Research and Development

Recently, there has been a lot of media buzz about Mailpile, a new startup which has raised over $100,000 on IndieGoGo for its eponymous locally hosted web mail project. Having been present at the talk at which this project was officially launched at OHM 2013, I was surprised to see the media’s reaction to the project. Mailpile appears to have garnered almost universal acclaim for its security features, and praised for its goal of “Rescuing email from the cloud” (the name of the presentation given at OHM 2013, slides can be found here). I diagree with the media’s praise for this project, and here’s why…

In their presentation, the Mailpile developers stated the concerns with cloud email to be:

  • The centralisation of email storage, making mass surveillance trivial
  • Poor spam filtering
  • Lack of innovation with regards to F/OSS solutions
  • Mass encryption is a “distant dream”
  • Proprietary lock-in
  • Risk of EEE tactics (Embrace, Extend, and Extinguish)
  • Spam filters being used for censorship
  • Incompatibility with encryption

I happen to agree with each of these issues (perhaps excepting spam). However, in the wake of PRISM, maybe we should even expand this problem space. Metadata is a big deal: It reveals (in a best case scenario) who you’ve been talking to and when, how long your messages are, and if you include attachments. Why can’t we protect this data too? Granted, this would require a somewhat more radical solution,  but I don’t see why this is a problem that couldn’t be solved. Still, it’s not fair to judge Mailpile on the basis of problems it doesn’t aim to solve, so I’ll discount this for the rest of my post.

What Mailpile propose is yet another mail user agent. Mailpile’s killer feature in the presentation appeared to be the search functionality, returning genuinely impressive search results in mere milliseconds. Beyond this, the interface was vaguely reminiscent of GMail, though obviously still in a very early stage of development. So, a nice interface, but it still doesn’t seem to address what I believe is the key issue surrounding web mail: Centralisation. From a pragmatic standpoint, no matter how simple it is to employ GPG, the standard user will not opt for it. Therefore, in my mind, the easiest way to raise the barrier to mass surveillance (the hot button topic right now) is to decentralise the storage of email, something which Mailpile fails to address.

Let’s take each of the problem bullet points, and see if Mailpile offers a solution. Mailpile at least partly addresses the following:

  • Lack of innovation with regards to FOSS solutions – Does Mailpile count as innovation? That’s a matter of opinion
  • Proprietary lock-in – Mailpile somewhat addresses this. If one interface supports multiple back-ends, users will find it easier to move between them
  • Risk of EEE tactics (Embrace, Extend, and Extinguish) – Mailpile partly addresses this, much for the same reasons as above
  • Incompatibility with encryption – Mailpile solves this problem! A locally hosted client is ideal as a solution for this problem

So, out of 8 issues identified with cloud email, Mailpile fully solves 1, and partly addresses 3. What of the other 4?

  • The centralisation of email storage, making mass surveillance trivial
  • Poor spam filtering
  • Mass encryption is a “distant dream”
  • Spam filters being used for censorship

All of these, excepting mass encryption, are really server side problems. Mailpile couldn’t hope to solve these. So, what would? Spam filtering seems to be already solved – numerous crowd-sourcing solutions exist, and in my mind this is the right way to go about solving this problem. The decentralisation of email storage just relies on more people running mail servers, and not relying on one of the big cloud providers.

The relative complexity of installing, configuring and maintaining an email server puts many off – this is what web mail really offers the average user. In my mind, the solution lies in a mail server that’s simple to deploy and maintain. Decentralising the infrastructure is what will negate the majority of the evils of web mail, not another web mail client, no matter how timely the marketing is.

On Mailpile’s own web page, they have quotes from articles on their product. These come from Wired, TechCrunch, Boing Boing, and Crowdfund Insider. These large publications should have done their homework before praising Mailpile’s security, as it does not appear to address the problems it aims to solve. It is my belief that the majority of Mailpile’s funding has come off of the back of such positive press, some of which is completely unwarranted.  It’s nice to see a positive reaction to a product with the aim of improving security and privacy for end users, but next time can we actually make sure it delivers on these goals first?


Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)