Skiff Mail (Email Provider)

The features discussed will help your users in the immediately as they are industry RFCs that many email providers (including non-privacy ones implement).

On the current criteria we do have core requirements, that being E2EE and do evaluate other such things such as marketing used surrounding a product.

If we did add Skiff Mail, it would be one of the weakest recommendations when compared to the others listed. That would not be fair to the others already listed.

That may be the case, however this evaluation was for listing in the email section.

There are certain expectations for email, these are that not collaborated on (unless you have shared inbox functionality). Once an email is sent it is not expected to change. This is vastly different from a collaboration office suite use case. They are complimentary tools to each other and they have their different roles.

What you’ve suggested, (paraphrasing), “just send a link to an encrypted document”, would be like me having explain to a lawyer that he “doesn’t want email” and he should just talk in a “online office suite”. They would not be happy with that solution.

The issue still remains that people will use your service and be under the illusion that emails that sent to remote providers are E2EE. That is a big problem and one you still need to address.

Even if you do not have a technical solution to that problem, you need to be honest about it to your customers. Accepting limitations of a product and informing users about that is something we hold in high regard. After all their safety should be first priority.

The popularity of your product is not something we evaluate, and it doesn’t concern us in our evaluation.

Our priority is to evaluate products and inform our readers about that product and what our experience consisted of. It is one of the reasons we do not accept money from any of the products listed, unlike some other websites.

Our site has always been community focused, factual, in evaluations.

The things I mentioned in my review weren’t necessarily blockers to being added. They were observations I made and I wanted share with the community.

The criteria is very much a minimum bar used to filter out products which are not “up there with the others”.

We are evaluating you on is the lack of export functionality.

This is important that customers and their data are not locked up in a service that they cannot move away from should they want to, or need to. I acknowledge that you say this feature is coming.

The other things I mentioned (filters, nested folders etc) are observations I made while testing the product. These things are common enough and its important users know what they are getting into before they use your product, as they may rely on these things for their workflow.

Password protected emails are important. A common usecase has been to share a “password” during a phone call or an in-person meeting. Then the sender will supply the document required to their customer or contact.

The extra functionality such as collaboration is not always needed when sending a sensitive document. In my consulting, my clients regularly want to send privileged legal documents or medical reports.

Export/headers/password protection are all great features to have.

I still completely disagree with Skiff Mail being the “weakest” recommendation. Nested folders were not supported on Tuta until a month ago, and Skiff Mail has numerous other helpful features that are either paid or non existent on Proton/Tuta (schedule send, auto reply, default signature removal on the free tier, both folders and labels, separate Calendar application, native macOS app, etc.).

It is because all the others provide some way to send an E2EE email. The issue with Skiff is that it is difficult to make that initial share without using some other product first.

Sharing a document on a collaboration suite, isn’t the same as an immutable copy with a date on it at a particular point in time.

The email header functionality is crucial for determining whether someone is the target of spearfishing. Some scammers will go to some effort to find out a lot about a victim, their org and then try to pretend to be someone within that org. All our current recommendations allow for this.

That was not part of the evaluation, but something I noticed along the way. It was worth mentioning because it is a feature that users may have had with other providers that they will lose when importing their mail into Skiff.

The last client I migrated had over a thousand directories. They had been using email for 20 years and had about 40k emails. They did not want to lose that structure, and it was necessary that the product I selected for them supported that feature.

The first tier of paid usage on Skiff is quite a bit more than it’s competitors. Sure, you do get more storage, but quite often a user won’t have 100GB of email or files to store. This impacts your product, because it means that a lot of people will stay on the free tier, which doesn’t make you any money. Money is needed for viability, and its important that the company remains healthy.

I am going to vote AGAINST listening Skiff.
I have made a test account and for this account I have set a recovery email. After doing this I started receiving unsolicited spam from Skiff on this email address. I have never signed up to the newsletter and this email alias was created today specifically for the recovery.

For this newsletter the email alias is shared with Sendinblue to send out the newsletter. I have never given any consent for this. Unacceptable. Generally sending out marketing emails.

Besides my sincere doubt about the security settings and the professionalism of the team on this, this is an absolute no go. I am leaving this discussion feeling betrayed by Skiff, this is a false privacy promise.

You received a product update with no tracking that can be opted out of. However, these emails should also go to your Skiff Mail address, not your external one.

I apologize for this - it is likely a bug from when we went from emails as logins (before Skiff Mail) to usernames as logins (everyone gets a Skiff Mail address). There are no trackers in the emails and you can unsubscribe to this and all future mail.

We don’t use Sendinblue.

I apologize that you feel disappointed, but I’d suggest looking at the responses above in good faith and realizing that we spent months on the recommended criteria - not even the minimum criteria.

To even explain more, many Skiff users only use Pages/Drive. Until May 2022, no Skiff user had a Skiff email address. So, all of those users received a Privacy Digest update containing product launches.

Here is a public link with a year of such updates:

https://app.skiff.com/docs/5a69bd5c-30bd-4e3f-bc32-411732454892#iZIdgMgnTY2Wkra%2FtDQl1%2BE%2FpfP5dK5%2BU8KyuLUBDks%3D

I will correct it was indeed Sendgrid, not Sendinblue, doesn’t change the argument.

Skiff send a marketing email, regardless of whether this is a product email it is SPAM. I do not want to unsubscribe, I never signed up for this.

Good bye

It’s not spam. It’s a critical product update with a major new feature offering. How would you suggest we notify our users that they can now privately purchase domains for even more private email? Or, that Skiff Mail even exists?

Sendgrid is used to manage unsubscribes in the email. As a note, other services you recommend use similar products. For example, Bitwarden users Hubspot to manage their product updates and newsletter - Hubspot is much worse for privacy than Sendgrid, which is a transactional mailing services.

Honestly, it’s so frustrating to see us held to arbitrary standards not enforced to the other products on the site. It breaks my heart to see our team respect your criteria and process and feel like they’ve been slapped in the face after months of work.

Also, I’d love to get Skiff Drive and Pages considered as well. I believe they are quite compelling feature wise compared to Cryptee/ProtonDrive/NextCloud. Should we open a separate ticket?

I have never received an email from bitwarden on my account there though hub spot and definitely not on a recovery address.

Abusing of this data is punishable under GDPR. Twitter expecting a massive fine for misuse of phone numbers

Your whole attitude now shows how you think if this issue. This isn’t privacy by design. You do not inform/bother people if they didn’t ask for it. There is no excuse.

Also your dns settings are still incorrect. So don’t understand why you say there are different standards. You don’t meet them…

This is categorically false.

Also, the NYPost is not considered quite a reliable source of privacy/GDPR violations (do you realize how many trackers are on that link?)

What DNS setting?

Honestly, I’d appreciate if other team members were able to chime in here. We’re not making any progress on substantive issues, just spreading disinfo about privacy law at this point.

Lol here you go man:

I know the GDPR very well i dont think you want to start this debate. Article 13 clearly states you need to inform the subject what is the intended purpose of data collection. You have therefore misinformed me.

Not correct. I’ve taken multiple privacy law classes, and this is a textbook example of legitimate interests: GDPR Legitimate Interests - GDPR EU.

I’ve also consulted with our legal counsel on this issue. We’re so far out of scope at this point.

The DNS discussion we had above here. Internet.nl clearly shows one of your configured severs does not meet the requirements.

I want to be clear, i am not a team member. Just because you mentioned this.

You are pulling legimate interest card. Well fair enough but no privacy activist will approve. And this case i highly doubt authorities would.

Legal loves this clause anything could be legimate interest. Also selling user data for profit. (People tried). It is a hilarious clause in the GDPR that needs to be refined. It leaves a lot of loopholes. But using data for other means is not allowed, you should read up.

I’m pretty sure that both Tutanota and Proton are also sending product updates from time to time. Since you can easily opt-out of these emails, I don’t really see a problem with this.

Definitely not via third parties and not to recovery addresses. I think they are opt in but good point if they do, generally a bad practice.

We don’t consider internal emails from the provider about their product to be spam, however when I created a Skiff account I didn’t test the recovery email.

We don’t consider sendgrid to be an issue, however sharing the recovery address with them is an issue. When a user provides the recovery address they do not expect to be contacted on it unless they initiate account recovery.

The criteria is purely a “we don’t even discuss products which don’t adhere to basic industry standards”, because there are thousands of them.

The things you implemented there (MTA-STS etc) are to prevent downgrade attacks on the transport encryption. As we know emails that leave Skiff are not E2EE.

We consider this a critical baseline because non-privacy providers like Google and Outlook implement these features in order to provide some safety to their users.

Once, the baseline is adhered to, we do actually test the product.

The target hasn’t moved. Your service was always going to be compared against our existing recommendations.

The criteria did not mention these requirements because implicitly they already provided:

• Export, facilitating in data liberty
• Using recovery email only for recovery
• Allowing users to see email headers, to determine whether the email is authentic.
• Provide some way to send an encrypted message to non-users of the provider

They do, but not to the recovery address. Not even Gmail will send product updates to the recovery address.

I’m not going to judge this too harshly, as I suspect it may have been a bug, it certainly should be investigated and fixed so it doesn’t happen again.

Having read enough privacy policies I did state in my initial report that I didn’t see any mention of GDPR.

One of the things I did notice in the privacy policy:

We may use information to market and advertise our products to you directly if you have signed up for the services and/or provided us with your email address. This includes marketing via email campaigns and notifications within the Platform. You can opt out of direct email marketing messages from us by clicking the “unsubscribe” button included in the footer of the emails we send you. For more choices about use of tracking technologies for advertising more generally, please see “Your Privacy Choices” below.

It’s not clear that is the recovery email. When I read this originally I assumed it was the skiff.com address.

International Data Transfers

All information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistent with the requirements of applicable laws.

Emphasis added. This particular section stuck out to me originally, and leads me to believe this service isn’t GDPR compliant. In fact it seems to be a carve out specifically stating that attention to US law is the only thing considered.

One of GDPR’s primary reasons for existing is to establish legal basis for data collection. It is important that providers of any service stick to that reason when they collect a piece of data.

@amilich Just a personal message to you.

We’re not saying any of these things because we are mean, but because we genuinely care about privacy, and it is a passionate subject of ours.

Many of us are experts within the industry, and work in IT as sysops, netsec, devs and auditing sectors in our day-to-day jobs. I think you may have an idea that is the case already based on some of the feedback and intricate understanding of technical aspects.

Can confirm, just received a marketing email to my recovery address. That email address was unique and has not been used for anything else.

From: "Skiff Updates" <updates@marketing.skiff.org>
Subject: Block email trackers with Skiff