EmailDiscussions.com  

Old 2 Oct 2013, 02:49 PM   #1
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
Updated privacy policy

http://blog.fastmail.fm/2013/10/02/u...rivacy-policy/

Old 2 Oct 2013, 04:26 PM   #2
malcarada
Senior Member
 
Join Date: Feb 2008
Location: European Union
Posts: 184
Thank you for making this clear, as due to recent news I think that every email user out there should be informed about the chances of their emails being data mined by outside parties.

I had one question: according to that post last year Fastmail disclosed information from around 50 accounts. I wanted to know what is the usual information included in the disclosure. Is it just account details and login IPs, or does it also include email contents and files stored in Fastmail servers?

Thank you
Old 2 Oct 2013, 07:01 PM   #3
Jacinto
Essential Contributor
 
Join Date: Jun 2009
Posts: 395
Good day and thank you Robert!

I believe your new privacy policy is exemplary.

However, it is my understanding that, in spite of being an Australian company, its physical servers are colocated in New York City. As such, there isn't much that Fastmail can do if/when a federal or New York State or New York City governmental agency with investigative and subpoena powers decides to ask for subscribers' records or, for that matter, seizes one or more of your servers.

Unless Fastmail has deep pockets and constitutional law attorneys on retainer in New York, many of the protections from government intrusion stated in the Privacy Policy are illusory when it comes to United States law enforcement.

--
Jacinto
Old 2 Oct 2013, 07:56 PM   #4
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by Jacinto View Post
However, it is my understanding that, in spite of being an Australian company, its physical servers are colocated in New York City.
Correct.

Quote:
As such, there isn't much that Fastmail can do if/when a federal or New York State or New York City governmental agency with investigative and subpoena powers decides to ask for subscribers' records or, for that matter, seizes one or more of your servers.
True, there's not much we can do. However, it's not actually possible for a US entity to serve us with a subpoena or other legal mechanism, as we don't have a legal presence in the US. In that situation they would have to pursue a different legal avenue (e.g. via some mutual assistance treaty) or ignore the legal process entirely and seize the servers, which would be very difficult to do quietly.

As noted in the privacy policy, we cannot guarantee that your data can never be obtained by a third party. There isn't an online service provider on the planet that can legitimately make that guarantee. But we can and do take measures to ensure that if someone does want to get your data, they're going to have to go to significant effort to do so.

It's up to you as the customer to decide if the risks are acceptable to you. You may like to get your own private legal advice if the risks are a serious concern for you.
Old 2 Oct 2013, 09:00 PM   #5
Jacinto
Essential Contributor
 
Join Date: Jun 2009
Posts: 395
Quote:
Originally Posted by robn View Post
. . .

However, it's not actually possible for a US entity to serve us with a subpoena or other legal mechanism, as we don't have a legal presence in the US.
Although Fastmail may not have "a legal presence in the US," its servers are in the US. Unless Fastmail was advised by American attorneys that this assertion applies to United States law, it may be that Fastmail is deluding itself and giving its customers a false sense of security.

Quote:
Originally Posted by robn View Post
As noted in the privacy policy, we cannot guarantee that your data can never be obtained by a third party. There isn't an online service provider on the planet that can legitimately make that guarantee. . . .
I concur with you here.

--
Jacinto
Old 2 Oct 2013, 09:34 PM   #6
curvefan
Essential Contributor
 
Join Date: Oct 2007
Posts: 498
I still, and I've posted this before, can't understand why people pay a bunch of money to certain providers thinking they are more secure than the next guy.

If certain people want to view your communications, they will. Plain and simple.

This thread confirms this.

So, why pay a bunch of money for security purposes?

Maybe pay for certain other features the provider offers, but not security.

But hey, it's your money.
Old 2 Oct 2013, 09:40 PM   #7
curvefan
Essential Contributor
 
Join Date: Oct 2007
Posts: 498
Privacy policies?

Do you really think anything is private on line?

If you want privacy, go hide in the closet.

First unplug the PC though.
Old 2 Oct 2013, 10:04 PM   #8
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by robn View Post
You may like to get your own private legal advice if the risks are a serious concern for you.
I'd be interested to see if anyone here has sought legal advice - that you not only talk the talk, but also walk the walk.
Old 2 Oct 2013, 11:19 PM   #9
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
Thank you for the new privacy policy! Well written, simple, and direct. Frankly it gives me more confidence.

However, I too have concerns about how the US government can intercept the data from FastMail servers, so it would be nice to know further details about how such an interception can take place.

My understanding and belief is that if US law enforcement wants the content from the servers, they'll get it one way or another, period. No way around that fact of life. No need to argue about that either. If the news reports are even 50% true that we've seen lately, it's that there is NO way around that fact.

However, the WAY they go about getting the email content would be more problematic for them, more difficult, more costly, and more time-consuming. So that's a good thing. :-)

1) In the US, they would have to get a court order to get the information, which would then have to go through an Australian court via some mutual assistance treaty. The Australian order would then be given to FastMail for a specific user, and then of course FastMail would have to comply. But that is a longer paper trail to go through than competing US email providers.

2) Alternatively, the US government could simply seize the server(s) in question at the New York hosting center that FastMail uses. This would create a huge stink and would be very, very difficult to hide... since the US government can't compel FastMail to be quiet about it, and it would likely disrupt some services for a lot of users. So this would be a costly and visible seizure of property, which they would be unlikely to do. But still, it's possible.

3) Alternatively, the US government can force FastMail's hosting provider to install a server adjacent to FastMail's servers in New York that will filter/mirror/capture whatever content is going in and coming out of FastMail's servers. If FastMail's provider was given a US National Security Letter, EVEN FASTMAIL WOULD NOT KNOW that this is happening -- there would be no way for FastMail to prevent this data-mining server from capturing all FastMail traffic. However, all content going into and out of FastMail's servers would be encrypted (hopefully with the best encryption standards available), and thus that would also be a very costly exercise for the US government to do, unless they have BROKEN the encryption, or ALREADY HAVE all the encryption keys.

4) A variation of #3 is that the US government can install some other device to capture data upstream from FastMail's hosting provider (which is probably more likely), and neither FastMail NOR FastMail's hosting provider in New York would know about it. And there is nothing we can do about that.

My feeling is that #1 is the way things would probably, most likely happen for specific users the US government wants to track, #2 seems really stupid and foolish for the US government to attempt (although I wouldn't put it past them), and parts of or ALL of #3 seems very possible, based on the news that has been reported. And #4 is probably already happening... again, nothing we can really do about that in our sad situation in this country.

In any case:

#1 is better than other US-connected email providers since at least the paperwork is harder for the US government to go through... in theory. So FastMail is better than other US email providers in this particular scenario. Again, FastMail can't receive a US National Security Letter, which right there is better than all US-based email providers in this specific scenario.

#2 is also better than other US email providers because of the stink it would create. The US government would have to be reckless and desperate for something like this... this is possible, but unlikely to happen. And also, let's face it, this could happen to any service provider in the US.

#3 -- well, there's nothing that can be done about it. Again, this could also happen to any other US-connected service provider, so there's no way around this one. However, FastMail must make sure to use the latest and greatest security standards, which would hopefully not yet be cracked or compromised by the US government... However, there's no way to know the full capabilities of the US government and for all we know, they've compromised whatever encryption standards that FastMail uses... in which case, there's nothing we can do.

#4 - well, I suspect this is already happening, and again, nothing can be done about this except to vote in legislators that will change the laws. That's a long-term battle for the 4th Amendment that will not be solved overnight, sadly.

In all cases, I'm now of the opinion that FastMail is therefore overall AT LEAST just as secure, or likely even MORE secure than their US email competitors, based on the hassle factor alone for the US government. Even though FastMail has their servers in the US, the "cost" of surveillance on them is higher than on a similar US-based business. So to me, that's good news.

HOWEVER, it would be FAR better if FastMail were to provide an option to host our accounts in a better jurisdiction. I don't know for sure what jurisdictions would be ideal (well, at least it's pretty easy to do better than the US for starters!), but I would be happy to pay FastMail for my account to be outside the US.

So hopefully FastMail will consider some additional, safer locations for a batch of servers that we can choose to move our accounts to.

In any case, at least for email providers based in or hosted in the US, FastMail probably is among the safer of the options.

At the very least, FastMail's privacy policy alone is VASTLY SUPERIOR to free email providers like GMail, Outlook/Microsoft, Yahoo, etc.... Mainly because no profile is being built, or used and sold about us, and also because they don't have a standing agreement or perhaps US National Security Letter allowing unfettered access to their servers. FastMail is also treating its email users as the *actual customers*, rather than Google, for example, which treats its email users as a *profile commodity* to sell to advertisers.

So in my view there is a vast difference between FastMail and any free email provider. And also a slight (or maybe not-so-slight) advantage to their US-based paid email competitors.

This is of course opinion only, I look forward to opinions of others about this important topic.
Old 3 Oct 2013, 01:22 AM   #10
Jacinto
Essential Contributor
 
Join Date: Jun 2009
Posts: 395
Hello ioneja.

There is yet another way:

<http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/>

--
Jacinto
Old 3 Oct 2013, 01:59 AM   #11
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
Quote:
Originally Posted by Jacinto View Post
Hello ioneja.

There is yet another way:

<http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/>

--
Jacinto
Very sad -- I've seen that article before and it just makes me sad that we've come to this. I don't want to get political, except by saying we need to change things in the US and vote in some new politicians that will fix this problem. I'll leave it at that. But yes, you're right, it's another vector -- maybe all that can be lumped into a more generalized #4, and #4, sadly, is likely taking place right now, and there's not much we can do about it right now. The Founding Fathers of the US Constitution would be very saddened indeed if they saw what has happened, in my opinion. I better stop there... too easy to get political from this point on... and I appreciate how well this forum is run, so I'll respect the rules... :-)
Old 3 Oct 2013, 07:45 AM   #12
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by Jacinto View Post
Hello ioneja.

There is yet another way:

<http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/>

--
Jacinto
But isn't traffic encrypted between computers & servers, so is router hacking a big threat?
Old 3 Oct 2013, 05:33 PM   #13
Jacinto
Essential Contributor
 
Join Date: Jun 2009
Posts: 395
Quote:
Originally Posted by gardenweed View Post
But isn't traffic encrypted between computers & servers, so is router hacking a big threat?
You would think not, but take a look at this:

<http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?>

--
Jacinto
Old 3 Oct 2013, 07:40 PM   #14
drew
The "e" in e-mail
 
Join Date: Jan 2006
Posts: 2,626
Guys, don't get me wrong. I love to read about what the NSA does and know it is good to share such info, but please start a new thread.

Topic is

Updated privacy policy for Fastmail.

Thanks for creating this thread, Rob.
Old 3 Oct 2013, 11:33 PM   #15
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
External reporting

As per updated Privacy Policy:

Quote:
...
Also, if enabled, emails reported as spam are forwarded on to some external email reporting services. These services aim to help monitor and reduce overall spam on the Internet. Currently the services we report to are Return Path and LashBack. These may change in the future. If you don’t want this, you can disable the reporting in the FastMail advanced settings.
...
Up to now I have not enabled 'External Reporting' in my settings as I don't want external services to be able to know what email addresses I use. However, I'm wondering if it would be beneficial if I did enable such reporting, and also if Fastmail actually transmits users' 'To:' addresses (perhaps Fastmail redacts such data?).

On the updated Privacy Policy as a whole, this must be one of the clearest, most cogent and plain English policies I have read for ages. We really should have a 'thumbs-up' emoticon here.

Ed
All times are GMT +9. The time now is 07:41 AM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy