item 6506536

FastMail’s servers are in the US – what this means for you

292 points | masnick | 12 years ago | blog.fastmail.fm

169 comments

nullc | 12 years ago
> There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers.

> These are not things we can protect against directly but again, we can make it extremely difficult for these things to occur by using strong encryption and careful systems monitoring. Were anything like this ever to happen we would be talking about it very publically. Such an action would not remain secret for long.

> Ultimately though, our opinion is that these kinds of attacks are no different to any other hacking attempt. We can and will do everything in our power to make getting unauthorised access to your data as difficult and expensive as possible, but no online service provider can guarantee that it will never happen.

This kind of frank disclosure should be highly rewarded. I provided similar frank disclosure text (elsewhere) only to have it whitewashed.

When everyone is underplaying the real limitations it's impossible for people to choose alternative tradeoffs— "Why should I use this slightly harder to use crypto thing when foo is already secure?"— because the risks have been misrepresented. Underplaying the limitations also removes the incentives to invent better protection— "Doesn't foo already have perfect security?".

danenania | 12 years ago
"This kind of frank disclosure should be highly rewarded."

Yep, definitely. I think even more important than the information itself is the spirit of honesty and integrity that it demonstrates. This stands in stark contrast to the ambiguous slimeball statements issued by the likes of Google, Facebook, Apple, Microsoft, etc.

When Big Brother comes knocking, which companies are going to take a risk to stand up for you? It's as much a question of character as policy.

olegp | 12 years ago
It's nice that they are frank about it, but it is also pretty clear that any company hosting in the US, even if they are based elsewhere, is less of an appealing option to the truly security conscious (or paranoid, depends on how you look at it). Sometimes these aren't necessarily the more technical people either.

The problem is that for most services, it is hard to tell where the company is from and where they are hosted, unless you're technical enough to run a traceroute. At StartHQ we've been trying to make that easier to find for non techies and the fact that FastMail host in the US became quickly apparent via their app profile page when we first added it: https://starthq.com/apps/fastmail - there was a pretty lively discussion on FB about it at the time as well.

alan_cx | 12 years ago
"This kind of frank disclosure should be highly rewarded."

With all due respect, I'm sorry, but no.

Had it come before the Snowden leaks, absolutely. But it didn't.

After the event, facing a danger of customer loss or loss of confidence, it can only be seen as a too-late and defensive move. All these companies must have known something about these risks, yet remained in a passive conspiracy of silence. Not one stood up until Snowden did. By then, too damn late.

acqq | 12 years ago
The problem with this "disclosure" is that the implications of Australian laws aren't clear to the people writing the text, as seen in another thread here, started by westicle:

https://news.ycombinator.com/item?id=6506711

In short, don't expect that you can get any advantage from FastMail being an Australian company -- you can even be worse off.

aroman | 12 years ago
I agree that this is a nice gesture, but it's not a "frank disclosure". What did they disclose?

When they actually have a security breach and they promptly "[talk] about it very publicly", that will be something commendable. Right now we have words, not actions.

Though honestly I'd much rather have such words than not.

westicle | 12 years ago
> Australia does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it.

This is not true. The Australian Crime Commission has some of the most extensive secret coercive powers in the Western world.

http://www.austlii.edu.au/au/legis/cth/consol_act/acca200228...

I would suggest that either:

a) Fastmail is aware of this and is covertly spreading the word that it might be compromised; or

b) Fastmail needs better lawyers.

GreyZephyr | 12 years ago
You don't even need to use the ACC; people forget that the 2005 counter-terrorism act[0][1] has provision for preventative detention without charge, and notably, made it a criminal act to tell anyone that you had been detained. Combined with a rather broad definition of what was terrorism and the ability of police to request information, documents and emails, this act seems to cover all of the functional aspects of the National Security Letters with even less oversight.

[0] http://www.ag.gov.au/NationalSecurity/Counterterrorismlaw/Pa...

[1] https://en.wikipedia.org/wiki/Anti-Terrorism_Act_2005

robn_fastmail | 12 years ago
I would argue that section 29 is very narrow in its scope, and allows for disclosure once an investigation is completed, and allows for disclosure to an attorney, whereas my understanding of an NSL is that it can order pretty much anything it wants without limitation. That seems quite different to me.

But then, I'm not a lawyer. You're probably not either. Which is why I keep telling people to get their own legal advice if they're concerned about it.

robn_fastmail | 12 years ago
Hi, FastMail employee and author of (most of) that blog post here.

Just so we're clear, the point of this post was not that we don't think the rules don't apply to us. Instead we're trying to make it clear where our positions on these things are. The topic of this thread is a sensationalist sound-bite, nothing more.

I'm not going to go over the points again here because I'm pretty sure we said it all in the post (but ask questions if you like, I'll be here all week!).

The most important point to take away from this post is that your privacy is your responsibility. We're trying to provide you with as much information as we can to help you determine your own exposure, and to let you know what we will work to protect and where we can't help. It's up to you to determine if our service is right for you. No tricks, and no hard feelings if you'd rather take your business somewhere else!

anologwintermut | 12 years ago
I may have missed this elsewhere, but why are your servers in the US at all?
smegel | 12 years ago
Can you confirm you have never been contacted by US authorities (or Australian for that matter), and have never been placed under a non-disclosure order?
lessnonymous | 12 years ago
Hi Rob,

Has the headline on HN been updated? Because both you and brongondwana talk about it being sensationalist, where I see it as just being a summary of the most salient part of what you have to say.

Do you have Australian legal advice to back up your conclusions? (I agree with them, but would like to make sure we're talking more than the "gist" of the law)

chuu1 | 12 years ago
I have a fastmail test account. The only reason I have not completely switched to FM is because your servers are in the US. I am in Europe.
andrewfong | 12 years ago
Note the obvious caveat though:

"There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers."

As the colocation providers are based in the U.S., they would be subject to the National Security Letters. FastMail claims this is no different from any other hacking attempt. But in a normal hacking attempt, colocation providers would be free to explain to FastMail the extent of any hacking on their end. Moreover, hackers typically do not have physical access to any data. Even with encryption, physical access opens up a lot of attack vectors that most sysadmins don't anticipate.

MichaelGG | 12 years ago
If they mount webcams and other sensors inside the cabinet, they could detect unexplained access to their servers. Not sure what it'd really accomplish. The colo provider would either say "tech mistakenly opened that cabinet" or "no comment". The only real defense is to assume any such access is a breach and have servers immediately overwrite FDE keys in RAM and power off - and if they were that committed, they wouldn't host in the US in the first place.
Vivtek | 12 years ago
How likely is it that Fastmail data could be obtained without anybody at Fastmail noticing? And the key point is that Fastmail cannot be compelled to keep such an attempt secret - which is not the case for a US company.
kijin | 12 years ago
According to a FastMail representative:

> We use encryption to make hard drives worthless if they are stolen or just misplaced. [1]

[1] http://www.emaildiscussions.com/showpost.php?p=561920&postco...

Anything that makes hard drives unreadable by thieves would probably also make them unreadable by any U.S. agency that seizes them. Unless of course NSA has already broken the algorithms used by the disk encryption software.

rdl | 12 years ago
The personal location of the operators is probably the #1 most important security risk; location of customers, location of servers, and country of incorporation are also important.

It's much easier to compel operators to do something (through legal threats or potentially physical threats) than it is to do any active modifications to a complex system, undetectably. Passive ubiquitous monitoring is a concern because it's passive and thus hard to detect -- it's highly unlikely TAO can go after a large number of well-defended systems without getting caught. Obviously they'd be likely to hide their actions behind HACKED BY CHINESEEEE or something, but even then, it's relatively rare to have a complete penetration of a large site in a way which isn't end-user affecting, and rarer still for the site not to publicize it.

That said, if I wanted to compromise Fastmail, I'd either compromise a staffer or some of their administrative systems to impersonate staff.

sschueller | 12 years ago
The US government will just take their server. They don't care if you go out of business.

Look at what they did to megaupload.com.

brongondwana | 12 years ago
This is the same megaupload where FBI agents took part in a raid on a house in a non-US country?

http://www.listener.co.nz/commentary/the-internaut/kim-dotco...

As I said in a response on our forum, if the stakes are high enough, no datacentre in the world is safe.

Bruce Schneier recommends protecting against terrorist attacks by improving emergency response capabilities - with the side benefit that your measures also help against natural disasters:

https://www.schneier.com/essay-292.html

(edit: that's not a great version of his point actually, https://www.schneier.com/blog/archives/2005/09/katrina_and_s... is more on point)

Similarly, our main focus for security is protecting against all forms of attackers, including common theft or misplacement of our servers. We consider that to be more valuable for the overall security of our users (including security against denial of service) than fighting an impossible fight.

FACT: if the three letter agencies in the USA want your data desperately enough, they will get it. With FastMail, they have a legal way to obtain it which is quite a lot of effort, but (hopefully) less expensive to them than taking our servers offline.

What they can't do, by Australian law, is require our cooperation in blanket surveillance on all our users.

jmtulloss | 12 years ago
The point that they're trying to make, and which is true in the Megaupload case, is that they would know that this had happened and they would disclose the fact that it happened.
Confusion | 12 years ago
There's a difference between going after a company that is obviously facilitating copyright infringement and is mainly used for that purpose vs. going after a respectable service provider. The latter would raise hell in the international relations between countries.
pstack | 12 years ago
Absolutely. It is a powerful tactic. Impede or shut down their business, destroy their reputation, and then even if you can't do anything to them legally, you have still achieved the same ultimate damage.

And, my initial response to seeing this headline: "Oh, _yes_ you do."

brongondwana | 12 years ago
Hello inflammatory headline.

That's a very small part of a lot of what we have to say, most of which is:

* we can't be compelled (under current laws) to install blanket monitoring on our users

* we can't be compelled to keep quiet about penetration that we notice

* there are always risks, including the risk that any random group knows unpublished security flaws in the systems that we use

We have written some things about techniques we use to reduce those risks (physically separate internal network rather than VLANS on a single router for example) - these help protect against both government AND non-government threats. But we can't make those risks go away entirely.

What we're saying is - the physical presence in the USA only changes one low-probability/high-visibility threat, which is direct tampering with our servers.

Regardless of the physical location of servers, we would still comply with legally valid requests made through the Australian Government.

It is our belief and hope that this process is difficult enough to mean that US agencies only ask for data when they have good cause rather than "fishing" - but still easier than taking our servers and shutting us down, with all the fallout that would cause.

bad_user | 12 years ago
I found this article brutally honest. What they are saying is that (1) NSA snooping is more expensive for the NSA as they can't engage in blanket surveillance on all of their users, while keeping them silent, but on the other hand (2) you can't expect and shouldn't assume privacy, because if the NSA wants to listen on your traffic, they will.

This in combination with FastMail being acquired by its former employees, coupled with their investment in CardDAV and CalDAV, makes me really excited about them. I was actually looking for a good replacement to Google Apps and FastMail might be it. It's still a little expensive though, compared to Google Apps, I hope they'll bring those prices down just a little.

workhere-io | 12 years ago
There's one question they haven't answered: Why do they even need to have their servers in the US? Their blog post admits that there's a big chance that the US is spying on their customers. Given the fact that FastMail is a Norwegian/Australian company, why don't they just move their servers to e.g. Norway?

I realize that even if the servers were in Norway, an email from a FastMail user to a gmail.com account would still be read by the NSA (because it would pass through American servers), but email sent from FastMail to other email hosts in relatively safe countries would not be read by the NSA.

CurtMonash | 12 years ago
The persuasive part of this is disclosure. It's a promise to be open about any breaches, plus an observation that the US lacks the legal clout to stop the promise from being kept.
Quai | 12 years ago
I know that my word doesn't mean much, but I have had the chance to talk to several of the guys working at Fastmail during their years at Opera Software. They are -serious- about mail and they are -serious- about privacy.

Next time I'm out shopping for email services, I will give my money to them! (And, to give something back for all the Tim Tams brongondwana brought with him to Norway every time he was on a visit ;) )

robn_fastmail | 12 years ago
If you want to just send timtams, that would be fine too. We seem to have run out of them in the office...
traeblain | 12 years ago
So they are saying that they can never get an NSL to turn over information, but where are these servers? Who has the keys to the door of the server room?

So maybe they don't get the NSL, but the people/group/company that is handling the servers might. This seems disingenuous. I could be wrong, but it feels like they are making claims that will dupe people into their service because they feel safe.

frenger | 12 years ago
> So maybe they don't get the NSL, but the people/group/company that is handling the servers might. This seems disingenuous.

Well, they do say that explicitly, near the bottom. Hardly disingenuous.

gelatocar | 12 years ago
They do in fact mention that in the article:

> There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers.

MichaelGG | 12 years ago
The only real benefit I see here is that your IP won't be easily revealed. That is, given a fastmail account, the e.g. FBI cannot quickly get your login IP, like they can with e.g. Outlook or Gmail. So, for just low-level anti-surveillance, SSL to fastmail might suffice instead of using Tor with Gmail.

Unless you're using PGP or S/MIME, SMTP is still most often unencrypted.

rdl | 12 years ago
I think the assumption is that FBI has to obey the law to produce evidence for prosecutions. NSA doesn't, particularly vs. "foreign".
iSnow | 12 years ago
Since the Silk Road bust we know the US LE is able to convince or force colocation providers to provide them with an image of a server. After that, pretty much any communication can be considered open to the NSA. I am not surprised that he does not clearly mention this.

So FM should move their servers out of the US even if that's inconvenient.

robn_fastmail | 12 years ago
Actually we did clearly mention it:

> "Our colocation providers could be compelled to give physical access to our servers."

But in the very next paragraph:

> "These are not things we can protect against directly but again, we can make it extremely difficult for these things to occur by using strong encryption and careful systems monitoring. Were anything like this ever to happen we would be talking about it very publically. Such an action would not remain secret for long."

It's not hard for a skilled sysadmin to take an image of a running server. It's extremely difficult to do it without administrative access to the machine AND to do it without anyone noticing.
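The "careful systems monitoring" robn_fastmail relies on is the part a defender can actually build. As an added example (not FastMail's code, nor anything from the blog post), the block below shows one way a host could notice a live image being taken: it assumes hypothetical Linux auditd watch rules that record every read-open of the raw block devices, then scans audit records for such opens by programs outside an allow-list. The audit rules, the allow-list, the device names and the SYSCALL log lines are all constructed for this example; only the auditd record layout (`key=value` fields, `msg=audit(TIME:SERIAL)`, `auid` for the login uid) is real.

```python
import re

# Assumed (hypothetical) auditd watch rules for this example; each records any
# read-open of a raw block device, i.e. what a whole-disk image reads from.
AUDIT_RULES = [
    "-w /dev/sda -p r -k rawdisk",
    "-w /dev/md0 -p r -k rawdisk",
]

# Programs assumed to read raw devices legitimately on this host (SMART checks,
# RAID management). Anything else opening a whole device for reading is flagged.
EXPECTED_RAW_READERS = {"smartctl", "mdadm"}

# Constructed sample SYSCALL records in auditd's key=value layout (not real logs).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1380000000.101:41): arch=c000003e syscall=2 success=yes exit=3 '
    'ppid=900 pid=901 auid=1001 uid=0 euid=0 tty=pts0 comm="dd" exe="/usr/bin/dd" key="rawdisk"',
    'type=SYSCALL msg=audit(1380000000.102:42): arch=c000003e syscall=2 success=yes exit=3 '
    'ppid=1 pid=455 auid=4294967295 uid=0 euid=0 tty=(none) comm="smartctl" exe="/usr/sbin/smartctl" key="rawdisk"',
    'type=SYSCALL msg=audit(1380000000.103:43): arch=c000003e syscall=2 success=yes exit=4 '
    'ppid=2000 pid=2001 auid=1002 uid=1002 euid=1002 tty=pts1 comm="vim" exe="/usr/bin/vim" key="etcpasswd"',
    'type=SYSCALL msg=audit(1380000000.104:44): arch=c000003e syscall=257 success=yes exit=5 '
    'ppid=3000 pid=3001 auid=1003 uid=0 euid=0 tty=pts2 comm="nc" exe="/usr/bin/nc" key="rawdisk"',
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_audit_record(line):
    """Split one auditd record into a dict of its fields, quotes stripped.

    The msg=audit(TIME:SERIAL) prefix is also exposed as 'time' and 'serial'.
    """
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _MSG.search(line)
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec


def flag_raw_disk_reads(lines, expected=EXPECTED_RAW_READERS):
    """Return the records where a watched raw device was successfully opened
    for reading by a program outside the expected set.

    auid is the login uid that survives sudo/su, so it still names the human
    session when uid/euid are 0; 4294967295 means unset (a daemon, no login).
    """
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("key") != "rawdisk" or rec.get("success") != "yes":
            continue
        if rec.get("comm") in expected:
            continue
        hits.append({
            "serial": rec.get("serial"),
            "auid": rec.get("auid"),
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
            "tty": rec.get("tty"),
        })
    return hits


if __name__ == "__main__":
    for h in flag_raw_disk_reads(SAMPLE_AUDIT_LINES):
        print("raw device read by %(comm)s (%(exe)s) from auid=%(auid)s "
              "on %(tty)s, audit event %(serial)s" % h)
```

On a real host the same records come out of `ausearch -k rawdisk`, and the alert should go somewhere the machine's own administrator cannot silence (a remote syslog collector, a pager), since the scenario under discussion is exactly an operator with root who would rather not be seen. The check is a tripwire, not a guarantee: it sees opens of the device node, not a controller-level copy or a hypervisor snapshot, which is why the thread treats physical access as a separate class of risk.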
kryptiskt | 12 years ago
Silk Road wasn't hosted in the US, in the documents it says they got the server image from another country.
rplnt | 12 years ago
What we also know from that is that it doesn't really matter where your servers are physically located.
frank_boyd | 12 years ago
> our primary servers are located in the US

Why would you do that, especially when you're not even a US company?

robn_fastmail | 12 years ago
Because most of our customers are in the US. If your goal is to provide the fastest service around, it helps to put your servers near your users.
Maximal | 12 years ago
As Australia is a member of the five eyes group, I do not see any added protection from FM being incorporated there rather than in the USA.

This is why I use an email service in Norway (runbox.com), which, as far as I know, is not sharing information by default.

brongondwana | 12 years ago
The legal situation in Norway is... in flux at the moment. The Snowden revelations might stop information sharing from coming in, but Norway is looking like leapfrogging Australia pretty much with data retention (along with much of Europe):

http://theforeigner.no/pages/news/updated-parliament-passes-...

Norway isn't some magical safe haven from legal data requests. We receive law enforcement requests through the Norwegian system for mail.opera.com users (which, despite running on the same infrastructure, is operated under Norwegian law, not Australian - isn't life complex)

http://en.wikipedia.org/wiki/Telecommunications_data_retenti... tells a few interesting stories.

Australian law may indeed change, and we'll be compelled to update our policies to match. So far, we've avoided it.

http://www.smh.com.au/technology/technology-news/government-...

topbanana | 12 years ago
They don't need to seize the server. SMTP is plaintext and on a well known port number. I'm sure the NSA have a record of every email sent through the US in the last few years.
rdl | 12 years ago
As far as I know, Australian law is common law and would allow a judge to seal a warrant. So, fastmail's assertion that there is nothing like an NSL where they couldn't disclose a search is incorrect. I'm sure it is just lack of awareness, rather than intentional deception.

(Ianal, ianaa, but I am pretty sure I am correct on this point.)

jessaustin | 12 years ago
While some describe this as "frank", I think to have that quality TFA would need to specify where the decryption keys are stored. Are they in the USA colo's too? (I realize I could probably figure this out myself if I could be arsed to do so, but why not just tell us?)