81 comments

[ 3.2 ms ] story [ 147 ms ] thread
"The circle of trust"

Please.

This is, of course, why they’ve qualified the association as being a personal one. “For us,” the circle represents…

Implying that this interpretation may/should be true for others comes across to me as self-serving, though. You can attach whatever meaning you wish to a circle, but unless you make an actual effort to convey that meaning, then a circle remains... a circle. And they haven’t made any effort to do so here.

IMO, They’re just serving up a big cup of hyperbole for anyone willing to take a sip. Par for the usual corporate course, I guess.

Indeed -- I'm a less-happy user now. The landing page of blog wastes the reader's time with big substance-free cartoons, a variable-column layout, and absence of any item date indicators. You'll need another click on the "Archives" button to get to a useful listing.

And how about this gob of drivel in the announcement:

> ... makes it easier to talk about why it's important to feel good about email.

Meanwhile, documentation of essential features has gone stale:

>Keep in mind that U2F is not enabled in Firefox by default. >Good if you want the best security and you're only using Chrome. https://www.fastmail.com/help/account/2fa.html?u=04c140b1

U2F 'security.webauth.u2f' is enabled by default, at least for the 67.0.4 Linux build, current on Ubuntu 16.04.

Instead of spending money on a redesign you don’t need, make your service cheaper. Now that’s something I’d celebrate.
Can you explain why you feel the service is overpriced? Do you feel the service is overpriced or would you rather pay the same price and get more features? If so, what features would you want?

Pricing can be a legitimate discussion but your original comment was rightfully downvoted for sounding like whining and not providing much substance.

I think it’s too expensive given its marginal cost, and I think it’s because they have no competition. (No, end-to-end encrypted services like Tutanota are not competition because I can’t use IMAP.)
How about Migadu? They even have a free plan if you can live with a promo signature.
Fastmail doesn't have enough competition. They have mail, contacts, calendaring, and lots of focus on UI/UX.

That last part costs but it makes a huge difference. I've used GMail, Outlook (including web), Yahoo, Fastmail, desktop clients, and more. I found myself using Fastmail more efficiently than the others. I was faster at email.

That UX/UI isn't a commodity. I wish it was.

Assuming FastMail’s revenue is $10MM and the rebranding marketing work cost $250k, and lasts three years, you could see a 4c/mo savings on an individual account. You’re probably better off hoping they can use their brand to achieve greater economies of scale to keep more substantial costs down.
Interesting, could you point me to the source of the $250k?
There isn’t a source. It’s just a rough estimate based on what agency work and their internal salaried time might cost.
So it's just a random number. Based on the CI projects I've been involved in its around $1M.
It’s based on projects I’ve been involved in, but yes, the potential amount could range a lot higher.
Fastmail is quite expensive for people who need several mailboxes (not aliases). For anyone with that kind of a need, the cheapest options I've found for emails are Migadu and mxroute. Both support unlimited domains and mailboxes for a reasonably low fixed price. Go check the prices and compare with Fastmail. You'd be surprised!

Migadu doesn't charge for storage space, but its pricing is based on the number of outgoing mails. Mxroute has tiers based on storage space.

Migadu has a free tier that you can use forever if you have minimal outgoing email requirements. It's also a good way to check its admin interface. Mxroute has no free tiers or free trials. There's no way to know how it is without paying and signing up.

Migadu is based out of Switzerland, with its servers in France (a Nine Eyes country). Mxroute is based out of the U.S. (a Five Eyes country).

Neither of these two providers come close to Posteo, Mailbox.org or Mailfence on their privacy statements or stance.

Considering the amount of changes this article is extremely light on details.

Does "new website" mean marketing website or a redesigned web based mail app? I'm assuming this is just marketing/branding changes given it's written by a marketing person.

After seeing this article, I reloaded my open Fastmail browser tab. I see a new logo in the upper left corner and a new favicon on the browser tab. Looks the same to me otherwise.
The webapp is still the same, at least for me
If the screenshots on the landing page are any indication, the overall design, both on the desktop and mobile, looks to be the same but with a new logo.

I can't check it myself because I closed my account with them a couple of weeks ago, so maybe a current user can confirm.

Out of curiosity, what lead you to close your account? I only switched to them fairly recently and I've genuinely been very, very pleased with their service.
I was quite happy with the service itself, but I'm not using email enough to justify its monthly price. They're a great company, and I hope they're around by the time I need their services again!
Will the app finally work with 2FA authentication? This really is annyoing if its impossible to use the mobile app.
Maybe I'm misunderstanding something, but I have been running the app for years now with 2FA turned on.
I'm talking about using security keys. Not TOTP.
I have been using fastmail with 2FA on the Android app for months now. I haven't had any problems.
Isn't Fastmail a Australian company?

You forgot to mention about new backdoors.

Yes it is. Backdoors are guaranteed.
Whoa. I hadn't heard anything about Fastmail's backdoor concerns [0]. Thanks for bringing it up!

[0] https://reclaimthenet.org/fastmail-australian-encryption-law...

Yikes. I hadn't heard of this either. Reconsidering my email host right now, and that's a shame because I really liked Fastmail.
This is the only reason why I did not go with fastmail. I am still looking for an alternative to gmail though...
I've been using posteo.de. I haven't heard anything negative about them, they're not terribly expensive, they support IMAP (unlike protonmail), and support is excellent (had issues syncing contacts to a BBOS10 device they solved immediately)
Making your decision based on that doesn't make sense, because it doesn't affect FastMail at all. They're not an end-to-end encrypted service. They can already access all of your data without a backdoor (and need to be able to, to provide features like search).

More info in this blog post, specifically under "The AABill doesn’t change your privacy or data security with FastMail": https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...

Is there any country left in the world where you could roll out a service like this without backdoors and with freedom of speech?
Fastmail could always have been compelled to give up the contents of their servers, just like any other company anywhere else. The new laws only change anything for end-to-end encrypted services where the servers never see the plaintext.
> The new laws only change anything for end-to-end encrypted services where the servers never see the plaintext.

That doesn’t sound like a small thing. “Nobody can read your private data, not even us” is a big selling point these days. Sounds like Australian companies can no longer do that, putting them at a disadvantage.

And let’s not forget there’s no such thing as “a backdoor for law enforcement”. A backdoor is a backdoor, and it will be exploited by malicious actors. And they’re mandatory? Black hats everywhere must be getting dehydrated from salivating so much.

“Nobody can read your private data” doesn’t really work with email though if you want search and if the emails are delivered in plain text anyway. If you want total security you’d have to use client side encryption anyway and all partners of the email conversation would need to do that.
> That doesn’t sound like a small thing. “Nobody can read your private data, not even us” is a big selling point these days. Sounds like Australian companies can no longer do that, putting them at a disadvantage.

It is a big selling point. So is being accessible via any standards-compliant MUA, as opposed to e.g. Proton Mail and Tutanota. I'd love for there to be a secure email service with my privacy protected both by law and cryptography which also has me in full control of my data; until then it's a hard choice but I'd prefer to stay out of the walled garden. FWIW I'm not worried about Fastmail acting against my best interest.

> And let’s not forget there’s no such thing as “a backdoor for law enforcement”. A backdoor is a backdoor, and it will be exploited by malicious actors. And they’re mandatory? Black hats everywhere must be getting dehydrated from salivating so much.

I'm aware there's no such thing as a secure backdoor. Also to my knowledge the law doesn't mandate them, only access to the requested data. Said access could require manual action.

I don't agree with the law, but again the law does not change anything wrt Fastmail's obligations; anything the government might ask of them now, the government could have asked of them before.

It's a shit world requiring shit tradeoffs and Fastmail is one of few companies that are working towards keeping the internet open and (somewhat) decentralized. Their reward? The implication that they are somehow worse than any other non-e2e email service in any other country.

"You can rely on Fastmail for service and support, and trust that your personal information is protected."

Not if I get into a dragnet by Australian security services.

Wanted to get away from Gmail. Evaluated Fastmail, Protonmail, Mailbox.org and Posteo. Posteo went out because it doesn't do custom domains on principle, Protonmail went out because search is an issue with encrypted mails at rest. I'm not using Email for something that is illegal (journalism, opposition, ...) in my country, so encryption at rest has only minor impact on my decision. Fastmail looked nice with features but keeping my mail in the EU weighted more. Now that I no longer run a large website, I like the GDPR ;-)

In the end migrated to Mailbox.org on my own domain, went smoothly and I'm quite happy now.

Minor gripe: I wish Mailbox.org would understand IMAP is an API like every other API and provide unique API keys for applications (like GMail does).

First time that I read about this scary Australian backdoor stuff. As a (very happy) client of Fastmail, I regret to have to look for other options.

Are Australian legislators really that clueless? There seems to be a very strong incentive against making business with Australian companies.

Do you think it's different in other countries? Everywhere, the email service will have to give your emails to the police when they come knocking...
> Everywhere, the email service will have to give your emails to the police when they come knocking

The Australian law is broader and contains fewer checks than anything comparable in the developed world. It lets law enforcement compel, with no oversight and in secret, any Australian "to re-engineer software and hardware under their control, so that it can be used to spy on their users" [1]. (Australia has no bill of rights [2].)

The American analog is an intelligence agency getting a national security letter [3] stamped by a FISA court [4]. The order can compel disclosure of information on hand, but cannot compel a product to be re-engineered [5].

[1] https://www.eff.org/deeplinks/2018/12/new-fight-online-priva...

[2] https://www.nytimes.com/2018/09/04/opinion/australia-encrypt...

[3] https://en.wikipedia.org/wiki/National_security_letter

[4] https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...

[5] https://en.wikipedia.org/wiki/FBI–Apple_encryption_dispute

(comment deleted)
> "The order can compel disclosure of information on hand, but cannot compel a product to be re-engineered."

OTOH this could be unnecessary at large American companies because the needs of national security services may have been engineered in. Thinking of Room 641A [1], etc.

[1] https://en.wikipedia.org/wiki/Room_641A

> this could be unnecessary at large American companies because the needs of national security services may have been engineered in

That's voluntary co-operation. The situation is far from perfect in the United States, but Australia is an extreme case.

> Everywhere, the email service will have to give your emails to the police when they come knocking

Not if you’re Ladar Levison running Lavabit in 2013. He opted to shut down the service instead of complying: https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_ord...

That service was worse than anything else because it failed to provide the crucial "availability" property. And in the end he gave the keys to the government anyways. So he failed on every count.
Notice that lavabit reopened again in 2017, and is now even open for new customers. I will try it, but I'm a bit scared of the likelihood that it will be closed again. Changing your email address is no small hassle, and I am already pretty happy with my fastmail one.
> Changing your email address is no small hassle

I moved my addresses over to my own domain (lyndsysimon.com) many years ago, way back when I was still using gmail as my provider. I've since switched a couple of times, and have never had to change my address.

These days I use Protonmail. I like it for what it is, and it checks all of my "privacy" boxes, but the search functionality leaves much to be desired. I understand the technical limitations that constrain that, but I still wish there were more options.

If you are pretty happy with fastmail, why switch? They will only access your email with a court order (fine with me). If you don't want this, I'd try ProtonMail, they encrypt the email, i.e. are unable to provide email content in clear text. The price is that email handling is (much) more painful.
> If you are pretty happy with fastmail, why switch?

I do not really care about my personal case, here. But I try to maintain a (some say exaggerated) consistency in "paying with my wallet" according to my principles. Since the Australian government provisions seem an unacceptable betrayal to its citizens, the only way that I can make some pressure in favor of them is by visibly boycotting Australian tech companies. If I were an Australian citizen concerned with the AABill I would certainly appreciate this gesture. My fastmail account is just a 80 EUR/year epsilon amount which will not affect the economy in the least. But it is symbolic gesture in the right direction.

I am still undecided on dropping my fastmail account. But if I do I'll try to make as much noise as possible regarding the reasons.

Two thoughts...

First, compare practical law impacts if you look elsewhere. For example, in the US the gov can get email from providers that's more than 180 days old without a warrant.

Second, Fastmail like Google, Microsoft, and most others has access to your email. They comply with court orders for email like other providers. Fastmail has noted the gov doesn't need a backdoor to get to email. Same with other companies in other countries.

Indeed. Not to mention, even if your own email isn't compromised, if you send email to someone else who's is, it's irrelevant.

Email shouldn't be used for things that are particularly private to begin with.

> Email shouldn't be used for things that are particularly private to begin with.

To begin with, governments should not be able to access your non-particularly private stuff without an explicit court order.

> in the US the gov can get email from providers that's more than 180 days old without a warrant

With a warrant signed by a judge. Also, if the keys are on your device the service has nothing to turn over. The court can't force the provider to engineer in a backdoor.

None of those checks or limitations apply in Australia.

In the US, FISA courts can authorize technical assistance orders to force compliance.

https://en.wikipedia.org/wiki/Protect_America_Act_of_2007#3....

(comment deleted)
Even if they don't technically call it a warrant the principle is the same, the executive branch doesn't have the authority by itself, they must get authorization from the judicial branch.

Most people don't include national security investigations in their threat model. The more general risk is a court allowing the executive to cast a broad net to collect information rather than accounts known to belong to targeted, named individuals or groups.

In the US email over 180 days old can be retrieved with a supeana. No warrant out judge required. See https://en.m.wikipedia.org/wiki/Stored_Communications_Act
If it isn’t encrypted. If the server doesn’t have the keys, not even a signed warrant can compel the re-engineering of the product.
Gmail, Office 365, and almost all the rest have the keys. Switching from Fastmail to a majority of mail providers doesn't provide added security from governments.

That was the point of this thread.

Why do you need to switch? That regulation is irrelevant for Fastmail and changes nothing for them, as they've explained multiple times: https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...
I appreciate your link, which I had not found by a fast scan of the fastmail docs. It certainly answers some of my questions. However the line of argument of this text is so-so. They say that the regulation is "irrelevant for them" because "it is highly unlikely that...".

The words "highly unlikely", however, do not really mean anything and the argument falls down.

Besides that part, most of their text seems quite honest, clear and compelling. Βut I would appreciate that they delve precisely into these "highly unlikely" cases.

I honestly don't understand what you're talking about. The word "unlikely" isn't even in the post I linked.

They could always decrypt your data. They don't need to add a backdoor, because they've always had full access. Nothing changes at all.

> I honestly don't understand what you're talking about. The word "unlikely" isn't even in the post I linked.

The crucial point of the post concerns the possibility that fastmail developers are forced to introduce secretly a government backdoor. This possibility is briefly dismissed as follows:

> There are also concerns that individual employees may be forced to build a backdoor, without being able to alert their employer. While frightening for anyone working in technology, we believe this fear is largely unfounded [1]. Most organisations have practices (pair programming, code reviews, risk evaluations) that would reveal such behaviour quickly.

The only reason given for the word "unfounded" is an article on zdnet [1], that explains the reasons why these backdoors are unlikely (but does not rule out the fact that they are possible). The word "unlikely" comes from the title of this article.

[1] https://www.zdnet.com/article/australias-encryption-laws-are...

That's talking about other Australian companies. Again, Fastmail has absolutely no need for a backdoor, and will never be requested to add one. They already have full access, a backdoor wouldn't do anything. They have a frontdoor.
Thanks, it is clear to me now. Of course fastmail do not explain this so clearly; instead they require a few pages of word salad to "decorate" this fact.
I know there's always the discussion when a new design comes around and everyone complains but I actually thought the old one looked way better and unique. The new one feels like a generic startup landing page.
Long time fastmail user. First exposure to this was an unfamiliar icon on my homescreen, was a bit confused/concerned. I'm sure I'll get used to it but echo your thoughts, it does feel very generic and while dated FastMail's brand was very recognisable.
A few weeks ago they canceled my Paypal payment subscription due to "technical reasons" and now it seems like only credit card payments are available anymore.

This is a little scary because credit cards are not that common here in Europe and having such sudden changes it not confidence-building.

Luckily, I use my own domain and if Fastmail turns too unreliable, I can just switch to an other provider and point my DNS entries over to them.

Where are credit cards not that common in Europe? I don’t think I no a single person that doesn’t have one and most banks even give you a free Visa card (prepaid) with your normal bank account in Germany.
Exactly. The modern aspect of bank cards is much more present on Europe than in the US (chip, contactless,...)

I would say however (from personal experience which may be biaised) that cards in Germany are less welcome than in other EU countries (for historical privacy reasons)

Pretty uncommon in the Netherlands. Yes you can get one, but most people here don't have one, possibly due to very few merchants accepting them, and when they do, they pass the CC fees to the consumer
> Nevertheless, around 55% of the Dutch population has at least one credit card, which they mainly use during holidays abroad or when shopping online.

Not as high as I expected it to be honest but the article is pretty interesting. Apparently people have them but don't use them because they are not widely accepted in stores and they are very debt averse.

Source: https://www.dutchnews.nl/features/2018/01/credit-cards-not-y...

Not quite, Fastmail does support PayPal. Fastmail no longer supports PayPal subscriptions. You can still manually make payments via the PayPal option, but if you want the convienence of automatic billing a credit card is required.

source: I work at Fastmail.

I have been looking at a number of the providers in SaaS consumer email including Proton, Tutanota, Soverin, Fastmail, etc.

It is striking how both Soverin and now Fastmail have a breezy abstract style with colorful illustrations. While the other providers feel like VPS hosting landing pages or enterprise sales pages.

I wonder if the consumer focused brand of Fastmail and Soverin is aspirational or where their customer base actually is.