For years now, people have been letting Unroll.me read the contents of their email inboxes, to help them unsubscribe from email spam. The service was endorsed by our sister site Lifehacker in 2011 for its effectiveness in finding and cleaning out unwanted subscriptions (and Gizmodo wrote about its iOS app release last year).
But a New York Times profile of Uber this weekend revealed, in passing, that Unroll.me, which is owned by a company called Slice Intelligence, isn’t just in the business of tidying up customers’ inboxes. Slice makes money by scanning its users’ email for receipts, then packaging that information into intel reports on consumer habits. Uber, for example, was paying Slice to find users’ Lyft receipts, so it could see how much they were spending each month, “as a proxy for the health of Lyft’s business.”
On its website, Slice brags that it has access to 4.2 million people’s inboxes, where it quietly sits looking at receipts from “hundreds of thousands of retailers.” Many Unroll.me users have been quite upset to learn about the extent of the data collection, which the service’s CEO, Jojo Hedaya, wrote in a blog post yesterday is “heartbreaking.”
“[W]hile we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough,” Hedaya wrote.
How open was Unroll.me about what it does? When you sign up, this is how you’re informed about the service’s plan to read all your email and monetize the receipts:
Um, no, I wouldn’t call that an “explicit” explanation of the Unroll.me business model. The pop-up window doesn’t even include a scroll-through box of the text you’re agreeing to; it simply offers an extra link to click if you’re motivated enough to go find it.
If you do click through and go ahead and read the privacy policy, the text does tell you about the use of “non-personal information” to “build anonymous market research products and services,” but it’s in tiny light gray print against a lighter gray background. That’s a design choice that seems intended to get your eyes to glaze over what’s written, a classic “dark pattern,” which is when a website gives you information while trying to ensure you don’t absorb it:
Unroll.me didn’t need to make its privacy policy 50 shades of grey to keep people from reading it, because people already don’t read privacy policies. They are long. They are squirrelly. They contain non-specific legalese. To read all the privacy policies for all the services you use, you’d need to take a month off work every year. According to a 2014 study, half of all Americans don’t even know what a privacy policy is; they think a service having one means that it automatically keeps customer information confidential. They don’t realize that a privacy policy exists to tell you not how a company is going to keep your information safe but all the ways it plans to exploit it.
Maybe some users of Unroll.me don’t mind this monetization of their information. Everything that comes free online has a privacy price, after all. We’re used to our data being the currency of the internet.
But people invited Unroll.me into their inboxes for the sake of managing their bulk email subscriptions. The natural assumption would have been that if Unroll.me was collecting and selling user data, it would be data related to that service—say, information about subscription retention rates, for companies interested in effective bulk mailing.
Instead, in the gray print, it claimed the power to gather data “for any purpose” by reading any commercial emails you might have received. If you’re disturbed by that, it’s a reminder of the dangers of giving any app access to your inbox, probably the most sensitive collection of information you have. When you sign up for any service and it asks for these kinds of permissions...
... watch out. It means the company is reading your email and might do things with it you don’t like.
To see if you’ve granted any services access to your Gmail, check your Google permissions. In Outlook, go to settings and “Manage Integrations.” In Yahoo, go to your account security page. And if you use Unroll.me, and you’re not down with this monetization strategy, you might want to go delete your account. You just have to sign in, go to settings, and then click the little link at the bottom of this page.
Yeah, that gray-on-gray one at the bottom that you have to scroll down to see.