I’d need some help reviewing the service Disroot (ToS;DR Phoenix).
Disroot.org is a company providing multiple services, such as email, cloud and messaging (open source and licensed under GPLv3).
According to their privacy policy, they don’t use personal data for advertising or marketing and don’t share it with advertisers or other third parties unrelated to the service.
They seem quite privacy-focused, and yet there is something ambiguous I wanted your opinion about.
Should there be a point linked to the case “Private messages can be read” for this service?
Their email service doesn’t use E2EE, so they would have the technical means to access the content of messages.
“All emails, unless encrypted by the user (with GnuPG/PGP, for example) are stored unencrypted on our servers” - Mail.disroot.org
However, as far as I know their agreements do not mention collecting the content of any private communication.
Moreover, other parts of the service do use end-to-end encryption, which makes it even harder to decide whether or not to apply the case mentioned above:
“All files uploaded to the server are end-to-end encrypted which means no one with access to the server can decrypt/read the data” - Upload.disroot.org
“All files sent to the cloud are encrypted with a key-pair created based on the user password to add an extra level of security. Note, however, that the keys are stored on the server, which compromises the level of security to some degree (e.g. if an attacker knows your password and obtains the encryption key-pair, they can decrypt the data). However, no “Master Key” exists on our setup, which means the Admins cannot decrypt any file stored on the cloud without knowing the user’s password beforehand” - Cloud.disroot.org
Currently, if the pending points get approved, Disroot would have an A rating, although this could drop to D due to the blocker nature of the case.
What are your thoughts?
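To make the cloud quote concrete, here is an added model (my own illustration, not Disroot’s or Nextcloud’s code) of the design it describes: a per-user key wrapped under a password-derived key and stored on the server, per-file keys wrapped under the user key, and no master key anywhere. The key pair is modelled as a single random symmetric user key, the cipher is a toy HMAC-SHA256 keystream with an HMAC tag (stdlib only; a real deployment would use AES-GCM or similar), and the password, file contents and function names are all made up for the demo. It shows both halves of the quote: whoever holds the server’s stored records but not the password gets nothing, while anyone who has the password plus those records decrypts everything.

```python
"""Model of password-wrapped per-user keys with no master key (illustration only)."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; stands in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key is rejected, not silently garbled."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def password_key(password: str, salt: bytes) -> bytes:
    """Derive the wrapping key from the user's password (scrypt, 16 MiB work factor)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll(password: str) -> dict:
    """What the server stores per user: a salt and the password-wrapped user key only."""
    salt = os.urandom(16)
    user_key = secrets.token_bytes(32)  # stands in for the user's private key
    return {"salt": salt, "wrapped_user_key": seal(password_key(password, salt), user_key)}


def _unlock_user_key(record: dict, password: str) -> bytes:
    return unseal(password_key(password, record["salt"]), record["wrapped_user_key"])


def upload(record: dict, password: str, data: bytes) -> dict:
    """Encrypt a file under a fresh per-file key, wrapped under the user key."""
    user_key = _unlock_user_key(record, password)
    file_key = secrets.token_bytes(32)
    return {"wrapped_file_key": seal(user_key, file_key), "ciphertext": seal(file_key, data)}


def download(record: dict, password: str, stored: dict) -> bytes:
    """Password -> user key -> file key -> plaintext. Every step needs the previous one."""
    user_key = _unlock_user_key(record, password)
    file_key = unseal(user_key, stored["wrapped_file_key"])
    return unseal(file_key, stored["ciphertext"])


def admin_without_password_can_read(record: dict, stored: dict) -> bool:
    """An admin holding every byte on disk but no password has no key to unwrap with."""
    try:
        download(record, "", stored)  # the only thing on disk is wrapped material
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values, not real accounts or files.
    rec = enroll("hunter2-but-longer")
    stored = upload(rec, "hunter2-but-longer", b"constructed file contents")
    print(download(rec, "hunter2-but-longer", stored))       # b'constructed file contents'
    print(admin_without_password_can_read(rec, stored))      # False
    print(download(rec, "hunter2-but-longer", stored) is not None)  # attacker with password: True
```

The caveat the quote hints at is visible in the model: the server performs the unwrapping, so at login time it necessarily receives the password (or the unwrapped key) and could retain it, which is exactly the “if an attacker knows your password” case. That is why this design is server-side encryption at rest rather than end-to-end encryption in the sense of the Upload.disroot.org quote.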