Label products which use Google Firebase or other Google dependencies

Disclaimer: I am the lead developer of a competing note taking app Notesnook. The reasons below might be taken as anti-competitive or defamatory — even though that is not my intention. These are real privacy concerns,

I am listing these reasons after due research. They are not security vulnerabilities but design faults which would require a significant rewrite in order to be fixed.

I am also not asking to remove Cryptee (that should be the community’s decision) but I am asking to at least list these warnings appropriately so users can know what they are getting into.

  1. Cryptee uses Google Firebase for all its login/signup & cloud storage + database. This should be a huge no when it comes to privacy. Even if everything is E2E encrypted, using Google Firebase is like using Google Analytics i.e. you are saying “Use my service because it is more private than Google services” but in fact, you are also using a Google service to run your own. Hypocritical at the very least.
  2. Sign up with Google should be another red flag for similar reasons. You cannot possibly recommend people to use Google if you care about privacy.

I think it should be a given for any privacy respecting tool to motivate users away from Google & other user privacy violating companies. Otherwise, what’s the point?

I don’t think Cryptee or any other service should be de-listed “because Google”. Unless using Firebase and Sign Up with Google has an actual impact on user privacy, I don’t think it matters too much.

By that logic, Signal should be removed since their servers are hosted on AWS.

While I agree, Google and other privacy-violating companies offer a lot of services, many of which are useful to companies and developers while having little to no impact on user privacy. Databases are one example of this, especially with e2ee content.

3 Likes

many of which are useful to companies and developers while having little to no impact on user privacy. Databases are one example of this, especially with e2ee content.

If that is true then why is it a concern to users regarding where (as in geolocation) data is stored as long as it is E2EE?

If a country’s privacy laws and privacy regulation are put under question, shouldn’t a company’s privacy practices be put to the same question?

By that logic, Signal should be removed since their servers are hosted on AWS.

The problem here is very different. Using a managed service under Google’s control to host your users’ data is a big violation of trust because Google still has access & control over all of it.

Again, I am not asking for delisting of any service but to clearly label where (country & company) each service/tool stores their data. I think that is an important piece of information to be considered by users before choosing a particular service.

Regarding “Sign up with Google”: there is a very clear impact on user privacy here. Do you really want Google to know and link to every single service you sign up to? Is that not a violation of privacy? I know that it is a choice for the user but by making this possible, a service is basically encouraging this behavior.

For Cryptee, sign in with Google may have an advantage: it’s the only way to get 2FA now.

That’s similar to the argument that using the same password everywhere may have an advantage: you won’t forget it.

It doesn’t take away the fact that you are still putting users at risk unnecessarily. For example, there are other auth services that can be used (Auth0, Okta etc.) or a self hosted solution for authentication.

User data should not belong to a single company, directly or indirectly.

When the data is truly e2ee, it doesn’t really matter where it’s stored because it can’t be decrypted either way. You could have your data stored in some vault in Cayman Islands, or in Moscow, and it wouldn’t make much of a difference with regards to the data itself.

They absolutely should, but Cryptee hasn’t shown any signs of being privacy-unfriendly (that I know of). They don’t use Google Analytics or other trackers.

But that implies that the data is unencrypted. Encrypted blobs aren’t exactly useful to anyone who wants user data.

Like you said, this is a user choice, and one that many people would prefer over keeping track of another account. And as @anon20402919 mentioned, it is the only way to get 2FA.

The difference being, you have an option to set your own password for Cryptee. You don’t have the same option to enable 2FA. Obviously, the ideal solution would be that Cryptee has their own 2FA, but for the time being that’s not an option.

It’s a risk that users themselves have the freedom to choose to take. Like you said, it’s a choice. I don’t think anyone would argue that more choices is a bad thing.

it wouldn’t make much of a difference with regards to the data itself.

What difference would it make then?

They absolutely should, but Cryptee hasn’t shown any signs of being privacy-unfriendly (that I know of).

I don’t think that’s the right approach to this. Privacy is such a sensitive matter that even if a company hasn’t yet shown any signs of privacy unfriendly behavior, it is still a huge risk to use Google as your data store. You can’t wait for a privacy violation before you take notice because by that definition, even companies with the worst intentions could be given leeway.

they have been audited for their data security.

No, they haven’t.

Why do you have to constantly attack other privacy projects? This isn’t the first time you have done so, as you have previously written a Notesnook blog post about how Bitwarden should not be trusted anymore. Instead of focusing on bringing down other privacy projects I would suggest that you focus on improving your own product.

Here are also some relevant discussions regarding this. This is not really the kind of critical issue that you are trying to argue.

https://libreddit.mha.fi/r/PrivacyGuides/comments/1005wa0/cryptee_google_login_issues/

Why do you have to constantly attack other privacy projects? This isn’t the first time you have done so, as you have previously written a Notesnook blog post about how Bitwarden should not be trusted anymore.

Raising genuine privacy concerns against other private tools should be encouraged. Bitwarden, Signal or any other app is not exempt from this just because you think so. Other than that, the blog post you link to is an opinion piece i.e., you are free to disagree.

Here are also some relevant discussions regarding this. This is not really the kind of critical issue that you are trying to argue.

Thank you for sharing the relevant discussion on one of the points. Let me dissect John Ozbay’s (the creator of Cryptee) response on Reddit:

we only use them for authentication now, and don’t even use their sockets etc anymore.

No, they use it for storing user’s data as well.

By your definition, I’m guessing you wouldn’t use Signal either […] Nor would you use Firefox I presume.

Since when did it become okay to do something just because Firefox or Signal do it? Firefox is not the most private browser, which is why there are forks like LibreWolf. Mozilla’s position on this is very clear. Similarly, Signal has been under fire for asking users for their phone number since it started. These are facts and they are not hidden or looked over when people recommend both of these services. Why should that be the case for Cryptee? That’s the whole point of this post:

PG should clearly and very boldly label each service that makes use of Google. Otherwise, everything looks the same and a user looking for a private notebook tool could easily fall for the marketing speech.

(I also do hate google myself) It’s hard seeing a privacy service and Google’s logo side-by-side.

And yet, Cryptee continues to make use of Google.

But I’d respectfully say that, as long as us privacy services (like Signal, Telegram, Cryptee etc) are taking advantage of Google, and not the other way around, that’s a win for everyone.

No, it is not. Being dependent on Google is the fastest way to losing people’s trust. Google is the very definition of violation of user privacy and that is not disputed anywhere. Their whole business works on selling & making use of users’ data. There are very real ethical and privacy implications here.


Privacy Guides is a trusted source of private alternatives which is why it should take these very valid and very critical concerns into consideration. I am aware that not everyone’s threat model is the same. I am also aware that a lot of people don’t really care if Google eats their meal or not. But this resource is for everyone with all kinds of threat models.

Currently, a person browsing PG is not warned, in any way, if a tool/service depends on another proprietary service like Google. If you use F-Droid, you must have noticed their non-free, proprietary etc. labels. I am asking for the same on PG.

Do you have a source for this? Without one, I’d be more inclined to believe the creator of Cryptee about his product over you.

As I said before, Google provides a lot of services that are useful for a lot of different things. It’s a giant company, and user data collection and advertising is only part of their business model.

Also, if you’re going after Cryptee for using Google services, why not Proton for using Google’s notification system, or Signal for routing messages through AWS, or any other company for using any external service in their product?

Is this about Google, or about open source vs proprietary? Because those are 2 very different discussions.

And that right there is the answer to your question. Cryptee is a reasonably private service by most standards, and those who don’t want to use it, won’t. It’s always recommended that people do their own research and not just rely on PG or any other guide to give them all the answers. That’s the whole point of threat modelling.

2 Likes

I am not sure how secure Google Firebase is and whether it is possible to log in to someone’s account if Google’s servers are breached and someone (wink wink) has access to it.

Also, if you’re going after Cryptee for using Google services, why not Proton for using Google’s notification system, or Signal for routing messages through AWS, or any other company for using any external service in their product?

That is not my point. I am not going after any particular service or tool or company. I have no qualms or enmity toward anyone. Kindly, read again what I said above:

PG should clearly and very boldly label each service that makes use of Google. Otherwise, everything looks the same and a user looking for a private notebook tool could easily fall for the marketing speech.

I specifically tagged this post under “Site Development” because I think this is something that should be mentioned on all tools — not just Cryptee. Cryptee is just one example of such a service but it isn’t the only one.

Cryptee is a reasonably private service by most standards, and those who don’t want to use it, won’t. It’s always recommended that people do their own research and not just rely on PG or any other guide to give them all the answers.

I think that’s defeating the whole point of having a guide in the first place. A useful guide should warn its users about potential drawbacks of each approach. Of course, everyone should do their due research but if a guide will just be a list of tools then it isn’t a guide — it’s a list.

I also think that having such warnings will only increase the usefulness of PG.

End to end encryption means that the data is encrypted before it leaves the users’ devices, yes?

Also, considering that many big companies use Google Firebase and other Google services, I’m pretty sure they try pretty hard to maintain their security. It’s not perfect, obviously, but the chances of a breach are pretty low.

It is good that you brought this up and we would have to look into the implementation.

However, using certain Google services doesn’t necessarily warrant a removal from the site, it comes down to the details.

Apart from that, it totally depends on someone’s threat model whether using Google is bad or not. If someone evaluated that their threat model is nothing more than hiding from the Iranian government, for example, using Google services might not be an issue at all.

The thing with privacy is that it’s a subjective and relativistic topic, privacy means something different for everyone.

In any case, it may not be a bad idea to include a note.

3 Likes

I fully agree with Abdullah. It doesn’t matter if it’s Cryptee, Signal, Bitwarden, Tor Browser, or anything else; things like that shouldn’t be ignored.

People should be fully aware of things like these and all the consequences that come with them.

3 Likes

I don’t know. I just find it a little grotesque that you, a lead developer of a competitor, come here trying to remove a tool that directly competes with your own product and then claim you could have chosen any other service as well. However, you didn’t do that. You specifically made your argument about Cryptee, which doesn’t honestly surprise me considering that you are a direct competitor. Furthermore, some of the arguments you have made don’t seem to be true, such as Cryptee storing their data on Google servers. Where is the evidence for that? Also, I think that we should give Cryptee the chance to defend themselves before removing anything.

However, using certain Google services doesn’t necessarily warrant a removal from the site, it comes down to the details.

Absolutely. If that were the case, you wouldn’t be able to have any app on the list.

The thing with privacy is that it’s a subjective and relativistic topic, privacy means something different for everyone.

I 100% agree; which is why I think it is necessary to add such a note so people with various threat-models are better informed about what each tool actually uses underneath all the marketing speech. It’ll also be an independent evaluation by the PG team & community whether such a note needs to be added or not for a particular service.

He didn’t suggest removing Cryptee, in fact he suggested the opposite of not removing Cryptee and just adding a note.

2 Likes

No, not directly, but he opened up the possibility to do so, if the community feels like it after this discussion he brought up.

trying to remove a tool

I very specifically said that delisting a tool based on this is up to the community in the original post.

chosen any other service as well

I chose a service I have better research on precisely because it is a competitor. Even if I specifically targeted Cryptee, it doesn’t make any of what I said untrue. Cryptee does use Sign up with Google and they do store their data on Google servers.

such as Cryptee storing their data on Google servers

This is a list of all the 3rd party services used by Cryptee from their own privacy policy:

Cryptee’s Sub-Processors

Cryptee uses multiple providers (sub-processors) to provide the Service to its users. These processors are all committed to GDPR, and are listed below.

Google Cloud Platform
Google Ireland Ltd. - Gordon House, Barrow Street, Dublin 4, Ireland
Privacy Resource Center  |  Google Cloud

Cloudflare
Cloudflare, Inc. - 101 Townsend St., San Francisco, CA 94107
Cloudflare's Privacy Policy

Sentry.IO
Functional Software, Inc. - 132 Hawthorne St, San Francisco, CA 94107
Privacy Policy 3.2.0 (October 5, 2023)

Stripe.com
Stripe Payments Europe, Ltd. - 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
https://stripe.com/privacy

and for paid users before February 21, 2021,

Paddle.com
Paddle Payments Ltd. - Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland
Paddle Master Services Agreement | Paddle
Privacy policy | Paddle

Google Cloud Platform constitutes a huge array of services including Google Firebase (which is very clearly used by Cryptee in their code) & their hosting service. It is 100% possible the GCP is only used for auth/sign up and that Cryptee just forgot to mention where exactly they store the Documents & Photos when they get uploaded…OR it could be that GCP is used for storing the data as well. (I think this is an important piece of information that should be mentioned in every privacy policy.)

Also, I think that we should give Cryptee the chance to defend themselves before removing anything.

This is an open forum. I am not a team member of PG who can prevent someone from posting here. Everyone is free to comment here just like you and me so if there is any defense necessary, they can come and comment.

However, I am not here asking for justification for why Cryptee uses Google services to provide different functionality or that they stop using it. That’s Cryptee’s concern and they know better what they should use and what they shouldn’t. I am here proposing the addition of either a note or a label — a warning for all PG users before they can commit to any such service.

1 Like