
FastMail loses customers, faces calls to move over anti-encryption laws - qzervaas
https://www.itnews.com.au/news/fastmail-loses-customers-faces-calls-to-move-over-anti-encryption-laws-519783
======
Felz
If anyone's considering moving their email addresses over this, please take
the time to get your own custom domain to host email on. That way you can
switch providers more easily and actually own your email address.

As a shameless plug: Purelymail, the mail service I'm working on, could use
some more beta testers. It's (to my knowledge) the cheapest way to get email
on a custom domain right now.
[https://purelymail.com/](https://purelymail.com/)

~~~
brongondwana
As Fastmail, we also recommend that people get their own domain. Being able to
move is prudent regardless of how good any one host is! Own your own namespace
:) We would rather keep people because we're good, not because they're locked
in.

~~~
rswail
I really don't understand the criticism. Fastmail have said that they will
obey the law (all of it, not just this bit). The likelihood of them a) being
required to assist under this particular law, or b) being able to provide the
particular assistance required under this law, is minimal.

The mail is encrypted at rest to protect against illegal access, not legal
access. Fastmail are transparent on what they will or won't do. Where's the
problem?

I'd be more worried about a programmer working on the bowels of OpenSSL or
LibreSSL etc and being seconded by ASIO/ASIS/DSD than about companies.

I'm a long time (and very happy) fastmail customer and I have no problem with
their position. Not because "I've got nothing to hide", but because if I did,
I'd know not to use their service.

I deeply despise the telecommunications assistance act. I think it's badly
written and comes from an inherently uninformed and impractical idea that you
can legislate against people keeping secrets. I hope that the reviews in
Parliament right now, and, hopefully, the changes to be made under a new Labor
government, will remove a lot of the stupidity.

~~~
Spooky23
People built up unreasonable expectations about the security of the service,
and the legal changes attracted attention.

End of the day, if you have a scenario where a third party is the custodian of
your information, that custodian has control of it and will follow whatever
legal framework that they are obliged to follow.

------
anotherevan
Related: Mozilla may treat Aussie staff as 'insider threats' to code base

[https://www.itnews.com.au/news/mozilla-may-treat-aussie-staf...](https://www.itnews.com.au/news/mozilla-may-treat-aussie-staff-as-insider-threats-to-code-base-519793)

[https://news.ycombinator.com/item?id=19243630](https://news.ycombinator.com/item?id=19243630)

~~~
kkarakk
shouldn't all staff be treated as threats really? esp on projects with global
impact(and hence global interest in compromising)

~~~
Bartweiss
Given Yahoo's experience, yes.

The guy in charge of security and data access had a backbone and a reputation,
so when somebody wanted a backdoor they simply went around him and got other
people to hide it. (Which, of course, meant that the experts didn't review it
and the thing was insecure.) I don't think Mozilla is wrong to treat Aus staff
as a possible source for government privacy intrusion, but by that standard
they really ought to view US (et al) employees as risks too.

Of course, the Yahoo compromise was allegedly approved by Marissa Meyer and
corporate counsel. (Which suggests some ugly things about trusting behavior
_up_ the corporate ladder.) I guess that could mean Mozilla expects a US
intrusion to show up at the executive level, while an Australian intrusion
would be more likely to threaten random employees with legal consequences.

------
koenigdavidmj
The way you get this to end is by annoying the common people of Australia. The
Internet death penalty would be one way—have FAANG completely stop doing
business in Australia until this is repealed, and block Australians from their
services. No Facebook, no new copies of Windows, no new Macs, nothing that
runs on AWS. It’s a small enough country that it wouldn’t really be a dent in
their bottom lines. Congratulations, you just got most of a country to angrily
write their parliament-critters.

~~~
laurentl
> Congratulations, you just got most of a country to angrily write their
> parliament-critters.

Yes, and you also got every single other country in the world to take notice
and to wonder what would happen if the same happened to them... leading to ad
hoc legislation, actively looking for alternative providers, and a surge of
new, sometimes govt-backed competitors (you know, in the name of national
independence). Not to mention that all your existing competitors will start
yelling “we would _NEVER_ do that” at the top of their lungs.

The FANG may be as powerful as big nations, but even the biggest country
needs a _very_ good reason to declare war — and defending privacy isn't it.

~~~
hguhghuff
There’s no alternative providers.

Countries don’t have the power to dethrone FAANG.

~~~
laurentl
There may be no global, credible alternatives _now_. There would most
certainly be local, semi-credible alternatives gaining ground shortly after
such a move. If the biggest, most entrenched provider suddenly disappears...
well that’s going to give some ideas to a lot of people.

There are other search engines (maybe not as powerful as Google, but if you
don’t have a choice...). There are other e-commerce platforms, and there are a
shitload of cloud providers. There are other high-end phone and laptop
manufacturers. There may not be a credible FB alternative (but I’m not
shedding any tears over that). The only real crazy-hard-to-replace
infrastructure IMO is the App Store duopoly.

As another poster pointed out, there are countries (Russia, China) where
credible alternative providers evolved because FAANG were not allowed to enter
the market. In time, the same would happen if they were to leave a market.

------
vikingcaffiene
It's amazing to me that the people who write these laws are the least capable
of understanding their impact.

If I am reading FastMail's statement right, they have been forced to add
backdoors to their codebase and not been allowed to tell their team about it.
Only a lawmaker who has the technical acumen of say, my grandmother, would
decree something like that and think it was a good idea. Australia deserves
better than these clowns. Then again, I live in the US so...

~~~
brongondwana
We haven't been forced to add anything. The problem is that if the law says
that we __could__ be forced to add something and not allowed to tell our
customers, then there's no way for somebody to tell if we're telling the
truth.

We pride ourselves on telling the truth to our customers, and we're quite
clear that if we receive an Australian warrant for access to information about
one of our customers, then we respond. That's different from adding backdoors.

Our submission asks that the law be updated so we're allowed to talk about any
surveillance capabilities that we may be asked to add, but not about which
users are being surveilled. That way our customers know exactly what we are
capable of.

Right now we haven't received any capability requests (TCN) which is the bit
we're concerned about, because if they required us to add features to the
product without telling all staff about them, that would make it hard to
maintain and ensure security as things were refactored. And any staff who DID
know about it would have to be extra careful about what they say anywhere,
because they could inadvertently leak something about the capability.

We expect the law to be updated soon, and hopefully this will be addressed.
Until then - honestly, nothing has changed. We still operate under exactly the
same process - if we receive a warrant from Australian Federal Police we
respond. If we receive any other type of request, we point them to the AFP and
the mutual assistance treaties that are appropriate. But it's impossible for
you to verify that, because if something HAD changed, we'd have to lie - and
that's frustrating to us.

~~~
tomputer
I was wondering, with these new laws, did FastMail consider to operate
(partly) in other countries?

For example, if FastMail had servers in Amsterdam (NL), would it be possible to
let customers decide on which servers they want to host their mail, so that it
falls under the local (or EU) laws?

Thank you in advance for taking the time to reply here.

~~~
mercer
With the caveat that I'm far from an expert in this domain, as I understand it
FastMail would have to comply with the laws of the country they're based in,
as well as any country they'd have as customer or hosting provider.

I imagine the only solution is to move the entire company to another country,
but I'd very much like to hear from people who _do_ know what they're talking
about.

------
markstos
I'm a long time Fastmail customer and will consider moving over this. I would
prefer Fastmail moved their servers and place of business incorporation to an
encryption and privacy-friendly country.

~~~
accatyyc
Why? Fastmail always complied with warrants to get your data, so nothing
changes because of this law. If you want to hide something, encrypt your
e-mails before they reach Fastmail (and do the same regardless of the provider
you use; why trust anyone?)

~~~
jolmg
There is the change that warrants are apparently not needed anymore. The PDF
linked in the article says that there's now no judicial oversight over these
requests.

I haven't decided myself if I'll switch, but if I do, it's more of a matter of
principle. I just don't like how the world is becoming more authoritarian-like,
and I feel it will continue to move this way unless people demonstrate
their unwillingness to put up with such policies.

------
mrmondo
I’m sure Bron, Rob or Nigel will weigh in shortly. Fastmail is a damn fine
service, I now trust Australian internet privacy even less due to recent law
changes and this does concern me not just with Fastmail but as someone that
designs and hosts platforms for software the organisation I work with writes -
which is also in Australia.

~~~
goatsi
This is covered in the article.

>“Our particular service is not materially affected as we already respond to
warrants under the Telecommunications Act."

The new laws would apply to something like Whatsapp or Signal, which do not
have the ability to access the communications of users (thanks to end to end
encryption). Fastmail already has enough access that if a legal demand is
issued they can hand it over.

~~~
yarosv
I think the point is that with a backdoor you don't need the warrant, which
opens the possibility of abuse.

~~~
caf
FWIW, as currently legislated, the "backdoor" scheme still requires warrants
to be issued for data captured under it.

~~~
brongondwana
Yes, that. The law allows for requiring new backdoors to be requested up-front,
but still requires warrants to activate those backdoors for specific
requests, and it still doesn't give firehose access. It's not as awful as it's
made out to be by some, but it's still pretty ham-handed in some of its
implementation, and that's what we're proposing they look at changing.

------
BFLpL0QNek
It saddens me that, having been a Fastmail customer for 4 years, happy with the
pricing and happy with the service, as a temporary resident my only way to make
a stand about the laws is to move away from Australian service providers. I'll
likely start migrating mail shortly after purchasing a .dev domain.

If it weren't for my Australian partner I'd likely have left by now, as tech
work is limited here, severely behind places like London; it currently feels
like it'll be difficult to progress beyond where I am now within the AU. A lot
of it is also now dubious big data, i.e. what can we snoop on to sell you more
or sell the data collected for dubious purposes.

------
linux2647
Anyone know of a FastMail alternative? I was considering opening an account
with them, but after reading this, I am concerned with the privacy
implications, especially as I am trying to get off of Gmail.

~~~
PopeDotNinja
ProtonMail? It supposedly has encryption that prevents ProtonMail from reading
your email.

~~~
mirimir
If you believe that, yes. But that's not really novel. CounterMail had that a
decade ago. Tutanota does too.

Using Thunderbird plus Enigmail for GnuPG, I can use any email provider, and
be ~certain that they can't read my stuff.

~~~
askmike
> Using Thunderbird plus Enigmail for GnuPG, I can use any email provider, and
> be ~certain that they can't read my stuff.

Yes but no one can either :( In the last 5 years I received 2 encrypted
emails, and thousands of non encrypted emails. The problem with PGP is that
almost no one is using it.

Maybe the people you email with do use it though.

~~~
mirimir
As I understand it, ProtonMail basically uses PGP. It just does it in
Javascript or whatever.

But whatever. The ability to use GnuPG serves as a filter ;)

~~~
askmike
> As I understand it, ProtonMail basically uses PGP. It just does it in
> Javascript or whatever.

This means that while the private keys may be on your device now, at any point
in time they can update their frontend JavaScript code to get your private key
and read all your emails.

> The ability to use GnuPG serves as a filter ;)

Yes definitely, I wouldn't get any emails at all anymore. Works great for
Inbox Zero I guess.

~~~
mirimir
> This means that maybe now the private keys are on your device, at any point
> in time they can update their frontend javascript code to get your private
> key and read all your emails.

That's the risk. By default, the filesystem isn't accessible to Javascript.
But here, you've authorized key access for encryption and decryption. I
suppose that Thunderbird and Enigmail could be modified to do much the same.
But arguably that would be discovered quickly.

~~~
askmike
The difference is that Enigmail is maintained by an open source community,
Thunderbird by Mozilla. Also, the protocol your mail client uses to talk with
your email server (POP or IMAP) doesn't really support the flexibility to send
the keys over easily, as opposed to your client-side ProtonMail client managed
by JavaScript that can AJAX the keys to the mothership.

------
rbritton
I understand the concern over the law in general, but I don't agree with the
sentiments about email in particular. Email is not and should not be
considered completely secure, so if that is a need, something else should be
used. In my opinion, the Australian law does not make it any more insecure or
less private -- everything that could have been obtained via warrant prior to
the law's passage is the same data that is accessible with it. If that's a
concern, set up your email in a different jurisdiction.

I am currently a FastMail customer because I like the product, and this does
not make me think I need to move. Unless something else changes, I'll keep it
where it is.

~~~
hedora
No technology is completely secure. Email is particularly bad, but there’s a
huge gap between what a secured system would allow, and what one without
encryption at rest allows.

Without encryption at rest, you can grab all non-deleted emails for the entire
population in one go.

With due process and encryption at rest, the most authorities can do is get a
warrant to sniff smtp relays to selectively catch emails involving a single
user while they are in transit.

In practice, unless the target is an ongoing criminal operation, the latter
option is more difficult and less likely to succeed than other investigative
options, so the fact that it’s possible is nearly a moot point for law abiding
citizens.

------
fvgs
"We won't release any data without the required legal authorisation from an
Australian court. As an Australian company, we do not respond to US court
orders." [1]

[1]
[https://www.fastmail.com/help/ourservice/security.html](https://www.fastmail.com/help/ourservice/security.html)

~~~
qbaqbaqba
But legal systems cooperate. Ask Kim dot Com.

------
password4321
I was surprised to learn last month that "you can impersonate other Fastmail
customers by just spoofing the email address".

[https://news.ycombinator.com/item?id=18996200#18997054](https://news.ycombinator.com/item?id=18996200#18997054)

------
dade_
Yes they are. I decided to leave O365 business and was ready to switch to
FastMail when this law was passed. I decided to keep looking and found German
mailbox.org and chose them instead. So far so good.

------
turok
I'm currently in Western Europe waiting for the delivery of forms to cancel my
Australian business number; this law has destroyed industry confidence in the
Australian government for customers and service providers.

Even if rolled back, the political and social environment that spawned it
remains, and committing to development resources in Australia now is a fool's
errand if you have any alternative.

------
webmobdev
Not surprised - I dumped Fastmail when Australia passed a lot of intrusive and
anti-privacy laws, and because it is part of the Five Eyes program.

------
mescalito
If I may, I want to share my recent pleasant experience with MailU [1]. I am
in no way related to them, but it worked very nicely, it wasn't difficult to
set up, and it sorts out a lot of things that have always been a pain for me
when setting up my own mail server.

[1]: [https://mailu.io/](https://mailu.io/)

------
LinuxBender
I put a few domains on FastMail for family members to avoid using Google and
also avoid using my fascist BOFH mail servers.

They know that if anything is sensitive, they and their friends will need to
pgp or 7-zip encrypt the payload. I will gladly continue to use Fastmail if
that is the only way to keep people I care about from staying logged into
Google.

------
rawmodz
Gee, it's almost like the political grubs had absolutely no idea about
encryption and how it works, and how it will be virtually impossible to
implement these stupid laws. Who would have thought that's the case? So very
disappointed in all politicians at the moment; in my opinion, they're all
scumbags.

------
aboutruby
Also I learned recently that Australia's internet is getting more censored
every year:
[https://en.wikipedia.org/wiki/Internet_censorship_in_Austral...](https://en.wikipedia.org/wiki/Internet_censorship_in_Australia)

------
lettergram
When I saw the most recent privacy-stripping law pass (maybe 3 months ago?),
it pushed me to move everything to my own custom domain. I also signed up with
ProtonMail and have started the migration.

I’m not the only one, people I know who have used FastMail for years have
decided to jump ship.

------
lysp
Here is FastMail's response to the Government inquiry.

[https://www.aph.gov.au/DocumentStore.ashx?id=ec39b475-9559-4...](https://www.aph.gov.au/DocumentStore.ashx?id=ec39b475-9559-4fa4-94ca-d45294534200&subId=666615) [pdf]

------
Ixiaus
I am a happy FastMail customer. The service is great, it is indeed fast and
they're a small company devoted to doing email and serving their customers.

I don't plan on leaving FastMail.

------
pmoriarty
So what's a good alternative to FastMail?

~~~
rishav_sharan
Protonmail is great in terms of feature/security balance. Personally, I like
using mail.disroot.org

~~~
fvargas
Protonmail has also given in and paid out thousands* to criminals who DDoS
their systems, no?

*In my original post I mistakenly wrote "millions"

~~~
tonyztan
(Note: The parent comment claimed that ProtonMail paid "millions" in ransom.
It appears to have been edited to say "thousands" now.)

I am not affiliated with ProtonMail, but the answer is no. ProtonMail has paid
a ransom exactly once, back in 2015 when it was just launched and suffered a
DDOS attack that caused a lot of collateral damage to third parties, who
pressured ProtonMail to pay the ransom.

ProtonMail has since committed to "never pay another ransom" and invested in
advanced DDOS mitigation capabilities, including by becoming its own ISP.

Sources:

[https://protonmail.com/blog/protonmail-ddos-attacks/](https://protonmail.com/blog/protonmail-ddos-attacks/)

[https://protonmail.com/support/knowledge-base/email-ddos-pro...](https://protonmail.com/support/knowledge-base/email-ddos-protection/)

------
fvargas
> Your 1-year Standard subscription expires on Sunday, February 24, 2019.

Good timing?

