
Meet the Big Tech Critic Behind Hey, Basecamp's Radical New Email Platform (fastcompany.com) 42

David Heinemeier Hansson, the Basecamp cofounder and creator of the web application framework Ruby on Rails, has become increasingly outspoken about Big Tech's privacy violations and monopolistic tendencies. Now he's inviting you to join the cause -- by switching your email provider. From a report: Two years ago, he and fellow Basecamp cofounder and CEO Jason Fried decided to do something about it. The culmination of that work is a paid, $99-per-year email service called Hey, which launches today. Along with protecting users from the types of invasive surveillance tactics that have become de rigueur online, Hey also contains some radical ideas about the way that modern correspondence should work. Silicon Valley will be watching the product closely: Consumers like to say they value their privacy, but are they finally willing to pay for it?

[...] Most people haven't tried a new email service since Gmail launched 16 years ago, if not earlier. A handful of startups have played around with email interfaces in the years since, trying to make the experience cleaner and mobile-friendly, but no one has touched concepts as foundational as the inbox itself. Hansson and Fried argue that now is the time to do just that. They have made several radical changes to the inbox, the most glaring of which is that you, the email recipient, have control over who is allowed to appear there. That means you screen all first-time senders. They've also separated out what they call "The Feed" and the "Paper Trail," so that there are distinct places for emails like newsletters and shipping confirmation notices. Because The Feed requires opt-in confirmation, it's much more pleasant to browse than Gmail's cluttered Promotions tab. It's also more private: Hey strips incoming messages of the tracking tools known as spy pixels that have become common practice in many emails. (The service indicates any emails that originally had tracking capabilities by displaying a small binoculars icon next to them.)
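The spy-pixel stripping described in the summary, sketched as an added example (not Hey's code, which the page does not show): a sanitizer that drops remote images sized 0 or 1 px or hidden by inline style, and returns what it removed so a client could show a "was tracked" indicator. The heuristic, all function names and the sample hostnames are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Inline-style width/height of 0 or 1 px ("max-width" etc. are excluded).
_TINY_DIM = re.compile(
    r"(?<![\w-])(width|height)\s*:\s*[01](?:px)?\s*(?:!important\s*)?(?:;|$)", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_REMOTE = re.compile(r"(?:https?:)?//", re.I)

def _tiny(value):
    """True for a width/height attribute of "0", "1", "0px" or "1px"."""
    return bool(value) and re.fullmatch(r"[01](?:px)?", value.strip(), re.I) is not None

class PixelStripper(HTMLParser):
    """Re-emits an HTML body unchanged except for suspected tracking pixels."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []

    def _is_pixel(self, attrs):
        a = {k: (v or "") for k, v in attrs}
        if not _REMOTE.match(a.get("src", "").strip()):
            return False  # cid:/data: images are embedded and fetch nothing
        style = a.get("style", "")
        dims = {m.group(1).lower() for m in _TINY_DIM.finditer(style)}
        tiny_w = _tiny(a.get("width")) or "width" in dims
        tiny_h = _tiny(a.get("height")) or "height" in dims
        return (tiny_w and tiny_h) or bool(_HIDDEN.search(style))

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._is_pixel(attrs):
            self.removed.append(dict(attrs).get("src"))  # drop tag, keep a record
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<img ... />" is emitted or dropped once

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def strip_tracking_pixels(html):
    """Return (cleaned_html, removed_srcs); a non-empty list means 'was tracked'."""
    parser = PixelStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample message body; every hostname is made up.
SAMPLE = (
    '<html><body><p>Your order shipped &amp; is on its way.</p>'
    '<img src="https://cdn.shop.example/logo.png" width="120" height="40">'
    '<img src="https://track.mailer.example/o/abc123.gif" width="1" height="1">'
    '<img src="http://metrics.example/p.gif" style="width:1px;height:1px" />'
    '<img src="https://beacon.example/x.png" style="display:none">'
    '<img src="cid:signature" width="1" height="1">'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, removed = strip_tracking_pixels(SAMPLE)
    print(cleaned)
    print("tracked:", bool(removed), removed)
```

Size and visibility alone miss per-recipient URLs on full-size images, so a mail client that wants stronger protection also proxies or blocks remote images by default.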

  • What email needs is easy end-to-end encryption.

    At that point it doesn't matter who's your email hosting provider.

    Instead, he's claiming that a dumbed dow UI with his cloud service would somehow improve things.

    • by gl4ss ( 559668 )

      it'll end up needlessly complicated and end up having a wrapped browser sold as native apps and it will need 700 megs of ram to just check your email.

      because hey, it's basecamp.

      then they will publish a blog post about how they have a super cool hybrid client using hybrid technology (they code one menu bar in native and slap it on the client and somehow it will take 720 megs of memory after that).

    • by rho ( 6063 )

      End to end encryption is fine, except it has to be decrypted at some point. And wherever that is, you now no longer control the encryption. If you CC somebody on an encrypted email, that person can forward the email unencrypted to whomever he wants, and you can't control that.

      Email was never designed to be a secure transport. That's why it's so popular. That, and the fact that it's distributed, or supposed to be.

    • I'm not all that concerned about end-to-end encryption, especially since as long as you have access to SMTP, you can easily incorporate encryption into your mail client.

      So where can I get a fully compliant mail box for *my* domain, without having to go the VPS route and manage it myself? Hey.com isn't starting there, instead they're reinventing the UI? Useless. It's basically vendor lock-in for the one part of the experience that's supposed to be the most flexible (email is founded on the idea of servers m

    • he's claiming that a dumbed dow[sic] UI with his cloud service would somehow improve things.

      No, he's claiming that a dumbed down UI with his cloud service and as many people as possible giving him $99/year would somehow improve things.

      And I'm sure he's right — his lot would improve considerably.

      If he wanted to improve our lot, this would be an open source, locally hosted (on your computer and/or phone), email client. It isn't — so it's perfectly clear who the beneficiary of this is intended to b

  • Fastmail (Score:4, Informative)

    by thatkid_2002 ( 1529917 ) on Monday June 15, 2020 @07:49PM (#60187520)
    Fastmail. The product already exists, and it's better.
    • Re:Fastmail (Score:4, Insightful)

      by theskipper ( 461997 ) on Monday June 15, 2020 @09:57PM (#60187862)

      And from the faq it's strictly for starting from scratch, no custom domains or importing. So for folks who need to point their mx records it's a complete non-starter. Personally I've been looking to switch to another paid provider with my domain, was really surprised to get stopped cold like this. Which is a shame because the Tour Features looked pretty cool.

      Bold move for them to try to gain inertia from zero, but we saw gmail do ok with this model back then. Maybe they'll do the same, wishing them luck.

      • by jwdb ( 526327 )

        And from the faq it's strictly for starting from scratch, no custom domains or importing. So for folks who need to point their mx records it's a complete non-starter. Personally I've been looking to switch to another paid provider with my domain, was really surprised to get stopped cold like this. Which is a shame because the Tour Features looked pretty cool.

        Well, to be fair it says "Not yet, but eventually...", so they're aware that people will want their own domains and appear to be working on it.

  • If we're concerned with privacy & security, email is basically useless. It was designed for sharing openly with everyone. Anyone can forward to anyone, messages get appended to messages & forwarded, ad infinitum. Even if 90% of people used a "private," i.e. paid for in $s, email service, the other 10% would still be able to hoover up most people's data. We need to think more in terms of distributed e2ee messaging services that are digitally signed to verify that the sender is who they appear to be,
    • by znrt ( 2424692 )

      If we're concerned with privacy & security, email is basically useless. It was designed for sharing openly with everyone.

      yeah, those were lovely naive times.

      Anyone can forward to anyone,

      user problem.

      messages get appended to messages & forwarded, ad infinitum.

      that's not a problem with email design, but with moronic 'top post' or 'conversation' client fad crap. people are just not educated on how to use email properly. guess what happens if you give assault rifles to monkeys!

      Even if 90% of people used a "private," i.e. paid for in $s

      i use €, you insensitive clod!

      the other 10% would still be able to hoover up most people's data.

      user problem

      We need to think more in terms of distributed e2ee messaging services that are digitally signed to verify that the sender is who they appear to be, the message is the one they sent, & nobody other than the recipient(s) can read it. I wonder what that'd look like?

      i agree but that's half of the story. doesn't prevent spam nor tracking. an uneducated user will end up contemplating signed and unsigned email all the same. sure, you can trust something like signal

      • sure, you can trust something like signal to handle keys transparently (i've not used nor thoroughly studied signal, it looks good) but ... 1) it's not really going to work if users don't really understand the difference and 2) how long do you expect to trust signal not being backdoored if it becomes mainstream?

        That and Signal messaging still relies on centralized servers. Although you can create your own private Signal network, federation of servers is not currently possible, nor planned https://signal.org/blog/the-ec... [signal.org] . There may be good pragmatic reasons for that (as outlined in the blog), but as crippling as it may be, I think an open protocol standard and decentralized server infrastructure is a sine qua non for an e-mail successor.

    • by gweihir ( 88907 )

      If we're concerned with privacy & security, email is basically useless.

      No. But, as always, security and privacy are not free today. Use PGP/GnuPG and use a sane email client (in particular _not_ a web-browser!) and you have both security and privacy. The one thing an observer still gets is who communicates with whom. If you are concerned about that, use something like Tor-mail.

      That said, basically all "alternatives" are worse.

  • ... I need to have a privacy-busting Microsoft account in order to download the Hey Windows desktop app from the Microsoft store.
  • I can't see me splurging on this. Gmail is already good enough.

    • They did a beta signup thing, and I signed up, and I never got any message. Not even an acknowledgement that I signed up.

      I can't imagine giving these people money to manage communications anything, I mean, seriously.

      There is a big gap between selling "opinionated programming" to web app startups and selling end user communication services. One you've rejected the concept of caring what people think, the other you absolutely have to convince people that you listen and respond.

  • by Akardam ( 186995 ) on Monday June 15, 2020 @08:47PM (#60187696)

    Then you'll have the option to have as much control over your inbox as you want, without having to rely on anybody else.

    • by Bradmont ( 513167 ) on Monday June 15, 2020 @08:52PM (#60187718) Homepage

      Except that getting dkim, spf, dmarc, etc, all set up is rather a pain in the butt, and even when you get it right there are several major email providers that will still mark you as spam just for being a small operation.

      • I found that PGP signing messages had an interesting side effect. When sending to Gmail accounts there is a non-negligible delay on receiving the messages, almost like they are actually doing a verification.

        I run my own domain and email, have certs, spf, dkim, dmarc, everything, and still get labeled because none of that seems to mean ANYTHING, reputation is not part of any commercial email scoring.

        OTOH, I run spamassassin, which checks for all of these, and I'd say it flags 98% of SPAM accurately, has a f

        • by AmiMoJo ( 196126 )

          It's because encrypted mail looks a lot like spam with a load of junk text that is supposed to throw off filters, or Base64 encoded images in the HTML. At best it gets flagged up for some extra checks and rate limiting from that server, at worst it goes straight into the junk folder.

          I have to whitelist people who send encrypted email from Gmail itself (via Thunderbird) just to make sure it gets to my inbox.

      • If you find it a pain in the butt to setup, fine, then it's your choice not to do it. But, then, don't complain that you've ceded or failed to retain/reclaim control over your e-mail.

        For those that choose to run their own e-mail server, the control outweighs any heartburn for setting things up. Plus, I rather suspect lots of folk will learn a thing or two in the process, and be better off for it.

        Perhaps you'd care to back up your claim about major e-mail providers by putting your money where your mouth is,

  • by holophrastic ( 221104 ) on Monday June 15, 2020 @09:04PM (#60187740)

    Oh wait, been doing it for thirty years. And for free too. And with the snappiness of a local application.

    Truly, I don't see the problem to be solved. I get over 400 e-mails a day. Over 375 are spam. I spend less than 1 minute deleting spam each day. There's a delete key right on the keyboard. Sorting by from: and sorting by subject: means that identifying spam can be done at about 17 messages per second. Yes, I've calculated the averages. General mail filters on friends and clients and alerts just based on from: alone mean that I can delay looking through the spam of days at a time.

    I don't need a seven-in-one tool to make hammering nails easier. I just need some practice/training/experience using a normal hammer. Simple tools, that work simply, and can be mastered. Not mysterious magic wands that do or don't work with false positives and false negatives and hopes and prayers.

    Thank you.

    • It does get harder as you head up to 4,000 spam emails per day though. Especially if you are offline camping for a few days and come back to a mess.
      • Sure. But at that volume, so does the double-check for the false-positives. I'm a small business, I can't afford to miss a client e-mail and say "well, my e-mail thought you were spam".

      • by gweihir ( 88907 )

        It does get harder as you head up to 4,000 spam emails per day though. Especially if you are offline camping for a few days and come back to a mess.

        Not that much. Last time I disabled greylisting, DNS-RBL and Spamassassin on my own mail servers, I got about 800 spam messages a day (that was in 2015 or so). With greylisting, DNS-RBL, Spamassassin (with some custom scores and whitelistings), I have something like 5-10 a day at the moment and they are all easily identified.

    • Not sure if you have already enabled it, but telling postfix to drop "unknown" IP senders reduces spam enormously. I've added all sorts of other rules like no mail from dynamic IP addresses etc. I get maybe 2 or 3 spams a day now.
      • Over the decades, grey-listing by far worked the best, but I couldn't delay new contacts like that.

        SPF checking has more recently been quite successful, but I still need to check -- random people have random e-mail problems. Their e-mail is worth thousands of dollars to me, and pennies to them. So I won't bet my livelihood on anything even semi-automatic.

        But really, it's 2020. I've been happily using e-mail for work and family and friends for thirty-five years. If there were problems with it, I wouldn'

  • Seems pricey (Score:4, Insightful)

    by stabiesoft ( 733417 ) on Monday June 15, 2020 @11:10PM (#60188032) Homepage
    I pay 10/mo for a server and I think they have a 5/mo plan. I also get to run a web server as a bonus. Domain registration adds a tiny amount to the total. I've run my own server for decades now.
    • by gweihir ( 88907 )

      Same here. I add a real secondary for email and DNS, so about $20/month. Gives me some nice off-site storage in addition and a web-server. That set-up has worked nicely for about 10 years and I will continue to do this.

  • by nadass ( 3963991 ) on Tuesday June 16, 2020 @01:47AM (#60188332)
    The marketing spin is buzzy and jazzy, but its utility is the exact same as all of the other email providers (for a price). Due to the infrastructure constructs of e-mail, everything else is just lipstick on a pig. Filtering incoming messages is not "radical" -- there's an experiment on Gmail called "Multiple Inbox" (it's a customizable view and i've used it for a decade). Stripping email content is not "radical" -- browser plug-ins have been doing this for decades (it's managed by "third-party images and ads servers").

    They're just another paid email provider in an otherwise crowded market. This PR push is standard practice meant to gain traction, and EVERY UX tweak can be accomplished using add-ons and labs and customizing views and [...]. There's nothing fundamentally different with this player -- except for the name, "hey.com" seems easy to use but it's been a domain for spam for a while, and the spam is inevitable (and those third-party spam filtering platforms also already exist).
    • by dfghjk ( 711126 )

      That would certainly be true if you ignore the things they provide that are not the "exact same as all the other email providers", things like adding your own entries in email streams, adding sticky notes to particular emails and changing the subjects of emails, to name a few that come to mind. Did you notice any of this?

      Not advocating for or against, just pointing out that your take on it is shallow and inaccurate.

      • by nadass ( 3963991 )
        The features you speak of have been commercially available since the mid-1990's (albeit with different marketing terms). "Adding your own entries" is akin to selecting which email to reply to (and have the index of messages properly maintain the threaded stream), "adding sticky notes"... ever heard of Lotus Notes? And "changing the subjects of emails" was literally available since the days of CLI email clients.

        But, sure, just because Gmail doesn't offer these features (lest it's an authorized lab experi
  • by jandoe ( 6400032 ) on Tuesday June 16, 2020 @03:52AM (#60188456)

    I had a look at the presentation and it's actually an interesting, modern take on email. The workflows are more similar to what we're used to seeing on the web today like infinite scrolls and personal pages. With mobile and desktop app for Linux (probably electron but still) it could be a nice option. Still, I'm not sure if anyone actually cares at this point. Personally, I only have to deal with emails at work. My private email is 99% notifications from online stores and login confirmations. I no longer use it to communicate with people. And when I see other people's phones they usually have 100 pending notifications from facebook, instagram, twitter and gmail so I'm not sure they will pay $99 to help them organize their inbox. Maybe it will be useful for some people using private emails for business but I don't see everyone ditching their tested labels and folders and switching to a new paid service.

    • by dfghjk ( 711126 )

      Agree completely.

    • Hate email but love that it is better than snail mail. Snailmail continues to have a place in handwritten correspondence, fingerprint ID, wet signature and original docs. Unified standard communications platform will emerge but Hey! it isn't.

      Email is one insight, unification and standardization away from obsolescence. There will arise such an event. Email as we know it, will dissolve into history subsumed by an innovative platform unlike .apps on cell phones, modular and OS level communications will flo

  • first of all there is no mention of how to submit a security problem...

    secondly they have a security problem in that they allow Client-initiated renegotiation on mx.app.hey.com

    Allowing sending mail servers to initiate renegotiation is generally not necessary and opens a receiving mail server to DoS attacks inside a TLS connection. An attacker can perform similar DoS-attacks without client-initiated renegotiation by opening many parallel TLS connections, but these are easier to detect and defend against usin

  • I laughed when I read this: "Consumers like to say they value their privacy, but are they finally willing to pay for it?"
    Are those the same consumers who can't regurgitate all the details of their life and their information fast enough to Google, Facebook, and basically anyone who asks for it?

    Just this week I had a friend send me a pic of a dumbbell set he bought online... a $700+ set (5-50 lb w/rack) for $98. But it would take 6-8 weeks for delivery. I went to the link, backed out the main page, and it