54 comments

[ 2.6 ms ] story [ 79.6 ms ] thread
I looked on their website, Frequently Asked Questions, and even hovered over text like "Unroll.me is a free service" in order to find a disclosure.

I could not find ANY disclosures whatsoever.

Nowhere does Unroll.me disclose that they sell your emails to the highest bidder.

I wish we had a FTC that could bankrupt Unroll.me's previous and current founders and executives. Absolutely despicable behaviour.

Terms of Service pointed me to their Privacy Policy.

Privacy Policy indicated the following:

> We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose. For example, when you use our services, we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts. We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.

Damningly, if they're collecting and disclosing transaction details, they're also technically conveying personal information given the ease by which identities can be reversed from this sort of data.

You can't sign up for the service without agreeing to the privacy policy, which is where you should expect privacy-related concerns to be discussed.
I don't find the practice ethical at all, but that said, don't understand why anyone would be surprised by this. Users are almost always the product.

Seems like the Gruber version of outrage porn.

I disagree. If think it's the false sadness — er, "heartbreak" — expressed by the CEO in response to users being upset that angers Gruber. It's one thing to be a straight up sociopath and run your sociopathic business but quite another to pretend you care one iota about the people who you are monetizing by turning them into a personal data slurry.

By the way, folks seem to be intent on down voting your comment into oblivion. That, sadly, seems like increasingly typical behavior here, and elsewhere on the internet. The thinking seems to be: "I don't agree with your opinion therefore I will do my best to make your opinion disappear." Does that make anyone smarter? Perhaps someone was deeply, personally offended — in which case, off with your head, right?

> That, sadly, seems like increasingly typical behavior here, and elsewhere on the internet.

"I'll call someone I've never met a lying sociopath but I draw the line at downvotes!"

I get it. I just think Gruber is a hypocrite. Wasn't long ago he was invited to an Apple meeting so he could then write a blog post shilling for them.

The boundaries broken are not comparable, but I just don't feel that Gruber has any moral high ground to stand on because of his affiliation with members in the industry.

In addition, it's not like we haven't seen this act before with company CEO's. This sort of thing happens all of the time, and in every industry. He's a smart guy, but his post seems overly-reactionary.

I am less bothered by the CEO's comment than by their monetization strategy, but then again, I don't really see the need for the product in the first place.

Basically a repost of https://news.ycombinator.com/item?id=14180463

Had to search my inbox as a sanity check to make sure I hadn't signed up for the service. Turns out I hadn't, but it was pitched on Product Hunt both in April 2015 and May 2016.

I'm hoping at least security folks made the mental connection that signing up meant compromising your personal emails. That's the single reason I didn't bother.

> signing up meant compromising your personal emails

Assuming someone only signed up with their personal address. Curious how many .gov email addresses are in their database...

It only works with major emails services like Gmail, Yahoo, etc, I believe.
Plenty of agencies on services like Google Apps for Government.
> Had to search my inbox as a sanity check to make sure I hadn't signed up for the service.

Wouldn't you remember granting a third party full access to your email inbox? That doesn't seem like a trivial decision to make.

I trust my brain but verify my memories from time to time. :)
Past you isn't future you. And checking is near free.
For someone who grew up before webmail existed, and where mail apps were a local thing, it's really easy to forget that granting a third-party app access to your e-mail often grants that access to a third-party company these days.

It wasn't that long ago that the worst thing that would happen with a third-party mail client was that it would suck and you'd have to stop using it.

Typically I'd expect this data to be anonymized, but when it's your entire inbox how anonymous can it really be?
> If you're not paying, you're the product.

Facebook, Google, ..., Unroll.me

And if you are paying, they can make an extra buck by selling you out too.
Selling data to the highest bidder doesn't surprise me. Users should expect this, but since it's all buried in TOS, only more savvy users are going to know or notice.

Maybe it's time for some ethical standards among developers. Dumping email to an insecure server should be something that every developer would refuse. Somebody was just following order.

I prodded unroll.me a couple of years ago about their data retention policy. Their answer was sketchy so I ended up not using the service. I'm surprised it took this long for someone with reach to look into them.

Original thread: https://twitter.com/elahd/status/575692415132135425

DMs: http://imgur.com/H0UABYa

Sounds like you have great evidence for a class-action against them. If they told their users they only retain emails for 7 days, but actually kept every email in an S3 bucket that was then sold illegally to Slice, every user of Unroll.me could sue for breach of contract, damages, etc...
If you go ahead with this, let me know!
I have tried the service, and my interactions with it have confirmed all perceived sketchiness:

In a moment of desperation, I signed up for this a while back. I found it not to be useful and tried to remove my account with the site, which turns out to be essentially impossible.

I ended up revoking access to my email account and continued to receive emails from unroll.me that the service "has lost its connection to your account," which I found hilarious, because in my desperate attempt to get rid of spam, I created more.

I've tried to unsubscribe from these unroll.me emails several times before, and the unsubscribe link takes me to a page containing all the subscriptions that the service once found on my account (the one you'd see if you were trying to use the service---so all that data is still there, for sure, and it has been many months), and I have never actually been unsubscribed.

...and they still have all of your emails! You can't take back the emails they've already archived, which (presumably) is everything that was in your inbox before you disconnected your Gmail account.
This may sound silly, but I consider any application that requests full read access to my Gmail account to be akin to asking for my social security number.

I remember when the big wave of smart email apps first came out a few years ago, and the horror was the expressed here when it was revealed that these apps basically route all of your email through their servers in order to do processing on it.

Sadly at lot of the trepidation about services like that seems to have abated -- or maybe the general population just isn't aware of how intrusive these types of services could be. But I would never allow any third party service to access my email.

I think this is correct but maybe not quite far enough. I am much more willing to give out my social security number than my Gmail password.
"This may sound silly, but I consider any application that requests full read access to my Gmail account to be akin to asking for my social security number."

Have you ever emailed your social security number, had your social security number emailed to you, or signed up for any sort of service to your gmail account including your paycheck management company, your tax returns, your bank, or anything else that via email password reset could be used to access your social security number?

Certainly I'd go so far as to say that almost anybody's "real" gmail account could certainly be leveraged to get the last four digits of your social security number. Given the low entropy of the other 5 numbers given other details [1], even if you can say with a straight face that your email has never had your very, very regex-able social security number in it, it's still got most of the bits, most likely. Perhaps not enough to automatically target you without a bit more machine learning than I think we quite have at the moment, but... getting perilously close, honestly. Someone who really dedicated themselves to taking "gmail inboxes" and writing a system to determine social security numbers from that could probably do pretty well. It wouldn't quite be just "fire some machine learning at it", but the system as a whole seems pretty feasible to me.

[1]: http://www.stevemorse.org/ssn/ssn.html . It isn't quite as bad as it seems for many of us, because we didn't all used to get SS numbers at birth, so my SS number does not correspond to my birth. But if you have my last 4 numbers and a handful of other bits of information about where I've lived, it's distressingly few bits between me and my identity getting stolen.

Oh, I would not be surprised if my SSN is floating somewhere out there because of something like this. So that's a good point. I was more making the comparison because I was looking for an analogy to something most people at least try to guard heavily.
A common way to get SSN in your email is either lease or mortgage documentation. Esp, if they send you results of any of these documents via email.
> operating under the radar

The privacy policy is clear and easy to find and understand. You can be annoyed with yourself for not reading it. You can decide the service isn't worth the tradeoffs. You can be annoyed with yourself for being naive about how free products work.

But it's illogical and disingenuous to call this "under the radar" or blame the service for your own surprise about how it works. We have free will and a responsibility to understand the agreements we enter into. Admitting so casually that we can't handle those things is a scary thought.

> You can be annoyed with yourself for not reading it.

Do how do you spend reading every click-wrap agreement you accept?

We condition users not to read these things, so we can't be surprised when they don't read them.

> Do how do you spend reading every click-wrap agreement you accept?

No, but I don't complain about the consequences. If I agreed to terms that gave my house to unroll.me, they'd never be able to enforce it because it's egregiously inappropriate. I take that much for granted. The actual unroll.me terms are not egregiously inappropriate. They may be distasteful to most people here, but it's not offensive or inappropriate that the terms are allowed to exist.

So "do as I say, not as I do"
That does not apply here. That's obtuse. It would be hypocritical for me to criticize not reading terms and then complaining about those terms if I was doing both those things. Everyone's free to do as I say and do, accept terms and then accept their consequences.
Few people read privacy policies. Everybody knows this. The people making this product know this. If the only place they explain it is in the privacy policy, then they are knowingly and intentionally putting it in a place where most of their users will not see it.
> Few people read privacy policies.

People have free will and that's their choice. I'm not surprised that most don't. I rarely do. But it doesn't make sense that the people who have strong feelings about privacy aren't reading them. You can't give up what's clearly your own personal responsibility and then blame someone else for the consequences.

I agree that blame should go to people who care about privacy and then don't read privacy policies.

However, blame should also go to companies that hide important privacy info in privacy policies, with the full knowledge that most of their users will never see it.

Given that the company here is a single entity, while their users are a disorganized mass, I think the company should bear much more responsibility for fixing the situation. They can unilaterally fix it for everybody, while their users can't.

The company also exists with the sole purpose of running its business. That is all they do. Their users, on the other hand, are quite busy doing many other things and dedicate perhaps 0.1% of their time to doing business with this company.

In a relationship that's this lopsided, we should not hold both sides to the same standard. The company should bear far more responsibility for hiding important information where nobody will read it than their users should bear for not hunting it down.

Edit: it occurs to me that this is basically like getting conned. Somebody spins a story at a gas station about how they're trying to get to Cincinnati and they just spent their last $5 on money for their sick kid and can you just help a guy out, and they manage to con some poor sucker, do we focus our ire on the con artist or on the sucker? I'm OK with telling the sucker that they should be more careful and they shouldn't have fallen for the story, but they are ultimately the victim here, and the culprit is the scammer.

> Somebody spins a story at a gas station about how they're trying to get to Cincinnati and they just spent their last $5 on money for their sick kid and can you just help a guy out, and they manage to con some poor sucker, do we focus our ire on the con artist or on the sucker?

That is just ridiculous. You're describing a lie. This situation has transparency that people have simply chosen to ignore. Fine print isn't a crime.

Lying is about intent. When you know that people will expect a reasonable level of privacy by default, and that people won't read your privacy policy, then selling all of their data and only mentioning it in your privacy policy is also lying.
We've all agreed to things we didn't expect, because none of us are willing to invest thousands of dollars worth of our time to check the side effects of trivial transactions. Instead we make the rational decision to trust our counterparties and to hope they don't disappoint us too often.

This situation sucks, and is a new problem, which deserves a solution. Contracts have always existed, but bespoke contracts for each minor transaction are a new development.

Long-term, we have two choices. The first is that industry devises reasonable standards that simplify the process for end-users. The second is that government will devise standards and impose restrictions on us. I suggest we acknowledge the issue and work on a solution, instead of just insulting those who correctly identify the problem.

In Germany there's actually a law[1] (Google Translate[2]) that prohibits companies from putting "suprising" statements into their terms of services.

For example, you cannot put the fact that the user is signing up for a subscription service into the fine print or the terms of services when it is not stated anywhere else on the website. Even if the customer clicks the "yes, I have read the terms and totally agree with everything that's in there"-button.

I think most EU countries have similar rules[3].

  [1] https://dejure.org/gesetze/BGB/305c.html
  [2] https://translate.google.com/translate?hl=de&sl=de&tl=en&u=https%3A%2F%2Fdejure.org%2Fgesetze%2FBGB%2F305c.html
  [3] http://europa.eu/youreurope/citizens/consumers/unfair-treatment/unfair-contract-terms/index_en.htm
> The privacy policy is clear and easy to find and understand

I disagree. A casual reading of the privacy policy gives the impression that they are not selling the contents of your inbox. There's one long, awkward sentence that technically covers it, but I don't think it's obvious what they're talking about.

This is what a clear statement would look like:

We make our money by selling the contents of the emails you receive. We will make our best effort to scrub personally identifying information from your emails, though this process is difficult and maybe even impossible in some circumstances.

I find it fascinating that there are services which require access to your complete inbox, irrespective of how useful they might be or what they've written in their privacy policy. Every single email you ever sent/received, and every single email you will send/receive. Maybe I'm being paranoid, but sorry, that's just a huge "no" in my book.
I used unroll.me once but it didn't really work so I removed it.
Great, I'm sold on leaving unroll.me but I think there is a deeper problem here. Email is so insecure and if you're already using Gmail then who knows who Google is selling your emails to. Google is just a lot better about keeping it a secret. Fooling yourself into thinking your emails are secure if you're not using Unroll.me is a joke. Also, please suggest a secure alternative when telling people to leave a service over security. I'd love to switch to something else that gives me some false sense of security but shutting off unroll.me and allowing my inbox to implode with spam is not a great option right now.
Although I've since moved on from Gmail, because I don't like Google having access to all of my emails and harvesting the data from them, I do trust Google as far as sanitizing emails much more than a service like Unroll.me.

As far as a different service, I found Unroll.me to be just another annoying email I had to read and found it kinda useless since if I wanted to "roll up" an email, I had to read the daily email to see what it suggests and then add to my rollup list. My solution was to just unsubscribe from any email that I didn't actively read (which was most of them). Especially given that most services are one-click unsubscribe now in the Gmail interface or Mail.app, it's pretty simple compared to a few years ago.

Google has their share of privacy problems, but they don't sell data