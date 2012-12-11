Hacker News new | comments | show | ask | jobs | submit login
We Can Do Better (unroll.me)
Give me a break!

>"So it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service."

This reminds me of the United CEO "apology" that wasn't. Really, your gentle little heart was just shattered to learn people were upset that you send their bloody Lyft receipts from their email inbox to Uber!! You pour soul!

You know, America, you could do with less bullshit. I would respect this guy more if he said simply, "We offer a service at no charge, and in order to make money, which is what we need to live and so do our employees, we mine data from inboxes and sell it. This is all in our privacy policy which I advise everyone read before they hand anyone access to their email."


You can deal with that. I can deal with that. Most people here can deal with that. A lot of people can deal with that. The news can put some spin on that, use it to enrage a bunch people who don't know any better causing a problem that makes shareholders unwilling to deal with that.

Welcome to the modern world. Being frank about things isn't a risk worth taking.


Are you seriously suggesting they lying-by-small-print is somehow the more moral course for them to have taken?


I think they might just be saying that we tend to reward lying and punish honesty, so we shouldn't be too surprised when this sort of thing happens.

It frustrates the shit out of me, but I think it's true in many cases. This company would have died instantly if they had been up-front about what they were doing. By lying, they've managed to have some success. I don't condone lying and I wish they wouldn't do it, but given the incentives, I'm not surprised that they did.


I take your point, but we didn't reward lying here--they profited as long as we were unaware they lied. Once revealed, the ship is going down fast. This is just to say that crime pays... until it doesn't.

What would be scandalous (and still might be) would be for this to be revealed, and no one to care about it. I'm cautiously optimistic this might be the case--even Uber's bad behaviour is catching up to it.


I think we did reward lying. We didn't intentionally reward lying, but that's not what I meant. We don't intend for this to happen, but that's how it works out the way things are set up.

The ship is going down fast, but how much money did they make in the meantime? Will the CEO's salary and bonuses be clawed back? I doubt it.


Not moral, profitable. Companies are evaluated on their profit, not on their moral decisions (unless those decisions are illegal, but there's no law against saying "By signing up, you consent to us data-mining your inbox and selling the data").

And, of course, nobody is saying that it's a good thing that companies are evaluated on profit and not morality, just that it's true.


They don't get it. Their cardinal sin was not failing to disclose how they use your data, although that certainly is a grave sin too. Their cardinal sin was selling their users' e-mails.

Yeah, if they were going to sell your Lyft receipts to Uber, they should have been very clear that this was what they were doing. But that's secondary to the fact that they never should have been doing that in the first place.

I think this bit sums it up perfectly:

"I can't stress enough the importance of your privacy. We never, ever release personal data about you. All data is completely anonymous and related to purchases only."

They care so much about your privacy that they only sell info about the stuff you buy, which is definitely not personal in any way, somehow.

We'll tell Uber about that time you went to visit your girlfriend, and we'll sell info about that weird t-shirt you bought, but your privacy is totally important. Yup.

Edit: I should probably clarify, I'm sure they do get it, but they don't care and want to keep selling your data, so they'll pretend like the failure to disclose was the big problem.


Did they sell it that way?

Or did they simply sell something like "of our 100000 users, 30% bought Lyft rides."?

I mean, I still think it's wrong, but selling who bought what is a bit different than selling how much of a group bought how much of an item.


If all they sold was a count and a percentage, that would be pretty benign. But what are the odds?

Their privacy policy lets them sell individual messages as long as they're scrubbed of "personal information." Where their bar is for that is anyone's guess.

If all they wanted to do was collect and sell aggregate data, you'd think they would say so, and would have reiterated it in their "apology." If they actually gave a shit about their users' personal data, they'd make sure their privacy policy was as restrictive (for the company) as possible while still permitting them to operate.


Slice sells aggregated order data for categories of goods by brand, calculated by looking at email receipts. Things that are useful for calculating overall demand, seasonality, market share, etc. I don't know about selling the actual email content; would be surprised if they did. (Not affiliated with Slice, but am an occasional data buyer, which is how I know of them.)


From their privacy policy:

"We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages...." [emphasis mine]

Of course they might not sell your messages, but it's pretty weird that they'd put up a "we totally can sell your vaguely anonymized messages" and then not take advantage of it. What they sell to Uber may not be what they make available to you.

Even if they don't currently, they could start doing so at any time. And even if you somehow trusted them not to, they could get bought out by someone not so trustworthy.


They could be, no disagreement there.

Now I'm curious: what is the commercial value in the aggregated email content that would make someone want to pay for it, besides the purchase and receipt data that Slice is already providing (plus subscription and open rates)?


Lyft receipts provide origin and destination addresses as well as the exact date and time. That would be tremendously valuable for Uber. That info could be aggregated and then sold to Uber, or their privacy policy would also allow them to just scrub these e-mails (and the manner of scrubbing is not specified, so who knows if they consider the exact origin and destination locations to be personal information or not) and sell them to Uber directly.


Makes sense. The clickstream data that ISPs are now free to sell would be a goldmine then.


Totally! It'll be a golden age for targeted advertising. Maybe less so for the targets of advertising.


You don't know how they sold it and they're certainly not trustworthy enough to believe them even if they say that's the way they did it.

Until all companies that trade in user data are required to disclose how they do so by a regulatory body, and users have an access to an example "slice" of the data being traded, this will continue the way it does, because the incentives are there.


No one would pay for that data


Let's dispel with this fiction that the companies collecting all this personal data don't know what they're doing. They know exactly what they're doing.


I disagree. I think it's fine if a company wants to sell personal emails as long as they are completely up-front about it. But in that case almost nobody will sign up, so the amount of personal data being sold is minimized in either case.


I wouldn't raise a fuss about it in that case, since it's voluntary and so easily avoidable. I'd still call it a "sin," just one that would (I hope) be punished by having nobody sign up.


If you're jumping off Unroll.me, first log into unroll.me via your Google Login. Go to settings, turn off everything (like the ad tracking) and then delete your account. It's at the bottom of the page in light grey. They'll ask why you're deleting. I'd suggest choosing "privacy".

After, that head into Google > Account > "Connected Apps & Sites" > Manage Apps -- and then explicitly remove Unroll.me there too.

Don't do the reverse as the Google Access is needed to log in and delete the Unroll-side data*

* Assuming they delete anything, but still worth doing.


If they don't delete it and they have European customers they are breaking the law.


If you're a European customer who deletes your account, I'd email unroll to ask if your data has been deleted, and then report them if not.


Who do you report them to?


http://ec.europa.eu/justice/data-protection/individuals/misu...


Thanks for bringing this up. This is part of the Data Protection Directive (1995): http://ec.europa.eu/justice/data-protection/individuals/righ...


Does that apply to companies located outside the EU?


If they are doing business in the EU, they have to comply with the EU's laws.


What would it take to get laws like that in the US? Purely hypothetical, of course, since I don't believe it's possible.


Less lobbying, less money in politics.


Actually what is needed is MORE lobbying ... just for the right things by the right people. We'll never stop lobbying by those who are already powerful. But those who are not can empower themselves.

PS: Event doing what you propose "less lobbying, less money in politics" would require lots and lots of lobbying (as this is the current system).


How does that work? If I have a server in my US living room, and someone from an overprotective country visits my server, and my pokemon trading site sets an is_deleted flag to keep foreign keys valid, can you really say I'm breaking the law?

It doesn't seem like laws specific to some European country should apply anywhere outside of that country. I can maybe see the EU(since they like to apply laws everywhere).

You did call them 'customers', which means there's an exchange of money. Is there a restriction on European banks to prohibit them from dealing with sites that don't comply with the country's law?


Don't do business in the EU if you don't intend to respect the laws. I find the word 'overprotective' out of place in your comment, it says that you feel that once someone gives you their data it is yours to do with as you please.

As for laws specific to a country applying outside it: you can do whatever you want but the moment you hold assets abroad or intend to travel you are exposing yourself to potential legal action, something always good to keep in mind. The United States has a long history of enforcing its laws outside its borders.

Also, you are wrong about how you'd go about implementing such deletion. You don't need an 'is_deleted' flag at all to keep your foreign keys valid, all you would have to do is to overwrite the record with random data or blank the personally identifiable fields and delete anything that that user has given you. That's not that hard and purposefully mis-implementing that would not look very good if it ever came to a lawsuit. Pro-tip: consult with a lawyer versed in the matter if you want to do this stuff at all it is better to do it by the book.

"Keeping foreign keys valid" is not an excuse to break the law.


Prefacing that I think we all have a right to privacy/right to be forgotten, or whatever phrasing is used for this in the EU, as a thought exercise, I'm wondering if you didn't want to abide by this, could you effectively do it? If I run an app and didn't want to handle the whole process of deleting user data or wanted to keep it for later, for whatever reason, would it be possible to forbid/block EU users/customers from using the website?


Make that part of your terms. We don't fully delete the data. We don't allow for this reason EU residents since we can't comply with law XXXX.

If they use it, they're the ones breaking the agreement.

Not sure what would happen though. If they sue you, you can probably sue them back. But not sure what you would end up needing to do.


A lot of Japanese sites IP-ban foreigners so they don't have to deal with them. I always figured, why not leave the site open for everyone but not officially support them? I guess putting technical measures in place prevents having your assets seized, or being sued or arrested when you step foot there.

If an EU customer with data retention laws uses a VPN to bypass an IP-block(and pays with bitcoin or something), would you still be subject to their laws? Or would the attempt to block them be sufficient legally?


It's not about you blocking them or not blocking them. It's simply about respecting the rights of your users. If you feel that taking users data without giving them the option to ask for you to delete it needs laws that can and will be enforced then you can see why our industry has a bad reputation when it comes to managing end user data.

This sort of behavior is exactly why the industry is no longer self-regulating but is now forcibly regulated in the EU. And soon to be much more forcibly regulated, come 2018 the new version of the DPD will come into effect which has much more teeth because there are still plenty of companies that are trying to evade their responsibilities. For instance, from then on, if you have been breached you will be required by law to report the breach.

So, be nice to your users, respect their data and try to be better than your competitors rather than to find ways in which you can creatively evade legislation that is especially meant to apply to you and your customers.


Delete their email address, name, or any other identifying information. That's it.

To me, the troubling factor is that the EU hasn't clarified the law so seeks to apply it to individuals who are not in the EU and never intended​ to do business with EU residents. 


   any other identifying information
This part is actually much harder than it looks.

Honestly though, if you tell users you can delete their data on request, you should just do that - delete all of their data, full stop. If you can't or choose not to, you should just be up front about that, also - that means in plain language they will see, not buried in a TOS or whatever. It's the only ethical way to handle this. National boundaries and jurisdiction are side issues, really.


Not really, at least I've found keeping data much harder than deleting it. The only hard part is backups.


I think I was unclear - I meant that deleting only "identifying" data, i.e. anonymizing a dataset is hard. Perhaps I misread the earlier comment.

Deleting all data is as you note, easy, with the exception of backups.


Anonymizing a dataset is next to impossible, especially if you have the ability to combine it with other datasets.


precisely.


It would also be really nice if Google told you the last time an app accessed your account (or at least within a certain time frame, like "last 30 days", "last 90 days", etc). Facebook shows this information, and I just went and checked my app authorizations on my Google account to make sure that Unroll.me wasn't there, since I stopped using it a while ago and deleted my account, and saw that it was still there, but with no last accessed time, only the initial authorization time. It's frustrating that Google can't add a simple piece of very useful information onto their dashboard.


With regards to unroll.me, does it really matter? Once you grant access to your mail, they archive your entire inbox. The damage is already done.


Er, ongoing, new emails?


Yeah, it cuts off new email, but my Gmail account has over 13 years of data -- I'm sure a lot of other people have had Gmail for as long. It's the initial load of data to Unroll.me that hits hardest.


A very important part of a good apology is, in no unclear terms, acknowledging what you did wrong - they do not do that, it's extremely vague and only hints at "we weren’t explicit enough." Explicit about what? Why were people upset? It also gives a mild air of "sorry you were upset" non-apology. Not quite, but definitely has gives off that vibe.

Basically, bad apology

So, I'm totally unfamiliar with this and the CEO doesn't elaborate on what happened at all so can someone give some context? Reading this thread I can see it is something to do with GMail...

What is/was unroll.me? What service did they claim to provide? What did they get caught doing? How did they get caught? What did their private policy not say?

BTW, if you are interested in the art of the apology and apology analysis check out http://www.sorrywatch.com particularly http://www.sorrywatch.com/2012/12/11/the-parts-of-a-good-apo... and http://www.sorrywatch.com/2012/12/12/parts-of-a-bad-apology/


I was a user of unroll.me (one off cleanups of spam here and there). It automatically unsubscribes emails for you based on your preferences, etc. To do this, you give them access to your GMail account. Apparently they were scraping your GMail account for information and selling it to third parties.


I don't think they actually unsubscribe you. They basically sit in front of your incoming email and don't pass on emails that match specific patterns. (And apparently sell that sweet, sweet anonymized data)


I am not sure if they do or do not, but their tag line is

>Instantly see a list of all your subscription emails. Unsubscribe easily from whatever you don’t want.

So, probably makes sense for them not to unsubscribe so they can still get any info on you but to the layman, it would seem they unsubscribe you from emails.


Basically they are reading your emails and this data is/was used by Uber to keep track of their competition.


As someone with a startup that heavily leverages Gmail OAuth, this kind of thing is upsetting because it causes folks to lose trust in the technology. Google is partly at fault here though. There should be an audit trail visible to users so that they can see every time a third-party service downloads a message or an attachment. There should also be more granular scopes so that folks can, for example, authorize access to only email threads with certain labels, including the built-in labels. (E.g. only personal email or only commercial email.)

It would also be nice if there were a way for folks with the gmail ID of a thread to download the parsed thread/attachments from Google, with a special scope designed for this. (So that services can get the entire DKIM-validated thread by just letting users copy an address, forward the last message, or via a plugin.)

I spent over a week writing our TOS, privacy policy, and security page, but privacy laws and the underlying technology should be sane enough by default that people shouldn't need to feel like they need to closely parse every word before signing up.


The ability to restrict access to specific domains would be really helpful for a lot of use cases.

For example, there are several travel apps that watch for flight and hotel emails, and then track them / notify you about them. If I could give the app permission to access emails from delta.com, united.com, southwest.com, and aa.com, I would be a lot more comfortable granting access. As it is now, I have to give the app read AND write access to ALL email.


There is a workaround for that. You can create a second account and create a forwarding rule on the first to forward only mails from delta.com, aa.com


That only works for individual email messages though, not for threads. So in this case it would work, but it's not a great generalized solution, even by hacky workaround standards.


Totally agree with the audit trail. From time to time I look at which accounts are connected and nuke most, but making this a better informed decision through access history would be great.


An audit trail like that should include every access that Google makes to your email for their own purposes.


Human accesses or machine accesses? Because there are constant machine accesses for search indexing and spam detection.


Hence the 'for their own purposes'. So not related to gmail.


I prodded unroll.me a couple of years ago about their data retention policy. Their answer was sketchy so I ended up not using the service. I'm surprised it took this long for someone with reach to look into them.

Original thread: https://twitter.com/elahd/status/575692415132135425

DMs: http://imgur.com/H0UABYa


I interviewed with them a number of years ago, and particularly remembered after the initial wave of interviews asking what they felt about their moral obligation to protect users data because they had full read/write access to emails. The response was overly vague and generic, so I wrote them off and immediately removed myself from their service. I wasn't expecting them to be a company a number of years later, and I didn't expect them to have been tied into this. It's mind boggling to think that had I not asked that question, I likely would have continued for my onsite interview and could very well have been an employee with them at this time.


Wouldn't it just be better for them to come out and say:

"We were mining your emails for profit and tried to hide that in our marketing and brand. We will continue to mine your emails if you want to use our free service, but we'll be more upfront about it in the future."

Why bother trying to act sincerely apologetic? I'd be more sympathetic to them if they would just bluntly state what they want to do.


Because their lawyers probably advised against saying certain things in case of a lawsuit


Emotions, feelings and naive people who think the world is black and white. That's why.


I don't think their chosen approach has resonated well with their users at all (emotionally or intellectually). People find it hilariously insincere and insulting.

It seems it would be better received if they were up-front in this instance.

They might as well tell their users, "This is how it is. Take it or leave it." Instead of trying to wrap that same message in a layer of false sincerity and lies.


Part of what we can't see is what percentage of their user base is even going to hear of this. HN may be up in arms, but if that's all that happens it may not amount to much. Then again, huge swathes of their user base may in fact be HN or people influenced enough by people reading this article to delete it. It's hard for us to know from here.

Speaking for myself, I'd never even heard of this company, so I doubt it's an HN darling particularly.


john gruber's take: https://daringfireball.net/linked/2017/04/23/heartbreaking


> At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets.

From https://news.ycombinator.com/item?id=14180463

However, their Privacy Notice claims to not store emails that are not personal emails but certain types of "commercial" emails as defined by the CAN-SPAM act.

Are they really hoovering up everything?

From https://unroll.me/legal/privacy/

> We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose. For example, when you use our services, we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts. We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.

We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners. If we combine non-personal information with personal information, the combined information will be treated as personal information for as long as it remains combined.

Aggregated data is considered non-personal information for the purposes of this Privacy Notice.


> Are they really hoovering up everything?

I worked on a competing product a long long time ago. (Well, a competitor in the "all your emails are belong to us" space.)

The way ours worked was that we hovered everything, but before we provided any analytics staff access to it, we grabbed only emails of interest, tokenized the data in them, and then copied them to the analytics data store.

But we were constantly refining what "of interest" meant, which means that we had to go back and re scan the archives periodically, which would always turn up new stuff for the analytics team. The need to re scan historical data as the models improved meant that we had to keep all of the source material, even if it wasn't accessible to the people who were most interested in looking at it.


Disgusting company, disgusting "apology".

Add the specific names involved (e.g. Jojo Hedaya) to a list in your head, they'll inevitably be involved in more shadiness throughout the years and it's fun to reminisce.


I agree that this is completely appalling and their apology is basically "Sorry you didn't know." But let's not characterize Jojo Hedaya as a bad guy just yet, I did a basic searched and didn't find anything else shady from him. I guess what I'm saying is let's give him a chance and hope for the best, one big thing like this shouldn't mean he is beyond redemption. At least that is what I hope and believe about humanity.


As mentioned in the comments, you'll want to go here and revoke access:

https://myaccount.google.com/permissions

Even after deleting your unroll account, they'll have access until you revoke it.


I had deleted my unroll.me account several months back - yet I still receive emails from time to time about the new subscriptions I have. They've not had permissions in my Google account since I deleted my account, so it's odd that I keep getting emails from them.


What I always wonder about when I see business like these: What comes first? Do they first think about what they could sell and then go about setting up a service that gets users to provide them with that data or do they first create a nice service and then realize they have to keep the lights on somehow?


Example of the former.

http://shoparoo.com


In what way? Genuinely curious.


> Shoparoo is trying to take grocery product collection programs, like General Mills Box Tops for Education, into the smartphone age. Our primary business is market research, specifically collecting item-level purchase data from households, said CEO Jared Schrieber in an interview. We developed an amazing technology that allows this data to be captured in just seconds via people simply snapping pictures of their receipts with their smartphones. However, this begged the question, how could we encourage a large number of people to spend a few seconds after each shopping trip taking pictures of their receipts? Our answer, Shoparoo, was inspired by the Box Tops for Education school fundraising program where parents spend a few moments of their time cutting out product labels from grocery products.

http://betakit.com/shoparoo-partners-with-unilever-to-turn-r...


I feel so frustrated. This Jojo CEO is just gonna get away with it, and in a few days people will forget. He will continue his status as a "successful entrepreneur", getting investments and still selling customer private information to whomever or whatever.

And nothing's gonna happen to protect user's privacy. All I (or any one) can do is to use fake accounts to sign-up for free services.


> We never, ever release personal data about you. All data is completely anonymous and related to purchases only.

Can someone explain how this works. I've heard they sold customer's Lyft receipts to a competitor. How do they sell receipts by making it completely anonymous. Do they have someone there by hand monitoring what it is user's private data and what isn't?


I would assume that since a Lyft receipt has a predefined format, it isn't too difficult to script the scrubbing of particular lines of data, assuming Lyft doesn't change their format.

Of course, if they do change their email format, your script is probably letting data leak until you notice and fix it, but obviously privacy wasn't the top priority on Unroll.me's minds in the first place.


This is truly despicable. Honestly, they signed up users for a _completely_ different service and monetize by mining gmail data. TBH, I feel the same rage against all Google services which are about taking notes, mail, contacts, location and what not whereas in reality they are just mining away. For the startups out there - the Big G is an exception because their service is so wide spread and hard to ignore that people accept their mining as a necessary evil but for others this is totally not a good business model.


You are selling google short. Google doesn't sell their consumer data to anyone directly. They use it to help inform advertisers how to sell stuff to you. Uproll is directly selling data about their customers to third parties for whoever will pay.


This is not true of unroll. From the blog, "I can't stress enough the importance of your privacy. We never, ever release personal data about you. All data is completely anonymous and related to purchases only. To get a sense of what this data looks like and how it is used, check out the Slice Intelligence blog.". So they are the same as Google.

At the end of the day, nobody outside the company truly knows if either of them sell identifiable information.


YMMV on how anonymous anonymized data actually is considering that most people are uniquely identified by the combination of date of birth, zip code and gender[1].

[1] https://news.ycombinator.com/item?id=2942967


They don't inform advertisers of anything. They allow advertisers to bid to show you an ad. That's all.


> Honestly, they signed up users for a _completely_ different service and monetize by mining gmail data.

That is also in contravention of the EU DPD:

https://en.wikipedia.org/wiki/Data_Protection_Directive

Specifically, point 2: Purpose.


I'm a longtime Unroll.me user. I've found the service very useful.

I'm not sure how I feel about all this. But after reading the threads - I think these things are true:

1) Unroll me does disclose that it sells your data in a way it considers anonymized.

2) The CEO is here apologizing for not making this more clear, not for the practice.

3) There is no evidence they violated their own terms.

What are people upset about most here? Is it the practice or weak disclosure?

If disclosure, what would constitute appropriate disclosure? I pretty much assumed they were doing something like this. How else would they support the service?

As a user, if they are selling my data in a way that is not linked to my name, but used in aggregate statistics, why should I care? I don't think I do. In fact, I can image such data would make the overall economy more efficient.

On the other hand, if such data is being used to ID me specifically, I am more anxious. But there is no evidence of this, correct?

I am genuinely asking. I might cancel my account, but more over general security anxiety, vs. what appears to have happened.


Kinda unrelated.

As of now, it is impossible to run a pure B2C SaaS which depends on users paying for it.

Is this going to finally change the market so that B2C SaaS companies can charge for their service? I doubt.

The question here is: is our privacy dead? Maybe only we need a law to enforce it?

If make a law enforcing the privacy, then many of these free service will stop being free - causing even bigger digital divide.

What is the solution here?


I think that yes, privacy is dead, to those that do not value it. Would you trade your gmail history for a doughnut? If yes, then it is 'dead' and not worth much, if no, you still have it, mostly.

The thing to look at it the economics of your privacy. Why has it died? I think it is because your privacy has some intrinsic value to it. Averaged over enough people and a long enough time, it has some average dollar value, like a lotto ticket. However, it then becomes a commodity like all others, and subject to markets and their rules. If everyone is collecting your privacy and data and then trying to sell it, who is the buyer and what is the price? Who is buying the data from Bose and their scummy headphones and how much are they paying per 1k people?

To me, it seems that the market for 'data' is not at all transparent and that is why there is a grab for the data. If these kinds of companies can convince a potential buyer that their scummy headphones data is worth the price, then maybe the buyer can take it and make more cash off of it. But I think that since the markets are so inundated with people's 'data' that the price is not worth much at all. I mean, when I look at 'targeted' ads or whatever, then all I see is nonsense. I think that currently, the data is worth far too much due to the lack of transparency in the market. Once everyone realizes that humans are too random to target marketing towards, then the prices will drop and the bottom will fall out of the market. The real money, as Apple and the Goog have seen, is in walled gardens that force you to buy their products above all others. Currently, we are in the 3rd round of this match, there is a lot more fighting left.


They can do better.. yet they still haven't updated their FAQ. You'd think that at the very least, before trying publicly trying to cover their asses, they'd at least do the bare minimum and write SOMETHING about it on the FAQ. Why even link to the FAQ from the blog post if you haven't touched it yet?

Don't say you're going to do something going forward, DO IT.


> from this point forward, with clearer messaging on our website, in our app, and in our FAQs.

Yet when you try to subscribe, are freaked out by the permissions required and don't give access to your entire email you're greeted with the following message: "Unroll.Me takes your privacy & security seriously"


I remember hearing about unroll.me, last year or so. It made no sense to me, at first. But then I got that they needed full access to my email accounts. I was gobsmacked.

I really don't get why people would be OK with that. Somehow the possibility of a cleaner inbox doesn't seem worth the risk of identity theft.


Unfortunately there are many other services out there that sell user email data to companies will to pay for it. See www.boxbe.com which sells data through www.edatasource.com, and getunsubscriber.com (which is similar to unroll.me) and several other applications from www.otherinbox.com which sell data through Return Path (https://returnpath.com)

Edit: to see how you can buy this type of information, see: https://returnpath.com/solutions/consumer-data-insight/


I'm genuinely curious why people are insisting on assassinating this company/CEO's reputation.

Selling anonymized user data is legal. In certain markets (like this one), any company that does NOT sell your data (and therefore charges their users), will be out-competed by companies that do.

Assuming there is a price to your online privacy (which most ppl clearly believe since they use Google) and the value this product brings to market exceeds that price threshhold, we're better off for it.

It seems to me the way to enact change is through legislation/regulation. And, anger towards any specific actor in this under-regulated field is misdirected.


I don't get it either. Google reads your email to serve better ads. You grant unroll.me access to filter marketing campaigns. Now they read your email too. Selling anonymous purchase info is pretty benign given the amount of access.


The difference is Google doesn't sell the data to other people. You agreed to Google reading your email when you signed up for the service, with Google.

Its like saying, my travel agent knows my travel plans.

unrollme on the other hand was asked to do a specific task. And while they were probably really good at it, they took it upon themselves to be curious and find more information, black out some and sell that info to others.

Its like saying, you travel agent sells the data on what car you came in, what you were wearing and what you were feeling when you came to discuss your travel plans.


Horrible argument. Because others so something shameful does not mean you have to support someone who does the same thing. I would love to see Googles, M$, Apple, ... Reputation "assassinated" as well. And a lot of stuff is legal that is horrible and a hell of a lot of stuff is illegal that is totally fine. Like smoking a joint. So using legal/illegal as a argument is really bad.

If course laws that make this illegal would be great, still "uncalled for" is your opinion. I in fact call to public-ally shame every company who sells user data for profit. I am disgusted by "free" stuff. I would rather pay for something then to get something "for free". That why I have a payed protonmail instead of letting google read my mails to name one example.


This comes down to a value judgement.

To some people (like you), online privacy is of immense value -- seemingly almost an inalienable right alongside, life, liberty, and pursuit of happiness.

To others, online privacy has little to no value.

I'm somewhere in the middle.

Don't you think services like this should be freely available for people who don't value online privacy like you do? It doesn't seem right to project your value system onto others when both can peacefully co-exist...

A logical solution that would protect both parties would regulate the transparency by which businesses must communicate these data sharing practices. I just don't see the logic around why any company who shares user data is automatically evil and worthy of assassination.


I unsubscribed and removed access to my Gmail right after. Companies that hides behind small prints to tell you they read and sell your mails should not access my private mailbox.


Something huge is missing here. This blog post states they're going to be more clear about how they sell users' data, but I just read every word on the Features and FAQs pages, and there's not a single mention of it.

https://unroll.me/features/

https://unroll.me/faq/


I'm reminded by the (now old) adage: 'If you are not paying for it, you're not the customer; you're the product being sold.'

Before you decide to use one of these 'free' services, stop and think what that will really cost you and whether you're OK with the price you will pay. That way you will be less surprised (and outraged) when things like this are revealed.


Indeed. I'd like to flay Unroll.me for this, but really, I have a hard time sympathizing with it's users. People should realize by now that all "free services" make money. And if you aren't paying them, someone else is. You should probably understand a company's business model before you sign up with them, and especially before you grant them access to your email account.


If Google were to release a rideshare service, would they be allowed to data mine Gmail for the competitive data? Is that in their ToS?


They shouldn't but Google does not have much in terms of Chinese Walls internally. The contents of your gmail account or youtube history could easily affect your search results.


I am pretty sure Google's allowed to use any of your data for two purposes: Improving their services (which arguably, your example would fall under) or for promotional purposes.

One of the big changes a couple years ago was when they unified all their terms and privacy policies under one that applied to your entire account. So I don't think there'd any longer be any distinction between where the data came from and which Google product they were using it for.


A lot of people want this company/CEO to be punished, but I don't think the level of outrage is deserving.

1) There isn't anything inherently wrong with selling user data as long as it's properly disclosed.

I understand that to some people, online privacy is of immense value -- almost an inalienable right alongside life, liberty, and pursuit of happiness. But, we also need to recognize that to others, online privacy has little to no value.

Since there is such a range of value judgements, I think services like this should be freely available for people who don't value online privacy.

It doesn't seem right to project one's value system/judgments onto others when both value systems can peacefully co-exist.

2) The company's practice of selling data was properly disclosed in their ToS

I understand this is arguable, but imo, the ToS is a reasonable place for proper disclosure. Your average consumer knows this sort of practice is possible and also knows that the place to look for disclosure of said practice is in the company's ToS.


Why not just charge a fair price for their service? And why is this such a novel concept?

It's offensive for a company to a) be involved in shady data practices like this and b) for them to believe their customers are naive enough to fall for it.


I revoked access two years ago, but I don't recall going through the steps for deleting my data. Does anyone have any advice? Should I sign up again and ensure that everything was deleted, then revoke access again?


Ugh. This wasn't a mistake, it was their business model.


> Unroll.Me is a free service

"If you are not paying for it, you're not the customer; you're the product being sold". The free services should worry you


Yeah yeah yeah


yeah, what disingenuous corporate PR bullshit.


Light gray on white? I guess someone downvoted the hell out of that blog. That can't be a deliberate design choice, right?


Seems nowadays we need a kind of "remove.me" service to quickly remove your account from certain services.


Best we have is http://backgroundchecks.org/justdeleteme/


Did people really sign up for this service without knowing it was being used to data mine? If so, maybe you should sit back and think about how you use the web.

Companies have to make money, and it's free, so it should be assumed they are mining it.

Also, stop being idiots and saying that they are sending your receipts. As far as we know they aren't. They are sending aggregate numbers. Just like the dozen other free services you're probably using right now.


Is there a way to completely cancel my account with Unroll.me ? And remove all traces of my data with them?


I wonder how many users they lost to release this same day.


Too few. If they're still in business next week I'd consider that a failure on Google's part.


This is disingenuous. Cleary, he knew what he was doing.


I don't understand the outrage against unroll.me. From their privacy policy:

>> We may collect, use, transfer, sell, and disclose non-personal information for any purpose.

They told me they gonna sell my data and now they sold my data. Bloody bustards!


What's non-personal data? My emails are personal data!


Garbage.


account deleted


This is a reminder that if you're not the client, you're the product.


This is so trite, it is borderline meaningless.

Much of the time, you are both the client and the product. See, for example: Cable television.


I'd disagree.

While it's true you can be paying someone to sell you to some third-party, it's virtually never the case where a private firm offers you a service completely gratis without sell you to some third-party. Furthermore, without the exchange of funds, you lose a lot of legal protections and the ability to hold the company accountable for a lot of their actions.

I know it might be annoying to hear it over and over, but I think it bares repeating because I can guarantee you that only some people have heard that phrase, and far fewer have truly understood it's impact.


It is. There is nobody here who hasn't heard it a dozen times, and the general public audience it should be aimed at doesn't understand it.

Further, it is cited as a rule but it is far from one. Paying for a product doesn't guarantee your privacy and using a free product doesn't mean your privacy is being violated.

For ex. you can pay for Google Apps over Gmail but the privacy policy and terms of use is still the same (I actually can't think of a single service with a pro paid level where you gain privacy - Flickr, Dropbox, Freshbooks, Mailchimp, LinkedIn, Salesforce, Office online - you name it). Likewise there are countless examples of free and open source software that do respect your privacy.

I don't think there is a shortcut to teaching the general public about privacy - especially not one that can be wrapped in a one line cliche.


> Paying for a product doesn't guarantee your privacy and using a free product doesn't mean your privacy is being violated.

While what you say is logical, it gets scary pretty quickly. What about uber? What about airbnb? Or worse, what about paypal, intuit, wells fargo?

I propose a simple thought experiment as a band-aid. If we can't beat them, we must join them. Every company that collects information about me, must disclose the said information to me. Failure to disclose in a reasonable time frame should result in an automatic fine worth 100x minimum wage per hour every hour after the end of the reasonable time frame. Of course, we'd need very strong whistle blower protection. This would be a terrible idea because if it works (and I doubt it), it will have a huge chilling effect on small businesses. Responding to all the requests would put them out of business.

I don't know what the solution could be... but I know educating people is difficult especially when the people don't want to be educated.


It's getting a bit repetitive in this thread, but I can't help but to mention that what you're proposing is the legal status quo in the EU.

At some point so many people started annoying Facebook with these requests that they added a self-service option to download all the data they have on you somewhere in setting. (Google has something similar, "Google takeout")


I don't mind the repetition because I had no idea. Sorry, I am not very familiar about laws even here and even more ignorant about EU matters.


If you're not paying money, you're not a customer.

Saying that a true statement is "trite" and "meaningless" doesn't make it untrue.


I assure you, millions of people pay good money for the privilege of having their eyeballs and viewing preferences sold to advertisers. As said above - we call it cable television.

Just because you are a customer does not mean you won't be monetized.


Let's be honest, pretty clear that Google is already selling your anonymized data (actually, I think it's their data according to the TOS you agreed to). And giving your un-anonymized data to the government. Eww.

There's no reason to get up in arms here... there's no such thing as privacy -- whenever you use a free service, you are the product being sold.




