Avoiding the next Skiff

Why not delist Tuta for

  1. Way worse marketing against Proton
  2. Sketchy claims when German govt ordered them to insert backdoor
  3. Honeypot testimony

Mozilla is a joke. The CEO made $7m last year while their products languished. Firefox In Peril While Mozilla Rewards CEO


Tech CEOs usually make more so it’s not really a problem Mozilla alone can fix. If they paid their CEOs less, they’d be left with someone less competent.

I extremely strongly disagree @clockwork, however, this Mozilla discussion is off-topic here. Maybe you all should take it to this thread: Mitchell Baker steps down as CEO of Mozilla Corporation :slight_smile:

1 Like

Efforts must be made to create defined guidelines of a more composite nature. While not outright disqualifying VC funding, the guidelines must detail an additional set of more stringent conditions before approving said service.

@jonah and @dngray, I think there is another important discussion to be had besides the whole VC funding criteria.

What about the plethora of examples of shady marketing of Skiff discussed in the remove skiff thread both before, under and after the admission on PG.

I think this needs to be reflected upon and be taking into consideration in the evaluation process going forward.

At least in my mind, it reflects poorly back on PG when recommended services / providers engage in such behavior.


Never trust Silicon Valley tech bro startup companies. They’re not companies that are created to make a long-lasting product and solve real problems. Those startups are intended to and will make an exit or they fail. There is not really much of an in-between with those type of companies. Startups are the primary way larger corporations can outsource the development of new features and new products, while not taking on any of the liability nor any of the risk.

Additionally, it’s all about branding, marketing, and sales rather than solving a problem using a technical solution. Same story as the crypto bros and all of their crappy apps of which a lot of them are scams and most of them die.

I never used Skiff, because I saw it as another hyped up service that doesn’t solve any real world problems. You can self-host email or use proton/tutanota or you can use a number of quick email solutions like cock.li, cyberfear.com, pissmail.com, or onionmail.org. So what unique problem was Skiff solving? Did Skiff actually care about privacy? What about advocacy? The answer is a clear and resounding no.

I agree that VC and angel funded companies should not have their products listed except under very strict conditions. There is no good reason to have them, especially when they exit to companies like Notion. (jesus fucking christ, out of all the companies out there)

PrivacyGuides should be primarily focused on FOSS software and not proprietary garbage, especially from startup companies. It’s too similar to privacytools.io listing services like ExpressVPN and Incogni. More rigorous background checks should be conducted especially around the reputation of the developers. It should be a red flag, if they aren’t actually participating in the privacy community and aren’t advocating for rights and a better understanding of privacy & security.

Additionally, I really don’t understand why Skiff was listed, but why none of the ones I mentioned above are. Sure, cock.li shouldn’t be trusted and is used by sketchy people, but all of the above fulfill an important use case. You can create an email address with any of them without having to fill out a captcha, without having to verify your identity, and without providing any other information, like an existing email or phone number. They also allow Tor use and host a .onion version of the site. So what’s the use case? Compartmentalizing of identities. You can create an email via Tor and use that email for just one service/site. Nothing is tied back to you unlike if you used proton or tutanota or used simplelogin.

That’s the whole point of using those email providers. You can create one, two, three, a dozen, or even a hundred email addresses quickly and use each one for only one service via Tor and remain anonymous.

I understand that PrivacyGuides focuses more so on white hat privacy rather than darknet opsec, but some of the practices and methods overlap as does the one I just mentioned.

What I would like to know is what the primary focus of PrivacyGuides really is and what the threat models are which determine the choice of products and services. If it’s just a gateway to get normies into privacy tools, then it certainly accomplishes that. If it’s supposed to do more than just that, then I believe it fails at its mission. I’m not criticizing, it’s just something I don’t fully understand.


I think it entirely depends on the product as a dozen of examples could be made where that isn’t true.

And we don’t recommend any of those, because that usually is pretty obvious. There are a heap of them in the decentralized routing network category that simply have no real usage.

They were extremely aggressive in their marketing, and sometimes to the point of including false information about PGP, the number of users etc. When I asked questions about that I never got any answers. There was a lot of focus on getting this item “mentioned” in as many places as possible, no doubt because an exit like this was planned long before we knew.

Perhaps we should not list things, which follow this aggressive marketing strategy, because it certainly felt like a pump and dump scheme at the time. Especially when I inquired about how they were going to sustainably give every user 100GB and basically all the features of the paid plans.

The problem is a lot of those options are either not providing zero knowledge encryption, or they are simply regular or anonymous providers. Meaning you really don’t know who is running them. When it comes down to it, there really isn’t too much reason to use those over an aliasing service.

While we do prefer open source solutions, in some cases closed sourced counterparts are particularly good (eg 1Password) or have no viable open source option.

We don’t list any of those things.

The thing is that’s really just marketing. They could very well be playing the lip service and not actually doing anything or planning on sticking around long term.

We don’t list anonymous providers or ones which don’t provide zero knowledge encryption once you go down that road, they could be run by anyone. I’m personally hoping there will be more providers maybe integrating options like https://lacre.io

and you can use an aliasing service for that too, without having a dozen mailboxes that don’t change anyway. The issue is this has many human failure, and we recommend against extremely complicated sets of rules about when and where to use one of the 10 accounts you might have.

Generally people don’t simply need a dozen identities with separate inboxes. Unless you’re doing something which would get you a subpoena and legal action then something like addy.io or simplelogin is fine.

And so do spammers, which makes them often banned.

The problem is a lot of people who think they need “darknet opsec” are just larpers in reality who have not realized that it takes a lot of work to maintain completely anonymous identities, and these really should only be short lived anyway.

The threat model is not something we choose for you but something you do for yourself. The reason is it can vary from person to person and can include factors such as, technical background, geographical location, general usage and interests/activity etc.


With all the shit they’ve pulled (crypto referral hijacking, etc), I don’t think brave should be a recommendation in an ideal scenario. Except that we are not in an ideal scenario and the alternatives are arguably far worse (the community would riot if PG started recommending chrome/edge for privacy). So the recommendation seems closer to “this is the least bad” than “this is the best”

E-mail providers doesn’t exactly face the same issue right now. We have more competition and as such can afford to be more picky


I agree with pretty much all of @dngray’s comment here.

I understand the reasoning behind this - but if a project is astoundingly good it shouldn’t be rejected simply because it has VC backing. If this does become a rule we should be able to make exceptions.

Proton is a great project that we’ve recommended for ages. To me it would have been a shame if we’d rejected it until it bought out the VCs as even before that point it was still a good project.

No VC-funding is probably the ideals scenario, but this sounds like a pretty good criteria:

On a light note this is just quite funny:

1 Like

Maybe apart from VC, you should consider companies which have audited by trusted 3rd party companies and have actual reports which are available to public.


On a light note this is just quite funny:

On a slight tangent, but yeah this is probably the case and leads to further questions about Andrew Mulich’s actions. Not only was he trying to gain attention through privacy guides, he was also misleading people on places like Reddit (like claiming they were going to add all these features eventually - andrew-skiff comments on MAJOR Security Flaw: Skiff fails to log out a session when the account password is altered or if the account is recovered via email. If an individual gains access to your device while it is logged into Skiff, they remain logged in indefinitely. There is no option in the Settings to force a logout... only a FEW WEEKS ago). Now r/skiff is deliberately locked down to prevent further posts after the buyout. I’m not going to say to much about him but this seems, no IS, very slimy to mislead your users like that.


I wholeheartedly agree with this. It’s one thing to say that you have audits, or will get them done soon. It’s another thing to actually publish them.


Yes, they should actually publish them. Saying that “we had an audit and we will publish it soon” doesn’t count.

1 Like

It may as well be lie.

Agreed. As I said in the remove skiff thread I think that unpublished audits shouldn’t pass the criteria since they are never actually shown. What reassurance does that give to the user? Absolutely nothing.

In Skiff’s case it was a lie. For the future, we should see the actual audit reports, instead of blindly trusting company representatives.


Also like to share MB’ view to you. Basically as what I also said. We should emphasis on more on: use your own domain(s) for important stuff.


Thanks for listing my concerns with them :slight_smile: couldn’t have wrote it better myself.

1 Like

I wouldn’t say Skiff didn’t offer anything current providers did not. Skiff’s biggest positives were actually things PG’s other recommendations lack in my opinion: more free tier (custom domain + 15GB storage), actively developed—it had a been a long time since I’ve seen such swift development of so many features in a product (with a lot of attention paid to user feature suggestions), and a cohesive fresh UI (yes Proton had a UI refresh, but it still lacks modern UI/UX touches in many areas, especially being unappealing on the web version).

In the case of Skiff, it definitely had its problems, but I don’t think this outcome was entirely predictable. Given the benefit of the doubt up to this point, Skiff very well had the potential to grow into a solid provider. While I think more caution is needed and natural after something like this, I also don’t think it should make judgements harsher on other newer projects that may really be outstanding companies with passion and integrity.

I’m not going to be the one to propose a finalized solution, but I just wanted to voice this perspective some more as I’ve seen it get lost in parts of this thread.