EmailDiscussions.com  

Old 18 Dec 2015, 03:16 AM   #1
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Fastmail privacy policy: theory & practice

FM's privacy policy says:
Quote:
We hold all of our employees to the highest ethical standards, and this includes not accessing anyone's account without their permission
So far so good & noble.... But I received an email today from a senior FM developer, stating
Quote:
we're reviewing the use of some special personality types at FastMail. I'm emailing you because you appear to be using at least one personality of the special *@* form in your FastMail account.
To make it absolutely clear: I wasn't asked for permission to access my account, and I did not submit a personality-related support ticket.

There is a potential conflict here. I appreciate that FM staff may want to know e.g. how many folks use this or other facility, and the simplest way to do that is to go through all accounts and count :-) On the other hand, such an investigation, BTW quite likely beneficial to the service and users, contradicts the self-imposed privacy rules.

My first, and so far only, conclusion is that in some circumstances sticking to the letter of T&C would cause more harm than good.

Old 18 Dec 2015, 03:55 AM   #2
cptlo306
Essential Contributor
 
Join Date: Sep 2008
Posts: 260
It may depend on how you define 'account'. They may define it as the actual mail storage, not the account configuration settings.
Old 18 Dec 2015, 04:15 AM   #3
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
The fact that Fastmail took the trouble to inform you that they were poking around in your account settings is good.

Most companies (imho) would likely not have bothered.
Old 18 Dec 2015, 05:30 AM   #4
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
I see your point.

What we usually mean by "account" there is your mail/calendar/contact/note/file data, that is, the actual content of your account that you own. The stuff you would want to move in or out when you join or leave FastMail. The stuff you'd be most upset about if it ever leaked out.

What isn't as clear is where other data related to your account fits in. This includes logs that record the activity around your account (logins, mail delivery, notifications), config and settings that define how your account works (which your aliases are), and even more grey things like message headers, which are stored in the same file as the actual message content and contain loads of important and useful information created by us, by you, by your mail client and by every mail server in between.

In your case, it could be argued that there wasn't an "account access". We ran a query against the central alias database, which maps email addresses to numeric user IDs. Your user ID would have been in the output of that query. Did we access your account? Is the distinction at all important?

There's operational concerns here too. Certain header information (From, To, Subject) is logged while mail is in transit for various reasons, mostly to track a message's movement through the system. If I read those logs, is that "account access"? Another fun one that we're dealing with at the moment is mail store replication. We're having to add support for folders with unusual characters so we can move Pobox Mailstore customers onto our infrastructure. That broke a few times (it's been good for a couple of days) which meant we had to find the unusual folder name and figure out how to support it. That was done with logs, but does it count as an "account access", since it's user-created data?

For any given task, if I know there's data available somewhere that can help me complete my task, should I use it or not? What if it's in a message header in a user's account? If it's a task that I do a lot, and I decide to create automated tools to do the work for me, is that then an "account access" by an admin user? What if I go half way and set up an auto-updating index of information I need for this task, and I only look at that?

I'm asking a lot of rhetorical questions. I think I'm trying to make the point that for the most part, it comes down to intent. We've got to keep a service running; you don't want us to touch your data. It's not always possible to satisfy both. Our goal is to minimise those cases as much as possible.

But, all that said, the privacy policy is supposed to be easily understandable by normal people, not a legal definition, so it's important to consider what most people would mean by "account access". If you want the legal definition, then you want the Terms of Service. I would argue that section 2 allows access for this purpose (but then, I'd argue it allows us to do pretty much anything to keep the service working the way it's supposed to. That's legalese for you.)

I'll mention this to the team today to see if there's anything we can do to make the privacy policy clearer without making it harder to understand. Thanks for bringing it up!
Old 18 Dec 2015, 06:05 AM   #5
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
@Rob
I am perfectly happy with your explanation and the privacy policy in general. For Fastmail's own protection, I would suggest a link labeled "small print" that takes people to an explanation like yours above. This covers you against claims of deception while still retaining the clarity of the policy itself.
Old 18 Dec 2015, 03:34 PM   #6
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,945
Thank you, Rob, for your detailed explanation.

IMHO, this extract from your posting
Quote:
Originally Posted by robn
We've got to keep a service running; you don't want us to touch your data. It's not always possible to satisfy both. Our goal is to minimise those cases as much as possible.
perfectly summarises the point of the thread.
All times are GMT +9.