Show HN: Leave Me Alone – A privacy focused email unsubscription service (leavemealone.xyz)
53 points by jivings on Jan 30, 2019 | 47 comments

Looks interesting...

It took me a bit of time to find out how it actually works, as the 'How it works' button doesn't actually tell me how it works. I had to click onto the FAQ in order to find out that it integrates with Gmail.

Unfortunately I will never be giving a third-party access to my inbox like that. I was hoping that this service would be something where you can forward a spam email and they visit the unsubscribe link for you, or you simply paste in an unsubscribe link and it handles it all.

Perhaps these suggestions could be added as extra features for those of us who want to unsubscribe without giving away access to our inboxes?

Currently my personal process for unsubscribing is to either put the unsubscribe link into urlscan.io, and if that doesn't work (e.g. if it requires a complex form input), then I forward it to a malware sandbox machine and do it there.

I understand the privacy concerns, but for me, if I'm prepared to outsource my email to Google then how different is it to let other SaaS scan my inbox to provide their service (I accept size is one factor).

The Privacy Policy of Leave Me Alone is pretty clear on their respect for my data (not selling it).

If they don't respect this policy, it's going to get found out eventually, and it's going to hurt their business and their future reputation as founders.

Their incentives are in the right place to behave in the way that they've stated.

Security could be a concern as well, but it's all done within the framework that Google has created. Tokens can be revoked (if one desires, immediately).

Which just leaves the servers being compromised before/during the interaction. This isn't impossible and is something that LeaveMeAlone should definitely be considering. However, a breach potentially means the end of their business. This makes me trust, again, that their incentives are in preventing this from happening and investing in hardening the servers (etc).

> if I'm prepared to outsource my email to Google then how different is it to let other SaaS scan my inbox to provide their service...If they don't respect this policy, it's going to get found out eventually, and it's going to hurt their business and their future reputation as founders.

The likelihood that some small SaaS shop will be found out for unethical/illegal behavior is much smaller than Google being found out. It does look like their hearts are in the right place, for what it's worth. But there's no way for them to promise never to sell to someone interested in monetizing the data.

Thanks for the kind words.

I think the only way we can make this promise is by doing what we're doing right now and not actually storing any email content.

I'm not sure the best way to prove that this is what we're doing, short of open sourcing the code, so I'm open to suggestions there!

I totally understand this difficulty. My startup's browser plugin [1] changes text appearance to make reading on-screen easier, and this obviously requires the ability to "view and change content on all sites you browse". I'm sure this permission request scares off some people, but we've not had too much trouble with it.

We make it clear in our privacy policy that we don't tie any usage information to user accounts, ever. I think it also helps that we have awards from social-good type organizations like the United Nations, NewSchools Venture Fund, and Stanford. (OTOH, given the leaked emails from the Stanford-based founder of Snapchat, maybe that last one hurts more than it helps....)

1: http://www.beelinereader.com/

It would be interesting if you could define a restricted-API for email, with just enough functionality to provide your service. The issue right now is that there is no fine-grained way to grant permission to one's email, it's all or nothing.

Of course, it might take a long time for email providers to offer such restricted-API access, if ever. As a stopgap, you could offer an open-source daemon your users could self-host. It would act as a gateway, granting you limited access to their email, without you needing their password or carte blanche permissions.

Hold public audits by a trusted 3rd party to show you are not keeping any data - on a repeating basis (6 months?)

We're already required to perform an audit by Google every 12 months (I've mentioned the requirements of this below, but it basically amounts to the same thing), would this be acceptable?

What are the details of this? I've seen how things work on the Chrome Store side, and it's completely haphazard. There isn't an official audit schedule, as far as I can tell, but like with the iOS App Store, they do sometimes decide to flag/remove an extension for completely bogus reasons, with little/no notice: https://medium.com/@BeeLineReader/google-yanked-my-chrome-ex...

As of this year with apps that access the Gmail API it is an official audit by an authorised third party assessor.

More info here: https://cloud.google.com/blog/products/g-suite/elevating-use...

That's great. I'd emphasize this both in the privacy policy and in the FAQ. It's not bulletproof, but it goes a long way.

I like the forwarding idea, not only because of privacy issues but also because I can easily forward emails from account types they don't support.

That's a really nice idea, and would be easy for us to implement. I love it. I'll add it to our roadmap right now.

Plus one for this idea.

In fact, I love everything about products that use semantic email addresses as the UI. followup.cc is great at this for their email reminder service. If I could forward an email to unsubscribe@leavemealone.xyz that would be amazing...

Sounds good, and it would be perfect if you could make the 'How it works' button point to somewhere that explains the Gmail integration right off the bat, rather than buried a bit. :)

Yes, we will definitely do this as well.

Another option would be to use a mail provider that lets you point your own domain to it and create aliases. Fastmail and ProtonMail come to mind. Create a unique alias for anything you sign up for. You will then know if that company sold or mishandled your email address. If that happens, simply delete the alias for that company.

[Edit] To the_pwner224's point, you can also create a wildcard and send everything to a catch-all mailbox and/or write rules for it so you can tell a business "their-business-name@yourdomain.tld".

I use Fastmail with my own domain name and wildcard addresses. So an email sent to anything@me.com will come to my inbox. While I do have a default address of me@me.com, I can change it to anything@me.com when writing a message in Thunderbird or using their webmail.

Here are some rules I already have made: https://imgur.com/a/L90sQJD I generate incrementing numbered emails to continue using Glassdoor after they block you for not giving info, thus the glob pattern.

For job seeking, I give employers the email 'job@me.com.' I suppose it does sound a bit weird, but if anyone gets spammy, I can add a rule to delete any messages with to=job@me.com and subject contains company name, without globally blocking any messages with company name in the subject.

FM specifically is based in Australia which you may have issues with, but I've given up trying to maintain privacy vs. big gov - they can see your email regardless of what you use, except maybe ProtonMail.

I do this on FastMail. All of my accounts are [site name]@[mydomain], so when I get spam on an address, I can easily set up a rule that sends all messages to that address to junk.

I also have other custom rules:

filter@[mydomain] goes to a special folder that isn't the inbox, for services whose messages I want to be able to access occasionally, but not most of the time.

spam@[mydomain] goes straight to spam.

I just went through my spam folder and found a bunch of spam (automatically filtered) to my "real" email address. That was surprising until I remembered that my email address is published on my website. I suppose my efforts were somewhat in vain.

I run a script that moves any email to the trash that does not come from a list of approved domains. I have toyed with the idea of setting up a catch all domain to do the same as you, but keep finding excuses not to proceed. How much time do you spend on administration for your solution?

Remember the last time we did this?


Email is not an API. Never give a third-party service read-write access to your email.

Did you read the description of this service at all? They literally link to this exact story as an example of why they are a paid service.

We hope we won't be judged by the crimes of others.

The immoral actions of our competitors are one of the reasons why we started Leave Me Alone and we want to remain a privacy first service.

In fact we actually don't store any email content (only encrypted sender/receiver info), so we can't sell it to third parties, even if we wanted to.

The big no-go for me would be allowing you access to my gmail inbox. Google is already starting to add unsubscribe links right in the email header area [1, 2]. You probably don't want to compete with them as they have a much wider insight into email patterns and can quickly come up with a much wider block list. I'm sure you take security seriously but your service would definitely be the weakest link if someone broke into your auth token database. At least, that is how I think your service works, it is not really clear, other than it works with gmail (and I'll allow you access to read emails). I'd focus on the security message here as I think this will come up a lot.

A suggestion. A proxy service might work here, where I use your service and you give me an email@leavemealone.xyz, I use that email@leavemealone.xyz email to sign up to lists, then you forward email to my inbox, then I never give you access to anything. Then this will work with any email provider and you can access way more customers.

[1] https://imgur.com/rPCntTK

[2] https://support.google.com/mail/answer/8151

A valid concern for sure! The tokens we store are all encrypted, but you can also revoke them easily on Google's OAuth screens if god forbid we were to have a breach. I believe we can also revoke all tokens by refreshing our own Google OAuth keys.

Regarding the unsubscribe within Gmail, I can't vouch for exactly how that button works, but there are three methods that are possible.

1. Subscription services can specify in the email headers that they have "one-click" unsub functionality. In which case following the link should unsubscribe you.

2. They can also specify an email address, and sending an email to it should unsubscribe you (you can check this by clicking the button and then checking your sent emails).

3. They can also just specify a regular unsub link. This usually requires you to input additional info such as your email address, or a reason for unsubscribing. I don't think that Gmail will be unsubscribing you from these, and they are probably the most frequent.

Leave Me Alone will try all of these methods to unsubscribe you, including filling out any forms if required.

It will also show you all of your subscription emails in one place, which I don't think is possible from within Gmail.
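Added example, not part of the thread and not Leave Me Alone's code: a Python sketch that reads a message and reports which of the three unsubscribe methods described above it advertises, without contacting any of them. It assumes the standard `List-Unsubscribe` (RFC 2369) and `List-Unsubscribe-Post` (RFC 8058) headers; the sample messages, the function names and the preference order are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample messages (illustrative only).
ONE_CLICK = ("From: news@shop.example\n"
             "List-Unsubscribe: <mailto:unsub@shop.example?subject=unsubscribe>,\n"
             " <https://shop.example/u/abc123>\n"
             "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n\nWeekly deals\n")
HTTP_ONLY = ("From: list@old.example\n"
             "List-Unsubscribe: <http://old.example/unsub?id=7>\n"
             "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n\nHello\n")
BODY_ONLY = ("From: promo@promo.example\n\n"
             "To stop these emails visit "
             "https://promo.example/unsubscribe?e=you%40mail.example now.\n")

def unsubscribe_options(raw_message):
    """Classify the unsubscribe mechanisms a message advertises (no network I/O)."""
    msg = message_from_string(raw_message)
    # RFC 2369: comma-separated <URI> entries; folding whitespace is ignorable.
    header = "".join(str(msg.get("List-Unsubscribe", "")).split())
    post = "".join(str(msg.get("List-Unsubscribe-Post", "")).split()).lower()
    found = {"one_click": None, "mailto": None, "link": None}
    for uri in re.findall(r"<([^<>]+)>", header):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "mailto":
            found["mailto"] = found["mailto"] or uri
        elif scheme == "https" and post == "list-unsubscribe=one-click":
            # RFC 8058: one-click needs an HTTPS URI plus this exact Post header.
            found["one_click"] = found["one_click"] or uri
        elif scheme in ("http", "https"):
            # Header link without valid one-click signalling: treat as a web form.
            found["link"] = found["link"] or uri
    if not any(found.values()) and not msg.is_multipart():
        # Method 3 fallback: a body link that mentions "unsubscribe".
        m = re.search(r"https?://[^\s<>\"']*unsubscribe[^\s<>\"']*",
                      msg.get_payload(), re.I)
        if m:
            found["link"] = m.group(0)
    return found

def preferred_method(found):
    """Assumed preference: methods that need no browser session come first."""
    for name in ("one_click", "mailto", "link"):
        if found[name]:
            return name
    return None
```

The plain-HTTP sample is reported as an ordinary link even though it carries the one-click header, because RFC 8058 only defines one-click unsubscribe for HTTPS URIs.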

Cool, thanks for the reply. Sorry, I am not trying to be a downer, just giving you honest feedback. I know it is extremely hard to come up with an idea, create a website, all the sketching/coding/testing, promoting it, etc. The website looks pretty slick.

No problem! Answering these types of questions and standing behind your idea is as important as a sexy looking website!

Also, you have to open each email in gmail to use the unsubscribe link. It's not in the message list view or available as a bulk action.

I was worried about the difference too, I'm glad you are focusing on a single thing to make it work.

> Google is already starting to add unsubscribe links

The Mail app on iOS also offers this. Not sure how it works, but it seems to have a high success rate in my experience.

Btw, for about 3 years I've been using lots of Gmail filters (like around 200+ and counting) to separate mails into different labels, and it kinda works.

I have lots of labels for each service that I use. They all include unicode symbol character, to visually separate it from untagged mails. For example " DHL", " UPS", " fitbit", "︎ Uber", "︎ Austrian Airlines", " O2" and others.

The logic is all e-mails coming from the specified domain e.g. dhl.com goes to the DHL label. Then another filter that takes newsletter@dhl.com which goes to newsletters and skips the inbox. This way I was able to handle the e-mail clutter and not rely on 3rd party service that I might be afraid will reduce my privacy concerns.

P.S. Ha. Bummer, HN trimmed my unicode symbols. Anyway, here is a screenshot: https://imgur.com/fpX8OLH

Highly recommend Leave Me Alone. Discovered it late last year through Twitter and it helped me unsubscribe from 238 newsletters with about 5 mins effort.

It's also an open startup so you can look at all the actionable metrics at https://leavemealone.xyz/open

This looks fine and dandy, but I’m always skeptical of anything that says it won’t sell my data, because it could turn around and do so tomorrow. Aside from the clear business model and the claims on the homepage, is there any way for me to prove that my privacy will be respected with this service?

This depends on how far your trust stretches. As of this year all apps that use the Google Gmail API have to undergo an independent assessment from a security firm to ensure that they are;

a) not mishandling data

b) not breaching Google's privacy policies

c) securing data appropriately

There is a grace period for existing apps, but we have to undergo this assessment soon if we want to be allowed to keep running.

More info here: https://cloud.google.com/blog/products/g-suite/elevating-use...

I just tried it out. Looks fantastic; I immediately bounced from the three day free scan to the six month. I appreciated the spam estimate.

I did have the problem that the six month scan just hung up at 29%. Went to account info for scan history, and when I went back to the scan page it was back to asking me for 8$ - despite never having finished the scan. So, as it stands, are the paid-for results only available in a single session? Lost if you navigate elsewhere on the same site? (Accessing from iOS)

Only thing I would have appreciated is some way to easily distinguish between subscriptions-spam (eg, newsletters) and spam from places I need occasional communications from (eg, receipts from wayfair purchases.) I’m not sure what that would look like though - maybe a tag-and-archive for the latter?

Oh sorry I didn't notice the part of your message where you had a problem. Send me a message through support chat (click your profile image and "get help") and I'll sort you out!

I don’t know what happened, but it sorted itself out. Love it.

Glad to hear it!

We have a task on the roadmap that I think will help with this. We want to add a message next to each subscription in your list that says something like "47% of users unsubscribed from this mailing list".

This will hopefully give you a metric with which you can decide if something is important or not.

I personally wouldn’t share my emails with anyone, and would never use any service that requires sharing my inbox with it. Unsubscribing may also be a problem in some cases, especially with spam, where you signal to the spammer that you’re around just by the act of unsubscribing. So unless a service like this knows which ones are fine enough to unsubscribe from without further repercussions, it could exacerbate the problem.

Ideally I’d prefer an app that analyzes this locally and does it. Apple’s Mail.app shows unsubscribe links at the top of emails sent through lists. I haven’t used it for the reason mentioned above.

The pricing for this service seems decent enough for certain cases since it’s more of a one time use case, but some sort of combo pricing for multiple inboxes could serve those who use multiple email addresses.

Edit: jamieweb’s comment here (https://news.ycombinator.com/item?id=19038588) states that it supports only Gmail. Since Gmail already has unsubscription options in each email, this one seems to be doing the consolidated view and taking additional steps by sending an email. Doesn’t seem like a lot of differentiation and value add, which is something that needs to be explained on the front page.

The service looks interesting, but this isn't a problem for me. I know what services I'm subscribed to and unsubscribe from the ones I don't want to receive.

A bigger problem for me is services that I have already unsubscribed from but the company doesn't honor my request. I'm still on some of their lists years later which infuriates me.

Something we plan to do is name and shame companies that do this.

They're in breach of the CAN-SPAM act and should be punished appropriately.

Out of curiosity, how did you decide to offer these different tier levels? Why is the most expensive tier 6 months instead of "Lifetime"? The latter would seem more impressive and potentially get more people to spring for the price.

I realize that if someone hasn't emailed you in the last 6 months, they're not really an active concern. But customers aren't thinking that deeply when they go to purchase — they're just looking at the time periods and dollar amounts and weighing the options.

Yes, there are a couple of reasons;

1. Like you mention, if you don't receive a subscription in the last 6 months, it's probably not something you're bothered about.

2. Scanning some users' inboxes is very bandwidth intensive, and time consuming (some people never delete an email). We experimented with 1 year scans and some users just give up waiting. We could probably improve the process, however due to point 1, we think 6 months is probably adequate.

"The only folder we exclude is the spam folder." I would pay for a service that unsubscribes my email from spam senders. Especially those without unsubscribe link in email.

Where did you get that quote from?

We don't exclude the spam folder.

Forget email. How about killing the spam phone calls.
