
Confidentiality at FastMail - brongondwana
http://blog.fastmail.com/2014/12/15/security-confidentiality/
======
sgentle
In security it doesn't make sense to ask "is it compromised?" but rather "can
it be compromised?"

For that reason, I don't think "we don’t participate in blanket surveillance"
and equivalent statements are even worth the pixels they take up on your
screen. It may as well say "our security is endorsed by His Holiness The Dalai
Lama"

The Australian government has the power under the recently passed National
Security Legislation Amendment [0] to issue a secret warrant compelling access
to any number of computers or networks for anything that will "assist" in
"obtaining intelligence related to security". The warrant allows surveillance,
as well as "addition, deletion or alteration of data". Disclosing that
warrant's existence is punishable by up to 10 years in jail. This is without
even considering the reciprocal spying possibilities of the Five Eyes network.

There is no equivalent in Australia to the US fourth amendment. Even illegally
gathered evidence can be used in a trial depending on the discretion of the
judge. [1]

If you think "we don't participate in blanket surveillance" is an acceptable
response to that legal reality, I ask you to consider what you would think of
a company that, when asked if they store passwords in cleartext, responds "yes,
but we don't look at them."

[0] http://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/s969_first-senate/toc_pdf/1417820.pdf;fileType=application%2Fpdf

[1] http://scholarship.law.wm.edu/cgi/viewcontent.cgi?article=1245&context=facpubs

~~~
kaffee
This is exactly the right perspective. If the US has secret warrants in the
form of NSL (National Security Letters) or similar, it's easy to imagine
Australia having precisely the same thing. I've enjoyed being a user of
fastmail for some time but I'll be switching to one of the new projects (e.g.,
LEAP) or self-hosting in the future.

~~~
vog
_> I'll be switching to [...] or self-hosting in the future_

I can really recommend self-hosted email. This is not as hard as it sounds. Of
course, you should have the following abilities:

1) find some good documentation (or friend) that explains a clean setup with
spam filter, correct DNS/SPF and HELO entries, such that you don't get on the
blacklists. Note that this is almost a one-time effort; you'll have to adjust
things every 5-10 years, I guess. [1]

2) be able to administrate a Linux/BSD machine, i.e. to keep it simple and
up-to-date in the long term.

I really hope that Tuxevara will finish his series about a modern email setup.
This is his first part:

http://www.tuxevara.de/2014/11/mailserver-reloaded-step-1/

[1] For example, I had to add SPF entries since my mailserver also had an IPv6
address, otherwise Google and others blocked me - for understandable reasons.
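
The footnote above (a record that only covered IPv4 while the server also sent over IPv6) and the monitoring question that follows are the kind of thing a self-hoster can check mechanically. The following is an added example, not code from the thread or from any of the projects mentioned: a minimal SPF evaluator (the ip4, ip6, a, mx, include and all mechanisms with their qualifiers) plus a self-test that reports every outbound address of your own MTA that would not get a "pass". DNS is replaced by a constructed in-memory table so the script runs offline; the domain names, addresses and the MX host without an AAAA record are all constructed, and a real check would resolve the names with a DNS library instead.

```python
"""Minimal SPF (RFC 7208 subset) evaluator run against constructed DNS data."""
import ipaddress

# Constructed stand-in for DNS (not real zones): name -> record type -> values.
# A real check would resolve these names with a DNS library such as dnspython.
FAKE_DNS = {
    # Broken record: only the IPv4 range is authorised, so mail sent over IPv6 fails.
    "example.net": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 -all"],
        "MX": ["mail.example.net"],
    },
    # Corrected record: the server's IPv6 prefix is listed as well.
    "fixed.example.net": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
        "MX": ["mail.example.net"],
    },
    # The MX host has no AAAA record published, so "mx" never matches an IPv6 sender.
    "mail.example.net": {"A": ["203.0.113.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed records of one type for a name (empty if none)."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def host_addrs(name):
    """All A and AAAA addresses of a host, as ipaddress objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns (result, term): result is pass, fail, softfail, neutral, none (no
    record) or permerror (unusable record); term is the mechanism that decided.
    """
    if depth > 10:  # guard against include loops (RFC 7208 limits lookups to 10)
        return "permerror", "include nesting too deep"
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none", "no spf record"
    if len(records) > 1:  # two records is a permanent error, not "both apply"
        return "permerror", "multiple spf records"
    for raw in records[0].split()[1:]:
        qual, term = "+", raw
        if raw[0] in QUALIFIERS:
            qual, term = raw[0], raw[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", raw
            matched = ip in net  # False when address and network families differ
        elif mech == "a":
            matched = ip in host_addrs(arg or domain)
        elif mech == "mx":
            matched = any(ip in host_addrs(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            sub, _ = check_spf(arg, sender_ip, depth + 1)
            if sub in ("permerror", "none"):
                return "permerror", raw
            matched = sub == "pass"
        else:  # ptr, exists, redirect=, exp= and macros are not handled here
            return "permerror", raw
        if matched:
            return QUALIFIERS[qual], raw
    return "neutral", "no mechanism matched"


def self_test(domain, outbound_ips):
    """Monitoring-style check: every address the MTA sends from must get "pass".

    Returns {address: (result, term)} for the addresses that do not, so an
    empty dict means the record covers all of them.
    """
    failures = {}
    for addr in outbound_ips:
        result = check_spf(domain, addr)
        if result[0] != "pass":
            failures[addr] = result
    return failures


if __name__ == "__main__":
    ours = ["203.0.113.25", "2001:db8:1::25"]  # constructed outbound addresses
    for dom in ("example.net", "fixed.example.net"):
        print(dom, "->", self_test(dom, ours) or "all outbound addresses pass")
```

Run from cron against the addresses your MTA actually binds for outbound delivery and alert whenever `self_test` returns anything; with the broken record above it flags the IPv6 address with `("fail", "-all")`, which is exactly the rejection the footnote describes, and the corrected record returns an empty dict.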

~~~
goblin89
> I can really recommend self-hosted email. This is not as hard as it sounds.

For me the biggest hurdle is absolutely not the manual setup process or the
need to adjust things from time to time. Rather, it’s the fact that there
doesn’t seem to be a simple, quick and reliable way to tell if my setup
actually works.

How can I be sure that my email actually reaches its destination? That there’s
no error in my DNS entries? That an obscure email service used by one of my
clients doesn’t whitelist only major email providers? Can I be sure that
things fail loudly when they don’t work?

I really hope I’m wrong and it’s possible to implement some kind of monitoring
that tests my self-hosted setup and alerts me by SMS if something’s wrong with
it.

~~~
vog
_> That an obscure email service used by one of my clients doesn’t whitelist
only major email providers? Can I be sure that things fail loudly when they
don’t work?_

These are simply symptoms of FUD. Using that line of argument, you'll always
end up with the biggest players, even though there is no technical reason to
do so.

_> to implement some kind of monitoring that tests my self-hosted setup and
alerts me by SMS_

On the other hand, how would you check that $BIGPLAYER's mail setup works with
any other email service? You can't. Could you blame anybody at $BIGPLAYER? In
a free service: No.

So why would you want to put a much higher standard on your own setup than on
$BIGPLAYER's setup? Just to be able to say: "Oh no, available technology is
not good enough, I'm staying with $BIGPLAYER."

This doesn't make any sense to me.

~~~
goblin89
Obviously I trust $BIGPLAYER's setup. To name a few reasons: 1) their large
user base makes it simply more probable that a given bug will be discovered by
someone other than me; 2) they have a dedicated team with more experience and
resources to spend on testing and fixing bugs; 3) their setup has been working
for me for many years now.

------
na85
> We follow due process when dealing with law enforcement, providing individual
> data in response to the appropriate Australian warrant, so there is no
> justification to attempt wholesale surveillance of all our users.

Except if Fastmail can decrypt user's data, then they can be compelled to
backdoor their system, and also compelled to keep it quiet. Australia is part
of the "5 eyes", after all, and from an outsider perspective their government
seems particularly hostile/authoritarian.

Failing that legal avenue, would Australia's intelligence services refuse to
simply hack their way into Fastmail's servers if the NSA asked them to? Would
the NSA refuse to just do it themselves, if it came to that? Surely not.

The president (or whomever) of NYI would certainly not refuse entry to federal
agents wanting to install an implant. NYI just has to report an outage,
meanwhile Fastmail's servers have grown a new rootkit. And failing _that_,
then it's time to bribe a security guard in the middle of the night.

To me this reads as nothing more than Fastmail trying to provide a false sense
of security.

~~~
rayiner
> Except if Fastmail can decrypt user's data, then they can be compelled to
> backdoor their system, and also compelled to keep it quiet. Australia is
> part of the "5 eyes", after all, and from an outsider perspective their
> government seems particularly hostile/authoritarian.

If you don't expect the government to follow any rules, then most of these
discussions are moot. But what we've been seeing with the Snowden leaks is
that the governments are at least attempting to walk the tightrope of
legality. Here in the U.S., that means having at least plausible procedures to
filter out non-foreigner communications, and going through legal processes
like subpoenas instead of simply breaking into computer systems.

These facts have practical concerns. Unless you hypothesize that the U.S. and
Australia are putting citizens in prison using secret courts, the government
still has to present evidence in a court proceeding, and that has to comport
with the 4th amendment in the U.S., and whatever the equivalent is in
Australia.

The law in this area is rapidly evolving, but in my opinion as someone with
both a legal and technical background, encryption like what Fastmail has gives
4th amendment arguments a lot more teeth. When your data is in an e-mail
service that's readily accessible to the service provider, or even data-mined
for advertising purposes, it's susceptible to the charge that it's not private
information, because after all you're allowing someone else to rummage through
it. But if there are protections in place, even if they can be circumvented if
needed, that's different. Now you're talking about something that's more like
a safe deposit box at a bank or a rented storage unit, which do have 4th
amendment protection. They're locked, and only the owner accesses what's
inside as a matter of course. The lock can be broken, in an emergency, but
that doesn't change the fact that the owner of the facility does not access
the contents as a matter of course.

~~~
sinak
> Unless you hypothesize that the U.S. and Australia are putting citizens in
> prison using secret courts, the government still has to present evidence in
> a court proceeding, and that has to comport with the 4th amendment in the
> U.S., and whatever the equivalent is in Australia.

rayiner, how about the reports of "parallel construction" by the NSA? While
it's true that the government still has to present evidence in a court,
according to recent reports [1] the NSA "tips off" organizations like the DEA.

[1] http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/05/the-nsa-is-giving-your-phone-records-to-the-dea-and-the-dea-is-covering-it-up/

------
moe
_We have spelled out in our privacy policy and public communications that we
don’t participate in blanket surveillance. We are an Australian company, and
to participate in such programs would be in violation of Australian law._

Are you really this naive?

Australia is a member of Five Eyes[1]. Your local laws don't apply to
intelligence agencies.

[1] http://en.wikipedia.org/wiki/Five_Eyes

~~~
robn_fastmail
You've completely misunderstood the line you quote. FastMail as a company do
not participate in blanket surveillance. We can't control the actions of any
one else, governments or otherwise.

~~~
moe
You say "FastMail as a company do not participate in blanket surveillance".
And then, _in your next sentence_, you admit that this is actually not under
your control.

Why do you keep trying to make it sound as if FastMail had a choice in the
matter even though you know that it doesn't?

~~~
robn_fastmail
I said governments and other third-party actors are not under our control. I
never ever said that FastMail was not under our control.

We do not participate in blanket surveillance.

I am not sure how to make it any clearer than that. Perhaps you could tell me
what you'd like us to say, and then I can tell you whether or not that's
something we agree with?

~~~
moe
_Perhaps you could tell me what you'd like us to say_

I'd just like you to not use phrases like "We do not participate in blanket
surveillance" in your marketing. It's dishonest and misleading. It's an empty
promise.

FastMail _will_ participate in blanket surveillance if and when the right
papers are served to you.

And what then? Will you, personally, risk your ass to tell us the bad news,
even if you are under gag order?

~~~
robn_fastmail
Our current advice is that we are bound by the provisions of the Privacy Act
1988 and the Telecommunications (Interception and Access) Act 1979. Neither of
these contain provisions that would allow indiscriminate capture of
communications. You can read more about how we understand and apply this in
our privacy policy:

https://www.fastmail.com/help/legal/privacy.html

If you're talking about the proposed amendments to the TIA Act that are
currently before Parliament, then I can't really offer you much, since the
bills have not been passed, and if they are passed, what's before Parliament
might not be the final text.

So given that there is no legal means by which we can be asked to participate
in blanket surveillance, it is entirely accurate to say that we do not.

If the legal situation changes then naturally we will make any necessary
changes to our privacy policy and inform our customers of this.

If you're looking for us to commit to never ever doing something even if the
law changes in the future to make that thing a requirement, then I'm afraid
you're out of luck. But I hope you also see that that would be a rather silly
commitment to make given its entirely hypothetical nature.

------
artichokeheart
The whole protection under Australian law is a nice marketing spin. But that's
all it is: https://www.eff.org/deeplinks/2014/09/australian-government-scrambles-authorize-mass-surveillance

------
sandstrom
I wish they would set up servers in another country, say Iceland (since they
have some there already).

Also, I'm thinking that Australia may not be an ideal jurisdiction if you want
to run an email company that cares about privacy. The offering will never get
any better than the worst of national laws [weakest link argument].

https://www.eff.org/deeplinks/2014/09/australian-government-scrambles-authorize-mass-surveillance

http://theconversation.com/sweeping-security-law-would-have-computer-users-surrender-privacy-30041

~~~
alfiedotwtf
Why do you think Iceland is safe from government access (even safe from the US
government)?

http://www.theverge.com/2013/10/14/4836994/dont-host-your-virtual-illegal-drug-bazaar-in-iceland-silk-road

~~~
sandstrom
That may be a valid point, I'm not that familiar with Iceland.

My hunch though, is that they'll probably cooperate in criminal cases, but
that it will go through some judge. Also, I think there is much lower risk of
dragnet surveillance or secret court orders.

------
jpsim
> We recently had respected independent security firm Matasano do a security
> audit

Strangely, they don't mention the results of this audit, which struck me as
odd, but then I found this:

> Our most recent security audit, conducted by Matasano in October 2014, found
> no significant issues. (Source[0])

I just thought I'd share in case anyone else was wondering.

[0] https://www.fastmail.com/help/ourservice/security.html?domain=fastmail.fm

~~~
brongondwana
Yeah, I figured that was kinda self evident. We wouldn't leave any security
holes open. I guess I can edit the blog post to clarify this without changing
the meaning any.

~~~
breakingcups
I'm curious about the insignificant issues.

~~~
brongondwana
Things like insecure SSL options (we knew that, but wanted to support older
devices for a little longer - we've bitten the bullet and switched to SHA256
certs now, and turned off RC4)

They recommended a bcrypt hashing factor which isn't realistic for fast
responses, it would have pegged a core for over a second.

A few things that were just testbed specific, and a couple of rate limits we
had missed.

Some "internal details leaked in errors" - in two minds about that. Sometimes
it helps debug. We mostly log the verbose error internally now and give the
user a unique key that makes log grepping easy. Harder to self-help if you hit
an error we didn't make a nice error code for yet though and you have tech
clue.
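
The pattern described in the last paragraph, keeping the verbose error in the internal log and handing the user an opaque reference key that makes the log entry easy to grep for, is worth seeing in code. The block below is an added example written for this page; it is not FastMail's code and makes no claim about how their service is built. The application exceptions (`QuotaExceeded`, `MailboxLocked`), the request handlers and the failing path in the error message are all constructed, and the in-memory log handler stands in for a real log pipeline so the example runs offline.

```python
"""Error handling that logs full detail internally and gives the user a reference key."""
import logging
import secrets
import traceback


class MemoryLogHandler(logging.Handler):
    """Constructed log sink for the example; a real service writes to its log pipeline."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False  # keep the example from also printing via the root logger
sink = MemoryLogHandler()
sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(sink)


# Hypothetical application failures that already have a user-facing error code.
class QuotaExceeded(Exception):
    pass


class MailboxLocked(Exception):
    pass


KNOWN_ERRORS = {
    QuotaExceeded: ("E_QUOTA", "Mailbox quota exceeded"),
    MailboxLocked: ("E_LOCKED", "Mailbox is temporarily locked; try again later"),
}


def handle(handler, *args):
    """Run a request handler and shape its failure for the user.

    Known failures map to a stable code and message the user can act on.
    Anything else is logged in full (exception and traceback) under a random
    reference key, and the user sees only a generic message plus that key.
    """
    try:
        return {"ok": True, "result": handler(*args)}
    except Exception as exc:
        for cls, (code, message) in KNOWN_ERRORS.items():
            if isinstance(exc, cls):
                return {"ok": False, "code": code, "message": message}
        ref = secrets.token_hex(8)  # 16 hex chars: unguessable and unique enough to grep
        log.error("ref=%s handler=%s exc=%r\n%s", ref,
                  getattr(handler, "__name__", "?"), exc, traceback.format_exc())
        return {
            "ok": False,
            "code": "E_INTERNAL",
            "message": f"Something went wrong; quote reference {ref} when asking for help",
            "ref": ref,
        }


def grep_log(ref):
    """What support does with the key the user quotes: pull the matching records."""
    return [r for r in sink.records if f"ref={ref}" in r]


# Constructed handlers used to exercise the two paths.
def open_mailbox(user):
    # The message carries an internal path that must not reach the user.
    raise OSError(f"cannot open /var/imap/user/{user}/cyrus.index: permission denied")


def deliver(user, size, quota=1000):
    if size > quota:
        raise QuotaExceeded(user)
    return f"delivered {size} bytes to {user}"


if __name__ == "__main__":
    resp = handle(open_mailbox, "alice")
    print("user sees:", resp)
    print("support greps:", grep_log(resp["ref"]))
    print("known error:", handle(deliver, "alice", 5000))
```

The trade-off the comment mentions is visible here: the user gets nothing to diagnose an unknown error from on their own, only a key, and the detail is recoverable solely by whoever can read the log. Each new error you learn to recognise moves from the generic path into `KNOWN_ERRORS`, which is the "nice error code" the comment refers to.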

------
Derbasti
Basically, you need to use an email provider in your own country. Each country
(hopefully) has laws to protect the privacy of its citizens. Such laws usually
don't extend to non-citizens.

Either that, or encrypt everything you do.

~~~
danieldk
False. The safe harbor agreement between the US and the EU also gives EU
citizens rights:

http://europa.eu/rapid/press-release_SPEECH-14-27_en.htm

So, ironically, it may be safer to store your data with a US company than an
Australian company. Also, the EU believes (see linked page) that the NSA
dragnet may be a violation of the safe harbor agreement.

~~~
junto
Correction - Wouldn't it be better as an EU citizen to store your data with an
EU provider (i.e. a non-NSA partner)?

The safe harbor agreement has been demonstrated to be patently false. The data
wasn't ever safe. Every major US tech company has participated either
willingly or forced through secret courts under threat of prison for
non-compliance by individual employees. That's not 'safe'.

It's a joke. It's a kangaroo court. It's non-democratic. It's anti-privacy.
It's a conflict of EU basic human rights. I could go on.

The EU has a responsibility to prevent EU citizens' data from leaving the EU,
period. I hope they see it through and the safe harbor agreement is the first
thing I'd rip up and throw in the face of whichever kangaroo US President
you have now or next time.

Then Microsoft need to win their upcoming court case against the USG, which
will demonstrate clearly to everyone that the USG cannot open the electronic
equivalent of a private sealed letter stored in a bank safe in Ireland,
because they damn well feel like it.

The US constitution needs another amendment to protect the privacy rights of
all, regardless of whether they are US citizens or not. It is time the
citizens of the US started pushing for it. These three letter agencies with
their massive black budgets funded by narcotics are your mess and it is time
you sorted them out.

I'll leave this here:
[http://en.wikipedia.org/wiki/Buridan%27s_ass](http://en.wikipedia.org/wiki/Buridan%27s_ass)

------
johnpowell
Isn't it just common sense to assume email is in no way secure?

If the government wants it they will torture you in Egypt to get all your keys
and so on.

I personally use fastmail but that is because I don't want google tying my
email to browsing. I am pretty sure that if the NSA wants my stuff they will
strap some 120V to Rob Mueller's testicles in a cave.

~~~
robn_fastmail
Nah. If they want your stuff, they'd work through the appropriate Mutual
Assistance Treaty to get an Australian court to issue a warrant, and then we'd
comply with it and hand over your mail because we follow the law.

Making a phone call is way easier and cheaper than giving RobM a free
Mediterranean holiday :)

------
brohoolio
Fastmail is a great company. We worked with them when we were a cyrus mail
shop.

------
hso1
All this goes away when we exchange messages with other providers (eg: Gmail).

------
patronagezero
Don't play this game unless you're not really interested in full
confidentiality. Some people are willing to increase security to the point of
protecting their financial interests without concerning themselves with
security against nation-states. I think the future, if not the history as we
already know it, will prove this to be foolish.

