I just would like to know how we can get the PR Add Skiff Mail by jonaharagon · Pull Request #2108 · privacyguides/privacyguides.org · GitHub back on track
I think at this point it’s just a matter of waiting for the PG team to have the time to add it.
My understanding is that Skiff now passes all the requirements. Skiff doesn’t have non-Google notifications but neither does Proton so I don’t think that will be an issue, for example.
The one thing that is making me consider switching from Proton to Skiff is the fact that your developers are ten times faster. Seriously, I can’t even fathom how slow Proton is at adding the most basic stuff. They have been around for 10 years now and it feels like nothing has changed from one year to another.
Some of the limitations of the free version of Skiff seem kind of harsh though. Only 2 filters?? Only 5 folders? Proton in practice offers unlimited filtering, which is something I really like. You have them beaten when it comes to folders however.
You may want to consider a 1 dollar per month tier with unlimited filters and folders and nothing else. I’d sign up for that. I don’t really need more storage space, 10 gigs for email is already more than enough. IMO there isn’t really a tier specifically aimed at email users and that’s where I think a 1 dollar email tier might come in handy. Basically, a tier for those of us that will never use Skiff for anything but email.
Lastly, any future plans for a Skiff VPN?
What do you mean by ‘unlimited filtering in practice’? The protonmail website states 1 filter with the free plan, but I’m guessing you mean something more creative by ‘in practice’
What is the benefit of your e-mail provider also being your VPN provider? I don’t understand the comparative advantage to bundling a VPN with these unrelated services compared with standalone VPN and e-mail/cloud storage?
I understand the appeal of bundling various things like Mail+Office+Calendar+Contacts since there is some synergy in bundling these services, but a VPN is in my eyes more of a standalone service that doesn’t benefit from being bundled together with other services.
You can have one filter with lots of if statements in it. If it’s from Gmail accounts it goes into folder 1, if it’s from Hotmail it goes into folder 2, etc.
I was just curious. That is all.
Personally I’m very happy with the VPN I’m using at the moment. Just wondered if they were planning on expanding to literally everything Proton is doing or if they are happy with their current lineup.
That’s fair. But, the lowest priced plan is $3 per month, which is higher than $1, but it does have all of those benefits. Filtering should also get a lot more powerful soon.
Indeed, there is a 3 dollar tier with those features, but it also includes extra storage space which, as an email-only user, is completely useless to me. 10 gigs of emails is in practice unlimited gigs of emails.
For comparison, Posteo has a 1 € tier which is 1/3 the cost if you’re an email only user like me.
I get that you may not want to price it that low, as it might draw away users from the higher tiers. But it may also incentivize free users to pay for the extra filtering/folders.
Maybe if you add more premium only features it would be more appealing to pay a small fee for those?
Let me highlight once more that Skiff still spreads false information from the ad industry. This gives leverage to this false argument and is really, really wrong. I cannot stress how important it is that we do not tolerate these kinds of strange outcasts from privacy friendly businesses.
Skiff also still claims to be GDPR compliant while legally this is impossible. They are misinforming their customers who may sign up believing them to be compliant. This could in theory result in fines for those businesses using Skiff. Without legal representation Skiff is not suitable for the EU market.
Edit for reference:
This is completely false. I don’t even know what the point of your comment is? Skiff is GDPR compliant. We’ve hired lawyers that have EU offices so we can have local counsel if needed. I truly cannot understand the point of your comment at all. What is false and wrong? What are you referencing as information from the “ad industry”? Skiff has absolutely nothing to do with advertising.
I’m happy to correct anything you think could be clearer on our blog. Why not take a constructive tone?
Blogs are intended to provide resources for like-minded community members. Learning about browser fingerprinting is extremely valuable. Take a constructive approach and send a specific paragraph or sentence you want changed. Posting unrelated articles just isn’t helpful to us. Have you read through the thousands of pages on Brave's latest news | Brave Browser and The Proton Blog - News from the front lines of privacy and security | Proton and drawn the same conclusions?
The only constructive point you brought up was sending product update emails. This has been changed months ago, so I really don’t know what you’re talking about.
I honestly don’t think Posteo is a service that we are trying to emulate with this plan. Skiff offers a complete end-to-end encrypted workspace with far more features, native apps, capabilities, team/business use, and more. Posteo also does not offer builtin E2EE.
Generally I do not think software capabilities scale with price, but this might be an example where it does. For $3/month on Skiff (versus $1.10 per month on Posteo), you get 4 end-to-end encrypted products with many more capabilities, as well as 6 accounts to share a custom domain and your paid features.
Indeed, I wrote a quite detailed description about that here: Best secure email service? - #2 by dngray
I wrote many times now that the arguments for allowing fingerprinting under privacy are completely false. This is information created by the ad industry. I am not saying you are part of them but you have distributed that bullshit without having any understanding of what you are actually saying with great harm. Fingerprinting is not any more legal than tracking cookies. This is just wrong and not valuable at all because the information is false and misleading. There is no difference in the law at all. I said it so many times so time for a constructive messaging has been wasted long ago when you called me out for not having knowledge on this matter, while you are the one spreading misinformation.
No, you are not GDPR compliant; any lawyer you have hired who told you this you should fire! I would recommend you actually get better insights, because all you say is not true at all. You need a legal entity on paper or a contracted representation office at least in order to have some sort of compliance. They should also be listed in your privacy policy as point of contact. You do not have this as of now. There is no EU establishment. Read more here: Representatives under Art. 27 of the GDPR: All your questions answered
@dngray I don’t see you are making any point.
You made it clear that GDPR doesn’t mean anything, which, by extension, means your argument about non-GDPR compliance doesn’t mean anything either. Yet, you go back and forth.
Let me ask you just one thing: Are you a lawyer who works with GDPR?
GDPR doesn’t mean anything? What? Where?
You must have misunderstood.
No, I am not a lawyer but I work in business information security risk management with lawyers and privacy experts. I was a researcher at a university on this topic before.
Besides, I don’t think you need to be a lawyer to be more knowledgeable than the lawyers allegedly hired by Skiff on this topic.
Moreover, note that I backed my comments with articles of the association of privacy professionals IAPP. I am not sure what is your complaint?
The GDPR is a very easy law to read actually. I can recommend doing so. Obviously there are unclear parts but there are several judgements from the CJEU and local authorities to clear up confusions here.
Besides legal representation, e.g., in many EU countries it has been ordered that storing personal data in the USA is actually non-compliance in most cases. See noyb win: First major fine (€ 1 million) for using Google Analytics
This you? If so, what are you arguing about? You have rendered your own effort invalid and meaningless.
And this, a good businessman would avoid making such an extreme statement. “ONLY”?
Once again, based on your own argument, GDPR compliance doesn’t mean anything. Furthermore, you argued about seeking legal advice. Since you are not a lawyer, with the choice of your language, I guess we shouldn’t be too convinced that your understanding of GDPR is 100% correct.
You can’t seem to sort out your own logic. Your statements are mixed with emotions. They make me wonder about your objectives here.
There is no such thing as being GDPR compliant like a sticker, label or certification. It does not exist. That is true and you are correct. It however is very clear that Skiff is not aware of the things I wrote above. I personally believe them not to be able to serve EU customers, and I would advise against using them for EU (in current state). This in my opinion makes the statement of Skiff harmful and that is what I complain about. Hope you can follow the logic now.
I believe your comments to be questioning my expertise, which is fine, but I wonder what gives you the authority to do so? If you actually have good counter arguments I would be very interested so we can have a meaningful discussion about this rather than you just questioning me. Thanks.
Also to be clear: I do not have any objectives here in terms of business. I only care about PG doing good filtering and I don’t mind stirring up the discussion about things I find odd. I am not saying Skiff shouldn’t be listed. But I do think a company like this should be held accountable for their statements.
Again, the effort in your latest conclusion is constructed on “Skiff is not GDPR compliant”.
At the same time… logic issue?
It’s pretty hard to convince others that you have a better understanding of the law, especially considering how much more complicated it is compared to this small thread.
Yeah, the statement can never be true in either case but still it could lead to issues for those who believe it and take it as a given. That I find problematic. Imagine an SME signs up thinking they are all compliant because they just believed the comment of Skiff and trusted them. They get unlucky and someone complains at the authority or starts a lawsuit. Who will get the fine? It is not Skiff as processor, it is the SME, because they are the data controller.
Worse for Skiff would be when EU citizens start complaining at the authorities as users. Because Skiff targeting the EU as a market is subject to the GDPR. My understanding is that this could have legal implications for them. I will say I don’t think this is very likely, but there is always a chance.
I know it is hard to make people understand that you actually know the regulation, but please share your perspective! If you have a different view or reading of the GDPR it would be interesting as I said. I may be very direct to Skiff at this point (it has been a long journey) but I am definitely willing to listen if you know of any cases that can counter this.
I made my checkout on skiff as a new user.
I saw no information about free account termination, but the already passed recommendations’ has highlights on this site. (My method is to search the terms pages for inactivity, day, week, month, year keywords… no result.) Do you have any policy of this kind?
The pages for registering are in a bit odd order, and I think too restricted for an advanced user:
–At one point, there is the step, where I should save my recovery code, the code is copyable, but also button to the next step forces me to download that in a PDF form, and by that I am forced to write that to disk, instead of copying it in RAM to encrypt it in a way, e.g. . Inside that form there is a line for recovery email address, which is empty, but
–Next step: I am forced to add a recovery mail address, when I just copied my code, and downloaded the document, without this in it.
– After logging in I was able to send emails without even confirming my account with the recovery mail (in opposite e.g. Outlook).
(If I just missed parts and options sorry, I was kinda distracted when made that reg.)
Personally I would take the risk what comes with not having a recovery email against being forced to manage another account.
Even if forced or not, the recovery email question is in the wrong side of the recovery document creation’s logically. Sadly I had issues with incoming emails so I was unable to check when would recovery address get the mail.
But I really like the service’s possibilities, it’s almost perfect for my needs!
That is very fair, I think the recovery flow could be much better. The current design is similar to how a recovery kit might work for a password manager. On account termination, accounts are never terminated!
@jonah just sending a quick ping, let me know if I can help with the PR or anything else in any way. I understand you’ve been busy but want to help get the small nits fixed if I can.