I am proposing two major changes to this system. The first change is that users on the fergfam.org would move over to the ferguson.pw as their email domain. Depending on some other choices that also must occur, email addressed to you at fergfam.org would still be routed to you at ferguson.pw.
The second change could be considered more drastic. Currently, Google Apps is the platform we use for email, and also provides contact management, calendars, online documents storage, and Google Chat on the fergcorp.com and fergfam.org domain. For myriad of reasons, I am recommending moving to a different system that does not involve Google as intimately.
In particular, I believe the adage that if you aren’t paying for the product, you are the product. The current service level we have with Google is a since-discontinued no-cost plan. This level of service is almost identical to what is provided to users with regular Gmail accounts (vice Google Apps), which analyzes your email to provide targeted advertising.
Furthermore, over the last four years Google has been subject to thousands of government requests for data on accounts and provided some amount of data over 88% of the time ((http://www.google.com/transparencyreport/userdatarequests/US/)). With close to 500 million users ((http://techcrunch.com/2012/06/28/gmail-now-has-425-million-users-google-apps-used-by-5-million-businesses-and-66-of-the-top-100-universities/)), the number of accounts affected is small – just 0.016% over four years ((based on linear extrapolation of the data)). Still, the fact remains.
In light of programs such as PRISM, Google issued the following statement (emphasis added):
Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully.
In my opinion, simply submitting to the law falls significantly short in terms of protecting user privacy and data, especial for something as personal as email. When combined with all the other data Google is able to aggregate, the concern becomes larger: a one-stop shop for information on a person and their activities.
Indeed, there exists a notion in the corporate world that the least expensive solution is to capitulate to government requests for data. My hope is that this tide will turn. Only Yahoo! has shown that it actively tried to fend off the government when user data was requested:
In 2007, Yahoo received an order to produce user data under the Protect America Act (the predecessor statute to the FISA Amendments Act, the law on which the NSA’s recently disclosed Prism program relies). Instead of blindly accepting the government’s constitutionally questionable order, Yahoo fought back. The company challenged the legality of the order in the FISC, the secret surveillance court that grants government applications for surveillance. And when the order was upheld by the FISC, Yahoo didn’t stop fighting: it appealed the decision to the Foreign Intelligence Surveillance Court of Review, a three-judge appellate court established to review decisions of the FISC.
In order to address these overall privacy issues, I propose a replacement provider meet the following requirements:
- Pay per use
- Smaller customer base
- Implementation of effective security
- Adherence to standards
- Reasonable Service Level Agreement
It is my opinion that switching to a smaller provider and paying them to manage our email system is the best option to ensure our privacy.
Implementation of effective security is subjective measure, and there is single correct or best way to implement security. As a side note, I recommend reading anything by Bruce Schneier.
Adherence to standards is important to ensure continued interoperability with other systems. While Google has been championing open standards, they have since started to become more closed platform, in particular they recently replaced the “‘Talk’ platform with a new one called ‘Hangouts’ that sharply diminishes support for the open messaging protocol known as XMPP (or sometimes informally Jabber), and also removes the option to disable the archiving of all chat communications. These changes represent a switch from open protocols to proprietary ones, and a clear step backward for many users.” ((Source: https://www.eff.org/deeplinks/2013/05/google-abandons-open-standards-instant-messaging))
Finally, a reasonable Service Level Agreement (SLA) to ensure that services such as email are available when we want and need them. The number one reason I have decided to run my own mail server is that I would have concerns about being able to meet the minimum SLA.
I haven’t determined what that final solution might be, but I’m working on piecing it together.
The proposed transition plan for email would be as such:
- All users on fergfam.org would be given accounts on ferguson.pw
- All email from fergfam.org would be forwarded to the appropraite account on ferguson.pw
- All existing email from fergfam.org would be moved to your account on ferguson.pw
- Once all users have transitioned and all email has been migrated to ferguson.pw, the the Google system for fergfam.org would be shutdown (email would continue to be forwarded to from fergfam.org as long as we maintain the fergfam.org domain name).
In looking for an email replacement for Google, I considered several different providers and FastMail emerged as the lone company whom I believe is capable of meeting our requirements.
While FastMail is an Australian-based ((formerly owned by Norwegian-based Opera)), the actual data servers are in New York. This is ideal because FastMail is an Australian company and as such is subject to Australian law, which is notably more stringent than US law when it comes to email. Australia also does not have any equivalent to the US National Security Letter. ((http://blog.fastmail.fm/2013/10/07/fastmails-servers-are-in-the-us-what-this-means-for-you/))
However, the fact that their servers are in the US ensures that your data will generally only traverse within the borders of the US, which significantly reduces the likelihood of it being spied on.
FastMail is almost a drop in replacement for GMail with the following caveats:
- Google Documents is separate from Google Mail. FastMail does not, nor is it designed to, replace Google Documents. You do not need a Google Mail account to use Google Documents.
- While FastMail does have contacts lists, it does not support CardDAV yet (it should be available within a year). CardDAV is important if you want to sync contacts across devices or software (such as a phone or desktop mail application).
- FastMail does not have a calendar solution. However, CalDAV support is coming within a year.
Having said that, I have already started moving myself to FastMail servers. There are some limitations that I’m having to work around due to the lack of CardDAV and CalDAV support, but if you don’t use Google Calendar and don’t use a smartphone you would not be affected by these limitations.
New users (i.e. Courtney) have been put on the ferguson.pw domain (using FastMail) and I am recommending that users with email address at fergfam.org switch to using ferguson.pw (using FastMail) sooner rather than later.
When you would like to make the switch, please let me know and I’ll get you started. If you have concerns about moving or lack of functionality, let me know and we’ll get something figured out!