I've ranted here before about the complexity of email and the difficulty of even existing as a startup in the email space (see my bio). The single team that has navigated the insanity of the email space well as a small company is Fastmail. They are brilliant, ethical, and pragmatic. I sincerely hope the folks at Google who are behind this AMP-for-email idea will take the time to chat with the Fastmail team about it before pulling the trigger.
Having lived through the last DOJ/Google 10-month battle royale (the sale of ITA Software, now called Google Flights), I think this is an absolutely terrible idea for Google from an antitrust standpoint. The upside for them, while obvious, pales in comparison to the downside they face by leveraging their email and search dominance to create a new walled garden. I'm amazed this got past legal.
Not unique to Google: I think many legal departments have realized that the FTC is currently basically disabled, as far as the United States goes. It's likely most companies feel like if they do something right now, it'll probably be accepted/standard practice before the FTC remembers it has a job to do.
Only on HN would someone describe FTC as "disabled".
I think we are living in a time when companies are being frequently trusted. Because when they claim that mergers reduce costs, the automatic thought is the cost will trickle to the consumer.
The other outcome we are eager to see is the innovation that occurs at the extra large scale level. Do we see more robots make it into industry? Or intensive AI? The opportunities and imaginations have exploded after Facebook and Google utilized their dominance for the greater good.
Lastly, enforcement against unethical illegal behavior has become easier. Reducing the need of cynical and paranoid reasons to prohibit mergers. Only when there is actual concern of legal unethical actions negatively causing market consolidation and preventing startup incubation, the FTC will not be doing any of the things the paranoid want it to do.
“It’s extremely odd for the FTC to operate with only two commissioners for this long,” antitrust attorney Reed Freeman told the National Law Journal. And even more so when the two commissioners are essentially lame ducks.
“The Justice Department’s antitrust division is doing stuff,” said Matt Stoller, a fellow with the Open Markets Institute, a leading antagonist of the tech platforms. “Ajit Pai is a bad man, but the [Federal Communications Commission] is doing stuff. The FTC’s silence is embarrassing.”
“The FTC really hasn’t used its authority in decades and has tried to rein in its own authority,” said Sandeep Vaheesan, a regulatory counsel for the Consumer Financial Protection Bureau.
> Lastly, enforcement against unethical illegal behavior has become easier. Reducing the need of cynical and paranoid reasons to prohibit mergers. Only when there is actual concern of legal unethical actions negatively causing market consolidation and preventing startup incubation, the FTC will not be doing any of the things the paranoid want it to do.
Let me just reply instead of downvoting.
It is clear from a slew of radical movements by the new US administration that it has contempt for consumers and has zero interest in enforcing existing laws against big corporations. It's all about growth at all costs, and government agencies that have explicit charters to protect consumers, the environment, and the marketplace, have been or are in the process of being gutted.
You're being downvoted because you labeled everyone who offers resistance to mergers as paranoid and cynical. That's pejorative and unhelpful. Very many people have valid reasons for being distrustful of big, unrestrained corporations. Reasons based on a long track record of them stomping on consumers and their employees.
> It is clear from a slew of radical movements by the new US administration that it has contempt for consumers and has zero interest in enforcing existing laws against big corporations. It's all about growth at all costs, and government agencies that have explicit charters to protect consumers, the environment, and the marketplace, have been or are in the process of being gutted.
You reply to a comment and say it is pejorative and unhelpful but then politicize your own response as well. Your paragraph here is equally unhelpful.
Email is a foundational technology within the business space. It exists in common formats, with slow-changing protocols widely compatible with their forbears, and similar across the marketplace. It is the deep, slow-moving tectonic plate on which we build a myriad of other business. It is a (largely) immutable record agreed to across a range of servers. Sure we can resend an email to a customer, but we can't edit the email they have already received. It is trusted, and it is shared.
I have no problem with an app that makes reading emails easier, something which combines long threads of back and forth argument into a simple list of shared understanding, but it is important that all that back-and-forth exists because, years from now, we might want to know how we reached that consensus. We might want to know those rationalisations.
With AMP-for-email we might just need to rely on Google's slick design and their simple response of "Don't worry about why you agreed, just trust us that you did."
> It is the deep, slow-moving tectonic plate on which we build a myriad of other business.
I agree. I think it is worth considering the concept of Shearing Layers [1] - where successful artefacts (buildings, systems, organisations) tend to be composed of layers that change at different rates, and this confers stability and adaptability. Layers that change rapidly (tech-mediated culture, web technology, etc) need lower layers that move slower (net infrastructure, http, email, etc.)
> The single team that has navigated the insanity of the email space well as a small company is Fastmail. They are brilliant, ethical, and pragmatic.
I'm curious to know if you have also examined Posteo, Mailbox, Tutanota and ProtonMail in this respect. At least the first two of those seem to be handling things quite well while charging a fraction of what Fastmail charges (per mailbox). Posteo has many other things going for it on the social responsibility, privacy and ethical angles. I haven't seen another email provider match that.
I understand why Posteo doesn't allow you to use your own domain (customer lock-in), but I don't find it particularly ethical how they lie about it ("technically impossible").
OTOH, I like that Posteo is not a corporation, but actually run by a natural person with full personal liability.
I don't know where you got that "lie" from. Posteo doesn't allow custom domains in order to have as little information about the customer as possible (what it calls "data economy", meaning it doesn't want to store data wherever it can be avoided). I have seen the FAQ multiple times, where Posteo has had this answer for not allowing the use of one's own domain. [1] I don't like that Posteo doesn't offer custom domains, even if someone is willing to make the tradeoff that Posteo believes it to be. But I don't see anything wrong in its ideological position.
_____
> Can I use Posteo with my own domains?
> No. We are an email provider with a particular, privacy-oriented model – and this is not compatible with incorporating own domains. One of our emphases is data economy: we do not collect any user information (names, addresses, etc) of our customers. We always answer requests from authorities for user information in the negative. On the other hand, own domains need to be registered to the name and address of a person. If you were able to use own domains with us, this would affect the entire concept of Posteo: we would need to start saving user information for all customers who use their own domains with us – and to provide these to the Federal Network Agency to be provided on request to the authorities.
> Even if only the MX record pointed to us, we would still need to store the assignment of the domain in your Posteo account as user information. Thus we would possess your user information and be required to give it out. For this reason, we have decided not to offer this possibility and instead to use data economy. We certainly understand that having your own domain is very important in the commercial industries, but from our privacy-oriented perspective, the disadvantages prevail. It is, however, possible to add various other email addresses with external domains as senders in the webmail interface and thereby to send emails with Posteo using external domains. In order to be able to read replies to these messages, you need to set up forwarding to Posteo for the external address.
_____
Also please see its stance on privacy [2], where it emphasizes minimizing the data collected from the customer.
> We always answer requests from authorities for user information in the negative.
This has got to be bollocks, right? Always?
If they're served a warrant or subpoenaed or whatever the correct legal procedure is called, they're going to have to comply, right? And all they need is an IP address and you're hosed... unless you're taking multiple other steps to hide.
If I put my TFH (Tin Foil Hat) on, anyone who uses language that strongly is probably a CIA front.
WITPOUAAOSATSWISFWYAOGTUIO? (What is the point of using an acronym of something and then saying what it stands for when you are only going to use it once?)
> On the other hand, own domains need to be registered to the name and address of a person. If you were able to use own domains with us, this would affect the entire concept of Posteo: we would need to start saving user information for all customers who use their own domains with us – and to provide these to the Federal Network Agency to be provided on request to the authorities.
That sort-of makes sense for why they do not offer you domains, but not why they do not have a "bring your own domain" plan (like e.g. mailbox does). There somewhere being a registrar knowing who I am doesn't change what they have to do, they do not need to have or look at that data in any way.
I think they're arguing that, if you bring your own domain, they still know what domain they're storing email for (by checking the reverse lookup) and they could look up the name behind it in the registry.
They don't want to be put in the position where they know what natural person a certain email belongs to.
They could also put the e-mail address in Google and find out who I am...
I get and respect that they want to provide a way to use their service without identifying yourself, but stopping a customer from voluntarily identifying themselves is fairly futile, and counter to how many people intend to use e-mail. (Indeed, they offer payment by bank transfer or PayPal, so clearly they do not insist on full privacy.)
Well, luckily they have direct competitors that offer the full range, so while I'd love more players in this segment I'm not directly affected by them not wanting such customers (and I find the argument questionable enough to reconsider recommending them in the future)
Even the payments part is addressed in the FAQ link I shared previously [1] and in a separate page about payments. [2]
While I'm sure that we would have to take certain things with a pinch of salt, since Germany is a Fourteen Eyes country, for me this amount of attention is something I haven't seen elsewhere (and not at this price). As I mentioned above, the social responsibility and other factors also heavily influenced me when I did the switch to Posteo.
From the FAQ: [1]
> "How can Posteo be anonymous, when I’m paying by bank transfer or PayPal?
> Credit is always added to your Posteo account anonymously – regardless of whether you pay by bank transfer, PayPal, credit card or in cash. We do not attach the data we receive with payments to the email accounts. We developed our own system for this in 2009, with which all payment processes are anonymised.
> The payment system is the core of our concept of data reduction, above all, because we keep payment information strictly separate from our customers' email accounts, we do not attach any user information to the accounts – and can thereby ensure the fundamentally anonymous use of our email service. You can find out in detail how the anonymisation of payment processes occurs at Posteo on our payment info page."
Of course it's their right to decide the features. Just as it is my right to talk about how their given reasons for their decisions don't seem to make sense and let that influence my view of the company. Which is all we're doing here: talking about the companies to inform each other.
What on earth gives you the impression it's appropriate for you to prevent other users from wanting a company to have/build certain features?
It's neither the user's wish, nor the company as the company most certainly wants user feedback. Your post quite literally is only there to satisfy yourself.
Not sure I got what your rhetorical question is about. You don't have to provide any first name or last name or a real name. I've also linked to the FAQ and the payments explanation in another comment above, which go into more detail about what information they avoid collecting, storing and processing.
> I don't know where you got that "lie" from. Posteo doesn't allow custom domains in order to have as little information about the customer as possible (what it calls "data economy", meaning it doesn't want to store data wherever it can be avoided).
Could you explain what you mean by the "complexity" you're talking about?
I've been using the same email address with my provider from Berlin, Germany for the past 20 years and there has never been any problem with it. They also have a working webmail interface, and I doubt they're very exceptional. There are also reliable free email providers that work very well for the past 20 years or longer, e.g. German gmx comes to my mind.
Hosting your own email server is maddening. There are so many new things on top for validating that your email server is legit and does not send spam. On top of that, some email providers will deviate from the "standard" way of doing things right now and proceed to block you for mundane reasons. The only way you find out is one of your customers frantically telling you that their emails are not received by the other party.
It will take you a few months to fix all those problems and even then it could be that some email provider decides to put new requirements in place.
I agree with you in practice, though there's no reason that it has to be this way. Email, like other protocols of its age, is simple. What's difficult is navigating the forest of roadblocks set up by the big email providers to excuse them not accepting your mail (or not sending their users' mail to you).
Most of these are alleged to have some purpose in preventing spam, but I think experience doesn't bear that out. They may prevent Joe jobs[1], and it may be reasonable to use the suspicion they create of a message being forged as one factor in deciding if a message is spam. But nothing really deals with spam except statistical analysis of messages.
The real point is that the major providers are anticompetitive, and that's not really the fault of email as such.
But they are not all the same! I'm not even sure this cryptographic signed sender stuff is a good idea for email.
But good luck getting through to postmaster@gmail|outlook etc.
But they'll hold you to some arbitrary standard that's supposed to mean "less spam" when they should have more than enough traffic to get by with statistical/ml methods anyway... /rant
Yeah well. It's email. Either the postcard is (cryptographically) signed by a personally trusted sender, or it's unsigned.
It's not like impersonation is dead. When I signed up for the Gmail roll-out, security@gmail.com was reserved, but you can email me at sikkerhetsansvarlig@gmail.com - a poor Norwegian translation equivalent. More importantly, I can email you from that address, and tell you there's a problem with your account, could you please verify that your password is "hunter2", if not email your current password so we can verify that your account is secure (not that I ever have, or will, I got the account for a laugh).
Federated trust (s/mime) or Web of trust/direct trust (gpg) secures email. All this domain pseudo secure dns nonsense... I'm not sure I accept it's better than static analysis.
The point isn't to verify the account, the point is to validate that the account belongs to a certain server.
If I get email from alice@example.tld, then I now know it's from example.tld. If the mail is spam, I can ask example.tld to block alice, or I can simply blacklist example.tld.
The important part in this is spam prevention, and that if I get an email from @paypal.com, knowing that it's real.
What you're complaining about is another question, but not really relevant. Google always uses @google.com for employees, and if you get an email from that, it's real.
This is about enforcing identification, not verification, security, trust, or anything else.
> If I get email from alice@example.tld, then I now know it's from example.tld. If the mail is spam, I can ask example.tld to block alice, or I can simply blacklist example.tld.
Is this better than graylist+whitelist? Is it better than content based filtering? I'm not convinced.
Is it better than requiring tls with valid cert for smtp? I can't see how.
Rather than all this mess, I think I'd prefer we start at tls/ssl required for smtp...
Yeah I'm talking more about how every other mail provider has their own rules and you have to set it all up. Like one requires your mail domain to be an AAAA record (where I've used a CNAME) and other things.
That's not just one, most require AAAA or A records.
With SPF, DKIM, DMARC correctly set up, correct IPv4 and IPv6 reverse DNS, only A or AAAA or NS or GLUE records used in the entire resolution path, correct from and reply-to addresses, you should usually be good to go, though.
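The checklist in the comment above (SPF, DKIM, DMARC, MX targets that resolve through A/AAAA rather than a CNAME, matching reverse DNS), written as an offline audit; this is an added example and not part of the thread. The zone contents, the `sel1` selector, the addresses and the function names are all constructed for illustration.

```python
# Constructed sample zone: (name, record type) -> list of record values.
GOOD = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("sel1._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("mail.example.com", "AAAA"): ["2001:db8::10"],
}
# Constructed reverse zone: IP -> PTR names.
PTR = {"192.0.2.10": ["mail.example.com."], "2001:db8::10": ["mail.example.com."]}

# Same zone with the mistakes described in the thread: MX target is a CNAME, no DMARC.
BAD = {k: v for k, v in GOOD.items()
       if k not in {("mail.example.com", "A"), ("mail.example.com", "AAAA"),
                    ("_dmarc.example.com", "TXT")}}
BAD[("mail.example.com", "CNAME")] = ["mx.hosting.example."]

def lookup(zone, name, rtype):
    return zone.get((name.rstrip(".").lower(), rtype), [])

def parse_tags(txt):
    """Parse the 'k=v; k2=v2' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(zone, domain, dkim_selector, ptr):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    # SPF: exactly one v=spf1 record, ending in 'all' or a redirect= modifier.
    spf = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected 1 record, found {len(spf)}")
    else:
        last = spf[0].split()[-1].lstrip("+-~?").lower()
        if last != "all" and not last.startswith("redirect="):
            findings.append("SPF: no terminating 'all' or redirect=")
    # DKIM: the selector must publish a non-empty p= (an empty p= means revoked).
    dkim = lookup(zone, f"{dkim_selector}._domainkey.{domain}", "TXT")
    if not any(parse_tags(t).get("p") for t in dkim):
        findings.append("DKIM: no public key published for selector")
    # DMARC: a v=DMARC1 record with a valid policy tag.
    dmarc = [parse_tags(t) for t in lookup(zone, f"_dmarc.{domain}", "TXT")]
    dmarc = [d for d in dmarc if d.get("v", "").upper() == "DMARC1"]
    if not dmarc or dmarc[0].get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing record or invalid p= tag")
    # MX: target must be a real host (A/AAAA), never a CNAME alias.
    for mx in lookup(zone, domain, "MX"):
        host = mx.split()[-1].rstrip(".")
        if lookup(zone, host, "CNAME"):
            findings.append(f"MX: {host} is a CNAME")
            continue
        addrs = lookup(zone, host, "A") + lookup(zone, host, "AAAA")
        if not addrs:
            findings.append(f"MX: {host} has no A/AAAA record")
        for ip in addrs:
            # Forward-confirmed reverse DNS: PTR name must resolve back to the IP.
            names = ptr.get(ip, [])
            if not any(ip in lookup(zone, n, "A") + lookup(zone, n, "AAAA") for n in names):
                findings.append(f"rDNS: {ip} lacks a forward-confirmed PTR")
    return findings

if __name__ == "__main__":
    for label, zone in (("good", GOOD), ("bad", BAD)):
        print(label, audit(zone, "example.com", "sel1", PTR))
```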
If you think RFC822 based mail is complex you obviously haven't worked with x.400 and x.500.
Though you're right, Google is having delusions of grandeur and the board should have stopped this for antitrust reasons, and also I am not sure Google's developers have the required mindset to properly implement this.
> I sincerely hope the folks at Google who are behind this AMP-for-email idea will take the time to chat with the Fastmail team about it before pulling the trigger.
Why would they? Surely AMP for Gmail is a sweet revenue opportunity for Google, who are answerable to shareholders?
In case it's news to others, as it was to me, Fastmail routinely acquires SSL certificates for its customers' domains without their knowledge or consent.
Not routinely, it was done once as part of the plan to support SSL for all websites, and when we hit some limits with letsencrypt, we shelved the plan for a bit. There are currently 4 unsolved issues, which the team are looking into.
We still need to find a way to provide automatic SSL for customer domains though - because we allow our customers to create arbitrary websites inside either their domains or their personal subdomain on our domains (username.fastmail.com).
The alternative of NOT doing something with SSL certificates is having insecure websites for customers by default, which will be more and more punished (and rightfully so) by browser interfaces. Setting up SSL for the domains which are hosted with us is the right thing to do.
You either trust them or not. I believe most customers wouldn't even know what a domain is, but still need it. It's kinda ironic that you want control, privacy and security but give away control of your domain to a 3rd-party. I get your point and I agree that anything involving this kind of behavior should be opt-in with clear red text warnings.
This seems largely practical/beneficial, and not of a significant downside. If you are pointing your domain at them for DNS, they are arguably canonically "that server" until you send it somewhere else, and they're securing the connection for you.
The short-term nature of Let's Encrypt also works out well for this, because if you take your domain elsewhere, FastMail loses the certificate to claim to be that domain very quickly due to rapid expiration.