Ulitmately, the user is responsible for their own security. You cannot entrust this with the service operators.

• There is no way of proving that the software actually running on SN servers is the one that's on GitHub, and not a forked version that FBI made them run. (You can only theoretically verify the client yourself.)
  • Does it make sense for you guys to have a canary page? @ek @k00b
• If you want to use multiple identities and hide that fact from the service, use a different Tor/VPN exit node for each. Use separate browsers or browser profiles too, to avoid fingerprinting.
• ALWAYS assume someone (could be your ISP) logs your IP and the fact that you connected to this or that website.
• Be conscious of "social fingerprinting" - activity hours, writing style, tipping patterns.