Update from Fastmail on the Australian policing law and privacy
The police can't intercept, access or modify your messages without us receiving a warrant, and we take our duty of care seriously. Fastmail responds to well formed warrants only and challenges requests for access that are inappropriate, either in scope (not adequately targeted), or depth (asking for information that seems out of proportion to what's being investigated). We will continue to do so, for any legislation that applies to us both now and in the future.
The new bill still doesn't allow 'trawling' for suspicious data: they can't request access to a wide variety of accounts hoping they'll come across something of interest. They need to have a particular account under suspicion and something that gives them grounds for that suspicion, and the offence in question needs to be suitably severe to be worth the intrusion.
Where we are permitted under a warrant, we will notify the accountholder of the access request, and due to our existing measures to help customers stay aware of any hackers compromising their account, police can't also enter your account without leaving evidence you can see.
What this means for you: Fastmail remains a privacy-first provider. We will comply with our legislated duties, while taking care to ensure that we do not act unless compelled by law and that all legislated preconditions have been properly satisfied. Your data remains under your control and you can rest comfortably knowing that your account won't get caught up in a surveillance net.
25 comments
[ 2.9 ms ] story [ 58.4 ms ] threadUgh.
> The police can't intercept, access or modify your messages without us receiving a warrant
So, unlike virtually every other democracy, Australia has granted law enforcement power to surreptitiously modify data owned by others.[1]
> Fastmail remains a privacy-first provider
Does not seem possible unless they move operations to a more privacy-respecting country.
[1] https://news.ycombinator.com/item?id=28364140
As per the response from Fastmail, it does still require targeting; the intent of the law appears to be to 'take over' an account and use it to catch conspirators, e.g. "we caught Timmy red-handed planning a terror attack, let's log in as him and tell his co-conspirators to come meet us somewhere, then arrest them all".
Whether or not that's what it will be used for is another question, and a valid concern.
Because if it's got close to 1:1 feature parity (or better) I might consider a switch once my existing paid plan is up.
You don't own what you cannot protect. Your reputation certainly doesn't remain under your control under these laws, the combined power of assuming your identity means police can engineer your voice and send it on to someone else who has every right to publish it. This flies in the face of everything just if juries are asked to unravel multi levels of deepfakes tailor made by law officials to intimidate or incriminate.
A lot of the other media is owned by Fairfax-Nine, which again has ties to the Liberal party (e.g. Peter Costello) and similar remarks apply.
"can't intercept, access or modify your messages without us receiving a warrant" come on, they already can.
I cant imagine that they will phone up a data host and ask them to modify say an email.
So their default position is to give access - with checks and balances, but still to give access.
Why must the default be that governments get access? That's NEVER gone well in the past, why should now be any different?
Two big isues:
- Fastmail pays taxes to the Australian government. By supporting Fastmail, you are supporting this lunacy indirectly.
- Their rebuttal revolves around requiring a warrant for any of this, but what good is that if the process if flimsy and there is basically no friction/verification involved in obtaining a warrant?
I am a long time customer and I love Fastmail's service. But Australia has just gone nuts, and I think this is the last straw. I'll be working on a plan to slowly migrate elsewhere.
What is your threat model? What adversaries are you fighting against?
My adversaries are corporations. I don't want Google or Microsoft to know every service I register to, every bill I receive, my income, all my contacts, all my pictures. Fastmail works perfectly fine for this (up to the point where you contact someone who uses Google or Microsoft emails, etc...) and it's perfectly fine for them to advertise themselves as privacy focused.
Is your adversary the government? Unless you're a journalist or dissident you aren't doing what's necessary to protect yourself from the government anyway. Of course security isn't black and white so if you can have a secure-against-the-gov email provider that's good but let's be realistic the government is already recording all of your communications and has much easier access points to your confidential data than your email.
What I do have a problem with is anti-encryption laws weakening the security of my services. Hackers are getting better and better. Nation states are DDoSing services that I use, and leaking the details.
Police wanting backdoors means that real end-to-end encryption isn't even an option. This opens me up to vectors of attack from people I don't even know, who are desperate for my money or identity.
For that reason, my threat model includes corporations and government. Although, if asked to decrypt my data in person and hand it over, I will with no issues.
I've heard people saying that Australia is used as a test-bed for government policy. I've also heard the creep of China could be the cause of this trend.
I've seen how quickly a functioning country can dissolve (Syria, Ukraine, Hong Kong). Just how concerned should we be about this? And apart from voting, is there any kind of action that can be taken?
I can't imagine the warrant allowing account holder to be notified.