FM tries to challenge Hushmail security

zimmermanfan · 10 Feb 2013, 03:56 AM

From FM's security statement:

https://www.fastmail.fm/help/overview_security.html

We see this quote which FM copied from HM's site:

Quote:

when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order. Smith also says that it only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government whose Justice Department then applies, with sworn affidavits, for a court order."

FM attempts to counter this by saying:

Quote:

A similar requirement applies to FastMail.FM, and as our terms of service state, we won't release any data without the required legal authorisation.

"Legal authorization" is essentially meaningless where FM's servers are based. So the protection in the two services are not similar in the slightest.

Moreover, HM's service requires substantially more effort on their part to disclose a clients email. HM staff must wait for a user to login next (and there's a chance that may never happen), and then they have to sniff the password. It would also be much easier for a rogue FM employee to read past messages.

kijinbear · 10 Feb 2013, 09:03 AM

IIRC there was a long thread a while ago where people talked about FM's definition of "legal authorisation" being too broad. I don't remember whether those particular concerns were resolved, but I do find "legal authorisation" rather vague compared to "court orders issued by the British Columbia Supreme Court". On the other hand, FM is a multinational company with headquarters in Norway, offices in Australia, and servers in the United States. Opera also has other offices in a lot of countries, including a few highly repressive regimes, where I believe they are subject to local laws to varying extents. So I doubt that they can specify a single court that they will obey to the exclusion of all others, unless they made major changes to their corporate and technical structure. In other words, FM is inherently more vulnerable to legal pressure than Hushmail is.

Also IIRC, I heard several years ago that FM's US servers are all encrypted and the keys are kept in Australia, so if anyone unplugged them and trucked them to a three-letter agency, their contents would be unreadable. But that was before the Opera acquisition, so I don't know whether that is true anymore.

hobbes · 11 Feb 2013, 05:49 PM

Quote:

Originally Posted by kijinbear

Also IIRC, I heard several years ago that FM's US servers are all encrypted and the keys are kept in Australia, so if anyone unplugged them and trucked them to a three-letter agency, their contents would be unreadable. But that was before the Opera acquisition, so I don't know whether that is true anymore.

This may be useful in cases of criminal activity, but FM will hand over those keys to three-letter agencies quicker than you can say "internet privacy is a myth".

10 Feb 2013, 09:03 AM	#2
kijinbear Cornerstone of the Community Join Date: Mar 2011 Location: ~$ Posts: 652	IIRC there was a long thread a while ago where people talked about FM's definition of "legal authorisation" being too broad. I don't remember whether those particular concerns were resolved, but I do find "legal authorisation" rather vague compared to "court orders issued by the British Columbia Supreme Court". On the other hand, FM is a multinational company with headquarters in Norway, offices in Australia, and servers in the United States. Opera also has other offices in a lot of countries, including a few highly repressive regimes, where I believe they are subject to local laws to varying extents. So I doubt that they can specify a single court that they will obey to the exclusion of all others, unless they made major changes to their corporate and technical structure. In other words, FM is inherently more vulnerable to legal pressure than Hushmail is. Also IIRC, I heard several years ago that FM's US servers are all encrypted and the keys are kept in Australia, so if anyone unplugged them and trucked them to a three-letter agency, their contents would be unreadable. But that was before the Opera acquisition, so I don't know whether that is true anymore.