Hi, FastMail employee and author of (most of) that blog post here.
Just so we're clear, the point of this post was not that we don't think the rules don't apply to us. Instead we're trying to make it clear where position on these things are. The topic of this thread is a sensationalist sound-bite, nothing more.
I'm not going to go over the points again here because I'm pretty sure we said it all in the post (but ask questions if you like, I'll be here all week!).
The most important point to take away from this post is that your privacy is your responsibility. We're trying to provide you with as much information as we can to help you determine your own exposure, and to let you know what we will work to protect and where we can't help. Its up to you to determine if our service is right for you. No tricks, and no hard feelings if you'd rather take your business somewhere else!
Can you confirm you have never been contacted by US authorities (or Australian for that matter), and have never been placed under a non-disclosure order?
We have been contacted by US authorities in the past, and have referred them to the appropriate Australian authorities.
We have been contacted by Australian authorities in the past, and have worked with them in accordance with Australian law and our privacy policy, which you can read here: https://www.fastmail.fm/help/overview_privacy.html
Has the headline on HN been updated? Because both you and brongondwana talk about it being sensationalist, where I see it as just being a summary of the most salient part of what you have to say.
Do you have Australian legal advice to back up your conclusions? (I agree with them, but would like to make sure we're talking more than the "gist" of the law)
> Has the headline on HN been updated? Because both you and brongondwana talk about it being sensationalist, where I see it as just being a summary of the most salient part of what you have to say.
To my mind it was one of the least interesting parts of what we had to say. "Non-US company not bound by US law" - its hardly earth-shattering news. Would "Non-Senegalese company not bound by Senegal law" be as interesting?
EDIT: Sorry, it just occurred to me that it was changed already and you might have posted this afterwards. The original post headline was "FastMail claims they do not have to comply with National Security Letters". That's what we were referring to when we said it was "sensationalist".
> Do you have Australian legal advice to back up your conclusions? (I agree with them, but would like to make sure we're talking more than the "gist" of the law)
We've made our position public, and we're satisfied that its an accurate reflection of our position and our understanding of Australian law. You must not rely on it as a legal basis for anything though - get your own legal advice that applies specifically to your own circumstances!
Just a tangential thought, but I can't imagine seizing Australian assets based in the US would make for a particularly comfortable diplomatic position to be in (although I suspect our current government doesn't care). To say nothing about the fact that we've already shown our hand (and upset most of our allies) by way of the Manning leaks, the Assange manhunt brought about largely by US political pressure, and, more recently, the NSA scandal.
I've mentioned it elsewhere but it's worth repeating here. Finding established case law dealing with foreign assets seized (possibly illegally) on US soil and the repercussions would make for an interesting exercise. I feel like there's one instance in particular that was especially noisome that happened recently, but I can't for the life of me remember what it was.
If you don't mind my asking, what contingencies do you have in place in the event of a seizure of hardware assets? It's unlikely, but the FBI has been known to take anything that vaguely looks like a server...
We currently have a complete copy of all user data in a secondary (non-US) data centre. In the event of a loss of our US-based servers, we would get this secondary copy up and running as quick as possible (likely in a reduced capacity) while sourcing new equipment and getting a new primary centre up as quickly as possible.
This would be a catastrophic event, no doubt about it, and there would be significant disruption for our users. But it wouldn't mean the end of FastMail.
We also have a second (1-2 week old at this point) backup set of most users' data sitting in boxes on my loungeroom floor. Encrypted of course. It came back in my suitcases from New York a week ago.
Bootstrapping from that would be significantly more painful though, and a lot more "gappy".
NSA eagerness to intercept personal emails of Brazilian president and EU citizens shows that noone cares about comfortable diplomatic positions, they'd just do it anyways.
"We've made our position public, and we're satisfied that
its an accurate reflection of our position and our
understanding of Australian law. You must not rely on it as a legal basis
for anything though"
I'm not sure if I see the value of you saying it, then. Why not get a lawyer to provide you with a position that can be relied upon?
Because its our advice. It was developed for us, taking our concerns into account. You need to get your own legal advice relevant to your own situation.
Or put another way, I don't think "Your Honour, FastMail's lawyer said it was ok" is valid defense for anyone except us.
Who said that that would be a defense we would use?
My point is that you have given advice, with the implication that it would soothe some of our concerns. And then, in the very next sentence, you've said, in effect, it's legally worthless.
So, how exactly does your own advice to us help in any way whatsoever?
It's as useful as the degree to which you trust the company giving this advice. And that's always going to be the case regardless of who the company is and what they say.
Just so we're clear, the point of this post was not that we don't think the rules don't apply to us. Instead we're trying to make it clear where position on these things are. The topic of this thread is a sensationalist sound-bite, nothing more.
I'm not going to go over the points again here because I'm pretty sure we said it all in the post (but ask questions if you like, I'll be here all week!).
The most important point to take away from this post is that your privacy is your responsibility. We're trying to provide you with as much information as we can to help you determine your own exposure, and to let you know what we will work to protect and where we can't help. Its up to you to determine if our service is right for you. No tricks, and no hard feelings if you'd rather take your business somewhere else!