FastMail loses customers, faces calls to move over anti-encryption laws (www.itnews.com.au)
378.0 points by qzervaas | karma 3389 | avg karma 7.92 2019-02-25 03:39:42+00:00 | 296 comments




It's amazing to me that the people who write these laws are the least capable of understanding their impact.

If I am reading FastMail's statement right, they have been forced to add backdoors to their codebase and not been allowed to tell their team about it. Only a lawmaker who has the technical acumen of say, my grandmother, would decree something like that and think it was a good idea. Australia deserves better than these clowns. Then again, I live in the US so...


In any protracted discussion of US politics, it's pretty common for someone to raise the point that other countries have better voting systems than the one we use, where a winner-take-all paradigm inevitably devolves to a contest between only two dominant parties, and where there is little incentive for the victorious party to form a working coalition with the other. Australia's use of ranked-choice voting is frequently cited as one area where our first-past-the-post system is behind the curve, and in fact we're starting to consider adopting ranked choice voting in some limited areas [1].

We also hear frequent arguments in favor of Australia's compulsory voting law as a way to combat the sort of voter apathy that led to the... unexpected outcome in our last Presidential contest.

Stories like this serve as good counterpoints for Americans to raise in those debates, I think. Yes, Australia has implemented a number of progressive electoral reforms... but those progressive electoral policies are obviously not getting them better leadership or better laws. So why should we, in the US, follow their example?

[1]: https://bangordailynews.com/2018/08/28/opinion/contributors/...


well, australian voting systems aren’t exactly progressive (it’s just a few steps above the worst case), and neither is the voting populace

I'd say our government matches closer to our electorate than what the US government does, but we still have only 2 major parties which severely limits choice. there are ways to combat this (NZ, Germany for example)

this example is also a fairly poor one, because it’s possible this law came as a “test the waters” as part of 5 eyes, so it could be followed in other countries. where spying and secrets are concerned, we shouldn’t draw too many conclusions because we don’t know all the facts


It doesn't necessarily have to be enacted in other 5 eyes countries. The specific wording of the law said they can enlist citizens to put in backdoors at the request of other Governments.

Even more absurd is that it also mentions this regarding economic espionage purposes. They legally could ask a developer to commit large scale theft of industrial secrets from say Germany for the benefit of Canadian enterprises. Anyone refusing faces penalties in secret court rooms.

The open ended nature of the wording is staggering.


That's an interesting notion. Not to follow this tangent too far, but I think that most likely it is a more representative democracy. If you were to ask the people in the US if they want a bill that would allow law enforcement to "read the private messages of terrorists", I'd guess that most people would say yes, not knowing or understanding the ramifications of what the law would mean, or what a clear definition of what terrorists are.

But to the point, I do agree that mandatory voting may be actively harmful as it values all degrees of civic engagement the same. That being said here in the states we have actively installed barriers to make voting more difficult. We aren't really getting better leadership or better laws from it.


Actually the political logic on national security legislation here is a little more complicated and not really related to the electoral system or compulsory voting.

National security policy has been used as a wedge issue here in the last 20 years, like in lots of other places. So the raft of security legislation that's been passed since the conservatives took office in 2013 has actually been as a result of both major parties voting together. If the Labor Party (centre-left) opposes security legislation, they're painted as soft on terror, weak on border security, etc.

Security agencies have given a shopping list to the Liberal (i.e. conservative) government - data retention, citizenship, and encryption amongst others. The Libs have put bill after bill forward in an attempt to generate opposition from Labor and thereby get an effective national-security wedge. Some of them have been 'genuine' reforms but some have been less so. Labor knows this of course. But it's ahead in the polls and wants to be a small target come the election, so it has refused to bite. The result has been a bunch of shitty new security laws.

It can be wonderfully disheartening to watch, especially given that lots of people on both sides of politics know perfectly well that they're bad laws but can't say it out loud due to the politics of it. They're not all idiots who don't understand tech.

So while the electoral system here has delivered slim majorities for successive governments (or indeed minorities at times), it's not really relevant here. When the major parties vote together the laws are going to pass.

Sorry if that's off topic but I find it very interesting, albeit depressing sometimes.


> Australia deserves better than these clowns.

Australia's abysmal record on climate change affords it no sympathy. Australia, do your part.

(Australia resident and happy Fastmail customer.)


I'm not sure what you are trying to say here. The party that pushed for these new laws is the same party that has been opposing real action on climate change for years.

So yes, we do deserve better than these clowns.


Over the past 20 years, most developed nations have been working to reduce GHG emissions, through multiple governments and across multiple industries.

Australia shirked responsibility during the Kyoto protocol, letting the rest of the world tackle this problem.

Australia's current government cannot be solely blamed for this.


Of those 20 years you mentioned, the party we're discussing has been in power for around 14 of them - and the 6 years preceding that. I'd say the party that has been in power for over 75% of the last 25 years - and has actively campaigned against acting to reduce emissions - is somewhat responsible.

But what I don't understand is the relevance of climate change to the topic at hand: the assistance and access legislation harming Australian tech companies. And I'm still not sure what your original point was ("Australia's abysmal record on climate change affords it no sympathy"). Were you saying that Australia's tech industry deserves to be destroyed because a slim majority of the country keeps voting for a party that is, among other things, hesitant to act to reduce emissions?


> If I am reading FastMail's statement right, they have been forced to add backdoors to their codebase and not been allowed to tell their team about it

I interpreted it as they could be forced to secretly add a backdoor, but I guess if they are sworn to secrecy on it, who knows. Maybe it’s time for me to switch from FastMail...


If I remember correctly from their statement on this issue before they were basically unaffected by the new laws as they do not offer end-to-end encryption, so they were already open to lawful intercept requests.

Email services claiming e2e encryption are snake oil.

It’s interesting to me how a demographic like that of HN can fall for it.


So when I send my gpg mail, it’s not encrypted?

Yes, it is.

But if this is a feature of a mail service rather than a mail client, then the service has the keys and, given GPG has no perfect forward secrecy, they have the ability to decrypt all emails you send and receive.

If you go down the road of the mail service owning a mail client that promises e2e, then the issue moves to worrying about the code that runs on your device. If it's webmail, the JavaScript can easily be changed, so you really want a thick client. Then you need to worry about the thick client sending data that it's really not supposed to i.e. can it read your key and send it to $vendor?

Even then, GPG without Perfect Forward Secrecy means that when your key is brute forced or side channel attacked, which we assume will happen, you lose all your secrecy, so you need to think about this as a temporary state.


Note that the key could be client side and the email service could encrypt the email in a way as to not find out your private key.

However, and this is key, a majority of email is sent and received unencrypted via their servers, because that's just how email works.

In other words, email at rest might be encrypted, but most of the email in transit is not. This means that a man in the middle (e.g. the NSA) can still intercept all your communications.

And even with PGP encryption, which is e2e, the metadata is still unencrypted because that's what the email protocol demands. Having the ability to see whom you're communicating with, that's enough in many cases.

Email is simply not a good solution for e2e encryption. If you have secrets to protect, there are now other solutions available, like Signal and even Signal has some issues (like its reliance on phone numbers for identification).


Agreed. But having encryption at rest on your stored email would be a decent feature.

Now it looks like if FastMail added that, they could be compelled by the government to break it anyway, without notifying the user.


Mailbox.org has a feature like that, where all incoming messages are PGP encrypted to your public key when they're received so there's only a small window where they have the plaintext (and the plaintext isn't stored long-term nor is it stored in a way where they can decrypt it).

The problem is that fundamentally email still provides them the plaintext -- so they wouldn't need to add a new capability or break the design of their at-rest crypto, they would simply have to stash away emails that were requested by a warrant.

The problem is that e2e messaging applications, where there is no way for the server to do this, are going to be in quite serious trouble. They would need to re-design their crypto so they can add additional "backdoor" device keys that let them access the messages, or provide backdoored binaries to the relevant target. And that's what TCNs will be used for -- to compel those kinds of backdoors.


"Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act."

I'm reading that as "we don't encrypt customer emails, so we already had to share them." That's consistent with what they've said in the past.


Exactly correct. We already share customer emails under limited circumstances and for explicitly requested accounts only (we've never participated in dragnets and we don't believe this legislation will require us to either).

We have a standard process for verifying each request with the AFP and ensuring that they have followed due process to get a warrant for the data. We strongly support (also spelled out in that submission) keeping judicial oversight of requests - which this legislation does still require for the access requests themselves - hence saying that nothing has changed for us, since we have existing capabilities and we already respond to legal requests.


Due process is not the only question though. FastMail users will also be wondering whether the content of their email has to comply with other laws made by the very same lawmakers that have just shown their complete disregard for privacy and a shocking level of technical incompetence.

To be fair, they also explicitly point out in their docs that encryption on their end is pointless (since they have the keys) and that you should encrypt your e-mails on the client side with something like PGP (where you control the keys).

E-Mail sucks, that's all. Fastmail is transparent about it and does a good job.

(PS: I still think that they encrypt their storage servers, but again, this will only protect against someone physically taking away their servers, not against a warrant or an intruder.)


Australia is significantly behind the US in terms of tech, and Australian lawmakers are also significantly behind. Ignorant, and draconian. Not a good mix. With no Bill of Rights to protect people.

It's borderline funny how inept the Australian government is with tech. NBN cost a fortune, and still sucks. My Health Record debacle. New anti-encryption laws, and leaders who think they can change the laws of math. ScoMo forgetting to set his domain on auto-renew... It's been a mess.

* Victorian couple quoted up to $1.2m to connect to NBN Co's fibre service - ABC News (Australian Broadcasting Corporation) || https://www.abc.net.au/news/2018-06-07/nbn-co-quotes-couple-...

* My Health Record: privacy, cybersecurity and the hacking risk | Australia news | The Guardian || https://www.theguardian.com/australia-news/2018/jul/16/my-he...

* Scotty Doesn't Know: prankster takes over Scott Morrison's website | Australia news | The Guardian || https://www.theguardian.com/australia-news/2018/oct/19/scott...

* Prime Minister Says The Laws Of Mathematics Are Trumped By Australian Law || https://www.buzzfeed.com/markdistefano/turnbull-war-on-maths

Add to this how messed up the visa situation is in Australia, and the crazy high taxes they put on immigrants, and they wonder why their economy can't keep up and homes have dropped 20% in the last 2 years...

They coasted on energy / natural resources for so long, but didn't invest any of the money correctly into tech training / startup scenes. Now that China took their foot off the gas, Australia will be in for a world of hurt.


You forgot the last national census, where they decided our privacy was not that important[1], and they were liberally threatening everyone with severe fines if they didn't fill it out anyway.

So when the most predictable result on the planet happened and twenty million people all tried to fill out the online form on the "census" evening they claimed it was a denial of service attack.

The shame of it was, the ABS had a pretty good reputation up until that point (I believe). Now they're just another joke and have no good will left.

[1] And which today we discover they've cocked it up even more so. https://www.itnews.com.au/news/algorithm-flaw-meant-census-r...


Or the medical record system that's non-searchable since it's just all flattened scans converted to PDFs. Fun. Our tax dollars at work.

Our Bill of Rights is just about dead here in the states. The .gov ignores it wholesale constantly. We're just about out of time with a lot of things, it seems.

I don't think these governments are inept, I think it is all by design. Breaking crypto is just one of the bludgeons they want to utilize. Government is not eloquence, it is simply force.


To be fair, this is basically the software developer's dilemma in reverse. You're building out systems for areas of business with no domain expertise. End users constantly wonder why the developers built the software in such profoundly stupid ways.

Lawmakers face the same problem in that they're barraged with constant problems from completely different fields that they're unlikely to be subject matter experts in. How do they learn about it? By consulting subject matter experts. Who are these subject matter experts? Well established businesses in their field. This can lead to laws that are incentivized towards large businesses. That's just considering a situation where everyone is working in good faith.

Now consider lawmakers having to cater towards what is currently trending with the populace, kickbacks from companies, pull from different governments/organizations/political parties etc. And it's easy to see why politics is the way it is.


I would expect anybody worth their salt to consult experts from said field they wish to bridge into. Otherwise, why the hell are you blindly passing out laws? Sheer incompetence.

> By consulting subject matter experts.

Experts were consulted, and ignored. A lot of experts came right out and said these laws were insane. The Australian tech industry were not in favour, and the consulted experts were not favourable.

However, the experts that were listened to were the ones who worked for ASIO, who said that these laws were absolutely necessary just for the agency to continue operating, and it was urgent that they were deployed in the last few days of Parliament. So the laws got rushed.


> Experts were consulted, and ignored.

This led to my point, though I made it in a roundabout way. None of these laws are made in a vacuum. When you get a law that seems to cause undue harm to industries or to general consumers, it's unlikely the case that lawmakers wrote up something due to negligence of the issues, but because another entity specifically pushed to have these laws written in this way.


If I had two experts, one of whom was security and one of whom was business, and they disagreed with each other, I would also be listening to the security expert first.

After all, there have been major catastrophic failures because some IT tech followed the orders of a CEO to give them access to a mission-critical system from their insecure home PC. Isn’t that essentially what the whole “but her emails!” (and, it turned out later, his emails) was all about?


Experts shouldn’t be counted in number of votes for/against... If you have FastMail and Atlassian, biggest and most successful startup of Australia who relocated to UK, telling you off with the CEO taking a public stance that the government is crippling progress, then it’s not hard to listen: Your economy will lose big.

It shouldn't work like this either. If two major chemical companies threatened with relocation and their CEOs told the government it is crippling progress unless it seriously relaxes environmental protection laws you wouldn't want the government to just back down.

At best you have some independent experts with no stake in the game, but even then politics will often result in a compromise that is suboptimal for all involved.


You're right. You'd want the government to approach with extreme caution when you have two largely conflicting opinions emerging. You'd want amendments to try and balance need and impact.

Unfortunately, this was rushed through in a matter of days, and in fact the Parliament doors were locked to force an immediate decision, trying to make people throw caution to the wind.


I’m not counting votes either. I’m saying that for all the flaws in how this law was made, the one thing that wasn’t wrong was putting national security over business interests.

(Probably didn’t actually help national security, but that’s a separate problem).


They understood the impact.

https://www.smh.com.au/politics/federal/bill-shorten-says-la...

They just put their own political skins ahead of good government and passed a law that they knew was flawed. There's been no mention of the touted amendments to fix it, as there is a federal election looming and if either side of politics proposes an amendment, the other will take the opportunity to manufacture a scare campaign and score political points.


> If I am reading FastMail's statement right, they have been forced to add backdoors to their codebase and not been allowed to tell their team about it.

No, that’s not what they said.

Such statements can hurt a business and in this case it would be a pity since the business in question is doing everything they can to serve their customers.


Thank you :)

That is indeed not what we said - though we were pretty sure we would be taken out of context and the "there's a risk of somebody being asked to do this and that creates staff uncertainty" would be seen as "we've definitely already done this" :( Unsurprisingly, that's happened.


We haven't been forced to add anything. The problem is that if the law says that we __could__ be forced to add something and not allowed to tell our customers, then there's no way for somebody to tell if we're telling the truth.

We pride ourselves on telling the truth to our customers, and we're quite clear that if we receive an Australian warrant for access to information about one of our customers, then we respond. That's different from adding backdoors.

Our submission asks that the law be updated so we're allowed to talk about any surveillance capabilities that we may be asked to add, but not about which users are being surveilled. That way our customers know exactly what we are capable of.

Right now we haven't received any capability requests (TCN) which is the bit we're concerned about, because if they required us to add features to the product without telling all staff about them, that would make it hard to maintain and ensure security as things were refactored. And any staff who DID know about it would have to be extra careful about what they say anywhere, because they could inadvertently leak something about the capability.

We expect the law to be updated soon, and hopefully this will be addressed. Until then - honestly, nothing has changed. We still operate under exactly the same process - if we receive a warrant from Australian Federal Police we respond. If we receive any other type of request, we point them to the AFP and the mutual assistance treaties that are appropriate. But it's impossible for you to verify that, because if something HAD changed, we'd have to lie - and that's frustrating to us.


Given that you're able to inform us currently that you've not received any capability requests, would it be legal and feasible for you to set up a warrant canary? I don't know if Australia has the same protections against compelled speech as the US [1, 2] which theoretically allow one to function, but if so, it might help encourage people to stay.

[1] https://en.m.wikipedia.org/wiki/West_Virginia_State_Board_of...

[2] https://en.m.wikipedia.org/wiki/Wooley_v._Maynard


Warrant canaries are explicitly disallowed under this legislation (you cannot comment on the existence or non-existence of a notice and there are strong restrictions on what sort of statistics you can provide).

In fact, I'm a little worried that they just said they have received no TCNs -- while you can provide aggregate statistical information over a 6-month window, if you get it wrong you're looking at a 5-year gaol sentence.

We have no real free speech laws (there is common law about it but that can be overridden by legislation). There is freedom of political speech, but that's a much weaker bar. Funnily enough, parliament has actual freedom of speech.


The second sentence of this comment is the only one that matters, unfortunately.

Yeah, I know - that's pretty much what we said. There's no way to distinguish between the two as an outsider. We're really strong on not doing security theatre nonsense:

https://fastmail.blog/2017/12/05/the-fastmail-security-minds...

So we're not trying to pretend anything about the legal framework - when we said "nothing will change" up front, we meant it - and when we say "nothing has changed" now, we also mean it. But we can't pretend that we couldn't be forced to say that if things had changed either, because that would be dishonest.


I was wondering, with these new laws, did FastMail consider operating (partly) in other countries?

For example if FastMail has servers in Amsterdam (NL). Would it be possible to let customers decide on which servers they want to host their mail, so that it falls under the local (or EU) laws?

Thank you in advance for taking the time to reply here.


With the caveat that I'm far from an expert in this domain, as I understand it FastMail would have to comply with the laws of the country they're based in, as well as any country they'd have as customer or hosting provider.

I imagine the only solution is to move the entire company to another country, but I'd very much like to hear from people who do know what they're talking about.


Unfortunately "mercer" below is right - we need to comply with the laws of Australia regardless of where our servers are. The "Amsterdam server" idea is a red herring that doesn't change the legal landscape.

> The problem is that if the law says that we __could__ be forced to add something and not allowed to tell our customers, then there's no way for somebody to tell if we're telling the truth.

Why not report the opposite on a regular basis?

"We're happy to report that we haven't been forced by authorities to implement a backdoor in our systems."

That way, when you stop writing that every week or month or what have you, everyone paying attention will know you've been forced to add a backdoor and might be gagged.


If you regularly report "We don't do X" and then cease reporting, it's equivalent to saying "We're now doing X".

Warrant canaries are unfortunately illegal in Australia in this context [1].

[1] https://boingboing.net/2015/03/26/australia-outlaws-warrant-...


They are illegal, but you're posting the wrong link (that's about journalist warrants). The legislation in question explicitly states that you cannot comment on the existence or nonexistence of a TCN, TAN, or TAR.

> Right now we haven't received any capability requests (TCN) which is the bit we're concerned about

I would be INCREDIBLY cautious about making statements like that. The penalty for discussing the existence or nonexistence of a notice under the new legislation is 5 years imprisonment. You can give 6-month statistical information, but you should have stated it that way if that's what you were doing.

I really, honestly hope you spoke with your legal counsel before making statements like that (I personally will not make statements like that until I get legal advice about how it should be stated to avoid a 5-year conviction).


> It's amazing to me that the people who write these laws are the least capable of understanding their impact.

Kind of makes you wonder about the other laws they write that touch things you aren't as familiar with...


I’m sure Bron, Rob or Nigel will weigh in shortly. Fastmail is a damn fine service, I now trust Australian internet privacy even less due to recent law changes and this does concern me not just with Fastmail but as someone that designs and hosts platforms for software the organisation I work with writes - which is also in Australia.

They can ensure something, but law is law. If Fastmail employees are pressed by Australian authorities, they must obey, mustn't they?

This is covered in the article.

>“Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act."

The new laws would apply to something like Whatsapp or Signal, which do not have the ability to access the communications of users (thanks to end to end encryption). Fastmail already has enough access that if a legal demand is issued they can hand it over.


I think the point is that with a backdoor you don't need the warrant, which opens the possibility of abuse.

FWIW, as currently legislated, the "backdoor" scheme still requires warrants to be issued for data captured under it.

Yes, that. The law allows for requiring new backdoors to be requested up-front, but still requires warrants to activate those backdoors for specific requests, and it still doesn't give firehose access. It's not as awful as it's made out to be by some, but it's still pretty ham-handed in some of its implementation, and that's what we're proposing they look at changing.

No, the new legislation's notices only are allowed to be exercised in order to fulfil the requirements of a warrant (or similar instruments that have judicial oversight).

Don't get me wrong, mandating crypto backdoors is obviously a brazen breach of privacy and opens the doors to all sorts of abuses. But plaintext systems like Fastmail won't be affected by the new notices because a warrant was already sufficient to get access to your plaintext emails.


The way you get this to end is by annoying the common people of Australia. The Internet death penalty would be one way—have FAANG completely stop doing business in Australia until this is repealed, and block Australians from their services. No Facebook, no new copies of Windows, no new Macs, nothing that runs on AWS. It’s a small enough country that it wouldn’t really be a dent in their bottom lines. Congratulations, you just got most of a country to angrily write their parliament-critters.

You may not realize:

AWS has a data center region in Sydney, AUS


You'd think that they'd want to close that sucker.

Does amazon own and operate it?

Yes? Of course they do.

Not completely a given; their China footprint isn't directly them.

Why "of course"? At one point in time (and this is probably still true), AWS was a client of various wholesale (and even wholesale/direct to consumer) in some regions. Equinix, Tata, Digital Realty Trust, ...

AWS is big, but there are a number of much bigger players.


Operations can mean anything. If Amazon has staff at the location and exclusive cage access, and only dark fiber and electricity coming in, then it doesn't really matter who owns the physical site.

If AWS outsources physical security to the DC operator, and doesn't enforce other kinds of operational isolation, then of course it doesn't matter what else AWS does there.


> Congratulations, you just got most of a country to angrily write their parliament-critters.

Yes, and you also got every single other country in the world to take notice and to wonder what would happen if the same happened to them... leading to ad hoc legislation, actively looking for alternative providers, and a surge of new, sometimes govt-backed competitors (you know, in the name of national independence). Not to mention that all your existing competitors will start yelling “we would NEVER do that” at the top of their lungs.

The FANG may be as powerful as big nations, but even the biggest country needs a very good reason to declare war —and defending privacy isn’t it.


> […] and a surge of new, sometimes govt-backed competitors (you know, in the name of national independence).

Not sure if this is worse or better than FAANG. I can see the appeal though.


There are no alternative providers.

Countries don’t have the power to dethrone FAANG.


China never allowed them to ascend the throne in China in the first place, because it's very firmly reserved for the CCP.

There may be no global, credible alternatives now. There would most certainly be local, semi-credible alternatives gaining ground shortly after such a move. If the biggest, most entrenched provider suddenly disappears... well that’s going to give some ideas to a lot of people.

There are other search engines (maybe not as powerful as Google, but if you don’t have a choice...). There are other e-commerce platforms, and there are a shitload of cloud providers. There are other high-end phone and laptop manufacturers. There may not be a credible FB alternative (but I’m not shedding any tears over that). The only real crazy-hard-to-replace infrastructure IMO is the App Store duopoly.

As another poster pointed out, there are countries (Russia, China) where credible alternative providers evolved because FAANG were not allowed to enter the market. In time, the same would happen if they were to leave a market.


> Countries don’t have the power to dethrone FAANG.

Tell that to the countries that already block them.


> and a surge of new, sometimes govt-backed competitors

Eh, if you build it, they won't necessarily come (e.g. google+).


Cloud Service Providers have an intrinsic, shared/common interest in maintaining the easy cross-border operations and transactions.

So were they to coordinate - just as some big providers did around SOPA/PIPA, then they would have some impact. Otherwise of course no one will risk such a move.

Apple, though not a CSP is pretty much interested in keeping their privacy game going. (Which might not mean much outside the US for customers.)


I just read that they are no longer accepting Bitcoin payments as well. Is this part of Adam Back's big push to make Bitcoin a settlement only layer?

So what's a good alternative to FastMail?

Protonmail is great in terms of feature/security balance. Personally, I like using mail.disroot.org

Protonmail has also given in and paid out thousands* to criminals who DDoS their systems, no?

*In my original post I mistakenly wrote "millions"


All I’ve heard is they once paid $6000 to stop a ddos in 2015 at the demand of their hosting isp.

(Note: The parent comment claimed that ProtonMail paid "millions" in ransom. It appears to have been edited to say "thousands" now.)

I am not affiliated with ProtonMail, but the answer is no. ProtonMail has paid a ransom exactly once, back in 2015 when it was just launched and suffered a DDOS attack that caused a lot of collateral damage to third parties, who pressured ProtonMail to pay the ransom.

ProtonMail has since committed to "never pay another ransom" and invested in advanced DDOS mitigation capabilities, including by becoming its own ISP.

Sources:

https://protonmail.com/blog/protonmail-ddos-attacks/

https://protonmail.com/support/knowledge-base/email-ddos-pro...


I switched from ProtonMail after a few months (despite having paid up front for a year) because the UX is so bad. You are forced to use their client apps, which are full of annoying bugs and design flaws. They ignored my support requests. Eventually I switched to MailFence, which has even worse UIs, straight out of the 90s, but you can use any IMAP client so it doesn’t really matter. (ProtonMail does have a bridge tool so you can use IMAP, but only on a desktop OS.) Still on the lookout for something better.

For desktop ProtonMail has a bridge to allow you to use standard imap and smtp: https://protonmail.com/bridge/

I guess for mobile phones you need to use their app.


I’ve just moved a personal domain from fastmail to migadu. So far so good.

I can recommend Runbox, it's run from Norway which allows for privacy.


Ah, maybe I'm out of date then.

I'm probably going to go to Migadu, since Lavabit support is proving to be annoyingly silent. I requested a custom domain a week ago, set up SPF/DKIM according to instructions, but have heard nothing since.

> Your 1-year Standard subscription expires on Sunday, February 24, 2019.

Good timing?


Anyone know of a FastMail alternative? I was considering opening an account with them, but after reading this, I am concerned with the privacy implications, especially as I am trying to get off of Gmail.

What privacy implications?

ProtonMail? It supposedly has encryption that prevents ProtonMail from reading your email.

If you believe that, yes. But that's not really novel. CounterMail had that a decade ago. Tutanota does too.

Using Thunderbird plus Enigmail for GnuPG, I can use any email provider, and be ~certain that they can't read my stuff.


> Using Thunderbird plus Enigmail for GnuPG, I can use any email provider, and be ~certain that they can't read my stuff.

Yes but no one can either :( In the last 5 years I received 2 encrypted emails, and thousands of non encrypted emails. The problem with PGP is that almost no one is using it.

Maybe the people you email with do use it though.


As I understand it, ProtonMail basically uses PGP. It just does it in Javascript or whatever.

But whatever. The ability to use GnuPG serves as a filter ;)


> As I understand it, ProtonMail basically uses PGP. It just does it in Javascript or whatever.

This means that maybe now the private keys are on your device, at any point in time they can update their frontend javascript code to get your private key and read all your emails.

> The ability to use GnuPG serves as a filter ;)

Yes definitely, I wouldn't get any emails at all anymore. Works great for Inbox Zero I guess.


> This means that maybe now the private keys are on your device, at any point in time they can update their frontend javascript code to get your private key and read all your emails.

That's the risk. By default, the filesystem isn't accessible to Javascript. But here, you've authorized key access for encryption and decryption. I suppose that Thunderbird and Enigmail could be modified to do much the same. But arguably that would be discovered quickly.


The difference is that Enigmail is maintained by an open source community, Thunderbird by Mozilla. Also the protocol your mail client uses to talk with your email server (POP or IMAP) doesn't really support the flexibility to send the keys over easily. As opposed to your clientside Protonmail client managed by javascript that can AJAX the keys to the mothership.

As long as they never silently introduce a backdoor into the js app you are running. These new laws are purely to give the legal power for the government to request that.

I looked at FastMail and ProtonMail. I ended up going with ProtonMail because they're in Switzerland.

Yeah, I was just about to open an account with them as well but I don't think I'm gonna be doing that anymore. It's unfortunate because they seemed to have exactly what I was looking for.

Why don't you switch to paid Gmail?

Not the person you're asking, but I don't "switch" to paid Gmail because there isn't exactly "paid Gmail". I would pay for the features of G Suite if I could get them to apply to my @gmail.com account - I don't want to set up a new account at a different domain. Said payment would eliminate advertisements from any Google service (exempting YouTube) where I'm logged in with my primary Google account.

i.e. I want paid G Suite to work like Office 365 Personal (which I do pay for), not Office 365 Business.


I switched from fastmail to migadu last week for my personal domain.

It also helps that they are based out of Switzerland, which has better privacy laws than almost every country out there!

I've been using Migadu too. I have a bunch of other emails that I barely use, and would have been very expensive with other providers.

Yes I would have switched even if not for the new law just for that reason.

If you pay for GSuite as much as you would for Fastmail ($5/month) you get the same privacy protections as Fastmail, along with better features (e.g. unlimited IMAP keywords per mailbox instead of just 128, better spam detection, etc.)

We only allow 100 these days... though I'm hoping that limit disappears once Cyrus IMAP internal datastructure changes happen. I bet Google aren't a fan of you having hundreds of keywords on emails either - but their data model at least supports it.

Well, one is a surveillance company that's always trying to get more data on people. One is a privacy-focused company with no stated interest in that. Both are in surveillance states with cooperation agreements. FastMail has the edge here short- and long-term.

Ideal case is one end-to-end protected in a country with stronger, legal protections for customers. ProtonMail fits that bill but lacks maturity. Some of us want our mail to definitely be delivered with a provider that will stick around long time. FastMail has the edge there over ProtonMail.


Posteo.de, run by a group of treehuggers so they make a big deal about how their data center is run by renewable energy, but they also care about privacy too. One down side is that you can't use your own custom domain.

And another is that I believe mail addresses are recycled. At least they were when I was testing their service a couple of years ago.

To my knowledge, among paid email services, only Runbox doesn't recycle email addresses. Fastmail, Posteo.de and mailbox.org recycle your address within a few months. I don't know what Mailfence's policy is on this. Are there any other paid and privacy focused services that do not recycle email addresses on their domains?

ProtonMail.

The law has no privacy implications regarding FastMail: They always could, and had to, comply with legal orders for data. This is also true of Gmail and most other email providers. The primary difference here is that FastMail will only hand over your data in that scenario, but will never use your data for ad targeting or other corporate abuses of privacy.

ProtonMail and the like do more to protect you from the government, if that's your threat model, but you're going to lose out on a lot of features as well, because a lot of common expectations in email don't work with end-to-end encryption.


Fastmail does offer any services that are affected by this law. Existing laws allow the government to get your data. Email is unencrypted so the government can get it. The law only affects things like proton mail because now the government can request you backdoor the encryption.

The new legislation does have implications for FastMail and privacy. Being spied on without any ability to review or intercede against the government's action via court is a serious loss to privacy.

I have successfully migrated to mailbox.org over Christmas and I am very happy with them so far. Excellent quality applications and web app, very reliable service and they use & support a lot of open source projects. They have a heavy emphasis on encryption and privacy.

"We won't release any data without the required legal authorisation from an Australian court. As an Australian company, we do not respond to US court orders." [1]

[1] https://www.fastmail.com/help/ourservice/security.html


But legal systems cooperate. Ask Kim dot Com.

If anyone's considering moving their email addresses over this, please take the time to get your own custom domain to host email on. That way you can switch providers more easily and actually own your email address.

As a shameless plug: Purelymail, the mail service I'm working on, could use some more beta testers. It's (to my knowledge) the cheapest way to get email on a custom domain right now. https://purelymail.com/


Yandex offers custom domains similar to G Suite, for free. So if people want a free option, even just to try this concept out, I can say that is a formidable option.

If you have a problem with AU's law, I don't see how moving it to Russia is an improvement.

Russia is unlikely to cooperate with the US government for the foreseeable future.

Valid concern, but I'm mostly pointing this out in the context of the parent comment. Emphasis on the fact that it's free, and may be a decent stepping stone for those interested in custom domain email.

Well, you can be sure that Russia won't share your data with the US or UK unlike the Aussies! ;)

I only took a brief look, but I like the premise. The service seems far from something I would trust with handling my email. I still trust Fastmail (for reference). But I strongly welcome more alternatives to Gmail and services which prioritize user privacy. The attempt at monetization strikes me as extremely premature, given the competition. But I hope to see more.

Paying for GSuite (as you are for Fastmail) would also equally respect your privacy.

The problem is the level of trust. I don't trust Google, as an advertising company with a side business of technology, to keep its paws off of user data even in "anonymous" form. That's not malice; it's just temptation. There's way too much to gain, from Google's perspective, and comparatively little to lose by not keeping that wafer-thin wall intact.

FastMail, et al, alternatively aren't primarily engaged in the advertising business so they'd see a very small return from violating that trust and massive losses, so the gain/loss relationship is inverted.


Do you think that Google would intentionally violate their contracts with various huge companies (Broadcom, BBVA, Colgate-Palmolive, etc) to gain a little bit more advertising revenue? If nothing else the personal lawsuits for securities fraud against executives would be a huge deterrent.

I strongly doubt that they would, but it should be noted that them doing so would be extremely difficult to prove, and even harder to identify in the first place.

I see no reason why Google would treat various huge companies the same as my one person setup even if we all nominally use the same product (and anyway I'm pretty sure Broadcom et al. haven't signed up using the same web interface I would use).

Google, Amazon, Microsoft and all the other major SaaS providers certainly have strict controls to prevent misuse of customer data. Pretty much all companies end up signing up for products the same way, at least with the companies I've worked for.

You are vastly overestimating how much that information is worth to Google. Their average revenue per user is a pittance compared to the $5 per user per month you’re paying as a GSuite customer. They’re strongly incentivised to make sure your data isn’t misused in any way. It’s not worth jeopardising hundreds of millions in future revenue to show slightly more relevant ads to a handful of folks.

The strongest endorsement I’ve seen for GSuite is that even direct competitors to Google have no issues using it. They trust Google with their data that much.


What scares me most about gmail is the fear that one day an algorithm will decide I'm doing something wrong and terminate my account and no prospect of appealing the decision.

> The service seems far from something I would trust with handling my email.

I think that's entirely fair. This is a pretty new project, and trust is built over time.

> The attempt at monetization strikes me as extremely premature, given the competition.

Free email services leave a bit of a sour taste in my mouth, since you're not the customer. I'd also have to put more work into stuff like adding hard caps to prevent abuse, but my thinking so far is that email really isn't something you should fuss over storage caps on.

It might be ultimately necessary to attract people (although Fastmail doesn't have a free tier), but I'll get there when I get there. I'm content to take it slow for now.


> Free email services leave a bit of a sour taste in my mouth, since you're not the customer. I'd also have to put more work into stuff like adding hard caps to prevent abuse, but my thinking so far is that email really isn't something you should fuss over storage caps on.

Thank you! I love being able to just pay a (modest) fee and not have to worry (as much) about perverse incentives. It fixes or minimizes so many problems.


Some DNS providers, along with things like HTTP forwarding, provide email forwarders as well. So you can set up yourname@yourdomain.com to forward to your 'real' mailbox address.

I've done this for years, with it forwarding to my gmail account. I never actually send an email of the @gmail.com variety.


But you can't send "from" your address with that method. Replying sends from your Gmail.

Yes you can. You have to jump through a couple of hoops to get there, but you can. Look for "Send Mail As" under "Accounts and Import". If you have to put in SMTP details, put in gmail's own SMTP server.

I think that's the point. People who don't trust Google don't want their emails going through Google's mail servers.

Sigh. I think we're drifting off topic. Back to my original comment, some DNS providers offer mail forwarding as a service for your domain.

It can forward to any email account/mailbox. e.g. Fastmail or ProtonMail or whoever.

I just happen to use it to forward to a gmail account. I think mentioning that was my mistake given the current sentiment as it distracted from the point I was trying to make.

@Sendotsh then pointed out what he thought was a limitation in using Gmail this way, which I responded to, and here we are. :-)


This is the exact same setup I have. Main downside is if I use a third-party email client like Outlook or iPhone’s built-in mail app, I can’t select the from address. Which means I have to use Gmail’s horrible iOS app which doesn’t seem to work offline or cache anything locally. Still the best overall setup I’ve found, but far from perfect.

That sounds pretty much like spoofing to me and not as actually sending from that address. Or does Gmail also give you the option to add the necessary DKIM and SPF records to your domain?

‘Actually sending from an address’ is a concept that doesn’t exist.

If you want, you can limit the hosts that are allowed to send mail coming from your domain using SPF. Google does not control your domain so they can’t force, forbid or give you the option to do anything, but they do have a supported way for you to add their servers to the list.

This is all legacy though, if you set up a new alternative address you have to allow Gmail to send the messages through your own SMTP server.


I was just paraphrasing the concept of authentication for email domains. That's what DMARC is doing and why I mentioned DKIM and SPF.

I was unaware gmail free has a supported way to add the correct SPF records. Though thinking about it, even unsupported might be as simple as regularly scraping them from gmail and hosting them on your domain's DNS records.

But they probably don't support DKIM through that (now legacy?) hack, which granted, isn't that important if emails come from a gmail mail server.


https://purelymail.com/signup/

Am I missing something? The domain dropdown has no options and all usernames are taken.


It says the following on that page:

>You can add more users (and any domains you own) later if you need them!

>If you later add custom domains, you can reset your account with those too!


Yup, I completely messed up there. I just bought a couple of cute domain names, but apparently completely forgot that the production database is not the development database.

It's fixed now, sorry.


So I'm in the market for this, but what if you shut down while I'm on vacation and not checking my email?

I know that fastmail will be in business in two years, but I'm not so sure about you.

If you offered some sort of auto-backup option, so that even if you went down I could take my mail elsewhere, that would be more compelling.


Does Fastmail offer an auto-backup option? Or any other email provider?

You can auto-download from just about anywhere that provides standard IMAP access!

Even POP3 should suffice for backups. It downloads the complete emails by default anyway :)

POP3 is tricky when you use server-side rules to file emails into multiple folders. You can use + login to fetch each folder individually, but IMAP is definitely nicer to work with. And of course JMAP is coming!

Bron, I do (kinda) take backups of my FastMail account via an Outlook sync occasionally, but I'd really much rather you also had a Takeout-esque "one and done" download that included calendar and contact data and all. For my major online accounts, I like keeping an archive of these, compressed and dated.

Is there any chance FastMail will implement this anytime soon?


I use offlineimap (https://www.offlineimap.org/) weekly to backup my email from FastMail.

I really can't imagine shutting down with anything less than 6 months notice. Do people really do that?

The infrastructure I'm running on really is pretty cheap. The biggest expense by far are the databases, which run about $250/month for two. If I had to pay out of pocket to support even just a few users for a year, I'd do it.

Anyway I think the best paranoid option (no matter what mailhost you're using) is to set up automatic forwarding to a backup address. Or you can use imapsync [0] from time to time, which is a bit finicky but gets the job done pretty well. (I actually might try putting up a quick web interface for imapsync sooner or later to cover import/export use cases.)

[0] https://imapsync.lamiral.info/


> automatic forwarding

Misses sent mail though...

> imapsync

If the emails are deleted on the server doesn't the client just delete them too?


If you use mbsync, you can disable deletion synchronisation from the server (or disable it entirely).

As Fastmail, we also recommend that people get their own domain. Being able to move is prudent regardless of how good any one host is! Own your own namespace :) We would rather keep people because we're good, not because they're locked in.

For what it's worth, it's been a few years since I started moving from gmail to Fastmail and I couldn't be happier.

Thanks for that :) We appreciate you!

Another happy customer here! Incidentally this does not worry me as I don't use email for any secure or private communications and I don't think anyone ever should. At best any warrants will get a list of crap I've bought on Amazon and Aliexpress.

I get that email was not originally designed to be secure, but do you really not want to keep your amazon account, with your credit card number and home address, secure and private?

My amazon account has 2FA enabled on it.

Me too. Custom domain on FastMail. I'm not (too much) worried about AU's search warrants. My original move from gmail was because I got annoyed by the Google approach to everything. This said, if you happen to move the servers in a more privacy-friendly country I'd not complain.

I really don't understand the criticism. Fastmail have said that they will obey the law (all of it, not just this bit). The likelihood of them a) being required to assist under this particular law, or b) be able to provide the particular assistances required under this law are minimal.

The mail is encrypted at rest to protect against illegal access, not legal access. Fastmail are transparent on what they will or won't do. Where's the problem?

I'd be more worried about a programmer working on the bowels of OpenSSL or LibreSSL etc and being seconded by ASIO/ASIS/DSD than about companies.

I'm a long time (and very happy) fastmail customer and I have no problem with their position. Not because "I've got nothing to hide", but because if I did, I'd know not to use their service.

I deeply despise the telecommunications assistance act. I think it's badly written and comes from an inherently uninformed and impractical idea that you can legislate against people keeping secrets. I hope that the reviews in Parliament right now, and, hopefully, the changes to be made under a new Labor government, will remove a lot of the stupidity.


> Where's the problem?

- Backdoors can be used by hackers to steal money from you
- A tyrannical government can use your private emails to blackmail or leverage you
- A jilted lover working for the government can track you.

These are just the things that immediately come to mind. It's a huge problem. The government thinks it has a right to access speech between citizens. This is an incorrect notion. If Australian citizens choose not to fight this, they are enabling a turnkey totalitarian regime.


I'm guessing people are concerned about the width and breadth of the potential searches.

We've seen at least the US government have some fairly expansive requests in order to track down one single person, and they never delete the data once they obtain it. So a copy of those records will forever be outside of your control, potentially without you ever knowing it.


People built up unreasonable expectations about the security of the service, and the legal changes attracted attention.

End of the day, if you have a scenario where a third party is the custodian of your information, that custodian has control of it and will follow whatever legal framework that they are obliged to follow.


Just wanted to say Thanks for the good service. I'm a happy customer and I'm not planning to move. In particular I really liked recent iOS app updates. Good job!

I have a domain for my family with Fastmail. I miss the old family plan. The parents and children in our family have wildly different levels of email usage. A family plan would allow us to share pool resources instead of paying full price for barely-used children's account.

We are on a grandfathered plan now and are putting off upgrading to a current plan as long as possible because it's a huge price jump to start paying for my kids to have 25 GB of storage which they are barely using.


It’s awesome that you’re providing an affordable service for custom email domains, but it’s worth pointing out that Zoho has free email for custom domains. There’s plenty of good reasons people choose different email providers, but if cost is your main concern, then you’re competing with free.

According to Zoho's web site they don't have a free option. The cheapest one is one euro/month per user - not expensive, but not free.

There is a free plan on their pricing page [0], but this free tier is web access only.

[0] https://www.zoho.com/workplace/pricing.html


And because it's web access only, portability of email data is impossible (or crude and cumbersome).

Scroll a bit down and you'll see a "free plan" (above the FAQ).

It's not that easy to find, but it's there. As long as you don't care about using third-party clients (free plan has IMAP/SMTP disabled), it's a viable option. I've used it for a year or two before I've switched to FastMail and it worked fine.


I once spent an evening trying to establish an account on Zoho. It never worked. Free is not free if it requires hours of your time and causes frustration.

I'm a little bit skeptical, because you present very little information. Maybe it's all in the signed-in area?

1. I don't see anything about DMARC (DKIM, SPF) setup for your users. Do you provide DMARC?

2. Do you use shared ip's for all your users? If yes, how do you make sure my emails don't land in spam-filters, because of other users behaving badly?

3. Do you have a system in place and already experience to behave differently to different email hosters (e.g. send emails differently to gmail, yahoo or gmx)?

4. Do you provide spam-filters for incoming emails?

5. Do you provide support for email encryption and signatures (might be trivial, because it's part of the client, not sure about this one)?

6. What are your availability and reliability guarantees? What is your average/90%/99% delivery time and how often do you eventually drop an email? Will you inform me, when that happens?

7. How do you store my emails? Is strong encryption in place?

These are questions that I would want to have answered before signing up for such a service and they are the things that distinguish you from simply self-hosting emails for that money. It's also the reasons why I sometimes have to get emails from friends using their own domain from the spam-filter.

Sending emails is way harder than most people think (source: have worked in email infrastructure of a company sending billions of emails per month). Problems come especially, because email response codes are used differently across email hosters and it gets especially tricky when multiple independent users send emails over the same ip.


1. We require SPF, but don't have DKIM/DMARC yet. DKIM as far as I can tell doesn't actually... do... anything, but I need to look closer.

2. Same way anyone does it, I'd assume. Shared IPs, rate limits on sending, banning users who send spam emails. I'll likely need to hone exact approaches more.

3. Not that I know of? The mailserver I'm using might handle that.

4. Yea, fairly generic Spamassassin setup that I'm tuning.

5. I think signatures work through Roundcube, and maybe clientside encryption too.

6. I don't have SLAs yet (it's a beta!). My architecture allows for continuous deployment with no planned downtime, though. Delivery from gmail -> my servers and back seems to take about a minute as far as I know, but I can't answer the delivery time metrics without more data. You should get a bounce email on final delivery failure, which should take a maximum of about 208 minutes.

7. They're stored encrypted and compressed in S3, with an encryption key based off of a derivative of your password. Specifically: The encryption is AES/GCM with a per-message key encrypted by a libsodium crypto box, whose private key can be retrieved with a derivative of the user's password. The bucket also has AES-256 encryption in place.

Good questions! I'm going to work on documentation tomorrow. And yea, I realize that sending emails is going to suck.


Thanks for the quick and honest answers :)

About DKIM: It adds another layer of authentication to the email by adding a signature. It being absent isn't really a bad indicator, because unfortunately email headers might change during delivery. This will invalidate the DKIM signature. But it being there is a strong positive that the email comes from the domain it says it does. From another perspective: An email that might be filtered as spam without DKIM is more likely to go through with a positive DKIM result.


Don't SPF/SSL also provide proof that email comes from where it says it does? As far as I can tell, DKIM's advantage is to allow for direct message forwarding (not remailing), which is a fair use case, but pretty specific. In return it introduces a fair chunk of complexity to do right, with signing and message key rotation and keeping track of who you gave keys to.

SpamAssassin assigns small positive scores for valid SPF/DKIM/whatnot headers (and larger negative for lacking either), but it's not really an effective spam deterrent. Spammers can set up their own domains that pass all the checks (although I've heard they're having good times just sending from Gmail).


SPF authenticates the envelope-from domain, while DKIM authenticates the header-from domain. They're both useful, specially coupled with DMARC.

DMARC authorizes recipient servers to outright refuse email from your domain if it does not contain a valid DKIM signature, and/or comes from a non-authorized IP.

In short, SPF+DKIM+DMARC prevent email spoofing from your domain, protecting you from backscatter and reputation degradation.


DKIM/DMARC are fairly important. SPF, not so much, except as it pertains to DMARC.

For shared IPs -- suppose I am microsoft.com and I send official email through your service. I set my SPF record to the IP address you give me, from which all my email gets sent.

If that IP is shared, what's stopping someone else from signing up with you and then sending email that purports to come from microsoft.com?
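An added example, not code from any commenter or provider in this thread: a simplified DMARC evaluator showing how SPF and DKIM results combine with domain alignment, including the forwarding case and the shared-IP case asked about above. The domains, the DMARC record and the four messages are constructed; the organizational-domain rule (last two labels) is a simplification of the Public Suffix List lookup, and `pct`/`sp` tags are ignored.

```python
"""Simplified DMARC check (RFC 7489 logic) over constructed sample messages."""
from dataclasses import dataclass, field


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags; alignment defaults to relaxed ('r')."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str      # domain in the From: header (what the user sees)
    envelope_from: str    # domain in SMTP MAIL FROM (what SPF checks)
    spf_result: str       # receiver's SPF verdict for envelope_from
    dkim: list = field(default_factory=list)  # [(d= signing domain, verdict), ...]


def evaluate(msg, record):
    """DMARC passes if SPF *or* DKIM both passes and aligns with header_from."""
    policy = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.envelope_from, msg.header_from, policy["aspf"])
    dkim_ok = any(
        verdict == "pass" and aligned(d, msg.header_from, policy["adkim"])
        for d, verdict in msg.dkim)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # On failure the receiver applies the domain owner's published policy.
        "disposition": "none" if passed else policy["p"],
    }


# Constructed DMARC record for example.com.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

# Constructed messages, all claiming From: ...@example.com.
SAMPLES = {
    # Sent directly by the domain's own mail service.
    "direct": Message("example.com", "bounces.example.com", "pass",
                      [("example.com", "pass")]),
    # Forwarded unchanged: the forwarder's IP fails SPF, the signature survives.
    "forwarded": Message("example.com", "example.com", "fail",
                         [("example.com", "pass")]),
    # Sender authenticates perfectly, but only for its own unrelated domain.
    "unaligned": Message("example.com", "bulk-sender.test", "pass",
                         [("bulk-sender.test", "pass")]),
    # Another customer on the same shared IP: the IP is listed in example.com's
    # SPF record, so SPF passes and aligns. The receiver cannot tell tenants
    # apart; the provider has to refuse domains the account has not verified.
    "shared_ip": Message("example.com", "example.com", "pass", []),
}


def demo():
    return {name: evaluate(msg, RECORD) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The `shared_ip` result is why a shared-IP provider needs per-account domain verification on submission, and why a per-domain DKIM key alone does not close the gap when the shared IP is also in the domain's SPF record.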


For $50, FastMail gives you 25 Gb. That would cost $14 on your service. But they do not charge for sending/receive emails (which I think is stupid).

So we are looking at 14 + 4 +1 = $19 before you even send/receive emails.

I just did a quick look and it looks like I receive around 6000-7000 email a year. Most of it is advertising and notifications (that doesn't count SPAM emails which are countless and I hope you don't charge for). That's an extra 1.4 bucks.

I send around a thousand emails a year. That might seem much but it is actually very low. It is only 3 emails per day and you can do much more if you use email for personal and work. That's an extra 4 bucks.

So total is $24.4 assuming you stop your billing there. That's half of FastMail offering for a beta product which from the looks of it offers no interface.

I might come off as rude but I think you need to remove the pay-as-you-go billing and just bill something reasonable for a whole year. Plus offer something more than "Just Email"; like have a differentiating feature like security or privacy.


The thing about actually using Fastmail's 25 GB for $50 is that if you go even slightly over, you're going to need a $90 plan. Most users aren't going to use anything near that amount, especially since our compression is pretty good. (I'm not sure if Fastmail's 25 GB count is compressed or not.)

You're right that I need to add more value. My planned direction is more along the lines of utility than security/privacy, which I think Protonmail covers pretty well. There's a lot of interesting value-add to be done in email.

The pricing is more that we offer honest pay-as-you-go pricing, with caps to make sure you don't actually get a ruinous charge, in direct contrast to "billing something reasonable for a whole year". If you'd rather do the former, then yeah! You're really well covered in the email space already. But I think people are getting subscription fatigue, where every service imaginable wants its $5/month cut of the pie.


Hi Felz, I hope my reply didn't come as rude :) I was just suggesting. If you found customers interested in that kinda scheme good for you (the money does the talk after all).

But I still don't think your offer is reasonable. I consume around 600mb of storage, so if you go above 25gb you'll probably get a 20-30usd bill from the send/receive billing.

> But I think people are getting subscription fatigue, where every service imaginable wants its $5/month cut of the pie.

Exactly, so your solution is to complicate the billing process?

Here is a better deal:

- $xx/year fix

- $0.xx/year for storage

No other fees. Sending/Receive emails should not add to your overhead that much (unless the user is abusing).


I didn't take it as rude! I appreciate your input. And I agree that the billing will seem more complicated until and unless I can win enough trust that users realize the costs don't matter, because they'll come out ahead.

You're right that sending/receiving don't add to overhead much. The receipt is actually way overinflated right now, and should be down to a more reasonable number tomorrow (about $0.03/1000). I might just waive it completely if it complicates things too much.

Sending is much harder, because I need to deter spammers. I priced it significantly above Mailchimp's price for that reason. But the cost will definitely go down as my ability to detect and ban spammers improves, and we'll likely end up pretty much with a scheme like you're proposing.


As a less technical user, the number of sent emails is a little not straightforward to me. Like if I'm in a group email with 50 other people and I reply all, is that 50 separate emails or just one email charged?

I'm trying to think about how you could offer more reassurance. Off the top of my head,

- Offer a calculator so that people can estimate their own cost. A small improvement, probably not significant impact.

- Offer a customer to enter their current IMAP creds, give an accurate estimate based on past usage. A big improvement, but which would require significant trust from the prospective client. Hard sell.

- Offer a guarantee of some kind. "If you don't come off cheaper with Purely, we'll make up for the difference". Reassuring, but increases your risk.

- Up the price of storage, and eliminate the price of traffic. Storage is probably an imperfect but adequate proxy for total usage price, given that the pattern nowadays is to archive rather than delete (non-spam) email.


All good ideas. I think it'll also help a lot if in a year or so I'm able to say "99% of our customers only spend $X a year".

I actually just checked the storage price, and I notice that at some point I added a $2/10,000 charge to the equation at some point, which is almost all of the charge price. I'm going to remove that tomorrow, since it was probably just paranoia and not actual cost plus margin.


> Offer a customer to enter their current IMAP creds

A huge majority of users use free webmail providers, and the biggest players in that space all allow OAuth access to email. OAuth can be scoped down to just the access you need, whereas if you give out IMAP creds those can be used to wipe somebody's email account.

Also, at least in Gmail's setup [0], the IMAP password seems to be your "Gmail password", which is the same thing as your Google account password. Don't ask for this. You don't want to have these passwords enter your company's infrastructure.

[0] https://support.google.com/mail/answer/7126229?visit_id=6368...


I have a currently very low usage domain that I feel I'm paying Fastmail a fair bit for. I wouldn't mind if I was using it a bit more actively but presently I'm not.

I'll sign up to your service shortly; it would be very economical with my current usage!


Good to hear! I'll be sleeping soon, but feel free to email my support address or just comment directly if you have any issues.

Roger - it'll be in the next week or so. Just need the time :-)

> Fastmail's 25 GB for $50 is that if you go even slightly over, you're going to need a $90 plan. Most users aren't going to use anything near that amount

Except the users who already are storing 25GB of mail?

I have ten years of mail on FM. Even with multiple years of multiple heavy mailing lists, sending and receiving photos, etc., I'm at about 4.2GB.


Zoho Mail is free, thus a "cheaper" custom domain email provider than your "cheapest" paid service, which charges per email received (wtf?!) and sent (i guess..).

As someone else pointed out here, Zoho Mail is web access only on the free tier. So you cannot move your emails to another provider unless you pay. So it's not really free in every sense.

For anyone thinking Zoho Mail might be a good idea based on this, I'll save you some time. From https://www.zoho.com/workplace/pricing.html:

> Up to five users.

> 5GB/User, 25MB attachment limit.

> Web access only. Email hosting for single domain.

That "Web access only" is pretty crippling.


I've heard so many arguments against this, I don't know where to start.

Make sure, for starters, that if you use a custom domain for your email, you use a registrar with stellar security practices, as opposed to Namecheap, Godaddy, and many others that have shown deep flaws with vulnerabilities to social engineering. Otherwise, once someone has access to your domain, they have access to your email, which is the keys to the kingdom.


What registrars would you suggest?

Gandi, Hover.

Cloudflare is in the DNS business now as well. It is pretty straightforward.

Do you recycle emails like Fastmail once people stop paying?

Yes, which is part of why I recommend getting your own domain. (Although you gotta pay for that too.) Is that a big issue for you?

"Recycle"? Does that mean that abandoned email addresses are given again to other people? That would be terrible practice. Hope I misunderstood.

All of the big commercial email providers do that.

Google is perhaps the biggest commercial email provider and they never release old usernames. That would be a huge security problem.

Google will not throw away any chance at regaining their lost product (you). So certainly, they are the exception. Without user data, Google would no longer provide email. If someone else started using your identity, then their tracking, big-data and stats would be less useful.

Of course. It's a security nightmare.

I love the honesty on your website. I feel like I'm being treated as an adult. Signed up.

Please don't change, even if you get much bigger.


Well, thanks. Feel free to let me know if you come across any issues.

I'll definitely try not to become full of bullshit :). I hope it's not as inevitable as it seems. (It probably helps that there's no VC funding involved, and I can stay small.)


Your pricing, while fairly transparent, is too complicated for most people to figure out what they would be paying.

Even I'm put off by being charged based on the number of emails I receive - why should I pay extra if I get a lot of spam that should be caught by the spam filter?

You have up to 6 different types of fees you're going to charge and no easy way for me to figure out what my numbers would end up looking like (Your $7.72 amount means nothing to me since I have no easy way to compare your estimates vs my usage).


THANK YOU for this, I will definitely check it out. The pricing of most email platforms, including FastMail, is simply ridiculous. And if you complain they'll tell you that, well, all other platforms cost roughly the same! It's basically an oligopoly.

Yea, that was my reaction too some months ago when I was looking to move away from gsuite, which was beginning to get ridiculously slow and expensive. (Seriously, what is gmail _doing_?)

We have this weird dichotomy in services pricing that's either free or pretty expensive. If you're a free customer, you're not a customer. You're a potential customer in need of sales. And everyone is looking for the features they can put behind a pricing gate.

Let me know if you run into any issues!


Fastmail is the best webmail outside gmail.

Fastmail provides webmail that is faster to sync than gmail (seriously; I use fastmail for personal and gsuite for work all day); a calendar; and a nice little notes utility. Be warned it's fidgety to sync fastmail calendar on android because you'll have to use a 3rd party app. But again, worth it to de-google your personal life.


I'm always on the lookout for email providers who protect privacy and are cheap. I have three suggestions for you.

Firstly, as others have stated, your pricing is way too complicated for anyone to understand and figure out how much they would be charged. It would be better to make some assumptions and go with pricing based on account, aliases, storage, etc. Your current pricing is almost like one of those cloud service pricing calculators. Very nice in theory for paying based on usage, but practically next to impossible to make any sort of cost estimates on.

Secondly, your privacy policy is very short and doesn't give a lot of comfort. Take a look at Posteo.de to see how privacy is handled. It's one of the best that I know of.

On pricing, also compare with mailbox.org.


So where is posteo.de pricing and sign up? I can’t find it.

Sign up is in the header bar (Button named "Sign Up") and a second option is in about the middle of the start page. Pricing is mentioned both on the signup page and on the start page, starts at 1 EUR/month.

Using smaller iphone, sign up is nowhere. Not in the hamburger, nowhere else.

Thanks for the suggestions! I'll look at the privacy policy again and see how I can make it more clear that we're not abusing users' trust.

I did look at mailbox.org. It's about double for their lowest monthly plan, which is reasonable.

Where I hope Purelymail will shine is that it scales a lot more naturally (once you hit mailbox.org's 2 GB cap, you upgrade to a plan that's 2.5x more expensive), it enables use cases that'd get you frowny faces from other providers (because we charge appropriately), and there's no surcharge for things that don't actually cost more.

Want a dozen usernames? Sure, whatever. Need a hundred users? Sure. Store 2 TB of mail for some reason? We've got you covered.

The downside, as you point out, is that the pricing gets a bit scary and I need to work on making it feel safer.


I am too flabbergasted at the complexity of the prices.

Maybe a good idea would be posting a simple online calculator or a downloadable spreadsheet?

As a further side note, I don't understand (for an end user) the reference to:

>Emails sent: $4.03 (if sent externally) or $0.03 (if sent within the same account) per 1000 plus $0.18 per GB

I mean, while sometimes I talk to myself, I never wrote to myself, set aside internal company e-mails, which e-mails are not "sent externally"?

Or am I misunderstanding something?


Domains could be used for groups, like families or companies that send internal email.

Yep, that's why I specified "end user" and "set aside internal company e-mails".

I never thought about the idea of having a "family domain", it could be a nice idea, though I guess its naming could be a possible venue for in-family disputes?


Rather than having in-family disputes, I've had relatively poor luck giving away vanity email addresses to family members. There's a lack of understanding and interest in how the email address would work in combination with an existing email account.

My name is "Mark Stosberg" and my email is "mark@stosberg.com".


Yep, I meant that:

1) my mom won't have an e-mail address with the surname of her first husband (my dad, passed away)

2) my brother-in-law (brother of my wife) surely won't have it

3) my cousins all have different surnames

4) my wife may accept one, but I talk with her every day and when we don't meet or talk via phone we tend to communicate via post-its on the fridge or similar


The pricing would definitely be much easier to understand with a calculator.

However, I have no quarrel with the approach to pricing here. In order for a service like this to succeed with very established incumbents, it needs to differentiate itself enough to carve out its own niche.


Sent externally means to a different account or provider. So basically, sending email to yourself or other users using your account is much cheaper. (There's no spam worries there.)

> Let's get straight to the point:

> We sell email.

You do what with my mail ?


Hah, you're right- that's terrible phrasing.

I’m yet to hear if anyone is using WorldPosta, which is competitive and uses MS Exchange.

I am paying for personal email, internet connectivity, virtual servers and other services, and I don't think I would ever use such a service for personal purposes that isn't flat-rate. I don't actually use a lot of resources; I just wouldn't want abuse, security issues or other irregularities to threaten my ability to eat.

I'm not sure it's a winning proposition to have variable rate email services aimed at individuals or small companies.

People prefer to know up front what something costs, and I imagine they'd even rather pay double or triple the "real cost" if it means they don't have to think about it any more.


I am on google’s grandfathered free tier for my domain. Recently it has gotten annoying with new google products since they have to be supported by g-suite for you to use them. So I recently was shopping around for a new host. Basically I’m a non-business user who is probably in your target market.

As others have said, your pricing is unpredictable and hard to compute. As I’m evaluating you with competitors, I’m not going to invest the time. In my experience, when a company makes it hard to know what you’re actually going to end up paying, you usually end up paying more than you want (see: Verizon).

From a business perspective, it seems to me your value proposition is that you are striving to be the cheapest email provider. I think you should consider the kind of customer this attracts. The sort of person who thinks a few dollars a month per email address is too expensive is going to be high maintenance. If you want this to be sustainable, I think you need a different angle. Consider that all these other email providers basically charge around the same amount. That isn’t an accident. I don’t know the email business, but I assume it needs a certain margin to actually be sustainable and these guys have landed in the right ballpark.

If you’re looking for business customers, then your pricing is basically rounding error compared to the other guys. It’s not materially different enough to matter for a business of any reasonable size to be worth having as a customer. In fact, the lack of predictability is a major deterrent. Businesses need to create budgets and every variable cost adds to the complexity of the forecast.


Look into migadu. :-)

> Recently it has gotten annoying with new google products since they have to be supported by g-suite for you to use them

Interesting - which products has this been an issue for? I'm on the same grandfathered GSuite deal and used to have this problem, but haven't in a while.


When I set up a Chromebook (without enterprise activation) about 18 months ago, I ended up with an individual Google account for my free-tier GSuite email address. I'm not sure if it was a Chromebook thing, a Chrome profile thing, or a problem between my Chromebook and my chair!

Google home calendar integration :(

I was flat out unable to use the family sharing feature of YouTubeTV. Support from Google was helpful but they didn’t have much to offer in the way of a workaround. They researched it and basically told me to get gmail accounts for everyone in my family or share my google account with my kids (!!!). Interestingly, I asked if I switched email providers if my account would revert to one that would allow family sharing. They couldn’t guarantee it.

> The sort of person who thinks a few dollars a month per email address is too expensive is going to be high maintenance.

I have to disagree with this. Any email service that costs several dollars per mailbox per month is way too expensive for most people who tend to have more than a few email addresses, including shared ones. In many cases these may not be conducive to be trimmed down using aliases.

Take a look at Posteo.de, mailbox.org and Runbox.com. All of them are highly privacy focused, been around for several years, and also provide email for a low price. With prices of hardware going down, even those prices sometimes look high when you see the storage quotas, the low number of aliases (except Runbox), etc. (I concede that hardware is just one part of the solution, but see what Migadu.com says on that front).

Setting up a family of users even on Fastmail’s lowest tier (without own domain support) would soon become quite expensive, not to mention the standard plan.


I checked out Posteo and noticed on the sign-up page it does not allow certain symbols in passwords. I get the error message: "[password] is invalid (must have at least one lower case and one upper case letter as well as one number or symbol - diacritics and exotic symbols are not allowed)" Wonder why that is.

I have no idea why they disallow those. But you could email them and ask. They usually respond in a day or two.

Side note: Posteo does not allow own domains (you can only choose from the list of Posteo.* domains that the company owns). The reason for that is mentioned in their FAQ (in short, the company doesn’t want to have or store customer identifying information wherever possible).


Posteo are the guys who don't allow your own domain, only posteo-owned domains.

When you ask them about it they will lie and tell you that it's not technically possible.

Most people have no idea what a MX record is and that other providers support own domains, so they fall for it.

Obviously they depend on customer retention by customer lockin.

I hate people who directly lie like that for their monetary benefit. So I would never go anywhere near them.


I asked them (Posteo) about this 2 weeks ago and below is the response I received. I'm not an expert in this area, but the response sounded reasonable to me:

> We do not offer domain services because we do not save any personal data for any of our services. This is not possible with domains.

> Domains must be registered to a person’s name and address. As a provider, we would be required to store inventory data for all customers that use their own domains with us. As a result, we would have to provide this information to government agencies when requested.

> Additionally, security reasons also play a role in this decision. With customer domains, the owner of the domain is responsible for setting up security features like DNSSEC (and as a result also DANE). Even things such as SPF and other protocols for delivery would lie in the customer’s hand and could not be guaranteed by us.

> Because of these reasons we have decided not to offer domain services and instead to remain consistent with our focus on data economy.


I got the same mail two years ago, I think (haven't kept it, but the "reasoning" sounds familiar).

See, that's just half-truths that amount to lies.

They claim they need to store personal information about you when you're using your personal domain.

That's untrue. Only if you registered the domain with them they would need to know about you.

It's also untrue, because unlike .de, many other TLDs don't require full names and addresses in WHOIS, or there are "privacy shield" services like the one nearlyfreespeech.net is operating.

Security reasons.

Also untrue (although it's a reasonable business decision that they don't want to handle customers calling their support with the customer's own domain set up problems).

I continue to claim that there is exactly one reason they are refusing: A customer with a *@posteo.de address will pretty much never leave.

I wouldn't mind very much if they admitted that, it's certainly a geeky niche to serve, but this security-and-privacy bullshit really makes me mad.

Do you want to trust your privacy with a company that's lying, even if you wanted to argue that it's a white lie?


I’m not arguing that there aren’t people who have legit reasons to want to pay less for email services. I’m arguing that if the OP wants to run a profitable business, targeting that particular demographic is unwise. Hobbyist/tinkerer types have high quality expectations and will absolutely suck more support time and energy than, say, a busy dentist’s office who just wants to pay money and have their email work for 20 employees.

Can anyone comment on good/bad domain extensions? Ie, aren't some domain extensions bound by odd nation specific rules? Namely, the ones that represent countries that we like.

I have a `.la` but I'm unsure if I want to put my email behind it. Thoughts?


I generally recommend .com. You can still get a pretty decent domain name if you try a bunch of options and put some thought into it. (It has to be 5 letters or above; I recently confirmed that every 4 letter or fewer domain name is taken.)

.com has legitimacy, it's not going to have hiccups (some country code domain names are pretty iffy, like .io had issues a while back), and contracts with ICANN ensure it's not going to extort a huge price out of you.


Yea, perhaps I'll snag the .com version of my .la - I'm keeping my .la for naming reasons, but I just don't know if I want to bet email on it. Appreciate the comments, thanks.

Have you tested your service using https://www.emailprivacytester.com yet? I would do it myself, but you don't seem to have a free tier

You need to make the pricing much much simpler - less math acrobatics = less friction in the decision process for the customer. Take a look at Migadu as an example of simple pricing - how many emails do you need to send per day? Many of your pricing components are items that most users will simply not know at the onset of the signup process to make a valid comparison.

> If anyone's considering moving their email addresses over this, please take the time to get your own custom domain to host email on. That way you can switch providers more easily and actually own your email address.

Seconded. I'd also add make that domain a .com, .net, or .org.

Yes, some of the other TLDs are cheaper, especially since they started making TLDs for almost everything. But spammers have jumped all over those, using them in from and return addresses. I suspect that a fair number of people have black holed email from entire TLDs due to this.

I know I have. I'm currently dropping all email from domains under: accountant, bid, christmas, click, club, cricket, date, download, faith, gdn, gq, help, info, link, loan, men, party, press, pro, racing, review, science, site, space, stream, team, top, trade, uno, webcam, website, win, work, xyz, and zone.


I just need a quick and dirty redirect. I suppose your webmail client supports that, right?

It should support that through Sieve (filters, basically). If you want to redirect a whole domain, that's a routing level function.

Related: Mozilla may treat Aussie staff as 'insider threats' to code base

https://www.itnews.com.au/news/mozilla-may-treat-aussie-staf...

https://news.ycombinator.com/item?id=19243630



Shouldn't all staff be treated as threats really? Esp. on projects with global impact (and hence global interest in compromising).

Don't know why this got downvoted; it's difficult and expensive to build systems that require multiple coordinated actors for critical changes, so few companies do, but that doesn't mean it's not a risk.

https://www.pcmag.com/news/366493/email-providers-servers-wi...


Given Yahoo's experience, yes.

The guy in charge of security and data access had a backbone and a reputation, so when somebody wanted a backdoor they simply went around him and got other people to hide it. (Which, of course, meant that the experts didn't review it and the thing was insecure.) I don't think Mozilla is wrong to treat Aus staff as a possible source for government privacy intrusion, but by that standard they really ought to view US (et al) employees as risks too.

Of course, the Yahoo compromise was allegedly approved by Marissa Mayer and corporate counsel. (Which suggests some ugly things about trusting behavior up the corporate ladder.) I guess that could mean Mozilla expects a US intrusion to show up at the executive level, while an Australian intrusion would be more likely to threaten random employees with legal consequences.


Yes. The number of cases where insiders were suspected or proven to be part of some issue is quite large. And this includes executives.

Yes. It was part of why certain assurance activities were in TCSEC at B3/A1 levels. It's why they had to model every behavior, every information flow, allow independent replication, and allow building from source locally. Leaves little room to hide backdoors.

https://en.m.wikipedia.org/wiki/Trusted_Computer_System_Eval...

DO-178C also traces code to requirements to spot dead code or back doors.


It saddens me when I’ve been a Fastmail customer for 4 years, happy with the pricing, happy with the service as a temporary resident my only way to make a stand about the laws is to move away from Australian service providers. I’ll likely start migrating mail shortly after purchasing a .dev domain.

If it wasn’t for my Australian partner I’d likely have left by now as tech work is limited here, severely behind places like London, currently feeling like it’ll be difficult to progress beyond where I am now within the AU. A lot of it is also now dubious big data, i.e. what can we snoop on to sell you more or sell the data collected for dubious purposes.


Gee, it's almost like the political grubs had absolutely no idea about encryption and how it works and how it will be virtually impossible to implement these stupid laws. Who would have thought that's the case? So very disappointed in all politicians at the moment, in my opinion, they're all scum bags.

I was surprised to learn last month that "you can impersonate other Fastmail customers by just spoofing the email address".

https://news.ycombinator.com/item?id=18996200#18997054


Not surprised - I dumped Fastmail when Australia passed a lot of intrusive and anti-privacy laws. And as it is a part of the 5 eyes program.

I'm a long time Fastmail customer and will consider moving over this. I would prefer Fastmail moved their servers and place of business incorporation to an encryption and privacy-friendly country.

Why? Fastmail always complied with warrants to get your data, so nothing changes because of this law. If you want to hide something, encrypt your e-mails before they reach Fastmail (and do the same regardless of provider you use, why trust anyone?)

It's a signal to Australia as well as to Fastmail. I like Fastmail. American companies invert their corporate structure to avoid taxes. They become Irish companies with an American subsidiary. Fastmail can become a Dutch company with remote employees in Australia. If the law is seen as having negative economic impact on the tax base, perhaps it will change. Undermining encryption for some weakens security for all.

If I leave Fastmail, I think I'll most likely switch to self-hosting email with Helm instead:

https://thehelm.com/

For a family of four, the annual cost would be about half of Fastmail's standard plan.


There is the change that warrants are apparently not needed anymore. The PDF linked in the article says that there's now no judicial oversight over these requests.

I haven't decided myself if I'll switch, but if I do, it's more of a matter of principle. I just don't like how the world is becoming more authoritarian-like, and I feel it will continue to move this way unless people demonstrate their unwillingness to put up with such policies.


Because, at least to articles I've seen, this could be read as the requirement to implement backdoors. And that would be different than what FM did before.

I actually thought about switching over this, but I found no service that gives me the same features that FM has (fast web interface, calendar, fido u2f, aliases, send as aliases, custom domains, dmarc SPF and all those acronyms, good support) even if I would be willing to pay whatever (and I was grandfathered into the old $70/2 years plan on FM)


Their servers are at the New York Internet (NYI) in Bridgewater, New Jersey, USA, with secondary sites in Seattle and Amsterdam. Should it instead be the country where the company is registered that ought to be changed? (How do you move a business across country lines?)

If I may, I want to share my recently pleasant experience with MailU[1]. I am in no way related to them, but it worked very nicely, it wasn't difficult to setup, and it sorts a lot of things out that have always been a pain for me when setting up my own mail server.

[1]: https://mailu.io/


Also I learned recently that Australia's internet is getting more censored every year: https://en.wikipedia.org/wiki/Internet_censorship_in_Austral...

When I saw the most recent privacy stripping law pass (maybe 3 months ago?), it pushed me to move everything to my own custom domain. I also signed up with ProtonMail and have started the migration.

I’m not the only one, people I know who have used FastMail for years have decided to jump ship.


I understand the concern over the law in general, but I don't agree with the sentiments about email in particular. Email is not and should not be considered completely secure, so if that is a need, something else should be used. In my opinion, the Australian law does not make it any more insecure or less private -- everything that could have been obtained via warrant prior to the law's passage is the same data that is accessible with it. If that's a concern, set up your email in a different jurisdiction.

I am currently a FastMail customer because I like the product, and this does not make me think I need to move. Unless something else changes, I'll keep it where it is.


No technology is completely secure. Email is particularly bad, but there’s a huge gap between what a secured system would allow, and what one without encryption at rest allows.

Without encryption at rest, you can grab all non-deleted emails for the entire population in one go.

With due process and encryption at rest, the most authorities can do is get a warrant to sniff smtp relays to selectively catch emails involving a single user while they are in transit.

In practice, unless the target is an ongoing criminal operation, the latter option is more difficult and less likely to succeed than other investigative options, so the fact that it’s possible is nearly a moot point for law abiding citizens.


I put a few domains on FastMail for family members to avoid using Google and also avoid using my fascist BOFH mail servers.

They know that if anything is sensitive, they and their friends will need to pgp or 7-zip encrypt the payload. I will gladly continue to use Fastmail if that is the only way to keep people I care about from staying logged into Google.


Yes, I just moved from free gmail to fastmail mainly for privacy: hope they can solve it, 'cause I like fastmail, a lot!

Yes they are. I decided to leave O365 business and was ready to switch to FastMail when this law was passed. I decided to keep looking and found German mailbox.org and chose them instead. So far so good.

I am a happy FastMail customer. The service is great, it is indeed fast and they're a small company devoted to doing email and serving their customers.

I don't plan on leaving FastMail.


Here is FastMail's response to the Government inquiry.

https://www.aph.gov.au/DocumentStore.ashx?id=ec39b475-9559-4... [pdf]


I'm currently in Western Europe waiting for the delivery of forms to cancel my Australian business number, this law has destroyed industry confidence in the Australian government for customers and service providers.

Even if rolled back, the political and social environment that spawned it remains, and committing to development resources in Australia now is a fool's errand if you have any alternative.

