Avoiding the next Skiff

The risk being discussed here is losing access to your data, services, or software in the long term. I think the factors can be boiled down to the following, and should be evaluated and presented to readers of the site:

  1. Data liberty
  2. Software/service liberty
  3. Upstream business model

Let’s evaluate these points:

Data liberty

If a service or program upholds data liberty (e.g. by providing an option to mass export your data in an open format) there’s little risk in something going wrong down the road. It may be an inconvenience, but your data won’t be lost. For example, ProtonMail lets you mass export your mail as EML files, while Tuta still has this on their roadmap. PrivacyGuides readers should probably be informed of such distinctions.

Software/service liberty

If a piece of software is licensed as free/libre software, the risk of problems occurring down the road is reduced. For example, after Simple Mobile Tools sold out, they lived on as Fossify due to the GPL license. A similar story happened with Bromite, spiritually living on as Cromite after development stalled. Sure, it’s inconvenient, but there would have been no recourse if these apps were proprietary.

Similarly, if the service side of things is licensed freely, self-hostable, and allows easy migration between providers, the risks of things going wrong are reduced. Bitwarden hasn’t really had problems yet, but it wouldn’t matter because you can always host it yourself (or use Vaultwarden). Using a custom domain with an email provider like Skiff also prevents vendor lock-in.

Upstream business model

This is the factor most discussed in this thread, for good reason. Making good software and services takes a lot of effort. If that effort is not sustainable, it should raise some red flags. I think we can agree that some things like Bitwarden, Mullvad Browser, or Fedora have reliable business models behind them.

I won’t comment on whether VC funding should be an automatic disqualification in this regard. But I do think there’s a long-overdue conversation on PrivacyGuides about the longevity of its recommendations. Here are some examples that have been on my mind:

  • Brave, Session, LBRY, etc. are built on the speculative value of their obscure cryptocurrencies.
  • Mozilla (and by extension Firefox) has had controversial direction over the years and is financially inseparable from Google. Edit: this point was corrected by xe3 below.
  • High-profile nonprofits like Signal, GrapheneOS, and DivestOS have at times warned they are not sustainable or are in significant need of contributions.
  • Frontends like SearXNG, Nitter, Teddit, and Piped are all doomed to break eventually, which we’ve increasingly observed in recent months.

I could keep going but it would need its own topic at this point. Just wanted to share my thoughts.

10 Likes