
Unroll.me - nav
https://daringfireball.net/linked/2017/04/23/heartbreaking
======
merricksb
Active discussion:

[https://news.ycombinator.com/item?id=14181152](https://news.ycombinator.com/item?id=14181152)

------
jonheller
This may sound silly, but I consider any application that requests full read
access to my Gmail account to be akin to asking for my social security number.

I remember when the big wave of smart email apps first came out a few years
ago, and the horror was the expressed here when it was revealed that these
apps basically route all of your email through their servers in order to do
processing on it.

Sadly at lot of the trepidation about services like that seems to have abated
-- or maybe the general population just isn't aware of how intrusive these
types of services could be. But I would never allow any third party service to
access my email.

~~~
jerf
"This may sound silly, but I consider any application that requests full read
access to my Gmail account to be akin to asking for my social security
number."

Have you ever emailed your social security number, had your social security
number emailed to you, or signed up for any sort of service to your gmail
account including your paycheck management company, your tax returns, your
bank, or anything else that via email password reset could be used to access
your social security number?

Certainly I'd go so far as to say that almost anybody's "real" gmail account
could certainly be leveraged to get the last four digits of your social
security number. Given the low entropy of the other 5 numbers given other
details [1], even if you can say with a straight face that your email has
_never_ had your very, very regex-able social security number in it, it's
still got _most_ of the bits, most likely. Perhaps not enough to automatically
target you without a bit more machine learning than I think we quite have at
the moment, but... getting perilously close, honestly. Someone who really
dedicated themselves to taking "gmail inboxes" and writing a system to
determine social security numbers from that could probably do pretty well. It
wouldn't quite be just "fire some machine learning at it", but the system as a
whole seems pretty feasible to me.

[1]:
[http://www.stevemorse.org/ssn/ssn.html](http://www.stevemorse.org/ssn/ssn.html)
. It isn't _quite_ as bad as it seems for many of us, because we didn't all
used to get SS numbers at birth, so my SS number does not correspond to my
birth. But if you have my last 4 numbers and a handful of other bits of
information about where I've lived, it's distressingly few bits between me and
my identity getting stolen.

~~~
jonheller
Oh, I would not be surprised if my SSN is floating somewhere out there because
of something like this. So that's a good point. I was more making the
comparison because I was looking for an analogy to something most people at
least try to guard heavily.

------
HappyTypist
I looked on their website, Frequently Asked Questions, and even hovered over
text like "Unroll.me is a free service" in order to find a disclosure.

I could not find ANY disclosures whatsoever.

Nowhere does Unroll.me disclose that they sell your emails to the highest
bidder.

I wish we had a FTC that could bankrupt Unroll.me's previous and current
founders and executives. Absolutely despicable behaviour.

~~~
eganist
Terms of Service pointed me to their Privacy Policy.

Privacy Policy indicated the following:

> We also collect non-personal information − data in a form that does not
> permit direct association with any specific individual. We may collect, use,
> transfer, sell, and disclose non-personal information for any purpose. For
> example, when you use our services, we may collect data from and about the
> “commercial electronic mail messages” and “transactional or relationship
> messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et.
> seq.) that are sent to your email accounts. We collect such commercial
> transactional messages so that we can better understand the behavior of the
> senders of such messages, and better understand our customer behavior and
> improve our products, services, and advertising. We may disclose,
> distribute, transfer, and sell such messages and the data that we collect
> from or in connection with such messages; provided, however, if we do
> disclose such messages or data, all personal information contained in such
> messages will be removed prior to any such disclosure.

Damningly, if they're collecting and disclosing transaction details, they're
also technically conveying personal information given the ease by which
identities can be reversed from this sort of data.

------
elahd
I prodded unroll.me a couple of years ago about their data retention policy.
Their answer was sketchy so I ended up not using the service. I'm surprised it
took this long for someone with reach to look into them.

Original thread:
[https://twitter.com/elahd/status/575692415132135425](https://twitter.com/elahd/status/575692415132135425)

DMs: [http://imgur.com/H0UABYa](http://imgur.com/H0UABYa)

~~~
kdoherty
I have tried the service, and my interactions with it have confirmed all
perceived sketchiness:

In a moment of desperation, I signed up for this a while back. I found it not
to be useful and tried to remove my account with the site, which turns out to
be essentially impossible.

I ended up revoking access to my email account and continued to receive emails
from unroll.me that the service "has lost its connection to your account,"
which I found hilarious, because in my desperate attempt to get rid of spam, I
created more.

I've tried to unsubscribe from these unroll.me emails several times before,
and the unsubscribe link takes me to a page containing all the subscriptions
that the service once found on my account (the one you'd see if you were
trying to use the service---so all that data is still there, for sure, and it
has been many months), and I have never actually been unsubscribed.

~~~
elahd
...and they still have all of your emails! You can't take back the emails
they've already archived, which (presumably) is everything that was in your
inbox before you disconnected your Gmail account.

------
eganist
Basically a repost of
[https://news.ycombinator.com/item?id=14180463](https://news.ycombinator.com/item?id=14180463)

Had to search my inbox as a sanity check to make sure I hadn't signed up for
the service. Turns out I hadn't, but it was pitched on Product Hunt both in
April 2015 and May 2016.

I'm hoping at least security folks made the mental connection that signing up
meant compromising your personal emails. That's the single reason I didn't
bother.

~~~
Freak_NL
> Had to search my inbox as a sanity check to make sure I hadn't signed up for
> the service.

Wouldn't you remember granting a third party full access to your email inbox?
That doesn't seem like a trivial decision to make.

~~~
eganist
I trust my brain but verify my memories from time to time. :)

------
timsayshey
Great, I'm sold on leaving unroll.me but I think there is a deeper problem
here. Email is so insecure and if you're already using Gmail then who knows
who Google is selling your emails to. Google is just a lot better about
keeping it a secret. Fooling yourself into thinking your emails are secure if
you're not using Unroll.me is a joke. Also, please suggest a secure
alternative when telling people to leave a service over security. I'd love to
switch to something else that gives me some false sense of security but
shutting off unroll.me and allowing my inbox to implode with spam is not a
great option right now.

~~~
yladiz
Although I've since moved on from Gmail, because I don't like Google having
access to all of my emails and harvesting the data from them, I do trust
Google as far as sanitizing emails much more than a service like Unroll.me.

As far as a different service, I found Unroll.me to be just another annoying
email I had to read and found it kinda useless since if I wanted to "roll up"
an email, I had to read the daily email to see what it suggests and then add
to my rollup list. My solution was to just unsubscribe from any email that I
didn't actively read (which was most of them). Especially given that most
services are one-click unsubscribe now in the Gmail interface or Mail.app,
it's pretty simple compared to a few years ago.

------
gdulli
> operating under the radar

The privacy policy is clear and easy to find and understand. You can be
annoyed with yourself for not reading it. You can decide the service isn't
worth the tradeoffs. You can be annoyed with yourself for being naive about
how free products work.

But it's illogical and disingenuous to call this "under the radar" or blame
the service for your own surprise about how it works. We have free will and a
responsibility to understand the agreements we enter into. Admitting so
casually that we can't handle those things is a scary thought.

~~~
mikeash
Few people read privacy policies. Everybody knows this. The people making this
product know this. If the only place they explain it is in the privacy policy,
then they are _knowingly_ and _intentionally_ putting it in a place where most
of their users will not see it.

~~~
gdulli
> Few people read privacy policies.

People have free will and that's their choice. I'm not surprised that most
don't. I rarely do. But it doesn't make sense that the people who have strong
feelings about privacy aren't reading them. You can't give up what's clearly
your own personal responsibility and then blame someone else for the
consequences.

~~~
mikeash
I agree that blame should go to people who care about privacy and then don't
read privacy policies.

However, blame should _also_ go to companies that hide important privacy info
in privacy policies, with the full knowledge that most of their users will
never see it.

Given that the company here is a single entity, while their users are a
disorganized mass, I think the company should bear much more responsibility
for fixing the situation. They can unilaterally fix it for _everybody_ , while
their users can't.

The company also exists with the sole purpose of running its business. That is
all they do. Their users, on the other hand, are quite busy doing many other
things and dedicate perhaps 0.1% of their time to doing business with this
company.

In a relationship that's this lopsided, we should not hold both sides to the
same standard. The company should bear _far_ more responsibility for hiding
important information where nobody will read it than their users should bear
for not hunting it down.

Edit: it occurs to me that this is basically like getting conned. Somebody
spins a story at a gas station about how they're trying to get to Cincinnati
and they just spent their last $5 on money for their sick kid and can you just
help a guy out, and they manage to con some poor sucker, do we focus our ire
on the con artist or on the sucker? I'm OK with telling the sucker that they
should be more careful and they shouldn't have fallen for the story, but they
are ultimately the victim here, and the culprit is the scammer.

~~~
gdulli
> Somebody spins a story at a gas station about how they're trying to get to
> Cincinnati and they just spent their last $5 on money for their sick kid and
> can you just help a guy out, and they manage to con some poor sucker, do we
> focus our ire on the con artist or on the sucker?

That is just ridiculous. You're describing a lie. This situation has
transparency that people have simply chosen to ignore. Fine print isn't a
crime.

~~~
mikeash
Lying is about intent. When you know that people will expect a reasonable
level of privacy by default, and that people won't read your privacy policy,
then selling all of their data and only mentioning it in your privacy policy
is _also_ lying.

------
siddhant
I find it fascinating that there are services which require access to your
_complete inbox_ , irrespective of how useful they might be or what they've
written in their privacy policy. Every single email you ever sent/received,
and every single email you will send/receive. Maybe I'm being paranoid, but
sorry, that's just a huge "no" in my book.

------
hncommenter13
Someone is selling similar data to investors via Quandl. The source is
confidential, however, so it's unclear if this is Unroll.me as well.

[https://www.quandl.com/alternative-data/email-receipt-
data](https://www.quandl.com/alternative-data/email-receipt-data)

------
spcelzrd
Selling data to the highest bidder doesn't surprise me. Users should expect
this, but since it's all buried in TOS, only more savvy users are going to
know or notice.

Maybe it's time for some ethical standards among developers. Dumping email to
an insecure server should be something that every developer would refuse.
Somebody was just following order.

------
meagher
> If you're not paying, you're the product.

Facebook, Google, ..., Unroll.me

~~~
ZeroGravitas
And if you are paying, they can make an extra buck by selling you out too.

------
dickbasedregex
Scummy to say the least.

------
jbmorgado
If you have ever used the service, it probably has still almost full access to
your gmail account (I noticed it had in mine).

You can remove its authorisations at:
[https://myaccount.google.com/permissions](https://myaccount.google.com/permissions)

~~~
hoektoe
Thanks for the link for the lazy

------
accountyaccount
Typically I'd expect this data to be anonymized, but when it's your entire
inbox how anonymous can it really be?

------
franciskim
I used unroll.me once but it didn't really work so I removed it.

------
nhangen
I don't find the practice ethical at all, but that said, don't understand why
anyone would be surprised by this. Users are almost always the product.

Seems like the Gruber version of outrage porn.

~~~
edw
I disagree. If think it's the false sadness — er, "heartbreak" — expressed by
the CEO in response to users being upset that angers Gruber. It's one thing to
be a straight up sociopath and run your sociopathic business but quite another
to pretend you care one iota about the people who you are monetizing by
turning them into a personal data slurry.

By the way, folks seem to be intent on down voting your comment into oblivion.
That, sadly, seems like increasingly typical behavior here, and elsewhere on
the internet. The thinking seems to be: "I don't agree with your opinion
therefore I will do my best to make your opinion disappear." Does that make
anyone smarter? Perhaps someone was deeply, personally offended — in which
case, off with your head, right?

~~~
nhangen
I get it. I just think Gruber is a hypocrite. Wasn't long ago he was invited
to an Apple meeting so he could then write a blog post shilling for them.

The boundaries broken are not comparable, but I just don't feel that Gruber
has any moral high ground to stand on because of his affiliation with members
in the industry.

In addition, it's not like we haven't seen this act before with company CEO's.
This sort of thing happens all of the time, and in every industry. He's a
smart guy, but his post seems overly-reactionary.

I am less bothered by the CEO's comment than by their monetization strategy,
but then again, I don't really see the need for the product in the first
place.

