Avoiding the next Skiff

Startups that are looking to quickly reach a steady state might require additional capital for acceleration (e.g. Proton).

Established projects might raise capital, just to stretch their legs (e.g. Bitwarden).

Neither means they will become bad actors.

If the community had not supported Proton in their early days simply because they raised VC money, it would have been a net negative for everyone involved.

As for longevity, there is no reliable signal for it. All empires fall.

As cliched as this might sound, it is the will of the founders to persist that helps a company survive, and there is no way to measure this. Also, there is no arbitrary timeline after which longevity is guaranteed, because there are infinite variables that can change.

PG’s current system of engaging with end-to-end encrypted, open-source, externally audited services with data portability works, and I don’t think we should let outliers dictate the course.

14 Likes

The risk being discussed here is losing access to your data, services, or software in the long term. I think the factors can be boiled down to the following, and should be evaluated and presented to readers of the site:

  1. Data liberty
  2. Software/service liberty
  3. Upstream business model

Let’s evaluate these points:

Data liberty

If a service or program upholds data liberty (e.g. by providing an option to mass export your data in an open format) there’s little risk in something going wrong down the road. It may be an inconvenience, but your data won’t be lost. For example, ProtonMail lets you mass export your mail as EML files, while Tuta still has this on their roadmap. PrivacyGuides readers should probably be informed of such distinctions.

Software/service liberty

If a piece of software is licensed as free/libre software, the risk of problems occurring down the road is reduced. For example, after Simple Mobile Tools sold out, they lived on as Fossify due to the GPL license. A similar story happened with Bromite, spiritually living on as Cromite after development stalled. Sure, it’s inconvenient, but there would have been no recourse if these apps were proprietary.

Similarly, if the service side of things is licensed freely, self-hostable, and allows easy migration between providers, the risks of things going wrong are reduced. Bitwarden hasn’t really had problems yet, but it wouldn’t matter because you can always host it yourself (or use Vaultwarden). Using a custom domain with an email provider like Skiff also prevents vendor lock-in.

Upstream Business Model

This is the factor most discussed in this thread, for good reason. Making good software and services takes a lot of effort. If that effort is not sustainable, it should raise some red flags. I think we can agree that some things like Bitwarden, Mullvad Browser, or Fedora have reliable business models behind them.

I won’t comment on whether VC funding should be an automatic disqualification in this regard. But I do think there’s a long-overdue conversation on PrivacyGuides about the longevity of its recommendations. Here are some examples that have been on my mind:

  • Brave, Session, LBRY, etc. are built on the speculative value of their obscure cryptocurrencies.
  • Mozilla (and by extension Firefox) has had controversial direction over the years and is financially inseparable from Google. edit: this point was corrected by xe3 below.
  • High-profile nonprofits like Signal, GrapheneOS, and DivestOS have at times warned they are not sustainable or are in significant need of contributions.
  • Frontends like SearXNG, Nitter, Teddit, Piped, are all doomed to break eventually, which we’ve increasingly observed in recent months.

I could keep going but it would need its own topic at this point. Just wanted to share my thoughts.

11 Likes

Which again, nobody was saying, but what I was saying was that there is no way to tell one way or the other until one of these three things happens. After one of those things happens it might still be hard to tell, but I think it is always impossible beforehand. Thus, the idea to wait for one of those things to happen before allowing a VC-backed company forward.

This is a good point, but I’m not sure I agree. Besides it being speculative, my current line of thinking is that our community is not obligated to support every new privacy startup just because they look promising. I’d rather focus on products that are going to be useful for a large number of people, and a big part of that is longevity. Maybe I’m off base with this desire and people do want us to shine a spotlight on all the newcomers to the space with our recommendations, but I don’t think so.

Ultimately if Skiff 2.0 or even Proton 2.0 comes along, I’m just saying I don’t think they really deserve anything more than a forum thread here about them, until they can pass the criteria I outlined. That’s my personal opinion on the matter anyways, but I still feel pretty strongly about it at the moment.

7 Likes

I don’t think this is true (or at least not so simple). The majority of Firefox revenue comes from leasing the privilege of being the default search provider to the highest bidder, which is currently Google, and before Google was Yahoo, and after Google will be _____?

Google has been the default in the US since 2017, Yahoo was the default in the US since 2012, various others have paid for the privilege of being regional defaults in other regions (Yandex, Baidu). Search deals are one of the primary ways that Browsers–a free to use product–have been monetized for a long time, Mozilla is not the first, the last, or the largest Browser to support itself this way.

I’d agree if you’d said that Mozilla’s revenue depends heavily on revenue from their default search deal, but saying that Mozilla is financially inseparable from Google is just not correct.

With that said, I’d very much like to see Mozilla diversify its revenue sources over time, and this is something they have been actively prioritizing and working towards in the last few years especially (unfortunately this gets some pushback also, as many people just want to have their cake and eat it too–they criticize Mozilla’s dependence on a single revenue stream, and then turn around and criticize Mozilla for ‘not focusing on Firefox’ when they do try to introduce new products and services to diversify their revenue stream and decrease dependence on the search deal).

5 Likes

Fair point. I still think the bigger concern about Mozilla’s direction is accurate.

Depends on the country. The example I’m aware of is Portugal where the financial reports of any business are public information. There’s a small administrative fee though. It’s detailed here: Consultar contas anuais | Justiça.gov.pt

1 Like

However, people’s concerns over Google’s privacy practices didn’t happen in 2012 or 2017. At least, not as strong as a few years ago. But despite that and its mission (ads) about protecting people’s privacy, it’s still sticking its life on Google, a privacy invasive company.

I don’t know about Yandex, but Baidu? It seems my thought about Mozilla/Firefox is correct.

Yes, it’s true. Fortunately, there’s a real example that this isn’t necessarily true anymore, Brave. Brave’s main revenue comes from the users who opt in to their ads network, not forcing it down your throat/opt-out like what Firefox does.

I agree on this. But in order for this to happen, it would have to make a sustainable innovation. Currently, there’s zero. But it will be fine, since all it does is to wait another paycheck from Google, etc. without having to do anything.

This. It is good to give room for the people who like to do deep dives in new stuff on the forum and I think the community always has done so since the forum was launched. Many tools are openly explored and feedback is shared (in few cases even directly with the developers). This is awesome. Yet to underwrite @jonah’s summary the main website should really serve (imo) as a solid recommendation framework for any newcomer to privacy. People who are already involved find their way to the forums and already know the drill (or learn) of trying out new things.

5 Likes

True. Mozilla is very much separable; not only financially, from Google. These are two very different corporations.

3 Likes

I’m wondering how Brave fits in to all of this.

  1. Brave is heavily funded by Venture Capital (including Peter Thiel’s fund and as many as 33 others according to pitchbook)
  2. Brave is to my knowledge not self-sustaining/profitable, and has a business model that is very ambitious (high risk/reward), success or sustainability is far from guaranteed.
  3. Brave’s success is largely based on getting people to buy into a core business model (ads+crypto) that many of its users find distasteful, and that PG specifically recommends its users opt out of.
  4. Brave as a business raises the hackles of many people for many of the same reasons Skiff did.

I’m not advocating the removal of Brave as a recommendation necessarily, but it seems to me that any rule that would’ve ruled out Skiff based on receiving VC funding and being overly focused on growth over sustainability will (and probably should) rule out Brave Browser as well.

4 Likes

Brave is unique as an up-to-date chromium-based browser that respects privacy. In contrast, Skiff isn’t bringing much new to the table compared to Proton.

1 Like

The only thing is there are community-run implementations of Chromium, and the Brave browser is not 100% dependent on a particular company’s domain as with a service that is hardcoded to work that way.

Parts of Skiff were open source (parts were also not) and it was never possible to self host.

2 Likes

Uniqueness/least-bad-option does seem like a valid factor to consider in terms of relaxing the rules in some cases. But it doesn’t really sidestep the fundamental issue of VC funding.

If a rule like this were to be enacted, I don’t think the uniqueness of Brave (on Desktop, it isn’t unique on Android) wouldn’t be enough to warrant a recommendation. I think at best it would warrant the type of half-recommendation @jonah has mentioned in discussions about recommending Mull (“it doesn’t meet the criteria… but…”).

Personally I think it’s worth taking some time (weeks not days) to let the dust settle on this Skiff situation, get some distance from it and consider whether any criteria change is really necessary and if so if focusing on one specific type of funding model is the most precise or effective approach or if there are other approaches that would be better. I can recall 3 recent cases of surprise sales like this (Skiff, The Simple Mobile Tools and Raivo), I believe only one of these 3 was VC backed.

Parts of Skiff were open source (parts were also not) and it was never possible to self host.

Personally, I don’t see that as a relevant factor in this context. The people choosing Skiff/Proton/Tuta, are specifically choosing not to manage their own e-mail server, I suspect that much much less than 1% of customers would pivot to self-hosting if Skiff, Proton, or Tuta gave users that option. Using a custom domain and pivoting away to another provider is a more practical solution that was and is possible with Skiff, and already recommended for scenarios like this.

4 Likes

To add three more just off the top of my head. Maybe we can do a more thorough analysis of different privacy tools over the past 10 years if we want more data to establish this pattern, but it does feel rather self-evident to me.

  • ownCloud raised VC funds in 2014, had to be forked to Nextcloud in 2016 as a result.
  • Wire raised VC money in 2019, and that same year ditched some of their privacy policies and reorganized as a US company.
  • Rocket.Chat was momentarily looking like a promising new player in the Matrix ecosystem, raised VC funding last year and dropped support for federation.

The only difference is that I can’t see a way that the other two were predictable. Some things will just happen and we will have to just work with that, although I will note that we very intentionally never recommended Simple Mobile Tools!

However, as far as I can tell VC-funded startups follow a very predictable schedule of events, and waiting them out feels prudent to me.

1 Like

In my opinion this seems true of VC backed ventures as well. I feel like we have discussed more exceptions to the rule in this thread than cases where a rule against VC funding would apply. It just feels like you can’t paint all VC backed businesses with the same broad brush.

In this thread, current or former VC backed privacy services and apps include:

  1. Skiff
  2. Brave
  3. 1password
  4. Bitwarden
  5. DuckDuckGo
  6. Proton (formerly?)
  7. Tuta (formerly?)
  8. Tailscale
  9. Sudo
  10. Privacy[.]com
  11. Abine DeleteMe
  12. Owncloud
  13. Wire
  14. Rocket.chat

Of this list, my personal assessment is:

  • 1-4 (Skiff, Owncloud, Rocket.chat, Wire to a lesser extent) turned out to be disappointments (I say 1 to 4 because I am taking your word for 3 out of the 4, I’m not very familiar with the 3 examples you gave)
  • 5 (Duckduckgo, Proton, Tuta, Bitwarden, 1password) have received VC funding but have stayed true to their missions and stood the test of time (so far). At least some of these are profitable/self-sustaining.
  • 1 (Brave) I have low trust in their long term commitment to anything other than pursuing profit, fortunately privacy & growth have been aligned for them so far, but this could change at any time.
  • 3 (Abine, Sudo, Privacy[.]com) I don’t distrust, but also don’t trust them to put long term mission above short term gain if forced to choose,
  • 1 (Tailscale) not sure what category that would fall under, but I don’t use it and it’s not a PG recc so I’m not going to think too hard about it.

and waiting them out feels prudent to me.

On the one hand I agree, I am very skeptical of Venture Capital or Private Equity involvement in anything (especially the latter), I agree with you that it’s quite typical for these types of funding to come with strings attached and often to prioritize growth and short term profits over everything else.

But at the same time I think it is a lot messier than just VC backed services = bad, and I don’t know if there is any time frame long enough to reliably differentiate the bad from the benign.

It’s a complicated topic, and I have mixed feelings. I mostly agree with what you said in this comment.

9 Likes

Lurker here. Let’s move on to talk about solutions instead of coming up with all companies we know that have been funded by VC.
VC is here to stay. Oldtimers and newcomers are using it and that is OK, though interesting to note.

As another member has mentioned; we should create a section below recommendations called “newcomers” or something. It is in this section Skiff would have been mentioned at the beginning of the inclusion of Skiff.

This section is not for recommendations, nor for non-recommendations. It is for people who like to try new stuff; that meet the initial criteria. Think of it as a section for the distrohoppers of PG.

Situations like with Skiff happen and we cannot protect ourselves from them.
My view is that we should not change any criteria at all. What we should do is add a note about how we handle recommendations.
Step 1: pass all criteria
Step 2: be added to the newcomers section
Step 3: be added to the recommendations

We would have a vague time frame for step 3, such as “at least a year before being recommended” + “when the PG community is convinced the recommendation is here to stay”.

This would allow a newcomer to be used by first movers, where they, after some time, will start to recommend the newcomer to other users here in the forum. As time passes, the newcomer will be more and more recommended, more users will use it, and the reputation of the newcomer will naturally rise to the level of an already recommended app.

Don’t let a few early recommendations change a good level of criteria. Let’s just tweak the steps after the criteria a little and let’s have faith in the criteria already in place.

7 Likes

In my mind this is what this forum is. I’m not saying we can’t do this, I’m just saying… I guess I’m not quite convinced of the “value add” for people here yet. The “vague time frame” feels hard to manage and keep fair for people too.

Maybe there is a desire to mark certain forum threads in Tool Suggestions that they “officially meet our criteria” even though they’re not listed yet?

5 Likes

I think there might be value in this idea to give recognition to up and coming projects without fully committing and recommending them.

3 Likes

Brave sucks, but it’s arguably the least shit Chromium (imho). And the founder has a lot of street cred (made js, worked with ff). If there’s actually a good Chromium based browser I don’t think Brave would get recommended, it’s just certain use cases need Chromium and it’s at the very least better than Google Chrome.

Just to be clear, I wasn’t just randomly listing companies. The majority of the examples I brought up are both current PG recommendations, and have taken VC funding. This is why I felt it important to enumerate them. I think many in this thread have not appreciated how many of the current recommendations are currently or were previously VC backed, and assumed Skiff the only one (or one of a few).

With that said, I think that you have some good ideas and make some interesting proposals that deserve some thought and consideration. I also understand @jonah’s feelings about it being hard to define some arbitrary time frame that would be meaningful and effective.

VC rule aside, I’m sort of coming around to @jonah’s earlier comment about a generally more conservative/cautious and deliberate approach to recommendations. I think it wouldn’t even require any criteria change. Just an understanding that the recommendations are what PG feels confident standing behind long term, and things not on the list are not necessarily ‘lesser’. I do also like your idea of something like a ‘newcomers’ section, or something that allows giving visibility to promising projects without being a formal recommendation. (This could also potentially be a stickied forum post or something if a ‘newcomers’ section felt too formal or was too easily confused with recommendations.)

4 Likes