FM Blog - comparison with Protonmail

[pjroutledge]

New post on the FM blog: Fastmail vs. ProtonMail: A Comparison

Reasonably objective.

To me, key missing bits are:

1. Jurisdiction in which emails and data are stored
2. Comparison of legal obligations that apply in those jurisdictions

I prefer to use a company that complies with local legal obligations, but these vary, of course, from jurisdiction to jurisdiction. Even though Fastmail emails and data may be stored overseas, I think that the Australian Assistance and Access Act would still apply to Fastmail, and it seems more intrusive than Swiss law. Besides, I object to some of the obligations of the Act in principle.

So, although I think Fastmail is in most ways a better service than Protonmail (and other email services), I find myself driven away by legislative rather than function and feature differences.

[ioneja]

Quote:

Originally Posted by pjroutledge

Reasonably objective.

To me, key missing bits are:

1. Jurisdiction in which emails and data are stored
2. Comparison of legal obligations that apply in those jurisdictions

I like Fastmail, and I've been with them for many years, through ups and downs (mostly ups), and I think they are good people and their motivations are good, but the blog post is -- at best -- a nicely written fluff marketing post. It is decoupled from the reality of the situation that they face in the very areas you mention re: jurisdiction, and their marketing IMO has become increasingly out of touch with what they can *realistically* provide with their service in terms of actual privacy. And since the word "privacy" is a vague term that means different things to different people, they are not being dishonest about what they are saying -- but IMO they have to increasingly define down what "privacy" means given their legislative situation, through no fault of their own.

And again, I like the company, I still have accounts with them, and I recommend them to certain subset of my own family and friends who are trying to get away from Google.

But Fastmail and ProtonMail are in totally different categories of email provider. The differences are relevant to not only ProtonMail, but Fastmail also differs in similar fashion to ProtonMail's more direct competitors such as Tutanota, Mailfence, StartMail, Mailbox.org, Posteo, CTemplar, and a handful of others, including even Hushmail to be honest, even though Hushmail still suffers from a serious jurisdiction issue and track record.

And again, just because Fastmail is not in the same category of provider as ProtonMail, doesn't diminish all the good things that Fastmail DOES do very well. All the things that the blog post mentioned about usability and features are generally true. Fastmail is indeed a far more "usable" and "flexible" provider with many more features that are great for lots of use-cases, including super flexible domain usage and technically, they even have built-in free simplistic web hosting (which they didn't mention in the blog post oddly, since that's a highly desirable feature that many people don't know about that deserves attention).

However, when it comes to the things you mentioned about jurisdiction, the differences actually go far deeper than that -- the differences go down to the whole infrastructure, back-end, engineering, purpose, development process and objective of what the companies are trying to do. ProtonMail is -- in theory -- building out an *open-source* *end-to-end encrypted* product that includes email, contacts, calendar, and filesharing. (Not to mention their own VPN network.) This is at the core of why this Fastmail blog post is at best a well-intentioned marketing fluff piece, and if one were to be a little cynical, one could say the blog post is actually misleading about the most important differences.

Now one could find much to fault with ProtonMail's approach and some of their decisions, technically and managerially, but that's a different discussion. The fact that ProntonMail is *attempting* to build such a system -- shortcomings and all -- is fundamentally different than what Fastmail is building. Nothing against either of them... they both serve their purposes well. But when one understands the core difference between the two companies, then it's clear that the overlap of users who might be interested in either platform is actually small, or simply don't understand, or are not aware of the real differences.

But both companies have to reach for the "middle" of the market so they appear in their marketing materials to be more similar than they are different. But in reality they are utterly different.

Now it doesn't help that FastMail is located in Australia with servers in the US and with some support as I understand it, in India. Not good jurisdictions at all. And that's nothing against FastMail's intentions and nothing against the fine people of Australia, the US, and India. It's just the reality. And I think they recently figured out their situation (over the last couple of years in particular) and they want to stay in business for the long haul, so they are coming to terms with Australia and the US, and have to differentiate themselves on features (which they have been doing thankfully by adding great user-friendly features) since they cannot realistically differentiate themselves on the kinds of things that ProtonMail (and ProtonMail's more direct competitors) are trying to do.

Again, I like Fastmail, but we have to see it for what it is, and the sad situation of the trajectory of overreaching, invasive jurisdictions. Given that reality and an understanding of the trajectories of these email services and what they are trying to do, they are not really competitors, except for the middle overlapping part of the market that doesn't understand the differences.

But Fastmail has a great place in the market, is a good provider, with friendly and decent people running it, and a great first consideration for someone wanting to try to escape the world of big tech email like Gmail. It's the first stop I recommend to people wanting to leave the giant metropolis of Google city and it might just be perfect for them.

A read through the terms of service and privacy policies of the two providers will highlight more of these differences.

Quote:

Originally Posted by pjroutledge

So, although I think Fastmail is in most ways a better service than Protonmail (and other email services), I find myself driven away by legislative rather than function and feature differences.

Agreed for the most part. I tend to think of different providers as providing the right tool for the right job, so Fastmail might be the right tool for what someone needs, but it's not the same tool as ProtonMail (and other providers more similar to ProtonMail).

[BritTim]

My own way of looking at this is a little different. I am not one who says "if you have nothing to hide, you have nothing to worry about". Privacy is a valid concern. However, the government having over broad powers to seize you emails seems to me a relatively minor concern if you are neither an Australian citizen nor resident. The Australian agencies are very unlikely to have a motive to search your email account improperly or at all. There will be no political motive except in the very unlikely event that you are friends with certain categories of Australian figures, notably journalists. True, your own country's law force can ask the Australian authorities for assistance, but they need a pretty strong reason to do so.

As a UK citizen who has rarely even visited Australia, I feel any privacy exposures due to Australian legislation are pretty theoretical, and do not worry me. My only major concern with Fastmail is the uncertainty around support, and especially the fact that there is no way (for any amount of money) to talk to a human in the event of an urgent problem.

[TenFour]

Unless you only correspond with people who also use the same encrypted email service there is no gain in privacy, and I have found that exactly zero people I interact with give a fig about this stuff. Just for kicks I tried ProtonMail at one point and it seemed fine as an email service, but I couldn't find anyone willing to even bother trying out encrypted communications. The average person just doesn't care. Look at what they post about themselves on Facebook, Instagram, and TikTok. The average person provides enough information about themselves to social media that it is rather silly to then worry about the theoretical problem that their emails might be read by some government entity.

[ioneja]

Quote:

Originally Posted by BritTim

However, the government having over broad powers to seize you emails seems to me a relatively minor concern if you are neither an Australian citizen nor resident. The Australian agencies are very unlikely to have a motive to search your email account improperly or at all. There will be no political motive except in the very unlikely event that you are friends with certain categories of Australian figures, notably journalists. True, your own country's law force can ask the Australian authorities for assistance, but they need a pretty strong reason to do so.

I totally understand your POV, and given most people's lives, you're right, it won't matter much in a practical sense, at least not right away, they don't follow the issues that are actually impacting their freedoms, which is really the larger question behind why these more privacy-oriented encrypted products were launched, and we can go back 9 years to Snowden for waking some people out of their slumber. A lot of what's happening with these products these days is the marketing stage right now, building market share, using the tools of marketing to get more customers, etc., but most of them started with real concern for what is happening in the profound sense of erosion of certain liberties and invasiveness of even democratically-elected governments.

Some folks bristle at the principle of what these jurisdictions are able to impose on service providers now, or at the mere thought of the chance of getting swept up in a dragnet like so many have here in the US in the last year+. Without getting political, guilty or not guilty, certain groups have been targeted in the US extensively with overly broad warrants and gag orders, and it's very sad IMO to see the erosion of basic rights and due process, doesn't matter which party, which side of the political spectrum to me. Too many examples to share where a warrant, a gag order, and suddenly all your data is sitting in some lawyer's or investigator's (or worse!) database without you knowing about it, and you had nothing to do with anything except be in the wrong place at the wrong time... or even *near* the wrong place at the wrong time. Not to mention people in the media/press/whatever who have their email watched with a gag order for months/years before they find out. If the ACLU and Project Veritas (to reference the most recent example) can have a sense of alarm and/or outrage over the same issues of press freedom, you know something is very wrong. But for most people it doesn't matter, they don't care, or don't know what's happening, and they are perfectly happy as things are, and they go about posting all their brilliant selfies on social media. And so the trend will continue with ever more encroachment. And if some of them feel they need to get away from Google for whatever reason, Fastmail is a good first step for them. It's a good starting point to begin the exit of some of the madness.

Quote:

Originally Posted by TenFour

Unless you only correspond with people who also use the same encrypted email service there is no gain in privacy, and I have found that exactly zero people I interact with give a fig about this stuff. Just for kicks I tried ProtonMail at one point and it seemed fine as an email service, but I couldn't find anyone willing to even bother trying out encrypted communications. The average person just doesn't care. Look at what they post about themselves on Facebook, Instagram, and TikTok. The average person provides enough information about themselves to social media that it is rather silly to then worry about the theoretical problem that their emails might be read by some government entity.

Sad but true. If you don't have people you can correspond with, all that extra "privacy" doesn't mean much! And so true about the amazing amount of personal stuff they post on social media. You're 100% right, and those people are NOT the market for a service like ProtonMail. Or frankly even Fastmail. They're mostly Gmail users.

Not trying to be fatalistic, but obviously for those of us that feel these issues are very important, it can be discouraging to keep on running into the natural tendency of people to carry on as they always have, and not pay attention to the real erosion of certain liberties in some democratic countries, and what that means in the larger sense. And it's easy to just give up and not deal with it. Just accept it, as they say. It's the way that it is. So that's really a different discussion about how one deals with what feels like the inevitable... and does anything really matter, lol. That's a discussion for another forum, probably.

[BritTim]

Quote:

Originally Posted by ioneja

Sad but true. If you don't have people you can correspond with, all that extra "privacy" doesn't mean much!

I have been willing to use PGP with any correspondents who care about privacy for over 20 years, in spite of drawbacks like making it very difficult to search old emails. I can tutor people into doing so very quickly, if they have an ounce of technical appreciation, and it can easily be done while using Fastmail. I have almost never found anyone who wants to take the trouble.

It is worth pointing out that making obvious efforts to encrypt your communications has a bit of a tendency to draw a target on your back. It is liable to invite scrutiny from the intelligence agencies who will wonder why you are one of the rare people who feels the need to hide their communications. Today, in a very high percentage of cases, people who are doing this are up to no good.

[ioneja]

Quote:

Originally Posted by BritTim

I have been willing to use PGP with any correspondents who care about privacy for over 20 years...<snip> I have almost never found anyone who wants to take the trouble.

One of the advantages of the "newer" encrypted services is that they make it even more simple, so if you are a ProtonMail user and can get someone on ProtonMail, for example, it's already taken care of automatically, zero extra effort. The "old" way of doing things had too much of a curve for more casual users to bother.

Quote:

Originally Posted by BritTim

It is worth pointing out that making obvious efforts to encrypt your communications has a bit of a tendency to draw a target on your back. It is liable to invite scrutiny from the intelligence agencies who will wonder why you are one of the rare people who feels the need to hide their communications. Today, in a very high percentage of cases, people who are doing this are up to no good.

I disagree with this, haven't seen any definitive evidence of this, and it's easy to work around the potential concerns. But who really knows? I think it might be an issue depending on your service provider(s) and recipient(s), but if your service provider is flagging you for whatever reason, then you have other problems to be worrying about.

Also, and besides, since most major email providers are using SSL/TLS/etc in between sender and recipient (depending on the services involved), the actual contents of your email are encrypted in transit (regardless of whether or not you're using PGP, for example), so there's no obvious "red flag" to draw attention while in transit, except once the email shows up in an inbox, and again, if your provider is flagging all your PGP-encrypted emails on arrival, you already have a target on your back.

Some services have great little tools built-in to tell if the recipient's email server will receive the email via TLS/SSL, etc. Mailbox.org is the perfect example. When you type in a recipient's email address, Mailbox.org will go and check the recipient's server and tell you BEFORE you hit send -- for example, if you send to Fastmail, it will give you a green thumbs up with the message "SSL ok." If you send an email to a fellow Mailbox.org user, then you'll get an even better thumbs up with "DANE ok".

Also, if you're emailing people in the same service provider (ProtonMail to ProtonMail), your email never goes outside that system anyway, so there's nothing to raise a flag about. And if you're using ProtonMail to send to an external provider in a reasonably decent jurisdiction, like StartMail or Mailbox.org or whatever similar outside the US or other invasive jurisidictions, that email never crosses into the US jurisdiction, for example, and remains encrypted in transit as well, not to mention whatever encryption you've added to the message itself...

And on top of all that, if you're using a good VPN, etc., all your traffic to your email server is one more level removed from potential flagging.

So whatever level of target you might be getting painted on your back can be minimized or eliminated depending on who/where your recipient is and how you connect to your email service.

But yeah, if you're sending PGP encrypted emails to someone using a big-tech US server and someone somewhere in the pipeline or that jurisdiction has reason to believe you or your recipient is up to no good, then it would be easy to flag.

[Terry]

It does not have a lot of the Fastmail features.....also not much storage.

encrypted services.....personally that really does not excite me.

[hadaso]

Quote:

Originally Posted by ioneja

... that email never crosses into the US jurisdiction, ....

Of course this just means a pipeline where the NSA works under much looser regulation...