FastMail's servers are in the US: what this means for you
As you may be aware, there have been many reports recently of secret data mining programs conducted by the US government. These reports have included mention of secret network interception and "backdoor" access to private email accounts. While we have no position on the veracity of these claims, we have had many queries about what, if anything, this might mean for us and for our customers, given that our primary servers are located in the US. This is our response to those questions.
There are some rare cases of overseas entities applying to Australian authorities for information under a Mutual Assistance treaty. In that case proper Australian documentation must be issued before we will do anything. These cases are particularly rare because the burden of proof required is very high, and the chain of events is very long (ultimately, each case currently requires sign off from the Australian Attorney General). The Mutual Assistance treaties also have (amongst other things) a test of whether the putative offense would be illegal in Australia, not just in their country of origin.
Australia does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it.
It has been pointed out to us that since we have our servers in the US, we are under US jurisdiction. We do not believe this to be the case. We do not have a legal presence in the US, no company incorporated in the US, no staff in the US, and no one in the US with login access to any servers located in the US. Even if a US court were to serve us with a court order, subpoena or other instruction to hand over user data, Australian communications and privacy law explicitly forbids us from doing so.
It might be possible for the US government to lean on the Australian government or other international legal body to compel us to hand over data but this likely to be an expensive, time-consuming and highly visible process. In our opinion those barriers make it extremely unlikely to happen.
There are of course other avenues available to obtain your data. Our colocation providers could be compelled to give physical access to our servers. Network capturing devices could be installed. And in the worst case an attacker could simply force their way into the datacentre and physically remove our servers.
These are not things we can protect against directly but again, we can make it extremely difficult for these things to occur by using strong encryption and careful systems monitoring. Were anything like this ever to happen we would be talking about it very publically. Such an action would not remain secret for long.
Ultimately though, our opinion is that these kinds of attacks are no different to any other hacking attempt. We can and will do everything in our power to make getting unauthorised access to your data as difficult and expensive as possible, but no online service provider can guarantee that it will never happen.
As a customer, you need to weigh the benefits of keeping your data with us against the risks of that data being disclosed. You may wish to obtain private legal advice to help you assess that risk. And if you come to the conclusion that keeping your data with us is too risky, then we respect that (though please do tell us why!)
If you have any further privacy concerns we haven't addressed, please email firstname.lastname@example.org.