A quick look at HEY Email - Policy & Pricing

As I was browsing my feed, procrastinating from writing a post for this evening, I stumbled across this Toot from Chris, which mentioned the new HEY email service from Basecamp.

I was certainly intrigued by their features like 'The Screener', 'Focus & Reply' and other little things like renaming the email subject and merging threads together.

You can read more about the features and how it works here: https://hey.com/how-it-works/

It's a paid service at $99/year, but they offer a 14-day trial without requiring a card (the way trials should be!). If I hadn't already chosen my new service for my emails, it sounded like something I'd like to try. I headed over to their pricing page for a little more of a breakdown. On it they give a nice, simple list of what you do and don't get.

No ads, no tracking, no selling your data and no peeking. I should hope not; you're not Gmail offering a "free" service. The bit I was paying attention to, though, was the "No peeking" item, which says their database is encrypted so they can't see your emails. Well, that should be standard these days (ProtonMail/Tutanota).

Over we go to the Security overview to see what's on offer.

Encryption at-rest, at-work, and in-transit, but not end-to-end

OK, no E2E encryption. I'm not exactly Edward Snowden but that's a shame. After a couple of minutes, I realised this wasn't the same page I was reading on my phone. There are two separate "Security" pages. The "Security" at the bottom of the page and the "Security Policy" which is under "Privacy & Policies".

Now this is the bit that I read on my phone:

Within our firewalled private networks, data may be transferred unencrypted.

So, there is a chance that all of my data could be flying around your network, totally naked?

Our application databases are generally not encrypted at rest

Ooooook. This is sounding a little less secure.

Our database backups are encrypted using GPG.

Right, so this is where the "No Peeking by HEY - Our databases are encrypted" selling point from the pricing page comes into play then. At least the backups are encrypted, but otherwise, it isn't.
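To make the distinction concrete, here is a small check I'd run against my own backups: it looks at whether a file actually starts with an OpenPGP encrypted-session-key packet (what gpg writes when you encrypt to a key or with a passphrase) and measures byte entropy to spot a plaintext database dump. This is an added example of mine, not code from HEY or Basecamp; the sample "backup" and "live database" bytes are constructed in the script, and the packet-tag layout comes from RFC 4880.

```python
"""Added example: distinguish a GPG-encrypted backup from a plaintext database dump.
Not HEY/Basecamp code; sample inputs below are constructed for the demo."""
import math
import random

# OpenPGP packet tags (RFC 4880, section 4.3) that begin an encrypted message.
PKESK = 1   # Public-Key Encrypted Session Key: first packet of `gpg --encrypt -r`
SKESK = 3   # Symmetric-Key Encrypted Session Key: first packet of `gpg --symmetric`
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
ENTROPY_THRESHOLD = 6.0  # bits/byte; ciphertext sits near 8, SQL text well below 6


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def openpgp_tag(first_byte: int):
    """Decode the packet tag from the first header octet (RFC 4880, section 4.2).
    Bit 7 must be set. Bit 6 set means a new-format header (tag in bits 5..0);
    clear means an old-format header (tag in bits 5..2). None if not a header."""
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F


def classify(data: bytes) -> dict:
    """Classify a file body as armored OpenPGP, binary OpenPGP ciphertext,
    plaintext-like, or high-entropy-but-unrecognised (e.g. compressed).
    The tag check alone is a heuristic (any byte >= 0x80 parses as a tag),
    so binary ciphertext must also show high entropy to be accepted."""
    ent = shannon_entropy(data)
    if data.startswith(ARMOR_HEADER):
        return {"kind": "openpgp-armored", "tag": None, "entropy": ent}
    tag = openpgp_tag(data[0]) if data else None
    if tag in (PKESK, SKESK) and ent >= ENTROPY_THRESHOLD:
        return {"kind": "openpgp-encrypted", "tag": tag, "entropy": ent}
    if ent < ENTROPY_THRESHOLD:
        return {"kind": "plaintext-like", "tag": None, "entropy": ent}
    return {"kind": "high-entropy-unknown", "tag": None, "entropy": ent}


# --- constructed samples (deterministic, so the demo is repeatable) ---
_rng = random.Random(20200616)
_noise = bytes(_rng.getrandbits(8) for _ in range(4093))

# 0x85 = old-format header, tag 1 (PKESK), two-octet length; body is random filler.
BACKUP_PUBKEY = bytes([0x85, 0x01, 0x0C]) + _noise
# 0x8C = old-format header, tag 3 (SKESK), one-octet length; body is random filler.
BACKUP_SYMMETRIC = bytes([0x8C, 0x0D, 0x04]) + _noise
ARMORED_BACKUP = ARMOR_HEADER + b"\n\n" + _noise
# A made-up "live database" dump: exactly what an unencrypted-at-rest DB looks like.
LIVE_DB_DUMP = b"".join(
    b"INSERT INTO messages (id, sender, subject) VALUES "
    b"(%d, 'user%d@example.com', 'Re: invoice');\n" % (i, i) for i in range(60)
)


def audit(samples: dict) -> dict:
    """Run classify() over a name -> bytes mapping; returns name -> classification."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in audit({
        "backup.sql.gpg (pubkey)": BACKUP_PUBKEY,
        "backup.sql.gpg (passphrase)": BACKUP_SYMMETRIC,
        "backup.sql.asc": ARMORED_BACKUP,
        "live app database": LIVE_DB_DUMP,
    }).items():
        print(f"{name:30} {result['kind']:24} tag={result['tag']} "
              f"entropy={result['entropy']:.2f}")
```

The entropy test on its own cannot tell compression from encryption (a gzip'd dump also scores near 8 bits/byte), which is why the packet-header check is there: a backup that is genuinely "encrypted using GPG" starts with a tag 1 or tag 3 packet (or the armor banner), while a live database sitting on disk unencrypted, as the policy describes, classifies as plaintext-like.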

Personally, this was enough for me to shake my head and NOPE outta there.

Over on their general Security page, they do freely admit that this is not the product for someone transmitting emails that could have serious consequences and that they are taking a different approach. This is an attempt at improving services available to the general end user, and that's a good thing. However, I doubt you'll ever turn the general user away from Outlook/Gmail/Whatever.

What truly made me scratch my head however, was this next bit.

They claim to encrypt at-rest, at-work, and in-transit, just like their quick overview states. But hold on a minute, didn't I just read on your Security Policy that data within your network may be transferred unencrypted, and that your live application databases "generally" aren't encrypted and only your backups are? I'm seeing a little contradiction here in the statements across these two pages.

While they are not hiding anything at all and all of this is available on their site, I'm getting very mixed messages for a product that costs more than ProtonMail's Professional tier and far more than Tutanota.

Hopefully I've misunderstood something here with my tired, end-of-work-day eyes, and this is absolutely not supposed to be a witch hunt or derogatory of any work that this team (who are probably far more intelligent than me) have put into this product. But I really think they need to make this clearer to the end user from the get-go, and not have one of their selling points on the pricing page claim it's all encrypted when that's not technically the truth.

I haven't taken a look at any of their applications yet but I'm going to assume Electron, like everything else on the planet at the minute. I also haven't glanced at their Privacy policy yet. Hopefully there aren't any more mixed messages.

They've got some fantastic features going on and I really hope something good comes of it. But as they admit, maybe this isn't the service for everyone. Good luck Basecamp & HEY.
