My goodness the cynicism is so real here. Let’s address these points properly.
I believe this is evident from product launch, with a privacy policy logging of user IP Address, Mac Address, Cookie Identifiers, Mobile Carrier (Cell Phone Provider), User Settings and Browser or Device Information. Yes, I understand you later changed this, but a company truly passionate about privacy would never dream of including such language in the first place.
We had the appropriate technical controls in place that was privacy preserving. Our lawyers wrote the privacy policy and we got another lawyer to redo our privacy policy to actually match what the technical controls are. In fact, this is in contradiction to your belief that we are run by marketing/business people. We paid way more attention to the technology than we did the legalese. Was this a mistake in hindsight? Sure. You can see evidence that we are technical people by reviewing our whitepaper skiff.com/whitepaper and watching our recent conference talk at BSidesSF 2023.
Next is the choice to HQ in the U.S., subject to secret court orders to hand over keys and back doors, and subject to penalty if informing users that this is happening. You could have incorporated in Panama like NordVPN, or anywhere in Europe where the legal process is more transparent for users. The argument that because BitWarden made a poor choice and people still use it, you too can make the same poor choice, is not a good argument.
We are never going to come to an agreement on this and has been hashed multiple times above. So, I’m just going to say we should agree to disagree on these points.
Next is the App. You’re saying, “here’s our product that is private unlike Google, now go download it from Google so they can track you in FireBase etc.” Again, if the people running the company were truly passionate about privacy, there would be an APK download on the website or on GitHub or F-Droid, and it wouldn’t contain any trackers or dependence on Google.
We do offer direct download to users who request it and we’ll provide them a link to our Github to download. We are working on stronger support for push notifications outside of google’s ecosystem before publicly advertising it because of the subpar experience. Firebase is used for push notifications. Note that all the tracking in the Firebase APK is off. However, we understand the concern and are working towards moving off of Google’s push notification system. We do have to be practical when a vast majority of users use Google Play Services that our initial focus will be where a majority of users are.
Next, transparency. I can’t find information anywhere on your website where you are located or who is behind the company. Contrast that with Tuta where there are names and pictures of staff, and the company address.
This is being worked on. Again, we are a bunch of engineers and designers not business people and marketers so we didn’t initially understand the value of an About Us page for some time until we hear this feedback from our users. As builders, we just wanted to focus on building the best product out there. We’ve heard this feedback and should have something published soon (likely sometime this summer at the latest but hopefully earlier).
You also do not have a transparency report to inform users about how many times law enforcement has contacted you and how many times you’ve handed over user data.
This is a fair criticism. We don’t have this today. Again, our focus is building the strongest technical controls that this isn’t an issue because we won’t have any relevant data to hand over. It is something we want to do and we should do in the future.
And no independent audits that prove your product is delivering what it is promising?
We do yearly audits. The last few years was done by Trail of Bits. Feel free to contact them to verify that. This year we are scheduled to be audited by Cure53. I am very much looking forward to our external audits so that we can continue building the best product out there. We don’t use second rate firms on this that so many other firms do so that we can check a box.
Best case scenario is that Skiff is run by marketing / business people
I really don’t understand how you could have arrived at this conclusion. If we were a bunch of marketing and business people, we would have focused on all the things you said and wouldn’t have built the best in class technical controls that we already have today because we’d be so focused on marketing without actually working towards building the best product.
who want to cash in on the privacy market and otherwise have little understanding and concern for privacy.
The privacy market as a whole isn’t proven to be extremely lucrative. Look at the number of commercially successful companies in the privacy space versus those that make money off of ads. If I was personally trying to cash in, I’d be working at a FAANG company trying to cash in or working in some other space. There’s so many easier ways to cash in than building in the privacy space.
I feel like these are just personal attacks because you have some sort of beef because we haven’t done things perfectly and refuse to accept that as a young startup, we have to absolutely fight for our survival while also combatting cynicism from those in the privacy community who get upset someone is trying to build a better product for them.
It would be great if we can continue to continue this dialogue in a constructive manner. Are there features or other things that are missing? We are open to the feedback as shown above countless times.