💾 Archived View for gemini.circumlunar.space › users › laur%C3%AB › mail › skiff.gmi captured on 2024-08-18 at 19:37:26. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

Skiff

Hey, it's been a long time - and my hands are itching for some action. Fortunately I have my chainsaw right here, ready to cut down another shitty provider ^_^. First of all, Skiff is Cloudflared - even the signup page - meaning CF steals your password. This should completely disqualify it already, but I'm Diggy and the job has only begun. The registration process requires malicious hCaptcha, and I'm not going to solve that shit. If you're wondering what hCaptcha is - it's just reCaptcha sans Google. It pretends to be private, but isn't:

Other information collected from End-Users as part of the Service to that is required to determine whether they are human, such as mouse movements, scroll position, keypress events, touch events, and gyroscope / accelerometer information as applicable.

Your captcha solutions will also be fed to an AI and shared with the website on which hCaptcha is embedded:

To provide a market for Labeled Data. Our Service enables high volume data labeling and human review for machine learning systems as a service to website owners and companies who need help getting their data labeled. To that end, we disclose Labeled Data to our Customers interested in acquiring Labeled Data.

You're a lab rat, "labeling" data for "machine learning systems". How comfortable does that make you feel? And surely, those "machine learning systems" will be used against us down the road with police bots and such - who will now be able to recognize objects because you've told them what they are. By the way, hCaptcha itself is Cloudflared, so they also get all this data. But let's go back to Skiff.

If you still want to register for Skiff despite this abuse, realize that the registration page does not work properly in Pale Moon (nor many other pages; I cannot even read the help page). The site starts executing some heavy JS, fan can be heard working in overdrive...but still, nothing displays. Not even through the Wayback Machine so it's not even the CF doing that; the code is just incompatible - Skiff obviously wants to give up the Web to Google and its minions (like Mozilla). But okay - you will say; I will just submit to overlord Google and use Chrome to sign up. What are you getting?

A service that does not support mail clients! As if Skiff did not earn enough red cards already, here we have yet another reason to kick it off the field for the people that didn't get the memo yet...(read the intro to see why mail clients are so important). The lack of support for mail clients also allows Skiff to keep certain features hostage (such as the amount of "Folders and labels") that would be freely available in a mail client. This way they get you to go for the paid plans. But even the paid plans are worse than the free ones of mail-client-supporting providers, so what's the point? They also shill "End-to-end encryption", which works the way you'd guess - only between Skiff victims. Recall how JavaScript-dependent E2E could be broken at any time by the provider by substituting compromised JS. But here it's even worse, because the Cloudflare MitM could do it themselves. Skiff also offers a Drive, Calendar, and some collaboration tool available - but here we're only covering the E-mail. Anyway, for more dirt on Skiff let's check out their ToS page:

3.4. Use of Customer Materials. In consideration of your use of the Services, you hereby grant to Skiff, its parents, subsidiaries, affiliates, licensees, designees, and successors and assigns a limited, non-exclusive right to use, copy, distribute and display Customer Materials

"Customer Materials" = all the data that's received from you. Skiff claims ownership of it and will throw it around unknown (to you) shady entities. How about their privacy page?

Skiff’s highest priority is to safeguard the privacy of the users on our platform. While you are on our platform, we collect only a minimal amount of data needed to provide you with our services.

The usual privacy posturing. But is it justified? Spoiler - lolno:

Automatic Data Collection. In order to protect you and our platform from malicious activity and to prevent fraud, we may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address (temporarily), user settings, and Skiff-provided authentication cookies. We may also temporarily collect information regarding your use of our Services, such as pages that you visit before, during and after using our Services, the frequency and duration of your activities, and other information about how you use our Services.

So they spy on you pretty specifically, tracking your movements across the site and with timestamps attached - and even outside Skiff itself. It is clear they want to lay their hands on as much as they can - and forever, too:

We store the personal information we collect as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

You never get told the actual duration (in amount of days, etc - not even a range) - so the "temporary" storage appears to be a lie. Skiff will also give away all your data to a would-be buyer (I guess that's what the forever storage is for):

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction

They also do targeted ads and location tracking:

You can use your mobile device settings to limit use of the identifier(s) associated with your device for interest-based advertising purposes and for location tracking.

You can graciously delete / block the cookies responsible for the tracking (apparently; I can't sign up so I can't audit this more specifically). But then...

However, if you adjust your preferences, our Services may not work properly.

Hahaha. You will watch our ads and you will be happy. Anyway, this service appears to be completely useless; I cannot even justify it over something like Gmail or Outlook - which is quite an achievement for Skiff. You'd think that with me being inside this provider review "business" for so long, there would come a time where I could say I've seen everything - but it doesn't appear to be approaching yet. And if I was able to actually sign up and enter this swamp I'd probably be able to discover even more bullshit, but I'm not solving that shitty captcha, so this will have to suffice (hey, I already feel dirty about having to run ug-c just to view their broken pages).