
> I just wish Fastmail didn't have servers in the US

tl;dr - We are Australian, so PATRIOT Act doesn't apply.

http://blog.fastmail.com/2013/10/07/fastmails-servers-are-in...

"It has been pointed out to us that since we have our servers in the US, we are under US jurisdiction. We do not believe this to be the case. We do not have a legal presence in the US, no company incorporated in the US, no staff in the US, and no one in the US with login access to any servers located in the US. Even if a US court were to serve us with a court order, subpoena or other instruction to hand over user data, Australian communications and privacy law explicitly forbids us from doing so."

"Australia does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it."




That's hilariously brilliant. Your infrastructure is in the US, so Australian law doesn't apply to it; but your staff are in Australia, so US law doesn't apply to them.

I'm glad jurisdictional conflict is being used for good.


Best thing I've read all day! This data retention nonsense has been really disappointing as an Australian.


I don't really follow your logic here. If your servers are physically in the US, a judge will just issue a warrant to seize the servers.


Maybe. They'd have to issue that warrant to our datacentre operators though, not us, because there's nowhere to send the documentation. And then they can compel our datacentre not to talk about it, if they like, but they can't stop us talking about it.

Really though, the point of all this isn't to say they can't take our servers - of course they can, via legal and illegal means. The point is more to say that they can't do it _quietly_, which greatly raises the bar, because now you've got a PR shitstorm to deal with.

But really, it's not going to happen, because we have good legal processes in place. There are proper channels from most countries in the world to the appropriate Australian authorities, and from there to us, and once that request comes in we service it and that's that.

If you want reasonably secure and private email, and you're not doing really dodgy shit, we're probably a safer choice than many. But we're not selling a privacy service, just an email service. If privacy is 100% non-negotiable for you, then you'll need to look elsewhere.


Sold. I've been on the fence about moving some of my most important addresses off of the cheap shared hosting cPanel-managed crap they are on at the moment. It's crap hosting but it's free.

Your Australian honesty, "not doing really dodgy shit" won me over. I'm going to move a few over and check your service out properly.

Nice to see another Australian company doing well :-)


Not only is their product good, but their service is first rate.

I was recently working with the developer of the ASynK contact synchronisation tool ( http://asynk.io/ ) to track down an issue I was having synchronising contact details from Fastmail using CardDAV.

It turned out to be a Fastmail issue; one of their developers was quickly on the GitHub issue chatting to the ASynK maintainer about it, and they had a fix in a couple of weeks.

Impressively clueful support.


> If you want reasonably secure and private email, and you're not doing really dodgy shit, we're probably a safer choice than many. But we're not selling a privacy service, just an email service. If privacy is 100% non-negotiable for you, then you'll need to look elsewhere.

Hot damn you should put that on your front page. Ok maybe not but to people like me that is without a doubt the best way to phrase your sell.


I use fastmail and I am happy with it, but you may never know if they access your servers and mirror them using the datacentre back end. Honestly, I would be surprised if they have not done so already, it's not like you are a low profile target.


Thank you for all of your and colleagues' replies in this thread. I'm sold. I've long been impressed with fm's engineering; just wasn't clear on what the US presence really meant.

When privacy is non-negotiable, I don't use SMTP email.


> once that request comes in we service it and that's that

Well yeah, of course they aren't going to seize your server if you just give them everything they want. It is far easier and cheaper for them.


All drives are encrypted. They may take our servers, but they'll never take our customers' data.


Those servers -- do they have Firewire Ports? USB3? Other externally accessible DMA ports?

Drive encryption prevents offline data at rest, the keys will be in memory for a running server. If LEA is going to grab your servers, your keys are going to go with them.


Yeah, it's true - same for anyone. The main benefit of encrypting the drives (indeed, the only reason I was willing to do the tradeoff for something which is mostly theatre) is that we can RMA failed drives and discard old drives with no risk to customer data.

That alone is worth paying the slight overhead on modern CPUs for full disk encryption of all user-data partitions (the OS isn't encrypted - it's Debian with some open source packages on it, and we throw it away anytime - http://blog.fastmail.com/2014/12/07/automated-installation/)



