The Truth About Disroot
1. Disroot may be a criminal organization
Disroot offers a data retention policy that is illegal in the Netherlands.
On 9/18/19, attackers who identified themselves as connected with Disroot DDoS'ed Privacy-watchdog.io. They tried to use bullying and harassment to get us to take down this page. You can read more about it here. Disroot has not disavowed this attack. This illustrates that Disroot is run by people who engage in illegal cyberwarfare.
2. Disroot’s code and security architecture are below average
Disroot says their code is open source and that you can review it on Rainloop's GitHub account here. But Rainloop is an independent corporation, and Disroot is only one of many groups who use it. Rainloop is not marketed and not intended for security or privacy. Rainloop's website markets itself as "decent performance, simple installation". It's so simple it reportedly takes less than 10 minutes to set up; here's the guide. Or follow a 12-minute YouTube video. It's so simple that hundreds of clubs and groups use Rainloop. For example: local mom groups, cyberpunk sites, food stores, advertising agencies, hosting services, kids' clothes stores, tutorial sites, real estate services, and cloud computing retailers.
Disroot depends on Rainloop for its security and to provide updates. That's a problem because Rainloop has only worked 12 days in 2018 and 18 days in 2019. They have 739 open bugs, fixes and issues that are "Pending". Rainloop is not well maintained, it is not designed for privacy or security, and it has unfixed security issues. When you use Disroot, this is what you're getting.
Disroot says they offer built-in encrypted email; however, that's misleading. They provide TLS/SSL encryption. This is what everyone uses and it's average. You're using the same email security that everyone uses. All emails are saved as plain text on their server. They offer an add-on "option" to encrypt emails server side. But Disroot gets all of those emails in plain text, and you have to trust that they won't read them. Be careful trusting Disroot because the evidence suggests they are a criminal organization (more on that below). They also know your private key and password, so if they wanted to read your encrypted emails they could with ease.
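As an added illustration of the distinction drawn above (this is not code from the original page, from Disroot or from Rainloop), the following Python models three mailbox designs and asks the same question of each: can whoever holds the server's disk and the server's secrets read the message? The cipher and key derivation are stand-ins chosen so the example runs on the standard library alone: a toy HMAC keystream instead of AES, PBKDF2 with a fixed constructed salt, and a constructed sample message and password.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy keystream cipher (HMAC-SHA256 in counter mode) so this runs on the
# standard library alone; it stands in for AES and is not a production cipher.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)          # fresh nonce per message
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

MESSAGE = b"constructed sample message: call me on the other number"
SALT = b"constructed-fixed-salt"  # constructed; a real system stores a random salt per user

def server_can_read(stored: bytes, server_key: Optional[bytes]) -> bool:
    """Whether someone holding the server's disk plus its secrets recovers the message."""
    recovered = decrypt(server_key, stored) if server_key else stored
    return recovered == MESSAGE

def tls_only_mailbox() -> bool:
    # TLS protects the connection; once delivered, the message sits on disk as-is.
    return server_can_read(MESSAGE, None)

def server_side_encrypted_mailbox(password: str = "hunter2") -> bool:
    # The webmail backend derives the mailbox key from the password it just
    # received at login, so the same machine holds the ciphertext and the key.
    key = derive_key(password, SALT)
    return server_can_read(encrypt(key, MESSAGE), key)

def client_side_encrypted_mailbox(password: str = "hunter2") -> bool:
    # Key derivation and encryption happen on the user's device; the server
    # only ever stores ciphertext and never learns the password or the key.
    key = derive_key(password, SALT)
    return server_can_read(encrypt(key, MESSAGE), None)
```

The first two designs return True (the operator can read the mail) and only the third returns False, which is the point the paragraph makes: encryption performed by the party that also holds the key and the password protects nothing against that party.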
3. Disroot misrepresents their company and pays for biased reviews
The website leads a visitor to believe it is a volunteer-run community. However, Disroot contradicts this statement when they say they are actually a non-profit company. This is what most secure email services do to avoid taxes. Disroot’s claim of being a “volunteer-run organization” is just clever marketing. They are the same type of non-profit company everyone else is.
The Disroot NPO company earns revenue from donations and through Patreon (Archive). With their tax-free revenue they purchase good reviews (Archive) from Dan Albright, whose goal is to "make you (and your company) look great!". This would explain why his article is biased toward Disroot, calling it "The Best Private Encrypted Email". The reality is that Disroot's privacy and encryption are very mediocre at best. It's not a good sign when a company has to pay people to say good things about them.
Disroot also seems to have purchased a whole page of good reviews from a site called “Digdeeper” (Archive). Anyone reviewing Digdeeper can feel how biased it is towards promoting Disroot. Digdeeper also attempts to elevate Disroot by shitting on all the other email services, see for yourself. Digdeeper recommends two other webmail services called Riseup and Autistici. The majority of security & privacy experts will tell you to avoid those two sites, at all costs, because of their history with Law Enforcement.
4. Disroot has serious legal issues that affect their users
Disroot's users are also bound by Rainloop's Terms of Service. Rainloop is a US-based company with terms of service that could imply they send your data to US datacenters.
All user data is stored in the Netherlands. The Netherlands is inside the 14 Eyes, but what's worse is that Edward Snowden said the Dutch are the "Surveillance Kings of Europe". Dutch law requires companies to retain all users' personal data for 6 months. When you press "Delete" on an email, Disroot is legally required to keep a backup for 6 months. But that's only if you're lucky. That also means Disroot is legally required to record IP addresses for 6 months. In 2014 the European Court of Justice (ECJ) declared this data collection to be a violation of rights and said the law was invalid. But the ECJ is not a Dutch organization, and the Dutch government continues the data retention laws, stating they are required to "fight terror".
5. Disroot is a Law Enforcement “Honey Pot” or will be soon
There used to be a server that provided a similar service to Disroot and was set up for a criminal group's private use. The Dutch hijacked it (Archive) and recorded everything coming in and out. They also hijacked and ran the Hansa Market for a few months. Based on the history of Dutch law enforcement, I think Disroot is currently compromised by Dutch law enforcement. If they are not currently compromised, then they will be soon. Remember, CIA officials have said, "There's no such thing as intelligence sharing, there is only intelligence trading." And Disroot could provide massive amounts of data to "trade" if compromised, and it would be extremely easy to do.
Disroot offers a data retention policy that is illegal in the Netherlands. This gives Dutch law enforcement an easy way to hijack Disroot's whole email service. They do not need a court order to take over Disroot's services because Disroot is offering features that are illegal. And when Disroot is compromised, 100% of your data will be recorded by law enforcement because of their weak security architecture. At that point, it's only a matter of time before your plain text Disroot emails are stored right next to your Gmail emails within the massive Utah NSA data center.