The founders of unroll.me were pretty dishonest, which is a large part of why the company I worked for declined to purchase the company. As an example, one of the problems was how the founders had valued and then diluted equity shares that employees held. To make a long story short, there weren't any circumstances in which employees who held options or an equity stake would see any money.
I hope you weren't emailed any legal documents or passwords written in the clear.
although every day someone would still email with a question "why you are not free like unroll.me".. sigh.
they are encrypted and can only be decrypted by "scan" and "action" (delete, trash, etc) jobs, job servers are not exposed to the outside and can only be accessed via the private network via ssh using access keys and only from a specific node which has those keys. keys are password protected. access to that specific node is restricted to a set of known public ip addresses. database and job servers are different servers of course. database servers are also only accessible within the private network.
the only thing that's publicly exposed is a load balancer.
to access anything else we log in to the "gateway" instance which we access by ip only and it does not have any domain name associated with it.
with all that – I am very open to ideas about protecting that further.
This gives you something fundamental to compete on.
now, whether it's valuable enough to justify the price – depends a lot on how you use your email. we've got users managing 3-5 accounts with hundreds of thousands of emails each and they use our labeling/organization more than removal. think of it as a way to act upon a group of emails no matter what the size of the group is.
(and I kinda think our website is not really good at communicating this – our traffic is mostly coming from android app right now and we've been putting website work off. who knew!).
You offer plain and simply ask for 8€ per month per account.
That's simply a ridiculous amount of money for 99% of the people, what you have but we can't see is part of the problem, not the trust, the price is just not worth for what you offer, so, don't complain about "not a single new customer from 50 clicks".
and it's even scarier with iCloud for example – they don't have OAuth and people need to enter their passwords to scan/clean. (they do have "app-specific" passwords though but looks like people have a hard time figuring those out.)
It's not a perfect solution but it's an option to consider
my day job is in ecommerce (I work as a product manager at FastSpring) and I used to work on CleanMyMac at MacPaw – had to work with trust in both. it's somewhat unexpected but people who are buying software for themselves usually don't care about PCI compliance, audits, and other artifacts of "institutional validation". they care about a "norton secured" badge, proper language, recommendation from a person they know, a review at the website they read, "that green thing with the lock in my browser".. we're now at the phase where we are trying to find the right combination.
just to be clear – it's very different from project to project and depends on the audience. what I'm saying is that we're making decisions emotionally mostly based on our prior experience and rely on internal "thermometer" to tell us if what we're seeing is trustworthy.
Having said that, I deal with independent audits in my job, and they're not all that reassuring.
How does an independent audit detect out of band taps (swapping binaries, repurposing archives/backups, mirroring, etc) on infrastructure the auditor wasn't monitoring before the audit? logs? but more importantly amortized or not the customer eventually pays for all this activity that at the end of the day is more fluff than substance (in terms of what the customer can actually verify)
In the end doesn't all this come down to just another form of marketing?
Please note, that I recognize that there are many scenarios where an independent audit would add value. I just don't think it adds anything that social validation doesn't already add when considered from the perspective of a consumer to whom the infrastructure behind the service is unavoidably opaque.
Also, it's only been 30 minutes since your first post, and 50 is a small sample size.
> I haven't been a part of that company for several years now, and did not have any legal agreements or first party relationship with either of the companies named above, and since the deal closed since with Slice it would be difficult for anyone to allege damages.
And if all this disappears, then yes, someone did attack me legally over it. I don't like the business culture that has built up around this kind of thing -- reputation is important, so let's defend it with lots of lawyers and NDAs, but it's too much effort to be up front about business practices that might give us a bad reputation. That's bullshit.
I'm seriously conflicted about this because I too have seen some extremely horrible stuff in the last couple of years, some of which I'm quite sure would rock the world orders of magnitude worse than what unroll.me has been up to and that was secured roughly in the same way (or maybe even worse) and with data best qualified as 'radioactive'. I do sign NDAs and I stick to them religiously but it is very hard at times to do that. Even so I understand that I'd make life miserable for those that employ me if I'd ever break an NDA.
My boundary, and the legal boundary that NDAs (even despite what is written in them) are generally held to is "trade secrets." I would hope that everything in my post is three or more years out of date, and would no longer qualify as such.
I say not doing evil to the rest of mankind trumps protecting the evil few.
Leaking systems that work seem like the moral road?
> we don't store any of your emails on our servers.
Either way, I just deleted my Unroll.me account and revoked access to my Gmail account. I don't think there's anything the company can do to ever get me back as a user.
That might also be a case of an article that's written from the point of view of one feature ("what happens if I delete") and not what's going on under the hood. There are other references to deleting data stored with unroll.me, e.g. When you go through the delete steps you need to do it in a particular order so that data on their side is removed, as discussed in another comment thread.
Granted, I tend to think the people who run Gmail are more honest than that, but if someday the wrong people retired and others took over or what have you, I wonder just how suddenly that could change?
In fact it would be a stupid idea for them to sell any of that data directly to a 3rd party. Instead they package them in user friendly (marketer/advertiser friendly) ways to capitalize. Some of these are shady and I'm not a fan but overall I think this approach is fine.
The problem happens when you sell user data to a 3rd party.
Here's an example: Let's say you start an email newsletter about travel. You get millions of subscribers. Then you start putting ads on your email. Maybe sometimes even send sponsored messages. This is kind of annoying but not "unethical".
On the other hand, the same company could take all the email list and sell it to bunch of travel agencies. Then all the million users who subscribed suddenly start receiving spam emails from these travel agencies. This is unethical because they literally "sold" your email address.
Of course this is more of an extreme example, but the pattern is the same.
Yes, it is called Gmail Sponsored Promotions or "GSPs." Depending on the audience they can apparently be quite effective. 
Your main problem is going to be getting everyone to use it. If you converted 25% of the people using email today to an end to end encryption system it means that they can either only email anyone else in that 25% or anytime they send or receive an email from the other 75% it's not going to be encrypted the entire way.
Just curious if you do anything novel there.
With an HSM, it would have to be marked as exportable (bad for security), or to happen via some proprietary HSM to HSM cloning method endorsed by the vendor.
That said, I don't see that much HSM usage outside of the government or their contractors.
On top of that, it should be very clear that everything I said is hearsay at best. If I had known the attention this would receive, I would have been clearer about it.
Seed money is the first to take the risk and deserves the majority share of profit
VC (series A,B,C) are putting in the most money and bringing big hitters for the board and advisors. They clearly deserve the majority share.
Founders do all the work and it's their idea so they deserve all the money.
The second generation leaders productize, operationalize, and bring legitimacy to the company, so they deserve all the money.
Whichever group has the leverage forces the table to tilt their direction.
It doesn't matter how good the potential is, how sure the victory is, how close the first breakthrough customer is, if you don't trust someone, or there's a slimy/smarmy vibe then just walk away. It's not worth putting in years of effort to have to resort to contract lawyers to get paid.
Somewhere in the past few decades we've conflated the two - and a larger portion of our population believe that Capitalism is the goal. It's not, it's a way to achieve our goals. It is efficient, it is effective, it will always have little to no morals and consolidate in the hands of the few. That is not a judgement of the system it is an assessment. No different than stating a hammer will work well with nails and poorly with screws.
We as a world society (and particularly an American society) need to refocus on what our goals of society are. And actively decide when to use and when to rein in specific tools to achieve our goals.
Absent of focusing on goals, our tools become our goals and we get the results we're seeing today.
I'll avoid getting into an internet argument, and just leave this quote here.
> tech has become a cesspool of slimy founders + and unbridled capitalism - this needs to stop for the greater good
This was the thread the comment was posted in and it's entirely the topic of discussion.
In the future try to choose more productive ways of describing people's views and engaging in discussion than as 'rabble-rousing' 'rants'.
If you want to understand what the implications are you need to spend time not with technologists but with ecologists. In nature there is a reason the apex predator doesn't evolve predatory advantages at a faster rate than its prey evolves defensive advantages. These rates grow or shrink in lockstep depending on resource availability. If they don't the ecosystem collapses.
Too often, it's used to shut down all conversations around corporate malfeasance re:privacy, so the industry doesn't get better, we all just move on to the next big story. And victims are blamed and shamed. "Your fault for using a free service, what did you expect?" vs. "This is unacceptable behavior, let's force a change."
Not to mention so many don't understand free vs. non-free. Are there ads? Are there optional purchases that keep the company going? As someone else mentioned here, unroll.me showed ads, which would lead users to believe their usage was being subsidized by those ads - and Slice's About page on its web site says nothing about using unroll.me as a data source, it claims to use its own shopping app.
It's ok that we pay you sub market salary because you get great ipo and equity.
When you bump into your colleagues in the morning you have an extra talking point.
Also spreading unfounded rumors about data storage practices you know zero about is really irresponsible.