Remove Skiff

The original thread gives me vibes of being controversial and Skiff representatives of being too pushy. Now, the suggestion was added, and my question is was that too premature?

People start to report privacy issues with Skiff which their CEO is dismissive of. This is in the light of them claiming to pass multiple security audits while still not publishing any of them.

They misleadingly claim to be open-source while being only source available. Also see this GitHub issue. While I understand PG doesn’t have a requirement for listing open-source services only, I don’t understand why this didn’t raise any red flags during the review.

Even on this forum some people complain about Skiff inappropriately using recovery details for marketing. The same issue was raised during the submission review, but they still didn’t bother to change this.

Now, a lot of people use PG as an authoritative place to find privacy-respecting services, and I hope they understand they are responsible for recommendations they make. Skiff may be a good addition to the site at some point but I think it’s not today, and situations like this negatively affect PG’s reputation.


The privacy issues linked are pretty minor imo. Also the remote content blocking would break emails for a lot of people iirc so it makes sense that it’s off by default. A lot of privacy focussed email providers don’t have perfect defaults for that reason (e.g. on Mailbox, the encryption is disabled by default).


Depends on how you define a minor issue. I don’t think an IP leak is a minor issue. Leaking a read receipt depends, but this is not what I expect when using a privacy-focused email. I also believe auditors should have caught and reported that.

Anyway, there’s more than just leaking the IP as you can see in the original post.


Another privacy issue:


IMO, an open source or source available license does not matter much for this kind of service. Since we will have to use the services on their server regardless, forking (for commercial purposes) would be meaningless. And it would not be recommendable to use (paid) clients from third-party packagers. Therefore, having the source available should be enough to verify the security and privacy aspects of the services.

From my point of view, Skiff services do not intentionally endanger users’ security and privacy. However, they definitely feel amateurish, combined with the stupid decision to do marketing campaigns through users’ recovery email.

If I have to complain about their services, it would be Skiff Mail. I am barely able to read my emails most of the time, either unreadable text due to text/background color rendering issues, or the background colors are totally off (emails from Steam). They have a lot of technical issues that need to be fixed.

My primary concern pertains to the inability of Skiff Mail to render properly. I don’t know anymore whether my decision to leave Gmail was correct, given that Skiff Mail, which is the core of their services, is currently in this state.

Nonetheless, I don’t think adding Skiff will negatively affect PG’s reputation, until it’s proven otherwise that Skiff is against privacy-focused users. For example, I believe that Proton Calendar’s situation is much worse, which really affects users’ trust in the services/company overall.

In the source article:

Update 2023-Aug-29

They have fixed the IP address leak on iOS. No sign of users being informed of their exposure. Other issues remain.


The issue is not open source vs source available, the issue is they claim something that is not true. When it comes to privacy-respecting services, trust is important, and being dishonest on the home page does not help to gain it at all. Having PG publicly approve this and recommend such services only damages its reputation.

I agree they may not do this intentionally, but it doesn’t make this any better. Don’t forget that users who complain about Skiff on this forum most probably started using it based on PG’s recommendation.

Could you please elaborate?

I don’t see any postmortem nor problem acknowledgements for affected users. They just decided to sweep it under the rug. This is not the behavior I expect from a privacy-respecting service.


Agreed. There’s the honesty and hence trustworthiness question though. It’s like Vivaldi claiming their browser is 95% open source because the Chromium base, which they largely do not make, is open source and you can see the rest of the code anyway. Yeah, still not open source though, you don’t do it by percentages…


Proton Calendar, which used to have its source open, has had the source on its repo archived since 2021. See: GitHub - ProtonMail/proton-calendar: Proton Calendar built with React.

Why they would even do this is beyond my understanding, since they sell a service, not the client itself.


Calendar source code is in the monorepo: WebClients/applications/calendar at main · ProtonMail/WebClients · GitHub


Only for the web client, isn’t it? Where’s the source for their mobile clients?


You have a point when it comes to mobile apps, but their web apps are all available and open source. I also believe PG recommends their web client too as they link to it and to its source code.

I don’t see how it makes Skiff’s case any better though.


Except that most probably don’t use Proton Calendar on the web on mobile platforms.

Not all the users who use Proton Calendar are PG readers, hence it is irrelevant and shouldn’t be used as an excuse for its closed-source mobile clients.

Moreover, you should know that there are Google Play and App Store badges for the closed-source calendar clients on the official Proton Calendar website. I believe Proton considers the apps to be the official way to use their services on mobile platforms.

Skiff makes their source available for the public to see every nook of their code, nothing to hide - zero trust. The Proton Calendar issue, on the other hand, is not a technical issue like most of the Skiff issues. They’ve closed the source for years for no apparent reason. If you think their issues are of the same magnitude, I have nothing more to say :sweat_smile:


I don’t want to derail this thread into something not related to the concerns I posted in the top post, so if you think PG needs to make changes to the Proton Calendar recommendation, feel free to create another thread. If you want my opinion on it, you can also tag me there.

I don’t want to change PG’s recommendation (I have never said anything like that).

I just compared Proton Calendar’s case to Skiff’s cases that you think would affect their users’ trust, and also PG’s reputation. I picked the case as an example that I believe is much worse. That’s all.


I don’t see a thread from Proton employees on this forum who push to add their services while ignoring concerns made on said thread. When I open the linked source code for Proton Calendar I see it’s GPL-licensed, which is an open source license as Proton claims on their website. I don’t see Proton using recovery emails for marketing purposes. I also don’t see Proton hiding auditing reports. You link to an archived repo, saying they made Calendar closed source while they just moved the code to a monorepo.

So I think your example is not exactly relevant.


Again, where’s Proton Calendar’s mobile clients’ source code?

If you can’t find the source, you can’t say they moved the code to another repo. That’s not true and misleading.


I agree. Also, Skiff’s marketing has recently been giving out some serious red flags as they have spread disinformation while attacking Proton. We can’t even solely blame their marketing department for this because one of these blog posts has been written by Andrew Milich himself. I think this kind of behaviour is unacceptable, and could warrant their removal from PG.


Not sure if this is the best place to share, but I recently noticed their transparency page has changed as well. The “latest reports” part which was regularly updated with “no reports” has been completely removed.

See an archived version here.

I actually like the service and use it with a custom domain, so I am somewhat worried what’s going on.


Would it be possible to assume they have been served with an NSL if the transparency page has largely disappeared? I would imagine that’s their version of a warrant canary. :thinking::thinking:


Just to second that Skiff has never corrected their false statements about GDPR compliance. I have never deemed this provider mature enough.

We should really consider tightening the requirements to avoid situations like this. But the question then becomes what should be the criteria? What can we objectively look at to see the difference or is this all gut feeling?