I've long been an advocate for greater online privacy and cybersecurity rights. Even before I began working as a Software Engineer in Silicon Valley, I didn't like the Google and Facebook approach to commodifying user behavioral data. To think that today we live in a world where mercurial data brokers trade granular and identifying data, while still we play into the fantasy when we allow them to call it "anonymous data". Where our private details are sold to the highest bidder across numerous social media and other platforms precisely for the purpose of manipulating us. Targeted shopping ads, targeted public service announcements, targeted and under-handed manipulations by lobbyists, racketeers, and people with hidden agendas, targeted misinformation from megalomaniacs, the unhinged, and the true believers...
This is the online world we currently live in and it's driven in large part by the fact that we as customers don't notice the manipulation on an individual level that much, but we sure do notice the free services: free email providers, free search engines, free social media platforms, etc. A newer surprising thing is just how few people notice all of the paid services that have gotten in on the data collecting and commodifying racket. The other day I sat down with my daughter at a restaurant in an airport and we were handed a tablet to submit our order. The only problem was that I was required to enter my name and email address. I politely requested that the waiter allow me to submit my order without typing in that information. After all, I'd be paying with a credit card so they would easily be able to get that information; certainly my name at least. Yet, they insisted I was required to type my name and email address. For a service that I was paying full price for (and with quite a markup in price, the restaurant being in an airport). There are numerous other such examples that most people have become used to and no longer notice.
So when /e/OS and their partnership with Murena came along I was pretty happy. What they offered was a dream come true for me: fully functional smartphones coupled with their fully functional version of Android with the Google APIs removed and additional privacy and security features added. The OS is free and open source. The phones are reasonably priced. They even have cloud services and automatic cloud syncing for backups, just like an Apple or Google. When the first Teracube 2e was available for purchase in the US (at murena.com) with /e/OS pre-installed I bought one. I had to find a US phone carrier who supported Teracube 2e, but it wasn't that hard. When they offered Fairphone 4 to beta testers back in 2021 I jumped at the chance. In fact, I've been using /e/OS for years now.
Well, "using" is a bit of a misnomer now. Murena has experienced a significant degradation in their cloud services and this has had some knock-on effects for their phone users. To be clear, over my years of using /e/OS I've dealt with minor bugs and cloud service outages. One particular bug that persists to this day stands out: my microSD memory card is only sometimes recognized. Bye bye gigabytes of music! The memory card is fine. I know this because if I put it into my computer my files are still there, readable and listenable. I also know this because occasionally, maybe 20% of the time, I'll restart my phone and my music will magically be there. Not right now, as I look in my phone, but you know, sometimes the files are there.
So yeah, I have been willing to put up with bugs and up until the past month or so their cloud services outages haven't effected me much. Minor hiccups for a small tech company. I've worked at a few small tech companies myself so I get it. But something happened and another persistent bug I've encountered has turned into quite a headache. For quite a while my phone couldn't connect to my cloud account. I honestly don't know when it started and the inability to connect was inconsistent and probably had more than one underlying cause over the last year or so. But about a month ago the connection stopped entirely. I could go to my cloud account at Murena and login on the website, but my phone could not ever seem to login. For the last month my apps haven't been syncing to the cloud, my data has not been getting backed up.
Did I receive a notification in any way explaining the changes or outages? No. This outage started on October 6, 2024. I found out about it weeks later, after losing some important data and searching online and finding this buried post: https://community.e.foundation/t/update-on-murena-io-service-outage/61781 . That is not the way I wanted to find out.
Let me explain the gory details of how this tragic mess unfolded to me last week around October 21st (note that as I write this the outage continues). Imagine you're on your phone and occasionally when an OS app is syncing with the cloud, like Notes or Email or something, you get a notification saying that it was unable to connect and a sync couldn't be performed. That's always a little concerning, but as long as at some point soon the sync is successful then all is right with the world. About a month ago the occasional turned into constant. Clearly there was a problem, but on the other hand this had been an inconsistent issue for a long time. Perhaps this was a temporary outage and would blow over.
It didn't blow over. And the failure notifications were really annoying and concerning. So I logged in to the Murena cloud from my browser. My login worked. I didn't notice that the cloud apps provided there were a limited subset of the usual cloud apps (in hindsight I realize this must have been true). But my login worked and I recalled having login issues previously on my phone because Murena has an user-unfriendly process for creating an "app" password that the OS uses when syncing cloud services. I have all of my login details stored in a password manager. Naturally, I figured I could just logout of my Murena account on my phone and then log back in. It's annoying to have to do that, but it's an easy fix.
I logged out and then... I could not log back in. All of my contacts (Contacts app) and notes (Notes app) were gone. On one hand, it's good that those are really the only cloud services I rely on, on my phone. On the other hand, my contacts and notes were gone! I was not given any indication in my phone that logging out would make any of my data inaccessible locally. I assumed that the cloud sync was just that, a syncing service that would keep the files up-to-date between my phone and the cloud. It had not occurred to me that logging out would mean the files would be gone. I mean, it's not a crazy user experience if you notify the user of this behavior before they logout. Which they did not do.
Two things about this. One, I had created a detailed family medical history in a note that I needed for an upcoming doctor appointment. Notes was the convenient place for it because I was literally taking notes from conversations with family members and expected to pull up the note in my doctor appointment. Two, I had a nearly completed review of Mind the Science by Dr. Jonathan Stea which I was preparing to submit to AIPT Science for publication on their website. Why was this review in Notes? Because I often read on the train and it's convenient to take notes on my phone in those situations. And why would it ever be a problem, it's sync'd with the cloud right? 🫠
So. I logged into Murena cloud on the web. I exported my contacts into a file and downloaded it onto my phone. I imported my contacts. Good! I now had them back on my phone despite the cloud sync not working. Time to get my notes. Except there is no Notes app in the Murena cloud. In fact, there are no files: documents, photos, etc are all not included in what's currently available (still at the time I'm writing this blog post they are not available). My notes are simply gone!
I frantically searched my phone for any notifications about a Murena outage: nothing. I searched online and that's when I found the forum post which explained the outage had been going for more than two weeks already, since October 6th (remember I found this out around October 21st and this was the aforementioned forum post: https://community.e.foundation/t/update-on-murena-io-service-outage/61781). It wasn't until October 25th that I received an email from Murena that was directed at all of their customers. "Minimal murena.io Service Restored" was the subject. It explained which services were running again (contacts, calendar, password, and webmail) and which were not (tasks, notes, files, and images). One noticeable omission: a timeline of when to expect services to come back, or else a plan to regularly communicate updates to customers. This is how it stands today, now more than one week after I received that email (the only communication I've received from them about this). I still don't have my notes.
Murena offered two channels of communication in the email they sent out: their community forum where I had originally read about the outage and Telegram. I appreciate that they communicated a little bit, but a community forum isn't great and Telegram, for me at least, is out of the question. Of course, the fact that their essential services can be so broken for so long is an enormous red flag. My experience highlights a cascade of failures, all of which could have been mitigated if they just had a decent fail over strategy in place. The obvious question is, why did Murena fail so hard on this? Didn't they plan for this?
I wish it wasn't like this, but this incident shows the perils of a small tech company trying to replace an Apple or a Google. For anyone who was skeptical of giving their data to Murena, this is a reason to dismiss Murena for good. For anyone who wants to embrace privacy, security, and right-to-replace technologies, this is a black mark for the whole industry. How can we expect people to trust the others in this market? Teracube, Fairphone, Protonmail, Tutanota, and the list goes on.
Not all of us are technically proficient and not all of us want a complicated system of local-only or self-hosted file backups. Murena was supposed to be a convenient bridge for any user who wanted both privacy and convenience. Yet, I can't even set Murena apps to save my files both locally and in the cloud, nor can I rely on Murena apps to let me know when logging out will remove my files. More importantly, I can't rely on Murena the company to let me know about an important outage and the steps I can take to mitigate problems (maybe at least attempt to warn customers not to logout?).
It's a sad time for smartphone privacy. I will rely on Murena even less than I already do, because yes, they have lost the trust they slowly built with me over the last four years. But I am hopeful that everyone will learn from this experience and better privacy-centric systems and companies will prevail.
This is the online world we currently live in and it's driven in large part by the fact that we as customers don't notice the manipulation on an individual level that much, but we sure do notice the free services: free email providers, free search engines, free social media platforms, etc. A newer surprising thing is just how few people notice all of the paid services that have gotten in on the data collecting and commodifying racket. The other day I sat down with my daughter at a restaurant in an airport and we were handed a tablet to submit our order. The only problem was that I was required to enter my name and email address. I politely requested that the waiter allow me to submit my order without typing in that information. After all, I'd be paying with a credit card so they would easily be able to get that information; certainly my name at least. Yet, they insisted I was required to type my name and email address. For a service that I was paying full price for (and with quite a markup in price, the restaurant being in an airport). There are numerous other such examples that most people have become used to and no longer notice.
So when /e/OS and their partnership with Murena came along I was pretty happy. What they offered was a dream come true for me: fully functional smartphones coupled with their fully functional version of Android with the Google APIs removed and additional privacy and security features added. The OS is free and open source. The phones are reasonably priced. They even have cloud services and automatic cloud syncing for backups, just like an Apple or Google. When the first Teracube 2e was available for purchase in the US (at murena.com) with /e/OS pre-installed I bought one. I had to find a US phone carrier who supported Teracube 2e, but it wasn't that hard. When they offered Fairphone 4 to beta testers back in 2021 I jumped at the chance. In fact, I've been using /e/OS for years now.
Well, "using" is a bit of a misnomer now. Murena has experienced a significant degradation in their cloud services and this has had some knock-on effects for their phone users. To be clear, over my years of using /e/OS I've dealt with minor bugs and cloud service outages. One particular bug that persists to this day stands out: my microSD memory card is only sometimes recognized. Bye bye gigabytes of music! The memory card is fine. I know this because if I put it into my computer my files are still there, readable and listenable. I also know this because occasionally, maybe 20% of the time, I'll restart my phone and my music will magically be there. Not right now, as I look in my phone, but you know, sometimes the files are there.
So yeah, I have been willing to put up with bugs and up until the past month or so their cloud services outages haven't effected me much. Minor hiccups for a small tech company. I've worked at a few small tech companies myself so I get it. But something happened and another persistent bug I've encountered has turned into quite a headache. For quite a while my phone couldn't connect to my cloud account. I honestly don't know when it started and the inability to connect was inconsistent and probably had more than one underlying cause over the last year or so. But about a month ago the connection stopped entirely. I could go to my cloud account at Murena and login on the website, but my phone could not ever seem to login. For the last month my apps haven't been syncing to the cloud, my data has not been getting backed up.
Did I receive a notification in any way explaining the changes or outages? No. This outage started on October 6, 2024. I found out about it weeks later, after losing some important data and searching online and finding this buried post: https://community.e.foundation/t/update-on-murena-io-service-outage/61781 . That is not the way I wanted to find out.
Let me explain the gory details of how this tragic mess unfolded to me last week around October 21st (note that as I write this the outage continues). Imagine you're on your phone and occasionally when an OS app is syncing with the cloud, like Notes or Email or something, you get a notification saying that it was unable to connect and a sync couldn't be performed. That's always a little concerning, but as long as at some point soon the sync is successful then all is right with the world. About a month ago the occasional turned into constant. Clearly there was a problem, but on the other hand this had been an inconsistent issue for a long time. Perhaps this was a temporary outage and would blow over.
It didn't blow over. And the failure notifications were really annoying and concerning. So I logged in to the Murena cloud from my browser. My login worked. I didn't notice that the cloud apps provided there were a limited subset of the usual cloud apps (in hindsight I realize this must have been true). But my login worked and I recalled having login issues previously on my phone because Murena has an user-unfriendly process for creating an "app" password that the OS uses when syncing cloud services. I have all of my login details stored in a password manager. Naturally, I figured I could just logout of my Murena account on my phone and then log back in. It's annoying to have to do that, but it's an easy fix.
I logged out and then... I could not log back in. All of my contacts (Contacts app) and notes (Notes app) were gone. On one hand, it's good that those are really the only cloud services I rely on, on my phone. On the other hand, my contacts and notes were gone! I was not given any indication in my phone that logging out would make any of my data inaccessible locally. I assumed that the cloud sync was just that, a syncing service that would keep the files up-to-date between my phone and the cloud. It had not occurred to me that logging out would mean the files would be gone. I mean, it's not a crazy user experience if you notify the user of this behavior before they logout. Which they did not do.
Two things about this. One, I had created a detailed family medical history in a note that I needed for an upcoming doctor appointment. Notes was the convenient place for it because I was literally taking notes from conversations with family members and expected to pull up the note in my doctor appointment. Two, I had a nearly completed review of Mind the Science by Dr. Jonathan Stea which I was preparing to submit to AIPT Science for publication on their website. Why was this review in Notes? Because I often read on the train and it's convenient to take notes on my phone in those situations. And why would it ever be a problem, it's sync'd with the cloud right? 🫠
So. I logged into Murena cloud on the web. I exported my contacts into a file and downloaded it onto my phone. I imported my contacts. Good! I now had them back on my phone despite the cloud sync not working. Time to get my notes. Except there is no Notes app in the Murena cloud. In fact, there are no files: documents, photos, etc are all not included in what's currently available (still at the time I'm writing this blog post they are not available). My notes are simply gone!
I frantically searched my phone for any notifications about a Murena outage: nothing. I searched online and that's when I found the forum post which explained the outage had been going for more than two weeks already, since October 6th (remember I found this out around October 21st and this was the aforementioned forum post: https://community.e.foundation/t/update-on-murena-io-service-outage/61781). It wasn't until October 25th that I received an email from Murena that was directed at all of their customers. "Minimal murena.io Service Restored" was the subject. It explained which services were running again (contacts, calendar, password, and webmail) and which were not (tasks, notes, files, and images). One noticeable omission: a timeline of when to expect services to come back, or else a plan to regularly communicate updates to customers. This is how it stands today, now more than one week after I received that email (the only communication I've received from them about this). I still don't have my notes.
Murena offered two channels of communication in the email they sent out: their community forum where I had originally read about the outage and Telegram. I appreciate that they communicated a little bit, but a community forum isn't great and Telegram, for me at least, is out of the question. Of course, the fact that their essential services can be so broken for so long is an enormous red flag. My experience highlights a cascade of failures, all of which could have been mitigated if they just had a decent fail over strategy in place. The obvious question is, why did Murena fail so hard on this? Didn't they plan for this?
I wish it wasn't like this, but this incident shows the perils of a small tech company trying to replace an Apple or a Google. For anyone who was skeptical of giving their data to Murena, this is a reason to dismiss Murena for good. For anyone who wants to embrace privacy, security, and right-to-replace technologies, this is a black mark for the whole industry. How can we expect people to trust the others in this market? Teracube, Fairphone, Protonmail, Tutanota, and the list goes on.
Not all of us are technically proficient and not all of us want a complicated system of local-only or self-hosted file backups. Murena was supposed to be a convenient bridge for any user who wanted both privacy and convenience. Yet, I can't even set Murena apps to save my files both locally and in the cloud, nor can I rely on Murena apps to let me know when logging out will remove my files. More importantly, I can't rely on Murena the company to let me know about an important outage and the steps I can take to mitigate problems (maybe at least attempt to warn customers not to logout?).
It's a sad time for smartphone privacy. I will rely on Murena even less than I already do, because yes, they have lost the trust they slowly built with me over the last four years. But I am hopeful that everyone will learn from this experience and better privacy-centric systems and companies will prevail.