Fastmail refuses to comment about handing over keys to government agencies

communicant · 25 Jul 2013, 06:48 AM

A news story at cnet.com headed "Feds put heat on Web firms for master encryption keys" states that "Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies." The article can be found at http://news.cnet.com/8301-13578_3-57...cryption-keys/

Given that Opera/Fastmail has declined to comment, it is doubtful that any FM reps at EMD will have anything to say on the matter, but I thought the subject was worth raising here.

This is distressing news.

neilj · 25 Jul 2013, 02:05 PM

"Refuse to comment" is blogger speak for "we sent a request to some random email address we found, probably in the middle of the night Australia-time because we're US-centric, and didn't receive a response within an hour".

We haven't yet managed to find where they sent their request to, but needless to say of course we don't give anyone our encryption keys.

jchan · 25 Jul 2013, 03:42 PM

I saw the same article and came here looking for answers, as a Fastmail user for personal & business email. If Fastmail really does refuse to give anyone their encryption keys, that is very reassuring news. I am only worried about whether or not there might be some sort of gag order or legal threats in place.

bitflipper · 25 Jul 2013, 11:18 PM

I came here to post the same question as others have.

No offense to Neil, but can we get an official statement from FastMail?

Look, I am not a drug dealer or anything like that. What I am is someone who believes our founding father's of this country (USA) were onto something all those many years ago. I believe in supporting companies who have a similar belief.

When I initially heard that Google, Microsoft, Yahoo, and the rest were flagrantly cozying up to the NSA, I thought fine; I have have FastMail! Now, I am not so sure I should feel any different.

It is one thing for FastMail to comply with laws and proper due process. It is another thing if they are handing over the keys to the castle and not telling their customers what they have done (and don't tell me you didn't give anything up to the government when a third party proxy might be getting the data).

Again, I ask that FastMail come clean about this whole issue.

Thank you.

robert@fm · 26 Jul 2013, 01:17 AM

When I heard of this story, I felt it could have two different interpretations — "we dare not comment for fear the NSA will come down on us" vs. "this story is too silly to be worth the bother of us commenting on it". Now we learn from Neil that it's actually a third interpretation — "we have failed (not refused) to comment because those idiots sent the query to the wrong address, and we didn't even know we'd received it".

Doesn't sound to me as if there's any cause for panic, although this is another example of the "we are the world" syndrome...

robn · 26 Jul 2013, 07:07 AM

Interesting interpretation.

The point neilj was actually making is that the article is bunk because it tries to make out that FastMail did something that we didn't. That article says exactly nothing about anything we have or haven't done.

The other thing that neilj said is "we don't give anyone our encryption keys". That's about as clear and unambiguous as it can be. Of course you'll say that we can't be trusted because we might have been instructed to lie. In which case its kind of ridiculous even asking if you won't accept the answer anyway.

We take your privacy damn seriously. We work hard to keep things locked up tight. There are no backdoors in FastMail servers. We don't give out access. Whether you believe that or not is up to you.

(Yes, I sound a little cranky. Don't take it personally. I'm mostly just grumpy about being put in this position at all).

communicant · 26 Jul 2013, 07:21 AM

Quote:

Originally Posted by robn

Interesting interpretation.

The point neilj was actually making is that the article is bunk because it tries to make out that FastMail did something that we didn't. That article says exactly nothing about anything we have or haven't done.

The other thing that neilj said is "we don't give anyone our encryption keys". That's about as clear and unambiguous as it can be. Of course you'll say that we can't be trusted because we might have been instructed to lie. In which case its kind of ridiculous even asking if you won't accept the answer anyway.

We take your privacy damn seriously. We work hard to keep things locked up tight. There are no backdoors in FastMail servers. We don't give out access. Whether you believe that or not is up to you.

(Yes, I sound a little cranky. Don't take it personally. I'm mostly just grumpy about being put in this position at all).

1) I accept your statement at face value and I believe it. Great.

However...

2) It simply won't do for a corporation to whine that a request from a news outlet (a legitimate tech site like cnet, not some crank) arrived 'in the middle of the night' or without consideration for the time zone, etc. The cnet mention is precisely the sort of negative publicity that a well-run company seeks to avoid, by responding to queries and requests from legitimate news media. A reporter (or blogger) asks something, you answer (preferably in time to head off a negative mention in a news story), and the problem doesn't exist in the first place. So far, the reaction seems both peevish and amateurish. Is that how Opera/FastMail wishes to be perceived? Managing the flow of public information and reacting nimbly to perceived problems are surely important skills for any well-run company, is that not so?

robn · 26 Jul 2013, 07:48 AM

Again neilj: "We haven't yet managed to find where they sent their request to"

We can't reply to emails we don't receive. We still haven't seen this original email, and still don't know where it was sent to.

Had we received it, we would have responded as quickly as possible, as has been the case for the many queries on this subject we've received in the last few weeks. In this case we read the article and immediately contacted the author with a statement. The article has now been updated with that statement.

bitflipper · 26 Jul 2013, 08:07 AM

To Rob: I do believe you and I am sure you find it annoying that you have to keep defending your position. I am with communicant here though. I think given the current security issues that we now face and with Defcon coming up, this topic is very important to some of us.

I have been a FastMail customer for about 6 or so years now. Pre-Opera ownership era, I wouldn't have given it a second thought as to where FastMail's loyalties lie. Now that FastMail is owned by a larger company, there is some doubt as to what is going on and is one of the reasons why I asked.

I still think this is worthy of a blog post by senior level FastMail management saying what the companies position is on the matter. Use the fact that you don't give the keys to the castle away and only do what you have to as required by law as a selling point for your services.

I value the service I get from my FastMail subscription. It is nice to know that you value the same thing I value. I am sure others who don't frequent this forum would like to know your position as well.

kijinbear · 26 Jul 2013, 05:02 PM

It seems like FM did make a comment to another reporter:

http://news.cnet.com/8301-13578_3-57...unt-passwords/

Quote:

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.

drew · 26 Jul 2013, 10:25 PM

I see this from two aspects?
If there is an agreement then most likely they have promised to deny such access is granted. So we can not know it is set up in a way that they can not answer in a confirming way?

Another is that like when we asked about if Opera was going to accept an offer from Facebook to be their sole way to access Facebook on smartphones and FB kind of buy them for to have that exclusive ownership of that tech? Sorry confusing text.

Opera could not answer that if such negotiations at all had been going on or not because that would not be allowed to comment on.

but the most important is that NSA AFAIK can access all sent emails by having access to the servers that act as middle between the mail servers so there only cryptations can prevent them from knowing the content but maybe they know who initiated the email and to whom it was sent and that is very vital knowledge because that allow them to see patterns of communication and draw conclusions from that knowledge and then they can ask for to get out that communication decrypted if they can show a Judge that it is part of an investigation that they see as protecting the interest of US

I am not the sharpest knife in the drawer but is it not logical enough?

Chet · 27 Jul 2013, 05:13 AM

I wish Fastmail would provide a definitive, unequivocal answer as to how they would respond to a request and whether they could be legally bound not to disclose information about such requests or their policy with respect thereto going forward.

I have been a Fastmail member from the early days and I seem to remember one of the advantages they touted were that at the time their servers were not located in the US and therefore immune to US law.

William9 · 27 Jul 2013, 02:52 PM

Fastmail's main email servers are located in New York, and have been for many years -- possibly since the service's inception.

David · 27 Jul 2013, 03:12 PM

Quote:

Originally Posted by William9

Fastmail's main email servers are located in New York, and have been for many years -- possibly since the service's inception.

Agreed: Fastmail, although maintaining its head office in Australia, have always been a US based company - server wise, at least.

thymara · 28 Jul 2013, 12:53 AM

Quote:

Originally Posted by Chet

I wish Fastmail would provide a definitive, unequivocal answer as to how they would respond to a request and whether they could be legally bound not to disclose information about such requests or their policy with respect thereto going forward.

I have been a Fastmail member from the early days and I seem to remember one of the advantages they touted were that at the time their servers were not located in the US and therefore immune to US law.

Assume that any internet communication can be captured without FM knowledge / approval and act accordingly. What FM says is irrelevant.

25 Jul 2013, 06:48 AM	#1
communicant Cornerstone of the Community Join Date: Jul 2009 Posts: 879	Fastmail refuses to comment about handing over keys to government agencies A news story at cnet.com headed "Feds put heat on Web firms for master encryption keys" states that "Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies." The article can be found at http://news.cnet.com/8301-13578_3-57...cryption-keys/ Given that Opera/Fastmail has declined to comment, it is doubtful that any FM reps at EMD will have anything to say on the matter, but I thought the subject was worth raising here. This is distressing news.

25 Jul 2013, 02:05 PM	#2
neilj Cornerstone of the Community Join Date: Apr 2004 Location: Melbourne Posts: 971 Representative of: Fastmail.fm	"Refuse to comment" is blogger speak for "we sent a request to some random email address we found, probably in the middle of the night Australia-time because we're US-centric, and didn't receive a response within an hour". We haven't yet managed to find where they sent their request to, but needless to say of course we don't give anyone our encryption keys.

25 Jul 2013, 03:42 PM	#3
jchan Junior Member Join Date: Jul 2013 Posts: 1	I saw the same article and came here looking for answers, as a Fastmail user for personal & business email. If Fastmail really does refuse to give anyone their encryption keys, that is very reassuring news. I am only worried about whether or not there might be some sort of gag order or legal threats in place.

25 Jul 2013, 11:18 PM	#4
bitflipper Junior Member Join Date: Sep 2008 Location: /dev/null Posts: 16	I came here to post the same question as others have. No offense to Neil, but can we get an official statement from FastMail? Look, I am not a drug dealer or anything like that. What I am is someone who believes our founding father's of this country (USA) were onto something all those many years ago. I believe in supporting companies who have a similar belief. When I initially heard that Google, Microsoft, Yahoo, and the rest were flagrantly cozying up to the NSA, I thought fine; I have have FastMail! Now, I am not so sure I should feel any different. It is one thing for FastMail to comply with laws and proper due process. It is another thing if they are handing over the keys to the castle and not telling their customers what they have done (and don't tell me you didn't give anything up to the government when a third party proxy might be getting the data). Again, I ask that FastMail come clean about this whole issue. Thank you.

26 Jul 2013, 01:17 AM	#5
robert@fm The "e" in e-mail Join Date: Feb 2002 Location: London, UK Posts: 4,681	When I heard of this story, I felt it could have two different interpretations — "we dare not comment for fear the NSA will come down on us" vs. "this story is too silly to be worth the bother of us commenting on it". Now we learn from Neil that it's actually a third interpretation — "we have failed (not refused) to comment because those idiots sent the query to the wrong address, and we didn't even know we'd received it". Doesn't sound to me as if there's any cause for panic, although this is another example of the "we are the world" syndrome...

26 Jul 2013, 07:07 AM	#6
robn Master of the @ Join Date: May 2012 Location: Melbourne, Australia Posts: 1,007 Representative of: Fastmail.fm	Interesting interpretation. The point neilj was actually making is that the article is bunk because it tries to make out that FastMail did something that we didn't. That article says exactly nothing about anything we have or haven't done. The other thing that neilj said is "we don't give anyone our encryption keys". That's about as clear and unambiguous as it can be. Of course you'll say that we can't be trusted because we might have been instructed to lie. In which case its kind of ridiculous even asking if you won't accept the answer anyway. We take your privacy damn seriously. We work hard to keep things locked up tight. There are no backdoors in FastMail servers. We don't give out access. Whether you believe that or not is up to you. (Yes, I sound a little cranky. Don't take it personally. I'm mostly just grumpy about being put in this position at all).

26 Jul 2013, 07:48 AM	#8
robn Master of the @ Join Date: May 2012 Location: Melbourne, Australia Posts: 1,007 Representative of: Fastmail.fm	Again neilj: "We haven't yet managed to find where they sent their request to" We can't reply to emails we don't receive. We still haven't seen this original email, and still don't know where it was sent to. Had we received it, we would have responded as quickly as possible, as has been the case for the many queries on this subject we've received in the last few weeks. In this case we read the article and immediately contacted the author with a statement. The article has now been updated with that statement.

26 Jul 2013, 08:07 AM	#9
bitflipper Junior Member Join Date: Sep 2008 Location: /dev/null Posts: 16	To Rob: I do believe you and I am sure you find it annoying that you have to keep defending your position. I am with communicant here though. I think given the current security issues that we now face and with Defcon coming up, this topic is very important to some of us. I have been a FastMail customer for about 6 or so years now. Pre-Opera ownership era, I wouldn't have given it a second thought as to where FastMail's loyalties lie. Now that FastMail is owned by a larger company, there is some doubt as to what is going on and is one of the reasons why I asked. I still think this is worthy of a blog post by senior level FastMail management saying what the companies position is on the matter. Use the fact that you don't give the keys to the castle away and only do what you have to as required by law as a selling point for your services. I value the service I get from my FastMail subscription. It is nice to know that you value the same thing I value. I am sure others who don't frequent this forum would like to know your position as well.

26 Jul 2013, 10:25 PM	#11
drew The "e" in e-mail Join Date: Jan 2006 Posts: 2,626	I see this from two aspects? If there is an agreement then most likely they have promised to deny such access is granted. So we can not know it is set up in a way that they can not answer in a confirming way? Another is that like when we asked about if Opera was going to accept an offer from Facebook to be their sole way to access Facebook on smartphones and FB kind of buy them for to have that exclusive ownership of that tech? Sorry confusing text. Opera could not answer that if such negotiations at all had been going on or not because that would not be allowed to comment on. but the most important is that NSA AFAIK can access all sent emails by having access to the servers that act as middle between the mail servers so there only cryptations can prevent them from knowing the content but maybe they know who initiated the email and to whom it was sent and that is very vital knowledge because that allow them to see patterns of communication and draw conclusions from that knowledge and then they can ask for to get out that communication decrypted if they can show a Judge that it is part of an investigation that they see as protecting the interest of US I am not the sharpest knife in the drawer but is it not logical enough?

27 Jul 2013, 05:13 AM	#12
Chet Junior Member Join Date: Mar 2012 Posts: 3	I wish Fastmail would provide a definitive, unequivocal answer as to how they would respond to a request and whether they could be legally bound not to disclose information about such requests or their policy with respect thereto going forward. I have been a Fastmail member from the early days and I seem to remember one of the advantages they touted were that at the time their servers were not located in the US and therefore immune to US law.

27 Jul 2013, 02:52 PM	#13
William9 The "e" in e-mail Join Date: Nov 2005 Location: San Francisco Posts: 2,281	Fastmail's main email servers are located in New York, and have been for many years -- possibly since the service's inception.