As a shameless plug: Purelymail, the mail service I'm working on, could use some more beta testers. It's (to my knowledge) the cheapest way to get email on a custom domain right now.
The mail is encrypted at rest to protect against illegal access, not legal access. Fastmail are transparent on what they will or won't do. Where's the problem?
I'd be more worried about a programmer working on the bowels of OpenSSL or LibreSSL etc and being seconded by ASIO/ASIS/DSD than about companies.
I'm a long time (and very happy) fastmail customer and I have no problem with their position. Not because "I've got nothing to hide", but because if I did, I'd know not to use their service.
I deeply despise the telecommunications assistance act. I think it's badly written and comes from an inherently uninformed and impractical idea that you can legislate against people keeping secrets. I hope that the reviews in Parliament right now, and, hopefully, the changes to be made under a new Labor government, will remove a lot of the stupidity.
We've seen at least the US government have some fairly expansive requests in order to track down one single person, and they never delete the data once they obtain it. So a copy of those records will forever be outside of your control, potentially without you ever knowing it.
End of the day, if you have a scenario where a third party is the custodian of your information, that custodian has control of it and will follow whatever legal framework that they are obliged to follow.
We are on a grandfathered plan now and are putting off upgrading to a current plan as long as possible because it's a huge price jump to start paying for my kids to have 25 GB of storage which they are barely using.
As others have said, your pricing is unpredictable and hard to compute. As I’m evaluating you with competitors, I’m not going to invest the time. In my experience, when a company makes it hard to know what you’re actually going to end up paying, you usually end up paying more than you want (see: Verizon).
From a business perspective, it seems to me your value proposition is that you are striving to be the cheapest email provider. I think you should consider the kind of customer this attracts. The sort of person who thinks a few dollars a month per email address is too expensive is going to be high maintenance. If you want this to be sustainable, I think you need a different angle. Consider that all these other email providers basically charge around the same amount. That isn’t an accident. I don’t know the email business, but I assume it needs a certain margin to actually be sustainable and these guys have landed in the right ballpark.
If you’re looking for business customers, then your pricing is basically rounding error compared to the other guys. It’s not materially different enough to matter for a business of any reasonable size to be worth having as a customer. In fact, the lack of predictability is a major deterrent. Businesses need to create budgets and every variable cost adds to the complexity of the forecast.
I have to disagree with this. Any email service that costs several dollars per mailbox per month is way too expensive for most people who tend to have more than a few email addresses, including shared ones. In many cases these may not be conducive to be trimmed down using aliases.
Take a look at Posteo.de, mailbox.org and Runbox.com. All of them are highly privacy focused, have been around for several years, and also provide email for a low price. With prices of hardware going down, even those prices sometimes look high when you see the storage quotas, the low number of aliases (except Runbox), etc. (I concede that hardware is just one part of the solution, but see what Migadu.com says on that front).
Setting up a family of users even on Fastmail’s lowest tier (without own domain support) would soon become quite expensive, not to mention the standard plan.
Side note: Posteo does not allow own domains (you can only choose from the list of Posteo.* domains that the company owns). The reason for that is mentioned in their FAQ (in short, the company doesn’t want to have or store customer identifying information wherever possible).
When you ask them about it they will lie and tell you that it's not technically possible.
Most people have no idea what a MX record is and that other providers support own domains, so they fall for it.
Obviously they depend on customer retention by customer lockin.
I hate people who directly lie like that for their monetary benefit. So I would never go anywhere near them.
> We do not offer domain services because we do not save any personal data for any of our services. This is not possible with domains.
> Domains must be registered to a person’s name and address. As a provider, we would be required to store inventory data for all customers that use their own domains with us. As a result, we would have to provide this information to government agencies when requested.
> Additionally, security reasons also play a role in this decision. With customer domains, the owner of the domain is responsible for setting up security features like DNSSEC (and as a result also DANE). Even things such as SPF and other protocols for delivery would lie in the customer’s hand and could not be guaranteed by us.
> Because of these reasons we have decided not to offer domain services and instead to remain consistent with our focus on data economy.
See, that's just half-truths that amount to lies.
They claim they need to store personal information about you when you're using your personal domain.
That's untrue. Only if you registered the domain with them they would need to know about you.
It's also untrue, because unlike .de, many other TLDs don't require full names and addresses in WHOIS, or there are "privacy shield" services like the one nearlyfreespeech.net is operating.
Also untrue (although it's a reasonable business decision that they don't want to handle customers calling their support with the customer's own domain set up problems).
I continue to claim that there is exactly one reason they are refusing: A customer with a *@posteo.de address will pretty much never leave.
I wouldn't mind very much if they admitted that, it's certainly a geeky niche to serve, but this security-and-privacy bullshit really makes me mad.
Do you want to trust your privacy with a company that's lying, even if you wanted to argue that it's a white lie?
Interesting - which products has this been an issue for? I'm on the same grandfathered GSuite deal and used to have this problem, but haven't in a while.
Even I'm put off by being charged based on the number of emails I receive - why should I pay extra if I get a lot of spam that should be caught by the spam filter?
You have up to 6 different types of fees you're going to charge and no easy way for me to figure out what my numbers would end up looking like (Your $7.72 amount means nothing to me since I have no easy way to compare your estimates vs my usage).
So we are looking at 14 + 4 + 1 = $19 before you even send/receive emails.
I just did a quick look and it looks like I receive around 6000-7000 email a year. Most of it is advertising and notifications (that doesn't count SPAM emails which are countless and I hope you don't charge for). That's an extra 1.4 bucks.
I send around a thousand emails a year. That might seem much but it is actually very low. It is only 3 emails per day and you can do much more if you use email for personal and work. That's an extra 4 bucks.
So total is $24.4 assuming you stop your billing there. That's half of FastMail's offering for a beta product which from the looks of it offers no interface.
I might come off as rude but I think you need to remove the pay-as-you-go billing and just bill something reasonable for a whole year. Plus offer something more than "Just Email"; like have a differentiating feature like security or privacy.
You're right that I need to add more value. My planned direction is more along the lines of utility than security/privacy, which I think Protonmail covers pretty well. There's a lot of interesting value-add to be done in email.
The pricing is more that we offer honest pay-as-you-go pricing, with caps to make sure you don't actually get a ruinous charge, in direct contrast to "billing something reasonable for a whole year". If you'd rather do the former, then yeah! You're really well covered in the email space already. But I think people are getting subscription fatigue, where every service imaginable wants its $5/month cut of the pie.
I'll sign up to your service shortly; it would be very economical with my current usage!
Except the users who already are storing 25GB of mail?
I have ten years of mail on FM. Even with multiple years of multiple heavy mailing lists, sending and receiving photos, etc., I'm at about 4.2GB.
- Offer a calculator so that people can estimate their own cost. A small improvement, probably not significant impact.
- Offer a customer to enter their current IMAP creds, give an accurate estimate based on past usage. A big improvement, but which would require significant trust from the prospective client. Hard sell.
- Offer a guarantee of some kind. "If you don't come off cheaper with Purely, we'll make up for the difference". Reassuring, but increases your risk.
- Up the price of storage, and eliminate the price of traffic. Storage is probably an imperfect but adequate proxy for total usage price, given that the pattern nowadays is to archive rather than delete (non-spam) email.
A huge majority of users use free webmail providers, and the biggest players in that space all allow Oauth access to email. Oauth can be scoped down to just the access you need, whereas if you give out IMAP creds those can be used to wipe somebody's email account.
Also, at least in Gmail's setup, the IMAP password seems to be your "Gmail password", which is the same thing as your Google account password. Don't ask for this. You don't want to have these passwords enter your company's infrastructure.
I actually just checked the storage price, and I notice that at some point I added a $2/10,000 charge to the equation, which is almost all of the charge price. I'm going to remove that tomorrow, since it was probably just paranoia and not actual cost plus margin.
But I still don't think your offer is reasonable. I consume around 600mb of storage, so if you go above 25gb you'll probably get a 20-30usd bill from the send/receive billing.
> But I think people are getting subscription fatigue, where every service imaginable wants its $5/month cut of the pie.
Exactly, so your solution is to complicate the billing process?
Here is a better deal:
- $xx/year fix
- $0.xx/year for storage
No other fees. Sending/Receive emails should not add to your overhead that much (unless the user is abusing).
You're right that sending/receiving don't add to overhead much. The receipt is actually way overinflated right now, and should be down to a more reasonable number tomorrow (about $0.03/1000). I might just waive it completely if it complicates things too much.
Sending is much harder, because I need to deter spammers. I priced it significantly above Mailchimp's price for that reason. But the cost will definitely go down as my ability to detect and ban spammers improves, and we'll likely end up pretty much with a scheme like you're proposing.
Firstly, as others have stated, your pricing is way too complicated for anyone to understand and figure out how much they would be charged. It would be better to make some assumptions and go with pricing based on account, aliases, storage, etc. Your current pricing is almost like one of those cloud service pricing calculators. Very nice in theory for paying based on usage, but practically next to impossible to make any sort of cost estimates on.
On pricing, also compare with mailbox.org.
I did look at mailbox.org. It's about double for their lowest monthly plan, which is reasonable.
Where I hope Purelymail will shine is that it scales a lot more naturally (once you hit mailbox.org's 2 GB cap, you upgrade to a plan that's 2.5x more expensive), it enables use cases that'd get you frowny faces from other providers (because we charge appropriately), and there's no surcharge for things that don't actually cost more.
Want a dozen usernames? Sure, whatever. Need a hundred users? Sure. Store 2 TB of mail for some reason? We've got you covered.
The downside, as you point out, is that the pricing gets a bit scary and I need to work on making it feel safer.
Maybe a good idea would be posting a simple online calculator or a downloadable spreadsheet?
As a further side note, I don't understand (for an end user) the reference to:
>Emails sent: $4.03 (if sent externally) or $0.03 (if sent within the same account) per 1000 plus $0.18 per GB
I mean, while sometimes I talk to myself, I never wrote to myself, set aside internal company e-mails, which e-mails are not "sent externally"?
Or am I misunderstanding something?
However, I have no quarrel with the approach to pricing here. In order for a service like this to succeed with very established incumbents, it needs to differentiate itself enough to carve out its own niche.
I never thought about the idea of having a "family domain", it could be a nice idea, though I guess its naming could be a possible venue for in-family disputes?
My name is "Mark Stosberg" and my email is "firstname.lastname@example.org".
1) my mom won't have an e-mail address with the surname of her first husband (my dad, passed away)
2) my brother-in-law (brother of my wife) surely won't have it
3) my cousins all have different surnames
4) my wife may accept one, but I talk with her every day and when we don't meet or talk via phone we tend to communicate via post-its on the fridge or similar
Fastmail provides webmail that is faster to sync than gmail (seriously; I use fastmail for personal and gsuite for work all day); a calendar; and a nice little notes utility. Be warned it's fidgety to sync fastmail calendar on android because you'll have to use a 3rd party app. But again, worth it to de-google your personal life.
1. I don't see anything about DMARC (DKIM, SPF) setup for your users. Do you provide DMARC?
2. Do you use shared ip's for all your users? If yes, how do you make sure my emails don't land in spam-filters, because of other users behaving badly?
3. Do you have a system in place and already experience to behave differently to different email hosters (e.g. send emails differently to gmail, yahoo or gmx)?
4. Do you provide spam-filters for incoming emails?
5. Do you provide support for email encryption and signatures (might be trivial, because it's part of the client, not sure about this one)?
6. What are your availability and reliability guarantees? What is your average/90%/99% delivery time and how often do you eventually drop an email? Will you inform me, when that happens?
7. How do you store my emails? Is strong encryption in place?
These are questions that I would want to have answered before signing up for such a service and they are the things that distinguish you from simply self-hosting emails for that money. It's also the reasons why I sometimes have to get emails from friends using their own domain from the spam-filter.
Sending emails is way harder than most people think (source: have worked in email infrastructure of a company sending billions of emails per month). Problems come especially, because email response codes are used differently across email hosters and it gets especially tricky when multiple independent users send emails over the same ip.
2. Same way anyone does it, I'd assume. Shared IPs, rate limits on sending, banning users who send spam emails. I'll likely need to hone exact approaches more.
3. Not that I know of? The mailserver I'm using might handle that.
4. Yea, fairly generic Spamassassin setup that I'm tuning.
5. I think signatures work through Roundcube, and maybe clientside encryption too.
6. I don't have SLAs yet (it's a beta!). My architecture allows for continuous deployment with no planned downtime, though. Delivery from gmail -> my servers and back seems to take about a minute as far as I know, but I can't answer the delivery time metrics without more data. You should get a bounce email on final delivery failure, which should take a maximum of about 208 minutes.
7. They're stored encrypted and compressed in S3, with an encryption key based off of a derivative of your password. Specifically: The encryption is AES/GCM with a per-message key encrypted by a libsodium crypto box, whose private key can be retrieved with a derivative of the user's password. The bucket also has AES-256 encryption in place.
Good questions! I'm going to work on documentation tomorrow. And yea, I realize that sending emails is going to suck.
About DKIM: It adds another layer of authentication to the email by adding a signature. It being absent isn't really a bad indicator, because unfortunately email headers might change during delivery. This will invalidate the DKIM signature. But it being there is a strong positive that the email comes from the domain it says it does. From another perspective: An email that might be filtered as spam without DKIM is more likely to go through with a positive DKIM result.
SpamAssassin assigns small positive scores for valid SPF/DKIM/whatnot headers (and larger negative for lacking either), but it's not really an effective spam deterrent. Spammers can set up their own domains that pass all the checks (although I've heard they're having good times just sending from Gmail).
DMARC authorizes recipient servers to outright refuse email from your domain if it does not contain a valid DKIM signature, and/or comes from a non-authorized IP.
In short, SPF+DKIM+DMARC prevent email spoofing from your domain, protecting you from backscatter and reputation degradation.
If that IP is shared, what's stopping someone else from signing up with you and then sending email that purports to come from microsoft.com?
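The SPF/DKIM/DMARC behaviour discussed in the comments above, including the shared-IP question, can be made concrete with a small receiver-side DMARC alignment check. This is an added example, not code from the thread or from any provider mentioned in it; all domains and DMARC records are constructed, and the organizational-domain lookup is a labelled simplification (real receivers use the Public Suffix List and also honour `sp=` and `pct=`).

```python
"""Simplified receiver-side DMARC evaluation (RFC 7489). Sample data is constructed."""
from dataclasses import dataclass


@dataclass
class AuthResult:
    domain: str   # SPF: envelope MAIL FROM domain; DKIM: the d= tag of a signature
    passed: bool  # outcome of the SPF check or of the DKIM signature verification


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Assumption for this example: the organizational domain is the last two
    labels. That is wrong for suffixes like co.uk; use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(from_domain: str, record: str, spf: AuthResult, dkim: list) -> tuple:
    """Return (dmarc_pass, disposition) for one message.

    DMARC passes if SPF passed AND its domain aligns with the From: domain,
    or if any DKIM signature verified AND its d= aligns with the From: domain.
    A bare SPF or DKIM pass for some unrelated domain does not count.
    """
    tags = parse_dmarc(record)
    spf_ok = spf.passed and aligned(spf.domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(
        sig.passed and aligned(sig.domain, from_domain, tags.get("adkim", "r"))
        for sig in dkim
    )
    if spf_ok or dkim_ok:
        return (True, "deliver")
    return (False, tags["p"])  # the domain owner's requested handling


# Constructed scenarios. "mailhost.example" stands for a shared-IP mail provider.
SCENARIOS = {
    # A provider customer puts someone else's domain in From:. SPF and DKIM both
    # pass, but only for the provider's own domains, so nothing aligns.
    "spoof_via_shared_provider": (
        "bigcorp.example", "v=DMARC1; p=reject",
        AuthResult("bounces.mailhost.example", True),
        [AuthResult("mailhost.example", True)],
    ),
    # A customer with a custom domain: SPF is for the provider's bounce domain
    # (unaligned), but the provider also signs with the customer's d= domain.
    "custom_domain_dkim_aligned": (
        "family.example", "v=DMARC1; p=quarantine",
        AuthResult("bounces.mailhost.example", True),
        [AuthResult("mailhost.example", True), AuthResult("family.example", True)],
    ),
    # Forwarded mail: SPF fails at the forwarder's IP, the DKIM signature survives.
    "forwarded_spf_fail_dkim_ok": (
        "family.example", "v=DMARC1; p=reject",
        AuthResult("family.example", False),
        [AuthResult("family.example", True)],
    ),
    # Strict alignment: subdomains no longer count as aligned.
    "strict_mode_subdomain": (
        "family.example", "v=DMARC1; p=quarantine; adkim=s; aspf=s",
        AuthResult("bounces.family.example", True),
        [AuthResult("mail.family.example", True)],
    ),
    # Signature broken in transit and SPF unaligned, but the owner only monitors.
    "broken_dkim_monitor_only": (
        "family.example", "v=DMARC1; p=none",
        AuthResult("bounces.mailhost.example", True),
        [AuthResult("family.example", False)],
    ),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario and return name -> (pass, disposition)."""
    return {name: evaluate(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} {outcome}")
```

The first scenario is the shared-IP case: authentication results for the provider's own domains do not help a message whose From: domain publishes `p=reject`, provided the receiver enforces DMARC.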
It's not that easy to find, but it's there. As long as you don't care about using third-party clients (free plan has IMAP/SMTP disabled), it's a viable option. I've used it for a year or two before I've switched to FastMail and it worked fine.
> We sell email.
You do what with my mail?
I think that's entirely fair. This is a pretty new project, and trust is built over time.
> The attempt at monetization strikes me as extremely premature, given the competition.
Free email services leave a bit of a sour taste in my mouth, since you're not the customer. I'd also have to put more work into stuff like adding hard caps to prevent abuse, but my thinking so far is that email really isn't something you should fuss over storage caps on.
It might be ultimately necessary to attract people (although Fastmail doesn't have a free tier), but I'll get there when I get there. I'm content to take it slow for now.
Thank you! I love being able to just pay a (modest) fee and not have to worry (as much) about perverse incentives. It fixes or minimizes so many problems.
FastMail, et al, alternatively aren't primarily engaged in the advertising business so they'd see a very small return from violating that trust and massive losses, so the gain/loss relationship is inverted.
The strongest endorsement I’ve seen for GSuite is that even direct competitors to Google have no issues using it. They trust Google with their data that much.
Seconded. I'd also add make that domain a .com, .net, or .org.
Yes, some of the other TLDs are cheaper, especially since they started making TLDs for almost everything. But spammers have jumped all over those, using them in from and return addresses. I suspect that a fair number of people have black holed email from entire TLDs due to this.
I know I have. I'm currently dropping all email from domains under: accountant, bid, christmas, click, club, cricket, date, download, faith, gdn, gq, help, info, link, loan, men, party, press, pro, racing, review, science, site, space, stream, team, top, trade, uno, webcam, website, win, work, xyz, and zone.
I'm not sure it's a winning proposition to have variable rate email services aimed at individuals or small companies.
People prefer to know up front what something costs, and I imagine they even rather pay double or triple the "real cost" if it means they don't have to think about it any more.
> Up to five users.
> 5GB/User, 25MB attachment limit.
> Web access only. Email hosting for single domain.
That "Web access only" is pretty crippling.
I know that fastmail will be in business in two years, but I'm not so sure about you.
If you offered some sort of auto-backup option, so that even if you went down I could take my mail elsewhere, that would be more compelling.
The infrastructure I'm running on really is pretty cheap. The biggest expense by far are the databases, which run about $250/month for two. If I had to pay out of pocket to support even just a few users for a year, I'd do it.
Anyway I think the best paranoid option (no matter what mailhost you're using) is to set up automatic forwarding to a backup address. Or you can use imapsync from time to time, which is a bit finicky but gets the job done pretty well. (I actually might try putting up a quick web interface for imapsync sooner or later to cover import/export use cases.)
Misses sent mail though...
If the emails are deleted on the server doesn't the client just delete them too?
Is there any chance FastMail will implement this anytime soon?
I've done this for years, with it forwarding to my gmail account. I never actually send an email of the @gmail.com variety.
If you want, you can limit the hosts that are allowed to send mail coming from your domain using SPF. Google does not control your domain so they can’t force, forbid or give you the option to do anything, but they do have a supported way for you to add their servers to the list.
This is all legacy though, if you set up a new alternative address you have to allow Gmail to send the messages through your own SMTP server.
I was unaware gmail free has a supported way to add the correct SPF records. Though thinking about it, even unsupported might be as simple as regularly scraping them from gmail and hosting them on your domain's DNS records.
But they probably don't support DKIM through that (now legacy?) hack, which granted, isn't that important if emails come from a gmail mail server.
It can forward to any email account/mailbox. e.g. Fastmail or ProtonMail or whoever.
I just happen to use it to forward to a gmail account. I think mentioning that was my mistake given the current sentiment as it distracted from the point I was trying to make.
@Sendotsh then pointed out what he thought was a limitation in using Gmail this way, which I responded to, and here we are. :-)
I have a `.la` but I'm unsure if I want to put my email behind it. Thoughts?
.com has legitimacy, it's not going to have hiccups (some country code domain names are pretty iffy, like .io had issues a while back), and contracts with ICANN ensure it's not going to extort a huge price out of you.
Am I missing something? The domain dropdown has no options and all usernames are taken.
It's fixed now, sorry.
>You can add more users (and any domains you own) later if you need them!
>If you later add custom domains, you can reset your account with those too!
Make sure, for starters, that if you use a custom domain for your email, you use a registrar with stellar security practices, as opposed to Namecheap, Godaddy, and many others that have shown deep flaws with vulnerabilities to social engineering. Otherwise, once someone has access to your domain, they have access to your email, which is the keys to the kingdom.
We have this weird dichotomy in services pricing that's either free or pretty expensive. If you're a free customer, you're not a customer. You're a potential customer in need of sales. And everyone is looking for the features they can put behind a pricing gate.
Let me know if you run into any issues!
Please don't change, even if you get much bigger.
I'll definitely try not to become full of bullshit :). I hope it's not as inevitable as it seems. (It probably helps that there's no VC funding involved, and I can stay small.)
The guy in charge of security and data access had a backbone and a reputation, so when somebody wanted a backdoor they simply went around him and got other people to hide it. (Which, of course, meant that the experts didn't review it and the thing was insecure.) I don't think Mozilla is wrong to treat Aus staff as a possible source for government privacy intrusion, but by that standard they really ought to view US (et al) employees as risks too.
Of course, the Yahoo compromise was allegedly approved by Marissa Mayer and corporate counsel. (Which suggests some ugly things about trusting behavior up the corporate ladder.) I guess that could mean Mozilla expects a US intrusion to show up at the executive level, while an Australian intrusion would be more likely to threaten random employees with legal consequences.
DO-178C also traces code to requirements to spot dead code or back doors.
Yes, and you also got every single other country in the world to take notice and to wonder what would happen if the same happened to them... leading to ad hoc legislation, actively looking for alternative providers, and a surge of new, sometimes govt-backed competitors (you know, in the name of national independence). Not to mention that all your existing competitors will start yelling “we would NEVER do that” at the top of their lungs.
The FANG may be as powerful as big nations, but even the biggest country needs a very good reason to declare war —and defending privacy isn’t it.
Not sure if this is worse or better than FAANG. I can see the appeal though.
So were they to coordinate - just as some big providers did around SOPA/PIPA, then they would have some impact. Otherwise of course no one will risk such a move.
Apple, though not a CSP is pretty much interested in keeping their privacy game going. (Which might not mean much outside the US for customers.)
Eh, if you build it, they won't necessarily come (e.g. google+).
Countries don’t have the power to dethrone FAANG.
There are other search engines (maybe not as powerful as Google, but if you don’t have a choice...). There are other e-commerce platforms, and there are a shitload of cloud providers. There are other high-end phone and laptop manufacturers. There may not be a credible FB alternative (but I’m not shedding any tears over that). The only real crazy-hard-to-replace infrastructure IMO is the App Store duopoly.
As another poster pointed out, there are countries (Russia, China) where credible alternative providers evolved because FAANG were not allowed to enter the market. In time, the same would happen if they were to leave a market.
Tell that to the countries that already block them.
AWS has a data center region in Sydney, AUS
AWS is big, but there are a number of much bigger players.
If AWS outsources physical security to the DC operator, and doesn't enforce other kinds of operational isolation, then of course it doesn't matter what else AWS does there.
If I am reading FastMail's statement right, they have been forced to add backdoors to their codebase and not been allowed to tell their team about it. Only a lawmaker who has the technical acumen of say, my grandmother, would decree something like that and think it was a good idea. Australia deserves better than these clowns. Then again, I live in the US so...
We pride ourselves on telling the truth to our customers, and we're quite clear that if we receive an Australian warrant for access to information about one of our customers, then we respond. That's different from adding backdoors.
Our submission asks that the law be updated so we're allowed to talk about any surveillance capabilities that we may be asked to add, but not about which users are being surveilled. That way our customers know exactly what we are capable of.
Right now we haven't received any capability requests (TCN) which is the bit we're concerned about, because if they required us to add features to the product without telling all staff about them, that would make it hard to maintain and ensure security as things were refactored. And any staff who DID know about it would have to be extra careful about what they say anywhere, because they could inadvertently leak something about the capability.
We expect the law to be updated soon, and hopefully this will be addressed. Until then - honestly, nothing has changed. We still operate under exactly the same process - if we receive a warrant from Australian Federal Police we respond. If we receive any other type of request, we point them to the AFP and the mutual assistance treaties that are appropriate. But it's impossible for you to verify that, because if something HAD changed, we'd have to lie - and that's frustrating to us.
I would be INCREDIBLY cautious about making statements like that. The penalty for discussing the existence or nonexistence of a notice under the new legislation is 5 years imprisonment. You can give 6-month statistical information, but you should have stated it that way if that's what you were doing.
I really, honestly hope you spoke with your legal counsel before making statements like that (I personally will not make statements like that until I get legal advice about how it should be stated to avoid a 5-year conviction).
In fact, I'm a little worried that they just said they have received no TCNs -- while you can provide aggregate statistical information over a 6-month window, if you get it wrong you're looking at a 5-year gaol sentence.
We have no real free speech laws (there is common law about it but that can be overridden by legislation). There is freedom of political speech, but that's a much weaker bar. Funnily enough, parliament has actual freedom of speech.
So we're not trying to pretend anything about the legal framework - when we said "nothing will change" up front, we meant it - and when we say "nothing has changed" now, we also mean it. But we can't pretend that we couldn't be forced to say that if things had changed either, because that would be dishonest.
For example if FastMail has servers in Amsterdam (NL). Would it be possible to let customers decide on which servers they want to host their mail, so that it falls under the local (or EU) laws?
Thank you in advance for taking the time to reply here.
I imagine the only solution is to move the entire company to another country, but I'd very much like to hear from people who do know what they're talking about.
Why not report the opposite on a regular basis?
"We're happy to report that we haven't been forced by authorities to implement a backdoor in our systems."
That way, when you stop writing that every week or month or what have you, everyone paying attention will know you've been forced to add a backdoor and might be gagged.
Lawmakers face the same problem in that they're barraged with constant problems from completely different fields that they're unlikely to be subject matter experts in. How do they learn about it? By consulting subject matter experts. Who are these subject matter experts? Well established businesses in their field. This can lead to laws that are incentivized towards large businesses. That's just considering a situation where everyone is working in good faith.
Now consider lawmakers having to cater towards what is currently trending with the populace, kickbacks from companies, pull from different governments/organizations/political parties etc. And it's easy to see why politics is the way it is.
Experts were consulted, and ignored. A lot of experts came right out and said these laws were insane. The Australian tech industry were not in favour, and the consulted experts were not favourable.
However, the experts that were listened to were the ones who worked for ASIO, who said that these laws were absolutely necessary just for the agency to continue operating, and it was urgent that they were deployed in the last few days of Parliament. So the laws got rushed.
After all, there have been major catastrophic failures because some IT tech followed the orders of a CEO to give them access to a mission-critical system from their insecure home PC. Isn’t that essentially what the whole “but her emails!” (and, it turned out later, his emails) was all about?
At best you have some independent experts with no stake in the game, but even then politics will often result in a compromise that is suboptimal for all involved.
Unfortunately, this was rushed through in a matter of days, and in fact the Parliament doors were locked to force an immediate decision, trying to make people throw caution to the wind.
(Probably didn’t actually help national security, but that’s a separate problem).
This led to my point, though I made it in a roundabout way. None of these laws are made in a vacuum. When you get a law that seems to cause undue harm to industries or to general consumers, it's unlikely the case that lawmakers wrote up something due to negligence of the issues, but because another entity specifically pushed to have these laws written in this way.
I'm reading that as "we don't encrypt customer emails, so we already had to share them." That's consistent with what they've said in the past.
E-Mail sucks, that's all. Fastmail is transparent about it and does a good job.
(PS: I still think that they encrypt their storage servers, but again, this will only protect against someone physically taking away their servers, not against a warrant or an intruder.)
We have a standard process for verifying each request with the AFP and ensuring that they have followed due process to get a warrant for the data. We strongly support (also spelled out in that submission) keeping judicial oversight of requests - which this legislation does still require for the access requests themselves - hence saying that nothing has changed for us, since we have existing capabilities and we already respond to legal requests.
They just put their own political skins ahead of good government and passed a law that they knew was flawed. There's been no mention of the touted amendments to fix it, as there is a federal election looming and if either side of politics proposes an amendment, the other will take the opportunity to manufacture a scare campaign and score political points.
No, that’s not what they said.
Such statements can hurt a business and in this case it would be a pity since the business in question is doing everything they can to serve their customers.
That is indeed not what we said - though we were pretty sure we would be taken out of context and the "there's a risk of somebody being asked to do this and that creates staff uncertainty" would be seen as "we've definitely already done this" :( Unsurprisingly, that's happened.
It’s interesting to me how a demographic like that of HN can fall for it.
Now it looks like if FastMail added that, they could be compelled by the government to break it anyway, without notifying the user.
The problem is that fundamentally email still provides them the plaintext -- so they wouldn't need to add a new capability or break the design of their at-rest crypto, they would simply have to stash away emails that were requested by a warrant.
The problem is that e2e messaging applications, where there is no way for the server to do this, are going to be in quite serious trouble. They would need to re-design their crypto so they can add additional "backdoor" device keys that let them access the messages, or provide backdoored binaries to the relevant target. And that's what TCNs will be used for -- to compel those kinds of backdoors.
But if this is a feature of a mail service rather than a mail client, then the service has the keys and, given GPG has no perfect forward secrecy, they have the ability to decrypt all emails you send and receive.
Even then, GPG without Perfect Forward Secrecy means that when your key is brute forced or side channel attacked, which we assume will happen, you lose all your secrecy, so you need to think about this as a temporary state.
However, and this is key, a majority of email is sent and received unencrypted via their servers, because that's just how email works.
In other words, email at rest might be encrypted, but most of the email in transit is not. This means that a man in the middle (e.g. the NSA) can still intercept all your communications.
And even with PGP encryption, which is e2e, the metadata is still unencrypted because that's what the email protocol demands. Having the ability to see whom you're communicating with, that's enough in many cases.
Email is simply not a good solution for e2e encryption. If you have secrets to protect, there are now other solutions available, like Signal, and even Signal has some issues (like its reliance on phone numbers for identification).
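An added illustration of the metadata point made in the comments above (not part of any comment in the thread): it parses a constructed PGP/MIME message and lists what any relaying or storing server can read without the private key. The function name `server_view`, the addresses and the message itself are made up for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: addresses, IDs and the armored body are made up.
RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net with ESMTPS; Mon, 04 Feb 2019 10:15:00 +1100
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.com
Subject: Re: contract draft
Date: Mon, 04 Feb 2019 10:14:58 +1100
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def server_view(raw):
    """Return (visible headers, is PGP/MIME encrypted, opaque part types)."""
    msg = message_from_string(raw)
    people = getaddresses(
        msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", []))
    visible = {
        # Who talks to whom stays readable even when the body is encrypted.
        "correspondents": sorted(addr for _, addr in people),
        # In plain PGP/MIME (RFC 3156) the Subject is an ordinary header too.
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message_id": msg["Message-ID"],
        "relay_hops": len(msg.get_all("Received", [])),
    }
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    # Only the parts after the control part carry ciphertext the server cannot read.
    opaque = [p.get_content_type() for p in msg.get_payload()[1:]] if encrypted else []
    return visible, encrypted, opaque
```
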
We also hear frequent arguments in favor of Australia's compulsory voting law as a way to combat the sort of voter apathy that led to the... unexpected outcome in our last Presidential contest.
Stories like this serve as good counterpoints for Americans to raise in those debates, I think. Yes, Australia has implemented a number of progressive electoral reforms... but those progressive electoral policies are obviously not getting them better leadership or better laws. So why should we, in the US, follow their example?
But to the point, I do agree that mandatory voting may be actively harmful as it values all degrees of civic engagement the same. That being said, here in the states we have actively installed barriers to make voting more difficult. We aren't really getting better leadership or better laws from it.
I'd say our government matches closer to our electorate than what the US government does, but we still have only 2 major parties, which severely limits choice. There are ways to combat this (NZ, Germany for example).
This example is also a fairly poor one, because it’s possible this law came as a “test the waters” as part of 5 eyes, so it could be followed in other countries. Where spying and secrets are concerned, we shouldn’t draw too many conclusions because we don’t know all the facts.
Even more absurd is that it also mentions this regarding economic espionage purposes.
They legally could ask a developer to commit large scale theft of industrial secrets from say Germany for the benefit of Canadian enterprises. Anyone refusing faces penalties in secret court rooms.
The open ended nature of the wording is staggering.
National security policy has been used as a wedge issue here in the last 20 years, like in lots of other places. So the raft of security legislation that's been passed since the conservatives took office in 2013 has actually been as a result of both major parties voting together. If the Labor Party (centre-left) opposes security legislation, they're painted as soft on terror, weak on border security, etc.
Security agencies have given a shopping list to the Liberal (i.e. conservative) government - data retention, citizenship, and encryption amongst others. The Libs have put bill after bill forward in an attempt to generate opposition from Labor and thereby get an effective national-security wedge. Some of them have been 'genuine' reforms but some have been less so. Labor knows this of course. But it's ahead in the polls and wants to be a small target come the election, so it has refused to bite. The result has been a bunch of shitty new security laws.
It can be wonderfully disheartening to watch, especially given that lots of people on both sides of politics know perfectly well that they're bad laws but can't say it out loud due to the politics of it. They're not all idiots who don't understand tech.
So while the electoral system here has delivered slim majorities for successive governments (or indeed minorities at times), it's not really relevant here. When the major parties vote together the laws are going to pass.
Sorry if that's off topic but I find it very interesting, albeit depressing sometimes.
It's borderline funny how inept the Australian government is with tech. NBN cost a fortune, and still sucks. My Health Record debacle. New anti-encryption laws, and leaders who think they can change the laws of math. ScoMo forgetting to set his domain on auto-renew... It's been a mess.
* Victorian couple quoted up to $1.2m to connect to NBN Co's fibre service - ABC News (Australian Broadcasting Corporation) || https://www.abc.net.au/news/2018-06-07/nbn-co-quotes-couple-...
* My Health Record: privacy, cybersecurity and the hacking risk | Australia news | The Guardian || https://www.theguardian.com/australia-news/2018/jul/16/my-he...
* Scotty Doesn't Know: prankster takes over Scott Morrison's website | Australia news | The Guardian || https://www.theguardian.com/australia-news/2018/oct/19/scott...
* Prime Minister Says The Laws Of Mathematics Are Trumped By Australian Law || https://www.buzzfeed.com/markdistefano/turnbull-war-on-maths
Add to this how messed up the visa situation is in Australia, and the crazy high taxes they put on immigrants, and they wonder why their economy can't keep up and homes have dropped 20% in the last 2 years...
They coasted on energy / natural resources for so long, but didn't invest any of the money correctly into tech training / startup scenes. Now that China took their foot off the gas, Australia will be in for a world of hurt.
So when the most predictable result on the planet happened and twenty million people all tried to fill out the online form on the "census" evening they claimed it was a denial of service attack.
The shame of it was, the ABS had a pretty good reputation up until that point (I believe). Now they're just another joke and have no good will left.
And which today we discover they've cocked it up even more so. https://www.itnews.com.au/news/algorithm-flaw-meant-census-r...
I interpreted it as they could be forced to secretly add a backdoor, but I guess if they are sworn to secrecy on it, who knows. Maybe it’s time for me to switch from FastMail...
Kind of makes you wonder about the other laws they write that touch things you aren't as familiar with...
So yes, we do deserve better than these clowns.
Australia shirked responsibility during the Kyoto protocol, letting the rest of the world tackle this problem.
Australia's current government cannot be solely blamed for this.
But what I don't understand is the relevance of climate change to the topic at hand: the assistance and access legislation harming Australian tech companies. And I'm still not sure what your original point was ("Australia's abysmal record on climate change affords it no sympathy"). Were you saying that Australia's tech industry deserves to be destroyed because a slim majority of the country keeps voting for a party that is, among other things, hesitant to act to reduce emissions?
I haven't decided myself if I'll switch, but if I do, it's more of a matter of principle. I just don't like how the world is becoming more authoritarian-like, and I feel it will continue to move this way unless people demonstrate their unwillingness to put up with such policies.
I actually thought about switching over this, but I found no service that gives me the same features that FM has (fast web interface, calendar, FIDO U2F, aliases, send as aliases, custom domains, DMARC, SPF and all those acronyms, good support) even if I would be willing to pay whatever (and I was grandfathered into the old $70/2 years plan on FM).
For a family of four, the annual cost would be about half of Fastmail's standard plan.
>“Our particular service is not materially affected as we already respond to warrants under the
The new laws would apply to something like Whatsapp or Signal, which do not have the ability to access the communications of users (thanks to end to end encryption). Fastmail already has enough access that if a legal demand is issued they can hand it over.
Don't get me wrong, mandating crypto backdoors is obviously a brazen breach of privacy and opens the doors to all sorts of abuses. But plaintext systems like Fastmail won't be affected by the new notices because a warrant was already sufficient to get access to your plaintext emails.
If it wasn’t for my Australian partner I’d likely have left by now as tech work is limited here, severely behind places like London, currently feeling like it’ll be difficult to progress beyond where I am now within the AU. A lot of it is also now dubious big data, i.e. what can we snoop on to sell you more or sell the data collected for dubious purposes.
ProtonMail and the like do more to protect you from the government, if that's your threat model, but you're going to lose out on a lot of features as well, because a lot of common expectations in email don't work with end-to-end encryption.
Using Thunderbird plus Enigmail for GnuPG, I can use any email provider, and be ~certain that they can't read my stuff.
Yes but no one can either :( In the last 5 years I received 2 encrypted emails, and thousands of non encrypted emails. The problem with PGP is that almost no one is using it.
Maybe the people you email with do use it though.
But whatever. The ability to use GnuPG serves as a filter ;)
> The ability to use GnuPG serves as a filter ;)
Yes definitely, I wouldn't get any emails at all anymore. Works great for Inbox Zero I guess.
Ideal case is one end-to-end protected in a country with stronger, legal protections for customers. ProtonMail fits that bill but lacks maturity. Some of us want our mail to definitely be delivered with a provider that will stick around a long time. FastMail has the edge there over ProtonMail.
i.e. I want paid G Suite to work like Office 365 Personal (which I do pay for), not Office 365 Business.