I only have a few days left on my hey.com trial, and I think I will end up paying for it. I really like how the app feels, how responsive it is, and the thoughtfulness of the features.
Also, I spent some time looking at the frontend code (it's all sourcemapped and easily accessible) and I'm super impressed by the quality and simplicity.
It's really great to see a commercial project of such quality, although it *is* closed source.
@gueorgui I really wanted to like hey, but I feel like they don’t take privacy and encryption seriously. Do you feel differently?
@flip What makes you feel this way? I haven't done a thorough audit, but Basecamp folks are quite outspoken on privacy and against surveillance capitalism in general. They are based in the US, though, and that's not great.
“We accept that end-to-end encryption is not a realistic goal for mainstream email service. This means HEY is not a good avenue for certain forms of high-risk exchanges. If you’re working on human-rights issues in oppressive states, national security matters in any state, or otherwise face extremely sophisticated opponents, or if your life in any way depends on the sanctity of your end-to-end encryption, don’t use email.”
@gueorgui I live in the US and I work with human-rights groups.
Granted, many other email services have these same issues... but they don’t cost $100 a year
For that price, I’d expect them to do more.
@gueorgui I had assumed that they also didn’t support MFA because they didn’t have me set it up when I signed up... but their security page says they require it... so I’m at a loss there
@flip Ah yeah, that's true. If you work with sensitive info, you're better off communicating through Signal, or maybe something like Protonmail. I don't have the same threat model, so for me Hey is more acceptable.
Regarding MFA, they support it (I have it turned on) and require it for paid accounts IIRC.
@gueorgui I guess I just feel like if I’m paying $100/yr I’d want them to not casually say “email wasn’t made for e2e encryption so we didn’t build any tools to help you”
@gueorgui and then, finally, I would like some canaries. Right there on the security page. If it were true, I’d expect them to brag about it and say “we have never shared user information with any government agency”
@flip That's a great point, and I'll send a feature request for that.
@royniang @flip Yeah, e2e encryption doesn't really work with email, Signal is the only way I know that kind of works (and that has its own issues). I guess in the future, GPG support could be added, as I think there are browser implementations.
I've had GPG set up in my email clients for years and haven't used it for a real sensitive conversation even once, but again my threat model is not the same as yours.
@flip @royniang @gueorgui I don’t get why you go so hard on this. Hey wants to sell a user experience of email, not a technical email solution or a standard. As with all luxury brands selling “an experience”, it’s a premium price and not for everyone, which explains the price (sell higher to fewer people). As for open source, they said they are going to share all the libs they developed for the project, saying the rest is classic boring Ruby tech stack.
@flip @royniang @gueorgui You really are angry at them! I don't know, the price is stupid but I don't feel they lied about being luxury mail? All the talking points in the manifesto and feature pages are about user experience, and they deliver it?
I get this feeling you expect them to do more on a technical, privacy and security side because of the kind of usage you have with emails, but they never intended to do it in the first place, that's not their business, it's proton mail's business.
As for your questions about expectations and whatnot, I feel like you’re considering Hey in a vacuum. I think all things like this need to be considered in historical context, with respect to the zeitgeist, and an eye on the future.
And here’s your proof that I’m not angry: I’m simply not going to get into the details of all of that.
Let's see: I currently use Fastmail. I trust them because:
- They charge for the service (I'm not the product)
- They've been around for a long time
- They're recommended by friends
- They contribute to open source (JMAP project)
But not everything is perfect:
- They're in Australia (not great privacy laws)
- I don't know anything about the people running the company
@gueorgui Their manifesto states that "email's a treasure", and they don't offer e2e, regardless of whether or not it's secure or whether one needs it. They also state that while they securely store email, they have the keys, meaning at any time they can access it, or give access to whomever. Thanks but no thanks, regardless of one's threat model.
@gueorgui And here's the recurring problem: a new thing appears that attracts people with shiny new bells and whistles in the UI. It's also closed source and you are at the mercy of their self-proclaimed experience and reputation. It's email, for crying out loud. It's never been that complicated. You send it and you receive it, with the choice of encryption for sending and/or storing. Everything else is theoretically just bloat built to compete with other services.
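The point made in the two posts above, that "they have the keys" at rest is a different security property from end-to-end encryption, is easy to see in code. The script below is an added illustration, not code from HEY, Fastmail or anyone in this thread. It models a provider that encrypts mail at rest with its own key and compares what that provider can hand over under a disclosure request with what it can hand over when the sender encrypted to the recipient's key before the message ever reached it. The cipher is a constructed HMAC-SHA256 keystream stand-in for AES-GCM so the example runs with only the standard library; every class, function and message here is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy stream cipher: HMAC-SHA256 in counter mode XORed with the
# data. It stands in for a real AEAD (AES-GCM) purely so this runs offline
# with the standard library; it is not a cipher to use in practice.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext under a fresh random nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Provider:
    """Hypothetical mail provider that encrypts stored mail with a key it holds.

    'Encrypted at rest' protects against a stolen disk, not against the
    provider itself: whoever holds the at-rest key can read what it protects.
    """

    def __init__(self) -> None:
        self._at_rest_key = secrets.token_bytes(32)  # lives on the provider's servers
        self._mailbox: list[bytes] = []

    def receive(self, data: bytes) -> None:
        # Whatever arrives is wrapped with the provider's own key before storage.
        self._mailbox.append(encrypt(self._at_rest_key, data))

    def disclose(self) -> bytes:
        # Under a legal request (or a rogue admin) the provider unwraps its own
        # at-rest layer and hands over whatever it received.
        return decrypt(self._at_rest_key, self._mailbox[-1])


# Constructed sample message.
MESSAGE = b"constructed sample: draft report, do not forward"


def provider_held_key_scenario(message: bytes) -> bytes:
    """Mail arrives in cleartext (normal SMTP); the provider encrypts it at rest.

    Returns exactly what the provider can hand over: the original message.
    """
    provider = Provider()
    provider.receive(message)
    return provider.disclose()


def end_to_end_scenario(message: bytes) -> tuple[bytes, bytes]:
    """Sender encrypts to the recipient's key before the provider sees anything.

    Returns (what the provider can hand over, what the recipient reads).
    The provider's at-rest layer still applies, but stripping it only yields
    the sender's ciphertext, because the recipient key never left the client.
    """
    recipient_key = secrets.token_bytes(32)  # held only on the recipient's device
    provider = Provider()
    provider.receive(encrypt(recipient_key, message))
    disclosed = provider.disclose()
    return disclosed, decrypt(recipient_key, disclosed)


if __name__ == "__main__":
    print("provider-held key, disclosed:", provider_held_key_scenario(MESSAGE))
    disclosed, read = end_to_end_scenario(MESSAGE)
    print("end-to-end, disclosed:", disclosed.hex())
    print("end-to-end, recipient reads:", read)
```

The contrast is the whole point of the thread's disagreement: in the first scenario "encrypted at rest" changes nothing about what the provider can produce, because the key custody is theirs; in the second, the provider can only produce bytes it cannot read, and the threat-model question becomes whether the recipient's device and key management are trustworthy.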