Submission regarding “The Assistance And Access Bill 2018”

Privacy & Security

Sent to the Australian Department of Home Affairs on September 8, 2018.
For more information around this submission, see our blog post about the bill.

To whom it may concern,

FastMail Pty Ltd is an Australian company, headquartered in Melbourne, and providing hosted internet email and related services to individuals and companies in over 100 countries. The bulk of our customer base is overseas, making us an Australian exporter.

FastMail directly employs 17 Australians, as well as contractors and overseas staff. We operate in a competitive marketplace, facing both free (advertising supported) and paid rivals. Our competitors range from the large (e.g. Google, Microsoft, Yahoo) to the niche confidentiality focused (e.g. ProtonMail, Tutanota, Hushmail).

The past few years have seen a dramatic increase in public awareness of how their data is being used (or misused) by companies they had entrusted to protect their interests, which has led to changing regulations such as the EU GDPR and the Australian Privacy Act.

Our customers trust us for a variety of reasons, but a large part of our appeal is our choice to provide service in exchange for money, instead of trying to monetise customer data and sell out their privacy. Australia’s privacy protections have always given our customers comfort that we will not be compelled to participate in dragnet surveillance by over-reaching law enforcement.

We have always obeyed lawful Australian subpoenas, and do not see ourselves as above the law. We are well aware of the challenges that law enforcement face in the communications space, and the ongoing tension – on the one hand everybody is safer if bad actors are stopped – on the other hand, there can be security failures inside law enforcement as well. Any change to increase lawful access to data is also opening a security risk for the non-criminals using a service.

We have two main concerns with the Assistance and Access Bill 2018:

Firstly, there is the question of jurisdictional differences. Australia is not considered to have adequate protection for consumers under the European law. With GDPR we were required to execute separate data protection addendum agreements with our customers and suppliers. To the extent that this bill takes us further out of alignment with protections expected by the rest of the world, it hurts the ability of all Australian companies to compete in the global market.

Secondly, the bill contains hedging words like “reasonable” and “proportionate”. While we appreciate the need for flexibility to interpret each situation on its merits, this leaves us with insufficient guidance to build effective and consistent policies at our end. FastMail wants to strongly protect our law-abiding customers, while still ensuring we are not providing a safe haven for bad actors.

We already suffer brain drain as a country, with many of our best technologists moving to San Francisco to join the startup world there. Laws that discourage forming technology startups in Australia by removing privacy safeguards on access to customer data will not help this situation.

Regards,
Bron Gondwana
CEO, FastMail Pty Ltd