
Show HN: Leave Me Alone – A privacy focused email unsubscription service - jivings
https://leavemealone.xyz
======
jamieweb
Looks interesting...

It took me a bit of time to find out how it actually works, as the 'How it
works' button doesn't actually tell me how it works. I had to click onto the
FAQ in order to find out that it integrates with Gmail.

Unfortunately I will never be giving a third-party access to my inbox like
that. I was hoping that this service would be something where you can forward
a spam email and they visit the unsubscribe link for you, or you simply paste
in an unsubscribe link and it handles it all.

Perhaps these suggestions could be added as extra features for those of us who
want to unsubscribe without giving away access to our inboxes?

Currently my personal process for unsubscribing is to either put the
unsubscribe link into urlscan.io, and if that doesn't work (e.g. if it
requires a complex form input), then I forward it to a malware sandbox machine
and do it there.

~~~
vertis
I understand the privacy concerns, but for me, if I'm prepared to outsource my
email to Google then how different is it to let other SaaS scan my inbox to
provide their service (I accept size is one factor).

The Privacy Policy of Leave Me Alone is pretty clear on their respect for my
data (not selling it).

If they don't respect this policy, it's going to get found out eventually, and
it's going to hurt their business and their future reputation as founders.

Their incentives are in the right place to behave in the way that they've
stated.

Security could be a concern as well, but it's all done within the framework
that Google has created. Tokens can be revoked (if one desires, immediately).

Which just leaves the servers being compromised before/during the interaction.
This isn't impossible and is something that LeaveMeAlone should definitely be
considering. However, a breach potentially means the end of their business.
This makes me trust, again, that their incentives are in preventing this from
happening and investing in hardening the servers (etc).

~~~
gnicholas
> _if I'm prepared to outsource my email to Google then how different is it
> to let other SaaS scan my inbox to provide their service...If they don't
> respect this policy, it's going to get found out eventually, and it's going
> to hurt their business and their future reputation as founders._

The likelihood that some small SaaS shop will be found out for
unethical/illegal behavior is much smaller than Google being found out. It
does look like their hearts are in the right place, for what it's worth. But
there's no way for them to promise never to sell to someone interested in
monetizing the data.

~~~
jivings
Thanks for the kind words.

I think the only way we can make this promise is by doing what we're doing
right now and not actually storing any email content.

I'm not sure the best way to prove that this is what we're doing, short of
open sourcing the code, so I'm open to suggestions there!

~~~
royosherove
Hold public audits by a trusted 3rd party to show you are not keeping any data
- on a repeating basis (6 months?)

~~~
jivings
We're already required to perform an audit by Google every 12 months (I've
mentioned the requirements of this below, but it basically amounts to the same
thing), would this be acceptable?

~~~
gnicholas
What are the details of this? I've seen how things work on the Chrome Store
side, and it's completely haphazard. There isn't an official audit schedule,
as far as I can tell, but like with the iOS App Store, they do sometimes
decide to flag/remove an extension for completely bogus reasons, with
little/no notice: [https://medium.com/@BeeLineReader/google-yanked-my-chrome-ex...](https://medium.com/@BeeLineReader/google-yanked-my-chrome-extension-this-sunday-d9c481e285cb)

~~~
jivings
As of this year with apps that access the Gmail API it is an official audit by
an authorised third party assessor.

More info here: [https://cloud.google.com/blog/products/g-suite/elevating-use...](https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems)

~~~
gnicholas
That's great. I'd emphasize this both in the privacy policy and in the FAQ.
It's not bulletproof, but it goes a long way.

------
LinuxBender
Another option would be to use a mail provider that lets you point your own
domain to it and create aliases. Fastmail and protonmail come to mind. Create
a unique alias for anything you sign up for. You will then know if that
company sold or mishandled your email address. If that happens, simply delete
the alias for that company.

[Edit] To the_pwner224's point, you can also create a wildcard and send
everything to a catch-all mailbox and/or write rules for it so you can tell a
business "their-business-name@yourdomain.tld".

~~~
333c
I do this on FastMail. All of my accounts are [site name]@[mydomain], so when
I get spam on an address, I can easily set up a rule that sends all messages
to that address to junk.

I also have other custom rules:

filter@[mydomain] goes to a special folder that isn't the inbox, for services
whose messages I want to be able to access occasionally, but not most of the
time.

spam@[mydomain] goes straight to spam.

I just went through my spam folder and found a bunch of spam (automatically
filtered) to my "real" email address. That was surprising until I remembered
that my email address is published on my website. I suppose my efforts were
somewhat in vain.

~~~
julianj
I run a script that moves any email to the trash that does not come from a
list of approved domains. I have toyed with the idea of setting up a catch all
domain to do the same as you, but keep finding excuses not to proceed. How
much time do you spend on administration for your solution?

------
mplewis
Remember the last time we did this?

[https://www.nytimes.com/2017/04/24/technology/personal-data-...](https://www.nytimes.com/2017/04/24/technology/personal-data-firm-slice-unroll-me-backlash-uber.html)

Email is not an API. Never give a third-party service read-write access to
your email.

~~~
willio58
Did you read the description of this service at all? They literally link to
this exact story as an example of why they are a paid service.

------
WestCoastJustin
The big no-go for me would be allowing you access to my gmail inbox. Google is
already starting to add unsubscribe links right in the email header area [1,
2]. You probably don't want to compete with them as they have a much wider
insight into email patterns and can quickly come up with a much wider block
list. I'm sure you take security seriously but your service would definitely
be the weakest link if someone broke into your auth token database. At least,
that is how I think your service works, it is not really clear, other than it
works with gmail (and I'll allow you access to read emails). I'd focus on the
security message here as I think this will come up a lot.

A suggestion. A proxy service might work here, where I use your service and
you give me a email@leavemealone.xyz, I use that email@leavemealone.xyz email
to sign up to lists, then you forward email to my inbox, then I never give you
access to anything. Then this will work with any email provider and you can
access way more customers.

[1] [https://imgur.com/rPCntTK](https://imgur.com/rPCntTK)

[2]
[https://support.google.com/mail/answer/8151](https://support.google.com/mail/answer/8151)

~~~
jivings
A valid concern for sure! The tokens we store are all encrypted, but you can
also revoke them easily on Google's OAuth screens if god forbid we were to
have a breach. I believe we can also revoke all tokens by refreshing our own
Google OAuth keys.

Regarding the unsubscribe within Gmail, I can't vouch for exactly how that
button works, but there are three methods that are possible.

1\. Subscription services can specify in the email headers that they have
"one-click" unsub functionality. In which case following the link should
unsubscribe you.

2\. They can also specify an email address, and sending an email to it should
unsubscribe you (you can check this by clicking the button and then checking
your sent emails).

3\. They can also just specify a regular unsub link. This usually requires you
to input additional info such as your email address, or a reason for
unsubscribing. I don't think that Gmail will be unsubscribing you from these,
and they are probably the most frequent.

Leave Me Alone will try all of these methods to unsubscribe you, including
filling out any forms if required.

It will also show you all of your subscription emails in one place, which I
don't think is possible from within Gmail.
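
The three methods listed in the comment above can be told apart locally from a message's headers, without visiting any link. The following is an added example, not part of the original post and not Leave Me Alone's code: it reads the standard `List-Unsubscribe` and `List-Unsubscribe-Post` (RFC 8058) headers, treats a header URL without the one-click marker as the "regular link" case, ignores links in the message body, and uses a constructed sample message; the function names and the preference order are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample message; the sender and URLs are made up.
SAMPLE = (
    "From: News <news@shop.example>\n"
    "Subject: Weekly deals\n"
    "List-Unsubscribe: <mailto:unsub@shop.example?subject=unsubscribe>,\n"
    " <https://shop.example/u?id=abc123>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\n"
    "Body text\n"
)

def unsubscribe_options(raw_message):
    """Return [(method, target)] parsed from the headers; no network I/O."""
    msg = message_from_string(raw_message)
    # Collapse header folding (the value may span several lines).
    header = " ".join(str(msg.get("List-Unsubscribe", "")).split())
    post = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
    one_click = post == "list-unsubscribe=one-click"  # RFC 8058 marker
    options = []
    for uri in re.findall(r"<([^<>]+)>", header):
        uri = uri.strip()
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme == "mailto":
            options.append(("mailto", parts.path))   # method 2: send an email
        elif scheme == "https" and one_click:
            options.append(("one-click", uri))       # method 1: HTTPS POST
        elif scheme in ("http", "https"):
            options.append(("link", uri))            # method 3: regular link
    return options

def preferred(options):
    """Pick the option needing the least interaction (assumed ordering)."""
    order = ["one-click", "mailto", "link"]
    return min(options, key=lambda o: order.index(o[0]), default=None)

if __name__ == "__main__":
    for method, target in unsubscribe_options(SAMPLE):
        print(method, target)
```
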

~~~
WestCoastJustin
Cool, thanks for the reply. Sorry, I am not trying to be a downer, just giving
you honest feedback. I know it is extremely hard to come up with an idea,
create a website, all the sketching/coding/testing, promoting it, etc. The
website looks pretty slick.

~~~
jivings
No problem! Answering these types of questions and standing behind your idea
is as important as a sexy looking website!

------
drinchev
Btw since about 3 years I'm using lots of gmail filters ( like around 200+ and
counting ) to separate mails to different labels and it kinda works.

I have lots of labels for each service that I use. They all include unicode
symbol character, to visually separate it from untagged mails. For example "
DHL", " UPS", " fitbit", "︎ Uber", "︎ Austrian Airlines", " O2" and others.

The logic is all e-mails coming from the specified domain e.g. dhl.com goes to
the DHL label. Then another filter that takes newsletter@dhl.com which goes to
newsletters and skips the inbox. This way I was able to handle the e-mail
clutter and not rely on 3rd party service that I might be afraid will reduce
my privacy concerns.

P.S. Ha. Bummer HN trimmed my unicode symbols anyway here is a screenshot :
[https://imgur.com/fpX8OLH](https://imgur.com/fpX8OLH)

------
vertis
Highly recommend Leave Me Alone. Discovered it late last year through Twitter
and it helped me unsubscribe from 238 newsletters with about 5 mins effort.

It's also an open startup so you can look at all the actionable metrics at
[https://leavemealone.xyz/open](https://leavemealone.xyz/open)

------
snazz
This looks fine and dandy, but I’m always skeptical of anything that says it
won’t sell my data, because it could turn around and do so tomorrow. Aside
from the clear business model and the claims on the homepage, is there any way
for me to prove that my privacy will be respected with this service?

~~~
jivings
This depends on how far your trust stretches. As of this year all apps that
use the Google Gmail API have to undergo an independent assessment from a
security firm to ensure that they are;

a) not mishandling data

b) not breaching Google's privacy policies

c) securing data appropriately

There is a grace period for existing apps, but we have to undergo this
assessment soon if we want to be allowed to keep running.

More info here: [https://cloud.google.com/blog/products/g-suite/elevating-use...](https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems)

------
arkades
I just tried it out. Looks fantastic; I immediately bounced from the three day
free scan to the six month. I appreciated the spam estimate.

I did have the problem that the six month scan just hung up at 29%. Went to
account info for scan history, and when I went back to the scan page it was
back to asking me for 8$ - despite never having finished the scan. So, as it
stands, are the paid-for results only available in a single session? Lost if
you navigate elsewhere on the same site? (Accessing from iOS)

Only thing I would have appreciated is some way to easily distinguish between
subscriptions-spam (eg, newsletters) and spam from places I need occasional
communications from (eg, receipts from wayfair purchases.) I’m not sure what
that would look like though - maybe a tag-and-archive for the latter?

~~~
jivings
Oh sorry I didn't notice the part of your message where you had a problem.
Send me a message through support chat (click your profile image and "get
help") and I'll sort you out!

~~~
arkades
I don’t know what happened, but it sorted itself out. Love it.

~~~
jivings
Glad to hear it!

------
newscracker
I personally wouldn’t share my emails with anyone, and would never use any
service that requires sharing my inbox with it. Unsubscribing may also be a
problem in some cases, especially with spam, where you signal to the spammer
that you’re around just by the act of unsubscribing. So unless a service like
this knows which ones are fine enough to unsubscribe from without further
repercussions, it could exacerbate the problem.

Ideally I’d prefer an app that analyzes this locally and does it. Apple’s
Mail.app shows unsubscribe links at the top of emails sent through lists. I
haven’t used it for the reason mentioned above.

The pricing for this service seems decent enough for certain cases since it’s
more of a one time use case, but some sort of combo pricing for multiple
inboxes could serve those who use multiple email addresses.

Edit: jamieweb’s comment here
([https://news.ycombinator.com/item?id=19038588](https://news.ycombinator.com/item?id=19038588))
states that it supports only Gmail. Since Gmail already has
unsubscription options in each email, this one seems to be doing the
consolidated view and taking additional steps by sending an email. Doesn’t
seem like a lot of differentiation and value add, which is something that
needs to be explained on the front page.

------
gvajravelu
The service looks interesting, but this isn't a problem for me. I know what
services I'm subscribed to and unsubscribe from the ones I don't want to
receive.

A bigger problem for me is services that I have already unsubscribed from but
the company doesn't honor my request. I'm still on some of their lists years
later which infuriates me.

~~~
jivings
Something we plan to do is name and shame companies that do this.

They're in breach of the CAN-SPAM act and should be punished appropriately.

------
gnicholas
Out of curiosity, how did you decide to offer these different tier levels? Why
is the most expensive tier 6 months instead of "Lifetime"? The latter would
seem more impressive and potentially get more people to spring for the price.

I realize that if someone hasn't emailed you in the last 6 months, they're not
really an active concern. But customers aren't thinking that deeply when they
go to purchase — they're just looking at the time periods and dollar amounts
and weighing the options.

~~~
jivings
Yes, there are a couple of reasons;

1\. Like you mention, if you don't receive a subscription in the last 6
months, it's probably not something you're bothered about.

2\. Scanning some users' inboxes is very bandwidth intensive, and time
consuming (some people never delete an email). We experimented with 1 year
scans and some users just give up waiting. We could probably improve the
process, however due to point 1, we think 6 months is probably adequate.

------
butz
"The only folder we exclude is the spam folder." I would pay for a service
that unsubscribes my email from spam senders. Especially those without
unsubscribe link in email.

~~~
jivings
Where did you get that quote from?

We don't exclude the spam folder.

------
jxr006
Forget email. How about killing the spam phone calls.

