May 22, 2017
Mailbox tools: A threat to consumer data privacy and security.
The increasingly controversial topic of consumer data privacy and security was in the spotlight recently in a New York Times article critical of the business practices used by Slice, the owner of email subscription management application Unroll.me, and Uber. The article revealed Slice sold consumer data from Unroll.me to the popular ride-share company.
“Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber.”
But there’s a problem.
Unroll.me and other tools like them can reserve the right to indefinitely retain your email data, and owning this type of data is what makes companies like Unroll.me (Slice) so valuable.
For example, in a response to the Unroll.me story on Y Combinator, a contributor claimed, “A large part of Slice buying Unroll.me was for access to those email archives. Specifically, they wanted to look for keyword trends and for receipts from online purchases.”
And what most consumers don’t realize is this type data collection and selling is occurring with other mailbox tools companies, too (e.g., Boxbe from eDataSource, and OtherInbox and Organizer from Return Path). We previously covered some of these tools in our blog The Truth About Email Panel Data.
Why are consumers voluntarily handing over their email data?
Do you read the Terms and Privacy policies of every online service you use?
According to the recent study The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services, researchers found 86% of test subjects spent less than one minute reading terms of service, and a staggering 97% spent less than five minutes. Additionally, less than 2% noticed that by agreeing to the terms of services, they were actually “providing a first-born child” as payment for access to the test application.
Like most consumers, we assume free mailbox tools users rarely read the policies they agree to. But the old adage remains true: If you’re not paying to use a product—newsflash—you (and your data) are the product.
Free mailbox tools users: You (and your data) are the product.
Email industry veteran Laura Atkins recently took the mailbox tools and email panel data industry to task regarding security risks for users. And in a response to Atkin’s concerns, Return Path’s Chief Privacy Officer, Dennis Dayman, offered this comment:
“Our registration flow makes it clear that we use users’ data for market research purposes, but in an anonymized and aggregate fashion. We make that statement in concise, plain English right at the point of registration – not buried in a click-through Terms of Service that no user will ever see.”
But this is how the Return Path-owned Organizer sign-up page reads:
“In offering this service, we collect and share certain information about non-personal email messages (e.g., commercial emails). This data helps us to gain insights into consumer behavior, and also helps us improve the email ecosystem by better understanding how people interact with the non-personal email messages they receive.”
Note: We’re not attorneys, so please consult one if you want a legal opinion regarding any of the information discussed in this blog.
Listed elsewhere in the policy are sections regarding non-personally identifying information being collected and sold to third parties (Service Usage Information), that emails might be stored indefinitely (Retention of Personal Information), that the app might track user location when engaged on mobile devices (Aggregate Information), and that your data may be sold to another company (Change of Control/Asset Transfer) at any time. What happens to your data if another company acquires Return Path? It’s not clear to us.
Do you see that information communicated in “plain English” here:
Source: Return Path’s Organizer
Neither do we.
Selling Lyft receipts are just the tip of the iceberg
The sale of Unroll.me data to Uber has left many people upset, but it doesn’t even scratch the surface on the broader collection of data being sold elsewhere.
For example, Return Path offers multiple free mailbox tools to consumers and “collects detailed consumer receipt data from a diverse array of sources” to show “item-level receipt data can show you what consumers are actually doing,” reportedly collecting data on payments, banks, retailers, e-commerce, etc.:
Source: Return Path Consumer Insights
On the Return Path website, just above this image, and at the time of this blog, it read “Return Path offers consumer data like you’ve never seen before.” If the above graphic is an accurate representation of the data Return Path is collecting and selling, their “Consumer Insight” collection goes well beyond Lyft receipts. Insurance quotes, online statements, purchase history, Netflix viewing habits, switching phone providers… Is this the type of information consumers envisioned sharing when they signed up for a free mailbox tool?
Ironically, it seems that the very mailbox tools claiming to improve user productivity and help you avoid spam may actually have its data bought and analyzed to inform more, better spam (or mo’ better spam) based on the information harvested from user’s email accounts.
Remember, if you’re using a free mailbox tool, you (and your data) are the product.
Third-party mailbox tools can pose a major security risk
The Y Combinator post also alleged previous issues with security at Unroll.me:
“I worked for a company that nearly acquired Unroll.me. At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets.”
Poorly secured S3 buckets? Keeping a copy of every single email? Regardless of if it’s sent or received? If this is true, it could mean that Unroll.me’s S3 storage is chock full of purchase receipts, password resets, and who knows what kind of personal messages. Even sent messages totally unrelated to the use of the tool can be stored.
And what about login credentials? Although some providers (Gmail, Yahoo, Outlook) provide OAuth authentication, AOL and Apple (icloud.com) do not, and these mailbox applications ask for your login credentials, including your password, to use the service. While all companies claim they follow standard best practices for security, data breaches have become a common occurrence at many software companies.
Multiple sources pointed out some of these tools request full read and write access to your account. This means that the application, or anyone who potentially breaches it, might have free reign to manage your inbox as they see fit.
How to stop mailbox tools from collecting your email data
If you’re a user of Unroll.me, Boxbe, Organizer, or other mailbox tools and you want to revoke their ability to collect, store, and sell your data, here are instructions on how to shut off their access:
- Gmail: Visit security page and go to “Connected apps & sites” under “Sign-in & security” on the left menu. Click the service you would like to remove and it will show the blue “Remove” button. Answer “Yes” when asked, “Are you sure you want to remove access?”
- Outlook: Using add-ins in Outlook.com or Outlook on the web
- Yahoo!: Remove permission to a third-party app
For users who shared their email login credentials with a mailbox tool, you should immediately change the password for your email account.
You may also like...
It’s hard to believe we are nearing the end of yet another exciting year in email, and 2019 proved to be one of the most momentous and active years to date. Over the past year, the number of new technologies, mergers and acquisitions, mailbox provider (MBP) announcements, news, and highlights is evidence of the versatility […]
I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]
*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]