View Single Post
Old 18 Apr 2018, 09:23 PM   #46
Join Date: Nov 2014
Posts: 39
Originally Posted by brong View Post
To the consent extremists here - if you're a FastMail customer - have you gained consent from every one of your correspondents to share their details with FastMail?

They could know you use FastMail by resolving the MX servers, and confirming that their emails are going to FastMail. Do you believe you have the right to leave FastMail and take your email to a different email provider without confirming explicit consent from every person who's emailed you?

Because that's what we're talking about here. Is FastMail allowed to use a third party to send email on our behalf, having assessed that third party's privacy policy and confirmed that it's compatible with the privacy guarantees we offer to our customers. I absolutely MUST reserve the right to do that in the future, because the alternative would be placing unreasonable constraints on our ability to do our jobs by using third party tools if that's the best choice at the time.
If even a 70+ grandma can quickly pinpoint what the problem was in the situation made known to us by @ferrety (I actually tested this with one), I have no reason to suspect that you can't, so I see little point in disecting strawmen and other hyperbole. I don't even know how this is supposed to relate to you sharing data the person had not shared with anyone.

People tend to draw a line between technical sharing, often essential to provide services to customers (hosting your servers at a provider like I mentioned, monitoring error reports like you mentioned, etc.), and sales/marketing/advertising-related sharing, which has acquired a bad name due to various unscrupulous actors abusing it and causing various problems to people whose information has been shared. Neither you nor I can do much to change this difference in perception, and I don't see how its existence can come as a suprise to you. Even if your selected survey company is the most honest one on Earth, using their services is hardly essential for providing services to your customers; and I think we've already established that you had the option to use them without disclosing email addresses, and elected to do what you did the way you did out of convenience, not real need.

You can bemoan "consent extremism" as much as you like, but you're likely still going to have to comply with the GDPR at least as far as your European customers go. I'm reasonably certain that what you did in this case runs counter to what you're allowed to do with personal information under those regulations, and people's email addresses are classified as personal information.

What I have promised is that we will document which third parties we're using and inform customers in advance about which data is processed by those third parties. An example of a fairly recently added third party is that we're using a company called Sentry ( to process and monitor error reports, allowing our dev team to more easily see clusters of errors and collaborate over fixes. Sometimes crash traces include usernames and other personal data, so we rely on their privacy policy about how they act as a data processor on our behalf.

The only alternative would be to become experts in everything and build everything in-house. Over time, that has become less and less tenable as we found we were spending a lot more maintaining our own half-baked tooling than it would cost to use a solution run by experts in that space. This is exactly the same way our customers use FastMail rather than running their own mail server and writing their own webmail system.
You "have promised" or are promising this now? I'm not saying you haven't, I just don't know where this promise has been made (not in this thread, as far as I can tell). I'm not in the habit of continuing to press for an answer that has already been given.

If there's something in your officially published policies that already covers the case of making people's log-in addresses available to third parties in marketing context, then I think you should probably hilight that section so people don't miss it. If you want to be your run-of-the-mill "we reserve the right to share everything we know about you with our partners so that we can make more money" company, that is obviously your choice. I, personally, would like your company more (and remain a customer longer) if I saw you giving all this a bit more due diligence. EDIT: I do actually appreciate the fact that you're going to document what you share, I just don't know why you have to frame this as a concession to "extremists" rather than simply a good idea in general.

Last edited by walpurg : 18 Apr 2018 at 09:51 PM.
walpurg is offline   Reply With Quote