DEV Community

Discussion on: Hi, I’m Christine and I started contributing to Debian when I was 15. Now I’m the CTO of Nylas, ask me anything!

Jim Dennis

Christine,

What can you and your colleagues, at Nylas and throughout the industry, do to reassure customers and the public at large regarding their privacy and the confidentiality of the data which is entrusted to your applications and your server infrastructure ... including the threats posed by state-level actors? How do you address encryption in-flight and at-rest and what can be done about improved key management? What would you see as the ideal progress in these issues for the industry and the whole Internet?

Christine Spang

Are there specific angles you are interested in? This is a really broad topic and it's tough to answer comprehensively.

We follow industry best practices for managing our infrastructure, including relevant compliance certifications and regular pen-testing, and have in-house security expertise. We support and are compliant with EU-GDPR. Of course, there are lots of unsolved problems in security and best practices alone won't guarantee that you will never face a data breach, but it's the place to start. All data is encrypted to and from our servers unless your email server doesn't support TLS, and we disallow the use of deprecated, insecure TLS versions for all connections to our API. All of the messages that we sync are stored encrypted at rest.

I am not a key management expert and would have to check with my team on their thoughts about the future there.

With regard to state-level actors, we comply with the relevant data request laws the same way the providers of the email accounts we integrate with do, though if we thought a request we received was unethical we would consider refusing.

Email is fundamentally insecure in its current form, and if you're seriously concerned about state-level actors, I recommend you use Signal for your private messaging needs. It doesn't support all of the features of email, but it's very secure.

That said, I'm also cognizant of the part Nylas is playing in the evolving ecosystem of apps that integrate with email, and the issues surrounding platforms enabling access to sensitive data. Right now, most email systems have all-or-nothing controls for apps that need access to your email, and in some cases do not even support revokable access tokens for apps. I see finer-grained access controls as essential to being able to scale a platform surrounding email. That means being able to grant limited access---read-only, for example, or to be able to access only emails in a specific folder. We're not there yet, but we want to push email forward in this way, because people want tools to be able to connect to their email and they're here to stay.

I think that trust is a fundamental part of human society and I don't believe in the techno-utopian viewpoint that we can create institutions that don't require trusting anyone. Whatever solutions we come up with will be part technology, part laws and regulations with consequences.