
You're implying that you would make less money by trading in your US location for more security. That means that you believe not enough users care enough about their privacy to accept that (really light) trade-off.



It might also mean that many of our users believe in the same tradeoff that we do - that we're not overreacting to one low probability/high visibility risk by throwing out the incredibly good reliability we've had for years to shut everything down, ship it to a location with unknown reliability and spin it all back up again - complete with new IP addresses and all the headache that would cause tons of customers who have hard coded things on their own domains (annoying but true - recycling IPs is hard)

There are tons of downsides to shutting down everything that's working well in a knee-jerk reaction to one possible risk - never mind that the government of whatever country we choose could very well cooperate with the same agencies we're running from - or they could just corrupt an employee of the datacentre we're in - or...

So maybe if you're going to put words into our mouth you could put ones about how much we care about our users and our reliability that we don't jump on unproven setups just because of a single (unchanged, just more public) risk.


You're not representing your company very well. If you're going to be mean, you'd better be right. But in the scenario you describe, the solution is to move incrementally, one server at a time, not "shut everything down, ship it, then reboot everything simultaneously."

FYI you have about 1.5 hours to edit your post. You may want to do that, because otherwise it will probably scare off most informed potential customers who read it.


Do you have a realistic idea of how long that would take, and what the risks and costs involved are? How would we "move" the servers, without a significantly higher risk of the data being leaked? Assuming Europe, that's an 8 hour flight at the least.

I'm guessing people are assuming Europe as the bastion of all things good here. Certainly it's more affordable for hosting than Australia, and more reliably connected than anywhere else.

A more realistic scenario, if we had the budget for it, would be to buy a duplicate set of hardware, install it in the theoretical new location, duplicate all the data, grandfather everything running at NYI.

This would be a process that would take months or years of real time as well, plus quite a lot of admin time. Just duplicating all the email, well - I did it recently, I carried an almost full set of backups on encrypted hard disks from New York to Australia (the key was only ever in tmpfs on the host in New York, copied in over ssh inside a VPN link, and all copies nuked and the server rebooted and reinstalled before I left New York). Even filling those disks at the maximum IO rate we could sustain took over a week - and unpacking it at the other end would take as long again.

All this for theoretical security against one of very many risks we face. It is my considered opinion that we can get better return on our security investment (both time and money) in other ways than scrambling to get everything out of the USA.

And "emails being read by the US Government" is only one of very many security threats. We could make our users' emails VERY secure by putting all our servers in the shredder - it might reduce uptime and recoverability of data somewhat...

... so I'm hoping most informed potential customers understand that there are other risks in the world, and we balance our defenses amongst the various risks.

Throwing away everything that's good about our New York hosting in exchange for maybe being more secure against one particular risk is not a decision to make lightly, your assertions notwithstanding.


You could also just create a second, completely separate setup in Europe running on a new domain. People who don't care about their @fastmail.fm domain or those who use their own domain can move to the European setup.


Yes, we could. It's certainly an idea that's on our radar.


> You're not representing your company very well.

> FYI you have about 1.5 hours to edit your post. You may want to do that, because otherwise it will probably scare off most informed potential customers who read it.

(The above post was, curiously, edited very slightly before I was able to reply.)

It's possible brongondwana is taking some of the discussion here personally, but most people invested emotionally in their company are going to feel some need to defend their decisions against criticism they see as invalid or misplaced. I can't help but feel that some of your post is also somewhat emotionally-charged. I apologize if I'm misreading it.

Regardless, to play devil's advocate, both of the FastMail employees have a point (I also fail to see how they're being "mean;" maybe it's a cultural difference?). While they may not be a huge company with a great deal of leverage with the right government officials, I think such criticism levied against them is indeed kneejerk and perhaps a touch myopic. It's ignoring the greater story at large, which is the souring of US policy abroad, particularly among our allies. As an example, an enterprising Australian politician who wanted to make a name for his or her self could certainly take any such incidents against FastMail and use them as political leverage.

I can only imagine just how incendiary such headlines might become: US Seizes Australian Servers in NSA/FBI/Scary-three-letter-name US Agency Sting Operation. That'd go over real well, especially among Commonwealth nations.

I would submit to you (and others) that the best means of debating this would be to research case law and find examples where US courts upheld government actions against foreign assets held or based in the US. IANAL, but I can't help myself from thinking that such a foundation would be much better than accusing one side in particular of being "mean."


"I can only imagine just how incendiary such headlines might become: US Seizes Australian Servers in NSA/FBI/Scary-three-letter-name US Agency Sting Operation. That'd go over real well, especially among Commonwealth nations."

I think if that were to happen, it would be another nail in the coffin for the "US cloud".

From www2.itif.org/2013-cloud-computing-costs.pdf

"The U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years as a result of the recent revelations about the NSA's electronic surveillance programs"


Agreed. It doesn't help that it seems like the US government wants to repeatedly shoot itself in the foot.



