Skiff Mail (Email Provider)

My goodness the cynicism is so real here. Let’s address these points properly.

I believe this is evident from product launch, with a privacy policy logging of user IP Address, Mac Address, Cookie Identifiers, Mobile Carrier (Cell Phone Provider), User Settings and Browser or Device Information. Yes, I understand you later changed this, but a company truly passionate about privacy would never dream of including such language in the first place.

We had the appropriate technical controls in place that was privacy preserving. Our lawyers wrote the privacy policy and we got another lawyer to redo our privacy policy to actually match what the technical controls are. In fact, this is in contradiction to your belief that we are run by marketing/business people. We paid way more attention to the technology than we did the legalese. Was this a mistake in hindsight? Sure. You can see evidence that we are technical people by reviewing our whitepaper skiff.com/whitepaper and watching our recent conference talk at BSidesSF 2023.

Next is the choice to HQ in the U.S., subject to secret court orders to hand over keys and back doors, and subject to penalty if informing users that this is happening. You could have incorporated in Panama like NordVPN, or anywhere in Europe where the legal process is more transparent for users. The argument that because BitWarden made a poor choice and people still use it, you too can make the same poor choice, is not a good argument.

We are never going to come to an agreement on this and has been hashed multiple times above. So, I’m just going to say we should agree to disagree on these points.

Next is the App. You’re saying, “here’s our product that is private unlike Google, now go download it from Google so they can track you in FireBase etc.” Again, if the people running the company were truly passionate about privacy, there would be an APK download on the website or on GitHub or F-Droid, and it wouldn’t contain any trackers or dependence on Google.

We do offer direct download to users who request it and we’ll provide them a link to our Github to download. We are working on stronger support for push notifications outside of google’s ecosystem before publicly advertising it because of the subpar experience. Firebase is used for push notifications. Note that all the tracking in the Firebase APK is off. However, we understand the concern and are working towards moving off of Google’s push notification system. We do have to be practical when a vast majority of users use Google Play Services that our initial focus will be where a majority of users are.

Next, transparency. I can’t find information anywhere on your website where you are located or who is behind the company. Contrast that with Tuta where there are names and pictures of staff, and the company address.

This is being worked on. Again, we are a bunch of engineers and designers not business people and marketers so we didn’t initially understand the value of an About Us page for some time until we hear this feedback from our users. As builders, we just wanted to focus on building the best product out there. We’ve heard this feedback and should have something published soon (likely sometime this summer at the latest but hopefully earlier).

You also do not have a transparency report to inform users about how many times law enforcement has contacted you and how many times you’ve handed over user data.

This is a fair criticism. We don’t have this today. Again, our focus is building the strongest technical controls that this isn’t an issue because we won’t have any relevant data to hand over. It is something we want to do and we should do in the future.

And no independent audits that prove your product is delivering what it is promising?

We do yearly audits. The last few years was done by Trail of Bits. Feel free to contact them to verify that. This year we are scheduled to be audited by Cure53. I am very much looking forward to our external audits so that we can continue building the best product out there. We don’t use second rate firms on this that so many other firms do so that we can check a box.

Best case scenario is that Skiff is run by marketing / business people

I really don’t understand how you could have arrived at this conclusion. If we were a bunch of marketing and business people, we would have focused on all the things you said and wouldn’t have built the best in class technical controls that we already have today because we’d be so focused on marketing without actually working towards building the best product.

who want to cash in on the privacy market and otherwise have little understanding and concern for privacy.

The privacy market as a whole isn’t proven to be extremely lucrative. Look at the number of commercially successful companies in the privacy space versus those that make money off of ads. If I was personally trying to cash in, I’d be working at a FAANG company trying to cash in or working in some other space. There’s so many easier ways to cash in than building in the privacy space.

I feel like these are just personal attacks because you have some sort of beef because we haven’t done things perfectly and refuse to accept that as a young startup, we have to absolutely fight for our survival while also combatting cynicism from those in the privacy community who get upset someone is trying to build a better product for them.

It would be great if we can continue to continue this dialogue in a constructive manner. Are there features or other things that are missing? We are open to the feedback as shown above countless times.

Can you explain why your app uses trackers including one from Facebook and requires many more permissions than your competitors?

This is the current situation at least with the Android apps: Tutanota: 0 trackers, 11 permissions. Proton Mail: 0 trackers, 14 permissions. Skiff Mail: 2 trackers, 29 permissions.

Thank you for taking the time to respond to my feedback. I will attempt to put on my ‘good faith hat’ as I read it and respond to your points.

I think the ‘cynicism’ that you feel from people is actually exacerbation over waiting for someone to come along and ‘get it right, and to then discover Skiff making some very questionable choices, that privacy conscious users have long understood to be antithetical to good practices. Like with location, transparency and the privacy policy.

I am having trouble with the scenario of privacy conscious engineers letting lawyers cook up privacy policy legalize, unaware of what the company they work for does.

But okay, let me ask you this: When the lawyers messed up and put all that stuff about collecting IP Address, Mac Address, Cookie Identifiers, Mobile Carrier (Cell Phone Provider), User Settings and Browser or Device Information. Did you ACTUALLY collect any of this data, or was is just a Privacy Policy mistake?

We do offer direct download to users who request it and we’ll provide them a link to our Github to download.

Can you please make it public for everyone? Would it be possible to get the apps not requiring notifications on F-droid, which already hosts apps that have their own independent notification system?

We do yearly audits. The last few years was done by Trail of Bits.

Where is it located? Can you please make it easier to find that stuff?

I really don’t understand how you could have arrived at this conclusion.

Respectfully, I am equally confounded how you can believe yourself and your product to be privacy oriented when you HQ in an eyes country that can legally force Skiff to install backdoors for harvesting unencrypted user data, which Skiff cannot legally inform its customers about.

I believe the even bigger issue is your view that it is not a deal breaker and that your US location isn’t a potential problem. If your view is that we just have to “agree to disagree,” then you’re not speaking the same language, or even living in the same universe as some of your customers.

I’m just going to say we should agree to disagree on these points.

That is a super dangerous statement right there.

Wow, this is an incredibly disappointing comment to read. We’ve reviewed every single sentence in your post publicly multiple times. The Ghacks article you cite literally has a correction at the top for being incorrect. It’s full of misinformation.

We’ve never used trackers. Never using Firebase analytics, Facebook trackers, or anything else. We use Firebase for push notifications, which Signal even used until a recent release Messenger Signal: Google-Firebase-Analytics-Tracker ⋆ Kuketz IT-Security Blog. We’ve also published an APK for users who don’t use Google Play.

On transparency, this is completely wrong. I’ve publicly and personally commented on almost every single discussion with my full name: https://twitter.com/milichab, https://www.reddit.com/r/skiff, Discord, LinkedIn, etc. We are extremely transparent. Check out our blog, where all of our team members are also listed: Skiff – Updates.

I disagree on the point about the US completely. The EU and UK have far more concerning proposals regarding end-to-end encryption right now. How could you deny or reject that? What happened to Tutanota in Germany is not speculation. What “could” happen to us is speculation not based on any legal fact. I don’t see BitWarden, Brave, Signal, or other privacy apps as having made a “wrong choice.” Quite the opposite.

On law enforcement, we have less information available than recommended software. We don’t collect IP logs of visits. Why would refute this point with speculation?

“No independent audits” suggests you haven’t even read the thread above. I’d argue we’ve undergone more scrupulous auditing than many of the products on PrivacyGuides: Two from Trail of Bits, and a third from a Mozilla auditor.

Anyway, we’ve spent enough time on this thread dealing with disinformation, lies, and circular arguments. I love privacy and the privacy community, but it’s seeming clear that we moved far beyond anything productive - feature suggestions, security questions, etc - into speculation and wasting time.

Note that we started this thread after we went through the PrivacyGuides criteria for email providers, three independent audits, recommendations in other privacy guides and lists, and more. It’s disappointing to see this thread reject well-made, generous, and truly private software.

We never collected any of the data mentioned. In fact, the article literally has a clarification at the top explaining this.

Skiff started as a few engineers who loved privacy building products. We’ve now become a real company with almost a million users. It’s shocking to see the bad faith in the entire community.

BTW, the US CANNOT force tech companies to install backdoors. There is absolutely no precedent to this, we’ve quite literally asked multiple legal teams - including the team that defended Apple against the FBI - about this, and so it’s completely wrong to say it here.

I don’t “agree to disagree” - a lot of what’s above is just wrong.

We’ve published an APK for people to download without the Play Store, but notifications don’t work. That should address other concerns on this thread as well.

If this is true, then how do you explain this εxodus report? If you aren’t using these analytics tools, they why they have been listed there? Also, I would still like to know your justification for your permission requirements. Currently, your app needs more than double compared to Proton or Tutanota. Why is that?

We’ve also published an APK for users who don’t use Google Play.

We’ve published an APK for people to download without the Play Store, but notifications don’t work. That should address other concerns on this thread as well.

Okay. Please share the link. It is not publicly available on GitHub right now.

On transparency, this is completely wrong. I’ve publicly and personally commented on almost every single discussion with my full name: twitter com/milichab, reddit com/r/skiff, Discord, LinkedIn, etc. We are extremely transparent . Check out our blog, where all of our team members are also listed: [Skiff – Updates](skiff com/blog).

Andrew, I don’t think you’re being fair here. I’m talking about your website, and it is not reasonable to expect that I go hide-and-seek across Twitter, Reddit, Discord, LinkedIn and hundreds of blog pages to find something that should be on skiff.com/about:

1. Location of the company
2. People in charge of company - CEO, CTO and COO.

We do yearly audits. The last few years was done by Trail of Bits.

Please provide link.

I disagree on the point about the US completely. The EU and UK have far more concerning proposals regarding end-to-end encryption right now. How could you deny or reject that? What happened to Tutanota in Germany is not speculation. What “could” happen to us is speculation not based on any legal fact. I don’t see BitWarden, Brave, Signal, or other privacy apps as having made a “wrong choice.” Quite the opposite.

BTW, the US CANNOT force tech companies to install backdoors. There is absolutely no precedent to this, we’ve quite literally asked multiple legal teams - including the team that defended Apple against the FBI - about this, and so it’s completely wrong to say it here.

It happened with Lavabit. It almost happened with Apple. Probably only went public because of them being Apple. Would have been forced to hand over keys if it went through federal court. Also, the point of secret courts is that they are secret. Isn’t that something you worry about just a little?

Aside from that, it would be helpful for me personally, if Skiff could please:

1. Publish transparency report link on front page of main website.
2. Add option to download APK on download page.
3. Add link to audit, perhaps next to whitepaper on front page.
4. Create ‘about’ page with information about company and leadership.
5. Clean up privacy policy and TOS even more.
6. Publish all apps on F-Droid.

Thanks again for your time.

We’re working on the About us page right now. I completely agree it needs to be there - we aren’t hiding anything about us or the company! We just rebuilt the site in March and haven’t added it yet. That’s a great expectation for a privacy-first service to have, and I don’t disagree with it at all.

I hope we can have this page out in the next week.

I don’t think the Lavabit case is representative; the Apple case and Signal’s legal work seems far more relevant. BTW, we’ve spoken to legal teams about the Lavabit case, and many of the issues were legal blunders that they made that turned into contempt cases - that was what prompted the company to shut down (https://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/04/16/fourth-circuit-affirms-lavabit-contempt-finding/).

Anyway:

1. We can add an About Us page in the next week with much more information
2. Add a transparency page on the data that could be shared with law enforcement
3. Link to GitHub - trailofbits/publications: Publications from Trail of Bits - noting the 2 audits
4. The APK is in our public GitHub, but notifications don’t work, so we don’t default to it

I’m not sure what the issues are in the TOS or privacy policy. As I wrote above, I actually think we collect less information than some other recommended email/collaboration/file storage services.

Yes. Flipper is a debugging tool that is unused in production builds but included in the APK. We simply have to add the configuration to stop it from being bundled. Unfortunately, it is added as a debugging tool in React Native by default: React Native Support | Flipper (edit - adding code reference: GitHub - facebook/flipper: A desktop debugging platform for mobile developers.; note Flipper is completely open-source and not an analytics platform, and it’s also unused in the Skiff Mail app).

Firebase, as I wrote above, is used to send Push notifications, which Signal used to use. There are pros/cons of different push notification services, but we do not use Firebase analytics. That’s quite clear from our Privacy Policy as well.

Exodus does not report on any running code, network activity, or anything else - just the class names it can find in the bundle.

What permissions are you particularly looking at?

Fingerprint/biometric have been added to prepare for hardware key/biometric usage, which we rolled out. App badge, wifi state, network state, vibrate, and settings seem to be for basic app setup.

Do you have plan for publishing the apps on F-droid ? At least provide the download link for apk in this page : Download - Read more

We do plan to. We have not today because of the issue I wrote above, which is that notifications don’t work. I think that makes it really hard to use our apps as an email provider. For most users, using the web app as a PWA will be a better option because Skiff Mail works with browser notifications. The APK is here: GitHub - skiff-org/skiff-org.github.io.

We might add it to the downloads page but I still think using browser-based is as good an alternative for people with degoogled phones. What do you think of that option?

You can check notifications periodically (for example every 10 minutes) in the background. It won’t drain much battery.

However, I do understand that some users may find the lack of push notifications to be a significant inconvenience.

Additionally, some users may prefer using the app over the PWA because of certain advantages that apps offer, such as better offline functionality and tighter integration with the operating system. This may be especially important for users who rely heavily on email for work or other important tasks.

Here’s the direct link to apk :

https://github.com/skiff-org/skiff-org.github.io/raw/main/assets/apk/Skiff%20Mail%20-%20v39.0.0.apk

That’s a good point. That would probably work alright. Offline mode will work on the native app or APK, even without Firebase for push.

Note that we do update the version numbers and version 41 will be latest shortly.

Trying to create an account over tor:

SmartSelect_20230513-093621_Tor Browser1080×833 103 KB

Captcha isn’t loading even after allowing it.

Also Skiff takes longer time to load over Tor than any other providers.

I think Skiff should be optimized for networks like Tor , I2P and Lokinet.

We do have Tor/Lokinet users - I’m not sure what’s wrong here, but login and using the app should be fine. It’s possible that depending on the exit node, the traffic is being regarded as more or less suspicious by hcaptcha.

More updates:

• We’re adding an “About us” page now
• We’ve revised our privacy policy to reflect that no data is collected from app.skiff.com, and only Matomo is used on skiff.com
• We added bulk export to any inbox, built right into the app (there’s no separate “export” app you have to install)
• The Android APK is publicly available on our GitHub

Anything else? @jonah or maybe @dngray please let me know. We’d love to be listed, but the changes have also improved our product a lot so thanks for that help.

Awesome ! Thanks for listening to our feedbacks.