May 22, 2017

Mailbox tools: A threat to consumer data privacy and security.


The increasingly controversial topic of consumer data privacy and security was in the spotlight recently in a New York Times article critical of the business practices used by Slice, the owner of email subscription management application Unroll.me, and Uber. The article revealed Slice sold consumer data from Unroll.me to the popular ride-share company.

“Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber.”

While Unroll.me CEO Jojo Hedaya offered an apology, it failed to satisfy some customers, and comment sections on various websites heated up as some customers requested their data be destroyed.

But there’s a problem.

Unroll.me and other tools like it can reserve the right to indefinitely retain your email data, and owning this type of data is what makes companies like Unroll.me (Slice) so valuable.

For example, in a response to the Unroll.me story on Y Combinator, a contributor claimed, “A large part of Slice buying Unroll.me was for access to those email archives. Specifically, they wanted to look for keyword trends and for receipts from online purchases.”

And what most consumers don’t realize is that this type of data collection and selling is occurring with other mailbox tool companies, too (e.g., Boxbe from eDataSource, and OtherInbox and Organizer from Return Path). We previously covered some of these tools in our blog The Truth About Email Panel Data.

Why are consumers voluntarily handing over their email data?

Do you read the Terms and Privacy policies of every online service you use?

According to the recent study The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services, researchers found 86% of test subjects spent less than one minute reading terms of service, and a staggering 97% spent less than five minutes. Additionally, fewer than 2% noticed that by agreeing to the terms of service, they were actually “providing a first-born child” as payment for access to the test application.

Like most consumers, we assume free mailbox tools users rarely read the policies they agree to. But the old adage remains true: If you’re not paying to use a product—newsflash—you (and your data) are the product.


Free mailbox tools users: You (and your data) are the product.

Email industry veteran Laura Atkins recently took the mailbox tools and email panel data industry to task regarding security risks for users. And in a response to Atkins’s concerns, Return Path’s Chief Privacy Officer, Dennis Dayman, offered this comment:

“Our registration flow makes it clear that we use users’ data for market research purposes, but in an anonymized and aggregate fashion. We make that statement in concise, plain English right at the point of registration – not buried in a click-through Terms of Service that no user will ever see.”

But this is how the Return Path-owned Organizer sign-up page reads:

“In offering this service, we collect and share certain information about non-personal email messages (e.g., commercial emails). This data helps us to gain insights into consumer behavior, and also helps us improve the email ecosystem by better understanding how people interact with the non-personal email messages they receive.”

While we agree with Return Path’s Dayman that users should be given a “plain English” explanation of what their tools will do with customer data without needing to read a long privacy policy, we feel the Organizer website copy fails to fulfill that need.

So, we did the thing most mailbox tool users likely never do: Read the approximately 4,653-word Return Path Data Privacy Policy.

Note: We’re not attorneys, so please consult one if you want a legal opinion regarding any of the information discussed in this blog.

Buried in the privacy policy, we discovered the tool is collecting “commercial, transactional, and relationship messages” (Service Usage Information)—no, not just commercial mail. And are “relationship messages” personal emails? According to the website, the tool is focused on non-personal email. Unfortunately, after multiple reads of this section in the policy, we failed to find a clear explanation of the term.

Listed elsewhere in the policy are sections regarding non-personally identifying information being collected and sold to third parties (Service Usage Information), that emails might be stored indefinitely (Retention of Personal Information), that the app might track user location when engaged on mobile devices (Aggregate Information), and that your data may be sold to another company (Change of Control/Asset Transfer) at any time. What happens to your data if another company acquires Return Path? It’s not clear to us.

Do you see that information communicated in “plain English” here:

Image: Return Path’s Organizer email app sign-up page. Source: Return Path’s Organizer

Neither do we.

Selling Lyft receipts is just the tip of the iceberg

The sale of Unroll.me data to Uber has left many people upset, but it doesn’t even scratch the surface on the broader collection of data being sold elsewhere.

For example, Return Path offers multiple free mailbox tools to consumers and “collects detailed consumer receipt data from a diverse array of sources” to show “item-level receipt data can show you what consumers are actually doing,” reportedly collecting data on payments, banks, retailers, e-commerce, etc.:

Image: Return Path Consumer Insights graphic. Source: Return Path Consumer Insights

On the Return Path website, just above this image, and at the time of this blog, it read “Return Path offers consumer data like you’ve never seen before.” If the above graphic is an accurate representation of the data Return Path is collecting and selling, their “Consumer Insight” collection goes well beyond Lyft receipts. Insurance quotes, online statements, purchase history, Netflix viewing habits, switching phone providers… Is this the type of information consumers envisioned sharing when they signed up for a free mailbox tool?

Ironically, it seems that the very mailbox tools claiming to improve user productivity and help you avoid spam may actually have their data bought and analyzed to inform more, better spam (or mo’ better spam) based on the information harvested from users’ email accounts.

Remember, if you’re using a free mailbox tool, you (and your data) are the product.

Third-party mailbox tools can pose a major security risk

The Y Combinator post also alleged previous issues with security at Unroll.me:

“I worked for a company that nearly acquired Unroll.me. At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets.”

Poorly secured S3 buckets? Keeping a copy of every single email? Regardless of whether it’s sent or received? If this is true, it could mean that Unroll.me’s S3 storage is chock full of purchase receipts, password resets, and who knows what kind of personal messages. Even sent messages totally unrelated to the use of the tool can be stored.

And what about login credentials? Although some providers (Gmail, Yahoo, Outlook) provide OAuth authentication, AOL and Apple (icloud.com) do not, and these mailbox applications ask for your login credentials, including your password, to use the service. While all companies claim they follow standard best practices for security, data breaches have become a common occurrence at many software companies.

Multiple sources pointed out that some of these tools request full read and write access to your account. This means that the application, or anyone who potentially breaches it, might have free rein to manage your inbox as they see fit.
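To make the difference between password sharing and scoped OAuth access concrete, here is an added example (not part of the original post and not any vendor's code) that ranks an inventory of third-party mailbox grants by how much of the mailbox each one exposes. The scope strings are Gmail API OAuth scopes; the inventory format, accounts and app names are hypothetical and constructed for illustration.

```python
# Added example. Accounts, app names and grant records are constructed.
G = "https://www.googleapis.com/auth/gmail."
# Gmail API OAuth scopes mapped to what the holder of the token can do.
SCOPE_LEVEL = {
    "https://mail.google.com/": "read_write",  # full mailbox access
    G + "modify": "read_write",                # read, change and send mail
    G + "readonly": "read_all",                # every message body
    G + "send": "send_only",                   # send as the user
    G + "metadata": "metadata",                # headers and labels, no bodies
    G + "labels": "metadata",                  # label management only
}
# Highest risk first; position in this list is the sort key.
LEVELS = ["password", "read_write", "read_all", "send_only", "unknown", "metadata"]

def classify(grant):
    """Return the risk level of one third-party mailbox grant."""
    if grant["auth"] == "password":
        # A shared password is unscoped and stays valid until it is changed.
        return "password"
    # Scopes missing from the table count as "unknown" so they get reviewed.
    levels = [SCOPE_LEVEL.get(s, "unknown") for s in grant["scopes"]] or ["unknown"]
    return min(levels, key=LEVELS.index)

def audit(grants):
    """Return (account, app, level, action) rows, highest risk first."""
    rows = []
    for g in grants:
        level = classify(g)
        action = ("change the account password" if level == "password"
                  else "revoke the app's access at the mail provider")
        rows.append((g["account"], g["app"], level, action))
    return sorted(rows, key=lambda r: LEVELS.index(r[2]))

SAMPLE_GRANTS = [  # constructed inventory, hypothetical apps
    {"account": "carol@example.com", "app": "label-helper", "auth": "oauth",
     "scopes": [G + "labels"]},
    {"account": "alice@example.com", "app": "inbox-tidy", "auth": "oauth",
     "scopes": ["https://mail.google.com/"]},
    {"account": "bob@example.org", "app": "inbox-tidy", "auth": "password",
     "scopes": []},
    {"account": "dave@example.com", "app": "receipt-digest", "auth": "oauth",
     "scopes": [G + "metadata", G + "readonly"]},
    {"account": "erin@example.com", "app": "mystery-app", "auth": "oauth",
     "scopes": ["https://example.invalid/scope"]},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_GRANTS):
        print(*row, sep=" | ")
```

A grant with several scopes is rated by its most permissive one, and a shared password always ranks first because it cannot be narrowed or revoked per application.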

How to stop mailbox tools from collecting your email data

If you’re a user of Unroll.me, Boxbe, Organizer, or other mailbox tools and you want to revoke their ability to collect, store, and sell your data, here are instructions on how to shut off their access:

For users who shared their email login credentials with a mailbox tool, you should immediately change the password for your email account.

We also encourage users to contact the tool owner and ask for clarification on if and how your personal information (e.g., transactional messages, personal messages, login credentials) is being stored, along with a link to the section of their privacy policy permitting them to do so.

Author: Alex Griffis

Alex Griffis is a product geek at 250ok, where he focuses on product design and improving our customer experiences.
