Standing up for your users' privacy

So let’s talk about this Fastmail post.  Read the whole thing, but the summary version is that they say that as an Australian company, they aren’t subject to US National Security Letters, so they can’t be compelled to hand over user information without disclosing it, or to hand it over in a broad way.  They then discuss the possibility of physical access by the US government, given that their servers are in the US.

Fastmail’s hearts are clearly in the right place.  But these kinds of positions are easy talk, and their safety can prove illusory.  A few points:

  • A commenter on HN (a lawyer) asserts, and a Fastmail representative basically concedes, that, in fact, Australia does have a non-disclosable warrant thing.
  • The US government could issue an NSL against the hosting company of Fastmail and then do a variety of fairly sneaky things to Fastmail that a typical hacker could not, because they are impossible without cooperative physical access.
  • But most importantly, it’s all well and good for Fastmail to advance this legal theory, but if the US government decides it really, really wants the data that’s on Fastmail’s servers, it may advance a different theory, and it has a variety of ways to put pressure on Fastmail — and we don’t know, until and unless this does happen, how good Fastmail is at standing up to pressure.

Lavabit’s decision to shut down their service rather than compromise their user data (further) was brave and probably atypical.  If the US presented something like the following to Fastmail:

“We believe that you are subject to US National Security Letters on the basis that you do business in the US and have servers in the US.  If you do not comply, we will, say, seize your servers physically and add you to the list of organizations that provide material support to terrorists, and put US arrest warrants out on all of your company officers, and completely shut down your ability to ever access your largest market,”

then it is true that Fastmail might defy the US.  And the Australian government might back them up.  And everyone might learn about the fracas, and justice might be served.  Or Fastmail might fold and hand over user information.

Fastmail probably is safer (from the depredations of the US government — and less safe from the depredations of the Australian government) than a US company.  But their attitude of “basically, everything’s fine and in the event of extraordinary situations, you’ll at least know that your data is compromised” is, at best, unproven.


