FastMail is not required to implement the Australian metadata retention laws


Oct 7, 2015

Welcome new readers arriving from Senator Scott Ludlam's recent Facebook post or Tweet. FastMail is a paid service, which means that you pay money in exchange for us running the service purely for you, the customer, rather than for advertisers.

While we don't provide a free service, we do offer a free trial so you can try out our service before you commit. Do head over to the signup page and see email, calendar and contacts done right. Or keep browsing through this blog to see how an email service runs behind the scenes.


Summary: We have reviewed the recently passed Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 and have received additional legal advice confirming that the new metadata retention regime will not apply to FastMail. This means that FastMail is not obligated to retain metadata relating to email sent/received by our users, nor are we required to provide Australian law enforcement agencies with access to such metadata without a warrant. As such, there are no changes to our privacy policy.

For those interested, there are significantly more details below.


Some users have asked us what the recently passed metadata retention laws mean for FastMail, and in particular the privacy of their data. We’ve now reviewed the new laws as passed in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 and worked with a lawyer to get a confirmed interpretation.

The most important provision in the Bill for our purposes is the new section 187A(3) which defines who the laws actually apply to. There are 3 separate parts that must all apply for an entity to be subject to the metadata retention requirements. Quoting the actual bill:

(3) This Part applies to a service if:

   (a) it is a service for carrying communications, or enabling communications to be carried, by means of guided or unguided electromagnetic energy or both; and

   (b) it is a service:

      (i) operated by a carrier; or

      (ii) operated by an internet service provider (within the meaning of Schedule 5 to the Broadcasting Services Act 1992); or

      (iii) of a kind for which a declaration under subsection (3A) is in force; and

   (c) the person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services;

but does not apply to a broadcasting service (within the meaning of the Broadcasting Services Act 1992).

We do meet the requirements for (a); however, neither (b) nor (c) applies to us, so the laws as a whole do not apply to us.

Digging into these in more detail:

Section 187A(3)(a)

As an email service, FastMail clearly enables "communications" to be "carried" (as those two terms are defined in the Telecommunications (Interception and Access) Act 1979 ("TIAA")).

Section 187A(3)(b)

(i) FastMail is not a "carrier" as defined in section 5 of the TIAA because:

  • we are not the holder of a "carrier licence" as defined in section 7
    of the Telecommunications Act 1997 ("TA"); and
  • we are not a "carriage service provider" as defined in section 87 of
    the TA because:
    • the definitions in sections 87(1), (2), (4) and (5) require a
      carriage service provider to be a person supplying a "listed
      carriage service", which is defined in section 16 of the TA to
      mean a "carriage service" between two or more points where at
      least one point is in Australia - as none of FastMail's servers
      are physically in Australia, we only ever connect our servers to
      a network outside of Australia, and therefore only ever carry
      communications between non-Australian locations;
    • the definition in section 87(3) applies to carriage services
      that are supplied as a secondary purpose for a network whose
      principal use is by a defence organisation, transport or
      electricity providers, or similar - none of these uses are
      relevant to FastMail's services;

(ii) FastMail is not an "internet service provider" within the meaning of Schedule 5 to the Broadcasting Services Act 1992, because we do not supply an "internet carriage service" (meaning a listed carriage service (as defined in the TA) that enables end-users to access the internet) to the public; and

(iii) no declarations made under subsection (3A) are in force.

Although the argument regarding FastMail only ever carrying communications between non-Australian networks is quite technical, we’ve not been able to find any cases or commentary which support or contradict that argument. However, having reviewed the rest of the wording in section 87 (including the definitions of "network unit", "line link", "line" and "designated radiocommunications facility", none of which FastMail seems to have in Australia), it seems unlikely that FastMail could be defined as a "carriage service provider".

In any event, given the analysis of part (c) discussed below, it's of little consequence whether (3)(b) applies or not.

Section 187A(3)(c)

The biggest question here is what "infrastructure" means. Section 5 of the TIAA (see page 29 of the Bill) includes a definition as follows:

infrastructure means any line or equipment used to facilitate
communications across a telecommunications network

We don't have any lines or equipment (servers) in Australia, and therefore do not have "infrastructure" in Australia.

As an additional confirmation, the explanatory memorandum for the Bill makes this point even clearer:

Definition of ‘infrastructure’

417. This item inserts a definition for the term
infrastructure into subsection 5(1) of the TIA Act. It defines
infrastructure, as it is used in paragraph 187A(3)(c), to mean any
line or equipment used to facilitate communications across a
telecommunications network.

418. The term infrastructure is used as part of the three
limb test in paragraphs 187A(3)(a), (b) and (c) which defines a
relevant service. ‘Equipment’ is defined in section 5 of the Act,
which states equipment means any apparatus or equipment used, or
intended for use, in or in connection with a telecommunications
network, and includes a telecommunications device but does not include
a line. Section 5 of the Act, defines ‘line’ by reference to the
definition in the Telecommunications Act. Section 7 of the
Telecommunications Act states a line is a wire, cable, optical fibre,
tube, conduit, waveguide or other physical medium used, or for use, as
a continuous artificial guide for or in connection with carrying
communications by means of guided electromagnetic energy.

419. Servers used to operate an ‘over the top’ service such
as VoIP would fall within the definition of infrastructure. However,
‘infrastructure’ is not intended to include business premises. For
example the headquarters of a company, taken in isolation, would not
satisfy the definition of ‘infrastructure.’

420. Importantly, a piece of equipment or line meeting the
definition of infrastructure does not automatically satisfy paragraph
187(3)(c). For instance, a computer used by an employee in a company’s
headquarters or marketing office is not directly involved in the
provision of a relevant service and therefore does not satisfy
paragraph 187(3)(c).

421. This item implements recommendation 11 of the 2015
PJCIS Report by defining the term ‘infrastructure’ in greater detail
for the purposes of paragraph 187A(3)(c).

Therefore, it's clear that part (c) does not apply to FastMail, as the only equipment in Australia is employees and their work computers; there are no servers running any FastMail services or storing any email in Australia.

Therefore section 187A(3), which imposes the metadata retention obligations, does not apply to FastMail.

We had some additional queries regarding the wording of “owns or operates, in Australia”. Since that’s two separate parts, if you take the "own in Australia" part, does that mean "the infrastructure is physically in Australia" or does it mean "the infrastructure is legally owned by an entity in Australia"? It has been made clear to us that the wording of part (c) of section 187A(3) applies to the location of the infrastructure, rather than whether the person or entity that owns the infrastructure is Australian. If this wasn't the case, part (c) would need to be phrased so that the reference was to an "Australian person" or "Australian entity" owning infrastructure (or there'd be a definition to bring in this connection). By using the words "in Australia", the reference can only be to the physical location of the lines and equipment.

As an aside from actually determining if the law applies to us, we regard the actual need for this law as poorly thought out. There’s no evidence that large scale metadata retention will actually lead to improved policing, and in an insane situation, you actually have the communications minister for the government that’s passing this law recommending ways to work around the law! All this bill does is impose excessive additional regulations and burdens on Australian businesses. It actively discourages us from investing in servers and infrastructure in Australia and encourages us to put them elsewhere in the world to ensure that the law continues to not apply to us. Forcing an Australian company to reduce IT infrastructure investment in Australia and creating an inferior experience for Australian customers, while providing no proven law enforcement benefit for anyone feels like a massive mistake to us.