I only have a few days left on my trial, and I think I will end up paying for it. I really like how the app feels, how responsive it is, and the thoughtfulness of the features.

Also, I spent some time looking at the frontend code (it's all sourcemapped and easily accessible) and I'm super impressed by the quality and simplicity.

It's really great to see a commercial project of such quality, although it *is* closed source.

@gueorgui I really wanted to like hey, but I feel like they don’t take privacy and encryption seriously. Do you feel differently?

@flip What makes you feel this way? I haven't done a thorough audit, but Basecamp folks are quite outspoken on privacy and against surveillance capitalism in general. They are based in the US, though, and that's not great.

@gueorgui this is from their site at

“ We accept that end-to-end encryption is not a realistic goal for mainstream email service. This means HEY is not a good avenue for certain forms of high-risk exchanges. If you’re working on human-rights issues in oppressive states, national security matters in any state, or otherwise face extremely sophisticated opponents, or if your life in any way depends on the sanctity of your end-to-end encryption, don’t use email.”

@gueorgui I live in the US and I work with human-rights groups

Granted, many other email services have these same issues... but they don’t cost $100 a year

For that price, I’d expect them to do more

@gueorgui I had assumed that they also didn’t support MFA because they didn’t have me set it up when I signed up... but their security page says they require it... so I’m at a loss there

@flip Ah yeah, that's true. If you work with sensitive info, you're better off communicating through Signal, or maybe something like Protonmail. I don't have the same threat model, so for me Hey is more acceptable.

Regarding MFA, they support it (I have it turned on) and require it for paid accounts IIRC.

@gueorgui I guess I just feel like if I’m paying $100/yr I’d want them to not casually say “email wasn’t made for e2e encryption so we didn’t build any tools to help you”

@gueorgui and then, finally, I would like some canaries. Right there on the security page. If it were true, I’d expect them to brag about it and say “we have never shared user information with any government agency”

@flip That's a great point, and I'll send a feature request for that.

@flip @gueorgui they are not wrong tho, email e2e encryption sucks: vendor lock-in and/or bad design doesn’t make it an option 😔

@royniang @flip Yeah, e2e encryption doesn't really work with email, Signal is the only way I know that kind of works (and that has its own issues). I guess in the future, GPG support could be added, as I think there are browser implementations.

I've had GPG set up in my email clients for years and haven't used it for a real sensitive conversation even once, but again my threat model is not the same as yours.

@royniang @gueorgui for me, if I were working on a $100/yr mail client that already is getting weird with features, that’d be a good reason to get working on a standard

@flip @royniang @gueorgui that would be great to see. Im surprised protonmail or tutanota hasn’t announced any plans on making a standard

@flip @royniang @gueorgui I don’t get why you go so hard on this. Hey wants to sell a user experience of email, not a technical email solution or a standard. As with all luxury brands selling « an experience » it’s a premium price and not for everyone, which explains the price (sell higher to less people). As for open source, they said they are going to share all the libs they developed for the project, saying the rest is classic boring ruby tech Stack.

@flip @royniang @gueorgui Just to be clear I’m not trying to defend them (even if I like their frontend approach), just stating that maybe it’s not worth expecting certain things from certain people in the first place to avoid being disappointed or angry.😅

@thomasorus @royniang @gueorgui I think it’s appropriate to “go so hard” when the homepage reads like a manifesto by someone with a messiah complex. They want to act like saviors, they’re going to be held to savior standards

@flip @royniang @gueorgui You really are angry at them! I don't know, the price is stupid but I don't feel they lied about being luxury mail? All the talking points in the manifesto and feature pages are about user experience, and they deliver it?

I get this feeling you expect them to do more on a technical, privacy and security side because of the kind of usage you have with emails, but they never intended to do it in the first place, that's not their business, it's proton mail's business.

@thomasorus @royniang @gueorgui nah, not angry. It doesn’t take much energy for me to share my thoughts from evaluating the service

Don’t know why you’d think I was angry... you should see all the blog posts written about Hey. Many of them are considerably more long winded than I’ve been

@flip @royniang @gueorgui Well people are often so positive and chill here that I felt it this way. :'D

@thomasorus @royniang @gueorgui you can be chill AND real at the same time. Just sharing some thoughts

As for your questions about expectations and whatnot, I feel like you’re considering Hey in a vacuum. I think all things like this need to be considered in historical context, with respect to the zeitgeist, and an eye on the future

And here’s your proof that I’m not angry: I’m simply not going to get into the details of all of that

@thomasorus @royniang @gueorgui and I feel like good things came from the conversation that wouldn’t have come up without a dissenting voice. I even considered paying for Hey for a brief moment! It was truly a wild ride

@flip @thomasorus @royniang I would actually like to see some points against using Hey, I might learn something new. So if you have any links handy, please do share them!

@gueorgui @thomasorus @royniang all I’ve heard so far is in line with not trusting them with data and then ad homonym attacks on DHH honestly

It wasn’t what I wanted, but it looks like it’ll work for a lot of folks

@flip @thomasorus @royniang Ahh, I see. I have no problem with DHH (I actually quite like him) and, I guess as a corollary, I'd trust him/his company with my data more than, say, Google.

@gueorgui @thomasorus @royniang I feel like comparing to Google is like multiplying by zero sometimes

It’s interesting to consider how many economic units I’d trust/value service X over Google X though

@flip @thomasorus @royniang Yeah, right after posting I thought Google was a bad example.

Let's see: I currently use Fastmail. I trust them because:
- They charge for the service (I'm not the product)
- They've been around for a long time
- They're recommended by friends
- They contribute to open source (JMAP project)

But not everything is perfect:
- They're in Austalia (not great privacy laws)
- I don't know anything about the people running the company


Show more

@gueorgui Their manifesto states that "email's a treasure", and they don't offer e2e, regardless whether or not it's secure or whether one needs it. They also state that while they securely store email, they have the keys, meaning at any time they can access it, or give access to whomever. Thanks but no thanks, regardless of one's threat model.

@gueorgui And here's the reoccurring problem, a new thing appears that attracts people with shiny new bells and whistles in the UI. It's also closed source and you are at the mercy of their self proclaimed experience and reputation. It's email for crying out loud. It's never been that complicated. You send it and you receive it, with the choice of encryption for sending and/or storing. Everything else is theoretically just bloat built to compete with other services.

Sign in to participate in the conversation

Merveilles is a community project aimed at the establishment of new ways of speaking, seeing and organizing information — A culture that seeks augmentation through the arts of engineering and design. A warm welcome to any like-minded people who feel these ideals resonate with them.