FM's privacy policies inconsistent, insufficient

[William9]

I wonder about the authority of Australian Law when the data (evidence) exists on hardware in the United States.

[mariner]

Thanks, Jeremy, for commenting on all this.

Quote:

Originally Posted by Jeremy Howard

In practice, we are under Australian jurisdiction, and therefore comply with Australian privacy law, which doesn't let us release emails to a 3rd party other than to Australian law enforcement after receiving a warrant

If this is how it is in practice, this is what the policy should say.

Right now it says, for example, that FM can “monitor, edit, or disclose any personal information” whenever FM “has a good faith belief that such action is necessary to ... (4) act to protect the interests of its members or others.”

Quote:

(or other more obscure situations such as under the UN charter).

I think all these situations should be listed in the policy, incidentally: when it comes to legalities, the devil’s in the details.

Quote:

Our own staff is allowed by law (and the policies) to view user data (including emails) if required for the operation of the service …. We also may need to sometimes change data …. These are examples of situations where we view or edit data in the interests of customers, and is why we specifically include that permission in our policies

That is why, as I proposed at the start of this thread, monitoring and disclosure should be spoken of separately.

Quote:

I have seen in the last 10 years many examples of service providers which haven't had broad enough language in their policies, and have ended up stuck in nasty situations where, for instance, they can't terminate spammers

This, however, has nothing to do with the privacy policy.

Quote:

FastMail's practical approach to user privacy has always been (as long-term customers will be well aware) to be extremely protective of customer privacy.

Do you understand why this informal assurance — particularly when it is directly contradicted by your official policies — is not good enough for many people? For example:

Quote:

Originally Posted by Sherry

As long as you and Rob are still owners I have no reason to worry as it's you guys I have learned to trust through the years.

FM might be sold. If the policy were guaranteed to only become more protective of our privacy (like rsync.com’s, as I mention at the top of the thread) — inasmuch as compliance with the law allowed it — then the new owners would be bound by that. If it merely guaranteed specific notification of any changes, this would be a valuable safeguard in itself.

Further, at present, any FM employee could use the absurdly broad rights the policy formally reserves to the company. (The fact that the person might get fired afterwards is of little comfort to me.) Finally — and most significantly — absolutely trusting someone’s ethics is not the same as absolutely trusting their judgement. FM’s policy shouldn’t ask users to rely on anyone’s judgement but that of the courts.

Again, the solution to this is simple: FM’s privacy policy should enshrine the excellent practices that Jeremy has discussed here.

[ReuvenNY]

All the issues Jeremy discusses here have to do with privacy. There is another thread discussing Term of Service, where we would welcome Jeremy's input- http://www.emaildiscussions.com/show...5&postcount=48
and the thread itself:
http://www.emaildiscussions.com/showthread.php?t=59173

[mariner]

Quote:

Originally Posted by ReuvenNY

All the issues Jeremy discusses here have to do with privacy.

Indeed, this thread is all about privacy. Yet, in justifying FM’s wide-open disclosure policies, Jeremy raises the issue of being able to “terminate spammers.” This is conflating separate issues.

I’m not accusing him of sneakiness! Instead, it makes me wonder if he and Rob are considering these legal matters with the thoughtfulness that they apply to the service itself.

Similarly, his comment that "Our own staff is allowed by law (and the policies) to view user data (including emails) if required for the operation of the service” is reasonable in itself — but it also shows how the privacy policy mixes up internal monitoring with disclosure to people outside of FM.

It seems careless, really — though in a way that’s perfectly fine from FastMail’s perspective. As I wrote earlier,

Quote:

Originally Posted by mariner

it is always easier to have a loose policy and try to be better than your word, as I assume FM has done, than to have a strict policy along with its attendant liability. But that approach isn't good enough these days, and it's far below the standard of quality that FM has set for itself generally

And that’s the issue. FM is so attentive and innovative when it comes to security issues, and yet its policy on disclosing customer data isn’t just too loose — it’s also a jumble. The solution is an easy one: if you only disclose data when you are legally required to do so, just say so!

[tehsux0r]

First, I'd just like to say that I agree 100% with mariner's sentiments and postings on this. There's nothing alarmist or unreasonable about his/her comments, and I'm seriously reconsidering my subscription for the reasons stated.

It seems a lot of people are happy to simply trust on an informal basis, and I think some of that has to do with how they use the service (e.g. whether or not they retain e-mail historically on FM's servers via IMAP).

I'd like to thank Jeremy for his post, and respond to a couple of his points:

Quote:

Originally Posted by Jeremy Howard

The only thing mentioned here that is new is the phrase "unless otherwise required or allowed by law" - this phrase was necessary because otherwise it could be argued that we were not permitted to respond to police requests (that we are legally required to respond to), which would put us in a no-win situation.

I don't see how the word "allowed" is necessary unless there's a distinction between the illegality of refusing a police request and the phrase "required by law". In any potential situation, surely you're either required by law to disclose (possibly because the police requested it), in which case the word "allowed" overreaches, or you're not, in which case it's unnecessary.

If "required" is too strong, then change it to "required by law or by a request from law-enforcement personnel". "Allowed" has no reason to be there, no matter what the local law.

Quote:

Originally Posted by Jeremy Howard

In practice, we are under Australian jurisdiction, and therefore comply with Australian privacy law, which doesn't let us release emails to a 3rd party other than to Australian law enforcement after receiving a warrant (or other more obscure situations such as under the UN charter).

Great! Put this in the TOS. By leaving this out, you're selling yourselves short by failing to tell us where you stand on this issue (except in postings to forums) and giving Australian law all the credit for your own ethics, as well as forcing your customers to be lawyers in order to interpret the TOS.

Quote:

Originally Posted by Jeremy Howard

Interpretation of the phrase "unless otherwise required or allowed by law" is only meaningful if you actually understand Australian law - and if you do you'll realise that the law here is very stringent. Further, it must be read in conjunction with the privacy policy, which adds additional limitations on how data can be used.

As I wrote above, I don't see a meaningful distinction between a legal requirement and a request that you're legally bound to obey, but maybe I'm ignorant here.

The point stands that there are plenty of other wordings that would work without being so far-ranging, and there's no harm in duplicating key provisions of the law in the TOS for clarity. Right now, your customers have to not only be lawyers, but synthesise *three* documents (TOS, privacy policy, the law) in order to understand their basic rights under the service. Doesn't this strike you as needlessly opaque?

Furthermore, even if one is a lawyer, it's not clear how to interpret a conflict between the TOS and the privacy policy, because they exist in isolation without clear rules of precedence. Where are the "unless prohibited by our privacy policy" phrases in the TOS?

Quote:

Originally Posted by Jeremy Howard

Our own staff is allowed by law (and the policies) to view user data (including emails) if required for the operation of the service. We sometimes have to do that, for instance where a customer asks us to look at their account to debug a problem. We also may need to sometimes change data - for instance if a bug caused a mailbox to become corrupt, or if someone asks us to restore from a backup. These are examples of situations where we view or edit data in the interests of customers, and is why we specifically include that permission in our policies (and have always done so, IIRC).

Of course - it would be ridiculous to try to operate a service without permission to operate that service! That's not at issue, and no-one ever suggested that it was. The problem is that these operational permissions are currently conflated by the TOS with a whole bunch of other unrelated things.

I would hope, for instance, that editing of my data for operational reasons would be notified to me in case it affects the meaning of an important message, or that disclosure for operational reasons would be minimal and to specific partners rather than just anyone.

I understand that you want to avoid redrafting the TOS and privacy policy too often, and the current wording achieves the aim of being relatively future-proof, but in doing so it also makes no overt assurances whatsoever about the safety and privacy of our data. As I said on the other thread, FastMail has enormous power over me by virtue of holding my e-mail history, and it's not unreasonable to expect formal assurances, in the TOS, that that power won't be abused.

Quote:

Originally Posted by Jeremy Howard

I have seen in the last 10 years many examples of service providers which haven't had broad enough language in their policies, and have ended up stuck in nasty situations where, for instance, they can't terminate spammers, due to the limitations of their policies. During this time, our policies (which have remained pretty much unchanged except for minor tweaking) have worked very well - we've been able to comply with Australian law enforcement requests, and have always denied international requests (as required by law).

FastMail's practical approach to user privacy has always been (as long-term customers will be well aware) to be extremely protective of customer privacy. The minor tweaks to the policy announced this week do not change this.

Indeed - I've been very pleased during my years of FM subscription so far. I understand your concerns about avoiding the problems you've seen elsewhere, but this is too far the other way.

Our relationship is too unequal for me to take *everything* on trust like this, and I do trust the current management and culture (as much as is possible with a contract worded this way). What happens if management or ownership changes, though? By agreeing to these terms now, I'm giving a future regime licence to irreparably abuse the TOS without giving me time to get my data off FM's servers.

[downset]

i strongly agree with tehsux0r and mariners statements

its not about what will happen, i am fairly confident fastmail will never abuse my private data, its about the principle of giving up control over my private data where there is no need to

the ultimate consequence of the people who keep repeating to not worry is that in the end nothing is private a trend that is actively developed and supported by two of the largest data-"herders" in the world google and facebook

they rely on two trends in society to achieve this goal. first there is the relative illiteracy of people when it comes to digital privacy (people would be more concerned if they understood the implications), and second there is the "if you have nothing to hide there is nothing to worry about" mantra

i don't believe fastmail have the same goals as google or facebook, i.e. they don't actively support and encourage these trends

i do believe like mariner said that they use a loose policy out of laziness, just to very broadly cover any problem that might arise so it would be more convenient for them to solve it

I can't possibly make fastmail's business case for them, but i would suspect a fair amount of their users pay for their email at fastmail because they don't like google's policies concerning privacy and use of our private data, i would think that creating a strong and secure TOS like mariner suggested would bring them extra
customers

I have been looking for a long time to replace my own email servers with a trustworthy solution (so i don't have to put in the effort to keep them running). And although fastmail is perfect from a technological pov, the above keeps me from changing over to them.

[hobbes]

Quote:

Originally Posted by downset

its about the principle of giving up control over my private data where there is no need to

If you want someone else to store and serve your private data, you by necessity give up control. Why can't you see this?

Quote:

I have been looking for a long time to replace my own email servers with a trustworthy solution (so i don't have to put in the effort to keep them running).

If you want control over your private data, keep putting in the effort to run your own mail servers.

[mariner]

Something that slipped by earlier:

Quote:

Originally Posted by Jeremy Howard

… Australian privacy law, which doesn't let us release emails to a 3rd party other than to Australian law enforcement after receiving a warrant (or other more obscure situations such as under the UN charter). [The addition] … is only meaningful if you actually understand Australian law - and if you do you'll realise that the law here is very stringent.

First, I don’t think a customer should have to “understand Australian privacy law” in order to understand even in a general way what privacy FM affords them.

But more to the point: you say the law is strict, but don’t you see that you and your customers have abrogated this strictness by means of private contract? You have explicit permission from all customers to disclose anything to anyone if you think it would be a good idea. Once the customer has given you that authority, why would the law forbid you from exercising it?

[mariner]

Quote:

Originally Posted by hobbes

If you want someone else to store and serve your private data, you by necessity give up control. Why can't you see this?

You give up some control. How much depends on the wording of your contract. And there are other providers (as I state at the end of the first post) that offer much more customer-friendly contracts in this regard than FM does.

[tehsux0r]

Quote:

Originally Posted by hobbes

If you want someone else to store and serve your private data, you by necessity give up control. Why can't you see this?

If you want control over your private data, keep putting in the effort to run your own mail servers.

This line of argument isn't really helpful to the discussion because it gets us nowhere. It's equivalent to "if you want a job done properly, do it yourself" or "if you don't want to be let down, never trust anyone". That attitude might be true in the strictest, most cynical sense, but it doesn't help us to draw boundaries of acceptable behaviour in a society *built* on trust relationships, a society where I don't have to become a specialist in car repair, electrical engineering, music, construction, waste disposal, computer programming, food farming, film production, and every other field the fruits of which I would like to enjoy once in a while.

I understand your reasoning, and it has validity up to a point, but it's not helpful in a commercial setting. If I'm expressing concerns about food hygiene in a restaurant, it's very easy to say "if you don't want your food poisoned, then don't eat out", but it's not helpful because the only general way to apply this philosophy is for us all to stop exchanging goods and services and go home.

Quote:

Originally Posted by downset

I can't possibly make fastmail's business case for them, but i would suspect a fair amount of their users pay for their email at fastmail because they don't like google's policies concerning privacy and use of our private data, i would think that creating a strong and secure TOS like mariner suggested would bring them extra
customers

I think this is true for me - I like using a mail client rather than Webmail where possible, but were Google's privacy not so bad, I would probably have made the effort to adapt by now.

[hobbes]

Quote:

Originally Posted by tehsux0r

This line of argument isn't really helpful to the discussion because it gets us nowhere. It's equivalent to "if you want a job done properly, do it yourself" or "if you don't want to be let down, never trust anyone". That attitude might be true in the strictest, most cynical sense, but it doesn't help us to draw boundaries of acceptable behaviour in a society *built* on trust relationships...

But, there's the irony. Such terms of service are required because there are some people who would sue the shirt off of Fastmail's back. If society was really based on trust, as you imply, such legal protection, enshrined in the TOS and Privacy Policy, would not be required. Fastmail, unfortunately, cannot trust some members not to drag them through a court.

[Sherry]

Quote:

Originally Posted by hobbes

But, there's the irony. Such terms of service are required because there are some people who would sue the shirt off of Fastmail's back. If society was really based on trust, as you imply, such legal protection, enshrined in the TOS and Privacy Policy, would not be required. Fastmail, unfortunately, cannot trust some members not to drag them through a court.

Well said hobbes. If a person understands the need of such terms from certain type businesses then the next step is if you feel you can trust the business. Either by referrals or taking a chance making sure you have the best backup you can think of on a just in case basis. Like if a company goes belly up you should have a full backup of all important email. Or if your email got into the hands of a third party I, personally, think it shouldn't be so vitally private that the results could be disastrous. After all, we're talking about "email", which I don't think has ever been concluded that anything in email is totally private. I would think that if it is necessary to be completely private a person wouldn't even use email for it but would use snail mail or phone or in person...

Sherry

[David]

Quote:

Originally Posted by hobbes

But, there's the irony. Such terms of service are required because there are some people who would sue the shirt off of Fastmail's back. If society was really based on trust, as you imply, such legal protection, enshrined in the TOS and Privacy Policy, would not be required. Fastmail, unfortunately, cannot trust some members not to drag them through a court.

The real irony is that although Fastmail does not trust its members, it demands (by way of it's privacy policy) that its members trust them.

[mariner]

Quote:

Originally Posted by hobbes

If society was really based on trust, as you imply, such legal protection, enshrined in the TOS and Privacy Policy, would not be required.

I do not really know most of the people I do business with. In business relationships, then, it is necessary to rely less on personal trust than on participants' enlightened self-interest. Contract law is a part of this: the threat of financial loss, through a lawsuit or some penalty provided for by the agreement, restrains the behavior of the participants.

Quote:

Fastmail, unfortunately, cannot trust some members not to drag them through a court.

This is what contracts are for. But contracts are supposed to provide for a balance of interests. What I object to is that FastMail has set forth a contract that is weighted entirely in its favor. I pay FastMail for a service — and then FastMail can either give me service or not, or hand over my email to anyone, or not, at whim.

Naturally, if FastMail treated lots of people badly, they’d receive poor publicity and their business would suffer. But there’s nothing to stop a good-sized business from severely letting down only certain people. It happens all the time. This is particularly true when it comes to privacy: how many people would be involved in a gratuitous disclosure? Would those people ever even find out? And, of course, there are customers like Sherry, who seem as though they wouldn’t really mind.

But some customers, as we see, do mind.

Rob and Jeremy are businessmen, providing a service: it is their responsibility to prepare a contract that both allows them to operate and also is satisfactory to their paying customers.

[mariner]

Quote:

Originally Posted by Sherry

Well said hobbes. If a person understands the need of such terms from certain type businesses

No, I don’t understand this need. In fact, this need doesn’t actually exist! If it did, companies with good terms, like HushMail, would be out of business.

Quote:

Or if your email got into the hands of a third party I, personally, think it shouldn't be so vitally private that the results could be disastrous.

That is indeed a personal opinion; and it’s one with which I, and a lot of other people, disagree. That includes businesspeople, NGOs, political dissidents, sexual minorities, and people who have a higher standard than “non-disastrous” when it comes to the security of their correspondence. Besides, plenty of people just plain like their privacy.

Quote:

I would think that if it is necessary to be completely private a person wouldn't even use email for it but would use snail mail or phone or in person

The reason you think of snail-mail and telephones as “completely private” — that is, private until the proper authorities make a lawful demand — is that this is what contracts and the law provide for! FedEx can’t just open your package at will and throw it in the lake: that’s in the contract. The postman won’t hand over your letters just because someone in a suit asks for them: they’d both go to jail.

There is no reason that our email could not be afforded similar privacy, at least as regards FastMail’s policies.

(The question of what governments may demand, when it comes to email, is separate — but it’s also a moot point, if we’ve already agreed with FastMail that they can show our email to anyone at all, with or without any lawful demand.)