I think clearly there is some need to define criteria to weed out technically proficient products that secretly aren’t in it for the long term. There are of course many examples of this: Skiff, Keybase, Ello, Krypt.co, etc. The problem is of course where to draw that line.
IMHO, the most promising possibility to me at the moment is to simply reject VC funded projects (I’m going to merge the discussion about that into this topic below, so you can read it).
Being around and satisfying almost all criteria for a while (a couple of years?) should also be a criterion, to avoid making a recommendation that quickly gets taken back as a young company pivots focus (granted, I don’t know how long Skiff has been around for, but it seems to have just met the criteria recently).
I agree with this, but I would also like to add that since Skiff does not solve additional problems that the current recommendations did not already solve, we should have been a lot more hesitant to add them. If we really wanted to add them to the site, there should have been a set time period of at least 6 months where we would’ve waited to list Skiff in order to watch them and make sure they followed best practices. If problems did arise, we could see how they react and after those 6 months or so, we would make our decision accordingly.
I think it may be quite extreme, as VC money doesn’t necessarily mean they will close at some point or be malicious. I don’t have any good examples of a good VC-backed service though so ¯\_(ツ)_/¯
It may not be straightforward to figure out criteria to filter out companies like this. In addition to what others said about being more conservative when adding not-well-established services, maybe we can define some red flags which could point to possible issues with them? In Skiff’s case, for example, they were trying too hard to promote themselves using all possible channels like PG (even scams like PT), attacking other services via their blog posts and not being shy about spreading disinformation about them.
Another example is shady audit claims without actually posting reports, which I’m honestly surprised didn’t raise any red flags in the past.
We shouldn’t hinge our recommendation on not having anything to do with projects we find distasteful (unless said groups are objectionable in ways that go beyond “we dislike them”). Otherwise we run the risk of becoming like GrapheneOS.
I’ve seen this idea floated around here about Skiff, but we did evaluate Skiff Mail from January 2023 to June 2023, which was a while. I’m unconvinced that adding an additional arbitrary timeframe on top of the existing discussions would help matters too much.
Unless, perhaps, it could be a function of some time period where a new service has to have been around for at least some % of the time the existing services have been around. Not sure how exactly to describe this, but all our other email recommendations have been around since the early 2010s, so 10-ish years on average. Maybe a new provider not adding much that is special would have to be around for x% of 10 years? Or something. I dunno, just brainstorming, but that being said, Skiff had been around for 3 years by the time we added them, which isn’t insignificant.
This possibility is what I’ve been leaning towards more lately. Definitely something to consider.
There are definitely people out there who believe it does (and I don’t really think they’re wrong)
That wasn’t my point. My point was that promoting itself on a commercial “best privacy guides 2024” website and using this as a way to prove to users that you’re a privacy-focused service should raise some flags. That’s NordVPN-tier behavior.
I work for a startup which has taken VC money multiple times but is still a private company and has been for more than 10 years. The founders are actually relatively good people and the company actually cares about its users. It doesn’t have anything to do with the privacy space (and I don’t have any such examples), but there are companies like this and just outright banning them may not be the best move. I agree we should favor non-profits/non-VC companies though, as they are on the safer side most of the time.
I do agree. I suspect their persistence to be quickly mentioned on PG may very well have been because of other issues that were not public.
Worth noting that Matrix technically gets VC funding too. I think it really depends on the VC and what their goals are with the project. Having said that I’m not a fan of walled-garden encryption email providers. I don’t think there is a lot to be gained when the encryption is only on their server and there is no way to send encrypted mail to people not on that service.
Email is not an instant messenger, and it has to be as interoperable as it can be. That does mean we’re basically stuck with PGP, which again encrypts everything that is really possible to be encrypted with an Email.
You can’t encrypt the headers as the server has to process the email at some point.
I think it really depends on how centralised it is. Being VC funded is a criticism for Matrix. But you can recommend Matrix without recommending matrix.org. Skiff, however, is a centralised VC-funded project.
Perhaps age out of beta could also be a criterion for non-recommendation? At least for services. From a quick search, Skiff only launched out of beta ~May 2022? So we’re effectively recommending a 1-year-old product.
Well, there is a way out for such companies who take VC funding, which is just to buy the VC investors out. For example, Proton Mail received VC funding at some point, but no longer has VC investors. Thus they’re back in our good graces.
The counter-argument I’ve seen to this is something like avoiding VC funding is a bit of a genetic fallacy (or some variation thereof), in the sense that we’d be evaluating a company based on their funding more than their technical merits or team or whatever.
That being said, VC funding obviously comes with many strings attached in the form of legal obligations to prioritize profit above all else.
Another point towards banning VC-backed companies: To my knowledge, and after a quick skim through, none of our current recommendations are VC funded (correct me if I’m wrong, anybody), which would at least make it an easy criterion to add.
I guess Element (not Matrix) is VC backed as @dngray just pointed out actually. We could consider recommending “Matrix” as a whole instead of “Element” specifically (which might be good to highlight projects like conduit/cinny/etc. too tbh) if we wanted to have a more strict “no VCs” approach.
To be quite honest, Element is probably my top choice out of all our current recommendations if I had to choose who I think might be acquired by someone next, so the whole Matrix argument is actually making me lean even more towards the “no VCs” approach
I just remembered Bitwarden also just did that funding round which I found to be kind of… strange, to say the least.
Bitwarden is another case of good decentralization like @KDEBacon mentioned though, because we have open-source clients and a community-run open-source server implementation. So that could certainly be a factor in regard to both Matrix/Bitwarden, which wouldn’t have applied to Skiff because Skiff Mail was highly reliant on the skiff.com domain name, obviously.
Just looking at it pragmatically, VC is almost always a death sentence for a good product. It’s not the funding itself but all the strings attached; business decisions do affect technical merit in the long term. Even Proton Mail survived VC hell by un-VCing themselves. So massive caution until proven otherwise is preferable, even if a bit unfair.
In this case a false positive is far more destructive than a false negative. For example, imagine a timeline where we did not recommend Proton Mail because they’re VC funded; we still have Tutanota and mailbox.org, and those work fine. Compare it to the current day: changing email is not something you easily do in a short timeline.
I’ve been lurking this forum for a couple years, feeling that most of you know more than I do, so I won’t contribute that much to the discussion. This Skiff deal made me feel like I just wanted to say something at least.
I don’t think VC funding needs to be avoided at all costs, but companies/products with VC funding maybe need to be more transparent (as much as they legally can, not sure what the laws are in the U.S.). As mentioned above, VC funding can help good companies get off the ground and become self sustainable as Proton did, but in the name of privacy, they should be transparent of the funding.
Maybe it’ll be too hard to verify this, but that’s one take on how to avoid things like this happening again.
Well, part of the law is that shareholders can sue the company if the company isn’t maximizing profits (for most companies with external investors). This has been the case since Dodge v. Ford Motor Co.
Exactly like you said though, Proton became self-sustainable. IMO we shouldn’t be recommending a company like Proton before that point, so the proposed criteria holds well in this case.
Well not the same thing because CTemplar just disappeared (less predictable outcome) whereas Skiff being acquired was virtually guaranteed by its funding model (although it happened earlier and less nicely than I’d expected).
CTemplar was also a “legacy” recommendation tbh so… less applicable in general. I mean, CTemplar wouldn’t have made the cut today regardless of the outcome of the discussion here.
I’m not yet sure how I feel about this sort of rule, I worry that defining what is and isn’t acceptable outside investment might be more difficult and messy than it first appears, and may be a crude/imprecise rule that would impact some recommendation categories more than others.
For example, should funding from a social-purpose / public-interest fund such as this disqualify something? On the one hand, it is a profit seeking venture, on the other hand it is a fund focused on promoting projects that serve the public interest and a healthier internet.
It would also be worth considering what current recommendations would be affected. Off the top of my head, I’m pretty sure that Bitwarden, DuckDuckGo, and Brave are VC backed. Tailscale, Sudo, Privacy[.]com, Abine (DeleteMe) are a few other examples (though not officially recommended by PG, I think).