
I worked for a company that nearly acquired unroll.me. At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets. A large part of Slice buying unroll.me was for access to those email archives. Specifically, they wanted to look for keyword trends and for receipts from online purchases.

The founders of unroll.me were pretty dishonest, which is a large part of why the company I worked for declined to purchase the company. As an example, one of the problems was how the founders had valued and then diluted equity shares that employees held. To make a long story short, there weren't any circumstances in which employees who held options or an equity stake would see any money.

I hope you weren't emailed any legal documents or passwords written in the clear.

situations like this is what makes it really hard for others in this space to survive. I run https://clean.email (and we don't store/retain/sell any data, just charge people to use it) and the biggest issue we have is lack of trust because of news like this.

although every day someone would still email with a question "why you are not free like unroll.me".. sigh.

I understand that you don't retain user emails, and that's good, but do I understand that your service has somewhere a database of OAuth bearer tokens that provide direct access to the email archives of everyone who has signed up for your service? How do you protect that? I would be terrified.

yes, that is correct. we actually started without keeping refresh tokens and only using access tokens – but they expire really fast and google api randomly stops accepting them so we had to start keeping refresh tokens as well.

they are encrypted and can only be decrypted by "scan" and "action" (delete, trash, etc) jobs, job servers are not exposed to the outside and can only be accessed via the private network via ssh using access keys and only from a specific node which has those keys. keys are password protected. access to that specific node is restricted to a set of known public ip addresses. database and job servers are different servers of course. database servers are also only accessible within the private network.

the only thing that's publicly exposed is a load balancer. to access anything else we log in to the "gateway" instance which we access by ip only and it does not have any domain name associated with it.

with all that – I am very open to ideas about protecting that further.

Encryption at rest? Backups and encryption thereof?

All job servers are stateless by design and easily disposable/replaceable with a fresh build so we don't back them up. we don't back up user data either – it's deleted within 24 hours (or immediately on request). the only thing backed up is a table with refresh tokens which are encrypted and decryption keys are not backed up with it.
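
The token-storage arrangement described in the comments above (refresh tokens encrypted in the database, keys held only by the job servers and kept out of the backup), sketched as an added example that is not clean.email's code or part of the thread. It assumes AES-256-GCM from Node's built-in `crypto` module; the key ring, key ids, record format and function names are all hypothetical.

```javascript
const crypto = require('node:crypto');

const ALG = 'aes-256-gcm';

// Constructed key ring. Assumption: it is loaded only on the job servers and
// is never written to the database or to the token-table backup.
function makeKeyRing(ids) {
  const keys = new Map();
  for (const id of ids) keys.set(id, crypto.randomBytes(32));
  return { current: ids[ids.length - 1], keys };
}

// Associated data binds a sealed token to its key id and owning account, so a
// record copied onto another user's row fails authentication.
function aad(keyId, userId) {
  return Buffer.from(`v1|${keyId}|${userId}`, 'utf8');
}

// Returns the string stored in the (hypothetical) refresh-token column:
// v1.<keyId>.<iv>.<ciphertext>.<tag>, binary fields base64-encoded.
function sealToken(ring, userId, refreshToken) {
  const keyId = ring.current;
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv(ALG, ring.keys.get(keyId), iv);
  cipher.setAAD(aad(keyId, userId));
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ['v1', keyId, iv, ct, tag]
    .map((p) => (Buffer.isBuffer(p) ? p.toString('base64') : p))
    .join('.');
}

// Runs only where the key ring is present (the "scan" and "action" jobs).
function openToken(ring, userId, record) {
  const parts = record.split('.');
  if (parts.length !== 5 || parts[0] !== 'v1') throw new Error('malformed record');
  const [, keyId, ivB64, ctB64, tagB64] = parts;
  const key = ring.keys.get(keyId);
  if (!key) throw new Error(`key ${keyId} is not available on this host`);
  const tag = Buffer.from(tagB64, 'base64');
  if (tag.length !== 16) throw new Error('unexpected tag length');
  const decipher = crypto.createDecipheriv(ALG, key, Buffer.from(ivB64, 'base64'));
  decipher.setAAD(aad(keyId, userId));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, key id or user id does not match.
  const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Re-seal a record under the ring's current key, e.g. after a key rotation.
function rotate(ring, userId, record) {
  return sealToken(ring, userId, openToken(ring, userId, record));
}
```

A restored backup of the token table holds only these sealed records; without the key ring from the job servers, `openToken` has nothing to decrypt them with.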

Well now you have an excellent value proposition you can point to for why you aren't free.

Yeah, I'm working on the website update right now to put ToS/policies front and center – "we can do a better job" communicating our policies :)

> the biggest issue we have is lack of trust because of news like this.

This gives you something fundamental to compete on.

Could you explain the limits of the free plan? Interested in trying this out but it's not clear what I'll get it and if/when I'll be forced to pay. That said, I understand the value in paying for such a service instead of selling off all my data.

Free plan allows you to clean (remove, trash, label etc) 1000 emails

Thanks! That sounds pretty reasonable. It would be great to have that explained somewhere on the site.

Hmm, makes sense. I went ahead and added it under pricing. Thank you :)

Awesome :) Minor nit, the grammar you're currently missing an article. It should be "Cleaning the first 1,000 emails is free!"

fixed that too. thank you again.

that's the thing about quick fixes lol :)

Interesting. I can't click your Terms of Use link. Would you happen to have a direct link handy?

We have them on the "about" page – https://clean.email/about – but we are actually working on a separate page right now. as I said above – we can and should do better putting our policies front and center.

it's kinda funny how ~50 people who came from this thread to our service illustrated the point of the lack of trust – not a single person registered :)

I clicked, I read your value prop, I just can't see myself paying $95+ /year for less obnoxious email in my inbox. It's really not that big of a problem to me.

ugh. I have "Yearly pricing to the homepage" sitting in my to-do list for a few weeks :) so – there's yearly pricing (and it starts with 14.99 / year (I know, this looks really weird, but it took us some time to get to this pricing)).

now, whether it's valuable enough to justify the price – depends a lot on how you use your email. we've got users managing 3-5 accounts with hundreds of thousands of emails each and they use our labeling/organization more than removal. think of it as of a way to act upon a group of emails no matter what the size of the group is.

(and I kinda think our website is not really good at communicating this – our traffic is mostly coming from android app right now and we've been putting website work off. who knew!).

Then why you complain?

You offer plain and simply ask for 8€ per month per account.

That's simply a ridiculous amount of money for 99% of the people, what you have but we can't see is part of the problem, not the trust, the price is just not worth for what you offer, so, don't complain about "not a single new customer from 50 clicks".

Hey, quick fix: Just make Yearly the default option when the page loads, since the yearly options are the best price. Users to your site may just scroll through without clicking anything and only see the monthly prices (like I did).

this sounds like a great idea from the rational standpoint, but our data says otherwise. we've seen a conversion increase and generally more people started buying when we enabled monthly prices and again when we made them default. I have a few theories to back it up – but generally speaking pricing perception is emotional, not rational. looking at our prices you'd assume no one buys monthly, but about 40-50% of people do :)

Yea I'm certainly not eager to sign up for another service like this after finding out that the last one I used sold my data. It's getting really tough to trust third party services with your data these days.

my point exactly. I was just discussing this with a friend – there's really no way for us to prove that we don't keep or don't sell the data we get access to (aside from clearer tos/policies).

and it's even scarier with iCloud for example – they don't have OAuth and people need to enter their passwords to scan/clean. (they do have "app-specific" passwords though but looks like people have a hard time figuring those out.)

Well there is, but it's not cheap. You get a trusted third party to Audit you and publish the result of their Audit, something similar to a SAS70.

It's not a perfect solution but it's an option to consider

fair point – this is something we consider doing before expanding to b2b market. but:

my day job is in ecommerce (I work as a product manager at FastSpring) and I used to work on CleanMyMac at MacPaw – had to work with trust in both. it's somewhat unexpected but people who are buying software for themselves usually don't care about PCI compliance, audits, and other artifacts of "institutional validation". they care about a "norton secured" badge, proper language, recommendation from a person they know, a review at the website they read, "that green thing with the lock in my browser".. we're now at the phase where we are trying to find the right combination.

just to be clear – it's very different from project to project and depends on the audience. what I'm saying is that we're making decisions emotionally mostly based on our prior experience and rely on internal "thermometer" to tell us if what we're seeing is trustworthy.

When dealing with sites where high trust is required I think people would much rather see an independent audit or compliance with a (legit) security accreditation than a Norton badge, however, most of the time this is not offered, so we make do with the crappy badge, a recommendation, or gut instinct.

Having said that, I deal with independent audits in my job, and they're not all that reassuring.

Pardon my ignorance or perhaps it's just that I've become jaded, but outside of circumstances with dire/severe consequence such as laws, regulations, etc how does an independent audit (legit accreditation or not) verify what happens after the audit is done and the auditors long gone?

How does an independent audit detect out of band taps (swapping binaries, repurposing archives/backups, mirroring, etc) on infrastructure the auditor wasn't monitoring before the audit? logs? but more importantly amortized or not the customer eventually pays for all this activity that at the end of the day is more fluff than substance (in terms of what the customer can actually verify). In the end doesn't all this come down to just another form of marketing?

Please note, that I recognize that there are many scenarios where an independent audit would add value. I just don't think it adds anything that social validation doesn't already add when considered from the perspective of a consumer to whom the infrastructure behind the service is unavoidably opaque.

I don't see how that indicates a lack of trust. People may not be in the mood to change, or need to do more research before they do, especially since it is very late in the evening for the Western world.

Also, it's only been 30 minutes since your first post, and 50 is a small sample size.

that's just a joke – I was not really hoping to get users from here :) I was actually surprised with 50 even clicking the link.

You won't survive and you clearly don't understand how this business works.

That's so far outside of what is acceptable that it should be actionable in some way and I sincerely hope Google cuts them off at the knees. Aren't you breaking an NDA by posting this? (If so, extra kudos to you!)

I'll quote what I said elsewhere:

> I haven't been a part of that company for several years now, and did not have any legal agreements or first party relationship with either of the companies named above, and since the deal closed since with Slice it would be difficult for anyone to allege damages.

And if all this disappears, then yes, someone did attack me legally over it. I don't like the business culture that has built up around this kind of thing -- reputation is important, so let's defend it with lots of lawyers and NDAs, but it's too much effort to be up front about business practices that might give us a bad reputation. That's bullshit.

I totally agree. But, and this is a very big but: companies would no longer be open to potential acquisition partners during the due diligence phase of an acquisition if professionals in this space would talk publicly (or even at all) about what they find.

I'm seriously conflicted about this because I too have seen some extremely horrible stuff in the last couple of years, some of which I'm quite sure would rock the world orders of magnitude worse than what unroll.me has been up to and that was secured roughly in the same way (or maybe even worse) and with data best qualified as 'radioactive'. I do sign NDAs and I stick to them religiously but it is very hard at times to do that. Even so I understand that I'd make life miserable for those that employ me if I'd ever break an NDA.

Yep. Working in Systems as I do, my word that I'll keep my employer's secrets is pretty precious. Still, we share war stories over libations with our peers. These stories have value; they're how we know as a community what products to use and what employers to seek or to avoid. While I didn't intend for this to get quite the audience that it's getting, I will own up to having shared the story.

My boundary, and the legal boundary that NDAs (even despite what is written in them) are generally held to is "trade secrets." I would hope that everything in my post is three or more years out of date, and would no longer qualify as such.

We're in immoral waters here: 1) NDAs prevent most humans getting closer to the truth. 2) Selected audiences (the drinking friends you share details with) know that companies x, y and z are scammers and criminal, but most don't. 3) As a consequence companies that are immoral and fronted by the most skilled marketing liars thrive too much.

I say not doing evil to the rest of mankind trumps protecting the evil few.

Leaking systems that work seem like the moral road?

Couldn't you leak anonymously?

I don't believe in that. For one, there is no such thing as anonymity to begin with, for another, I think if you do a thing like that you should stand by it.

Plus if you do it anonymously it's easy for the company to spin it as "hit pieces" which is what Uber does.

Is this answer on their FAQ an outright lie, then?


> we don't store any of your emails on our servers.

Either way, I just deleted my Unroll.me account and revoked access to my Gmail account. I don't think there's anything the company can do to ever get me back as a user.

I guess it's not a lie since they store it on Amazon's servers?

I'm not sure I can answer that in detail, or that it hasn't changed since the details were originally shared with me.

That might also be a case of an article that's written from the point of view of one feature ("what happens if I delete") and not what's going on under the hood. There are other references to deleting data stored with unroll.me, e.g. When you go through the delete steps you need to do it in a particular order so that data on their side is removed, as discussed in another comment thread.

They store them on amazon's...

In terms only of capabilities, that makes me wonder a lot about Gmail. I don't see anything there that they couldn't do if they wished to do it on a far grander scale.

Granted, I tend to think the people who run Gmail are more honest than that, but if someday the wrong people retired and others took over or what have you, I wonder just how suddenly that could change?

Gmail doesn't need to sell data to anyone, they use it for rest of the google suites like google.com, adsense, youtube, doubleclick, and all the other properties they own.

In fact it would be a stupid idea for them to sell any of that data directly to a 3rd party. Instead they package them in user friendly (marketer/advertiser friendly) ways to capitalize. Some of these are shady and I'm not a fan but overall I think this approach is fine.

The problem happens when you sell user data to a 3rd party.

Here's an example: Let's say you start an email newsletter about travel. You get millions of subscribers. Then you start putting ads on your email. Maybe sometimes even send sponsored messages. This is kind of annoying but not "unethical".

On the other hand, the same company could take all the email list and sell it to bunch of travel agencies. Then all the million users who subscribed suddenly start receiving spam emails from these travel agencies. This is unethical because they literally "sold" your email address.

Of course this is more of an extreme example, but the pattern is the same.

> "Instead they package them in user friendly (marketer/advertiser friendly) ways to capitalize."

Yes, it is called Gmail Sponsored Promotions or "GSPs." Depending on the audience they can apparently be quite effective. [1]

[1] http://marketingland.com/gmail-sponsored-promotions-everythi...

Who knows? Maybe at one point people will realize the value of local mail storage and end to end cryptography.

There are so many factors involved that it becomes unreasonable quickly.

Your main problem is going to be getting everyone to use it. If you converted 25% of the people using email today to an end to end encryption system it means that they can either only email anyone else in that 25% or anytime they send or receive an email from the other 75% it's not going to be encrypted the entire way.

Do you only use one device?

Using multiple devices does not preclude one from using a server and end-to-end encryption.

The reason I ask is about private key movement. I'm curious how you share that across devices. It's the biggest issue in e2e encryption imo.

Just curious if you do anything novel there.

I don't do anything novel. I have my private key on three devices.

How do you get that private key on each of your devices, this is a real issue for a lot of less technical users.

Unless they're using an HSM, that would most likely be a matter of just copying a file.

With an HSM, it would have to be marked as exportable (bad for security), or to happen via some proprietary HSM to HSM cloning method endorsed by the vendor.

That said, I don't see that much HSM usage outside of the government or their contractors.

Just so you know, you have been quoted on gruber's article. Be careful about what you say on careful forum especially since your profile gives your contact information.

Thanks. I'll let it stand for now. I haven't been a part of that company for several years now, and did not have any legal agreements or first party relationship with either of the companies named above, and since the deal closed since with Slice it would be difficult for anyone to allege damages.

On top of that, it should be very clear that everything I said is hearsay at best. If I had known the attention this would receive, I would have been clearer about it.

No, but you did just point a whole pile of nasties at a very juicy and poorly secured target.

I would hope that Slice secured it after the acquisition.

You can't be sure of that.

I wonder how expensive it would be to keep full text of all modern multi-gig mailboxes anyway.

tech has become a cesspool of slimy founders + and unbridled capitalism - this needs to stop for the greater good

In 20 years I haven't seen a time where this wasn't the case.

Seed money is the first to take the risk and deserves the majority share of profit

VC (series A,B,C) are putting in the most money and bringing big hitters for the board and advisors. They clearly deserve the majority share.

Founders do all the work and it's their idea so they deserve all the money.

The second generation leaders productive, operationalize, and bring legitimacy to the company, so they deserve all the money.

Whichever group has the leverage forces the table to tilt their direction.

It doesn't matter how good the potential is, how sure the victory is, how close the first breakthrough customer is, if you don't trust someone, or there's a slimy/smarmy vibe then just walk away. It's not worth putting in years of effort to have to resort to contract lawyers to get paid.

It boils down to this: Capitalism is not the goal of society, it is a tool.

Somewhere in the past few decades we've conflated the two - and a larger portion of our population believe that Capitalism is the goal. It's not, it's a way to achieve our goals. It is efficient, it is effective, it will always have little to no morals and consolidate in the hands of the few. That is not a judgement of the system it is an assessment. No different than stating a hammer will work well with nails and poorly with screws.

We as a world society (and particularly an American society) need to refocus on what our goals of society are. And actively decide when to use and when to rein in specific tools to achieve our goals.

Absent of focusing on goals, our tools become our goals and we get the results we're seeing today.

As sympathetic as I am to anti-capitalist rabble-rousing, your comment comes off as a canned micro-rant which doesn't relate in any substantial way to the parent.

Your comment is unnecessarily dismissive and inaccurate.

I'll avoid getting into an internet argument, and just leave this quote here.

> tech has become a cesspool of slimy founders + and unbridled capitalism - this needs to stop for the greater good

This was the thread the comment was posted in and it's entirely the topic of discussion.

In the future try to choose more productive ways of describing people's views and engaging in discussion than as 'rabble-rousing' 'rants'.

What has changed is speed and scale.

If you want to understand what the implications are you need to spend time not with technologists but with ecologists. In nature there is a reason the apex predator doesn't evolve predatory advantages at a faster rate than its prey evolves defensive advantages. These rates grow or shrink in lockstep depending on resource availability. If they don't the ecosystem collapses.

I agree, but it won't until the bubble pops, and even that won't sort out the monopolists. As long as it's centered around VCs with more money than sense or morals, tech is going to continue unabated in its transformation into Wall Street 2.0

There is a phrase which I live by - If it's free, you're the product.

What bothers me is that this phrase becomes a thought-terminating cliche.

Too often, it's used to shut down all conversations around corporate malfeasance re:privacy, so the industry doesn't get better, we all just move on to the next big story. And victims are blamed and shamed. "Your fault for using a free service, what did you expect?" vs. "This is unacceptable behavior, let's force a change."

Not to mention so many don't understand free vs. non-free. Are there ads? Are there optional purchases that keep the company going? As someone else mentioned here, unroll.me showed ads, which would lead users to believe their usage was being subsidized by those ads - and Slice's About page on its web site says nothing about using unroll.me as a data source, it claims to use its own shopping app.

That's all well and good - and many people realise and accept this - but the degree to which you're the product can clearly vary wildly. That's the real issue.

Of course it varies. It's up to you to decide/deduce/infer what the "cost" of using a free service likely is. Understanding that there IS a cost is really the first step, one which a good portion of the population seems to not understand.

To be fair Unroll.me shows you ads in their emails to you so a user may think that's how they monetise and be ok with that. It's another thing altogether when the company sells all of your email data directly to buyers.

I wish more people thought like that. with everything being free it's really hard to actually charge people for something.

Well, this site is free...what's the catch?

This is clearly and explicitly content marketing that attempts to fill YCombinator's venture capital deal funnel.

We come for startup and tech news. YC is a startup and tech funding company that needs to have its portfolio reach us as their customers/employees/investors/etc...

we're definitely being watched and analyzed :)

Thanks for the heads up. If anyone else wants to delete their account you can follow these instructions: https://unrollme.zendesk.com/hc/en-us/articles/200165526-How...

... This is why I treat equity and ipo as monopoly money.

It's ok that we pay you sub market salary because you get great ipo and equity.

Yeaaaah no.

It's comparative to the "espresso machine in the office" perk.

When you bump into your colleagues in the morning you have an extra talking point.

With all due respect you were a consultant for 8 months at Returnpath and know nothing about why that deal didn't happen and you certainly weren't important enough there to know anything about the equity structure of the company. Returnpath is also a data company that buys companies for data collected from services provided to the user. Ask Josh Baer. That's why they bought his company.

Also spreading unfounded rumors about data storage practices you know zero about is really irresponsible.

Suggestion: delete Unroll.me account, fill reasons with "Other", and then "Privacy! https://news.ycombinator.com/item?id=14180463"

You might have been and possibly still are under an NDA from the acquisition process. I'm not sure it is worthwhile detailing all of this in a public forum.

And if they signed up to try Unroll.me they might have violated it already!

Probably (and hopefully) only a matter of time until someone starts to work on an Open Source version of Unroll.me.

This is a good idea. I'd love a version of UnRoll.me that I could host on my own servers.

til then, i wrote a script that'll let you unsub from everything at once before you close your unroll.me account.


So, should I change my email address because all of my emails were read and archived by Unroll.me on their servers?

AND I can tell you as a co-founder of the company this is 100% false.

Am I correct in thinking this is class-action lawsuit-able?
