.is, who also manage our DNS records, while the servers running both the Octopress website and the actual password manager app are hosted on Greenqloud.

# What’s next?

Italy does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it (we are luckier than Lavabit was) and if there is any development in the fraudulent wire transfers story, we will communicate it on all available channels.

Clipperz was born as an Italian company subject to Italian laws and so it will remain. We are not planning to move people or assets out of Italy, we just moved the tech infrastructure to a place where our fundamental rights enjoy better protection.

Transparency is one of Clipperz core values. And we are not going to abandon it and become a secretive company. You have access to our source code, you can learn about the money we spend and the money we make, you can knock at the door of our office and have a chat with us, in person or online. You can even start a competing service using our own source code. This is not going to change.

If Clipperz becomes a paid service, the transparency will remain. We enjoy paying taxes. We’ve been paying taxes on the donations you sent during these years and we’ll be proud to declare all our future Bitcoin income and pay taxes both on direct revenues and currency gains.

But first we need to keep Clipperz alive. We are ready now.

(I’m aware that this narration could sound a bit paranoid and epic. It took us months to realize and accept that Clipperz involvement in this story was not accidental. But still, we would be extremely happy to be proved wrong and forget about it.)