Skiff Mail is a new end-to-end encrypted email service, but should you use it?
Skiff Mail has launched to the public; it is a new end-to-end encrypted email service provider. The company says that it focuses on protecting the privacy of its users.
The service is Web3 native. You can visit this page to sign up for a free personal account.
Update: Skiff has updated its privacy policy. It does not collect the MAC address of the user. The company says that users don't need to contact Skiff to delete their personal information, and that it does not use third-party tools to track users.
The following information has also changed in the meantime or has been corrected:
- The pricing page does not reveal storage quotas anymore for the Free account. The homepage states that free users get 10 gigabytes of space.
- The privacy policy states that the service does not store information that is sent automatically, such as IP addresses, persistently.
- Skiff uses the open source analytics tool Matomo, which aggregates and anonymizes data. The data is not tied to user accounts and Matomo is not used in the actual app, according to Skiff.
- Skiff states that it is not tracking clicked links, interacted content or how active users are.
- Do Not Track is not used because there is no user tracking, according to Skiff.
- Reaching out to Skiff Mail via email is not the only way to delete user information.
- Skiff says that it does not collect general location information or approximate location information based on IP addresses.
- Skiff says that it is not disclosing user information to third parties.
- Skiff uses no third-party services, according to the company.
End Update
Though Skiff Mail's blog post says that users get 10GB of free cloud storage space for signing up for a personal account, the Pricing page, which you can access from the settings, shows that you only have 1GB of space. Email isn't the only thing that Skiff can do: you can save notes in Markdown format, add code blocks, and create and edit documents too. You can opt in to store your data on a decentralized server, add email aliases, and import documents from Google Drive or upload them directly from your computer. Users have an upload cap of 30MB. One of the features highlighted in the announcement post is Skiff's instant search, which can look up results in thousands of files instantly.
The data associated with your account is synchronized across your devices. Skiff's apps are open source. You can access the web app from your browser, install the mobile app on your iOS or Android device, or install the desktop app on your macOS machine.
When you sign up for an account, Skiff Mail prompts you to save a one-time use recovery key that you can use to unlock your account if you forget your password. If you lose it, you can't access the account, because of the encryption that the service uses. You may enable 2FA (two-factor authentication) from the settings to protect your account. New users can sign up for an account using their MetaMask Wallet, and the company says it will soon support Brave Wallet.
Skiff Mail has paid plans that you can upgrade to, for more benefits.
Should you use Skiff Mail?
It's always good to see a new encrypted email service provider trying to provide some competition to the rest. But, should you use Skiff Mail? Let's take a look at the service's Privacy Policy, shall we? You may read it here.
Scroll down to the section titled Automatic Data Collection, and you'll see that Skiff Mail's website collects the following information from the user.
- IP Address
- MAC Address
- Cookie Identifiers
- Mobile Carrier (Cell Phone Provider)
- User Settings
- Browser or Device Information
Collecting the user's settings is perhaps acceptable, as is collecting the browser and device info; they are probably related to the cookies stored in the browser, and maybe used for compatibility. In addition to the above personal data, Skiff Mail also collects general location information and approximate location based on your IP address.
Not convinced yet? Let's keep reading the privacy policy. Skiff Mail's privacy policy mentions that it will collect other information such as web pages that you visit before, during and after using its services. It will also track the links that you click, the content you interact with, and how often you are active and use the company's services. The company will not respect Do Not Track requests sent by the web browser.
The Privacy Policy says that all data that Skiff Mail collects is used to provide its services, to market and advertise its products to the user, and for its operational purposes. However, the next section of the privacy policy states that the company will disclose user information to third parties for a variety of business purposes, and this includes sharing the data with its service providers, business partners and advertising partners. And if it were ever to be merged with, or acquired by, another company, or something similar, your information may be sold or transferred as part of the transaction.
Though there is a delete account button in the settings, the only way to delete your user information is to reach out to Skiff Mail via email. And then there are some third-party tools that the company uses for analytical purposes, and these have their own privacy policies.
The only thing that Skiff can't access seems to be the contents of your mails, because they are encrypted. But, what good is end-to-end encryption, if a service collects so much data from the user and tracks them? It learns your browsing habits, which is essentially profiling the user. This isn't different from what Facebook and Google do, is it?
If you read the privacy policies of other end-to-end encrypted mail services like ProtonMail and Tutanota, you won't find such data collection clauses there. And the data they do collect is collected anonymously, i.e., they don't profile users.
What do you think about Skiff Mail's privacy policy?
This article (Updated • Jun 6, 2022) and Comments provide a clear overview of Skiff Mail.
Skiff is not illegal as long as it complies with their privacy policy.
Skiff just takes a similar stance to Google and Meta (Facebook).
As long as “Google services” such as Google chrome are popular, it is natural for US-based startups to use them as business models.
After all, it is a business product by a profit-making company, so “priority is given to the maximum profit for the developer”.
Simply put, it’s projecting “Google”.
Already created an account before I saw this. Should I delete my account? I'm worried.
I think that, given that this article is inaccurate, the article should be edited and the incorrect stuff have a strikethrough.
Absolutely! One year on and still no UPDATE!!!
@Bump,
When “ghacks” first published the article (May 18, 2022), it was exactly as the author (Ashwin) showed in the screenshot.
However, it seems that Skiff has updated its privacy policy, etc., probably in response to the ghacks article.
So ghacks author Ashwin has updated the article (Updated • Jun 6, 2022) and clarifies it at the top of the page:
Update: Skiff has updated its privacy policy. It does not collect the MAC address of the user. The company says that users don’t need to contact Skiff to delete their personal information, and that it does not use third-party tools to track users. End Update
If Skiff’s allegations are legitimate and ghacks are unjustified, legal action can be taken.
About 15 months have passed since then, but Skiff remains silent.
Don’t take Skiff’s word for it.
Anyway, the reviews on Comments are spot on.
Whether or not you believe in Skiff is up to you.
Hey! I’m Andrew, the CEO of Skiff ([email protected]). Unfortunately, the content here is inaccurate – we don’t collect or have access to any of the information you described (IP, MAC address, ISP, etc.).
Also, the idea that the “free plan might require payment” is regrettably also completely inaccurate. In the future, it’d be great to clarify such things in advance, especially given how important it is to empower the rare breed of privacy-first products in the world.
If Andrew is the CEO of Skiff, it would be very courteous of @Ashwin (tech geek) to investigate these claims AND CLARIFY!
If correct, Andrew and Skiff deserve an apology and correction to this article.
What the cyberworld needs is more startups like this (if Andrew’s claims are correct). The last thing a great new service needs is derogatory and false claims, driving potential clients away.
C’mon @Ashwin, reach out, verify, and update your article (I respectfully request)!!!
This is silly. Not being tracked is the number one reason people choose an encrypted email provider (“I want to get away from Google”). Actual encryption comes as a distant second.
Offering encryption but tracking whether you have clicked on some kinky pornographic link before using your Skiff email (did I understand this correctly?) sort of defeats the purpose, doesn’t it?
Also, there’s one very important matter I do not see addressed in this so-called privacy policy : what will Skiff do if required to surrender personal information by the police, courts, lawyers or just disgruntled third parties and assorted do-gooders ? Will they resist requests from abroad ? And by the way, what country are they in ? This seems to be the United States, but some people on the planet do not live there, as some American companies have not yet realized.
I also read some disturbing suggestions that the free plan might require payment after a while, and that the features/price mix might be changed. So it’s possible they are trying to hook you up with their present terms, only to make them less attractive afterwards.
This would certainly fit with their intrusive “privacy” policy.
> Also, there’s one very important matter I do not see addressed in this so-called privacy policy : what will Skiff do if required to surrender personal information by the police, courts, lawyers or just disgruntled third parties and assorted do-gooders ? Will they resist requests from abroad ? And by the way, what country are they in ?
https://skiff.com/about-us
Based in San Francisco, Egypt, Israel, and France
Any of those states can “exercise great power” and must obey.
As you are concerned, personal dignity is not protected.
Excellent overview.
I guess the answer to the question posed in the article’s title is NO.
What do I think about Skiff Mail’s privacy policy?
I think it’d rather be called a privacy-less policy, encrypted e-mails set aside hopefully because once you notice a failure you may become excessively skeptical. Not to mention an announced 10GB free cloud storage and a factual 1GB.
No such twists with Posteo which I’ve used for years.
Thanks Martin for this most informative article brought to us tactfully with an article’s title question mark.
Lesser tact would have led to “Skiff Mail is a new end-to-end encrypted email service and why you should avoid it.”.
Another piece of trash. The Web is filled with trash.
EDIT: Thanks Ashwin, sorry.
Thank you, Ashwin, for this useful post.
>> The only thing that Skiff can’t access seems to be the contents of your mails, because they are encrypted. But, what good is end-to-end encryption, if a service collects so much data from the user and tracks them? It learns your browsing habits, which is essentially profiling the user. This isn’t different from what Facebook and Google do, is it? <<
Why is this at the end of the article rather than the beginning? It's obvious that the service shouldn't be used. EVER. Highlight that at the start of the article!
In the end, just the big players survive (gmail, outlook, etc.)
All this encryption talk is snake oil.
Oh, and Web3 is insufferable, like crypto talk and NFTs.
Excellent review, thank you.
I use Tutanota (paid) and find it is well suited to my needs. The free service is good, with few restrictions, but paying for it is a way of helping to keep them in business and continually developing their product.
Syncing data through a third party like this means all your devices and the accounts on them get linked to your profile. Since they also have your original ID, IP, MAC, contact list, metadata, etc., they know you own or use all of these devices, where you live, where you were, and where you go. From that they can track you any time one of those devices shows up in a log somewhere, or one of the accounts on any of those devices is used anywhere.
Never sync your devices through a third party that collects so much info.
They glow
exactly right, OMG!!!!!
Garbage marketing, there is nothing more insecure and badly made than the email protocol… yeah, encrypted if you send it to the 3 skiff users but after that nothing will get encrypted once it goes to the most likely outlook, gmail, a website’s email service, hospital, lawyers, a doctor or anything like that.
So it is just marketing because you will probably never email a person with a protonmail or skiff or Tutanota or anything “e2ee” scheme to really have anything encrypted.
Also, Protonmail encryption was always not even secured, so I doubt Skiff will be any different.
And think about this, these email services are not even used by many people so technically you are not even hidden using these services which means anyone can easily track you, know where you are etc etc.
Imagine being the only Skiff user in Dallas sending a mean email to a random person. And with all the data they collect and the one they can share with ‘authorities’ then… good luck!
I’ve been using Tutanota for the past 5 years and am more than satisfied with their services. Privacy policy here: https://tutanota.com/privacy/
Although a free account is available a premium version only costs €1 / $1 and offers far more options. They also have an encrypted desktop client.
Tutanota also supports U2F such as Yubico tokens for example.
That should read €1 /$1 a month billed annually. Apologies for the error.