
We Can Do Better - minimaxir
http://blog.unroll.me/we-can-do-better/
======
cylinder
Give me a break!

>"So it was heartbreaking to see that some of our users were upset to learn
about how we monetize our free service."

This reminds me of the United CEO "apology" that wasn't. Really, your gentle
little heart was just _shattered_ to learn people were upset that you _send
their bloody Lyft receipts from their email inbox to Uber!!_ You poor soul!

You know, America, you could do with less bullshit. I would respect this guy
more if he said simply, "We offer a service at no charge, and in order to make
money, which is what we need to live and so do our employees, we mine data
from inboxes and sell it. This is all in our privacy policy which I advise
everyone read before they hand anyone access to their email."

~~~
dsfyu404ed
>"We offer a service at no charge, and in order to make money, which is what
we need to live and so do our employees, we mine data from inboxes and sell
it. This is all in our privacy policy which I advise everyone read before they
hand anyone access to their email."

You can deal with that. I can deal with that. Most people here can deal with
that. A lot of people can deal with that. The news can put some spin on that,
use it to enrage a bunch of people who don't know any better causing a problem
that makes shareholders unwilling to deal with that.

Welcome to the modern world. Being frank about things isn't a risk worth
taking.

~~~
fatbird
Are you seriously suggesting that lying-by-small-print is somehow the more
moral course for them to have taken?

~~~
mikeash
I think they might just be saying that we tend to reward lying and punish
honesty, so we shouldn't be too surprised when this sort of thing happens.

It frustrates the shit out of me, but I think it's true in many cases. This
company would have died instantly if they had been up-front about what they
were doing. By lying, they've managed to have some success. I don't condone
lying and I wish they wouldn't do it, but given the incentives, I'm not
surprised that they did.

~~~
fatbird
I take your point, but we didn't reward lying here--they profited as long as
we were unaware they lied. Once revealed, the ship is going down fast. This is
just to say that crime pays... until it doesn't.

What would be scandalous (and still might be) would be for this to be
revealed, and no one to care about it. I'm cautiously optimistic this might be
the case--even Uber's bad behaviour is catching up to it.

~~~
mikeash
I think we did reward lying. We didn't _intentionally_ reward lying, but
that's not what I meant. We don't intend for this to happen, but that's how it
works out the way things are set up.

The ship is going down fast, but how much money did they make in the meantime?
Will the CEO's salary and bonuses be clawed back? I doubt it.

------
mikeash
They don't get it. Their cardinal sin was not failing to disclose how they use
your data, although that certainly is a grave sin too. Their cardinal sin was
_selling their users' e-mails_.

Yeah, _if_ they were going to sell your Lyft receipts to Uber, they should
have been very clear that this was what they were doing. But that's secondary
to the fact that they never should have been doing that in the first place.

I think this bit sums it up perfectly:

"I can't stress enough the importance of your privacy. We never, ever release
personal data about you. All data is completely anonymous and related to
purchases only."

They care _so_ much about your privacy that they only sell info about the
stuff you buy, which is _definitely_ not personal in _any_ way, somehow.

We'll tell Uber about that time you went to visit your girlfriend, and we'll
sell info about that weird t-shirt you bought, but your privacy is _totally_
important. Yup.

Edit: I should probably clarify, I'm sure they _do_ get it, but they don't
care and want to keep selling your data, so they'll pretend like the failure
to disclose was the big problem.

~~~
k__
Did they sell it that way?

Or did they simply sell something like "of our 100000 users, 30% bought Lyft
rides."?

I mean, I still think it's wrong, but selling who bought what is a bit
different than selling how much of a group bought how much of an item.

~~~
mikeash
If all they sold was a count and a percentage, that would be pretty benign.
But what are the odds?

Their privacy policy lets them sell individual messages as long as they're
scrubbed of "personal information." Where their bar is for that is anyone's
guess.

If all they wanted to do was collect and sell aggregate data, you'd think they
would say so, and would have reiterated it in their "apology." If they
actually gave a shit about their users' personal data, they'd make sure their
privacy policy was as restrictive (for the company) as possible while still
permitting them to operate.

~~~
ivv
Slice sells aggregated order data for categories of goods by brand, calculated
by looking at email receipts. Things that are useful for calculating overall
demand, seasonality, market share, etc. I don't know about selling the actual
email content; would be surprised if they did. (Not affiliated with Slice, but
am an occasional data buyer, which is how I know of them.)

~~~
mikeash
From their privacy policy:

"We collect such commercial transactional messages so that we can better
understand the behavior of the senders of such messages, and better understand
our customer behavior and improve our products, services, and advertising. We
may disclose, distribute, transfer, _and sell_ such messages...." [emphasis
mine]

Of course they might not sell your messages, but it's pretty weird that they'd
put up a "we totally can sell your vaguely anonymized messages" and then not
take advantage of it. What they sell to Uber may not be what they make
available to you.

Even if they don't currently, they could start doing so at any time. And even
if you somehow trusted them not to, they could get bought out by someone not
so trustworthy.

~~~
ivv
They could be, no disagreement there.

Now I'm curious: what is the commercial value in the aggregated email content
that would make someone want to pay for it, besides the purchase and receipt
data that Slice is already providing (plus subscription and open rates)?

~~~
mikeash
Lyft receipts provide origin and destination addresses as well as the exact
date and time. That would be tremendously valuable for Uber. That info could
be aggregated and then sold to Uber, or their privacy policy would also allow
them to just scrub these e-mails (and the manner of scrubbing is not
specified, so who knows if they consider the exact origin and destination
locations to be personal information or not) and sell them to Uber directly.

~~~
ivv
Makes sense. The clickstream data that ISPs are now free to sell would be a
goldmine then.

~~~
mikeash
Totally! It'll be a golden age for targeted advertising. Maybe less so for the
targets of advertising.

------
jwilliams
If you're jumping off Unroll.me, first log into unroll.me via your Google
Login. Go to settings, turn off everything (like the ad tracking) and then
delete your account. It's at the bottom of the page in light grey. They'll ask
why you're deleting. I'd suggest choosing "privacy".

After that, head into Google > Account > "Connected Apps & Sites" > Manage
Apps -- and then explicitly remove Unroll.me there too.

Don't do the reverse as the Google Access is needed to log in and delete the
Unroll-side data*

* Assuming they delete anything, but still worth doing.

~~~
jacquesm
If they don't delete it and they have European customers they are breaking the
law.

~~~
MichaelBurge
How does that work? If I have a server in my US living room, and someone from
an overprotective country visits my server, and my pokemon trading site sets
an is_deleted flag to keep foreign keys valid, can you really say I'm breaking
the law?

It doesn't seem like laws specific to some European country should apply
anywhere outside of that country. I can maybe see the EU (since they like to
apply laws everywhere).

You did call them 'customers', which means there's an exchange of money. Is
there a restriction on European banks to prohibit them from dealing with sites
that don't comply with the country's law?

~~~
jacquesm
Don't do business in the EU if you don't intend to respect the laws. I find
the word 'overprotective' out of place in your comment, it says that you feel
that once someone gives you their data it is yours to do with as you please.

As for laws specific to a country applying outside it: you can do whatever you
want but the moment you hold assets abroad or intend to travel you are
exposing yourself to potential legal action, something always good to keep in
mind. The United States has a long history of enforcing its laws outside its
borders.

Also, you are wrong about how you'd go about implementing such deletion. You
don't need an 'is_deleted' flag at all to keep your foreign keys valid, all
you would have to do is to overwrite the record with random data or blank the
personally identifiable fields and delete anything that that user has given
you. That's not that hard and purposefully mis-implementing that would not
look very good if it ever came to a lawsuit. Pro-tip: consult with a lawyer
versed in the matter if you want to do this stuff at all; it is better to do it
by the book.

"Keeping foreign keys valid" is not an excuse to break the law.
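
The in-place erasure described in the comment above, sketched as an added example that is not part of the original thread. The schema, table names and the `erased-...@invalid.example` placeholder are assumptions made up for illustration.

```python
import secrets
import sqlite3

# Constructed schema and rows for illustration only.
SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY,
    email        TEXT NOT NULL UNIQUE,
    display_name TEXT
);
CREATE TABLE trades (
    id        INTEGER PRIMARY KEY,
    seller_id INTEGER NOT NULL REFERENCES users(id),
    buyer_id  INTEGER NOT NULL REFERENCES users(id),
    item      TEXT NOT NULL
);
CREATE TABLE messages (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    body    TEXT NOT NULL
);
"""


def make_db():
    """Build an in-memory database with two users who traded with each other."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "Alice"),
                      (2, "bob@example.com", "Bob")])
    conn.executemany("INSERT INTO trades VALUES (?, ?, ?, ?)",
                     [(1, 1, 2, "Pikachu"), (2, 2, 1, "Eevee")])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                     [(1, 1, "my phone is 555-0100"), (2, 2, "thanks!")])
    conn.commit()
    return conn


def erase_user(conn, user_id):
    """Erase one user's personal data while keeping referencing rows valid.

    The users row survives as an anonymous tombstone, so trades that point
    at it still satisfy their foreign keys. No is_deleted flag is involved.
    """
    with conn:  # one transaction: commit on success, roll back on any error
        # Content the user gave us is deleted outright.
        conn.execute("DELETE FROM messages WHERE user_id = ?", (user_id,))
        # Identifying fields are overwritten. A random placeholder keeps the
        # NOT NULL UNIQUE constraint on email satisfied without being
        # derivable from the old address.
        placeholder = f"erased-{secrets.token_hex(8)}@invalid.example"
        cur = conn.execute(
            "UPDATE users SET email = ?, display_name = NULL WHERE id = ?",
            (placeholder, user_id),
        )
        if cur.rowcount != 1:
            raise LookupError(f"no user with id {user_id}")


def fk_violations(conn):
    """Return SQLite's list of foreign-key violations (empty when consistent)."""
    return conn.execute("PRAGMA foreign_key_check").fetchall()


if __name__ == "__main__":
    db = make_db()
    erase_user(db, 1)
    print(db.execute("SELECT * FROM users").fetchall())
    print(db.execute("SELECT * FROM trades").fetchall())
    print("FK violations:", fk_violations(db))
```

This covers the live tables only; backups, logs and caches holding the same fields need their own handling.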

~~~
yladiz
Prefacing that I think we all have a right to privacy/right to be forgotten,
or whatever phrasing is used for this in the EU, as a thought exercise, I'm
wondering if you didn't want to abide by this, could you effectively do it? If
I run an app and didn't want to handle the whole process of deleting user data
or wanted to keep it for later, for whatever reason, would it be possible to
forbid/block EU users/customers from using the website?

~~~
rovr138
Make that part of your terms. We don't fully delete the data. We don't allow
for this reason EU residents since we can't comply with law XXXX.

If they use it, they're the ones breaking the agreement.

Not sure what would happen though. If they sue you, you can probably sue them
back. But not sure what you would end up needing to do.

------
nommm-nommm
A very important part of a good apology is, in no unclear terms,
_acknowledging what you did wrong_ - they do not do that, it's extremely
vague and only hints at "we weren’t explicit enough." Explicit about what? Why
were people upset? It also gives a mild air of "sorry you were upset"
non-apology. Not quite, but definitely gives off that vibe.

Basically, bad apology

So, I'm totally unfamiliar with this and the CEO doesn't elaborate on what
happened at all so can someone give some context? Reading this thread I can
see it is something to do with GMail...

What is/was unroll.me? What service did they claim to provide? What did they
get caught doing? How did they get caught? What did their private policy not
say?

BTW, if you are interested in the art of the apology and apology analysis
check out [http://www.sorrywatch.com](http://www.sorrywatch.com) particularly
[http://www.sorrywatch.com/2012/12/11/the-parts-of-a-good-
apo...](http://www.sorrywatch.com/2012/12/11/the-parts-of-a-good-apology/) and
[http://www.sorrywatch.com/2012/12/12/parts-of-a-bad-
apology/](http://www.sorrywatch.com/2012/12/12/parts-of-a-bad-apology/)

~~~
Prefinem
I was a user of unroll.me (one off cleanups of spam here and there). It
automatically unsubscribes emails for you based on your preferences, etc. To
do this, you give them access to your GMail account. Apparently they were
scraping your GMail account for information and selling it to third parties.

~~~
fortenforge
I don't think they actually unsubscribe you. They basically sit in front of
your incoming email and don't pass on emails that match specific patterns.
(And apparently sell that sweet, sweet anonymized data)

~~~
Prefinem
I am not sure if they do or do not, but their tag line is

>Instantly see a list of all your subscription emails. Unsubscribe easily from
whatever you don’t want.

So, probably makes sense for them not to unsubscribe so they can still get any
info on you but to the layman, it would seem they unsubscribe you from emails.

------
Alex3917
As someone with a startup that heavily leverages Gmail OAuth, this kind of
thing is upsetting because it causes folks to lose trust in the technology.
Google is partly at fault here though. There should be an audit trail visible
to users so that they can see every time a third-party service downloads a
message or an attachment. There should also be more granular scopes so that
folks can, for example, authorize access to only email threads with certain
labels, including the built-in labels. (E.g. only personal email or only
commercial email.)

It would also be nice if there were a way for folks with the gmail ID of a
thread to download the parsed thread/attachments from Google, with a special
scope designed for this. (So that services can get the entire DKIM-validated
thread by just letting users copy an address, forward the last message, or via
a plugin.)

I spent over a week writing our TOS, privacy policy, and security page, but
privacy laws and the underlying technology should be sane enough by default
that people shouldn't need to feel like they need to closely parse every word
before signing up.

~~~
xur17
The ability to restrict access to specific domains would be really helpful for
a lot of use cases.

For example, there are several travel apps that watch for flight and hotel
emails, and then track them / notify you about them. If I could give the app
permission to access emails from delta.com, united.com, southwest.com, and
aa.com, I would be a lot more comfortable granting access. As it is now, I
have to give the app read AND write access to ALL email.

~~~
lurker456
There is a workaround for that. You can create a second account and create a
forwarding rule on the first to forward only mails from delta.com, aa.com

~~~
Alex3917
That only works for individual email messages though, not for threads. So in
this case it would work, but it's not a great generalized solution, even by
hacky workaround standards.

------
elahd
I prodded unroll.me a couple of years ago about their data retention policy.
Their answer was sketchy so I ended up not using the service. I'm surprised it
took this long for someone with reach to look into them.

Original thread:
[https://twitter.com/elahd/status/575692415132135425](https://twitter.com/elahd/status/575692415132135425)

DMs: [http://imgur.com/H0UABYa](http://imgur.com/H0UABYa)

~~~
abuani
I interviewed with them a number of years ago, and particularly remembered
after the initial wave of interviews asking what they felt about their moral
obligation to protect users data because they had full read/write access to
emails. The response was overly vague and generic, so I wrote them off and
immediately removed myself from their service. I wasn't expecting them to be a
company a number of years later, and I didn't expect them to have been tied
into this. It's mind boggling to think that had I not asked that question, I
likely would have continued for my onsite interview and could very well have
been an employee with them at this time.

------
interpol_p
Wouldn't it just be better for them to come out and say:

"We were mining your emails for profit and tried to hide that in our marketing
and brand. We will continue to mine your emails if you want to use our free
service, but we'll be more upfront about it in the future."

Why bother trying to act sincerely apologetic? I'd be more sympathetic to them
if they would just bluntly state what they want to do.

~~~
dsfyu404ed
Emotions, feelings and naive people who think the world is black and white.
That's why.

~~~
interpol_p
I don't think their chosen approach has resonated well with their users at all
(emotionally or intellectually). People find it hilariously insincere and
insulting.

It seems it would be better received if they were up-front in this instance.

They might as well tell their users, "This is how it is. Take it or leave it."
Instead of trying to wrap that same message in a layer of false sincerity and
lies.

~~~
jerf
Part of what we can't see is what percentage of their user base is even going
to hear of this. HN may be up in arms, but if that's all that happens it may
not amount to much. Then again, huge swathes of their user base may in fact be
HN or people influenced enough by people reading this article to delete it.
It's hard for us to know from here.

Speaking for myself, I'd never even heard of this company, so I doubt it's an
HN darling particularly.

------
hprotagonist
john gruber's take:
[https://daringfireball.net/linked/2017/04/23/heartbreaking](https://daringfireball.net/linked/2017/04/23/heartbreaking)

------
wallflower
> At the time, which was over three years ago, they had kept a copy of every
> single email of yours that you sent or received while a part of their
> service. Those emails were kept in a series of poorly secured S3 buckets.

From
[https://news.ycombinator.com/item?id=14180463](https://news.ycombinator.com/item?id=14180463)

However, their Privacy Notice claims to not store emails that are not personal
emails but certain types of "commercial" emails as defined by the CAN-SPAM
act.

Are they really hoovering up everything?

From [https://unroll.me/legal/privacy/](https://unroll.me/legal/privacy/)

> We also collect non-personal information − data in a form that does not
> permit direct association with any specific individual. We may collect, use,
> transfer, sell, and disclose non-personal information for any purpose. For
> example, when you use our services, we may collect data from and about the
> “commercial electronic mail messages” and “transactional or relationship
> messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et.
> seq.) that are sent to your email accounts. We collect such commercial
> transactional messages so that we can better understand the behavior of the
> senders of such messages, and better understand our customer behavior and
> improve our products, services, and advertising. We may disclose,
> distribute, transfer, and sell such messages and the data that we collect
> from or in connection with such messages; provided, however, if we do
> disclose such messages or data, all personal information contained in such
> messages will be removed prior to any such disclosure.

We may collect and use your commercial transactional messages and associated
data to build anonymous market research products and services with trusted
business partners. If we combine non-personal information with personal
information, the combined information will be treated as personal information
for as long as it remains combined.

Aggregated data is considered non-personal information for the purposes of
this Privacy Notice.

~~~
canspamcancan
> However, their Privacy Notice claims to not store emails that are not
> personal emails but certain types of "commercial" emails as defined by the
> CAN-SPAM act.

> Are they really hoovering up everything?

I worked on a competing product a long long time ago. (Well, a competitor in
the "all your emails are belong to us" space.)

The way ours worked was that we hoovered everything, but before we provided any
analytics staff access to it, we grabbed only emails of interest, tokenized
the data in them, and then copied them to the analytics data store.

But we were constantly refining what "of interest" meant, which means that we
had to go back and rescan the archives periodically, which would always turn
up new stuff for the analytics team. The need to rescan historical data as
the models improved meant that we had to keep all of the source material, even
if it wasn't accessible to the people who were most interested in looking at
it.

------
specializeded
Disgusting company, disgusting "apology".

Add the specific names involved (e.g. Jojo Hedaya) to a list in your head,
they'll inevitably be involved in more shadiness throughout the years and it's
fun to reminisce.

~~~
RubenSandwich
I agree that this is completely appalling and their apology is basically
"Sorry you didn't know." But let's not characterize Jojo Hedaya as a bad guy
just yet, I did a basic search and didn't find anything else shady from him.
I guess what I'm saying is let's give him a chance and hope for the best, one
big thing like this shouldn't mean he is beyond redemption. At least that is
what I hope and believe about humanity.

------
ed
As mentioned in the comments, you'll want to go here and revoke access:

[https://myaccount.google.com/permissions](https://myaccount.google.com/permissions)

Even after deleting your unroll account, they'll have access until you revoke
it.

~~~
bvi
I had deleted my unroll.me account several months back - yet I still receive
emails from time to time about the new subscriptions I have. They've not had
permissions in my Google account since I deleted my account, so it's odd that
I keep getting emails from them.

------
jacquesm
What I always wonder about when I see businesses like these: What comes first?
Do they first think about what they could sell and then go about setting up a
service that gets users to provide them with that data or do they first create
a nice service and then realize they have to keep the lights on somehow?

~~~
wallflower
Example of the former.

[http://shoparoo.com](http://shoparoo.com)

~~~
kevinmannix
In what way? Genuinely curious.

~~~
wallflower
> Shoparoo is trying to take grocery product collection programs, like General
> Mills Box Tops for Education, into the smartphone age. Our primary business
> is market research, specifically collecting item-level purchase data from
> households, said CEO Jared Schrieber in an interview. We developed an
> amazing technology that allows this data to be captured in just seconds via
> people simply snapping pictures of their receipts with their smartphones.
> However, this begged the question, how could we encourage a large number of
> people to spend a few seconds after each shopping trip taking pictures of
> their receipts? Our answer, Shoparoo, was inspired by the Box Tops for
> Education school fundraising program where parents spend a few moments of
> their time cutting out product labels from grocery products.

[http://betakit.com/shoparoo-partners-with-unilever-to-
turn-r...](http://betakit.com/shoparoo-partners-with-unilever-to-turn-
receipts-into-funding-for-schools/)

------
kristianov
I feel so frustrated. This Jojo CEO is just gonna get away with it, and in a
few days people will forget. He will continue his status as a "successful
entrepreneur", getting investments and still selling customer private
information to whomever or whatever.

And nothing's gonna happen to protect users' privacy. All I (or anyone) can
do is to use fake accounts to sign-up for free services.

------
rdtsc
> We never, ever release personal data about you. All data is completely
> anonymous and related to purchases only.

Can someone explain how this works? I've heard they sold customers' Lyft
receipts to a competitor. How do they sell receipts by making it completely
anonymous? Do they have someone there by hand monitoring what is users'
private data and what isn't?

~~~
ocdtrekkie
I would assume that since a Lyft receipt has a predefined format, it isn't too
difficult to script the scrubbing of particular lines of data, assuming Lyft
doesn't change their format.

Of course, if they do change their email format, your script is probably
letting data leak until you notice and fix it, but obviously privacy wasn't
the top priority on Unroll.me's minds in the first place.
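
The failure mode described in the comment above, as an added example that is not part of the original thread: a scrubber that strips known lines passes new ones through when the layout changes, while one that releases only recognised fields refuses instead. The receipt layout, field names and the choice of released fields are all made up for illustration and are not any real vendor's format.

```python
import re

# Constructed receipts in an invented layout.
RECEIPT_V1 = """\
Ride receipt
Rider: Jane Doe
Date: 2017-04-20 18:42
Pickup: 12 Example St
Dropoff: 99 Sample Ave
Total: $14.50
"""
# The same receipt after a hypothetical template change renames two labels.
RECEIPT_V2 = RECEIPT_V1.replace("Pickup:", "From:").replace("Dropoff:", "To:")

DENY_PREFIXES = ("Rider:", "Pickup:", "Dropoff:")


def scrub_denylist(text):
    """Fail-open scrubber: drop lines known to be personal, keep the rest."""
    kept = [ln for ln in text.splitlines() if not ln.startswith(DENY_PREFIXES)]
    return "\n".join(kept)


class UnknownFormat(ValueError):
    """The message does not match the template the scrubber was written for."""


# Every line of the expected template. The second item names the output
# field to release, or None when the line is recognised but never released.
KNOWN_LINES = {
    "title":   (re.compile(r"Ride receipt"), None),
    "rider":   (re.compile(r"Rider: .+"), None),
    "date":    (re.compile(r"Date: (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}"), "date"),
    "pickup":  (re.compile(r"Pickup: .+"), None),
    "dropoff": (re.compile(r"Dropoff: .+"), None),
    "total":   (re.compile(r"Total: \$(\d+\.\d{2})"), "total"),
}


def scrub_allowlist(text):
    """Fail-closed scrubber: release only allowlisted fields, or nothing.

    Any unrecognised or missing line raises UnknownFormat so the message can
    be quarantined for review instead of being passed on.
    """
    out, seen = {}, set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        for name, (pattern, field) in KNOWN_LINES.items():
            match = pattern.fullmatch(line)
            if match:
                seen.add(name)
                if field is not None:
                    out[field] = match.group(1)
                break
        else:
            # Report the position only; the content may itself be personal.
            raise UnknownFormat(f"unrecognised line {lineno}")
    missing = set(KNOWN_LINES) - seen
    if missing:
        raise UnknownFormat(f"missing expected lines: {sorted(missing)}")
    return out


if __name__ == "__main__":
    print(scrub_denylist(RECEIPT_V2))   # addresses survive under new labels
    print(scrub_allowlist(RECEIPT_V1))
    try:
        scrub_allowlist(RECEIPT_V2)
    except UnknownFormat as exc:
        print("refused:", exc)
```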

------
newsat13
This is truly despicable. Honestly, they signed up users for a _completely_
different service and monetize by mining gmail data. TBH, I feel the same rage
against all Google services which are about taking notes, mail, contacts,
location and what not whereas in reality they are just mining away. For the
startups out there - the Big G is an exception because their service is so
wide spread and hard to ignore that people accept their mining as a necessary
evil but for others this is totally not a good business model.

~~~
zitterbewegung
You are selling google short. Google doesn't sell their consumer data to
anyone directly. They use it to help inform advertisers how to sell stuff to
you. Unroll is directly selling data about their customers to third parties
for whoever will pay.

~~~
newsat13
This is not true of unroll. From the blog, "I can't stress enough the
importance of your privacy. We never, ever release personal data about you.
All data is completely anonymous and related to purchases only. To get a sense
of what this data looks like and how it is used, check out the Slice
Intelligence blog.". So they are the same as Google.

At the end of the day, nobody outside the company truly knows if either of
them sell identifiable information.

~~~
TheCoelacanth
YMMV on how anonymous anonymized data actually is considering that most people
are uniquely identified by the combination of date of birth, zip code and
gender[1].

[1]
[https://news.ycombinator.com/item?id=2942967](https://news.ycombinator.com/item?id=2942967)

------
thatswrong0
They can do better.. yet they still haven't updated their FAQ. You'd think
that at the very least, before publicly trying to cover their asses,
they'd at least do the bare minimum and write SOMETHING about it on the FAQ.
Why even link to the FAQ from the blog post if you haven't touched it yet?

Don't say you're going to do something going forward, DO IT.

------
tlogan
Kinda unrelated.

As of now, it is _impossible_ to run a pure B2C SaaS which depends on users
paying for it.

Is this going to finally change the market so that B2C SaaS companies can
charge for their service? I doubt it.

The question here is: is our privacy dead? Maybe only we need a law to enforce
it?

If we make a law enforcing privacy, then many of these free services will stop
being free - causing even bigger digital divide.

What is the solution here?

~~~
Balgair
I think that yes, privacy is dead, to those that do not value it. Would you
trade your gmail history for a doughnut? If yes, then it is 'dead' and not
worth much, if no, you still have it, mostly.

The thing to look at is the economics of your privacy. Why has it died? I
think it is because your privacy has some intrinsic value to it. Averaged over
enough people and a long enough time, it has some average dollar value, like a
lotto ticket. However, it then becomes a commodity like all others, and
subject to markets and their rules. If everyone is collecting your privacy and
data and then trying to sell it, who is the buyer and what is the price? Who
is buying the data from Bose and their scummy headphones and how much are they
paying per 1k people?

To me, it seems that the market for 'data' is not at all transparent and that
is why there is a grab for the data. If these kinds of companies can convince
a potential buyer that their scummy headphones data is worth the price, then
maybe the buyer can take it and make more cash off of it. But I think that
since the markets are so inundated with people's 'data' that the price is not
worth much at all. I mean, when I look at 'targeted' ads or whatever, then all
I see is nonsense. I think that currently, the data is worth far too much due
to the lack of transparency in the market. Once everyone realizes that humans
are too random to target marketing towards, then the prices will drop and the
bottom will fall out of the market. The real money, as Apple and the Goog have
seen, is in walled gardens that force you to buy their products above all
others. Currently, we are in the 3rd round of this match, there is a lot more
fighting left.

------
marojejian
I'm a longtime Unroll.me user. I've found the service very useful.

I'm not sure how I feel about all this. But after reading the threads - I
think these things are true:

1) Unroll me does disclose that it sells your data in a way it considers
anonymized.

2) The CEO is here apologizing for not making this more clear, not for the
practice.

3) There is no evidence they violated their own terms.

What are people upset about most here? Is it the practice or weak disclosure?

If disclosure, what would constitute appropriate disclosure? I pretty much
assumed they were doing something like this. How else would they support the
service?

As a user, if they are selling my data in a way that is not linked to my name,
but used in aggregate statistics, why should I care? I don't think I do. In
fact, I can imagine such data would make the overall economy more efficient.

On the other hand, if such data is being used to ID me specifically, I am more
anxious. But there is no evidence of this, correct?

I am genuinely asking. I might cancel my account, but more over general
security anxiety, vs. what appears to have happened.

------
dmlittle
> from this point forward, with clearer messaging on our website, in our app,
> and in our FAQs.

Yet when you try to subscribe, are freaked out by the permissions required and
don't give access to your entire email you're greeted with the following
message: "Unroll.Me takes your privacy & security seriously"

------
mirimir
I remember hearing about unroll.me, last year or so. It made no sense to me,
at first. But then I got that they needed full access to my email accounts. I
was gobsmacked.

I really don't get why people would be OK with that. Somehow the possibility
of a cleaner inbox doesn't seem worth the risk of identity theft.

------
emaildata
Unfortunately there are many other services out there that sell user email
data to companies willing to pay for it. See www.boxbe.com which sells data
through www.edatasource.com, and getunsubscriber.com (which is similar to
unroll.me) and several other applications from www.otherinbox.com which sell
data through Return Path ([https://returnpath.com](https://returnpath.com))

Edit: to see how you can buy this type of information, see:
[https://returnpath.com/solutions/consumer-data-
insight/](https://returnpath.com/solutions/consumer-data-insight/)

------
smallgovt
I'm genuinely curious why people are insisting on assassinating this
company/CEO's reputation.

Selling anonymized user data is legal. In certain markets (like this one), any
company that does NOT sell your data (and therefore charges their users), will
be out-competed by companies that do.

Assuming there is a price to your online privacy (which most ppl clearly
believe since they use Google) and the value this product brings to market
exceeds that price threshold, we're better off for it.

It seems to me the way to enact change is through legislation/regulation. And,
anger towards any specific actor in this under-regulated field is misdirected.

~~~
aj0strow
I don't get it either. Google reads your email to serve better ads. You grant
unroll.me access to filter marketing campaigns. Now they read your email too.
Selling anonymous purchase info is pretty benign given the amount of access.

~~~
jeffjose
The difference is Google doesn't sell the data to other people. You agreed to
Google reading your email when you signed up for the service, with Google.

It's like saying, my travel agent knows my travel plans.

unrollme on the other hand was asked to do a specific task. And while they
were probably really good at it, they took it upon themselves to be curious
and find more information, black out some and sell that info to others.

It's like saying, your travel agent sells the data on what car you came in, what
you were wearing and what you were feeling when you came to discuss your
travel plans.

------
ben174
Something huge is missing here. This blog post states they're going to be more
clear about how they sell users' data, but I just read every word on the
Features and FAQs pages, and there's not a single mention of it.

[https://unroll.me/features/](https://unroll.me/features/)

[https://unroll.me/faq/](https://unroll.me/faq/)

------
Jerry2
I'm reminded of the (now old) adage: _'If you are not paying for it, you're
not the customer; you're the product being sold.'_

Before you decide to use one of these 'free' services, stop and think what
that will really cost you and whether you're OK with the price you will pay.
That way you will be less surprised (and outraged) when things like this are
revealed.

~~~
ocdtrekkie
Indeed. I'd like to flay Unroll.me for this, but really, I have a hard time
sympathizing with its users. People should realize by now that all "free
services" make money. And if you aren't paying them, someone else is. You
should probably understand a company's business model before you sign up with
them, and especially before you grant them access to your email account.

------
deegles
If Google were to release a rideshare service, would they be allowed to data
mine Gmail for the competitive data? Is that in their ToS?

~~~
jacquesm
They shouldn't but Google does not have much in terms of Chinese Walls
internally. The contents of your gmail account or youtube history could easily
affect your search results.

------
smallgovt
A lot of people want this company/CEO to be punished, but I don't think the
level of outrage is deserving.

1) There isn't anything inherently wrong with selling user data as long as
it's properly disclosed.

I understand that to some people, online privacy is of immense value -- almost
an inalienable right alongside life, liberty, and pursuit of happiness. But,
we also need to recognize that to others, online privacy has little to no
value.

Since there is such a range of value judgements, I think services like this
should be freely available for people who don't value online privacy.

It doesn't seem right to project one's value system/judgments onto others when
both value systems can peacefully co-exist.

2) The company's practice of selling data was properly disclosed in their ToS

I understand this is arguable, but imo, the ToS is a reasonable place for
proper disclosure. Your average consumer knows this sort of practice is
possible and also knows that the place to look for disclosure of said practice
is in the company's ToS.

------
pteredactyl
Why not just charge a fair price for their service? And why is this such a
novel concept?

It's offensive for a company to a) be involved in shady data practices like
this and b) for them to believe their customers are naive enough to fall for
it.

------
yamaneko
I revoked access two years ago, but I don't recall going through the steps for
deleting my data. Does anyone have any advice? Should I sign up again and
ensure that everything was deleted, then revoke access again?

------
nsxwolf
Light gray on white? I guess someone downvoted the hell out of that blog. That
can't be a deliberate design choice, right?

------
emperorcezar
Did people really sign up for this service without knowing it was being used
to data mine? If so, maybe you should sit back and think about how you use the
web.

Companies have to make money, and it's free, so it should be assumed they are
mining it.

Also, stop being idiots and saying that they are sending your receipts. As far
as we know they aren't. They are sending aggregate numbers. Just like the
dozen other free services you're probably using right now.

------
orless
Seems nowadays we need a kind of "remove.me" service to quickly remove your
account from certain services.

~~~
nommm-nommm
Best we have is
[http://backgroundchecks.org/justdeleteme/](http://backgroundchecks.org/justdeleteme/)

------
xbeta
Is there a way to completely cancel my account with Unroll.me ? And remove all
traces of my data with them?

------
thegabez
I wonder how many users they lost to release this same day.

~~~
jacquesm
Too few. If they're still in business next week I'd consider that a failure on
Google's part.

------
sdsdlkf
This is disingenuous. Clearly, he knew what he was doing.

------
NumberCruncher
I don't understand the outrage against unroll.me. From their privacy policy:

>> We may collect, use, transfer, sell, and disclose non-personal information
>> for any purpose.

They told me they gonna sell my data and now they sold my data. Bloody
bustards!

~~~
Chris2048
What's non-personal data? My emails are personal data!

------
alexkavon
Garbage.

------
mb389
account deleted

------
sagivo
I unsubscribed and removed access to my Gmail right after. Companies that
hide behind small print to tell you they read and sell your mails should not
access my private mailbox.

------
draw_down
Ugh. This wasn't a mistake, it was their business model.

~~~
TAForObvReasons
> Unroll.Me is a free service

"If you are not paying for it, you're not the customer; you're the product
being sold". The free services should worry you.

~~~
draw_down
Yeah yeah yeah

------
robertwpearce00
This is a reminder that if you're not the client, you're the product.

~~~
vkou
This is so trite, it is borderline meaningless.

Much of the time, you are both the client and the product. See, for example:
Cable television.

~~~
nikcub
It is. There is nobody here who hasn't heard it a dozen times, and the general
public audience it should be aimed at doesn't understand it.

Further, it is cited as a rule but it is far from one. Paying for a product
doesn't guarantee your privacy and using a free product doesn't mean your
privacy is being violated.

For ex. you can pay for Google Apps over Gmail but the privacy policy and
terms of use are still the same (I actually can't think of a single service
with a pro paid level where you _gain_ privacy - Flickr, Dropbox, Freshbooks,
Mailchimp, LinkedIn, Salesforce, Office online - you name it). Likewise there
are countless examples of free and open source software that do respect your
privacy.

I don't think there is a shortcut to teaching the general public about privacy
- especially not one that can be wrapped in a one line cliche.

~~~
pooper
> Paying for a product doesn't guarantee your privacy and using a free product
> doesn't mean your privacy is being violated.

While what you say is logical, it gets scary pretty quickly. What about Uber?
What about Airbnb? Or worse, what about PayPal, Intuit, Wells Fargo?

I propose a simple thought experiment as a band-aid. If we can't beat them, we
must join them. Every company that collects information about me, must
disclose the said information to me. Failure to disclose in a reasonable time
frame should result in an automatic fine worth 100x minimum wage per hour
every hour after the end of the reasonable time frame. Of course, we'd need
very strong whistle blower protection. This would be a terrible idea because
if it works (and I doubt it), it will have a huge chilling effect on small
businesses. Responding to all the requests would put them out of business.

I don't know what the solution could be... but I know educating people is
difficult especially when the people don't want to be educated.

~~~
matt4077
It's getting a bit repetitive in this thread, but I can't help but mention
that what you're proposing is the legal status quo in the EU.

At some point so many people started annoying Facebook with these requests
that they added a self-service option to download all the data they have on
you somewhere in settings. (Google has something similar, "Google Takeout")

~~~
pooper
I don't mind the repetition because I had no idea. Sorry, I am not very
familiar with laws even here and even more ignorant about EU matters.

------
dbg31415
Let's be honest, pretty clear that Google is already selling your anonymized
data (actually, I think it's their data according to the TOS you agreed to).
And giving your un-anonymized data to the government. Eww.

There's no reason to get up in arms here... there's no such thing as privacy
-- whenever you use a free service, you are the product being sold.

