keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.
902 stars 37 forks source link

Project status? #4147

Open dee-kryvenko opened 2 years ago

dee-kryvenko commented 2 years ago

There hasn't been much communication ever since Zoom bought the project. It's been two years.

I am looking for a messenger that is not selling my data. I really like Keybase but the total silence and the lack of understanding of the project sustainability goals is rather concerning.

Keybase currently offers 250Gb of storage for free. Last reports I have read mentioned 450k active users. That's 112Pb of data. That's $2.5m a month in something like S3. Just for the storage cost, not even counting any other infra. Dunno what Keybase is using but it surely isn't free and unlikely to be much cheaper than AWS. There are no paid plans, no donation button. Where does the money come from? If I can't understand how I am paying for the product - it is likely I am the product, right?

I'd really appreciate any clarification from the team. Really love the app and the core idea. Great job. But I can't trust you without these answers. I'm sure I am not alone.

GwynethLlewelyn commented 1 year ago

There are few answers to your question, and none of them official.

  1. While Keybase was a privately-held company, they often stated that most of their money came from venture capital funding. This is not unusual: VC investors are fine with 'burning' money in the short term if they can expect some payoff in the future. This did, indeed, happen when Zoom bought Keybase. The VC investors most certainly bagged more than their investment, with all interest, and a hefty profit.
  2. Zoom bought Keybase because they had been under attack by the media, who correctly identified that Zoom's 'privacy' measures for what was being offered as a business-grade service were, at best, laughable (but in most cases inexistent, deficiently implemented, or pure wishful thinking). Due to the popularity and 'instant success' of Zoom during the lockdown, they got much more attention from the media than ever before, to the point where their corporate customers might have started asking annoying questions which Zoom was unable to answer. Their solution was to grab a company with a top-of-the-line robust encryption technology, and do it quickly, getting the developers of that company to implement all the security of Zoom's platform ASAP. There were not many field-proven solutions out there that were available to be bought (WhatsApp and Signal being unavailable). Keybase was the obvious choice. Now whatever expenses they might have will come from the overall budget of Zoom. It's not unthinkable to believe that Keybase's infrastructure is now running on top of Zoom's own — thus sharing the same platform and reducing the operating costs.
  3. While your calculations are correct, they assume that everybody is using all the storage they have access to — which is rarely (if ever) the case. The more you give for free, the smaller the number of people will be that (statistically speaking) use all their storage space. As such, I'd think that most of those 450k users will just use a fraction of their space — perhaps not much more than, say, 10% (on average, that is). Which would mean that using AWS (which they claim to be using) would cost closer to US$ 2.5m a year. Keybase had secured 10m on their first round, which would give them a few years' time without any other business model (including, of course, the salaries of the 25 people working at Keybase); I haven't been able to track down any further sources of funding, but that doesn't mean there weren't any: after all, private companies, as opposed to publicly traded ones, are not required to publicly list their sources of funding; and, if they do, it's only rarely that these have been independently audited. Zoom, of course, as part of their due diligence, will know exactly how much Keybase was burning every month and how much they have secured in funding; but they're not really required to disclose how much they paid for it or how they intend to leverage Keybase's products and technologies into their own offerings.
  4. While Keybase certainly has access to some of your data, and might potentially sell it without your knowledge, that would be a gross violation of their own Privacy Policy, and you could sue them (and their owners, Zoom) for making such blatantly false claims. It is therefore reasonable to assume that Keybase is not really storing much data (beyond what they need to provide services), except perhaps for the names of teams and a large collection of profile pictures. Such information is pseudonymous in nature, and, as such, hardly worth anything to third parties; although one might admit that a statistical analysis made over the traffic that goes through Keybase's servers (e.g. understanding how many messages the average user sends per unit of time, or from which country they come) might have some value in the market, which they could legally sell to third parties, since none of that processed information identifies any individual Keybase user. They cannot even build their business model along the lines of Gmail or Outlook, which harvest emails for potential keywords, to be forwarded to third parties as an important source of number-crunched information allowing ads to be better targeted towards yourself (and your interests); because messages are transmitted with end-to-end encryption (E2EE), there will be nothing intelligible to read in any case. Not even your documents stored on Keybase (temporarily) can be harvested for further keywords — they are encrypted as well. In other words: while we need to take their word for it (that they will never sell ads, or one's personal data). As such, their (virtual!) hands are tied.

You can read a bit more about this on https://restoreprivacy.com/secure-encrypted-messaging-apps/keybase/ as well as https://www.cnbc.com/2020/05/07/zoom-buys-keybase-in-first-deal-as-part-of-plan-to-fix-security.htm(

That said, I work for neither Zoom, nor Keybase.io, nor any potentially interested third party (such as an RL journalist looking for 'the latest scoop') — I'm just a regular user of their services. Like you so well put it, I have similar questions to yours (especially after their acquisition by Zoom). But at the end of the day, I figure that, for my purposes, Keybase's services — especially those related to encrypted storage — are more than adequate, and the risks of storing data with them are substantially lower than having it on Google/OneDrive/Dropbox/Yandex (all of which I do use as well).

The lack of 'official' replies on the GitHub issues (which have accumulated recently) is also a bit worrisome for me, but understandable, since the core team has been overbusy in backpatching Zoom's code to have a semblance of security. In the CNBC article, Zoom's CEO is quoted as saying that Keybase's security model is overwhelmingly complex for Zoom's audience, so they will need to come up with something much simpler but secure enough to nevertheless give Zoom's customers some sense of security. I can imagine that this has pulled all resources and manpower that the 25-person-team at Keybase has, and little was left for 'secondary' aspects of their business, namely, keeping open a communication channel with their own userbase.

One bit of good news is that development of the client app(s) has never stopped.

seefood commented 1 year ago

Can't help feeling Keybase is a ghost ship that will one day disappear. The website is slow as if I am on a 9600 baud modem, and the silence here is all the evidence we need. That's a sad whimper of an end to a product I really wanted to see sustained...

GwynethLlewelyn commented 1 year ago

Hmm. The devs pop up on the Keybase chat, though. Perhaps not as regularly as before, but they seem to be around...

seefood commented 1 year ago

This service is a ghost ship. Since Zoom bought it all the devs are working on other things. No new code or features in years, Zoom are only keeping the servers running because they are rich. We are lucky to at least have that.

On 6 Dec 2022 22:21, Gwyneth Llewelyn @.***> wrote:

> Hmm. The devs pop up on the Keybase chat, though. Perhaps not as regularly as before, but they seem to be around...
