by simfoo 2827 days ago
One thing to keep in mind about Fastmail is that all their servers are hosted in the US and they have no plan about changing this (I asked). Post-Snowden this means you can be quite sure that all mails will end up being analysed by the US authorities
8 comments

I'm a European, but I don't mind.

First of all when making such a choice, you have to identify who the enemy is.

If you're talking about global enemies, like the NSA, then IMO without end-to-end encryption you're screwed. And if you're targeted directly, you're screwed regardless, given they have the capability to use whatever vulnerabilities they can find in your router, your phone, your OS, your browser, etc. If it's connected to the Internet, especially if you're being targeted, you're screwed.

Also many European countries have signed on joint cooperation agreements with US intelligence agencies. If for example you're using servers in the UK, it's in no way safer, see: https://en.wikipedia.org/wiki/Five_Eyes

So back to who is the enemy?

For me it's not the NSA or our local intelligence agencies. If I'm being wronged, I've got legal ways to fight back and I don't really care about the NSA.

What I care about is being _profiled_ by unscrupulous companies that may end up selling that data to other actors that may harm my well being. For example insurance companies could deny insurance if they discovered you smoked cigarettes 10 years ago. Or banks changing your credit score based on who your friends are. Or supermarket chains discovering that your daughter is pregnant before everybody else does. This shit is already happening!

I think the general discourse doesn't go in the direction that it should go. Organizations like EFF have been historically anti-government, but very pro corporate and private companies. Which is why I don't trust them fully.

Identify that enemy. If you're a European for example, that enemy is probably not the NSA.

I do prefer non-US alternatives btw, whenever I get that choice. I do so out of a desire to encourage competition and to reward EU companies that do well, as a "voting with your wallet" thing.

But choosing to reject non-US companies for the reason that some of their servers are located in the US, that's frankly childish. Servers located in the US are cost effective. Either provide better alternatives, or otherwise these services will not be able to compete on the global market from a price or latency perspective.

>Organizations like EFF have been historically anti-government, but very pro corporate and private companies.

I don't think I'd call EFF either anti-government or pro-corporate. Rather, they have a set of positions around surveillance, the public domain, etc. and side with or against governments or private companies based on those positions.

I donate to them, and in my experience they've been pretty consistent on their positions, but if you've noticed otherwise I'd be curious to know how.

I don't want to attack EFF, I think they are on the right side, but it's just a general feeling I've got.

For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing. Their reaction was late and with an article like "here's how to protect against Facebook tracking", advising people to opt out in their Settings and to install Privacy Badger, this happening when everybody else was freaking out and doing #DeleteFacebook pieces.

I donated to EFF modest amounts in the past and probably will do so again, because the fights they are fighting are good for us. Maybe they pick their battles, I don't know. But I'm seeing a general pattern in their attacks, which is that they go very light on companies, compared with how they deal with governments.

Maybe it has to do, as always, with their source of funding. I can imagine that they received significant donations from the philanthropists of Silicon Valley. I don't care much though. My general point being that there's too much emphasis lately on government surveillance and control from privacy organizations and less on Google/Facebook surveillance.

I'm glad that there's now mindfulness about it in this community though.

> guns blazing

Yeah, but what good would it have done? The privacy battle they're fighting with Facebook and social was lost a long time ago.

> For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing.

This is a very American thing which I can imagine our European counterparts not liking, that is govt (USG) is treated as an enemy because it is the most powerful entity in the world. For Europeans, it would be Govt AND these mega corporations (because the European govts do not have as much power as the US govt).

This is why in the US, corporations are ignored because they are insignificant on the US soil. And this isn't even a new thing, this opposition of the govt is as old as the founding of the nation.

This is why ACLU will not speak out against censorship of right wing media on Facebook and other companies. Keep in mind ACLU would not have any problem defending the latter against the govt, so it isn't about what the latter represents. It's simply, ACLU is a First Amendment rights based organization and their focus is preventing govt encroaching on our civil liberties (which is defined by what govt can't do, and not what a person is allowed to do in any circumstances).

Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.

> Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.

Well, this isn't entirely accurate. They definitely do chafe at even private restrictions on anything gun. While I don't have time to research this right now, a quick search of "concealed carry in businesses" certainly returns some people complaining that businesses shouldn't be allowed to restrict that. And, if you dug a little deeper, I imagine the NRA would be weighing in there somewhere.

Are you just guessing or do you know for sure? I know it for sure because we want NRA to speak up, but they don't.

They do see government surveillance as a greater threat than private surveillance, particularly if the private surveillance is disclosed. This makes sense as it is much harder to opt-out of your government than a contract with a private company.

I'd be surprised if it weren't easier for you personally to relocate to a different country than to opt out of any interaction with google.

I would like to go on record to say that the NSA aren't my enemy either. Definitely not. Especially the analyst reading this - great suit!

Thanks for your comment.

I agree that the NSA is not _my_ enemy and I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.

In a way, by using these providers you shield those who need their services the most

This strikes me as a kind of herd-immunity argument but for privacy.

People won't speak the truth or do the right thing if the environment makes it hard, or risky to do so.

>I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.

If only child porn / drug peddlers, journalists, lawyers... use tor and other privacy tools at minimum, 3 things WILL happen.

1. Tor, fastmail, ipfs, pgp, full disk encryption... WILL become illegal

2. Anyone using encryption / privacy tools will be raided. Arrest first, find crime later

3. Authorities imprisoning lawyers, journalists... who reveal wrongdoings will be too easy. "He used privacy tools" would be enough to pacify the public after all, "Only criminals have something to hide."

Consequently:

We'll lose the right to keep PINs/passwords. Because refusal - privacy = admission of guilt.

I'm a teacher and I know how difficult it is for a kid to speak the truth when the entire class is lying. Adults are not much different.

If people have to choose between their freedom, means of livelihood and doing the right thing, telling the truth or exposing wrong things by the government, most won't.

"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" -Upton Beall Sinclair, Jr.

>If I'm being wronged, I've got legal ways to fight back and I don't really care about the NSA.

I believe a National Security Letter would prevent you from ever doing such a thing. [0]

[0] https://en.wikipedia.org/wiki/National_security_letter#Conte...

>"Organizations like EFF have been historically anti-government ..."

Can you provide a citation or examples of this? Being pro-civil liberties does not imply anti-government. Those aren't mutually exclusive.

In the US civil liberties are basic freedoms identified in the Bill of Rights and the Constitution. And the Constitution is what established the government in the first place. How is it possible to be pro-civil liberties and anti-government?

> Being pro-civil liberties does not imply anti-government.

You're right, that's bad phrasing on my part.

I explained what I meant here: https://news.ycombinator.com/item?id=18058240

The Bill of Rights is a set of restrictions on what the government can do. Of course you can support it and be anti-government.

The Bill of Rights is a set of amendments "to" the Constitution, the very document that establishes the legitimacy of the government in the first place. How can you accept the legitimacy of the government and be anti-government at the same time?

Even the Anti-Federalists, the group that advocated for the establishment of a Bill of Rights were not anti-government.

I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government. One can believe that a government is legitimate, while also believing that the government's power should be limited. One might argue that this idea is one of the core ideas of American government.

>"I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government."

That's silly, by that definition everyone would be anti-government then. Nobody agrees with the actions the government takes in all situations, not even within the same political party.

What are the non-US alternatives you prefer? As a US citizen it's always interesting to see what is popular an ocean away and check it out.

I'm not your enemy. I don't even know you. So please send me your passwords to your online accounts. And I'd like to take a look at your home computer. So please install VNC and open your ports on the router so we don't waste too much time setting it up.

Good user.

While you're absolutely right, details that are sensitive in nature should be encrypted using end-to-end encryption. Otherwise you won't be safe regardless of email provider, as the other correspondents will often be using a US email provider anyway.

If your threat model includes an actual threat from organizations like the NSA, then I'd say you have bigger problems than the choice of email provider.

EDIT: I self host.

Interestingly, as a self-hoster your email is much more prone to metadata analysis than anybody who is hosted at one of the big providers and has most of their email transferred to other big providers down TLS-protected port 25 streams.

Absolutely! Everyone has their own usage case, and one has to adapt accordingly -- even me! :)

My point was that simply selecting an email provider outside the US does not make email safe in any way and that end-to-end encryption is the only way to prevent providers from accessing the content.

Absolutely. Our argument (and to be fair, we are a provider) is that if you don't trust your provider then they're basically just a dumb blob transit pipeline. There's not much value add you can do there.

So we have focused on building the best thing we can for people who _do_ trust their provider, and also on having a business model which means that we can be a trustworthy provider because we have no secondary "customer" who is actually paying the bills. We don't have split loyalties.

This would be a privacy Vs anonymity tradeoff, right?

They're not cleanly separable. You can tell a lot about a person by simply looking at what's written on the outsides of the envelopes in their mail. No need to actually open them up and read the insides.

Agreed. Anonymity and privacy come from lots of little actions, none of which provide much value on their own.

For example, our return mail address labels don't have our names on them... and I use them on the back of the envelope to seal the envelope.

Our trash and recycling is emptied into our bins loose, so all our trash is not isolated to its own bags, it mingles with the rest of the trash.

Neither of these provide a lot of value on their own, but they're easy to do and provide a little value.

Would you expand on this please?

Quite simple: If someone were to sniff the encrypted traffic between Hotmail and Gmail then they wouldn't have any idea who was talking to whom.

If someone sniffs the traffic between Hotmail and my server, it's trivial to see that a Hotmail user talked to me or one of the few others using my email server.

> all their servers are hosted in the US

Not true, they have a lot of servers in Europe (Amsterdam).

That doesn't make the issue less valid though, since I think they have a full copy of all the data on both sides of the ocean.

We are moving away from Amsterdam - so it will be full copies on both sides of the USA, and nothing in Amsterdam any more.

Why isn't it actually possible to just encrypt saved emails on the server? So that the government does not have access. Couldn't one use a hash of the password as the key for the data, and not save that hash to check the password but another one? This way (practically), at least if the password is not eavesdropped and saved by the mail provider, it would be much harder to give away emails.
Apart from the "users lose their passwords all the fricking time" problem (seriously, before we implemented https://fastmail.blog/2017/12/06/security-account-recovery/, lost password was always in the top 3 most common support requests of the week report)

Implementing per-message encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.

That and people's devices are basically always on these days, and fetch new email immediately on a push when messages arrive. So if your provider gets a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted.

Finally, we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done.

(extra finally: phishing protections and antispam solutions are in pretty much direct opposition to the idea of the server not being able to see the content of emails)

Thanks; it's very helpful to know the ins and outs from a practitioner. I am confused by a couple of them:

> if your provider gets a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted

If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.

> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done

What is an "app password"? If it's just a password stored in an app (and then what is a non-app password? one in a text file?), why wouldn't it be as vulnerable to device hacking?

.....

Also, a couple of genuine questions about what's possible:

> Implementing per-message encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.

Email messages arrive in the clear, unavoidably; new messages are always vulnerable. Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages, and give endpoint/user the only means of decryption.

> users lose their passwords all the fricking time

> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices

How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?

> If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.

Oh yeah, sure - if you only decrypt on your device, then that's reasonable. We could encrypt to a public key on delivery. There's services that do that, but FastMail isn't interested in being one of those services. The tradeoffs mean we could do very little. Certainly not a webmail service.

> what's an app password

https://www.fastmail.com/help/clients/apppassword.html

It's a password that's created by the server and used on only one app. So if you lose your device, you can disable that one password only. Also, there's no chance that you'll reuse it across sites, so it can't leak from other services because you won't be using it there.

It's also limited to just the protocols that are used on that device, so can't be used to reset your password or payment details or install forwarding rules, etc.

> Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages

If you can search for keywords and find matching message blobs, that's nearly as good as having plaintext access. If it was encrypted to only the endpoint, the usual issues of "you need to download the entire database to search your email" apply, and of course we're doing very little.

> How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?

They're not designed to be your long term memory, which simplifies things a lot. You basically lose access to your history. Which might be fine if you don't care about the past, but that's not how I see email. Email is your electronic memory, and encryption+lost password means that nobody can get at your memories, not even you!

> we require people to create app passwords

I like that, because it at least feels more secure to have a password that can only be used once, combined with the ability to go into the settings and shut off any device if it gets lost.

Yeah, it's by far the best of the options that use standard username/password authentication support. Basically make the password be another server-provided factor rather than user-chosen.

Without saving a hashed password, you can’t authenticate users. End to end encryption like what you really want requires the data to be decrypted by the recipient (using a key or password).
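
The two-key idea in the question above (the server checks one value derived from the password while the mail is encrypted under a different value it never sees), worked as an added example that is not from the thread or from FastMail. The names MailServer, client_keys and demo, the sample message and the HMAC-based stand-in cipher are my own assumptions; the example also shows the recovery cost raised earlier in the thread, that after a password reset the old mail stays unreadable.

```python
import hashlib
import hmac
import secrets

# Added illustration, not FastMail code: one password yields two unrelated secrets by
# domain-separated key derivation. The server keeps only the login verifier and the
# ciphertext, so a copy of its database cannot decrypt mail. The HMAC-counter cipher
# is a stdlib stand-in so this runs anywhere; a real system would use Argon2 + AES-GCM.

PBKDF2_ITERATIONS = 100_000

def derive_master(password: str, salt: bytes) -> bytes:
    """Slow password hash; the only place the raw password is used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

def expand(master: bytes, label: bytes) -> bytes:
    """HKDF-style expansion: distinct labels give unrelated 32-byte keys."""
    return hmac.new(master, label, hashlib.sha256).digest()

def client_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Returns (verifier sent to the server at login, encryption key kept on the endpoint)."""
    master = derive_master(password, salt)
    return expand(master, b"login-verifier"), expand(master, b"mail-encryption")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; output = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(expand(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(expand(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class MailServer:
    """Holds per user: salt, login verifier, encrypted blobs. Never a password or key."""
    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def register(self, user: str, salt: bytes, verifier: bytes) -> None:
        self.users[user] = {"salt": salt, "verifier": verifier, "blobs": []}

    def login(self, user: str, verifier: bytes) -> bool:
        return hmac.compare_digest(self.users[user]["verifier"], verifier)

    def store(self, user: str, blob: bytes) -> None:
        self.users[user]["blobs"].append(blob)

    def reset_password(self, user: str, salt: bytes, verifier: bytes) -> None:
        # Account recovery swaps the verifier but cannot re-encrypt old blobs:
        # the server never had the old key. This is the "lost password" cost.
        self.users[user].update(salt=salt, verifier=verifier)

def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False

def demo() -> dict:
    server = MailServer()
    salt = secrets.token_bytes(16)
    verifier, enc_key = client_keys("correct horse battery", salt)
    server.register("alice", salt, verifier)
    message = b"Subject: lunch?\n\nMeet at noon."      # constructed sample mail
    server.store("alice", encrypt(enc_key, message))   # endpoint encrypts before upload
    blob = server.users["alice"]["blobs"][0]
    new_salt = secrets.token_bytes(16)
    new_verifier, new_key = client_keys("new password after reset", new_salt)
    server.reset_password("alice", new_salt, new_verifier)
    return {
        "login_ok": server.login("alice", new_verifier),
        "server_copy_can_read": can_decrypt(verifier, blob),   # all the server ever held
        "endpoint_can_read": decrypt(enc_key, blob) == message,
        "old_mail_readable_after_reset": can_decrypt(new_key, blob),
    }
```

Note that the verifier is itself a password-equivalent for login, so it must still be sent over TLS and, on the server, treated like any stored credential.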

Because the service provider receives the unencrypted email and can choose to save a copy, encrypt it to a different key, etc. This was the scam Lavabit pulled, and the government called them on their bluff and asked for a copy of the key and Lavabit had no legal ability to refuse.

If the threat model does not include a government with the ability to use legal process, it needs to be defined more precisely. In general the US government can use legal process in the US and just straight-up hack into things elsewhere (who's going to raise a diplomatic incident over it? Russia is literally poisoning people, nobody cares, and their military is less powerful than the US's). If your threat model is other governments or just unrelated attackers like advertisers, there are more straightforward approaches.

Calling Lavabit a scam is a bit of a stretch. They, by all appearances, genuinely tried to offer email as secure as it could be, given the limitations of the protocol, and when pressured to give up the keys chose instead to inform their users and fold the business.

They made promises that they should have known were impossible to keep. In my books, that's a scam. Sure, they tried very hard to keep them, but that doesn't change the fact that they could not deliver on their promises and anyone could have told them that.

Also, no, they did not inform their users. They handed over the key and waited for users to notice court documents.

See my previous comment: https://news.ycombinator.com/item?id=13447340#13448609

What sad news. I was expecting more servers in EU in a near future and maybe an option to select the location of our primary DC (US or EU). I've been a happy customer since 2013 and for the first time since I joined I'll be considering other options.

This makes me sad, but I'm sure there are reasons for this.

Would it be possible to explain them (or link me to a document explaining them)?

Basically the problem was datacentre network reliability, power reliability, and the pointlessness of having one EU datacentre which isn't reliable enough to run production out of. We'd still need to replicate to a second datacentre for multi-site safety.

At that point, why bother? We'd have to run two EU datacentres to have data only in EU, and we'd still be under the same actual legal jurisdiction (Australia) either way, so it would be security theater rather than an actual change in risk. We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.

In summary, having servers in the EU is 99% security theater, and the other 1% is pointless unless we had two datacenters who were as reliable as NYI have been for us. We haven't found such partners.

We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.

The EU is outside the jurisdiction of FISA courts, whereas New York is not. I am definitely not an expert or lawyer, but I would think this is not just security theater.

I was always hoping that Fastmail offer hosting that is fully in the EU. To me being affected by the Australian, EU, and US jurisdictions is worse than just the Australian and EU jurisdictions. Of course, I would prefer EU-only.

I am extremely happy with Fastmail. But if there was an EU e-mail provider with feature parity, I would probably switch. Not that I expect that that'll happen anytime soon (subdomain addressing and iPhone push notifications are killer features).

For sure if we had two separate EU datacentres and no US datacentre contained a copy of the emails that would be not security theater. While there's copies in both jurisdictions, having a copy be outside the US really is security theater though.

The financials of running up two full EU-only datacentres don't make sense for us at the moment given the demographic distribution of our customers. And we haven't had any run-ins with the FISA courts in the nearly 20 years we've been operating.

Of course the past isn't a 100% predictor of the future, but US authorities have always been happy (or at least willing) to accept that our data is under Australian jurisdiction.

But fastmail and the admins are under Australia law. This makes all attempts to do anything an international incident. FISA cannot do anything directly, they need to contact Australia for help. FISA can order NYI to put in a wiretap - but why bother when we already know there are wiretaps in all the major peering points on the internet.

Their primary servers are exclusively US-based (see https://twitter.com/FastMail/status/981284247284559872)

All their servers are belong to us. I know humor here is frowned upon, but I couldn't resist. Sorry.

I don't think this is true. I don't believe there is any evidence that the US government is analysing all emails hosted by all US companies.

Rather, if the US government asks for a particular individuals emails the provider must grant the request provided there is a valid (possibly secret) warrant.

There is evidence that they certainly have the capability of analyzing much (if not all) communications in the world: https://www.infoworld.com/article/2608141/internet-privacy/s...
Post Snowden I wouldn't safely assume that the govt/three letter agencies don't do something just because there is no evidence. Snowden was years ago, the NSA surely didn't sit on their hands in the meantime, especially now with SSL being deployed everywhere. "Oh right what we did was evil and wrong, let's stop everyone"

The claim made was that they do. You don't get to say that without providing evidence. You can say they might be, but that's a different claim.

Also, capabilities matter. I have no doubt if they could they would. The Snowden revelations mainly revealed partnerships between service providers and gov agencies. Simply existing in the US does not mean your data is automatically available to 3 letter agencies. It could, but there is no evidence to suggest that it is.

> You don’t get to say that without providing evidence

Put a parakeet in a windowless room and close the door. I can reasonably make the statement that the parakeet is perching, looking around, and/or preening its feathers, because that's what parakeets do. I wouldn't need direct observational evidence to make this statement.

Panopticon-level spying is what intelligence agencies do. It's what they've striven to do, as much as possible, without getting caught. The Binney and Snowden leaks corroborate this, and there's no reason to believe they've suddenly stopped trying to. OP doesn't need evidence to make the reasonable claim that intelligence agencies spy on us, and likely do it by hoovering up our data for analysis.

Yes agencies like to spy. Do they have a camera in every house in America?

Again, I’m not saying they wouldn’t or wouldn’t like to. But saying “they do EVERYTHING post-Snowden” isn’t a very good argument, and definitely isn’t a fact.

And if the claim is “spy agencies spy” then the country of origin for your data probably doesn’t matter. Invoking “post-Snowden” usually relates to Prism, which was a partnership with specific providers.

Meta data is more than enough. They don't even care about the contents.

That wasn't the claim made.

The US government doesn't need a warrant for emails older than 180 days that are still on the server.

Emails older than that are considered abandoned[0] and treated the same as an abandoned storage unit, due to an old law from the time when email was regularly downloaded and purged from the server by local email clients.

[0] https://www.businessinsider.com/when-can-the-government-read...

> mails will end up being analysed by the US authorities

I read somewhere that servers located in the US are actually safer from drag net eavesdropping b/c a judicial order is required.

IIUC, no judicial order is required for collecting. Only for looking at collected data; but agencies get creative around these processes, so I wouldn't count on legal protection from snooping.

But there's nothing to circumvent if the host isn't in the USA.

Unless you're sticking to countries that hang their hat on digital privacy, hosts outside the USA are also likely to be snooping with varying levels of competency. "Not USA" isn't a good enough filtering criterion.

That's assuming the wires aren't tapped, it's all encrypted and doesn't pass through the US, they're not cooperating regardless with the US.

If the US puts enough pressure, they could still cave and comply.

My point was that in some cases, it's easier for the NSA to snoop when the target is outside of the USA.

Many countries have reciprocal agreements for sharing intelligence. Unless you go to a country that is known for its privacy values at the highest level then you're likely not going to maintain your privacy from the government of your country or most other powerful governments.

I built a privacy-first minimalist Google Inbox, located at https://inboxzeroemail.com

Sign in with your Gmail account & get the same functionality as Google Inbox.

It's hosted on Linode and our servers are load balanced across the world.

Please let me know if you have any questions :)

How is their security? Maybe people like to forget, but security breaches are a thing, and when they occur you get the privilege of opening up your data to the entire world, not just to the NSA.

Google, for whatever else you want to say about them, have first-class security.

Yeah, but on the other hand it's also a feature of Gmail. So it's not strictly worse.

Correct, but since the reason this question popped up is due to privacy concerns regarding Chromium, I think it's even more important for people to know about these things to make an informed choice.

By the way, I really like Fastmail - they are very competent. But mail/calendar is such an important part of online identity and life, I think people should be careful about who to trust.

Except that gmail is hosted on a much better and secure infrastructure with very good SREs.

Our SREs are pretty good too!