Companies that buy data derived from scraping the contents of email (vice.com)
102 points by robin_reala 18 days ago | 43 comments

Edison posted a response[0] with this amazing sentence:

> to protect your privacy by rejecting an advertising-based business model, our company Edison Software, measures e-commerce through a technology that automatically recognizes commercial emails and extracts anonymous purchase information from them

[0]: https://medium.com/changing-communications/a-reminder-of-how... (non-Medium: https://outline.com/7K3TAL)

That's an amazing level of marketing doublespeak right there. Protecting my privacy by reading my emails? Right, pull the other one.

"we had to destroy the village in order to save it"


Sounds pretty silly to extract your data instead of showing you ads — all in the name of protecting your privacy.

But to play devil's advocate, some ads do actually invade your privacy because they come from malicious malvertisers. If they are actually treating the purchase price information 100% anonymously (never linking it to PII), then there's an argument that they're protecting your privacy by doing this.

Or they could just run an ad platform that blocks malvertisements...

> If they are actually treating the purchase price information 100% anonymously (never linking it to PII), then there's an argument that they're protecting your privacy by doing this.

There is no privacy benefit here because you'd have even better privacy protections if they didn't trawl through your emails and extract data from them in the first place.

That's a painfully shameful attempt to conceal malicious practice.

I am having trouble parsing that out, why would they be extracting 'anonymous' purchase information from 'automatically recognize[d] commercial emails' if they care about protecting privacy... ?

I installed Edison on iOS somewhat recently. At the end of setting up my server info, there was a question asking if I approved them using/sharing my data. I tapped NO. My information was all deleted like I had just installed the app brand new. I thought it was a bug so I went through set up again. Selected NO again. Account info deleted. You can’t use the app without agreeing they can use your info/data.

I uninstalled.

This sort of thing is why I don't trust any apps that I haven't built myself, and keep them firewalled off from the internet so they can't phone home. I trust commercial applications on the desktop to exactly the same degree, for the same reasons.

In terms of privacy and respecting the users, the state of software today is deplorable.

WeChat killed their web interface for most users and replaced it with a message that translates to: "For your own account safety, this account cannot use the web version. You can use the Windows or Mac client [download links]"

Safety? Web is about as safe as it gets. It's one thing to spy on users but it's a whole other thing for Tencent to masquerade under the name of safety to cheat users into downloading what could quite possibly be spyware. That's not only spying but also spreading false information about computer security to the masses.

> Safety? Web is about as safe as it gets.

I strongly prefer native apps over web apps because I can firewall off native apps. I can't do the same for web apps.

I'd say the exact opposite, especially on desktop. Most native desktop apps can't run without access to the filesystem, for instance.

I was referring to the WeChat web app vs. the WeChat Mac/Windows app; the web version has no access to your filesystem, but they are not allowing people to use it anymore. The Mac/Windows versions could theoretically read any files on your system, spy on your clipboard, portscan your private LAN, scan Wi-Fi networks, and lots of other nasty things that the web version cannot.

Also with webapps it's much easier to inject JavaScript to "edit" their behavior. Desktop apps are often compiled to machine code (or have mysterious pieces thereof which are) which makes it difficult.

> Most native desktop apps can't run without access to the filesystem, for instance.

True, but in terms of privacy, that doesn't matter if the app can't communicate out.

WeChat is mostly an instant messaging app, so not letting it communicate out would defeat the purpose of using it in the first place.

I agree with you for purely offline tools such as Inkscape/GIMP/etc. though.

> not letting it communicate out would defeat the purpose of using it in the first place.

True. Apps that must communicate out in order to do their jobs are a different category.

Aren’t a lot of “native” apps mostly wrappers of web apps? In that case, you can silo off the web app yourself into its own wrapper to firewall it?

Yes. I should have been more specific. I wasn't talking about those -- I was talking about things you use a real browser to work with.

A colleague of mine is attending a conference this week where attendees are 'required' to install an app to their personal phones so that they can get the latest updates to changes to the conference agenda.

No doubt this is a data-mining platform marketed to conference organizers who probably don't have much of a clue what the real value add is for the app creator.

I have strongly encouraged them to not install the 'app'.

I get the average person and majority in general won’t do this. Just wondering: if you don’t give the app any permissions, and only open it once or twice the entire time, does it have any real effect on your privacy?

Guessing that conference isn't Data Security 2020. I really hope it isn't anyway.

I'd bring an old Nokia and ask if the venue supports it.

What if you don't have a cellphone?

Also relevant:

Google Admits: Third-Party Apps Can Still Access Your Gmail Data


Well... no shit? If you gave someone permissions to read your emails, obviously they can read your emails. And because they can read them, they can also copy your emails and/or share them with other companies. This isn't something that can be stopped by Google.

Ya, the entire process is only to vet companies' policies on data access, retention, etc.


On an opt-in basis, which seems fine. A lot of people want email activity being fed to some other tool like CRM or call center software.

One great feature of G Suite, in my opinion, is the ability to prevent OAuth-authenticated access to the email APIs, IMAP, and POP for your organization. These shady apps are ALL stealing your data. Literally every single one of them. And just telling your users to be careful about what apps they use isn't going to cut it, someone in your organization will leak everything.

From their T&C's page "you may provide us with information about your contacts (such as names, email addresses, etc.)"

Whoever installs this app consents to sharing the information of their contacts, who might not consent to having their data shared.

Ultimately, this could lead to giving disposable contact details to friends and relatives, in order to (try to) preserve one's privacy.

That's a tough problem to solve, "Import your Address Book" has been a feature of communications platforms as far back as I can remember.

And it's been a terrible practice from day 1.

People should really read the privacy policies before using any email app these days. Many popular ones state that they, at minimum, will keep access tokens on their servers, and many outright cache copies of your messages.

Even if you trust them on privacy or are willing to let them analyze your emails in exchange for some feature, there are very few companies that I trust to handle my email securely.

If a hacker gained access to my Gmail access tokens, they're a password reset link away from taking over most of my other online accounts and probably more than a few banking accounts. And then deleting the password reset emails.

Having worked for large and small companies (including ones that handle emails), security is always second (or third) compared to other business priorities. It takes a large effort to make sure everything is locked down and most companies don't have the skills, resources, and commitment to properly secure everything even if they nominally claim that security is important.

My lack of trust is the sole reason I never had email on my phone until a few months ago. I moved to ProtonMail and I use their app (which is great). I trust them. It's possible I'm wrong, but I know how they make money and if I use them long enough I'll be a paying customer when my free space runs out. They also open-sourced their codebase and I have a friend in law enforcement who has delivered warrants to them and they truly don't keep any data or have access to emails at all.

Most privacy policies are in legalese, and hard experience has shown that what I, as a non-lawyer, think they say is quite often very different from what they actually say.

As a result, I gave up bothering to read them unless they're one or two paragraphs long. I simply assume they say what 90% of them really say: they can take any data they like, do whatever they like with it, and they can unilaterally change the agreement any time they want.

If something is free on the internet, there is a good chance you are the product.

And if you're paying for something on the internet, there is a good chance that you are the product.

For the most part, these days, if you're on the internet you are the product.


Are there really no good open source email clients on iPhones?

The app review process can be very time-consuming. I imagine this is at least part of the reason there are not more open-source apps on iOS.

Also, there's no way to change your default mail client, so that makes it somewhat less likely that we'd see someone develop one of these.

The HN title of this article, cf. the true title on the vice.com web page, fails to consider that this article is also about the companies that sell data derived from scraping the contents of email. Arguably the sellers are more interesting here as they are the ones doing the scraping and creating the market.

Someone changed the title. The original submission title matched the article title [1]. Feels like an intentional re-characterization to place the blame on the ones purchasing the data, as opposed to the ones harvesting and selling. This journalist is the same who exposed Jumpshot [2] for similar tactics (selling highly-sensitive user-level data), and a few days later the entire company (~230 employees) shut down.

I asked about a similar problem [3] on a "Who's Hiring" last week to a YC-funded company and dang was quick to detach that comment, as it was off-topic for the context of the thread.

[1] https://www.google.com/search?q=site%3Anews.ycombinator.com+...

[2] https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-se...

[3] https://news.ycombinator.com/item?id=22229267

It seems it's time again for the reminder that if you aren't paying you are the product, not the customer. I don't understand how people don't understand this in 2020, after at least 2 decades of this nonsense. Or do they just not care?
