Fastmail has always been an Australian company. Then they were bought by the Norwegian company Opera, who seem to have left them largely to their own devices. I haven't really noticed any changes from the acquisition. And yes the servers are in the New York, probably for latency reasons.
FastMail.FM's was started by Rob Mueller and Jeremy Howard in 1999. We are located in Melbourne Australia, we use IBM servers hosted by NYI in NYC US. FastMail.FM is now run by Opera Software Australia Pty Ltd, a whole owned subsidiary of Opera Software ASA of Norway.
Only S/MIME, PGP or similarly encrypted mail messages are secure. All other mail is routed through various servers which may or may not use an encrypted connection. It's like trusting the post office to never read your mail (which they have the authority to do if they perceive some kind of safety threat). Encrypt the message contents if you care for message privacy.
If you want sender/receiver privacy too, you can try using Tor hidden services direct to the individual. I can't think of any other way off the top of my head to send SMTP mail and completely conceal the recipient(s).
What is secure? If government sezies your key, in some jurisdictions they can compel you to release your passphrase (if one is required), then they can go back and decrypt absolutely everything you ever sent. (OTR gets around this but this is largely by leaving the network layer location privacy / initial authentication / key exchange problems out of scope.)
Finally, traffic analysis is pretty powerful. Even if Eve can't read your messages, she can see who they went to and when (and maybe who they in turn communicated with afterwards) and thus easily determine probable relationships - Tor based endpoint, or not. (Hrrm ... but two Tor based endpoints, on the other hand...)
I don't think we were discounting the rule of law. We were going with the 'currently some western governments will force you to reveal your password' legal reality.
Tor attempts to work around traffic analysis by using fixed-length records, and being a bridge helps hide your traffic with other people's. But nothing's perfect.
"Secure" in this context means "not readable by anyone but the recipient". Of course, if you have the recipient in custody, this is the easiest method to decrypt the messages: http://xkcd.com/538/
(OTR-style cryptography is nice, but sucks for store-and-forward communication; for a comporably difficult message to decrypt more than once, use one-time pads - but don't complain to be about distributing the pad dictionary, that's totally out of scope here ;)
It's certainly an option, but you must use a client like Thunderbird to do it, loosing the ubiquity of the web interface. Maybe when window.crypto will be standardized and with a good browser extension we will have security and easy of use.
Fastmail is hosted by NYI.net in Lower Manhattan, a major FreeBSD shop. The site lists Opera as one of their customers.
The very nature of e-mail leads me to conclude that it really doesn't matter where an e-mail provider is located, because it will always be intercepted at some point. One can use another e-mail service, but if the people you talk to still use gmail, then does it really matter?
Perhaps it's time to talk about new messaging systems, with encryption by default, and a new address and routing system coupled with Tor.
We've had anonymous remailers for about a decade. Maybe people will start caring.
Bitmessage is up and coming, but needs a lot more development.
You could use OTR with servers for offline support and contact management (jabber, etc), but this isn't as convenient as email.
OTR (instead of PGP) over email is a theoretically possible, but the problem is still the same: No money in open source encryption == No easy to use interface.
There are two ways the NSA can collect your email: fiber taps sucking up unencrypted SMTP connections, and "direct" collection from servers/FISA orders etc. Ironically if your email provider is in another country it's much more likely that emails to and from the US will be captured.
It would be interesting to setup a mail service with numerous SMTP relays around the world and attempt to connect the "closest" (least likely to be eavesdropped) relay to 3rd party SMTP servers. Communication between the relays and the main service (which stores your email in a friendly jurisdiction) would be strongly encrypted.
With our VPN thing we're doing "nearest hop to destination outroute" for traffic (essentially the opposite of most network providers who try to get shit off their net as fast as possible); doing the same thing for incoming for services is essentially what CDNs do. A CDN you could trust (for policy + technical reasons) to handle this kind of thing for all kinds of traffic, combined with DoS protection like CF or Prolexic, would be kind of baller.
> You said: Their servers are located in the US according to the article.
So, the servers location have nothing to do with whether the company is American or not. And while that might have a bearing on certain facets of the topic as a whole, it's meaningless in this context. Basically, what you said does not change anything.
You mean, not the first point brought up by the GP, was which to say wrongly that it was an American company?
Correct me if I'm wrong, but if Fastmail moved servers outside the US, then it would be in a better position as a non-US company than if it was a US company with servers outside the US?
Despite what some might believe, where a company operates from is actually important, regardless of where the servers are hosted.
So then why was it the first point in the GPs post? And the fact that it's not American means that it could offer hosting outside of America and provide better protection than an American company hosting outside of America.
Believing that it being an American company or not is not important is silly.
It's actually not a worthless comment. Norwegian ownership makes absolutely no difference to the privacy equation wrt the NSA if Fastmail's servers are colocated in the US.
It's a kind of worthless comment, but not for the obvious reasons. :)
People are operating on the equation of "hosted in America = possibly accessible via PRISM = compromised by the NSA," which is understandable given all the recent news. Perhaps you don't trust the assurances that the NSA's computers are only scanning metadata by default, only flagging suspicious keywords that then have to be processed by a human agent before they go ahead and actually start scanning your real email which of course they will usually only do with a warrant obtained in secret from a secret court that pretty much never turns down any warrant request!
Okay, but those very reassuring reassurances actually only apply to American servers. Communication going between servers in America and international servers is just as likely to be targeted and quite possibly more likely to be subject to deep scanning. We have to throw in "likely" and "possibly" because, as with all things NSA, we really don't know. But if you're concerned about data interception, it's very likely not relevant whether FastMail's servers are located in New York, Norway, Australia, or the Fortress of Solitude.
Can you please tell me where you think a server needs to be located were you would consider to be "safe." Please note that every European country also falls into the will be happy to spy on someone camp.
Another thing to note is that even if servers aren't located in US, data may be routed through there. Traceroute from my home connection (in India) to a Singapore IP looks like:
India -> US -> Japan -> US -> Japan -> Singapore
I'm not saying that the NSA has forced other countries to route their data through them. It could be due to several other reasons. But the main point is that it is hard to escape the NSA. Even if you do your best to keep your data away from the US, there are certain factors out of an individual's control (such as routing).
if I'm talking to my mailserver over HTTPS/IMAP TLS, I don't mind where the traffic is routed.
It's still not ideal (they can still see who you're talking to), but you'll never have 100% privacy. Just make as much of the data useless as possible.
> if I'm talking to my mailserver over HTTPS/IMAP TLS, I don't mind where the traffic is routed.
You do unless you're using PGP for all your emails, because SMTP can be easily intercepted in plan-text.
Of course, if you're using full end-to-end encryption (like PGP) for all your emails, you don't care so much about using HTTPS to fetch them, because you're using end-to-end encryption.
Not useful. You may be talking to your mail server using TLS, but it's highly unlikely that your mail server is talking to every other mail server (and vice versa) using TLS.
And then, even if all of the servers involved in delivering your mail communicate securely, the reciepent is going to reply in plain text, quoting your entire message...
No, I couldn't find about any direct fiber [1] between India and US. But somehow while tracerout'ing, the very next hop after my ISP is a Los Angeles based IP. Another thing to note is that there are three direct fiber connecting India and Singapore but it is not being used by my ISP (BSNL).
My Azure IP shows up in Seattle, yet the connection goes to Amsterdam. What you're seeing is where the owner of the IP is located; that is not necessarily the same as the server.
Please note that every European country also falls into the will be happy to spy on someone camp.
Privacy laws vary a lot within Europe - even within EU - and while I'm sure every country in the world is "happy to spy", as you put it, I can't think of any European country save for the UK whose spying is as intensive as NSA's.
If you're in the US and your data passes through a pipe outside of the country, to say go to an email server, they nab it too. It has to be encrypted locally to be secure.
I believe that Fastmail is a valid option if your main problem is with Ads and the fact that Google might be reading all your mails and companies are buying this big data to sell you better services / more targeted Ads around the web.
I'm currently switching to Fastmail because I don't believe in free lunch and I won't stand for it anymore.
If I want to make sure no one is reading my mails, then I have a problem. Most governments are doing this and we can't do much about. If I need privacy, then I use GPG.
Network protections are, as you pointed out, something they cannot control. At the legal policy level, they are somewhat less cooperative as an Austrialian company with US server assets.
"> I feel safe in speculating that if you will not pony up the emails to a US judge, the people who maintain the server farm here in the US will.
They can't - they have no access to the emails, because they can't login to the machines and they can't access the encryption keys for the data. All maintenance of the OS/software is done from Australia.
We've had a number of US-based law enforcement bodies over the year try to get hold of our data without going via the appropriate Australian bodies, and it doesn't work out for them. In the end, they have always ended up submitting a request for cooperation via the Australian Federal Police, as they are required to do, and we respond to that request in line with Australian law."
2009 Slashdot.org Interview with Howard Jeremy, Founder of Fastmail
"The contract was prompted by Telstra's undersea telecommunications joint venture called Reach. When it sought a cable licence from the US Federal Communications Commission, the DoJ and the FBI insisted on a binding security agreement.
"The contract does not authorise Telstra or law enforcement agencies to undertake surveillance. But under the deed, Telstra must preserve and 'have the ability to provide' wire and electronic communications involving any customers who make any form of communication with a point of contact in the US, as well as 'transactional data' and 'call associated data' relating to such communications."
. . . .
"The document was signed by Douglas Gration, a barrister who was then Telstra's company secretary and official liaison for law enforcement and national security agencies.
"He told the Herald he could not remember much about the agreement. 'Every country has a regime for that lawful interception,' he said. 'And Australia has got it as well.'"
This looks like a pattern of mutual agreements among governments that cooperate in routing and connecting cables for international telecommunications. The statement is NOT that every telephone call from Australia to another country is listened to, but that a data archive is maintained that might be accessible with court orders. Particularly significant is the statement that other countries ask for the same arrangement if a cable connects to or through that country.
Switching email providers has little to do with what governments have access to your data by mutual agreements among the governments.
Oh I see now, I always assumed they had their servers elsewhere since they aren't an American company. Hmm I'm going to ask them about that, I'd pay extra if they offered the option of running off non-US servers.
After the GP responded. So yeah, I don't see the point of pointing out worthless out-of-context crap. It happens far too often here. It's rubbish that should be called out so it hopefully stops.
Do Americans realize servers hosted in Europe will have more latency for you in North America? FastMail then becomes NotSoFastMail. I guess you all are okay with this trade off, in fear that the NSA is reading your super secret chain letter emails from your grandma.
I'm not bashing the USA in general, I'm sorry if it sounds like it (it's quite hard to write a catchy comment in this vein and get the tone right, perhaps I got the balance wrong this time.)
However, I am pointing out something that a lot of non-US citizens on HN have been saying lots over the past few weeks; setting up an email service that is outside the US (for the purpose of trying to avoid PRISM surveillance) is nontrivial, and while it would be great if this app were the answer to that, it sadly isn't.
I'm all for the US justice system doing what it's supposed to and having the supreme court rule on the constitutionality of PRISM! Then it will no longer be valid to generalise that all US-hosted services are bad news for privacy.
Also keep in mind, most of the people you'll want to send mail to will still be using email providers located in the US. So the messages will just be NSA'ed when they're delivered, instead of when they're sent.
On the other hand, if you have specific counterparties and you can get them to switch to the same thing you're using, just use TorMail, or run a VPS somewhere where you both have SSH keys and use it as a dead-drop, or whatever. "The solution must involve SMTP and POP/IMAP" is only relevant when you're communicating with unauthenticated peers... at which point, you'd better not say anything important anyway. ;)
Update: hmm, so Opera aren't american? interesting. All the servers are definitely in the US though:
> "we have standard servers and a high speed connection in the US." - https://www.fastmail.fm/help/overview_about.html