Roni Äikäs

🚨 PSA: Skiff.com is lying about being open source!


Skiff, an email software startup based in the United States, advertises its email client as being open source.

Update! 10.2.2024: Skiff didn't do shit about it.

Skiff has been acquired by Notion today. Seems like an acquihire to me, but congrats to them. The license problem was never fixed, and now the email product seems to be getting abandoned and Notion only cares for the notes lol.

Mini-update 21:50 UTC+2: They deleted the GitHub repo of skiff-apps. Here are archives of the two issues: Issue #93 (the original, which was removed) and Issue #94 (the "civil" one).

P.S. If you need encrypted email, I've heard Tuta is good. I don't use them personally, though.

Hello. The original issue (#93) was removed today. The conversation got heated, with no constructive feedback. Sorry about that. Shortly after, the duplicate issue (#94) was reopened, where I've tried to give better feedback on how Skiff should move forward. And it seems that Skiff is going to do something about the license in the future.

Update ends, text continues

But a quick look at their GitHub repository proved that they were in fact lying, and thus misleading customers.

On their landing page, the first features section has the title "Open-source and audited", with only the smaller grey text showing that they are talking about Skiff Mail. That can mislead users if they don't read it carefully.

An image from Skiff.com's front page with the "Open-source and text" feature section

Then, below that, there's the "Transparent, audited, & open source" section. They don't directly say that it's only about Skiff Mail and the UI package, so some users will likely be misled into thinking that all the apps are open source.

They also claim that "Skiff Mail's client is completely open-source". We'll see about that later.

Screenshot from their website, showing "Transparent, audited, & open source: Privacy is more than a promise. Anyone can verify our encryption protocols and privacy protections." and "Skiff Mail: Skiff Mail's client is completely open-source, giving you the confidence to communicate freely."

Even the It's FOSS News publication fell for their false advertising here. It's a mistake anyone can make. Skiff's target customers are probably those who already know about privacy (at least a little bit), and probably understand how open source relates to privacy.

So it's a great marketing trick to include it. It gives you credibility. There are a lot of people wanting more privacy in the open source community.

But their code is on Github? How is it not open source?

There's a difference between open source software and source-available software. Open source is defined by the Open Source Initiative (OSI), and the 10 criteria for an open source license can be found here.

The most important of them in Skiff's case is 6. No Discrimination Against Fields of Endeavor.

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

That means, an open source license cannot restrict you from using that software in a commercial way.

Let's have a look at Skiff Mail's license!

The project is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 license (view here).

As you can see from the name, it forbids commercial use. That goes against the sixth criterion for software being open source.

So. I created an issue informing them of this. I later found out that there already was an issue, a year ago. But it was closed, with their CEO saying:

Thank you for the feedback! I will share it with our open source legal team. There are definitely reasons why we currently go with CC, largely around non-commercial use. Please email me (hello@) if you have more questions on this too.

Also, after the issue was closed, [@adulau](https://github.com/adulau) commented with:

I would then recommend to avoid the term open source in your communication and website. It’s not following the OSI guidelines. And it’s kind of misleading for the potential users. Thank you.

But, after a year, they are still doing it.

Funny thing: 10 minutes after my issue, a new one with the same issue was raised.

My Github issue

The issue was closed shortly after by their CEO, with the following comment:

Hello! Libraries inside the codebase are MIT licensed, including skiff-crypto and skiff-ui. We are not currently going to release other products for commercial use.

Oh, I didn't know that using open source libraries inside your app makes your whole app open source, without an open source license! How wonderful! Well, here they also told us loud and clear that they are not going to switch to an open source license.

Then the user who created the other issue commented, linking to a library used by the app that is not open source. That comment was swiftly deleted by the CEO.

He responded with:

Comments like this are unproductive and unhelpful. I mentioned that skiff-crypto and skiff-ui are MIT licensed. Commercial use is not a requirement for open source software. Study the MongoDB case.

We got a juicy one! The MongoDB case! If you don't know, MongoDB changed from an open source license to a source-available license (their own SSPL) in October 2018, which caused a lot of drama in the open source community. SSPL is not an open source license.

Conclusion

Skiff is marketing its email client as open source when it's not open source, but source-available software. I believe this is very misleading to potential users, and it has very likely fooled current users too.

They have it in big letters on their landing page, but they are lying. I recommend you avoid using and/or contributing to Skiff and their products. At least until they fix their marketing.

They are leeching off the reputation of open source software in the privacy-first software field, without contributing to the community by using an open source license. They are a startup after all; their purpose is to make profit and cold hard cash for the investors.

If you need a great, privacy-first, actually open source email client, use ProtonMail (not sponsored). They were initially funded by the people (crowdfunded over €500,000), and have no venture capital investors. They have EU funding for privacy-first email. I'm pretty sure they are more likely to keep your data secure in the long run than a startup burning cash. 90% of startups fail, you know? Skiff has been in business for a little over 3 years, while ProtonMail has been here for nearly 10 years!

Their servers are hosted in Switzerland, which has strict privacy laws, instead of the USA as with Skiff. Yes, you can have your data stored on IPFS, but it will still be processed in the United States, the land of the lovely CIA, who totally respects your privacy 😉

Note: illiliti mentioned on Mastodon that ProtonMail has a proprietary backend, and that they don't support standard protocols like SMTP/IMAP, and thus endorse vendor lock-in.

I wouldn't recommend protonmail because they are not fully open-source due to proprietary backend. Plus they don't support standard protocols like SMTP/IMAP and thus endorse vendor lock-in practice. They even invented their so-called "bridge" to work around that, but it is such a convoluted mess that nobody wants to use it because it breaks certain types of messages (sent on Mastodon)

If you have any questions or corrections to the article, you can contact me on Mastodon @raikas@mementomori.social.
