CTemplar - Investigate this Icelandic-hosted, FOSS encrypted mail service?

[RanceJustice]

Hello everyone. On its surface, CTemplar seems like a great potential addition to PrivacyGuides list. In many ways it seems to be following the technical and policy setup of those like ProtonMail, but its Icelandic location - known for significant privacy laws and history of local courts NOT rubber-stamping requests from friendly nations - may make an even stronger case for its inclusion in the list.

I think it would be a good idea to investigate its features, certifications/audits, and policies to see if it will be a favorable inclusion. Barring misrepresentation of policies and/or political/legal changes in the country it certainly seems like it should qualify. I know one issue that may hold it back a bit is that free users still need an invite (pay service tiers can be accessed without one), but these are freely available by contacting the site's staff via email, on Reddit/forums, via social media etc. Shall we take a look at the particulars of this service?

Thanks!

[Mikaela]

It has been previously discussed in privacytools/privacytools.io#1642 and it also contains comments from the founder. Based on the last comments, they seem to have suffered unrecoverable data loss, I don't know whether that should be held against them as mistakes happen to everyone and they have likely learned from it.

[OneWhiteBird]

Yes! We are also planning on implementing seamless failover in the future.
Backups are also being tested for integrity.

Let us know if you have any other questions!

[dngray]

I can't think of anything else that needs answering. So I think we'll move this one to approved, as the last issue on the old Privacy Tools tracker, covered most things.

[OneWhiteBird]

Certainly! If you remember anything else, you're welcome to query me.

Thank you for your time!

[dngray]

I've put up an initial PR privacyguides/privacyguides.org#292 it would be good if we could get some dark looking logos of the 1st and last ones mentioned on https://ctemplar.com/media-kit/ for light pages.

I'm thinking you might just want to invert the text.

[OneWhiteBird]

Certainly! We will look into it and comment on the PR.

[Dyrimon]

From their reddit response:https://old.reddit.com/r/ctemplar/comments/oh3xj4/system_failure_issue/

We recently had a system failure and some of our customer's data were irrecoverably lost.

We truly apologize for that. We cannot restore data from backups because we do not keep backups for security reasons. We will be revisiting that policy in the future. We will be happy to process refunds for anyone regardless of when they created their account.

I'm not sure this provider is reliable if their policy is not keeping backups of the supposedly encrypted data for "security reasons". I've never heard of such an absurd policy.

[nourkagha]

Also opposed to the addition of CTemplar. Pretty amateur and unreliably run service, as is clear from all the signs including that privacytools/privacytools.io#1642 discussion. Has the founder's identity even been verified yet?

I don't really like the look of this page and it comes across as very pretentious and unprofessional. Still waiting on those supposed 'response' updates, but they probably forgot that it exists: https://ctemplar.com/zero-censorship-policy/

I think you need to have a certain level of quality, professionalism and integrity to be recommended on Privacy Guides. CTemplar does not inspire confidence.

[dngray]

Also opposed to the addition of CTemplar. Pretty amateur and unreliably run service, as is clear from all the signs including that privacytools/privacytools.io#1642 discussion. Has the founder's identity even been verified yet?

They have yes. I was also privately sent company documents (Articles of Association), Certificate of Incumbency, Memorandum of Association, and D&B (Dun & Bradstreet) global database reference.

Still waiting on those supposed 'response' updates, but they probably forgot that it exists: https://ctemplar.com/zero-censorship-policy/

I hadn't actually seen that.

My feel of them is they're a smaller company, which kinda makes sense as they incorporated in 2019, vs the other companies which have been in operation for almost a decade.

I think you need to have a certain level of quality, professionalism and integrity to be recommended on Privacy Guides. CTemplar does not inspire confidence.

I have observed in general their marketing has improved since they started. It is something we're still looking at.

[Godfry]

@Dyrimon
The reason we didn't keep backups in the past is so users could have complete control of their data. When a user presses "Delete" their data was deleted instantly and permanently. All other services keep backups of users data for at least a month or more. We feel this is a feature that some people wanted which is why we set things up this way. In the past, I recommended other email services to those who wanted an email service that keeps backups. We've recently made changes to this policy and we now keep backups.

@nourkagha
I've verified my identity as dngray outlined and you are welcome to see my picture on the about page also. We've also updated our transparency report to reflect the data loss incident. I once heard someone say "The only way to get 5 years experience is to work 5 years." When we started this company in 2018 we were inexperienced and had times of unreliability. Since then we've gained experience and improved reliability. There are other wonderful email services that have more years of experience than we do.

People’s civil liberties are under attack and I believe the secure email ecosystem is improved with more services for users to choose from. Let’s work together to encourage a healthy ecosystem.

[dngray]

No longer relevant privacyguides/privacyguides.org@25d0374