Exactly correct. We already share customer emails under limited circumstances and for explicitly requested accounts only (we've never participated in dragnets and we don't believe this legislation will require us to either).
We have a standard process for verifying each request with the AFP and ensuring that they have followed due process to get a warrant for the data. We strongly support (also spelled out in that submission) keeping judicial oversight of requests - which this legislation does still require for the access requests themselves - hence saying that nothing has changed for us, since we have existing capabilities and we already respond to legal requests.
tl;dr: The law passed doesn't affect FastMail at all, and your data is at least as private with FastMail as it is with Gmail, which also responds to lawful government requests for your data.
I have heard back from our privacy team and I’d love to share their response to your query:
Thanks for reaching out to us about the recent bill in Australia. We love that our customers care about their digital rights and want to find out more about how companies are looking after their information.
Your data is held in datacentres in the US, but we require all requests for access to customer content to be served through Australia where our company is headquartered.
The police can't intercept, access or modify your messages without us receiving a warrant, and we take our duty of care seriously. Fastmail responds to well formed warrants only and challenges requests for access that are inappropriate, either in scope (not adequately targeted), or depth (asking for information that seems out of proportion to what's being investigated). We will continue to do so, for any legislation that applies to us both now and in the future.
The new bill still doesn't allow 'trawling' for suspicious data: they can't request access to a wide variety of accounts hoping they'll come across something of interest. They need to have a particular account under suspicion and something that gives them grounds for that suspicion, and the offence in question needs to be suitably severe to be worth the intrusion.
Where we are permitted under a warrant, we will notify the accountholder of the access request, and due to our existing measures to help customers stay aware of any hackers compromising their account, police can't also enter your account without leaving evidence you can see.
What this means for you: Fastmail remains a privacy-first provider. We will comply with our legislated duties, while taking care to ensure that we do not act unless compelled by law and that all legislated preconditions have been properly satisfied. Your data remains under your control and you can rest comfortably knowing that your account won't get caught up in a surveillance net.
Please let me know if you have any other questions.
Sincerely,
Basically any company is going to turn over any data they are legally required to do so. The US is not that much different. Plus the US has a law that says any data older than 6 months does not need a warrant! I see a law was introduced to prevent that, but I could not tell if it passed the Senate and was signed.
> "We're advocating for privacy, but we aren't going to try to offer you any."
Your tl;dr is not quite accurate.
All companies, including FastMail, have to cooperate with local law enforcement. But there are different levels of cooperation. FastMail's level of cooperation, according to TFA, is, "Show us a valid warrant, and we'll show you exactly what you asked for, nothing more".
Certain other companies might be more cooperative, handing over user information in response to informal (warrantless) police queries, or handing over information to copyright-enforcement lawyers who write threatening (but not legally enforceable) letters, or handing over more information than is specified in a warrant. (I can't remember specific examples, but they get mentioned on HN now and then).
So FastMail is stating it will try to limit privacy violations as much as it can, without violating Australian law. This is not total privacy, but neither is it the same as "we aren't going to try to offer you any".
(Not affiliated in any way with FastMail, not even as a user)
I imagine they have to conform to those laws for their email service. And, given that they're a big company with plenty of lawyers, I have no doubt they are. However, this probably changes nothing about the core product.
Australian here. The law passed on Thursday is a massive concern, but in the case of an email provider there isn't as much of a change from what they could already do (TCNs aren't necessary -- they fundamentally already have collection capability unless you are using PGP for everything).
However there are some other worrying changes like the fact that TANs and TARs are secret and have no judicial review. Warrants (even the new computer access warrants that were passed in the same bill) have judicial review. But at the end of the day, they'd be serving a warrant to fastmail, not you.
Personally I use mailbox.org, and one of the really nice features is that you can give them a PGP public key and they'll encrypt everything you receive. So in the case of a warrant (though Germany has different laws on that matter) they could, at most, get the contents of new emails.
I understand the concern over the law in general, but I don't agree with the sentiments about email in particular. Email is not and should not be considered completely secure, so if that is a need, something else should be used. In my opinion, the Australian law does not make it any more insecure or less private -- everything that could have been obtained via warrant prior to the law's passage is the same data that is accessible with it. If that's a concern, set up your email in a different jurisdiction.
I am currently a FastMail customer because I like the product, and this does not make me think I need to move. Unless something else changes, I'll keep it where it is.
I have no illegal or incriminating emails. So I'm not worried about that. What bothers me is that overly broad requests would see all sorts of my personal life unrelated to the request. What pizza I ask my wife to order, private jokes I may share with my close friends, and things like that. Stuff that is my (and my family's) personal life.
None of that content is illegal or even unethical, but it's my personal data and I'm concerned that others will be looking over it or causing it to be some kind of public record because they are too lazy to filter out the unrelated stuff and just want to enter all of it as exhibit A.
I expect (hope) that strong laws will be introduced soon to address these issues. We're all in the same boat with cloud data and big corps being the gatekeepers.
So let me see if I have this right - Fastmail will give the Australian government access to your private correspondence, but only if said government proves to Fastmail that you've been involved in a crime?
So their default position is to give access - with checks and balances, but still to give access.
Why must the default be that governments get access? That's NEVER gone well in the past, why should now be any different?
Companies have to build tools that grant any law enforcement agency access to whatever data they want on whomever they want. For an email provider, these tools could include a search function that lets them look through every email on the platform. Or they could just ask them to mail them a daily dump of all new messages on a floppy disk. The point being, FastMail can’t tell the world what assistance and access they’re granting the government and there is no oversight or even transparency that could spark public debates on what is reasonable and what isn’t.
I was just using the sign in via FB or Google as an example of times where user might not know what they are consenting to. I wouldn’t assume this gives the 3rd party access to my emails.
This is exactly where we need congress to step in and regulate personal data.
I’ve built rest APIs at work and I almost always restrict this type of behavior. Why weren’t they only given access to create PMs and update PMs they create? No requests to pull all the PMs of a certain user.
Minor correction: I believe your case would require a technical capability notice the first time it was done. Assistance notices are “help us with the tools you already have” and regular warrant stuff, whereas capability notices are “you must develop the capability to help us”, and come from the Attorney-General with approval from the Minister for Communications. (A good summary of what this stuff means: https://www.homeaffairs.gov.au/nat-security/files/assistance....)
But I also don’t think that this stuff would actually apply to Apple or Google. It’s part of the Telecommunications Act, for carriers and carriage service providers, which, while broad definitions, probably exclude them. Back when I worked at Fastmail (2017–2020), Fastmail as an email service provider was considered subject to that act for data request purposes, but the footnote at https://www.fastmail.com/blog/advocating-for-privacy-aabill-... indicates that in 2021 they were able to change to using the Crimes Act and such instead, so I’m not sure if they’re even subject to the Telecommunications Act in this way any more (not that the A&A Bill affected them anyway since they don’t do E2EE), and Apple and Google’s app stores feel like they would be even more out of scope. But I don’t know; there’s quite a bit of legislation I’ve paid close attention to, but the Telecommunications Act isn’t among that collection. And even if these app store companies aren’t covered by this stuff now, there are probably other governments out there that can already insist on this sort of thing, and plenty of future prospects, the A&A Bill showing how easily this sort of thing can be shoved through.
Maybe. They'd have to issue that warrant to our datacentre operators though, not us, because there's nowhere to send the documentation. And then they can compel our datacentre not to talk about it, if they like, but they can't stop us talking about it.
Really though, the point of all this isn't to say they can't take our servers - of course they can, via legal and illegal means. The point is more to say that they can't do it _quietly_, which greatly raises the bar, because now you've got a PR shitstorm to deal with.
But really, it's not going to happen, because we have good legal processes in place. There are proper channels from most countries in the world to the appropriate Australian authorities, and from there to us, and once that request comes in we service it and that's that.
If you want reasonably secure and private email, and you're not doing really dodgy shit, we're probably a safer choice than many. But we're not selling a privacy service, just an email service. If privacy is 100% non-negotiable for you, then you'll need to look elsewhere.
Definitely this only applies to government (esp law enforcement) requests.
Re: does it just protect US citizens or everyone's emails: dunno. That's a great question. My guess is that it's aimed at US citizens but I imagine agreements like privacy shield may extend those rights to some non citizens. IANAL though and am mostly speculating.
> "Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act."
The new laws would apply to something like Whatsapp or Signal, which do not have the ability to access the communications of users (thanks to end to end encryption). Fastmail already has enough access that if a legal demand is issued they can hand it over.
> After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record.[6] This means that a subpoena instead of a warrant is all that's needed for a government agency to force email providers such as Google's Gmail to produce a copy.[6] Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.