Skiff gets bought by Notion—another lost battle for privacy?

Skiff, the popular secure email and document editing service, shocked its users over the weekend by announcing that it will shut down following an acquisition by Notion. Skiff accounts won't be carried over to the new firm, however; they will stop working completely after a six-month sunset period.

Founded in 2020 by Andrew Milch and Jason Ginsberg, Skiff gained a devoted following thanks to its privacy and security-focused approach. In May 2022, it officially launched its Mail and Drive apps with the mission to empower people worldwide to "communicate without fear of interception or surveillance." Now, almost two years later, that dream seems to have vanished.

While the announcement is likely to come as a cold shower for users, it also sheds new light on the issues gripping the security software industry. Is this another lost battle for privacy, and what does it mean for all of us using Skiff apps? 

In a furious tweet, Session, an open-source encrypted messaging app, argued that "Skiff selling out their users underscores a persistent problem that affects many privacy tools. At the end of the day, businesses will always prioritize their investors over their users," and deemed the move yet another instance of "good intentions turned sour."

Other commentators were less harsh in their judgment. For instance, secure email providers Tuta (formerly Tutanota) and ProtonMail have simply reiterated the fact they have no intention to step down from their mission to deliver better privacy online while explaining to Skiff's forlorn users how they can switch to their services.

According to Meredith Whittaker, the President of Signal, the news further highlights the importance of privacy apps like Signal being a non-profit firm instead—something she described as "a structural safeguard protecting privacy in an industry where money is generally tied to surveillance."

Skiff users flocked to online forums such as Reddit to voice their concerns over the move. "I only feel bad for everyone that got fooled into thinking they were going to be a reliable service," reads one of the comments, while another wrote: "Stop looking for a silver bullet product to solve your problems!" Other users lamented that new comments and posts appear to have been turned off on Skiff's subreddit (r/Skiff). Some even went so far as to say Skiff was simply taking the money and running.

Skiff's migration to Notion: how does it affect you?

At this point, you might be wondering, what's the big issue with Notion's acquisition of Skiff?

Let's start with the elephant in the room. While Notion's product offering includes different apps, such as shared documents, notes, and even a calendar, it is not an email provider. Skiff's end-to-end encrypted email app was a key factor for people switching in the first place. Most importantly, these users now risk losing their private data if they fail to switch before August.

I reached out to Notion to understand if an email app was now in the plan, but a spokesperson simply shared a link to their blog post alongside a general "nothing further to share at this time" comment.

However, one less end-to-end encrypted email provider on the market might be just one side of the issue—especially when it comes to your privacy. That's because while Notion's apps are praised for their smooth experience to enhance day-to-day workflow and productivity, there are prominent concerns around its security and privacy practices.

"Notion is great but it's not a privacy tool. I'm so, so happy I didn't pay for Skiff like I almost did," wrote a commenter on Reddit. Another user reiterated: "I'm a Notion customer, to be honest it's good for them to grow their business to a point, they can challenge services we have with Google and Microsoft. This part is ok to me, we need more alternatives, and why not a smaller one. But Skiff selling us to a non-privacy service is a terrible move."

After reading these and many similar comments online, I dug into how the provider claims to handle its users' data and I wasn't especially impressed from a privacy perspective.

For starters, Notion's privacy policy comes across as quite invasive. Nothing that I haven't seen before, but from a company whose services are extensively used by work teams and businesses I would have liked to see some more restraint in data harvesting.

According to its "Automatic Data Collection" rules, the provider gathers a great wealth of information that could reveal your identity. These include your IP address, different unique identifiers, details about your browser, operating system or device, location information, pages that you visit before, during, and after using the Notion services or website, information about the links you click, and how you interact with Notion products, and more.

The paragraph on how the team deals with Do Not Track requests, a browser setting you can turn on to opt out of online tracking for advertising purposes, doesn't shine for its commitment to privacy either. Quite the opposite, actually.

"Like most online services, we do not currently respond to Do Not Track signals," reads the policy, adding that the provider nonetheless will "honor legally-recognized browser-based mechanisms (such as the Global Privacy Control designed to signal your opt-out choices under certain state laws)."

Notion's security practices could benefit from some improvements, too.

The provider applies encryption both at rest (on the data stored on your Cloud, for example) and in transit. Yet, as a Notion employee explained to a user on Reddit a few years back, data is not end-to-end encrypted—and that appears to still be the case as there's no mention of E2E among its security practices. 

When in transit, the encryption is also less secure than when it is at rest, as Andreas Theodorou, Editor-in-Chief of Tech Software at Future PLC, told me: "TLS 1.2 standard is becoming less secure by the day and can be susceptible to collision attacks. TLS 1.3 came about nearly 6 years ago, so to say that data in transit is 'encrypted using TLS 1.2 or greater' is vague and discouraging."

All this means that maliciously inclined employees or other third parties may be able to intercept and access your information without your consent. It's yet another concern for privacy-minded customers who once turned to Skiff, attracted by its "end-to-end encrypted solutions that put privacy back in the hands of the people," as the provider described.  

Again, I reached out to both Skiff and Notion asking for clarifications on these privacy concerns but they replied that they cannot share more information at this time.

Chiara Castro
Senior Staff Writer