Tuesday, April 25, 2017

Stop Using Unroll.me, Right Now. It Sold Your Data to Uber


Tucked away in a rollicking New York Times profile of amoral Uber CEO Travis Kalanick is a tidbit about Unroll.me, a popular service that aims to rescue your email inbox from unwanted newsletters and promotional messages with an easy automated unsubscribe service. The problem is, it’s been selling you out to advertisers, and you should stop using it immediately.

The Kalanick profile says that Uber previously used Unroll.me data to gauge the health of archrival Lyft:

Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. Uber used the data as a proxy for the health of Lyft’s business. (Lyft, too, operates a competitive intelligence team.)

Slice confirmed that it sells anonymized data (meaning that customers’ names are not attached) based on ride receipts from Uber and Lyft, but declined to disclose who buys the information.

This is a capability it’s safe to wager virtually none of Unroll.me’s users are aware of, let alone comfortable with. Indeed, the company’s CEO and co-founder, Jojo Hedaya, immediately penned a pro forma apology blog for the ages, in which he says he and his staff “weren’t explicit enough” about terms that allow, as Unroll.me’s privacy policy puts it, the company to “collect, use, transfer, sell, and disclose … transactional or relationship messages.” Hedaya joins a historic chorus of Silicon Valley executives who say what they always do when they’ve been found out: “We Can Do Better,” as the title of the CEO’s blog post declares:

I can’t stress enough the importance of your privacy. We never, ever release personal data about you. All data is completely anonymous and related to purchases only. To get a sense of what this data looks like and how it is used, check out the Slice Intelligence blog.

This is by all evidence false: If your privacy were important to Jojo Hedaya, the contents of your email, even if anonymized, would not be for sale. Were he ever serious about keeping your inbox private, an apology blog wouldn’t have been needed to begin with. (Hedaya and his co-founder could not be reached for comment.)

At Hacker News, a sort of virtual startup water cooler, a former web developer named Karl Katzke has further alleged in a series of comments that Unroll.me also secured customer emails poorly and that a company for which Katzke worked declined to acquire Unroll.me due in part to concerns over executives’ honesty. In an email to The Intercept, however, Katzke said that while he stands by those comments, “my information is, at best, third person hearsay based on a rumor that was based on hearsay.”

Still, even just based on the facts Hedaya has openly acknowledged, you shouldn’t trust him or his company and should remove Unroll.me’s unfettered access to your Google account immediately, because that’s just what you gave them when you signed up:

       

Here’s how to remove Unroll.me (you can also delete your account following the company’s instructions here):

From your Gmail inbox (or any Google page), click the button with your face on it in the top-right corner, then “My Account.”

Under “Sign-in & security,” click “Connected apps & sites,” then “manage apps.”

           

Find Unroll.me, click it, and then click remove. You might also want to take a very, very close look at any other apps that have been granted the ability to “Read, send, delete, and manage your email.” Do you have a clear assurance that they won’t leverage their access to make money from the likes of Uber? Probably not.