Hi, ███████.

Please do not simply send me boilerplate replies.

I have clearly tried using both potential forms of my account details — I gave you both of them in my previous email.

There seems to be some miscommunication at work here.

So ... I will try to make the situation clear once and for all, so that there cannot be any misunderstanding and you appreciate exactly what my issues are.


I had an account that I created on the very same day as I created this one that I am replying to you from now.

It was called either ███████ or ███████ — I can't remember which, but I tried both.

There are only two passwords that I could have used with it — I tried both.

I cannot log in to either of those accounts. and it is not possible for me to have misremembered or forgotten the passwords.

Just in case, I have also tried hyphenating both account names (███████-███████ / ███████-███████) — neither of those forms work either.

This is a problem for me and the only thing I can think of now is that the account has been hijacked, closed for some reason (inactivity possibly) or that I am simply misremembering its name.

What can ███████ do to help me?


I appreciate the niceties surrounding U.S./Verizon control of .com domains all too well ... which is why I brought the matter up in the first place.

My concern is not with having a .com address; nobody contacts me at ███████.com and I never contact anyone from ███████.com — I only ever ... and will only ever ... use ███████.███.

My concern is that the U.S. already has, on a number of occasions, seized information held on extrajudicial servers in extrajudicial territories simply because a .com business was the majority shareholder of the business that owned the server hardware — there was just such a case in Australia a few years ago.

So ...
If any aspect of the ███████.███ service is provided by .com elements, there is no guarantee that the U.S. will not feel entitled to intercept those elements and extract whatever data it likes.

So ...
As the U.S. has a record of using government espionage to the advantage of U.S. government and corporate entities alike, I have no guarantee that any such data will not end up in the hands of a U.S. business with which I neither have ... nor wish to have ... any dealings myself.

This is a concern because U.S. business entities do not have a good record of even recognising, let alone protecting, the privacy of those whose data they handle and ... having, myself, worked for, and with, U.S. businesses for some twenty-five years ... I can say, from my own, direct, experience, that they barely even recognise that other countries are not subject to U.S. law and are surprised when they find that U.S. business entities are not in fact entitled to rewrite legal statutes set out by other nations' governments — in fact, one of the principals behind the TTIP was/is that U.S. businesses should be able to take legal action against other nations for having the temerity to pass their own laws in their own territories!

As for the U.S. government ... see here: https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles#Patriot_Act's_reach

So ...
I do not, therefore, trust them with any of my data under any circumstances ... for the very reason that they cannot be trusted ... and, as a result, I use ███████.███.

So ...
I am, therefore, very disturbed not only to learn that the ███████.███ service incorporates elements of the .com service ... as can be seen here, for example ...

... but, furthermore, to learn that users of ███████.███ accounts are not informed that this is the case — the only reason I know myself is precisely because I use tools such as uMatrix and, if I didn't, I would be entirely unaware.

Images might not seem significant to you, but they are — tracking of metadata is possible from reference/call to them … which is what the web browser addon/extension Decentraleyes (https://decentraleyes.org) is designed to combat.

What can be done with metadata might surprise you — for instance, all I need to know is the physical location of two participants in a telephone conversation, what time of day they held the conversation and its duration, to tell you ... with 97% accuracy ... the topic of conversation.

There is no need for any elements of the ███████.███ service to be supplied by ███████.com ... certainly not the kinds of images in question here ... which will undoubtedly be simple button graphics and the like, not attachments of any kind, and could just as easily be delivered directly by the ███████.███ service ... and doing so provides U.S. entities (government and, potentially, businesses) with (at the very least) information about login dates and times to ███████.███ accounts.

I do not see why any U.S. entity should have access to that information. If I wanted a U.S. entity to know when I logged into my account, I would go to a U.S. service provider. I haven't though ... I've gone to a ███████ service provider ... and I do not, therefore, expect any U.S. entity to have access to that data ... under any circumstances ... for any reason ... ever — and there is no technical need for it on the part of ███████.███ either.

None of my concerns here should strike you as unusual — one of the core aspects of the ███████.███ service that is used to market it is the very fact that it is physically located in ███████ and subject to ███████ legal jurisdiction and data protection laws, not U.S. ones or the meaningless Safe Harbour ... or equally pointless Privacy Shield … agreement

So ...
Please do not forward me meaningless boilerplate replies that ███████ "gauge this risk to be quite low because ███████.███ is operating in compliance with international laws and regulations which protect the right to encrypt data" ... or that "Encryption is legal, even in the US and there can be no just cause for seizing our .com domain name."

The U.S. does not recognise any restriction upon its ability to seize data ... wherever and whenever it likes ... and it does not need just cause to do so, simply the desire — it already has done on many occasions (which is precisely why the Safe Harbour agreement was deemed invalid in Law) ... and will continue to do so (which is precisely why Privacy Shield is not worth the paper it is written on either).

So ... in summation ...
What is required is for the ███████.███ service, and all elements thereof, to be hosted and serviced by ███████ facilities and entities ... only by ███████ facilities and entities ... in ███████ and nowhere else; there should be no elements of the ███████.███ service that reference any other service nor should any of them be hosted anywhere outside ███████ itself — as much as anything else, there is no technical need for them to be so.

Otherwise, the service ███████ claims to offer is not real but merely an illusion — legally speaking, a lie, in fact.

At the very least ... the very least ... users of ███████.███ accounts should be made explicitly aware of the fact that elements of the service are supplied from a .com domain so that they may decide whether they wish to make use of the service and, if so, how — as I do myself, by simply denying access to them from my account, for instance.

Moreover, whilst I know, myself, that some images at least are supplied from the .com service, I do not know if there are any other elements because I only know what uMatrix is able to inform me of — what elements is it unable to inform me about?

Users of ███████.███ accounts should be made aware of every element that is not supplied by the ███████.███ service and/or is supplied by some service that might fall ... in part or in whole ... outside ███████ legal jurisdiction.


The ███████.███ service is marketed to its users as a secure service that can be trusted to protect their privacy in a way that many, if not most, other services do not. I would expect nothing less from a ███████ provider — that is, after all, one of the things for which ███████ is (rightly) famous.

To learn, therefore, that the support service is using ███████ software, is disquieting.

███████ is supplied by a U.S. based software OEM and, therefore, subject to the P.A.T.R.I.O.T. act — there can be, therefore, no guarantee made to ███████'s users that their support related data will not end up in the hands of a U.S. government agency.

Surely there is an EU (if not a ███████) solution that could could be used instead of ███████.

Again, this might seem like a nicety but, when it comes to the nature of the service ███████ claims to offer ... for the reasons it claims to offer it ... the very basis of its marketing campaign to its users ... it is as significant as elements of the ███████.███ service being supplied by ███████.com.

The users of the ███████.███ service are 'sold' (both figuratively and literally) a service that is free from the influence of any national governance than that of ███████ itself — that is what is marketed to them and the reason why they choose ███████.███ in preference to any other service in the entire World ... even in preference to ███████.com.

They are entitled, therefore, to expect that every aspect of that promise, including the support service, is actually kept ... and not broken in the background by even innocent oversight, never mind as the result of malice aforethought ... and, as I said in my previous communication with ███████, the revelations concerning the nature of the service that are coming to light are extremely concerning. They are not less so by virtue of their being unintentional; an insecure service offered by amateurs is not confidence inspiring simply because those supplying it are well-intentioned — ███████'s users are not interested in good intentions but in reliable service.

These are my concerns and, given that these are the very concerns that ███████.███ set out to assuage in the first place ... the very concerns its marketing seeks to address ... and, moreover, explicitly so with regard to the ███████.███ service specifically ... I do not think it unreasonable of me to have addressed them as I have, nor do I consider platitudinous boilerplate about how ███████ "gauge this risk to be quite low" sufficient response.

The thing about criminals is that they have no regard for the Law — that is, in fact, precisely why they are criminals.

The thing about the U.S. government and U.S. businesses is that they have no regard for the laws of other nations or the rights of their citizens (and if it weren't for their constitution they'd have absolutely none for their own citizenry).

So, the fact that ███████ is "operating in compliance with international laws and regulations which protect the right to encrypt data" ... or that "Encryption is legal, even in the US and there can be no just cause for seizing our .com domain name" ... is utterly meaningless — they're as meaningless as property rights are to burglars or human rights are to people-traffickers.

I have been evangelising ███████.███ since before I even had an account myself — even when I was waiting for the service to finally be public and not invitation-only, I was telling people about it and why I was so impatient to get an account myself.

I wasn't even satisfied with the prospect of a service from service providers in ███████ or ███████ ... both of which have good credentials vis a vis citizen's rights ... because they didn't match my stringent requirements for a privacy-orientated service.

As soon as it was possible, I leapt upon the opportunity to finally create my own ███████.███ account ... and have a number of them for different purposes (private, public/official, public/spam/filtering).

I have evangelised it to all and sundry since and, as I said, the result of that is that someone ... who finds my own concern with privacy incomprehensible (actually finds it seriously annoying) ... has, nevertheless, as a direct result, recently purchased a business account with ███████.███, instead of renewing their contract with their former provider.

it would, therefore, be a matter of sincere regret for me to find myself obliged to turn to everyone and say "I was wrong about ███████.███; ███████ don't provide the service they claim and can not be considered any more secure, private or trustworthy than any of the other providers making the same offer. They might be well-intentioned but they are, at best, complacent ... at worst, incompetent ... and I can't recommend that you place any more faith in the service than in any other— you might be better off looking at another provider."

Thankyou for your attention.

I hope this has clarified the three issues sufficiently for them to be addressed in a manner that does not mean I simply receive boilerplate copy replies (à la the, popularly referenced 'bedbug letter') or requests for information I have already supplied (e.g. "Could you please tell us if you are having issues logging in to a different ███████.███ account?")

Do we imagine that it will finally get through to them what my concerns are?

Or would it have been equally as effective to reply with

Here ... see what you can make of these letters:

Y, o, u', r, e, a, l, l, c, u, n, t, s, a, n, d, w, a, n, k, e, r, s

My guess is the latter <sigh>.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Where Angels Fear

Where Angels Fear


There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live and too rare to die.