Aussie email provider FastMail says it is exempt from Data Retention law


news Australian email provider FastMail has claimed it will not be subject to the Data Retention law which is shortly scheduled to come into force in Australia, due to the fact that it is not a telecommunications carrier and does not operate hosting infrastructure in Australia.

The controversial Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 passed in March this year. It broadly requires Australian telecommunications carriers to retain data about the activities of their customers, including records pertaining to telephone calls, text messages, emails and more. Much of this data is already retained and made available to law enforcement agencies; the legislation will significantly widen the scope of the scheme but limit the law enforcement agencies who can get access to it.

FastMail, a private Australian company which provides email services, first published an article in April stating it was not subject to the legislation. However, the article has garnered a great deal of attention this week due to Greens Senator Scott Ludlam having published it on his popular Facebook page, recommending FastMail for use by those seeking to avoid data retention laws.

“… if you don’t use your ISP email, the legislation doesn’t apply. if you use a free webmail provider that is not an ISP in Australia, the government won’t be collecting this information,” Senator Ludlam wrote, noting that FastMail was a “great choice if you’re looking for somewhere to switch to”.

For its part, FastMail’s article states that because it is not defined as a telecommunications carrier and does not host infrastructure in Australia — two key aspects of the law — then it is not required to retain customer data under the law.

“… the only equipment in Australia is employees and their work computers, there are no servers running any FastMail services or storing any email in Australia,” the company stated.

However, it appears that there are risks to using FastMail as your email provider, even though the company is not covered by Australia’s Data Retention legislation.

The company publicly states that its mail servers are located in New York City and Amsterdam. The US does not have the same precise data retention legislation as Australia, but US authorities do have wide-ranging powers to access data held by technology companies, and regularly access data held by similar companies providing email hosting services, such as Google and Microsoft.

It is not clear that FastMail is able to protect its email servers in the US from being accessed by the US Government, and that data passed back to Australian law enforcement agencies.

FastMail itself regards the Data Retention legislation as “poorly thought out”.

“There’s no evidence that large scale metadata retention will actually lead to improved policing, and in an insane situation, you actually have the communications minister for the government that’s passing this law recommending ways to work around the law!” the company wrote on its blog, referring to previous comments made by then-Communications Minister Malcolm Turnbull.

“All this bill does is impose excessive additional regulations and burdens on Australian businesses. It actively discourages us from investing in servers and infrastructure in Australia and encourages us to put them elsewhere in the world to ensure that the law continues to not apply to us. Forcing an Australian company to reduce IT infrastructure investment in Australia and creating an inferior experience for Australian customers, while providing no proven law enforcement benefit for anyone feels like a massive mistake to us.”

I’m sorry, but I must say that I regard FastMail as naive in its claim that its email servers are safe from Australia’s Data Retention legislation just because they are not hosted in Australia.

Revelations by Edward Snowden and others have documented just how porous technology infrastructure based in the US is to US law enforcement authorities.

Does anyone really think that the US Government would have a problem getting access to any US-based email server that it wanted to, or that it would hesitate before passing on data requested by Australian law enforcement authorities? We are one of the US’s closest allies and information is constantly passed back and forth.

I don’t particularly regard FastMail’s servers as being any more secure at this point than those of, for example, Google or Microsoft. I’m not being cynical here … just practical.

Image credit: Intel Free Press, Creative Commons


  1. The main difference here is that US wil have access to the metadata that fastmail keep and can pass that back to Aus government depts (not just law enforcement have access to the data) but in the US there is no law that they have to keep it.. so they collect and remove after 24-48 hours (so it’s retained for error checking/debugging if they want) and then delete it so it can’t be accessed later. The Aus law requires that the get it and keep it. So by not being subject to them there is the opportunity to have significantly less personal data for Aus government to get access to.

  2. It seems FastMail have not heard of the U.S.’s Stored Communications Act, its been around for a long time and was/is more dangerous than the now defunct Patriot Act.

    The U.S. also has far less privacy protections than Australia does.

    And the confliction about Service Provider under the Act will very quickly be clarified by Govt ammendments I think in hte not too distant future,

    The Telco Act declares a WebHost as a Service Provider which is an ISP (not in traditional sense as we know it, but it is under the Telco Act), but in their haste to get this crap forced onto everyone in a hurry (who said govts dont work fast when they want to), they legislated it as, as determined under the Broadcast Services Act, which calls ISP’s are we know them to be, meaning a Webhost could argue that because the AGD messed it up and allowed the BSA to determine whos who and not the governing Telecommunications Act, that they are not bound by it.

    Either way you can be your @ss the technoincompitants in Govt will soon realise that the vast majority of Email logs in this country wont legally be required to be kept, so they will have NFI, a simple loophole to close I’m sure they already know about.

    And they aren’t too worried about you having mail stored here, since if you use or traverse cables to the U.S. or through U.K to use mail, the spooks over there will be able to give ASD all the goodies they want anyway with all their taps.

  3. If you talk to any local email or Web hosting providers they will all tell you the same thing – the advice we have given the current legislation is that the data retention legislation does not apply to us because we are not telecommunications carriers. The legislation is directed at ISPs, not data centres or email hosts. If they want to capture those businesses they will have to change the legislation, which will decimate the sector.

    As for Fastmail’s offshore hosting situation, being subject to US law is potentially worse than Australia’s data retention law, yes – see the ruling last week from the EU suggesting that simple transmission between companies registered in the USA, irrespective of whether that communication happens within the USA or whether or not any data is stored within the USA, is enough to allow US agency interception and access, which fundamentally undermines EU privacy law and means that any US based company operating in the EU with EU citizen data is likely to be in breach of EU privacy law. Also note that there are no privacy laws in the USA protecting foreigners, only US citizens. So Fastmail customers have no legal barriers from total access by US security agencies. If Fastmail uses encrypted channels for all commications and encrypts everything on those servers then they will have a technical barrier to interception and access, but operating within the USA still means they must provide access to security agencies upon request, making the whole encryption thing a moot point. Unless you encrypt it from yourself and only give the decryption keys to your customers, but that’s not what they’re doing.

    In summary, you’re right about Fastmail, but the point about local mail hosting companies being exempt stands – unless they’re an ISP or other form of communications carrier the data retention legislation doesn’t capture them.

  4. Thats rubbish, how will it decimate the industry? Chances are your webhost is *already* keeping your email server logs for a LOT longer than you imagine. most end-user-access SP’s likely too.

    Lets look at some FACTS..

    from the AGD CAC:

    “In Web hosting there are two services we treat as separate

    The first service is the server hosting. Assuming that you are carrier, carriage service or
    internet service provider, this service is a ‘relevant service’.

    This means that the service has data retention obligations unless there is a valid exclusion.

    The second service is the email service. While you offer this service as a product in combination
    with web hosting, we consider the two as separate services for the purpose of data retention.

    The email service also has data retention obligations.

    So, now it comes down to what is carrier, carriage service, or internet service provider.

    Data retention obligations apply only to ‘relevant services’. A service is a ‘relevant service’ if:
    (a) It is a service for carrying communications, or enabling communications to be carried,
    (b) It is a service operated by a carrier, carriage service provider or internet service provider, and
    (c) The person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services.

    Based on the information you have provided, including the knowledge that you offer an email service, it is likely that you are a CSP.

    The definition of a carriage service provider (CSP) is contained within s87 of the Telecommunications Act 1979. Carriage services include services for carrying communications, for example telephone services, email services, Internet access services and Voice over Internet Protocol (VoIP) services.

    The email server you have described will likely be captured by data retention obligations unless an exemption is sought and agreed to.

    END official quote from CAC – charged with managing and enforcing this nightmare.
    so those webhosts playing blind will eventually be in for a shock, but hey dont take my word for it, see Telco Act s87, and, if my memory serves me correctly, s187A 3b (or somewhere round there)

    • Sorry Nobby, according to everyone I’ve spoken to who provide much larger services than us, just providing Web hosting or email hosting does not categorise them as a ‘carriage service provider’ and the legislation is not relevant to them. Some very experienced legal firms have come to that conclusion – how many years have you been practicing law, particularly representing datacentre operators?

      I think what you’re doing is confusing those points as being ‘or’ clauses when they are ‘and’ requirements. That is, you must provide communications services, you must be a carrier or ISP *and* you must be providing email storage services.

      As for your question about ‘decimating the industry’, the costs of compliance would bankrupt our business if we continued it, even considering hosting is only about 1% of our business – it is merely an ancillary service for us. But the costs of the software, storage, maintenance and backup, management interface and compliance documentation would mean we would have to drop hosting completely. You need economies of scale to make compliance costs viable.

      Also consider every business with an Exchange server. Are they ‘carriers’ because they host their own email? That’s a ridiculous proposition, but by extension so is the idea that anyone providing email hosting can be considered a carrier.

      • Case in point, if I run an email server for myself, and effectively provide a service to myself – am I required to retain records?

        This would be a logistical nightmare to police, let alone legislate; so I cannot see how the terms could be so broad.

        The legislation appears to be squarly aimed at ISPs and carriers, as they are considered the “gatekeepers” (indeed, it’s the same people copyright enforcers chase); it’s no surprise the government would target the same points.

        It’s a case of “and”, rather than “or”, surely. I would tend to think your response is bang on.

        • when you read the Telco Act, no, you wouldnt so long as it is yourself and say family/housemates etc, if you provide a service to just one person outside your immediate circle, then you likely would be required to comply.

          If in doubt email the CAC (email on AGD website), to avoid delays outline your situation completely and they should tell you for sure.

      • @UninvitedGuest

        The whole problem is most hosts are getting different information from unofficial sources, many of the most vocal opponents of this law have brought out some far flung arguments, many of them you are referring to are likely from same said group that are running around telling people DNS queries must now be logged and kept for two years – which is utter rot, many of them saying they dont need to comply because they have it on good authority blah blah blah, who’s the good authority you ask, the same internet industry group thats been fighting the law, not from any actual legal source.

        Think about it, why else would they make it a requirement that they need a warrant for journo’s data? Do you think every journo uses their end access provider for company email? if so, do you think every ISP knows that joe blogs is a journo? no, of course they dont, but they know damn well that is a journo and would have that hosted somewhere, so that adds further to support whats the CAC has told many.

        I dont see any of these people saying we dont need to keep it actually produce in full or in part any of the correspondence from the AGD confirming what they are saying, I’m on a number of industry mailing lists and not one has ever shown the proof , oh one did, from an auditor, LOL someone whos not a lawyer, or from the AGD.

        As for costs, thats chicken feed, I commented on here what the costs would be for an ISP the size of Exetel, most webhosts are far far smaller with much less retention requirements, remember, for webhosts, its just customer account/billing data and email logs, hell they dont even want ftp logs, it s a pittance, unless your melbIT there you would need a fair bit more.

        The major costs are for Telcos, most of the storage even their will be in cell data, because its all data for the cell, not just call/SMS info – but again, Telstra and Optus already keep this for 7 years anyway, just Vodafone AU that kept it for a lot less from memory of their appearance before the pjc.

        All you have to do is read the legislation in the Act, its pretty clear, so if you run a webhost, I suggest you talk to real ICT lawyer who knows how to read govt nonsense rather than replying on he said this they said that.

Comments are closed.