IMO, there’s no way to prevent another Skiff. If Skiff hadn’t announced the sunset of its services yesterday, I might have continued using them (at least, for a while). The services were good while they lasted. There’s just no solid ground for why we should remove them other than their bad marketing practices. Otherwise, they would have been removed a long time ago.
Regarding VC funding, it doesn’t really tell you anything. Assuming it’s funded by the company owner, it would still seek profit. The only difference is that it’s coming from a rich boy. The company could’ve sold its services all the same, or even gone out of business entirely. Or it could’ve turned against its privacy goals along the way.
And not all VCs require a company to sell the users’ data to make money.
Matrix is an example of a project that regularly gets funding from VCs, but they would likely encourage the Matrix Foundation to spend some of that money on things that, for example, government/corporate users might want, and things like EMS to turn a profit.
Didn’t Matrix do some shady things too, though? Like the AGPL + CLA thing and discontinuing the IRC Matrix bridge, which is like Embrace, Extend, Extinguish.
Again, this has never been in question. What VCs do require is one of the following three things, and we need to be completely clear on this for this discussion to even work:
- Acquisition by a larger company
- IPO
- Their investment to be repaid (e.g. via a share buyout)
I am arguing that any company that has not yet done one of these three things must not be recommended, because we do in fact know that they must do one of those three things eventually. Once they do one of those three things, then we can decide whether they should be recommended. It’s a matter of waiting.
Anyways…
Let me write out the full criteria in my mind which IMO address your concerns (this would be added to, e.g. General Criteria - Privacy Guides or something):
Business Model: We only recommend tools which have the potential to last in the long term. This means that companies beholden to shareholder profits over their founders or customers are generally barred from being recommended, such as VC-backed or (in some jurisdictions) publicly traded companies. Exceptions may be made in limited circumstances:

For software:
- If existing open-source, community-run implementations surrounding the software exist.
  - For example: Vaultwarden with Bitwarden, Conduit/FluffyChat with Matrix, Headscale with Tailscale.
- At our discretion, if the software is fully open source and self-hostable without reliance on a cloud service for operation, even if community-made alternatives do not exist.
  - For this criterion we would use our best judgement to determine how easy it is for someone to self-host. This is because it is unreasonable to expect community implementations to exist for all software, especially as they become more complex.
  - For example, if Synapse was the only Matrix server option, I think Matrix would still qualify under this exception because Synapse is (relatively lol) very easy to self-host. On the other hand, some open-source software is virtually impossible to self-host even with the source available due to e.g. lack of documentation, etc.

For service providers:
- If you can migrate to a self-hosted version, which does not rely on a cloud service for operation, with zero loss in functionality.
  - The implication here is that merely being able to export your data is not enough, because you should be guaranteed a continuity of service, not just data retention.
  - For example, Skiff Mail would not qualify because the service depended on the @skiff.com domain, which is a highly centralized resource.
  - On the other hand, something like Bitwarden, which can be migrated to Vaultwarden without loss of functionality (since the API domain is not tied to some network effect), would qualify.
- Or, at our discretion, if you can sufficiently demonstrate long-term success without an obligation to maximize shareholder profit (through e.g. an “exit”). This could be achieved with some combination of the following, for example:
  - Operating for >10 years.
  - Having a viable business model which allows you to continue operation without seeking additional external investments.
  - Having a legal structure which prevents external investors from adjusting the company’s privacy-focused mission.
    - For example: Benefit Corporations
  - Buying back and eliminating VC investor stakes in your company.
If this proposal goes through, I would also be in favor of replacing “Element” with “Matrix” on our website, but that is a separate discussion we’ll have later.
They do mean something, especially if we allege that Skiff needing to be listed on PG was growth hacking (which VC consumer startups would totally pursue, vs. projects that grow organically, say).
Mind, even indie projects may sell (their souls) like SimpleMobileTools, once there are enough users to attract buyers.
Just to reiterate, I see our goal in this thread as simply figuring out a way to weed out companies like Skiff at the beginning of our process, not to evaluate the complete health of a company.
Like @dngray mentioned, some events — like Simple Mobile Tools being sold — are simply unpredictable, so we can’t spend too much time worrying about scenarios like that. My opinion is that the whole Skiff thing specifically was predictable, as others have also pointed out.
Affirmative, but once this is done, the company is crossed out from PG. Quite simple, really.
No, it’s not that simple. Lots of people trust PG, and their recommendations can lead to some people checking out or actively using the service. There can be real consequences if the company changes course. So no, just shoving things under the rug isn’t the solution, and I don’t know why you are advocating for that.
I’d like to chime in here with: no change.
It’s hard to analyse a company. Privacy Guides did their best in terms of tests, questions, and asking for changes and missing functionality. Pretty sure the core team had the best interests of their users at heart; they can’t predict any and every move of another entity they don’t control. It’s not a mistake of PG that another entity did not live up to its expectations.
I’d say to simply continue as-is, to look for good-faith companies and to continue to adapt to the current software cycle, i.e. being flexible. Being too hard or too soft will not improve things.
Skiff had support for custom domains? Well, maybe that’s generally something we should push for more, even if you use Proton or Tuta. Using your own domain name is really the way to go for important stuff.
But that only matters if you are self-hosting, no? For an end user, support for custom domains is what matters. I mean, no one (or very, very few people) is going to self-host their email. That’s why none of the email providers recommended by PG are self-hostable (client & server). Do correct me if I am wrong.
Yes it does, it gets evaluated by these same criteria. I believe all of the recommendations we have which received VC funding would pass this benchmark due to the exceptions we’ve outlined though, so in practice it will not change much.
I could give further explanation on why these exceptions exist if they aren’t self-explanatory, but the short version is that a self-sustaining company like Element taking on VC investors very late into their company’s development is simply different than a startup like Skiff taking on VC investors to keep them afloat. This is why, in most of the scenarios where a product gets VC funding after we’ve determined it’s good, it will likely get a pass.
The criteria are mainly a filter for startups and not established tools. Whether established tools taking on VC funding should be more heavily scrutinized is probably a separate discussion.
And it was because of Skiff that it was added to the criteria. The reason is that, prior to thinking about them, every provider had already implicitly met this condition. So I guess we do have them to thank for that.