The skiff fiasco has left the entire “privacy and security community”1 hanging,

to say the least.

While this has not been the first time, it sure was pretty shocking, as even PrivacyGuides added skiff after half a year of scrutiny and the skiff team was highly active in the “privacy community”, and responded with trustworthy vibes (Social Engineering at it’s best). There were some signs, albeit very obscure.

Self Sustained Business

The highest priority in judging privacy tools should be given to how the business behind the product is running, if its free - it’s probably not a product you should trust (use…. maybe). If it’s backed by VC capital it’s a no-no.

Services and products that are made in public and out of online communities are ideal, at least from a privacy and security point of view.

Lindy

If a service has been there for years and shown a history of good faith, it will most likely be GOOD in the future. So trusting privacy household-names is the way. The timeframe for highly-critical stuff is 2-5 yrs atleast. (Email etc)

Shiny Stuff?

Try new things but don’t provide 100% of your trust, on day 1. We do this naturally offline, its not really intuitive online, but it will be, as the generations after us, will be trained by us.

VC Bad

VC’s have crammed that distribution is king so they invest heavily in marketing - that essentially means, taking different angles to capture ANYONE that will take the bait.

I guess some of them noticed a lot of chatter about this thing called “Privacy” and took that angle. Once the distribution is captured, they flip the greedy switch to capture as much money as they can.

But this strategy will also fail in a few years (maybe less) as people learn to quickly switch between products and services that were wolves-in-the-sheep’s-clothing, or they just use the privacy household-names for critical stuff.

The problem is credit here, as the cards are saved in these systems, they are charged automatically (most people <in USA?> don’t check their card statements) and the money just gets to the VC’s anyways, so it’s essential to use prepaid cards for services that you are not sure about - it’s better to not give any payment details or addresses in the beginning of course.

Skiff wasn’t really profitable so notion just bought the distribution?

Which distribution you ask? Well idk tbh. emails? Contacts? Pages? Calendar? These were all supposed to be E2EE.

So they bought an empty company?

Most prob they were acqui-hired by Notion. Sequoia Capital invested both in notion and skiff, that's where the link is.

Migration

Fortunately I only used them for emails, so this is what I did:

1. Exported all emails (so that I have a record of everything)

2. Added forwarding rules for all aliases to my custom domain (so that I can redirect it wherever I want in the future) - At the time of writing, I COULDN’T verify any forwarding rule, maybe their infra is taking a hit as everybody is moving out 🤣

3. Started changing email addresses in all the services I used the skiff email. (Forwarding is a last resort, not the first - as you can’t even trust that this forwarding will always be working in the future)

4. As I have exported all the emails, I have a record where I used the skiff aliases. It won’t take a day but I will get there. A few hours a week gone, just because I trusted a new email provider, lesson in there.

You can check their own page for migration.

What I have been exploring as an alternative?

I have been eyeing forward email for some time and just started testing it. I DON’T recommend it right now as I haven’t concluded anything about it yet but ofcourse you can test this service along side me.

P.S. I haven’t yet analyzed the Simple Mobile Tools thing but at the surface it seems different than a VC backed blitzkrieg.

Further Reading

1. https://blog.ecosia.org/trees-not-profits/

2. https://blog.notesnook.com/the-skiff-privacy-fiasco/