FastMail’s servers are in the US – what this means for you (fastmail.fm)
292 points by masnick on Oct 7, 2013 | 169 comments



> There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers.

> These are not things we can protect against directly but again, we can make it extremely difficult for these things to occur by using strong encryption and careful systems monitoring. Were anything like this ever to happen we would be talking about it very publicly. Such an action would not remain secret for long.

> Ultimately though, our opinion is that these kinds of attacks are no different to any other hacking attempt. We can and will do everything in our power to make getting unauthorised access to your data as difficult and expensive as possible, but no online service provider can guarantee that it will never happen.

This kind of frank disclosure should be highly rewarded. I provided similar frank disclosure text (elsewhere) only to have it whitewashed.

When everyone is underplaying the real limitations it's impossible for people to choose alternative tradeoffs— "Why should I use this slightly harder to use crypto thing when foo is already secure?"— because the risks have been misrepresented. Underplaying the limitations also removes the incentives to invent better protection— "Doesn't foo already have perfect security?".


"This kind of frank disclosure should be highly rewarded."

Yep, definitely. I think even more important than the information itself is the spirit of honesty and integrity that it demonstrates. This stands in stark contrast to the ambiguous slimeball statements issued by the likes of Google, Facebook, Apple, Microsoft, etc.

When Big Brother comes knocking, which companies are going to take a risk to stand up for you? It's as much a question of character as policy.


Note that G, FB, A and MS are not in a position where they can write such disclosure. I am not arguing with your main point, I applaud FastMail for taking a stand - it's just that USA companies must use "ambiguous slimeball statements" to at least appear clean (because they are not).

I would argue that if FastMail were a USA company their statements (if any) would be just as ambiguous as those of G, FB, A and MS.


I understand your viewpoint, but I don't accept that as an excuse.

Remember how quickly SOPA sank after the Silicon Valley establishment turned against it? Do you think the government is going to put the CEOs of some of America's most popular and profitable companies in jail for an act of civil disobedience that the majority of the country and the world would support wholeheartedly?

SV is more powerful than it realizes, and has little to fear in the current climate. The American national security state, on the other hand, is weakened and vulnerable. Now is the time to take a stand. Not doing so is equivalent to complicity.


SOPA was easy to turn against and I would argue, didn't cost anything to oppose. Fighting the NSA on warrantless wiretaps is a completely different animal in that there will be real money involved in fighting it. Potentially millions of dollars duking it out in court(s).

I think it's already been established that the NSA has HUGE financial resources (from the part that we can tell) and to top it all off, fighting the NSA on its grounds would most likely pass through the FISA court. A court which, in and of itself, is shrouded in secrecy.

Also, this: http://www.nbcnews.com/id/12727867/#.UlKlY2RtVOg


The NSA has financial resources but it's short on political capital. If all the big tech companies were to collectively and publicly decide as a matter of principle to stop adhering to gag orders and cooperating with wholesale monitoring regardless of what FISA says, what is the administration going to do? Shut down Facebook? Shut down Google? Could you imagine? Public opinion is already firmly against them on these issues. Actions like those would make them utterly despised.


I strongly agree with you. It is not clear to me how a billionaire like Larry Page is being forced into anything. It is not conceivable that he personally would be jailed if Google were to defy the US government.

It would be interesting to see what would actually happen if one of the big American internet companies just said the truth. "We have received 35 NSLs and we gave them your data."

What would actually happen? Would their stock go up or down? Would they gain or lose customers? Would anyone be prosecuted and jailed?


> Do you think the government is going to put the CEOs of some of America's most popular and profitable companies in jail for an act of civil disobedience

If you support the rule of law, you should expect and demand that if it comes to legal consequences that's exactly what will happen. You can fight the law in parallel and use the trial to challenge it, but expect the consequences anyway. Otherwise you're calling for the rich and powerful to be held to a different, weaker standard just because in this case you might like the outcome.

You can treat it as the lesser evil, acknowledging that they're already held to weaker standards and that happens to be useful here, but you'd still be helping to entrench a system which is ultimately bad for you unless you're also very rich.


Unfortunately, Mark Zuckerberg, Eric Schmidt, and all of those other guys are surveillance poster boys. It's best just to not use their services, and vote with dollars.


Your vote is worth about five bucks a year to Facebook. Not really a huge deal, considering most people aren't concerned about surveillance and a very tiny fraction is concerned enough to give up social networks.


SOPA was a single proposed piece of legislation proposed by corporate lobbyists, who are on an essentially level playing field with Silicon Valley.

The NSA is a 60 year old spy agency at the heart of the national security infrastructure and government.

You are comparing two entirely dissimilar things.

Also, how exactly is the American national security state 'weakened and vulnerable'?


At the moment it is weakened and vulnerable compared to how it was a few years ago. It has not been destroyed or dismantled by Snowden's revelations, far from it, but it is a definite factor the NSA cannot ignore. Five years ago, no one would even think of shutting the NSA down over their abominable deeds, because their abominable deeds were not widely known.

At the moment, there are many people shouting for them to be shut down. Will it happen? Probably not. But at the moment, that is something for the NSA to worry about and to try to do damage control over. In that sense, they are certainly in a quite worse position.


I dunno, if the US government can't figure out if it wants public healthcare by the end of this month, they are gonna have to sell off some of those datacentres to pay the national debt...


Not quite.

The US Government operates on an extralegal basis (i.e. they're willing to cross any line), and roughly 85%+ of all new debt is purchased by the Federal Reserve. What very specifically is not going to happen, is the shut down of the military industrial complex of which the NSA is such an integral part.

So long as the dollar (Federal Reserve Note I should say) remains the global reserve currency, the national debt is a trivial problem (as is paying the interest on it). The dollar is the real linchpin, to everything. All else is a sideshow of political gamesmanship.


The dollar being the global reserve currency is the real linchpin to everything, but right now the US Government seems ready to undermine that with their squabbles over healthcare. I mean, the upcoming default wouldn't destroy the dollar, but it would somewhat reduce the role of dollar reserves and treasury bonds in global markets.


Not raising the debt ceiling is not a default.

If a credit card company refuses to raise your limit, that is not a default. A default is when you stop making payments on your debt. As long as the government has enough tax income to pay interest on its debt, there is no default. Calling it a default is a scare tactic to get their credit card limit raised.

The solution is for governments to spend only the tax revenue they receive - no more. Not only should the debt ceiling not be raised, it should be slowly lowered to zero over the next 10 years. If the government had to explain to everyone how much their taxes would need to be raised in order to invade Syria, etc., people might actually pay attention. Just my opinion.


This is a bit confused. The US needs to pay about 0.5 trillion interest a year, or 1/5th of tax revenue. They borrow about 0.5 extra per year (which is why the budget ceiling needs to go up).

If the US wanted to instantly achieve a balanced budget, they would have to spend 3/5ths the current amount. When a government cuts the amount it spends, it shrinks the economy, and reduces tax take.

In the UK, a limited form of this strategy seems to be working, but in Southern Europe, a strong 'austerity' strategy is creating a spiral of reducing tax take (requiring ever greater cuts).

So the sharp reduction in the deficit you mention is not possible. It would need to be gradual.

The elephant in the room is that, in the US, China, and Europe, the aging population is coming. As the proportion of contributors to consumers of public spending shifts, more debt is inevitable. It's going to suck pretty bad for everyone, but if we (all of us) can't achieve a balanced budget before that hits, then things are not going to be as gentle.


The best solution might be to spend only the tax revenue they receive; however, the idea is purely theoretical because they are not going to do that.

Currently government isn't able to pass a "normal budget", much less a very radically changed budget + huge and rapid changes in government agencies - if the USA doesn't raise the debt ceiling, the actual effect will be not paying the interest due, which is called a default.


I never understood this rationalization for what is essentially a corrupt behavior. People find excuses to keep the corrupt system going. I see it as a collective madness.

Those companies, being a huge influence on the internet culture and economy, a trend-setter, one might even say the internet gatekeepers - I think they not only should disclose and vehemently oppose any attempts on user rights, but it is their moral obligation to do so.

How is it that individuals and small parties are scrutinized and put down for a single misstep or a character flaw, while enterprises are forgiven, or worse - go unnoticed, for systematic violations of our rights.

Also, keep in mind, that being a big business like Google, inevitably puts you in a close proximity to government and politics. One thing is certain, they do not lobby on our behalf. Though they could. If Google and other giants had a moral compass resembling one of Lavabit or FastMail, perhaps PRISM would fail or never happen.


> moral obligation

Keep in mind that these companies' only obligations are to their shareholders.


True, but that obligation is often misinterpreted. The legally binding definition of "shareholder value" includes more than the short-term stock price. Since bad corporate behavior carries a risk, with potential consequences up to and including a catastrophic loss of custom, it's a liability even when it's perfectly legal and boosts near-term profits. Corporate officers who take on such risk without adequate disclosure or contingency plans can be removed and/or sued for it.

http://www.washingtonpost.com/blogs/wonkblog/wp/2013/09/09/h...


> Keep in mind that these companies' only obligations are to their shareholders.

Your statement is mostly true but completely hollow. Just because your primary obligation is to your shareholders doesn't mean you go along with (arguably) illegal acts committed by your government that run counter to your users. Because if you do that long enough, your users will leave and you will have screwed your shareholders in an attempt to look out for your shareholders.

This is why your comment is hollow. Because it attempts to excuse any behavior that provides short-term gain regardless of mid-term or long-term pain.


That refrain, while correct* as a matter of corporate law, increasingly sounds like our era's version of the Nuremberg defense.

Also, who is to say that moral behavior isn't in the long term interest of shareholders?


> Note that G, FB, A and MS are not in a position where they can write such disclosure.

Yet could, e.g., Google Ireland Ltd do so, by some interesting twist of laws?


I don't think so, as the NSLs are received and acted upon by Google US. Of course, when operating in a country, you have to respect the legislation of that country. However, companies like Google are in a really tough spot on this one, which is why the NSA spying is so poisonous to US businesses and why you should fight against it.


Definitely. I am actually really worried about the effect of NSA Surveillance and data collection on industrial espionage. How does a small and growing company know that a big company/interest group that feels threatened by it won't get access to NSA data on the company by using their connections?

If Snowden, an individual contractor, can dive deep into the data how do we know that others are not doing the same for other purposes?


It's nice that they are frank about it, but it is also pretty clear that any company hosting in the US, even if they are based elsewhere, is less of an appealing option to the truly security conscious (or paranoid, depends on how you look at it). Sometimes these aren't necessarily the more technical people either.

The problem is that for most services, it is hard to tell where the company is from and where they are hosted, unless you're technical enough to run a traceroute. At StartHQ we've been trying to make that easier to find for non-techies, and the fact that FastMail hosts in the US became quickly apparent via their app profile page when we first added it: https://starthq.com/apps/fastmail - there was a pretty lively discussion on FB about it at the time as well.


Less of an appealing option where?

If I don't trust (say) the Russian government, it is more secure to put my hosting in Russia? Nonsense.


I don't understand what you're trying to say with the Russian example.

You can for example trust the Finnish government not to look at your data or let other governments do the same. A number of companies here in Finland are emphasizing that point in their marketing nowadays.


"This kind of frank disclosure should be highly rewarded."

With all due, I'm sorry but, no.

Had it come before the Snowden leaks, absolutely. But it didn't.

After the event, facing a danger of customer loss or loss of confidence, it can only be seen as a too-late and defensive move. All these companies must have known something about these risks, yet remained in a passive conspiracy of silence. Not one stood up until Snowden did. By then, too damn late.


Before the Snowden leaks Fastmail was owned by Opera, it has since been bought by Fastmail staff.

http://blog.fastmail.fm/2013/09/25/exciting-news-fastmail-st...


How could they have talked about it if they never knew about it because they were never in bed with the NSA?

You are assuming they were cooperating with the NSA behind the scenes like Google et al, but they are saying they were not and could not be compelled to do so by Australian Law.


So Lavabit should have shutdown before the leaks?

What you say may be applicable to the big players, but not to the smaller ones.


The problem of this "disclosure" is that to the people writing the text the implications of Australian laws aren't clear, as seen in another thread here, started by westicle:

https://news.ycombinator.com/item?id=6506711

In short, don't expect that you can get any advantage from FastMail being an Australian company -- you can even be worse off.


I agree that this is a nice gesture, but it's not a "frank disclosure". What did they disclose?

When they actually have a security breach and they promptly "[talk] about it very publicly", that will be something commendable. Right now we have words, not actions.

Though honestly I'd much rather have such words than not.


> Australia does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it.

This is not true. The Australian Crime Commission has some of the most extensive secret coercive powers in the Western world.

http://www.austlii.edu.au/au/legis/cth/consol_act/acca200228...

I would suggest that either:

a) Fastmail is aware of this and is covertly spreading the word that it might be compromised; or

b) Fastmail needs better lawyers.


You don't need to even use the ACC; people forget that the 2005 counter-terrorism act[0][1] has provision for preventative detention without charge and, notably, made it a criminal act to tell anyone that you had been detained. Combined with a rather broad definition of what was terrorism and the ability of police to request information, documents and emails, this act seems to cover all of the functional aspects of the National Security Letters with even less oversight.

[0]http://www.ag.gov.au/NationalSecurity/Counterterrorismlaw/Pa... [1]https://en.wikipedia.org/wiki/Anti-Terrorism_Act_2005


I would argue that section 29 is very narrow in its scope, and allows for disclosure once an investigation is completed, and allows for disclosure to an attorney, whereas my understanding of an NSL is that it can order pretty much anything it wants without limitation. That seems quite different to me.

But then, I'm not a lawyer. You're probably not either. Which is why I keep telling people to get their own legal advice if they're concerned about it.


Actually I am a lawyer. In the past I have even advised clients who received ACC notices (they are more common than most people would think).

Needless to say I was staggered at the scope of the powers granted. Forget about transparency, justice and the rule of law. If you receive one of these you can be compelled to give evidence or documents in secret, without judicial oversight or public scrutiny.


I just checked upstairs. The advice we have is roughly:

- ACC has judicial oversight

- it's unclear how this interacts with the Telecommunications (Intercept and Access) Act

With my boss throwing in:

- law is a giant mess

- until you have two extremely well-funded parties disagreeing vehemently about the interpretation, you'll never get a final answer

We're still happy with our publicly-stated position. You might disagree, and I'm not really in a position to argue with you. It's my corporate masters with their necks on the line, and they seem relaxed about it. That's good enough for me :)


Fair enough, I agree that these laws are a mess and you'll never get the final answer unless a disputed application of the Act is determined by the High Court.

But these laws have been active and in common use for over 10 years without a single public challenge. I also know that the ACC's interpretation of their own powers has been used to prevent suspects disclosing certain matters even to their own lawyers.

The fact that no high-profile judicial decisions have placed limits on what the ACC does indicates to me that the law is fairly settled in this area.

I just wanted to point out that the original statement "Australia does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it." does not seem well-founded.


I read the blog post and was nearly persuaded that fastmail might be better than US providers on some level of privacy.

But now reading this exchange I now see that your company doesn't actually know the Australian law any better than it knows the US law, and now I feel that fastmail might actually be WORSE than a US company in terms of privacy. Thanks for letting us know.

The title of this post should be changed to:

FastMail’s servers are in the US – what this means for you -> absolutely nothing.


Either way, it makes your service completely vulnerable to the government's interpretation of the law. If they force you to disclose your customers' data in secret tomorrow, or face jail time, I have no doubts what your choice will be.

I'm not calling you a liar, btw, I just think you're naive/oblivious, and considering you just now discovered what ACC is and had to check with your lawyer (who isn't even sure how it interacts with other laws), I wouldn't use your service to send any critical information. Ever.


> If they force you to disclose your customers' data in secret tomorrow, or face jail time, I have no doubts what your choice will be.

We have no doubts either. The privacy policy clearly states we will give your data to the Australian authorities if supplied with the proper supporting documentation.

I didn't just find out about the ACC, though I wasn't aware of the details. But I'm not a lawyer, just a sysadmin, so I don't need to be. The "it's not clear" bit is simply that there are two laws that appear to be in contradiction with each other. It's never been tested in court. And thus, it's not clear. But we have confidence that our position is legally supportable or we wouldn't be here.


Laws that appear to be in contradiction with each other, never tested in court -- so, yeah, quite like the US legal situation, right?


When you say "compelled", do you mean "divulge at the threat of guaranteed jail time" as in the UK's RIPA-based mandatory key disclosure law? Wikipedia seems to indicate it'll cost you 6 months in jail: https://en.wikipedia.org/wiki/Key_disclosure_law#Australia


In the link he posted originally: "Penalty: 20 penalty units or imprisonment for one year."


Apparently that's about $3,400 ($170 x 20): https://en.wikipedia.org/wiki/Penalty_units

A year of incarcerating someone is only worth $3,400 to the government? Strange, considering that if you're going to be pedantic about money, the cost of incarceration is surely at least one order of magnitude more than that.


It's not about how much it costs to do it, it's about the effect on the subject. $3,400 is a lot to a typical criminal.


We're talking about a particular subset of criminal/person that can afford a computer, has the knowledge and forethought to encrypt it, and is committing a type of crime/action which makes the state want to see the encrypted contents of said computer badly enough to invoke that law. I would think that someone in that subset could easily afford $3,400.


I wouldn't say this is the same as the NSL letters. You're allowed to get legal assistance and there are multiple independent bodies you can disclose to, including two that seem to have the power to fight it. Plus, disclosure is allowed after 5 years.

It seems to me that this kind of thing is for investigations where they don't want suspects to know they're being investigated, which is fair enough. It doesn't seem like they're doing it to keep secrets for "National Security".


I would hope you have lawyers who have consulted you on this? What do they say?


Hi, FastMail employee and author of (most of) that blog post here.

Just so we're clear, the point of this post was not that we don't think the rules don't apply to us. Instead we're trying to make it clear where our position on these things is. The topic of this thread is a sensationalist sound-bite, nothing more.

I'm not going to go over the points again here because I'm pretty sure we said it all in the post (but ask questions if you like, I'll be here all week!).

The most important point to take away from this post is that your privacy is your responsibility. We're trying to provide you with as much information as we can to help you determine your own exposure, and to let you know what we will work to protect and where we can't help. It's up to you to determine if our service is right for you. No tricks, and no hard feelings if you'd rather take your business somewhere else!


I may have missed this elsewhere, but why are your servers in the US at all?



Can you confirm you have never been contacted by US authorities (or Australian for that matter), and have never been placed under a non-disclosure order?


We have been contacted by US authorities in the past, and have referred them to the appropriate Australian authorities.

We have been contacted by Australian authorities in the past, and have worked with them in accordance with Australian law and our privacy policy, which you can read here: https://www.fastmail.fm/help/overview_privacy.html


Hi Rob,

Has the headline on HN been updated? Because both you and brongondwana talk about it being sensationalist, where I see it as just being a summary of the most salient part of what you have to say.

Do you have Australian legal advice to back up your conclusions? (I agree with them, but would like to make sure we're talking more than the "gist" of the law)


> Has the headline on HN been updated? Because both you and brongondwana talk about it being sensationalist, where I see it as just being a summary of the most salient part of what you have to say.

To my mind it was one of the least interesting parts of what we had to say. "Non-US company not bound by US law" - it's hardly earth-shattering news. Would "Non-Senegalese company not bound by Senegal law" be as interesting?

EDIT: Sorry, it just occurred to me that it was changed already and you might have posted this afterwards. The original post headline was "FastMail claims they do not have to comply with National Security Letters". That's what we were referring to when we said it was "sensationalist".

> Do you have Australian legal advice to back up your conclusions? (I agree with them, but would like to make sure we're talking more than the "gist" of the law)

We've made our position public, and we're satisfied that it's an accurate reflection of our position and our understanding of Australian law. You must not rely on it as a legal basis for anything though - get your own legal advice that applies specifically to your own circumstances!


Just a tangential thought, but I can't imagine seizing Australian assets based in the US would make for a particularly comfortable diplomatic position to be in (although I suspect our current government doesn't care). To say nothing about the fact that we've already shown our hand (and upset most of our allies) by way of the Manning leaks, the Assange manhunt brought about largely by US political pressure, and, more recently, the NSA scandal.

I've mentioned it elsewhere but it's worth repeating here. Finding established case law dealing with foreign assets seized (possibly illegally) on US soil and the repercussions would make for an interesting exercise. I feel like there's one instance in particular that was especially noisome that happened recently, but I can't for the life of me remember what it was.

If you don't mind my asking, what contingencies do you have in place in the event of a seizure of hardware assets? It's unlikely, but the FBI has been known to take anything that vaguely looks like a server...


We currently have a complete copy of all user data in a secondary (non-US) data centre. In the event of a loss of our US-based servers, we would get this secondary copy up and running as quick as possible (likely in a reduced capacity) while sourcing new equipment and getting a new primary centre up as quickly as possible.

This would be a catastrophic event, no doubt about it, and there would be significant disruption for our users. But it wouldn't mean the end of FastMail.


We also have a second (1-2 week old at this point) backup set of most users' data sitting in boxes on my loungeroom floor. Encrypted of course. It came back in my suitcases from New York a week ago.

Bootstrapping from that would be significantly more painful though, and a lot more "gappy".


NSA eagerness to intercept personal emails of the Brazilian president and EU citizens shows that no one cares about comfortable diplomatic positions; they'd just do it anyway.


> We've made our position public, and we're satisfied that it's an accurate reflection of our position and our understanding of Australian law. You must not rely on it as a legal basis for anything though

I'm not sure if I see the value of you saying it, then. Why not get a lawyer to provide you with a position that can be relied upon?


Because it's our advice. It was developed for us, taking our concerns into account. You need to get your own legal advice relevant to your own situation.

Or put another way, I don't think "Your Honour, FastMail's lawyer said it was ok" is a valid defense for anyone except us.


Who said that that would be a defense we would use?

My point is that you have given advice, with the implication that it would soothe some of our concerns. And then, in the very next sentence, you've said, in effect, it's legally worthless.

So, how exactly does your own advice to us help in any way whatsoever?


Even if that post was written entirely by lawyers, that still wouldn't make it legally binding.


Indeed.

So, the point remains: what value does this advice have over against the advice from Google, etc? It's a rhetorical question, by the way.


It's as useful as the degree to which you trust the company giving this advice. And that's always going to be the case regardless of who the company is and what they say.


Thanks Rob. Yes, it has been updated. Your post makes sense now.


I have a fastmail test account. The only reason I have not completely switched to FM is because your servers are in the US. I am in Europe.


Note the obvious caveat though:

"There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers."

As the colocation providers are based in the U.S., they would be subject to the National Security Letters. FastMail claims this is no different from any other hacking attempt. But in a normal hacking attempt, colocation providers would be free to explain to FastMail the extent of any hacking on their end. Moreover, hackers typically do not have physical access to any data. Even with encryption, physical access opens up a lot of attack vectors that most sysadmins don't anticipate.


If they mount webcams and other sensors inside the cabinet, they could detect unexplained access to their servers. Not sure what it'd really accomplish. The colo provider would either say "tech mistakenly opened that cabinet" or "no comment". The only real defense is to assume any such access is a breach and have servers immediately overwrite FDE keys in RAM and power off - and if they were that committed, they wouldn't host in the US in the first place.


There is some historical precedent for such methods. I believe one popular CDN (possibly Akamai?) has its nodes set up with sensors of some variety to discard sensitive data if the hardware is exposed to light.


Dell (and possibly others) servers have chassis intrusion sensors that you can trap in software, and do with as you please.
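An added example of the detection logic the two comments above sketch (cabinet sensors feeding an "assume breach" policy, and chassis-intrusion sensors trapped in software); it is not FastMail's code and was not posted by anyone in the thread. It reads System Event Log rows in the column layout `ipmitool sel list` prints, treats an intrusion assertion outside a declared maintenance window as a breach, and maps that to the key-wipe-then-power-off response. The sample rows are constructed, and the sensor labels, the maintenance window and the LUKS mapping name `cryptroot` are assumptions.

```python
"""Chassis-intrusion watchdog: treat unexplained physical access as a breach.

Added example, not FastMail's code. It reads System Event Log (SEL) entries in
the column layout that `ipmitool sel list` prints, flags chassis-intrusion
assertions that fall outside a declared maintenance window, and maps a breach
to the response discussed in the thread: wipe the disk-encryption key from RAM
(`cryptsetup luksSuspend` does exactly that for a LUKS mapping) and power off.
Sensor names, the maintenance window and the mapping name are assumptions.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SelEvent:
    record_id: str
    when: datetime
    sensor: str
    description: str
    asserted: bool


@dataclass(frozen=True)
class MaintenanceWindow:
    start: datetime
    end: datetime


# Constructed sample in ipmitool's `sel list` column layout (not a real capture).
# Record 2 is a cabinet opening during a scheduled disk swap; record 4 is not.
SAMPLE_SEL = """\
   1 | 10/06/2013 | 02:14:09 | Power Supply #0x62 | Presence detected | Asserted
   2 | 10/06/2013 | 11:00:41 | Physical Security #0x73 | General Chassis Intrusion | Asserted
   3 | 10/06/2013 | 11:06:12 | Physical Security #0x73 | General Chassis Intrusion | Deasserted
   4 | 10/07/2013 | 03:27:55 | Physical Security #0x73 | General Chassis Intrusion | Asserted
   5 | Pre-Init | 0000000019 | Temperature #0x30 | Upper Non-critical going high | Asserted
"""

# Assumed: the colo tech was booked for 10:30-12:00 on 6 Oct to replace a disk.
MAINTENANCE = [MaintenanceWindow(datetime(2013, 10, 6, 10, 30), datetime(2013, 10, 6, 12, 0))]


def parse_sel_line(line: str) -> Optional[SelEvent]:
    """Parse one `ipmitool sel list` row; return None for rows we cannot date."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 6:
        return None
    record_id, date, time_, sensor, description, state = parts[:6]
    try:
        when = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        # Events logged before the BMC clock was set carry a 'Pre-Init' stamp;
        # they cannot be placed against a window, so they are skipped here.
        return None
    return SelEvent(record_id, when, sensor, description, state.lower() == "asserted")


def is_intrusion(event: SelEvent) -> bool:
    """Chassis/cabinet sensors are reported under 'Physical Security' on most BMCs."""
    text = f"{event.sensor} {event.description}".lower()
    return event.asserted and ("intrusion" in text or "physical security" in text)


def in_window(when: datetime, windows: Iterable[MaintenanceWindow]) -> bool:
    return any(w.start <= when <= w.end for w in windows)


def decide(sel_lines: Iterable[str], windows: Iterable[MaintenanceWindow],
           seen_ids: FrozenSet[str] = frozenset()) -> Tuple[str, List[SelEvent]]:
    """Return ("breach", offending events) or ("ok", []).

    `seen_ids` lets a polling loop ignore records it already handled.
    """
    windows = list(windows)
    suspicious = []
    for line in sel_lines:
        event = parse_sel_line(line)
        if event is None or event.record_id in seen_ids:
            continue
        if is_intrusion(event) and not in_window(event.when, windows):
            suspicious.append(event)
    return ("breach" if suspicious else "ok"), suspicious


def respond(decision: str, luks_mapping: str) -> List[List[str]]:
    """Commands for the 'assume breach' policy; returned, not executed, so the
    caller (or a test) can inspect them. luksSuspend wipes the volume key from
    kernel memory before the box goes down; without it, a cold-boot or DMA
    read of RAM could still recover the key."""
    if decision != "breach":
        return []
    return [["cryptsetup", "luksSuspend", luks_mapping], ["systemctl", "poweroff"]]


if __name__ == "__main__":
    try:  # live SEL if ipmitool is present, otherwise the constructed sample
        sel = subprocess.run(["ipmitool", "sel", "list"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        sel = SAMPLE_SEL
    decision, events = decide(sel.splitlines(), MAINTENANCE)
    print(decision, [e.record_id for e in events])
    for cmd in respond(decision, "cryptroot"):
        print("would run:", " ".join(cmd))  # dry run; wire to subprocess to enforce
```

The maintenance-window check is what separates the "tech mistakenly opened that cabinet" case from the unexplained one; a deployment would poll the SEL and pass the record ids already handled as `seen_ids`.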


This goes beyond chassis intrusion, though - the servers are set up to freak out if anyone even opens the cage to look at them.


Yeah, that is just bar room banter between nerds. I've stood next to unprotected racks of Akamai servers and nothing happened.

Nobody really builds systems where an HVAC engineer walking into your cage to move a cooling tile will cause an outage, they just love to talk about how they would build them.


Full disk encryption would be another option, with the key being obtained over a secure channel from servers hosted remotely before booting to the real system. Then, as long as they can detect whether the server asking for the key has been compromised, I think it should be pretty safe. (Not a security researcher though, I wouldn't bet money on it.)


Remotely detecting if the server is not compromised when you don't trust the physical surroundings is probably unsolvable. If your attackers are very motivated and have lots of resources, what's to prevent them from installing a ram bus signal analyzer during a scheduled/unscheduled downtime. This would be pretty hard to detect (absent an elaborate video monitoring setup), as a good analyzer should not impact the system being monitored.


Hardware Security Modules (HSMs) are supposed to be able to resist that kind of attack, but given we currently have a duopoly of fairly government (US and EU/UK) connected HSM manufacturers, and the devices aren't suitable (price and capabilities) for general purpose computing, we're kind of out of luck.

A Free/Open HSM design would go a long way, along with more host-based trusted computing security (Intel SGX, etc.). But just physically controlling the surroundings is probably the only feasible option today.


Intel? It's alleged that Intel is in on it! Any NSA-proof solution must be based on chips designed and fabbed outside the US.


Because chips fabbed in China would never be compromised?


Sure, they might be, but what do I care what the Chinese govt knows about me? They're 10,000 miles away and I have no foreseeable plans to travel there. My own government, who I want to be free to criticize when they do something I disapprove of, that's something else.


And we'd want to turn that off every time we got them to replace a hard disk...

I wonder how many "sorry, the hairtrigger anti-intrusion systems took the site down" outages it would take before people begged us to turn the sensitivity down.


How likely is it that Fastmail data could be obtained without anybody at Fastmail noticing? And the key point is that Fastmail cannot be complied to keep such an attempt secret - which is not the case for a US company.


"Compelled", not "complied"... Ugh. Posting before breakfast: always a mistake.


According to a FastMail representative:

> We use encryption to make hard drives worthless if they are stolen or just misplaced. [1]

[1] http://www.emaildiscussions.com/showpost.php?p=561920&postco...

Anything that makes hard drives unreadable by thieves would probably also make them unreadable by any U.S. agency that seizes them. Unless of course NSA has already broken the algorithms used by the disk encryption software.


...or if they use RSA at too low of a bit depth: https://news.ycombinator.com/item?id=6506120


Encrypted HDD won't help against cold boot attack.


I doubt that an unexpected reboot and chassis intrusion (to install a compromised bootloader, for example) will go unnoticed by FastMail staff.


That was what my comment was addressing: What will they do if that happens? Suppose a machine goes offline for a minute then comes back. Datacenter says nothing or says "we have no records of a power issue" or something to that effect. Now what? If Fastmail's software didn't wipe the key from RAM, it may be already compromised. Do they shutdown that colo facility? If so, why are they in the US in the first place?


The personal location of the operators is probably the #1 most important security risk; location of customers, location of servers, and country of incorporation are also important.

It's much easier to compel operators to do something (through legal threats or potentially physical threats) than it is to do any active modifications to a complex system, undetectably. Passive ubiquitous monitoring is a concern because it's passive and thus hard to detect -- it's highly unlikely TAO can go after a large number of well-defended systems without getting caught. Obviously they'd be likely to hide their actions behind HACKED BY CHINESEEEE or something, but even then, it's relatively rare to have a complete penetration of a large site in a way which isn't end-user affecting, and rarer still for the site not to publicize it.

That said, if I wanted to compromise Fastmail, I'd either compromise a staffer or some of their administrative systems to impersonate staff.


The US government will just take their server. They don't care if you go out of business.

Look at what they did to megaupload.com.


This is the same megaupload where FBI agents took part in a raid on a house in a non-US country?

http://www.listener.co.nz/commentary/the-internaut/kim-dotco...

As I said in a response on our forum, if the stakes are high enough, no datacentre in the world is safe.

Bruce Schneier recommends protecting against terrorist attacks by improving emergency response capabilities - with the side benefit that your measures also help against natural disasters:

https://www.schneier.com/essay-292.html

(edit: that's not a great version of his point actually, https://www.schneier.com/blog/archives/2005/09/katrina_and_s... is more on point)

Similarly, our main focus for security is protecting against all forms of attackers, including common theft or misplacement of our servers. We consider that to be more valuable for the overall security of our users (including security against denial of service) than fighting an impossible fight.

FACT: if the three letter agencies in the USA want your data desperately enough, they will get it. With FastMail, they have a legal way to obtain it which is quite a lot of effort, but (hopefully) less expensive to them than taking our servers offline.

What they can't do, by Australian law, is require our cooperation in blanket surveillance on all our users.


"As I said in a response on our forum, if the stakes are high enough, no datacentre in the world is safe."

The stakes being relevant to US that is.


The point that they're trying to make, and which is true in the Megaupload case, is that they would know that this had happened and they would disclose the fact that it happened.


There's a difference between going after a company that is obviously facilitating copyright infringement and is mainly used for that purpose vs. going after a respectable service provider. The latter would raise hell in the international relations between countries.


That's just a matter of perspective. Was Megaupload "obviously" facilitating copyright infringement any more than Google does?


Absolutely. It is a powerful tactic. Impede or shut down their business, destroy their reputation, and then even if you can't do anything to them legally, you have still achieved the same ultimate damage.

And, my initial response to seeing this headline: "Oh, _yes_ you do."


Hello inflammatory headline.

That's a very small part of a lot of what we have to say, most of which is:

* we can't be compelled (under current laws) to install blanket monitoring on our users

* we can't be compelled to keep quiet about penetration that we notice

* there are always risks, including the risk that any random group knows unpublished security flaws in the systems that we use

We have written some things about techniques we use to reduce those risks (physically separate internal network rather than VLANS on a single router for example) - these help protect against both government AND non-government threats. But we can't make those risks go away entirely.

What we're saying is - the physical presence in the USA only changes one low-probability/high-visibility threat, which is direct tampering with our servers.

Regardless of the physical location of servers, we would still comply with legally valid requests made through the Australian Government.

It is our belief and hope that this process is difficult enough to mean that US agencies only ask for data when they have good cause rather than "fishing" - but still easier than taking our servers and shutting us down, with all the fallout that would cause.


I found this article brutally honest. What they are saying is that (1) NSA snooping is more expensive for the NSA as they can't engage in blanket surveillance on all of their users, while keeping them silent, but on the other hand (2) you can't expect and shouldn't assume privacy, because if the NSA wants to listen on your traffic, they will.

This in combination with FastMail being acquired by its former employees, coupled with their investment in CardDAV and CalDAV, makes me really excited about them. I was actually looking for a good replacement to Google Apps and FastMail might be it. It's still a little expensive though, compared to Google Apps, I hope they'll bring those prices down just a little.


I am more than willing to give FastMail twenty USD per year, so it is not expensive in that regard, but it is expensive for what you get. 1GB of space? Give me a break. All of the tiers need to shift down a notch while keeping the price the same. $20 for 10 GB would be reasonable.


Well, that's what I meant. I pay something like $50 / user account yearly in Google Apps and I get 30 GB of space, plus Contacts, Calendar, Google Hangouts, Drive and all the other goodies. Paying $60 per year for email with 15 GB of storage seems kind of expensive.


I think there's reason to believe that targeting a person like Snowden would cause the U.S. to use the most extreme measures discussed in the post, such as seizing the servers.


The point is, they wouldn't need to, because the Australian Government would order us to turn over the data, and we would. Everybody wins (except theoretical-Snowden)

Mind you, theoretical-Snowden is already screwed at this point, regardless of where his mail is. No reason to believe any European country would be susceptible to pressure:

http://www.bbc.co.uk/news/world-latin-america-23174874

Or maybe there is.

Which comes back to the point I've been trying to make all along here. In the most serious extreme, nowhere in the world is "safe". In a less serious case, nobody's going to invade NYI with jackboots on. The window between those two cases is where being not-in-USA could theoretically save us from having our servers snatched (assuming said jackboots weren't willing to just wait for the Australian Government to order us to hand the data over)


There's one question they haven't answered: Why do they even need to have their servers in the US? Their blog post admits that there's a big chance that the US is spying on their customers. Given the fact that FastMail is a Norwegian/Australian company, why don't they just move their servers to e.g. Norway?

I realize that even if the servers were in Norway, an email from a FastMail user to a gmail.com account would still be read by the NSA (because it would pass through American servers), but email sent from FastMail to other email hosts in relatively safe countries would not be read by the NSA.



Alright, but the point still remains: You could theoretically place your servers anywhere in the world, so why choose the US?


Like what Bron mentioned above:

'Which comes back to the point I've been trying to make all along here. In the most serious extreme, nowhere in the world is "safe"'

Do you have any suggestions for countries that have excellent data connectivity, would successfully resist pressure from US/UK/X authorities to hand over our servers, and at the same time would not themselves want access to?


Norway, Iceland and Switzerland come to mind.

As for whether or not they want access to data: There's nothing wrong with governments accessing data if there's a court order in place and their request is part of an investigation. It's the automatic surveillance of everyone that NSA does that's a problem, and it's certainly not all countries that do that.

In the most serious extreme, nowhere in the world is "safe"

Sure, but there are levels of safety, and the US has turned out to have a low degree of safety for a Western country. The fact that you probably can't find a perfect country shouldn't be an excuse to pick a notoriously unsafe one.


We're already in Iceland - from http://blog.fastmail.fm/2012/07/03/a-story-of-leaping-second...

"We have a complete live-spare datacentre in Iceland. Eventually it will be a fully operational centre in its own right, but for now it’s running almost 100% in replica mode."

I'm not so sure about the safe-haveness of Switzerland these days. They already caved to the US, giving them access to banking info (what they're famous for... which leaves me wondering what Switzerland got in return):

  http://uk.reuters.com/article/2013/08/28/uk-switzerland-usa-tax-idUKBRE97R0CY20130828


We have a complete live-spare datacentre in Iceland. Eventually it will be a fully operational centre in its own right

Let me know when that happens and I'll gladly sign up for your service :)

I'm not so sure about the safe-haveness of Switzerland these days. They already caved to the US, giving them access to banking info (what they're famous for... which leaves me wondering what Switzerland got in return):

I don't see how bank secrets have anything to do with Internet surveillance. There's a general tendency now both in the US and the EU to pressure tax havens such as Switzerland, Andorra, the Bahamas, etc. to give up their bank secrets so that corporations and rich individuals can't hide their income and avoid paying taxes. That seems fair enough, and I don't see a direct link between that and Internet surveillance.


The persuasive part of this is disclosure. It's a promise to be open about any breaches, plus an observation that the US lacks the legal clout to stop the promise from being kept.


I know that my word doesn't mean much, but I have had the chance to talk to several of the guys working at Fastmail during their years at Opera Software. They are -serious- about mail and they are -serious- about privacy.

Next time I'm out shopping for email services, I will give my money to them! (And, to give something back for all the Tim Tams brongondwana brought with him to Norway every time he was on a visit ;) )


If you want to just send timtams, that would be fine too. We seem to have run out of them in the office...


I'll get you timtams if you run the fire escape with us...


I'm afraid that if I get fit and stuff I won't want them anymore! :'(


Hasn't stopped me.


Stick to IRC for the internal chats guys.

Wait, I meant email... ;)


So they are saying that they can never get a NSL to turn over information, but where are these servers? Who has the keys to the door of the server room?

So maybe they don't get the NSL, but the people/group/company that is handling the servers might. This seems disingenuous. I could be wrong, but it feels like they are making claims that will dupe people into their service because they feel safe.


> So maybe they don't get the NSL, but the people/group/company that is handling the servers might. This seems disingenuous.

well they do say explicitly that, near the bottom. Hardly disingenuous.


They do in fact mention that in the article:

> There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers.


The only real benefit I see here is that your IP won't be easily revealed. That is, given a fastmail account, the e.g. FBI cannot quickly get your login IP, like they can with e.g. Outlook or Gmail. So, for just low-level anti-surveillance, SSL to fastmail might suffice instead of using Tor with Gmail.

Unless you're using PGP or S/MIME, SMTP is still most often unencrypted.


I think the assumption is that FBI has to obey the law to produce evidence for prosecutions. NSA doesn't, particularly vs. "foreign".


Since the Silk Road bust we know the US LE is able to convince or force colocation providers to provide them with an image of a server. After that, pretty much any communication can be considered open to the NSA. I am not surprised that he does not clearly mention this.

So FM should move their servers out of the US even if that's inconvenient.


Actually we did clearly mention it:

"Our colocation providers could be compelled to give physical access to our servers."

But in the very next paragraph:

"These are not things we can protect against directly but again, we can make it extremely difficult for these things to occur by using strong encryption and careful systems monitoring. Were anything like this ever to happen we would be talking about it very publically. Such an action would not remain secret for long."

It's not hard for a skilled sysadmin to take an image of a running server. It's extremely difficult to do it without administrative access to the machine AND to do it without anyone noticing.


You could move the servers to a country with more respect for rule of law. That would be awesome!


Silk Road wasn't hosted in the US, in the documents it says they got the server image from another country.


What we also know from that is that it doesn't really matter where your servers are physically located.


> our primary servers are located in the US

Why would you do that, especially when you're not even a US company?


Because most of our customers are in the US. If your goal is to provide the fastest service around, it helps to put your servers near your users.


But maybe most of your users are from the US because the servers are there? I'm from Europe and was a FastMail customer once, but I switched away because I didn't trust the US-based servers (and that was even before the NSA scandal).


Also because Australian bandwidth is hella-expensive, power isn't great either.

Why New York rather than West Coast - that's a trickier one. I'd certainly appreciate the slightly faster pingtimes, but it would be slower for Europe.

I think a major consideration is that we found a really good datacentre with NYI, and we're sticking with them because they're incredibly reliable. Reliability matters in this business.


What about European users? That market should be roughly equal in size.

As others have noted, I would consider Fastmail if servers were located in a country with greater respect for privacy, judicial oversight and rule of law.


You're implying that you would make less money by trading in your US location for more security. That means that you believe not enough users care enough about their privacy to accept that (really light) trade-off.


It might also mean that many of our users believe in the same tradeoff that we do - that we're not overreacting to one low probability/high visibility risk by throwing out the incredibly good reliability we've had for years to shut everything down, ship it to a location with unknown reliability and spin it all back up again - complete with new IP addresses and all the headache that would cause tons of customers who have hard coded things on their own domains (annoying but true - recycling IPs is hard)

There are tons of downsides to shutting down everything that's working well in a knee-jerk reaction to one possible risk - never mind that the government of whatever country we choose could very well cooperate with the same agencies we're running from - or they could just corrupt an employee of the datacentre we're in - or...

So maybe if you're going to put words into our mouth you could put ones about how much we care about our users and our reliability that we don't jump on unproven setups just because of a single (unchanged, just more public) risk.


You're not representing your company very well. If you're going to be mean, you'd better be right. But in the scenario you describe, the solution is to move incrementally, one server at a time, not "shut everything down, ship it, then reboot everything simultaneously."

FYI you have about 1.5 hours to edit your post. You may want to do that, because otherwise it will probably scare off most informed potential customers who read it.


Do you have a realistic idea of how long that would take, and what the risks and costs involved are? How would we "move" the servers, without a significantly higher risk of the data being leaked? Assuming Europe, that's an 8 hour flight at the least.

I'm guessing people are assuming Europe as the bastion of all things good here. Certainly it's more affordable for hosting than Australia, and more reliably connected than anywhere else.

A more realistic scenario, if we had the budget for it, would be to buy a duplicate set of hardware, install it in the theoretical new location, duplicate all the data, grandfather everything running at NYI.

This would be a process that would take months or years of real time as well, plus quite a lot of admin time. Just duplicating all the email, well - I did it recently, I carried an almost full set of backups on encrypted hard disks from New York to Australia (the key was only ever in tmpfs on the host in New York, copied in over ssh inside a VPN link, and all copies nuked and the server rebooted and reinstalled before I left New York) Even filling those disks at the maximum IO rate we could sustain took over a week - and unpacking it at the other end would take as long again.

All this for theoretical security against one of very many risks we face. It is my considered opinion that we can get better return on our security investment (both time and money) in other ways than scrambling to get everything out of the USA.

And "emails being read by the US Government" is only one of very many security threats. We could make our users' emails VERY secure by putting all our servers in the shredder - it might reduce uptime and recoverability of data somewhat...

... so I'm hoping most informed potential customers understand that there are other risks in the world, and we balance our defenses amongst the various risks.

Throwing away everything that's good about our New York hosting in exchange for maybe being more secure against one particular risk is not a decision to make lightly, your assertions notwithstanding.


You could also just create a second, completely separate setup in Europe running on a new domain. People who don't care about their @fastmail.fm domain or those who use their own domain can move to the European setup.


Yes, we could. It's certainly an idea that's on our radar.


> You're not representing your company very well.

> FYI you have about 1.5 hours to edit your post. You may want to do that, because otherwise it will probably scare off most informed potential customers who read it.

(The above post was, curiously, edited very slightly before I was able to reply.)

It's possible brongondwana is taking some of the discussion here personally, but most people invested emotionally in their company are going to feel some need to defend their decisions against criticism they see as invalid or misplaced. I can't help but feel that some of your post is also somewhat emotionally-charged. I apologize if I'm misreading it.

Regardless, to play devil's advocate, both of the FastMail employees have a point (I also fail to see how they're being "mean;" maybe it's a cultural difference?). While they may not be a huge company with a great deal of leverage with the right government officials, I think such criticism levied against them is indeed kneejerk and perhaps a touch myopic. It's ignoring the greater story at large, which is the souring of US policy abroad, particularly among our allies. As an example, an enterprising Australian politician who wanted to make a name for his or her self could certainly take any such incidents against FastMail and use them as political leverage.

I can only imagine just how incendiary such headlines might become: US Seizes Australian Servers in NSA/FBI/Scary-three-letter-name US Agency Sting Operation. That'd go over real well, especially among Commonwealth nations.

I would submit to you (and others) that the best means of debating this would be to research case law and find examples where US courts upheld government actions against foreign assets held or based in the US. IANAL, but I can't help myself from thinking that such a foundation would be much better than accusing one side in particular of being "mean."


"I can only imagine just how incendiary such headlines might become: US Seizes Australian Servers in NSA/FBI/Scary-three-letter-name US Agency Sting Operation. That'd go over real well, especially among Commonwealth nations."

I think if that were to happen, it would be another nail in the coffin for the "US cloud".

From www2.itif.org/2013-cloud-computing-costs.pdf

"The U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years as a result of the recent revelations about the NSA's electronic surveillance programs"


Agreed. It doesn't help that it seems like the US government wants to repeatedly shoot itself in the foot.


As Australia is a member of the five eyes group, I do not see any added protection from FM being incorporated there rather than in the USA.

This is why I use an email service in Norway (runbox.com), which, as far as I know, is not sharing information by default.


The legal situation in Norway is... in flux at the moment. The Snowden revelations might stop information sharing from coming in, but Norway is looking like leapfrogging Australia pretty much with data retention (along with much of Europe):

http://theforeigner.no/pages/news/updated-parliament-passes-...

Norway isn't some magical safe haven from legal data requests. We receive law enforcement requests through the Norwegian system for mail.opera.com users (which, despite running on the same infrastructure, is operated under Norwegian law, not Australian - isn't life complex)

http://en.wikipedia.org/wiki/Telecommunications_data_retenti... tells a few interesting stories.

Australian law may indeed change, and we'll be compelled to update our policies to match. So far, we've avoided it.

http://www.smh.com.au/technology/technology-news/government-...


They don't need to seize the server. SMTP is plaintext and on a well known port number. I'm sure the NSA have a record of every email sent through the US in the last few years.


It is possible to encrypt SMTP connections with standard SSL/TLS technology.

FastMail has been using opportunistic encryption on their incoming and outgoing SMTP servers for years. If you send an email to another service that does opportunistic encryption, and if both the sender and recipient uses SSL to access their mailboxes (as FastMail requires), the email will never be transmitted in plain text over the Internet.


The problem with such opportunistic encryption, is that you could insert a man in the middle which basically intercepts the traffic and modifies the handshake to exclude the STARTTLS extension.

With opportunistic SMTP encryption this will cause things to proceed in plain text. The sinister thing about this is that e-mails still flow, so it still works.


There exists some Cisco network gear that intentionally breaks STARTTLS commands in its default configuration (and wasn't debugging _that_ on a piece of network gear a client owned but didn't know about a fun waste of several weeks…)

( http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/produc... for anyone who wants details… )


There's a solution for this. It's called DANE. See http://tools.ietf.org/html/draft-ietf-dane-smtp

We're currently investigating it.


Interesting.

Meanwhile, does SMTP have something like HTTP Strict Transport Security? It would be nice for an impartial party to compile a list of mail servers that pledge to accept encrypted connections, and for sending MTAs to treat it as a connection failure if the destination is on that list but doesn't appear to support encryption.
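The three pieces discussed in this sub-thread (opportunistic STARTTLS that silently degrades when the extension is missing from the EHLO banner, DANE/TLSA making TLS mandatory, and a pledge list of servers that promise to accept encrypted connections) fit together in one sending-side policy decision. The following is an added example, not FastMail's or any commenter's code: the EHLO responses, the pledge list, the certificate bytes and the TLSA record are all constructed; the TLSA field layout (usage, selector, matching type, data) follows RFC 6698, and only usage 3 with selector 0 (full certificate) is handled.

```python
"""Decide whether a sending MTA may fall back to plaintext SMTP.

Added example, not FastMail's code. Inputs modelled on the thread:
the receiving server's EHLO extension list, a local list of domains
that pledged to accept TLS, and DANE TLSA records (RFC 6698 layout).
All sample data is constructed.
"""
import hashlib

# Constructed EHLO responses. EHLO_STRIPPED is what a sending MTA sees
# when a middlebox has removed the STARTTLS line from the banner.
EHLO_NORMAL = ["250-mx.example.test", "250-PIPELINING", "250-SIZE 52428800",
               "250-STARTTLS", "250-8BITMIME", "250 DSN"]
EHLO_STRIPPED = ["250-mx.example.test", "250-PIPELINING", "250-SIZE 52428800",
                 "250-8BITMIME", "250 DSN"]

# Constructed pledge list (domains that promised to always offer TLS).
PLEDGED_TLS = {"example.test"}

# Constructed bytes standing in for the DER certificate presented in the
# handshake, plus a TLSA record derived from it:
# usage 3 (DANE-EE), selector 0 (full cert), matching type 1 (SHA-256).
FAKE_CERT_DER = b"constructed-der-certificate-bytes"
TLSA_RECORDS = {
    "mx.example.test": [(3, 0, 1, hashlib.sha256(FAKE_CERT_DER).hexdigest())],
}


def advertises_starttls(ehlo_lines):
    """True if any '250-'/'250 ' line of the EHLO reply is the STARTTLS keyword."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)


def tlsa_matches(cert_der, records):
    """Check the presented certificate against DANE-EE / full-cert TLSA records."""
    for usage, selector, mtype, data in records:
        if usage != 3 or selector != 0:
            continue  # other usages/selectors (e.g. SPKI) not handled in this example
        if mtype == 0:
            digest = cert_der.hex()
        elif mtype == 1:
            digest = hashlib.sha256(cert_der).hexdigest()
        elif mtype == 2:
            digest = hashlib.sha512(cert_der).hexdigest()
        else:
            continue
        if digest == data.lower():
            return True
    return False


def delivery_policy(domain, mx_host, ehlo_lines, cert_der=None):
    """Return ('tls' | 'plaintext' | 'fail', reason) for one delivery attempt."""
    must_tls = domain in PLEDGED_TLS or mx_host in TLSA_RECORDS
    if not advertises_starttls(ehlo_lines):
        if must_tls:
            return ("fail", "STARTTLS missing from EHLO but TLS is required")
        return ("plaintext", "opportunistic fallback")  # the silent degrade
    if mx_host in TLSA_RECORDS:
        if cert_der is None or not tlsa_matches(cert_der, TLSA_RECORDS[mx_host]):
            return ("fail", "certificate does not match TLSA record")
        return ("tls", "DANE-verified")
    return ("tls", "opportunistic")


if __name__ == "__main__":
    print(delivery_policy("other.test", "mx.other.test", EHLO_STRIPPED))
    print(delivery_policy("example.test", "mx.example.test", EHLO_STRIPPED))
    print(delivery_policy("example.test", "mx.example.test", EHLO_NORMAL, FAKE_CERT_DER))
```

The useful property is that a stripped banner becomes a hard delivery failure (and therefore a visible, queued, alertable event) instead of a quiet plaintext send, but only for peers that have committed to TLS; everyone else keeps the opportunistic behaviour the thread describes.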


I don't suppose you got any numbers easily at hand about how much of your port 25 traffic negotiates a TLS encrypted connection?


A very naive estimate based on one day of logs from one server says over 75% of our incoming port 25 connections are encrypted. Although that says nothing about the quality of the cipher in use and the type of messages that come through, it's still significantly higher than I would have expected.

I can see I'll be spending some time on this in the next few days!
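A way to get that kind of number, together with the cipher-quality caveat the reply mentions, out of MTA logs. This is an added example rather than FastMail's tooling: it assumes Postfix-style syslog lines ("connect from ..." for each inbound session and "Anonymous TLS connection established from ...: <protocol> with cipher <name>" when STARTTLS succeeded), the log lines are constructed, and the weak-cipher markers are a simple heuristic chosen for the illustration.

```python
"""Share of inbound port-25 sessions that negotiated TLS, and how many
used weak protocol versions or ciphers, estimated from MTA logs.

Added example, not FastMail's tooling. Assumes Postfix-style smtpd log
lines; the sample below is constructed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct  7 09:01:02 mx1 postfix/smtpd[1201]: connect from mail-a.example.test[192.0.2.10]
Oct  7 09:01:02 mx1 postfix/smtpd[1201]: Anonymous TLS connection established from mail-a.example.test[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  7 09:01:05 mx1 postfix/smtpd[1202]: connect from mail-b.example.test[192.0.2.11]
Oct  7 09:01:05 mx1 postfix/smtpd[1202]: Anonymous TLS connection established from mail-b.example.test[192.0.2.11]: TLSv1 with cipher RC4-SHA (128/128 bits)
Oct  7 09:01:09 mx1 postfix/smtpd[1203]: connect from mail-c.example.test[192.0.2.12]
Oct  7 09:01:11 mx1 postfix/smtpd[1204]: connect from mail-d.example.test[192.0.2.13]
Oct  7 09:01:11 mx1 postfix/smtpd[1204]: Anonymous TLS connection established from mail-d.example.test[192.0.2.13]: TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)
"""

CONNECT_RE = re.compile(r"smtpd\[(\d+)\]: connect from (\S+)")
TLS_RE = re.compile(
    r"smtpd\[(\d+)\]: \w+ TLS connection established from (\S+): (\S+) with cipher (\S+)"
)

# Constructed heuristic: protocol versions and cipher-name fragments to flag.
WEAK_PROTOCOLS = ("SSLv2", "SSLv3")
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP")


def analyse(log_text):
    """Correlate 'connect from' and 'TLS connection established' lines
    by (smtpd pid, peer). Over a long log window pids get reused, so a
    real run should also bucket by time; this example keeps it simple."""
    sessions = {}  # (pid, peer) -> (protocol, cipher) or None when plaintext
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            sessions[(m.group(1), m.group(2))] = None
            continue
        m = TLS_RE.search(line)
        if m:
            sessions[(m.group(1), m.group(2))] = (m.group(3), m.group(4))

    total = len(sessions)
    encrypted = [v for v in sessions.values() if v is not None]
    weak = [
        v for v in encrypted
        if v[0] in WEAK_PROTOCOLS or any(k in v[1] for k in WEAK_CIPHER_MARKERS)
    ]
    return {
        "sessions": total,
        "encrypted": len(encrypted),
        "weak": len(weak),
        "encrypted_pct": round(100.0 * len(encrypted) / total, 1) if total else 0.0,
        "ciphers": Counter(v[1] for v in encrypted),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 4 sessions, 3 encrypted (75.0%) and 1 flagged as weak (the RC4 session); the cipher counter is what turns the headline percentage into something actionable, since a high TLS share made up of RC4 or export-grade suites gives much less protection than the raw figure suggests.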


Thanks for that. They're useful numbers for me, because I've got this plan…

My current side-project involves a RaspberryPi (sitting in my loungeroom on my home ADSL connection), iRedMail, full disk encryption, a handful of inexpensive VPS providers with APIs that allow automated provisioning (DigitalOcean, NineFold, and Hetzner – to spread out the jurisdictions) – with the RasPi opening a reverse SSH tunnel for ports 25 and 465. Add in a DNS provider with a useable API so the 'Pi can spin up and shut down VPSes itself and update MX records to suit, and VPS images configured to not log anything mail-related, and I think I've gone as far as I can to secure my end of all my email. Having physical control of the hardware/storage that my email relies on won't protect me against NSA level targeted-at-me snooping, or even local law enforcement with sufficient "probable cause" to get a judge to sign a search warrant, but at least I'll _know_ if someone grabs my server hardware. (Hmmm, I wonder if there's some NSL-type coercion that could be used against my partner to force her to let someone take/image my 'Pi while I'm not home, and not be allowed to tell me?)

Possible over-paranoid ideas include refusing port 25 smtp connections that won't negotiate a secured connection in response to a STARTTLS command, and possibly blacklisting mail originating from any of the 8 known PRISM collaborators. I like the _idea_ of ensuring none of my mail arrives from known-intercepted sources, but reality dictates otherwise since way too many of the people I really do want to communicate with are exclusively using gmail/yahoo for email (or worse still, have migrated largely to Facebook messaging instead of email).


As far as I know, Australian law is common law and would allow a judge to seal a warrant. So, fastmail's assertion that there is nothing like an NSL where they couldn't disclose a search is incorrect. I'm sure it is just lack of awareness, rather than intentional deception.

(Ianal, ianaa, but I am pretty sure I am correct on this point.)


While some describe this as "frank", I think to have that quality TFA would need to specify where the decryption keys are stored. Are they in the USA colo's too? (I realize I could probably figure this out myself if I could be arsed to do so, but why not just tell us?)


I've been having a discussion with a fastmail staff member about surveillance and fastmail. You can see the discussion here:

https://www.fastmail.fm/html/?MSignal=TZ-**378397*97ae93f3


FastMail's servers are on the internet, and so you're fucked.

Just sayin'.


Transparency takes precedence over everything else in this post, aka the thing you haven't seen US companies doing at all.

Hmmmmmmmmmmmmmmmmmm.


Or the US could just go to the Datacenter and force them to give access.


This makes me very happy to continue being a Fastmail customer.


Thank you, Fastmail. This is why I pay for you.


Despite that they just stated that your data will be owned by the US government in a raid on the US-based fastmail servers? And with no apparent way for US-based users to avoid that?


In all fairness, how are they supposed to combat that without moving their server location?


Now swear in blood you weren't under any kind of nondisclosure order when you wrote that.


This is a joke right? How much were they paid by the NSA to write this post?


Ffs, why even bother writing junk like this at all?


If I was going to set up a honeypot for evil-doers/dissidents, this is the message I would spread.


If I was an evil-doer/dissident I wouldn't be trusting my life to the collective wisdom of the internet ;)

