1. 43

  2. 26

    This article doesn’t bring anything new to the table, and it shrugs away security as “just use PGP”, which is not a reasonable alternative. Why doesn’t anyone encrypt mail? Because PGP tooling sucks, its UX sucks and it isn’t as user friendly as, for example, Signal/WhatsApp/you name it.

    1. 12

      I’ve been training non-tech people on practical computer security. In the past couple of years we’ve switched from introducing PGP as a viable but very difficult/brittle option to just using it as an exercise to understand the ideas behind public-key cryptography and not strictly hierarchical trust models.

      Given how easy it is to accidentally downgrade the channel, using it for very sensitive information is just a bad idea. Email clients with PGP plugins etc. just aren’t a “reasonably safe by default” option.

      1. 7

        I agree. I find the “email is not private, so I don’t treat it as such” argument a bit moot. PGP is so easy to misuse that it nearly shouldn’t be seen as secure. Why try convincing people that the privacy story of email is okay instead of attempting to do better? :(

        1. 2

          Another problem with PGP and email is mobile devices. I do not want to download my whole inbox to my phone, but I want to be able to search through it. With chats it is less of a problem, as I search history a lot less frequently than my email.

          1. 1

            That’s because the point of the article is not privacy; it’s spam, privacy and workflow management.

            1. -7

              PGP tooling is completely fine! You can’t just say something sucks without giving any reason for it!

              1. 14

                The first time I used PGP, I started by generating a key pair for myself and the first thing the program asked me was if I want to use Elliptic Curve Cryptography or RSA. Then it proceeded to ask for various details like key size and so on. At the time, I was either in the final year of my computer science degree or had already obtained it, and there were some real head-scratchers among those questions. Is Elliptic Curve Cryptography really more secure? What is a good key length? Question over question. Now, if this is what the onboarding process feels like for someone who has spent a significant amount of their life studying computers, I cannot imagine what it feels like if you’re new to computers. There is no way the masses are going to use a tool that asks you deep cryptographic questions, some of which cannot even be answered by industry experts.

                PGP is fine in the sense that the software is robust and it works (though I’m really not a fan of the lack of perfect forward secrecy - I think it’s an issue that is hand-waved away far too often). But it’s not fine for people who just want to quickly connect without having to study cryptography - and that should be the target audience if you want widespread adoption.

            2. 15

              That’s all email is to me. They’re mostly unimportant messages that I receive, deal with, and move on.

              I’m 38, and I’m feeling 83 right now. An old fossil that remembers that distant time in my youth, where email was the main, sometimes the only way people could contact me online. To this day, I cannot afford to not check my emails. Many are important. So I tend to assume, by default, that people treat their inbox the same way. Or at least that they should.

              10-15 years ago, a friend of mine asked me to get a Facebook account, so we could keep tabs on each other. I subscribed, tried it, then quickly shut it down: that thing was clearly a glorified second inbox, and I already had one. Why would I have two inboxes to check, when I can have only one? And I certainly don’t want 10 notifications a day about distant friends petting their cat.

              Still, Facebook has taken over. Or Twitter. Or Instagram. Or whatever. A couple years ago, I was part of an orchestra, and they set up a Facebook group (even forced me to join), because “nobody reads their email”. Like, Facebook, whose notification items fall from your wall faster than you can check them, where messages are often missed even if you’re diligent, is more reliable than email in practice because people just don’t use their email to communicate.

              Has email become little more than a gateway to subscription services now?

              1. 1

                I feel with you, though I am several years younger. But I still experienced the pre-Facebook Internet era.

                Has email become little more than a gateway to subscription services now?

                It depends on the persons involved. With enough care it is possible to get many people to write you e-mails; I have got nearly all of my friends to do that by now. Problems arise if people want group functionality – someone will always set up a Facebook group or a WhatsApp chatroom. Many people today are unaware of mailing lists as they should be used (many open-source projects still use this medium properly). When they hear “mailing list” they think it refers to advertisement mail. It is also problematic for non-technical people to set up a mailing list. Services like freelists.org exist, but they’re only available in English. Then, getting people to abstain from thread hijacking and do quoting right is a fight against windmills. It’d help tremendously if email clients stopped quoting the entire message on reply and just give a blank editing window. Why has this copy-on-reply ever been invented?

                1. 4

                  Mailing list software hasn’t really kept up with the times. Ideally one should be able to create them in a few clicks - select a name/topic, add some addresses, and away you go. Each email can have a footer with links for the individual addressee to manage their “subscription”.

                  (This sort of subscription might already exist. The point is that most people can easily create a group (private or not) on Facebook. Doing the same with email is not as easy).

                  1. 2

                    I understand that your criticism is mostly targeting UX issues rather than the underlying bits and pieces. In that sense, I more or less agree. However, with regards to almost everything related to what’s happening underneath the hood, I would even go so far as calling email the most fundamentally broken piece of critical infrastructure we have (… well, that I am more intimately familiar with anyway). And there is no reasonable escape. No open protocol will be able to replace it. But it badly needs to be replaced.

                    In the late aughts, I was a college student, and our department began transitioning away from mailing lists. I really liked the concept of mailing lists and loved using my mail clients for reading lists, but even then the experience to make lists was horrible. When I was a TA, managing the lists was also quite annoying. The web clients were also terrible.

                    (This sort of subscription might already exist. The point is that most people can easily create a group (private or not) on Facebook. Doing the same with email is not as easy).

                    Agree. I think there’s a lot of mileage to be had by the open source world by improving the experience of mailing lists or usenet sites.

                2. 1

                  Has email become little more than a gateway to subscription services now?

                  Yeah. I’m 26 and was interested in Hey, but even if it was $50/yr it wouldn’t be worth it to me. I really don’t receive many emails. If I do, they’re newsletters, receipts, or bank transfer confirmations. I still keep my email open all day but I wouldn’t blame someone my age if they didn’t check it.

                  You’re correct that people don’t want a second or third inbox. The problem for you is that email is no longer anyone’s first inbox.

                  1. 2

                    Amazing how different lives a few people can lead. I’m in a similar age bracket and read about 300 emails on a quiet weekday (down to just a few dozen on weekends). It’s mostly not social, that stuff I keep in person as much as I can.

                    And Facebook sucks as an inbox. Try keeping more than a few dozen notifications; they silently get dropped so you never have too much clamoring for your attention.

                    1. 1

                      The problem for you is that email is no longer anyone’s first inbox.

                      What is then? It would seem there are quite a few popular “first inbox”, which would basically force me to have several outboxes (I can manage), and several inboxes so I can see the replies. Pity, really.

                  2. 18

                    Email from a self-hosting perspective absolutely is, though. Absolute clusterfsck to try and configure.

                    1. 10

                      Configuration is one thing. Actually getting email delivered is another. I feel like you’re instantly on Google’s and Microsoft’s blacklist with your little server, marking all your messages as spam. It’s horrendous!

                      1. 12

                        Email is now a cartel. Old thread about it.

                        tl;dr if you really want to die on that hill, start by choosing your VPS provider carefully…

                        1. 2

                          Damn, my VPS of choice is DigitalOcean and I have to tell people to maybe check their spam folder for my email. Annoying.

                          1. 1

                            I relay all my email from my VPS through my (personal) FastMail account, which is easy and works well enough. Thus far the volume is still well within my account limits, but if I go over them I’ll probably just use SendMail or whatnot.

                            You can probably do the same with gmail or other providers.

                        2. 2

                          I spent a few hours setting up DKIM and SPF, after which my emails were delivered to gmail addresses (haven’t checked ms, but I’ve heard they’re more lenient) without a hitch. Yes, it’s irksome to have to spend even that amount of time, but it’s not that much work.

                          1. 2

                            Microsoft often marks its official communications as spam (usually correctly :)) in my Office 365 account… With the cloud and hosts reusing IP addresses all the time, the old spam-fighting methods simply do not work anymore (many were bad ideas even back then).

                            1. 1

                              DMARC can be painful to set up.

                              1. 0

                                It’s trivial, what do you mean?

                            2. 6

                              I don’t think this is related to the article’s content.

                              1. 5

                                I’m not sure I agree. Services like Mail in a Box and Mailcow make getting started a little simpler. Overall it is complicated, but email is a complicated system. Being complicated doesn’t mean it’s broken though.

                                1. 3

                                  Which part is the most painful?

                                  1. 3

                                    I understand that email hosting used to be appalling and most of it still is but OpenSMTPD is actually really nice to use. I’ve chosen to write email apps over webapps for a couple things, e.g. self hosted instagram where I email photos from my phone to myself.

                                    Just need OpenIMAP and OpenSpam and Open Everything Else and we are all good.

                                    1. 1

                                      Could you go into some more details about your OpenSMTPD based workflow? I’ve been thinking of building apps over email, but would love to hear about others’ usage.

                                    2. -2

                                      It’s really not that hard.

                                    3. 5

                                      I understand that your criticism is mostly targeting UX issues rather than the underlying bits and pieces. In that sense, I more or less agree. However, with regards to almost everything related to what’s happening underneath the hood, I would even go so far as calling email the most fundamentally broken piece of critical infrastructure we have (… well, that I am more intimately familiar with anyway). And there is no reasonable escape. No open protocol will be able to replace it. But it badly needs to be replaced.

                                      Disclaimer: I’m a masochist voluntarily working on email related libraries and applications.

                                      1. 1

                                        What specific things, besides the usual suspects did you have?

                                        1. 3

                                          I intentionally avoided giving specifics (it’s rather difficult for me to enumerate my circles of hell), but because it’s an easy example for me to give as I worked on it… parsing email address lists (To:, From: etc.). Email clients often don’t sanitise whatever they try to send, and remote SMTP servers will accept it anyway. What you’re left with is a lot of malformed address lists like User, Example <'address@example.org'>, Another email@example.org.
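
The malformed address list quoted in the comment above, run through a strict check with a separate salvage step. This is an added example, not code from the commenter or from any mail library; the function names, the simplified address grammar and the well-formed sample header are assumptions made here.

```python
import re

# Simplified addr-spec (an assumption, narrower than RFC 5322): dot-atom local
# part and a dotted domain. Quote characters are deliberately excluded so that
# stray ' or " wrapped around an address count as malformed.
ADDR = r"[A-Za-z0-9.!#$%&*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
BARE = re.compile(rf"^{ADDR}$")                      # user@example.org
NAMED = re.compile(rf'^(?:"[^"\\]*"|[^<>"@,]+)\s*<({ADDR})>$')  # Name <addr>
SALVAGE = re.compile(ADDR)                           # any addr-like substring

# The header value quoted in the comment, and a constructed well-formed one.
MALFORMED = "User, Example <'address@example.org'>, Another email@example.org"
WELL_FORMED = '"Doe, Jane" <jane@example.org>, bob@example.org'


def split_list(value):
    """Split on commas that are outside double quotes and angle brackets."""
    parts, buf, in_quote, in_angle = [], [], False, False
    for ch in value:
        if ch == '"' and not in_angle:
            in_quote = not in_quote
        elif ch == "<" and not in_quote:
            in_angle = True
        elif ch == ">" and not in_quote:
            in_angle = False
        if ch == "," and not in_quote and not in_angle:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def audit(value):
    """Return (chunk, address, well_formed) for every list entry.

    A well-formed entry yields its address. A malformed entry yields a
    salvaged address only when exactly one candidate is present, and is
    always flagged so the caller can log it or refuse to act on it.
    """
    report = []
    for chunk in split_list(value):
        named = NAMED.match(chunk)
        if BARE.match(chunk):
            report.append((chunk, chunk, True))
        elif named:
            report.append((chunk, named.group(1), True))
        else:
            found = SALVAGE.findall(chunk)
            guess = found[0] if len(found) == 1 else None
            report.append((chunk, guess, False))
    return report


if __name__ == "__main__":
    for header in (MALFORMED, WELL_FORMED):
        print(header)
        for chunk, addr, ok in audit(header):
            status = "ok" if ok else "MALFORMED"
            print(f"  {status:9} {chunk!r} -> {addr}")
```

Keeping the well-formed flag next to each salvaged address lets a filter or client treat a guessed address differently from a parsed one, rather than silently displaying or routing on a best-effort reading of the header.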

                                      2. 5

                                        For better or worse, I don’t agree with this:

                                        To me, email is a way of receiving simple communications that have a short time to live

                                        Maybe it should not be used for it, but newsletters, file sharing (!), tickets and receipts, etc. are not short lived. I often need to look them up many weeks, maybe even months later, and some I want to keep around and consume at my leisure. I think Hey addresses those issues well.

                                        The fact that the email protocol should probably never have been used for that is another issue entirely. If email was “pure” communication - prose from a sender to one or more recipients - that would be fine, but we’d need another protocol for receiving “things” that are easy to manage by machines (tags, content types, sender, etc.) whereas regular emails with text and attachments are anything but.

                                        1. 2

                                          I don’t agree with this article, but like the author, I don’t find Hey to be a meaningful or interesting improvement for me. My use of email isn’t the same as the author’s. My emails aren’t short, ephemeral messages; I use Slack or other messengers for that. I also don’t find spam to be a problem anymore. I use Gmail and I almost never see a spam message in my Inbox, or see a non-spam message marked as Spam.

                                          The problem with privacy is two-fold, I think. First, Gmail: even if a lot of people move away from Gmail, Google still has everyone’s email because of all the remaining people who use Gmail. Secondly, even if email is insecure, in lots of cases you still have to use it for sensitive things because people on the other end have no other method for communication. But this is true of communication systems in general. A large part of India’s commerce, including transfer of sensitive information, happens over WhatsApp. Is this good? No, but changing it is more than any single email provider can do.

                                          On the other hand, I don’t think Hey is a meaningful improvement for me. As the author notes, the UI is too different and jarring, and doesn’t expose the right things in the right places. Having an “Imbox” seems silly. Having privileged “Paper Trails” and “Feed” also seems unnecessary. Why aren’t these just labels that maybe have dedicated buttons? Requiring approval of new senders is… fine, I guess? But getting lots of email from people who haven’t emailed me before isn’t a use case that’s relevant to me. What percentage of email users is it actually relevant for? It seems like Hey is targeted at people who have that specific problem.

                                          For me, like it or not, Gmail is actually a good tool. It has good labels and deterministic filters, good keyboard shortcuts and a decent UI. It should do a better job of making filters more accessible, and instead of having privileged “categories” it should be possible to turn any label into a separate inbox-like view. Combined with a native app like http://airmailapp.com on macOS, it’s a good local optimum.

                                          1. 2

                                            I was ready to disagree with you until I read your article. I agree wholeheartedly. I’m going to pay for a year to see how Hey shapes up but I’m also looking at JMAP.

                                            I want to try and configure a JMAP server with GraphQL and encryption layers.

                                            1. 2

                                              There are some good points in the article but I feel this doesn’t apply too much for me. I usually have lots of long-lived emails for various reasons:

                                              1. it’s the best place for me to store some documentation that is from a not so common sender. For example documents from my work I don’t store them in email, but a contract from your gym, for example, I store them in email. Search is also pretty good these days to find this stuff.

                                              2. I use some emails as tasks, sometimes because the task is replying to the sender (and can be time-consuming) and sometimes because I just don’t want to move it to Trello because it implies more work and going back to email when I need to do the task.

                                              1. 2

                                                If I was going to name one downside to email that completely kills it for me, it is that it doesn’t have built-in access control.

                                                The old-school system that got it right was RSS; if you unsubscribe, the feed is gone. Web Push and mutual-follower private messaging systems are also good examples of how to do this, since they also only allow a sender if you grant access, and provide the ability to revoke that access if you want.

                                                Apple Login is effectively trying to layer a Web Push-style opt-in-opt-out system on top of email; it’s the right approach for emails coming from outside companies. Experts have known to do this for years, and Apple’s turning it into a usable product.

                                                1. 2

                                                  I used a system similar to Hey years ago to filter spam. I found it didn’t work all that well: you have to carefully go through your “spam” and pick out emails that appear genuine; it’s a lot of effort. I find that “classic” spam filtering provides a better UX in general.

                                                  Perhaps Hey has some ways to improve on it, we’ll see. I got an account but didn’t care much for the UI (and I’m happy with FastMail anyway) so didn’t experience any real-world use.

                                                  1. 3

                                                    To my understanding the Hey system is for things that aren’t “traditional” spam but are unwanted anyway, like when political campaigns get ahold of your email.

                                                  2. 2

                                                    I agree. When something is broken you don’t have billions of active users.

                                                    Personally, other than the privacy concerns and some UX issues, I’m mostly happy with Gmail. I didn’t exactly love the new design and UX introduced last year but the autocomplete and correction features are super helpful for a non-native English speaker.

                                                    1. 1

                                                      Hyperbolic declarations of brokenness have been en vogue for quite a while. If techies were a nation, the “I don’t like X” -> “X is broken!” leap would be its national pastime.

                                                      1. 1

                                                        I must say that I agree with the article on a lot of counts.

                                                        As for Hey, it just seemed like Inbox for Gmail or some decent extensions that did things like that for you. I think it’s just a matter of them having good defaults, not “fixing” anything fundamental.

                                                        I did have one point that I see a bit differently though. I don’t see email as a short-lived communication channel. Sure, lots of mail is just fire and forget. But it’s much more flexible than just that. I can have and have had years-long correspondence. I have several different workflows for handling different types of mail. I organize my conversations per topic, type, sender, much more than just short-term convo.

                                                        And the last point of no-short-termness is that it’s a lot more asynchronous than the instant messengers that everybody now uses. I can not reply to you at all for a day or two. And then I can say “I’ll get back to you on this when the time is better for me”. And then have time and room to meaningfully address the topic.

                                                        I guess that’s why the article has so many good disclaimers about that being his opinion. So I’m not disagreeing, I just wanted to bring my perspective into the discussion.

                                                        1. 1

                                                          But just because you’re not prepared to put the work in, doesn’t mean that email is broken. Email is far from perfect, but I don’t think it’s broken. What do you think?

                                                          Anecdote: half of my tech friend circle have not even heard of email filters, so it’s less of a choosing-to-have-a-bad-workflow issue and more of a filter-interface-is-badly-designed issue. The other half who uses filters, myself included, think it’s too much work to design new filters for unwanted email (university seems to make new sources of email every term). The only way I survive is with a plugin for Thunderbird called Quick Filters, and even that is tedious. I have hundreds if not thousands of filters.

                                                          I signed up for Hey just now and I’d agree it’s horrendously designed for an email client. Though I’d say this post misses the point regarding filtering spam. Tedium is a design flaw – you can’t blame the user for not being able to manage their inbox – and Hey addresses this remarkably well.

                                                          • It’s one-click-to-filter, compared to Quick Filters’ one-drag-and-two-clicks-to-filter.
                                                          • It makes filtering rather accessible – no need to dig through dozens of email features to discover the filtering feature for the first time.
                                                          • Even for non-Hey users, Hey’s marketing spreads awareness of easily accessible filters, which hopefully can get picked up by other email clients. And it might encourage non-Hey users to look for the filter feature in their client for the first time.

                                                          1. 1

                                                            So to summarise… spam is sort of manageable if you invest some time in it, but email is essentially not private and the workflow is difficult to manage and doesn’t lend itself well to most communications.

                                                            Which to me sounds like saying, “It isn’t broken, it just isn’t good at any of the things people actually use it for”.

                                                            1. 1

                                                              So by that rationale, is your mobile phone broken? Or your laptop/desktop? All these devices (especially Windows) aren’t private out of the box, and their workflow isn’t optimised for you specifically either.

                                                              You need to harden these devices by installing AV, the apps you use, disabling intrusive services, like Cortana/Siri & telemetry.

                                                              Just because some work is needed up front to get something working how you need/want it to work, doesn’t mean it’s broken. It just means they’re configured to have wide appeal. I don’t recall people claiming their laptops, desktops and/or mobile phones are intrinsically broken though…

                                                              1. 1

                                                                People have been trying to bolt security/privacy onto email for decades and haven’t succeeded. You can invest the work needed to encrypt your outgoing emails, but then you can no longer send them to just anyone with an email address, and even if you do manage to find a recipient who can decrypt the message there’s a possibility they’ll reply in plaintext quoting your entire message.

                                                                By contrast, most mobile phones, laptops and desktops come in a more-or-less useable state. It’s very easy to “customise” them to your workflow by installing your favourite applications or tweaking the settings. If you have slightly different needs there are a whole host of different OSes and distros which come ready-made for different use cases. The point is that you can set up your system to work how you want it to: you can’t make email private.

                                                                In this age of surveillance, both corporations and governments (foreign and your own) are determined to read, store and process anything they can. To have one of the most widely used communication methods not be private-by-default is irresponsible and dangerous. Email cannot be made private, so unless you want to make an argument along the lines of “the tool isn’t broken, it’s just that every single user is using it wrong”, then I think it’s fair to call it broken.