You have a point, but I think a thread in the forum about an eventual recommendation has a purpose of pretty swiftly being approved or rejected.
If a newcomer is mentioned below the recommendations in the newcomers section, they have a place for this limbo, before they are mature enough to move to the recommendations. When they are mature enough, someone creates a thread and we discuss the pros and cons.
Sure, members will create threads about newcomers that should be recommended prematurely, but then we just discuss it and agree that the discussion is too early to have, thread closed and point users to the newcomers section on PG.
I was not referring to your post in particular, just a general feeling about where the discussion in the thread was headed. Your thoughts about VC have value about what we should include in our notes about criteria IMO.
The thing here is, you don’t always have other good options. As for privacy.com or sudo, f.x. (not that I can use these), they are very recommendable to US persons. There simply aren’t any good/better alternatives.
Hi @jonah and all.
We are huge fans of your work, and you are creating a lot of value, and help increase privacy and security of communications.
I 100% agree that the current framework for assessing whether the products are good or bad from privacy and security point of view is not sufficiently robust and can result in some mistakes. That you started the discussion about how to reduce the risks of mistakes in evaluations and avoid recommending some projects that stop seeing privacy as a priority, is a really important and timely one.
At the same time, I strongly believe that applying formal filters, without analysing the realities behind that, would also be a mistake, as these formal filters are easy to manipulate and exploit, and it would result in both withholding recommendations on the basis of being VC funded for the projects that increase privacy now and in the long term, and also recommending the projects purely on the basis of being non-profit would equally result in promoting the projects that undermine users’ privacy.
To illustrate how wide is the spectrum of the possibilities, there are two notable examples from the rather recent history of Internet evolution:
- Netscape, a VC funded and successful company. Without Netscape, the open web as we know it would simply not happen, as this company single-handedly evolved the rather immature protocol for the online documents (v1 of the web) to the robust online application platform (v2), by adding SSL (security), JavaScript (applications) and cookies (user authentication and authorisation). While third-party cookies are used as a monitoring anti-privacy tool, and they are rightly prohibited now in many browsers (or, at least, can be prohibited by the users), the first-party cookies are the essential mechanism without which you simply cannot provide services via the browser - even this forum would not be able to function without the work that Netscape did. Would this happen if Netscape was not a VC funded company? Absolutely not, there would be no appetite for that level of risk. Instead we would have a big tech oligopoly we have today 20 years earlier, just with the different players - the ideas that dominated tech industry at the time were about “information superhighway” developed and tightly controlled by few players like Microsoft and IBM. My strong belief, without discounting the risks of VC funded model, is that the company that has any chances of disrupting today’s tech oligopoly can only come from venture funded space - this level of risk and degree of innovation required to get the idea from v1 to v2 is almost never available to non-profit organisation.
- The opposite example of a non-profit that did its best to undermine people’s privacy is thorn.org. Funded by big tech companies it lobbied the logically flawed narrative that “privacy undermines child safety”, they managed to promote substantial legislative advances in various countries, that have the potential to undermine privacy, irrespective of where the project is located, but purely on the basis where the users live - effectively trying to give the national governments the legal right to mass surveillance. It was only thanks to strong opposition from some commercial companies and pro-privacy political groups that the most damaging provisions have been removed from the laws that have been passed, and both the scope and severity of the allowed measures to achieve child safety have been substantially reduced to the point of having no tangible impact on privacy. We can discuss it in more detail if you are interested, there is a lot of FUD being shared in online forums from the misunderstanding of what laws were passed and what impact they might have.
And there is a huge space in the middle of these two extremes. Simply applying the filter “non-profit good / vc funded bad” will obviously result in really bad mistakes.
So while I do agree with the need to revise the framework to assess and to regularly re-assess the products, also separating assessment of the current status and the future risks, and the ability of the users to mitigate these risks (e.g. via data sovereignty, as was correctly pointed out by @dngray), and also licensing constraints, I don’t think that the proposed “ban” would be productive - it would have exactly the opposite effect, and will make the repetition of “Netscape phenomenon” that we are very much in need of much less likely, and also “thorn.org” effect more likely, if people who have some standing and trust from the users community start indiscriminately recommending non-profits and banning vc funded projects (which is already happening to some extent).
I have a lot to contribute to this discussion, but it does feel like forum format might be not the most efficient from the point of view of reaching the consensus. I propose to make it a public debate, that would be live streamed where multiple participants could share their views, from both sides of this discussion.
Coincidentally, I am currently working on the proposal about what I believe are really important criteria for assessing the communication products (I am aware of course that your scope is wider than that, but this is the space I am interested in) from the perspective of their positive or negative impact on the privacy and security of the users, including technical parameters, operations and distribution parameters, licensing, governance, funding and sustainability. All these things need to be carefully assessed for the correct evaluation of both the current status quo of the project and also its future potential to improve and risks to become worse, and then such assessment has to be repeated annually, or at least after 2 years, similarly to how security assessments are reasonably expected every 2 years.
We could call it “Privacy impact assessment” - that would result not just in a decision to recommend or not, with a one-paragraph summary, but in a long-form document, similar to “Technology security assessment” - both should be based on a holistic multi-faceted framework, and not just on formal criteria. I think in the same way projects are funding their “security assessments”, they would fund “privacy impact assessments”, if the criteria are understood and agreed in advance.
I’ll share what I think this framework could be in a week or two, but the sad conclusion is that at least from technology design point of view, right now there is not a single product that can be seen as truly private and secure, at least on some parameters, and all require some substantial changes, and everything is a trade off. If I were an independent reviewer, I would not be able to whole-heartedly recommend any of the existing communication solutions without some disclaimers, including the one we are building, and would only be able to explain pros/cons, and help the users make an informed choice based on their own circumstances.
While technical parameters I am applying to communication solutions are likely to be not relevant to the other product categories, the framework for assessing funding and governance models (the source of risks we are discussing here) would likely apply to all categories. In any case, it is much more complex than black/white vc/non-profit assessment that is often applied in privacy community.
It’s like when you are buying the car - you cannot just look at the body shape (which in this case would be non-profit/vc-funded), you have to also assess the engine (governance model and board composition) and transmission (control provisions that the investors or sponsors have, or expect, based on their origins).
Let me know if you are interested in having a public panel discussion online, where we could debate some of these questions.
I will share more soon.
In any case, thanks a lot for the work you do and for this discussion - this is very important.
It’s @jonah not @johan
Thank you @rollsicecream
Really sorry @Jonah, I do swap letters occasionally.
Corrected!
One option is to keep a separate section near the recommended services that contains Skiff (and others) as examples of services that were recommended in the past but are now no longer recommended. There can also be a detailed description of why they were recommended, the facts of what happened and why they are not recommended anymore. I think an upside to this is it allows people to perhaps learn and make better informed decisions about which services to use. I think on some level, situations like what happened to Skiff are unpredictable.
Seems like a really reasonable idea.
I’ve been lurking here and I’d like to add my two cents.
I think the biggest punch in the gut is those that went ahead and changed all their emails on accounts to skiff domain emails. I like what vishnukvmd said. All empires fall. It could be tuta or proton in the future and we can’t ever know.
Is it worth creating a section on data portability for the email section? Perhaps a section on domain ownership and the options for varying degrees of privacy with each? For domain ownership you only have a couple options: 1.) purchase it with your own information at a traditional registrar (using your true information is up to you if you want to follow the rules however does not require a physical address only a contact address) or 2.) use a proxy like njalla or 1984. Then building on the domain ownership there could be a paragraph or two describing data portability and how easy it is to move providers if you have your own domain.
I know a newcomers section was thrown out but what about tiers of trust or recommendation for the email section (or maybe others if it’s warranted)? Different levels of data portability can move a provider from one tier to another. Changing password managers is very easy. Changing email providers can come with a lot of headaches depending on the provider but if you own your own domain and the provider supports exporting emails then it’s not too bad.
Tier 1: Newcomers to the privacy space. A decent product that may provide some benefit in the privacy space or provides good value to other options. VC and the future still unclear.
Tier 2: Can be a newcomer with good data portability options or relatively long term player that doesn’t support things like exporting emails. I think Tuta would land here since they have been around a while but they don’t support exporting emails. If/when they do that would certainly bump them to tier 3. For newcomers that are VC backed if they have good portability as a mitigating factor then they could bump to tier 2.
Tier 3: Gold standard. Been around a long time and have proven to be committed to privacy and reliability. Data portability is easy. VC is not a concern.
This would also solve the problem of not adding competing products in a space with good options. I know if something isn’t on PG it’s not that it’s bad it’s only loosely discouraged vs if it is listed it’s highly recommended. One area where I think this has had an unfortunate casualty is Keepassium vs Strongbox. As the site grows it would be good to give good products a listing or thumbs up if they deserve it even if they don’t support as many features and their price point reflects that.
I’m personally against VC backed products, but even I wouldn’t advocate a blanket ban. I think it misses the real point, which is credible exit (Credible exit - by Gordon Brander - Subconscious). All companies will fail eventually, what are your options then? I wrote up my thoughts on this when keybase was acquired (Keybase has left the building) but the TLDR is:
- Open source including the server (so you can pay someone to run another server)
- Allow data export
- Easy migration
- Viable business model
As pointed out above, Proton used to have VC investors. Brave has very sketchy ownership (Brave - Crunchbase Company Profile & Funding) and tons more investors. I don’t think this warrants removal though.
Cloaked has raised much more money too (Cloaked - Crunchbase Company Profile & Funding), 3x more than Skiff, which makes no sense because they released a few months ago?
Notesnook is popular despite being in Pakistan (way worse than US/EU/UK/AU privacy laws).
This list may just have to change over time. Services will come and go, unfortunately, but it’s the way the world works.
True, but the constant changing of tools may be daunting to newcomers. Most don’t want to constantly switch tools. Maybe a newsletter specifying major updates would help. Users could even choose which tools they’d like to receive updates about to avoid information overload.
In favour of heightened criteria for VC-backed products, but not a blanket ban.
Yeah it looks like the consensus so far is not a blanket ban, but nevertheless high skepticism of (currently) VC backed operations. I recommend “No VC” being added as a “best case” criteria throughout the site.
With all that said about VC fund, whether it shouldn’t be a blanket ban, or we should list the services tiers, time since establishment, etc. In the end, it’s just speculation that’s not based on fact, but on limited info that can be gathered publicly. In fact, it’s often based on someone’s speculation/opinion that anything could change at any time, more than anything else.
I agree that we shouldn’t recommend a tool/service that’s too new, though. But again, Skiff was launched 2 years ago with 2 million users as of 2023-11. IMO, its sunset is unexpected to many users.
Well, even Google has a ton of things in their graveyard, some of which lived for nearly 2 decades, while some were killed a year or two after launch. It’s a part of any business, VC fund or not.
Nevertheless, my general criteria for a good service would be:
- Sustainable = The service must have a clear business model.
- User dependent = The service’s revenue must rely on the users’ participation/subscription, not on deals with other companies that could lose interest in the service at any time. This way, the service’s longevity could be speculated from its user base precisely.
It seems Skiff met both of my criteria, but it still couldn’t prevent them (or any business company for that matter) from selling their services.
Therefore, in the worst case (without the sustainable business model and the user base to back the service), I think the service can still be recommended regardless if it’s:
- Provider/maintainer independent = The service must be able to be maintained/run by others (including yourself/self-host) in case the original provider/maintainer decides to sell or discontinue the service.
I agree too many recommendation changes (especially when these changes are not publicized prominently) can be hard to keep up with, particularly for occasional visitors to the site, and also could possibly “de-value” the seriousness of a PG recommendation if there is too much ‘churn’.
Someone recommended a page to list previous recommendations that have been removed and a short explanation of why they were removed (and when). I think that this would be a good idea. It is in line with PG’s philosophy of transparency and openness, and will reduce confusion, and allow us to learn from these situations.
Newer VC backed products certainly have increased risk of disappearing or fundamentally changing their business model in ways that would disqualify them from recommendation. But I would assess (and I think most who have been involved in the privacy or FOSS space for more than a few years would agree) small open source projects, particularly single developer projects are at least as likely, possibly more likely to disappear, be abandoned, or fall out of favor over the long term. While the reasons are usually worse in the case of VC backed for-profit ventures, the outcome is the same for end users.
In favour of heightened criteria for VC-backed products, but not a blanket ban.
This is my current perspective as well. More scrutiny & skepticism, but not a blanket ban (nor a ban that is contorted with the benefit of hindsight to address Skiff but specifically carve out various exceptions for every current VC backed recommendation but not future ones).
Seems kind of arbitrary… This cuts out a lot of possible business models, from ones used by Firefox (default search engine), to those used by Element (selling managed Matrix services). There are a lot of ways to be sustainable that don’t rely on individual users…
True. It’s the best case that I can imagine. But even that is not a guarantee that any company wouldn’t sell their business now or in the future.
Lurker here, but for my money, if the best privacy service is backed by VC funds, it is what it is. I feel the problem is that Skiff was VC backed and didn’t offer anything that existing recommendations couldn’t do. There shouldn’t be a blanket ban on VC, but if there’s an equivalent service that’s not VC funded, that should be the recommendation.
There’s also something to be said for gut feeling. The whole thread was sketchy af. It was really uncomfortable how pushy they were. I can’t make a coherent argument right now, but I certainly got the impression that it should never have been recommended.
There’s also something to be said for gut feeling. The whole thread was sketchy af. It was really uncomfortable how pushy they were.
I agree.
They were very insistent, not to say oppressive, which struck me at the time as rather… suspicious.
Also, when they were proposed, they didn’t even have the basic email configurations: no DNSSEC/DANE, no CAA, no MTA-STS.
Then they implemented everything (or almost everything) that was requested, but I think this is a mistake, because they met the criteria not because they believed in it, but because they wanted to be listed.
When there was criticism, the response was: “We worked hard on it, it breaks our hearts.”
They delivered new features very fast (for 4 products), which may have seemed interesting at first, but when compared with other services, it was strange to see such a difference. I’ve never used Skiff, but from what I’ve read, there was some potential, but the product delivered was far from accomplished, looking more like a pile of new features.
Claiming to be open source (which I personally don’t care about) when it clearly wasn’t.
Repeated requests for details of the security audit.
I have serious doubts about the “GDPR compliance” they claimed.
Quite aggressive communication with competitors. Far from being the only ones, but it bothers me.
Also, I think you need to consider something else in the future. Only Skiff Mail was recommended, but Skiff was a bundle of services. Even if you only recommend one product, in this case the main one, people will be tempted (economically logical) to use the other products. But the other products, Drive and Page, didn’t seem to meet the criteria of the other sections.
I think it’s important to be more careful with bundle services recommendations.