Australian email provider FastMail has claimed it will not be subject to the Data Retention law which is scheduled to come into force in Australia shortly, because it is not a telecommunications carrier and does not operate hosting infrastructure in Australia.
The controversial Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 passed in March this year. It broadly requires Australian telecommunications carriers to retain data about the activities of their customers, including records pertaining to telephone calls, text messages, emails and more. Much of this data is already retained and made available to law enforcement agencies; the legislation will significantly widen the scope of the scheme but limit the law enforcement agencies who can get access to it.
FastMail, a private Australian company which provides email services, first published an article in April stating it was not subject to the legislation. However, the article has garnered a great deal of attention this week due to Greens Senator Scott Ludlam having published it on his popular Facebook page, recommending FastMail for use by those seeking to avoid data retention laws.
“… if you don’t use your ISP email, the legislation doesn’t apply. If you use a free webmail provider that is not an ISP in Australia, the government won’t be collecting this information,” Senator Ludlam wrote, noting that FastMail was a “great choice if you’re looking for somewhere to switch to”.
For its part, FastMail’s article states that because it is not defined as a telecommunications carrier and does not host infrastructure in Australia — two key aspects of the law — it is not required to retain customer data under the law.
“… the only equipment in Australia is employees and their work computers, there are no servers running any FastMail services or storing any email in Australia,” the company stated.
However, it appears that there are risks to using FastMail as your email provider, even though the company is not covered by Australia’s Data Retention legislation.
The company publicly states that its mail servers are located in New York City and Amsterdam. The US does not have the same precise data retention legislation as Australia, but US authorities do have wide-ranging powers to access data held by technology companies, and regularly access data held by similar companies providing email hosting services, such as Google and Microsoft.
It is not clear that FastMail is able to protect its email servers in the US from being accessed by the US Government, and from that data being passed back to Australian law enforcement agencies.
FastMail itself regards the Data Retention legislation as “poorly thought out”.
“There’s no evidence that large scale metadata retention will actually lead to improved policing, and in an insane situation, you actually have the communications minister for the government that’s passing this law recommending ways to work around the law!” the company wrote on its blog, referring to previous comments made by then-Communications Minister Malcolm Turnbull.
“All this bill does is impose excessive additional regulations and burdens on Australian businesses. It actively discourages us from investing in servers and infrastructure in Australia and encourages us to put them elsewhere in the world to ensure that the law continues to not apply to us. Forcing an Australian company to reduce IT infrastructure investment in Australia and creating an inferior experience for Australian customers, while providing no proven law enforcement benefit for anyone feels like a massive mistake to us.”
I’m sorry, but I must say that I regard FastMail as naive in its claim that its email servers are safe from Australia’s Data Retention legislation just because they are not hosted in Australia.
Revelations by Edward Snowden and others have documented just how porous technology infrastructure based in the US is to US law enforcement authorities.
Does anyone really think that the US Government would have a problem getting access to any US-based email server that it wanted to, or that it would hesitate before passing on data requested by Australian law enforcement authorities? We are one of the US’s closest allies and information is constantly passed back and forth.
I don’t particularly regard FastMail’s servers as being any more secure at this point than those of, for example, Google or Microsoft. I’m not being cynical here … just practical.