1 September 2013
Jon Callas: Silent Mail Shutdown - Why How When
Subject: Re: why not disable external mail, keep intenal mail (Re: Who bought
From: Jon Callas <jon[at]callas.org>
Date: Sat, 31 Aug 2013 20:15:25 -0700
To: Adam Back <adam[at]cypherspace.org>
On Aug 31, 2013, at 1:05 AM, Adam Back <adam[at]cypherspace.org> wrote:
> More precisely it's the exposed meta-data in the SMTP. But why would you
> use meta-data rich transport for silent circle internal-mail? (Internal-mail I
> mean silent circle user to silent circle user vs external mail being
> mail to silent circle user or silent circle user to smtp mail user).
> I said it before, but again: why not cancel external mail, and leave
> internal mail working - silent circle obviously have the tech for that
> because they have SMS equivalent in-mail. Good for you: users
> to continue to communicate will encourage the people they are
> communicating with to also pay for subscriptions. Maybe you could
> people to give each other gifts of 1month membership, which you hope
> extend themselves; or some referral system with a bonus free month to
> existing user etc.
> Now there might be some software legacy, but that seems straight
> enough. The crypto gap is purely the in and out mail. (Other
> software changes, but others have discussed how to combat that issue,
> some claim legal advice is that it's harder for the mil-int community
> legally force companies to change their software. (Hushmail saga
I believe that when one is on a team, the more senior one is on the team,
the more one has the responsibility to discuss the *team* decision even when
one's opinion was different. Actually, *especially* when one's personal decision
was different. Every decision has reasons for and reasons against. One's
job as a senior team member is to talk about the way one came to the decision
for, and not about the reasons against.
I just had a short conversation with Mike Janke about this issue and this
discussion, and with his leave I'm going to go against my normal beliefs.
Silent Circle is Mike's vision. He did physical security in a variety of
countries and saw that people who are expats from anywhere in anywhere else
have a lot of issues they have to face that are all secure communications.
Moreover, these people are told "no" all the time (don't use Skype, don't
use Gmail, don't trust SMS, don't use cell phones, landlines) and never "yes."
The initial vision of Silent Circle was to give those people a "yes." There
are (were) three pillars of that vision to give people yesses --
voice/video/etc., texting etc., and email etc.
When I wrote that the email was "something of a quandary," that means that
Mike was always for it and I was always against it. I see the other side
of it and believe that something that's email-like is essential. We have
an architecture for how we're going to grow texting into "messaging" and
that will be email-like with true end-to-end security for internal mail.
It is a ways off. There are lots of things to work on, from user experience
to syncing across devices -- each with real security.
In the meantime, what do the users do? We did a lot of talking to end users,
and what they want and need is more than just internal email. They need it
to be connected to the Internet. Part of the use case includes that someone
wants to send a subscriber a PDF of an insurance form, rental agreement,
or so on that the subscriber needs to print out, sign, scan, and send back.
A number of them said that what they really wanted as much as anything was
an email system run by people who give a damn about security as much as the
crypto itself. Whatever that means.
Mike was (and is) a happy customer of one of the existing secure email systems
for years, understood its limitations and thought that a useful system could
be made out of a conventional email infrastructure augmented by PGP Universal.
I was on the other side. PGP Universal is designed for a different use case,
a different threat model, blah, blah, blah. You've heard me say it, so I
won't repeat it.
When I rationally looked at the facts of the situation, Silent Mail's proposed
security was *different* than other secure email systems, but similar. If
someone uses it "securely" then it's very good, and when they use it
"conveniently" it isn't worse than any of the other convenience-minded secure
email systems. Moreover, and getting to the real brass tacks here, Mike's
the boss. It's his dream and his money funding it. As an interim system to
have, it isn't that bad.
Additionally, one of my bugaboos about security is something I call "security
arrogance." Security arrogance is when the security person tells the users
what their threat model should be. It's closely related to another thing
I talked about a decade ago that I called "the security cliff" -- you start
with no security and to get to security, you have to climb a cliff rather
than ascend a ramp in that you can't stop halfway up. I believe that one
of the ways we security people shoot our clients in the foot is to focus
on the ways that security is imperfect and thus argue that less-than-perfect
security is worse than no security.
Okay, fine. Hoist by my own petard. Silent Mail, ho!
I'll also add that other team members were, of course, spread all over the
essential quandary here from thinking it was wonderful to being conflicted
to thinking that Silent Mail was worse than nothing.
Development-wise, we had some plans to improve Silent Mail -- specifically,
one of the tasks was to make a network widget that would scrape offending
headers out of SMTP. However, note that we're a startup. Life is not a zero-sum
game, but development is. Every iota of effort that's spent propping up SMTP
is an iota that's not going to making its replacement. This ended up being
a different sort of quandary. The people who accepted Silent Mail warts and
all (or shock, horror liked it) like the idea of the new "messaging" system
even better. Thus, propping up SMTP didn't really have any champions, and
it's not like we have people sitting around doing nothing. We all considered
Silent Mail to be a stop-gap.
Let me fast-forward up to the day before we shut Silent Mail down. One of
the major requests that we had was to split the suite of products up. We
were working on precisely that. (And it should go live next week.) In fact,
we were *discussing* a breakup of the suite even before Silent Mail went
live, and we noted that it became a legacy product after being up for about
As there was more and more news about state-sponsored espionage (China, Countries
Starting With The Letter 'I', etc.), we got more "business" customers and
they were as a rule not interested in secure email that was not under the
direct control of their own IT. Post-Snowden, the people who thought, "It's
good enough" became fewer. The proportion of users who were using Silent
Mail was about 5% of the total.
Every account has a page where you set up your devices, and there's a link
to click to set up Silent Mail. Only people who clicked that link got set
up, and the 5% number is the people who set it up, so that's obviously an
upper bound of people using it.
We had been discussing shutting it down -- that 5% figure is either an argument
for why it just isn't succeeding as a product, or an argument why the people
who are using it understand it and its limitations. It was a discussion item
for our September BoD meeting. My plan was to suggest we stop taking new
orders and subscription renewals as part of the suite break-up, and then
just let it fade away. I was, in fact, lobbying hard for that. I believe
I would have prevailed at the board meeting, but of course I'd think that.
Your suggestion about making it be internal-only was something I'd be willing
to compromise on. However, remember that much of the whole *point* of Silent
Mail is that it's a well-run Internet Email System.
Now let's get to the day we shut it down. I had been at the VoIP conference,
ClueCon, in Chicago. As luck would have it, I finished up early and failed
to get standby on an early flight home. Others of us were scattered with
other travel. One of my major thoughts was what if there's paperwork on its
way, and that paperwork doesn't know I'm in an airport lounge? When I finally
got Mike on the phone, he said, "You did the right thing. I'm glad you're
my partner." Interestingly, the guys who work for me told me after that they
had decided that they would delete things themselves if things went on for
another couple hours.
I know this has been long, so let me sum up answers to your questions:
* Silent Mail was always a debate between perfect and good enough. It was
even a debate over what it means to be good enough.
* The people who thought it was good enough don't think like you and me,
and I think their point of view has its own validity.
* The people who wanted it wanted it to be an Internet Email System above
all. Even in the design of the new thing, it has to be connected to the Internet
so that someone on the Internet can send you an email. Pulling back to being
internal-only would not meet the goals of the people who wanted it.
* We're a startup. We only have so many resources, and no one was the champion
of making Silent Mail better. The people who thought it was good enough didn't
see the point in making it better, and the people who thought it wasn't good
enough didn't see the point either.
I hope this helps explain.
List-Id: The Cypherpunks Mailing List <cypherpunks.cpunks.org>