by mtgx 2744 days ago
So the article's tl;dr is basically: "We're advocating for privacy, but we aren't going to try to offer you any. We never did, and we certainly won't now that this law passed. You're on your own."

Is this supposed to be a PR-positive announcement from FastMail, because I can't quite tell?!


We never offered, and never claimed to offer, a safe haven for people who have broken the law in both Australia and their own country to hide from the police. We don't place ourselves above law enforcement.

We don't have data trading agreements with anybody, and we don't sell or provide backdoor channels - we only provide data in response to lawful warrants.

That's the right amount of privacy and the right tradeoff with usability for just about everyone. Certainly storing your emails super encrypted in a concrete bunker on an island somewhere is theoretically safer along one axis - I wrote a whole series about Confidentiality, Availability and Integrity just over 4 years ago on this very topic: https://fastmail.blog/2014/12/02/security-confidentiality-in...

And the specific one on confidentiality here: https://fastmail.blog/2014/12/15/security-confidentiality/ (excuse the line wrapping, we moved to a new blog platform a while back and some of the older posts didn't import perfectly, but I don't want to look suspicious by editing it today!)

> We don't place ourselves above law enforcement.

Of course this is reasonable, but I'm curious what you think of companies who do put themselves above law enforcement when it's the right thing to do.

i.e. lawmakers do not always make laws that are right and law enforcement does not always do the right thing when interpreting and enforcing laws. A case to cite might be Apple vs. FBI in 2016. The company placed itself above law enforcement. They disagreed with law enforcement and would not cooperate when I am certain many companies would have cooperated. It was a gamble. As a user, I am glad they stood their ground and I was/am glad to give Apple my money. I've also set my businesses up on FastMail at least twice, which is why I ask.

Maybe only a company with Apple's resources can take a risk like this? Thoughts?

I think enlightenment values ultimately support the position that consenting adults should be able to say whatever they like to each other in private, and that should be a protected right.

This puts me in direct conflict with the way the law is going right now, where it is supposed to be acceptable for government and/or searches to be an invisible third party to all conversations.

Not sure where this goes but I feel like there is an MLK or electronic Jesus moment here somewhere.

Apple did not place themselves above the law, they went to a properly constituted court and asked the judge to rule on whether what the FBI was asking was lawful.

During those proceedings, they also explained how complying with the FBI's request would lead to a highly damaging corruption of the privacy of their users' data.

They asked the judge to make a judgement which was that Apple were right in saying that the FBI had over-reached in their warrant.

The case was headed to appeals when the FBI withdrew after finding another way to get the information they needed. Notably they did so without Apple having to compromise security or user data privacy.

> Apple did not place themselves above the law

Exactly. I didn't say they did. The comment was about being above law enforcement. See my other peer response here.

> I'm curious what you think of companies who do put themselves above law enforcement when it's the right thing to do ... A case to cite might be Apple vs. FBI in 2016. The company placed itself above law enforcement.

Apple did no such thing. They asserted their legal rights. They used the exact mechanism -- the law -- that you are saying they ignored or held themselves above.

I did not say they held themselves above the law. Law enforcement is what OP commented on and that's what I responded to. I think it's an important distinction.

When law enforcement takes a wrong turn (as the FBI did) it is, I believe, reasonable for a citizen to consider themselves above (read: "better than") law enforcement. Mechanisms to deal with this include constitutional principles (which may also be considered above the law) and, generally, the courts.

Funny how wanting to keep your personal correspondence private is now being conflated with “above the law”.

The concrete bunker thing is a ridiculous diversion. Why are you even bringing that up?

I understand that privacy is a difficult problem especially when subject to legislation but bunkers have nothing to do with it. You will obviously provide user information to government on request, you and your staff maintain the ability to access user information at all times, and you have some procedures in place to try and make sure none of this is misused.

That’s ok.

"We don't place ourselves above the law" - AKA we don't believe we are better placed than a judge to know whether sufficient evidence has been presented to allow law enforcement access to data about a user of our platform.

Unless you're starting from a premise that bad actors don't exist, and the police never do anything of value, there needs to be a facility by which police perform the role we expect of them in a civilised society, which includes following chains of evidence and requesting assistance of third parties they find along the way. The warrant system is a check against abuse of that process, not a repudiation of the idea that police also have a job to do.

Sorry, I edited my comment a lot.

I guess if a judge wants they should be able to watch you poo, pity we don’t have mandatory poo cams yet.

The judge should, according to the laws, be able to hear what you say to your wife at night.

Just that technology hasn’t caught up with what the law dictates yet.

After all, who are we to say what’s right? That’s for the professionals like the people who passed the AAA bill.

It's easy to create hypotheticals.

Who would you suggest should decide, when shown evidence that a spear phishing attack that stole thousands of dollars came from an email account, whether the provider should be requested to hand over data.

Policing isn't all poo cams.

I'd prefer that a judge tell me whether the police have sufficient evidence for a data request than have to make that call myself.

> a judge

That's the problem here. Computers (smartphone/laptop/server/toaster/etc) are/will continue to hold the most intimate and private data about an individual. Do you want all that disclosed on one person's word? I don't. I don't think there can be any check-and-balance that absolutely prevents any person from giving a malicious order. One bad disclosure order can be enough to ruin a life. Is that jurisdiction willing to be liable for the compensation (if compensation is even possible)?

I believe the Internet is a country of its own. It's a virtual world, it has no physical manifestation. There is no need to invade the Internet to secure the physical world.

That's a nice theory - but computers exist in the real world. I have a sticker on the back of my laptop from our NYI datacentre which says "there is no cloud, it's just somebody else's computer".

There's also no check and balance that absolutely prevents somebody punching me in the face and ruining my life, but I still walk down busy streets.

If you have a problem with the concept of judges as the arbiter of limits on the powers of law enforcement, I am keen to hear your workable alternative that doesn't have worse downsides.

You can recover from a punch. You can't undelete your data once it falls into the wrong hands and gets used against you (eg debt/purchase history).

As I said there are already enough physical measures (defence, surveillance etc) that can ensure public safety. However, if I were to compromise: we can have multiple judges. An order should be vouched for by more than one judge. It would be even better if the user can whitelist/blacklist judges to submit to. Less bureaucratic liability for the state if data gets leaked/misused.

On the bunker issue, many people seem to expect us to be like some Sealand with armed forces fighting off hostile government ships. No service actually works like that, and there aren't really jurisdictions where you can just tell the police to go jump. You'll get your uplinks disconnected and your payment systems frozen if there's a high enough value target in there. A Sealand-like service makes no sense as a product for regular people because the cost/benefit doesn't match their needs.

I’m genuinely sorry if I have been a bit rude, dismissive and sarcastic in my comments.

My point, I suppose, is that there are ways to architect systems such that concrete bunkers are unnecessary and irrelevant.

The simplest such systems do involve trust in you. I suppose to a first order you are trustworthy since you have explained you will hand over user data upon request according to the laws you are subject to. This is a sane business decision.

Finally, a solid stance against at least business surveillance is a great start.

>That's the right amount of privacy and the right tradeoff with usability for just about everyone.

Just about everyone who agrees with Australian laws you mean?

Not a user and not an Australian but that sounds like a bad deal for customers. Especially since warrants will probably not be thoroughly checked in the future. So the invasion of privacy seems to be seen as a trifle.

> We never offered, and never claimed to offer, a safe haven for people who have broken the law in both Australia and their own country to hide from the police.

You seem to be conflating the concept of "I don't want my emails read" with "I am a criminal".

Why?

> We never offered, and never claimed to offer, a safe haven for people who have broken the law in both Australia

So are you saying that just by offering end-to-end encryption yourselves would be "helping people who have broken the law"?

Well, at least it's good to know where you stand and to have this in the public record, in case someone mistakenly thinks that Fastmail is a good alternative to other end-to-end encrypted email service providers.

We've never wanted to be an end-to-end encrypted service provider - that's purely routing blobs of opaque data around. It's not an interesting problem, and it's at direct odds with "email is your electronic memory".

https://fastmail.blog/2018/02/14/email-is-your-electronic-me...

End-to-end encryption is great for "this message will self destruct in 5 seconds" type instant messaging, but I have a friend who recently forgot her password on an "end-to-end encrypted" email service and lost all her emails. Not a great choice, though luckily she hadn't been using it long, so she didn't lose many memories.

An extreme black-and-white view on confidentiality vs the other parts of security is poor threat modeling, and we especially don't like the idea of selling snakeoil where we claim a level of confidentiality from ourselves which is not supportable by facts.

Not at all.

If you want to use PGP for encrypted email, and they supported it e.g. in their webmail - that would open them up to being a valid 'target' for the new bill, to provide access to your encrypted messages.

If they're just a conduit for your PGP (or even S/MIME) encrypted messages, the government can compel them all they like - there's literally nothing they can do to decrypt those messages.

Note: I am not a customer, or involved in FastMail at all (I am Australian though). This is just one of the facets of encrypted email IMO - if it's decryptable somewhere between your laptop/phone/etc and the other person's laptop/phone/etc, it's not end-to-end encrypted, is it?

The problem is simply that you expect the impossible.

Either you give the factual power to access your emails to some party, then whoever you give that power to can as a matter of fact access your emails, and in particular that means that they can be coerced into accessing your emails, or you don't give them the power, then they can't.

You are demanding that they offer a product where they have the power to access your emails (as an unavoidable technical necessity for what you expect from the product) while they at the same time can truthfully state that they can not access your emails. That is simply a logical contradiction that cannot exist, and any PR that pretends that it did would be simply marketing bullshit.

Not sure what you are getting at exactly, but you can provide browser based email where the browser, using JS, decrypts the email. Obviously need to figure a way to make that AA proof.

You now trust the provider’s JS not to be hijacked. I know of no good infrastructure at present for managing this risk; at the very least, you’ll need an independent browser extension for auditing all the code and ensuring that no unaudited code is permitted, and you’ll need the provider to support it in some measure as well, so that the service doesn’t break when new, not-yet-audited versions of the code are rolled out.

Yep it’s a tricky one. It has to be hosted on a domain you trust. Maybe if it’s on IPFS that’s kind of better but any registered domain name is at risk of being hacked or even DNS itself.

If the web app is served by your email service provider, your end-to-end encryption scheme is broken and you’ve lost, unless you have the facility to verify exactly what code it is that they’re serving up. The simplest attack model is that your email service provider is compelled to serve different code that exfiltrates the secret from your browser and sends it somewhere else, for your user account only (which would, I imagine, get around things like the AABill’s idea of not introducing systemic weaknesses). Next time you access the web app, you have unwittingly granted unfettered access to all your email.

It’s a similar deal on mobile apps; the situation is probably a little better if it’s truly a native app (by which I mean: all executable code comes from the app store, rather than executing arbitrary code fetched at runtime, as with websites) in that they probably can’t serve you specifically a different version to everyone else (I expect that’d need cooperation from the app store provider—not implausible, I caution) and so any vulnerabilities are more likely to be noticed in any auditing that others may do; but it’s also much worse because there you can’t lock it down with a browser extension that intercepts and verifies all the code.

Yes, you can provide such a service. With such a service, you have the power to access the emails. Telling people that you can not access the emails would be marketing bullshit.

Nope because the user encrypts them using their own secret. No access to historical emails but possible to backdoor the JS later on.

If your code running on the user’s computer can use the secret provided by the user to access email, your code can steal the secret.

Running the encryption on the user’s computer instead of your own servers is not a panacea, because you still control the code.

So, it is possible to backdoor the JS later on, but it is impossible to use that for accessing the emails? Could you explain how that works?

> "We're advocating for privacy, but we aren't going to try to offer you any."

Your tl;dr is not quite accurate.

All companies, including FastMail, have to cooperate with local law enforcement. But there are different levels of cooperation. FastMail's level of cooperation, according to TFA, is, "Show us a valid warrant, and we'll show you exactly what you asked for, nothing more".

Certain other companies might be more cooperative, handing over user information in response to informal (warrantless) police queries, or handing over information to copyright-enforcement lawyers who write threatening (but not legally enforceable) letters, or handing over more information than is specified in a warrant. (I can't remember specific examples, but they get mentioned on HN now and then).

So FastMail is stating it will try to limit privacy violations as much as it can, without violating Australian law. This is not total privacy, but neither is it the same as "we aren't going to try to offer you any".

(Not affiliated in any way with FastMail, not even as a user)

I got the exact same feeling from reading this.

It almost feels like it’s written for the Aussie Police and not really for the users.