Unroll.me Fiasco Once Again Underscores the Need for Caution Against Free Apps and Services

Buried deep inside The New York Times' detailed profile of Uber CEO Travis Kalanick last week (about the lengths he is willing to go to achieve success) is a small but important tidbit. The ride-hailing startup, which is in hot water over its toxic employee culture and is engaged in a bitter legal kerfuffle with Google's Waymo, apparently secured ride receipts of Lyft users from a competitive intelligence firm called Slice Intelligence to gauge its rival's health and stay ahead of the competition.

In case you missed it, Unroll.me is a free service

Now if you are wondering how on earth the company managed to get hold of this data, let me tell you a story - an interesting one at that. Founded in 2010, Slice began as a shopping and package tracking add-on for Yahoo! Mail (before expanding to other email services and venturing into mobile apps), allowing users to find all their order confirmations and receipts in one place. Recognising its potential as a valuable research tool to analyse user buying and spending patterns, Japan's largest retailer Rakuten, also an investor in Slice, acquired it in 2014 (paywall).

Unroll.me, founded by Josh Rosenwald and Jojo Hedaya in June 2012, has a similar history. Billed as a service to free your email inbox from unwanted newsletters and subscriptions (see image above), it quickly became popular, amassing over 100,000 subscribers within a year. A report by TechCrunch on August 5, 2013 revealed that "more than 106 million emails have been diverted from inboxes thanks to Unroll.me's 'unsubscribe' feature, and that more than 225 million emails have been summarized in Unroll.me’s digest emails." The subscriber count now stands at 4.2 million.

Slice and Unroll.me's analogous ambitions to tackle the headache that is a cluttered inbox (and subsequently use it to mine user data) led to the latter being acquired by Slice in late 2014. "The opportunities for us to improve people's lives by creating value from the information in email are limited only by our imaginations, so we see many avenues to grow the Unroll.me and Slice businesses jointly through the creation of new apps and experiences. We'll have more news on this soon, stay tuned!" said Rosenwald after the acquisition.

Mind you, both Slice and Unroll.me are free services. But unlike Google, Facebook or Microsoft, who use the anonymous user data they collect to lure advertisers to show tailored ads on their services, Slice operates by selling the said user data to third-party clients who can do whatever they want with the information. Which is exactly what Unroll.me did by selling anonymous ride receipt information of Lyft users to Uber. What's interesting, however, is that none of this is explicitly stated in its privacy policy, even if Slice has it in black and white (emphasis mine) -

Email and Other Accounts. You may also provide information necessary to use the Services, such as the login credentials for your email, social networking, or other Internet accounts that you link to the Services. By linking the Services to your email or other Internet accounts, you authorize us to gather, parse, and retain information, including personal information, from past and future emails and other communications you receive that relate to your online and offline shopping and purchasing ("transaction information").

We will use the information we collect, including your personal information and transaction information: (i) for internal and service-related purposes, such as to provide, improve, and personalize our Services, and to develop new ones; (ii) to communicate with you in order to provide you with information we think may be useful or relevant to you; (iii) to promote the Services; (iv) to analyze information in order to offer anonymized data products to third parties; (v) to facilitate the sharing of anonymized information, including transaction data, as set forth below; (vi) to enforce this Privacy Policy, the Terms of Service, and to protect the rights, property, or safety of Slice or its users; and (vii) as otherwise stated in this Privacy Policy.

Anonymous Use and Sharing. We may share with others anonymized transaction information for market research, data modeling, and analytics. Such information will not include personal information, but may include unique identifiers such as device identifiers or "hashes" of email addresses.

Here is Unroll.me's policy in comparison -

We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose. For example, when you use our services, we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts. We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.

Not super-clear, is it? In a corporate blog post titled We Can Do Better, Jojo Hedaya said "it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service." Perri Chase, the third co-founder of Unroll.me, who left the company after its acquisition by Slice, defended the data collection in a Medium post. "Unroll.me was bought by a company called Slice Intelligence (don't get me started on the founder of that company) who takes that data and repackages it to sell insights to companies," she wrote, describing anyone who was outraged by Unroll.me's monetisation practice as "living under a rock."

"Look, respectfully, you have clearly been living under a rock because if you look at the entire tech ecosystem — It's fucking gross. It starts at the top with the character quality and priorities of the investment community which, btw is not to be nice to the users it is (shocking) to make money!!! I encourage you to go read the Terms of Service of every app you opt in to in order to see what rights they have over your data. This is not new. Is it good? Is it bad? Is that the point? You opt in for an awesome free product that clearly states the following and you are offended and surprised? Really?"

The dreaded popup that no-one bothers with! (Image credit: Gizmodo)

Chase indeed has a point. But the problem is most people don't bother reading privacy policies and terms of service agreements. They are often long, complicated and mired in obtuse legalese, as if deliberately designed with an intention to confuse users, thus preventing users from making informed decisions and leading to serious mismatches in privacy expectations. That said, by now it's also safe to assume that any internet service that claims to be free isn't really "free" and that if you are not paying for it, you are not the customer, you are the product. In other words, you are paying for it by trading your personal information. In an era where data has fast become the currency of the internet, what you are and what you do online therefore really matters.

Here are some steps you can take for a start -
  • Before signing up for any service, take some time to understand its privacy policies. While they can be super vague and confusing, check out sites like Terms of Service; Didn't Read (ToS;DR), TLDRLegal and Usable Privacy, which break down privacy policies in simplified plain-language formats.
  • Even if you are convinced of its policies, be mindful of the access permissions you give to those services. Do you really need Unroll.me to scan every single email of yours? Is a service requesting access to something (e.g. contacts) that you think is not really required for it to function?
  • Everything comes down to trust, not convenience. Unroll.me exploited this very aspect to entice users into linking their email accounts with them. While it's no longer possible to ignore the internet, choosing where you share your data and with whom is of utmost importance.
  • Never share anything on any website anywhere on the internet regardless of any privacy settings unless you are willing to accept that the data might one day be public.
  • Finally, be prepared to pay for services (if not now, in the future) - The Facebook, Google, Microsoft and Twitter you see today rely primarily on advertising to generate revenues, but if they promise to offer you the same service sans ads but for a monthly fee, will you be ready to pay, this time in actual dollars?