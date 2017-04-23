https://news.ycombinator.com/item?id=14181152
I remember when the big wave of smart email apps first came out a few years ago, and the horror was the expressed here when it was revealed that these apps basically route all of your email through their servers in order to do processing on it.
Sadly at lot of the trepidation about services like that seems to have abated -- or maybe the general population just isn't aware of how intrusive these types of services could be. But I would never allow any third party service to access my email.
Have you ever emailed your social security number, had your social security number emailed to you, or signed up for any sort of service to your gmail account including your paycheck management company, your tax returns, your bank, or anything else that via email password reset could be used to access your social security number?
Certainly I'd go so far as to say that almost anybody's "real" gmail account could certainly be leveraged to get the last four digits of your social security number. Given the low entropy of the other 5 numbers given other details [1], even if you can say with a straight face that your email has never had your very, very regex-able social security number in it, it's still got most of the bits, most likely. Perhaps not enough to automatically target you without a bit more machine learning than I think we quite have at the moment, but... getting perilously close, honestly. Someone who really dedicated themselves to taking "gmail inboxes" and writing a system to determine social security numbers from that could probably do pretty well. It wouldn't quite be just "fire some machine learning at it", but the system as a whole seems pretty feasible to me.
[1]: http://www.stevemorse.org/ssn/ssn.html . It isn't quite as bad as it seems for many of us, because we didn't all used to get SS numbers at birth, so my SS number does not correspond to my birth. But if you have my last 4 numbers and a handful of other bits of information about where I've lived, it's distressingly few bits between me and my identity getting stolen.
In many countries this is public information. Why is it sacred in the US? What can you do with it?
I could not find ANY disclosures whatsoever.
Nowhere does Unroll.me disclose that they sell your emails to the highest bidder.
I wish we had a FTC that could bankrupt Unroll.me's previous and current founders and executives. Absolutely despicable behaviour.
Privacy Policy indicated the following:
> We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose. For example, when you use our services, we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts. We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.
Damningly, if they're collecting and disclosing transaction details, they're also technically conveying personal information given the ease by which identities can be reversed from this sort of data.
In a moment of desperation, I signed up for this a while back. I found it not to be useful and tried to remove my account with the site, which turns out to be essentially impossible.
I ended up revoking access to my email account and continued to receive emails from unroll.me that the service "has lost its connection to your account," which I found hilarious, because in my desperate attempt to get rid of spam, I created more.
I've tried to unsubscribe from these unroll.me emails several times before, and the unsubscribe link takes me to a page containing all the subscriptions that the service once found on my account (the one you'd see if you were trying to use the service---so all that data is still there, for sure, and it has been many months), and I have never actually been unsubscribed.
You can remove its authorisations at: https://myaccount.google.com/permissions
Had to search my inbox as a sanity check to make sure I hadn't signed up for the service. Turns out I hadn't, but it was pitched on Product Hunt both in April 2015 and May 2016.
I'm hoping at least security folks made the mental connection that signing up meant compromising your personal emails. That's the single reason I didn't bother.
Wouldn't you remember granting a third party full access to your email inbox? That doesn't seem like a trivial decision to make.
It wasn't that long ago that the worst thing that would happen with a third-party mail client was that it would suck and you'd have to stop using it.
Assuming someone only signed up with their personal address. Curious how many .gov email addresses are in their database...
As far as a different service, I found Unroll.me to be just another annoying email I had to read and found it kinda useless since if I wanted to "roll up" an email, I had to read the daily email to see what it suggests and then add to my rollup list. My solution was to just unsubscribe from any email that I didn't actively read (which was most of them). Especially given that most services are one-click unsubscribe now in the Gmail interface or Mail.app, it's pretty simple compared to a few years ago.
The privacy policy is clear and easy to find and understand. You can be annoyed with yourself for not reading it. You can decide the service isn't worth the tradeoffs. You can be annoyed with yourself for being naive about how free products work.
But it's illogical and disingenuous to call this "under the radar" or blame the service for your own surprise about how it works. We have free will and a responsibility to understand the agreements we enter into. Admitting so casually that we can't handle those things is a scary thought.
For example, you cannot put the fact that the user is signing up for a subscription service into the fine print or the terms of services when it is not stated anywhere else on the website. Even if the customer clicks the "yes, I have read the terms and totally agree with everything that's in there"-button.
I think most EU countries have similar rules[3].
People have free will and that's their choice. I'm not surprised that most don't. I rarely do. But it doesn't make sense that the people who have strong feelings about privacy aren't reading them. You can't give up what's clearly your own personal responsibility and then blame someone else for the consequences.
However, blame should also go to companies that hide important privacy info in privacy policies, with the full knowledge that most of their users will never see it.
Given that the company here is a single entity, while their users are a disorganized mass, I think the company should bear much more responsibility for fixing the situation. They can unilaterally fix it for everybody, while their users can't.
The company also exists with the sole purpose of running its business. That is all they do. Their users, on the other hand, are quite busy doing many other things and dedicate perhaps 0.1% of their time to doing business with this company.
In a relationship that's this lopsided, we should not hold both sides to the same standard. The company should bear far more responsibility for hiding important information where nobody will read it than their users should bear for not hunting it down.
Edit: it occurs to me that this is basically like getting conned. Somebody spins a story at a gas station about how they're trying to get to Cincinnati and they just spent their last $5 on money for their sick kid and can you just help a guy out, and they manage to con some poor sucker, do we focus our ire on the con artist or on the sucker? I'm OK with telling the sucker that they should be more careful and they shouldn't have fallen for the story, but they are ultimately the victim here, and the culprit is the scammer.
That is just ridiculous. You're describing a lie. This situation has transparency that people have simply chosen to ignore. Fine print isn't a crime.
Do how do you spend reading every click-wrap agreement you accept?
We condition users not to read these things, so we can't be surprised when they don't read them.
No, but I don't complain about the consequences. If I agreed to terms that gave my house to unroll.me, they'd never be able to enforce it because it's egregiously inappropriate. I take that much for granted. The actual unroll.me terms are not egregiously inappropriate. They may be distasteful to most people here, but it's not offensive or inappropriate that the terms are allowed to exist.
I disagree. A casual reading of the privacy policy gives the impression that they are not selling the contents of your inbox. There's one long, awkward sentence that technically covers it, but I don't think it's obvious what they're talking about.
This is what a clear statement would look like:
We make our money by selling the contents of the emails you receive. We will make our best effort to scrub personally identifying information from your emails, though this process is difficult and maybe even impossible in some circumstances.
https://www.quandl.com/alternative-data/email-receipt-data
Maybe it's time for some ethical standards among developers. Dumping email to an insecure server should be something that every developer would refuse. Somebody was just following order.
Facebook, Google, ..., Unroll.me
Seems like the Gruber version of outrage porn.
By the way, folks seem to be intent on down voting your comment into oblivion. That, sadly, seems like increasingly typical behavior here, and elsewhere on the internet. The thinking seems to be: "I don't agree with your opinion therefore I will do my best to make your opinion disappear." Does that make anyone smarter? Perhaps someone was deeply, personally offended — in which case, off with your head, right?
The boundaries broken are not comparable, but I just don't feel that Gruber has any moral high ground to stand on because of his affiliation with members in the industry.
In addition, it's not like we haven't seen this act before with company CEO's. This sort of thing happens all of the time, and in every industry. He's a smart guy, but his post seems overly-reactionary.
I am less bothered by the CEO's comment than by their monetization strategy, but then again, I don't really see the need for the product in the first place.
"I'll call someone I've never met a lying sociopath but I draw the line at downvotes!"
