Secure email service Fastmail has made the bold claim that it is ‘NSA proof’, and that it ‘does not co-operate with blanket surveillance’, based mainly on the fact that, despite their primary servers being located in the US, they are ‘an Australian company subject to Australian law’.
From a legal point of view they may be right, as Robert Norris, leading technician at Fastmail, argued in a blog post yesterday:
‘Australia does not have any equivalent to the US National Security Letter, so we cannot be forced to do something without being allowed to disclose it.
‘It has been pointed out to us that since we have our servers in the US, we are under US jurisdiction. We do not believe this to be the case. We do not have a legal presence in the US, no company incorporated in the US, no staff in the US, and no one in the US with login access to any servers located in the US. Even if a US court were to serve us with a court order, subpoena or other instruction to hand over user data, Australian communications and privacy law explicitly forbids us from doing so.
‘It might be possible for the US government to lean on the Australian government or other international legal body to compel us to hand over data, but this is likely to be an expensive, time-consuming and highly visible process. In our opinion those barriers make it extremely unlikely to happen.’
Norris also acknowledges that Fastmail's US-based providers could be compelled to allow access to servers, and that servers could be physically seized, although he assures us that strong encryption and robust monitoring systems would ‘make it extremely difficult for these things to occur’, and that FastMail would make a big song and dance about it if they did.
However, an important consideration that we feel is missing from Norris’s assessment is the well-known fact that the NSA monitors traffic upstream of internet providers, syphoning all data that passes through the US internet backbone to its data centers:
‘Upstream collection… occurs when NSA obtains internet communications, such as e-mails, from certain US companies that operate the Internet background [she meant “backbone”], i.e., the companies that own and operate the domestic telecommunications lines over which internet traffic flows.’ Senator Dianne Feinstein.
Strong encryption may prevent the NSA from reading the contents of emails (or at least slow them down), but it cannot stop the collection of email headers: data about who sent what to whom, when it was sent, and how often emails were exchanged. This metadata is extremely valuable to the NSA, and its power should not be underestimated. It is for this reason that Mike Janke, co-founder of Silent Circle, the firm that closed its secure email service rather than wait for it to be compromised by the NSA, called email ‘fundamentally broken’.
It should also be remembered that even if both the sender and recipient of an email are outside the US, internet traffic is generally routed via the quickest way possible, which means that it will likely pass through the US backbone, where it can be snooped on by the NSA.
Having said all this, we do think that a move away from major US internet giants (who we know are being monitored) is a good thing, and will likely make the NSA's job of spying on everything anybody does everywhere that much more difficult. But we strongly advise against relying on any email service, particularly one with a large number of servers located in the USA, to protect you against NSA snooping.
If you need to communicate securely, encrypted chat services, such as any IM client that supports OTR messaging, or RedPhone, are to be preferred over email. If you do have to use email, encrypting the contents of a message yourself using PGP (remember that header information cannot be hidden) is preferable to relying on any email provider, even one as well intentioned as we are sure FastMail is, to keep your communications secure.
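To make the point about headers concrete, the following added example (not from the original article or from Fastmail) parses a few constructed messages whose bodies are PGP-armored and tabulates what remains readable in the raw message without any key: sender, recipients, time, subject, and how often each pair writes. All addresses, dates and subjects are made up, and the function names are this example's own.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample data: addresses, dates and subjects are made up, and the
# body is a stand-in for real PGP armor (no actual ciphertext is needed here).
ARMOR = "-----BEGIN PGP MESSAGE-----\n\n<ciphertext placeholder>\n-----END PGP MESSAGE-----\n"

def make_message(sender, recipients, date, subject):
    return (f"From: {sender}\nTo: {recipients}\nDate: {date}\n"
            f"Subject: {subject}\n\n{ARMOR}")

SAMPLES = [
    make_message("Alice <alice@example.org>", "bob@example.net",
                 "Mon, 07 Oct 2013 09:15:00 +0000", "Draft contract"),
    make_message("alice@example.org", "Bob <bob@example.net>, carol@example.com",
                 "Tue, 08 Oct 2013 18:40:00 +0000", "Re: Draft contract"),
    make_message("bob@example.net", "alice@example.org",
                 "Tue, 08 Oct 2013 19:02:00 +0000", "Re: Draft contract"),
]

def visible_metadata(raw):
    """Return what is readable in the raw message without any decryption key."""
    msg = message_from_string(raw)
    return {
        "from": parseaddr(msg["From"])[1].lower(),
        "to": [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))],
        "when": parsedate_to_datetime(msg["Date"]),
        "subject": msg["Subject"],  # the subject is a header too, so it stays in the clear
        "body_is_pgp": msg.get_payload().lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }

def contact_summary(raws):
    """Map (sender, recipient) -> message count and first/last timestamps."""
    summary = {}
    for meta in map(visible_metadata, raws):
        for rcpt in meta["to"]:
            entry = summary.setdefault(
                (meta["from"], rcpt),
                {"count": 0, "first": meta["when"], "last": meta["when"]})
            entry["count"] += 1
            entry["first"] = min(entry["first"], meta["when"])
            entry["last"] = max(entry["last"], meta["when"])
    return summary

if __name__ == "__main__":
    for pair, info in sorted(contact_summary(SAMPLES).items()):
        print(pair, info["count"], info["first"].isoformat(), info["last"].isoformat())
```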