FM's privacy policies inconsistent, insufficient

[Sherry]

Quote:

Originally Posted by mariner

This is particularly true when it comes to privacy: how many people would be involved in a gratuitous disclosure? Would those people ever even find out? And, of course, there are customers like Sherry, who seem as though they wouldn’t really mind.

I'm not sure how you feel I wouldn't mind dealing with people involved in gratuitous disclosure unless it's just because I don't completely agree with you??? I would mind that very much but I do want to do email so I needed to find someone to do it with. Some may sign up with a company that has very good TOS and Privacy policies. However that doesn't mean your private info won't get out "behind the scenes". They or their employees may be reading your email or they could suddenly go belly up leaving you stranded or reveal info to other companies for a profit all of that done behind your back in a way you may never know about it. Just because I feel FM will never do that doesn't mean I wouldn't mind it if they did!!! (but I had to trust somebody so, after some time, I chose FM)

Sherry

[mariner]

Quote:

Originally Posted by Sherry

I'm not sure how you feel I wouldn't mind dealing with people involved in gratuitous disclosure

I apologize: "mind" is a pretty low bar. I was referring to your remark that people shouldn't use email for relatively "vital" matters because they shouldn't reasonably expect privacy from it. I gathered that you don't entrust to email anything you you'd be too upset to find out had been disclosed.

Quote:

a company that has very good TOS and Privacy policies. […] They or their employees may be reading your email or they could […] reveal info to other companies for a profit all of that done behind your back

Yes, but this is much less likely to happen if there is a risk of a lawsuit. In some jurisdictions, if the contract is written properly, there would also be a risk of prison!

Let's not make the perfect the enemy of the good. For example, FM will never find somewhere to put its main servers that offers a 100% uptime guarantee: that's impossible!¹ But this doesn't mean they're just going to forget about the issue: they're going to insist on a guarantee that's as close to 100% as possible.

(Imagine if the company that manages FM's servers told Rob and Jeremy, "Well, in practice we have really great uptime, but we don't make any guarantees about it because someone might sue us"!)

No, there's no such thing as perfect privacy. But it's a long, long way between "perfect" and the situation for FastMail users.

________________
¹ Actually, on one page, the company FM uses does state that it "guarantees 100% uptime," but that's clarified by the words "near-perfect availability” lower down. The actual figure is probably 99.999%, as advertised on the front page — which is still "Almost perfect … but not quite"!

[aaronlawrence]

This is all nice in discussion and all, but I think there are a few good basic points, and I'm still waiting for Fastmail to respond. Have they done so to you personally, Mariner? Have you contacted them directly?

[mariner]

Quote:

Originally Posted by aaronlawrence

This is all nice in discussion and all, but I think there are a few good basic points, and I'm still waiting for Fastmail to respond.

I feel the same. In his reply, Jeremy seemed unaware that the issue under discussion is not the few added words: it's the policy as a whole, which is why this thread is eight months old and barely touches on the new text. I can maybe understand being too busy to read the whole thread — but to not even read the original post?

Quote:

Have they done so to you personally, Mariner? Have you contacted them directly?

No, I've heard nothing; and yes, I wrote them a message, a week ago today at the proper address. It was to the point, it was civil (though strongly worded, because after eight months I am frustrated) and it included a link to the start of the thread. Any paying customer should have gotten at least a brief personal reply, but the fact that I've been with FM for several years and have an Enhanced account makes the silence particularly off-putting.

I can't understand this. If it's not a priority for them, why not at least say so? What do they think happens to your customers when you blow them off?

Meanwhile, if they'd take a stand and adopt a strict privacy policy like some other service-providers have, I'd be pitching FastMail to everyone I meet. And I agree with downset, who supposes that “creating a strong and secure TOS like mariner suggested would bring them extra customers.” These days, that would be a real differentiator! For example, as a recent study has shown, young people do want their privacy — but they think they have more than they really do. Why not become the go-to email service for law-abiding citizens who value their privacy: with their fantastic security options, FastMail is halfway there!

(See? Even when I’m irritated at FastMail, I love FastMail. And yet, here I am about to switch providers.)

[tehsux0r]

Quote:

Originally Posted by hobbes

But, there's the irony. Such terms of service are required because there are some people who would sue the shirt off of Fastmail's back. If society was really based on trust, as you imply, such legal protection, enshrined in the TOS and Privacy Policy, would not be required.

At the risk of getting sidetracked... What do you think you're doing when you use money to pay for something? Money is just a piece of paper, but there's an agreement that it's worth a certain amount in terms of real goods or services, and that agreement leads everyone to trust that when they accept money in exchange for something, they'll be able to exchange that money for something else of equivalent real value later.

When you give your money to a bank, you also trust that you'll get it back at some point. You might not trust the bank entirely, but using a bank requires that you at least trust the overall system - even if the bank screws you, you have legal recourse to pursue it for the money. Society is therefore demonstrably and irrefutably built on trust - without it, exchange would break down and we'd all have to specialise in *everything* individually.

Quote:

Originally Posted by hobbes

Fastmail, unfortunately, cannot trust some members not to drag them through a court.

If someone really wants to take them to court, they'll have to defend themselves there or face a default judgement. There's no other choice. The best a hostile contract like this can do is expedite the litigation process, but it can never prevent it. Trying to eliminate absolutely any risk of court action through excessively protective contracts is an exercise in futility and bad PR.

Beyond a certain point, placing a contract further towards the hostile end of the spectrum doesn't significantly reduce actual risk, but can send unintended messages. A contract that uses language precisely and doesn't mix up separate issues like operation of the service for legitimate users with other things like terminating spammers would serve its purpose perfectly well without making honest customers feel like they have no assurances. Fastmail has an established business serving countless customers, and this kind of excessive aversion to perceived risk is neither appropriate nor proportional; worse, it smacks of a lack of confidence in the quality of their service.

I'm not arguing to eliminate all discretion from the TOS - that's not practical. Discretion needs to be in there, but in one or two specific places. You state legitimate reasons for termination or disclosure of information (e.g. "abuse") and you then define those terms with a hefty amount of discretion to cover yourself (e.g. "any action that affects the quality of service of our other customers or other Internet users").* The difference between the two is that actions taken under that kind of contract can be analysed by a reasonable observer, whereas the current TOS admits absolutely no analysis, because anything can be done for any (undisclosed) reason. For customers who care about their data, that kind of accountability matters.

* Please don't nitpick my example. It's there only to illustrate different approaches.

Edit: I appreciate hobbes and Sherry taking the time to defend Fastmail here, but I'm not here to argue hypotheticals with other customers - if you guys are happy with the TOS the way it is, great. I'm here to find out whether anybody else feels the same as I do, and try to get my message across to FM's management. If they're happy to let myself and other customers go because we can't accept terms like this, that's fine, but I'd like to hear it from them.

[mariner]

Oh, and this is an important question:

Quote:

Originally Posted by William9

I wonder about the authority of Australian Law when the data (evidence) exists on hardware in the United States.

If something is physically in America, the American government can go after it, no matter in the world the owners are. (Embassies excepted, obviously.)

What would happen if someone showed up at NYI, in New York, where FM's servers are located, and kindly asked to have a look? (I mean, as opposed to showing up with a subpoena.) I searched the website and could not find a relevant privacy policy; perhaps it differs depending on the client. Certainly, this should be made available to us. If their policy allows disclosure in the absence of legal compulsion, FastMail should see if NYI will modify their contract to forbid this.

(I was going to wait to bring this up until Rob & Jeremy had responded to more fundamental points, but, if we do get a reply from them, who knows if it'll be the last one or not!)

[Sherry]

Quote:

Originally Posted by tehsux0r

If someone really wants to take them to court, they'll have to defend themselves there or face a default judgement. There's no other choice. The best a hostile contract like this can do is expedite the litigation process, but it can never prevent it. Trying to eliminate absolutely any risk of court action through excessively protective contracts is an exercise in futility and bad PR.

FM's lawyers may not have written things the way they did to "eliminate" or prevent FM from being sued. Using your bank as an example, if I was unhappy with what they've done with my money I can hire a lawyer and sue them as, at least in the US, you can sue anyone for anything. While the legalities are being worked out other bankers can continue using the bank without interruption. With FM (and other types of services) the need to take "immediate" action may be necessary so the rest of the users can continue using the service without interruption to them. So it may be written that way just to make sure they can legally stop someone from using the service right away?

This is not a post to "nitpick" yours or to argue with you in any way. It's just to give another side for those reading this thread to consider and decide for themselves.

Quote:

Edit: I appreciate hobbes and Sherry taking the time to defend Fastmail here, but I'm not here to argue hypotheticals with other customers - if you guys are happy with the TOS the way it is, great. I'm here to find out whether anybody else feels the same as I do, and try to get my message across to FM's management.

Since you mentioned me personally I thought I'd respond to this. If those who feel differently than you do not post those feelings then this thread would be all negative and totally one sided. As it is, those who feel the same as you do post and I have a feeling FM is reading every word of every post so they probably do know how you and others feel about it? (but I could be very wrong on this point)

Sherry

[mariner]

Quote:

Originally Posted by Sherry

With FM (and other types of services) the need to take "immediate" action may be necessary so the rest of the users can continue using the service without interruption to them. So it may be written that way just to make sure they can legally stop someone from using the service right away?

Sounds reasonable to me — but this does not have to do with the Privacy Policy. It has to do with account cancellation and therefore the TOS. You might want to make your point in the thread devoted to the TOS (which is also waiting on a reply from Rob and Jeremy).

[Sherry]

Quote:

Originally Posted by mariner

Sounds reasonable to me — but this does not have to do with the Privacy Policy. It has to do with account cancellation and therefore the TOS.

Whoops, you're right. Sorry about that. I've got to keep the two threads separate in my mind so I don't respond in the wrong way again. Thanks for pointing that out.

(Just as a teeny weeny defense for the post I should say that it was in response to a point made by tehsux0r)

Sherry

[downset]

Quote:

Originally Posted by Sherry

After all, we're talking about "email", which I don't think has ever been concluded that anything in email is totally private.
Sherry

why not? who decided this?

The reasons companies like google and facebook can get away with violating users privacy, and the reason why FM is allowed to have such broad terms that it could violate our privacy for whatever reason it sees fit is because the laws are hopelessly behind modern times.

There is no reason whatsoever why digital service providing companies should have anymore or any less rights than the postal office or fed-ex

There is no difference between email or snail mail besides the technological implementation. In both cases i trust a third party to handle and deliver my mail, there is no good reason why one of them should be considered private and protected by law and the other "free for all" whenever the service provider feels like it.

Most people think of email as just as private as snail mail, and when people notice that it's not the outrage is usually pretty big (e.g. the google buzz fiasco).

There is an urgent need for laws that protect our digital privacy on an equal level to our non digital privacy, obviously companies can not be trusted with this responsibility as they will use the freedom to abuse users (like facebook does) or leave all options open like FM has right now.

I can hardly imagine that you would stick to your standpoint if someone would make your email public, i.e. all your contacts and conversations.
I cannot believe that everything in your email is so broad and innocent that it might as well be public. I know for a fact that my email contains medical stuff only my doctor should know, work related stuff only my company should know, private stuff that only my wife should know. If there is not one example like this in your case i wonder what you use email for?


i should add that this is in no way an attack against fm, but more a plea to fm to change there privacy policy so we are guaranteed the privacy we now only have as a promise.
I think non of us debating the pro privacy standpoint here would bother to do the same at google or facebook, i feel that fastmail is marketed as a quality alternative to google and they should go all the way in offering what google can't and won't.

[David]

Quote:

Originally Posted by downset

why not? who decided this?

It's a fact actually downset...... outright privacy is actually impossible (and a myth) with email (unless you encrypt your messages yourself) - while I would definitely prefer that Fastmail modify their privacy agreement (to insure fairness for all parties) I would never include in any email, information that could cause me any problems, or that might harm me personally (in any way shape or form) if it were released to anyone and all later on.

[mariner]

Quote:

Originally Posted by downset

The reasons companies like google and facebook can get away with violating users privacy, and the reason why FM is allowed to have such broad terms that it could violate our privacy for whatever reason it sees fit is because the laws are hopelessly behind modern times.

There is no reason whatsoever why digital service providing companies should have anymore or any less rights than the postal office or fed-ex.

Well, the Postal Service is a government entity, and the government can’t violate our reasonably expected privacy. (Obviously I’m speaking in terms of the American legal system.) That’s how the law needs to be updated: with respect to the government. FedEx, being private, is different. As far as I know — I’m no lawyer! — there is no specific law restraining a private shipper from opening your package. What would restrain them is the terms of their contract with you. And I think the reason for the poor attitudes of online businesses in this area is that we, the customers, have not insisted enough on better attitudes, codified in better contracts.

When it comes to Facebook and Google, customers can’t have their cake and eat it too: they want these companies’ services at no charge, but the companies aren’t charities. Something has to give, to some extent. FM’s business model, though, doesn’t depend on showing us targeted advertisements or telling Calvin Klein what music we like to listen to. After all, we’re paying them, with actual money. All that’s missing here, it seems, is will.

Quote:

Originally Posted by David

outright privacy is actually impossible (and a myth) with email (unless you encrypt your messages yourself)

True, but even PGP encryption could be called a myth, unless I (learn to program and) examine the code for myself; and each time I use it I checksum the software on a fresh system; and even then there are TEMPEST attacks …. Thus the name “Pretty Good” Privacy. Considering FM’s authentication options, and with connections protected by SSL — sometimes all the way through to the recipient — and considering the enormous number of messages passing over the wire: if FM had a top-drawer privacy policy, I’d feel almost as secure with them as I do with the Postal Service. You might say I’d feel Pretty Good about things. As it is, though, I don’t: to me, it’s as if they’ve barricaded the front door with the fridge but left the back door swinging open.

I don’t object to your caution, and to some extent I share it: bits are harder to retain control of than is paper, and who knows where my friend might accidentally forward my joke about the boss. But I think there’s a substantial difference between FM with and without a good policy.

[hobbes]

Quote:

Originally Posted by mariner

if FM had a top-drawer privacy policy, I’d feel almost as secure with them as I do with the Postal Service.

If you can't tell the difference between these two kinds of service, then you will never understand the need for TOS/Privacy Polices of FM and others.

I'm done with this thread, but it's been fun.

[mariner]

Hobbes,

I don't understand why you compose some of your messages as though the people you're replying to are idiots (when this is obviously not the case) and beneath your serious attention.

Quote:

Originally Posted by hobbes

If you can't tell the difference between these two kinds of service, then you will never understand the need for TOS/Privacy Polices of FM and others.

I can distinguish many differences. To be plain, I was positing an analogy in response to downset's comment; specifically, in response to his reference to "outright privacy." I'm sure you know that an analogy does not have to correspond the thing analogized in every aspect, but only in those aspects relevant to the discussion. In this case, the relevant aspects are that both email and postal mail transmit information, that neither one is secure "outright" (i.e. perfectly), and that I have an impression of each as far as its degree of security is concerned.

Quote:

the need for TOS/Privacy Polices of FM and others.

Privacy policies as permissive as FastMail's are not a need. The proof is that other serious service-providers operate under far more restrictive policies.

[tehsux0r]

Quote:

Originally Posted by Sherry

FM's lawyers may not have written things the way they did to "eliminate" or prevent FM from being sued. Using your bank as an example, if I was unhappy with what they've done with my money I can hire a lawyer and sue them as, at least in the US, you can sue anyone for anything. While the legalities are being worked out other bankers can continue using the bank without interruption. With FM (and other types of services) the need to take "immediate" action may be necessary so the rest of the users can continue using the service without interruption to them. So it may be written that way just to make sure they can legally stop someone from using the service right away?

That's a good point, but there are two flaws:

1. They can do anything they like anyway until a court determines otherwise, so a contract with reasonable terms certainly wouldn't restrain them from acting against spammers in the short term;
2. There are plenty of ways to word things, as I said before, in a way which gives FM discretion over what they define as abuse or spamming *without* conferring absolute power to make arbitrary decisions. A contract like that would still allow them to do anything necessary to stop abuse, but the logic behind a decision would have to be in some way justifiable. As it stands, the contract provides for any behaviour at all with no justification and no analysis.

Quote:

Originally Posted by Sherry

Since you mentioned me personally I thought I'd respond to this. If those who feel differently than you do not post those feelings then this thread would be all negative and totally one sided. As it is, those who feel the same as you do post and I have a feeling FM is reading every word of every post so they probably do know how you and others feel about it? (but I could be very wrong on this point)

Sherry

I really don't know! I sent an e-mail to the privacy address yesterday giving my forum user-name, and all I've had back so far is a brief reply to the effect that it's a long thread full of analysis by people not qualified in law. Apparently going through the thread looking for "tehsux0r" was more effort than anyone was willing to spend, so goodness knows whether anybody's read the whole thing.

Before I reply to your other points, I want to say that I really *don't* want you or anybody else who doesn't share my concerns to feel unwelcome or that your contributions aren't valued. That said, we're *not* on opposing sides here because what we're asking for can't possibly harm you, even if you don't agree the need for it. That's why I think it's inappropriate for us to argue back and forth too much, because it might lead FM's management to dismiss this on the basis that it's just a debate among customers.

My aim here is to communicate my concerns to FM management, and inspire anyone else who doesn't have an opinion to look more closely at the TOS and decide for themselves, not to take a side based on our exchanges.

If the thread is one-sided, it's because so far we *have* been almost completely ignored by FM. If our criticisms seem negative, it's only because FM have done nothing about them. I'm here to be constructive; if the people I'm addressing don't want to acknowledge what I'm saying, then the overall thread might well reflect negatively on them for ignoring their customers. That's only right and proper, regardless of one's stance on this issue. This is why the idea of other FM customers defending the status quo makes me uncomfortable: it waters down FM's duty to address our concerns by removing the negative consequences (bad PR) of failing to do so.

What matters is not whether people like mariner and myself are in the majority; this isn't a democratic process, because it's up to FM to decide how much they care about signing and retaining customers that feel this way. What matters is that *some* of FM's customers want the TOS to change, and that that number is sufficient to warrant a serious response.

I really hope I've communicated well here. I don't intend to be hostile, or censure you for being happy with things the way they are, but our needs aren't opposed, and I don't want your contentment to distract too much attention from my discontent.

P.S. As Sherry and mariner indirectly pointed out earlier, I'm conflating the TOS and the privacy policy a lot in this thread, even though there's technically a separate thread for the TOS. As I said earlier, though, the two documents cover a lot of the same ground with no indication as to which takes precedence in any one clause. For the purposes of my complaints, therefore, it makes no sense to speak of them separately: they jointly define FM's customer contract, so they might as well be a single self-contradictory document.