Mailbox tools are a security risk

On Sunday the NYTimes published an article about Uber’s CEO. One of the pieces of information that came out of that article is that services like unroll.me sell information they scrape out of emails sent to their users.

Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. […]
Slice confirmed it sells anonymized data (meaning that customers’ names are not attached) based on ride receipts from Uber and Lyft, but declined to disclose who buys the information.

Unroll.me is a service that takes users’ commercial email and “rolls it up” into an easy-to-digest email. Basically, users give unroll.me access to their mailboxes, and the company digs through the mail they’ve received in order to organize it. I wrote about them back in 2015 because they were mishandling unsubscribe requests. The issue then was they were not sending unsubscribe requests if the List-Unsubscribe header was a mailto: link. They noticed and then flooded ESPs with requests all at once, causing many people to question if these were legitimate unsubscribes.
What I didn’t realize at the time is that using unroll.me means you are granting a third-party application access to your entire mailbox. Their FAQ claims you’re agreeing to “limited access.”

The signup process is quick and easy. Here’s how it works: Click on the “Signup” button on the homepage. Type in your email address. Unroll.me will ask for limited access to your email address using OAuth for Gmail or username/password for all of the other services. After granting limited access, Unroll.me scans your inbox and compiles a list of your email subscriptions. This can take a few moments. Once the scanning process is complete, a list of your email subscriptions will be presented to you. You’ll be able to edit them right away. That’s it! Once you’re done, begin enjoying the Unroll.me experience!

What does that “limited” access look like? This is how Google describes the access unroll.me wants:

Unroll.me has unrestricted access to read, send, delete, and manage your email. What Google doesn’t know or say is that you are also giving unroll.me permission to sell information and data about your commercial and transactional emails (as defined in CAN-SPAM).

We may collect, use, transfer, sell, and disclose non-personal information for any purpose. […] we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et seq.)) that are sent to your email accounts. […]
We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; […] all personal information contained in such messages will be removed prior to any such disclosure. […]
We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners.

Unroll.me isn’t the only provider to access your inbox and sell the data. Boxbe, owned by eDataSource, and Otherinbox, owned by Return Path, both access mailboxes to collect user data. That is the “panel data” so many of my readers use to measure deliverability.
The biggest problem with these services is that an email address is more than simply a mailbox. Email addresses are the keys to our online identity. Giving companies like unroll.me, Return Path or eDataSource access to your mailbox gives those companies access to private data and to the other online services associated with that email account.
Make a purchase from an online retailer? That receipt is a commercial electronic message. Register an account for an online service? The email with your registration information is a commercial electronic message. Give an app an email address? Any email from that app is a commercial electronic message. Receive bank statements? That email is a commercial electronic message. Use your email account to make an appointment at your doctor’s office? The confirmation email is a commercial electronic message. Reset your password on your iCloud account? The reset email is a commercial electronic message.
Just because a message is commercial does not make it non-personal. Some very personal emails come through commercial services. They are emails a lot of people would not want made public, even aggregated and anonymized.
But it’s not just the commercial messages that are an issue. The services have access to the email account. I looked through all 3 services to figure out if they are looking at all the mail and just taking data from commercial mail, or if they’re just looking at commercial mail. Best I can tell is that they’re reading all mail coming into the account, but only saving data from commercial mail. Or so they say.
For instance, unroll.me claims they do not keep copies of any emails sent to their users. But according to a post on yCombinator, unroll.me is keeping copies of every mail sent to and sent from accounts associated with unroll.me.

I worked for a company that nearly acquired unroll.me. At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets. A large part of Slice buying unroll.me was for access to those email archives. Specifically, they wanted to look for keyword trends and for receipts from online purchases. karlkatzke

If this is true, there are major issues here. Why are they saving outbound mail? Outbound messages have nothing to do with incoming commercial mail, with tracking trends, or with what commercial email companies are sending, so there is no reason to save them. How secure are these S3 buckets?
Notice, too, that the services never discuss how they are identifying commercial messages. They just say they’re only monitoring commercial messages. But what criteria identify a message as commercial rather than personal? I can think of a couple of ways to ID commercial messages, but all of them are fraught with false negatives and false positives. Of course, the services fall back on “commercial” and rely on users believing that the service has a magic way to avoid identifying personal email as commercial.
The main takeaway from this is that if you give a third party access to your mailbox you’re giving them the keys to the kingdom. If you care about your privacy or the security of your personal information you need to be aware of what their actual business model is – that it’s “selling data based on the email you receive” not “cleaning up your mailbox”, for instance. You also need to convince yourself that you completely trust the third party with your data – not just their stated use of it, but also their operational competence and dedication to data security.
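The classification question raised above, together with the List-Unsubscribe handling behind the 2015 unsubscribe problem mentioned earlier, as an added example that is not code from the article or from unroll.me, Boxbe or Otherinbox. It parses the RFC 2369 List-Unsubscribe header (both the mailto: and the http(s): forms, which a client has to handle separately) and applies a plain header heuristic for “commercial” mail to five constructed sample messages. The placeholder domains and addresses, the automated-sender regex and the “private” labels on the samples are assumptions made for the illustration.

```python
"""Header-only triage of 'commercial' vs. 'personal' mail, with its misses.
Added example; not code from the article or from any service it names.
All sample messages and addresses below are constructed placeholders."""
import re
import email.utils
from email import policy
from email.parser import Parser

# Constructed samples: name -> (raw RFC 5322 message, is the content private?)
SAMPLES = {
    "newsletter": ("""\
From: Example Shop <news@shop.example>
To: alice@example.test
Subject: Weekend sale
List-Unsubscribe: <mailto:unsub-123@shop.example>, <https://shop.example/unsub?id=123>
Precedence: bulk

Everything 20% off this weekend.
""", False),
    "password_reset": ("""\
From: Example Cloud <noreply@cloud.example>
To: alice@example.test
Subject: Reset your password

Reset link: https://cloud.example/reset?token=PLACEHOLDER
""", True),
    "friend": ("""\
From: Bob <bob@example.test>
To: alice@example.test
Subject: dinner?

Still on for Friday?
""", True),
    "bank_statement": ("""\
From: Jane Advisor <jane.advisor@bank.example>
To: alice@example.test
Subject: Your March statement

Your statement is attached. Closing balance: [redacted].
""", True),
    "friend_via_list": ("""\
From: Bob <bob@example.test>
To: family@lists.example
Subject: Grandma's test results
List-Id: Family chatter <family.lists.example>
List-Unsubscribe: <mailto:family-leave@lists.example>

All clear, the doctor says.
""", True),
}

# Local-parts that usually mean an automated sender (an assumption, not a standard).
AUTOMATED_SENDER_RE = re.compile(r"^(no-?reply|do-?not-?reply|notifications?|news|marketing)@")

def parse_list_unsubscribe(value):
    """Split an RFC 2369 List-Unsubscribe value into mailto: and http(s): URIs.
    The header holds comma-separated <uri> entries of either scheme; a client
    that only follows http(s): links silently drops the mailto: lists."""
    uris = re.findall(r"<([^>]+)>", str(value or ""))
    return {
        "mailto": [u for u in uris if u.lower().startswith("mailto:")],
        "http": [u for u in uris if u.lower().startswith(("http://", "https://"))],
    }

def classify(raw):
    """Flag a message 'commercial' when any bulk-mail header signal is present.
    Kept deliberately simple so that its false positives and negatives are visible."""
    msg = Parser(policy=policy.default).parsestr(raw)
    signals = []
    unsub = msg.get("List-Unsubscribe")
    if unsub:
        signals.append("list-unsubscribe")
    if msg.get("List-Id"):
        signals.append("list-id")
    if str(msg.get("Precedence", "")).lower() in ("bulk", "list"):
        signals.append("precedence")
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if AUTOMATED_SENDER_RE.match(sender):
        signals.append("automated-sender")
    return {"commercial": bool(signals), "signals": signals,
            "unsubscribe": parse_list_unsubscribe(unsub)}

def exposure_report(samples=SAMPLES):
    """Classify each sample; harvested_private marks messages the heuristic
    would collect even though a person would consider their content private."""
    report = {}
    for name, (raw, private) in samples.items():
        r = classify(raw)
        r["private"] = private
        r["harvested_private"] = r["commercial"] and private
        report[name] = r
    return report

if __name__ == "__main__":
    for name, r in exposure_report().items():
        label = "COMMERCIAL" if r["commercial"] else "personal"
        note = "  <- private content harvested" if r["harvested_private"] else ""
        print(f"{name:16} {label:10} signals={r['signals']}{note}")
```

Two of the five samples come out flagged commercial while carrying exactly the kind of content the paragraph above is worried about (a password-reset link, a family announcement relayed through a mailing list), and the bank statement, which CAN-SPAM would treat as a transactional message, carries no bulk-mail headers at all and passes as personal. Adding more signals to the heuristic moves those errors around; it does not remove them.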
Note: Return Path has commented with a statement on how they inform users about info collection and what they do to protect user privacy.

Related Posts

The Cyber and The Security

Cybersecurity has been on my mind lately. There is a lot of bad stuff going on, from giant DDoS attacks, to subscription bombing, to the ongoing low-level harassment that some people have to deal with on a daily basis. I’ve written a lot about how I think marketers are going to have to step up and stop being a conduit for abuse. I do believe this. There are a lot of different issues to discuss but there are also many, many different stakeholders in the issue of cybersecurity.
I’ve been on multiple calls with different groups over the last few weeks discussing the implications of the subscription attack and how it was carried out. The majority of my focus is email and how to protect senders from becoming a conduit for abuse. Other folks participating on the call are looking at what abuse is out there and how to stop it or minimize it.
One thing that came up on a recent call is that the bulk of DDoS traffic that took Brian Krebs’ website down was from various Internet of Things devices. Security cameras, DVD players, televisions, lightbulbs and other connected devices were part of the problem. It’s a huge issue, and one that cannot simply be mitigated by just ISPs and providers. But convincing individuals to secure their lightbulbs can be a challenge; we can’t even protect their computers completely. Convincing companies to stop providing default usernames and passwords or using the same keys for every device is another challenge.
These are big issues that we’re going to have to deal with.
Last night, with 100 million of my virtual friends and a small group of local ones, I watched the first Presidential debate. Part of the debate was about cyber security. To misquote Vice President Biden, “Cybersecurity is a big freaking deal.” We have nation states, and groups with the resources of nation states, conducting covert operations online. We have hacking, compromises, botnets and other malicious activity occurring every single day. And, the more complex the site and the more users it has, the more likely it is to be compromised. Cybersecurity is a critical part of national security and our own individual security. We must take it seriously and we must address it.
Now, I’ll be honest: I don’t think there is a solution to the problem. I think, though, that there are hundreds of things we can do as individuals, as companies, as nations, as volunteer organizations, as NGOs and as coalitions to solve different parts of the problem. We all need to think about what it is and who’s doing the bad stuff.
It’s common to think of hackers as lonely boys in basements who have too much time and too little to do. Back in the ancient days of the spam wars some folks referred to them as “chickenboners”: beer-drinking rednecks who ate fried chicken and threw the bones on the floors of their trailers. The reality even then, though, was that many spammers ran businesses and made a lot of money. Admittedly, the descriptions of how the business was run are cringe-inducing and full of illegal activity.
Now, much of the hacking is actually organized crime outside the US. This makes it hard to address successfully through legal channels.
It’s all very complicated. But I think we can agree security is a big deal. We are all part of the solution, by securing our sites and our personal devices. We’re also part of the solution by paying attention to the larger issues and events going on around us.

November 2016: The Month In Email

Happy December! Between #blackfriday, #cybermonday & #givingtuesday, pretty much everyone in the US has just survived a week of email from every brand and organization they’ve ever interacted with. Phew.
Is this still the best strategy for most senders? Maybe. But it’s always important to be adaptable and continue to evaluate and evolve your strategy as you move through the year.
As always, I continue to think about evolving our own strategies, and how we might best support senders and ESPs. One of the challenges we face when we talk to senders with deliverability questions is that so many of our answers fall into a nebulous “it depends” zone. We’re trying to articulate new ways to explain that to people, and to help them understand that the choices and details they specify at each point of their strategic planning and tactical execution have ramifications on their delivery. While “it depends” is still a correct answer, I’m going to try to avoid it going forward, and instead focus on exploring those choices and details with senders to help them improve deliverability.
In our community of deliverability and anti-abuse professionals, we are — as you’d expect — quite sensitive to unsolicited email that targets our industry. When an email circulates, even what seems like a reasonably well-thought-out email, it occasionally does not land well. Worse still are the various email-related product and service providers who try to legitimize B2B sales messaging as if it is something other than spam.
The takeaway from these discussions for senders is, as always: know your audience. This post about research from Litmus on millennials and spam is a great example of the kinds of things you might consider as you get to know your audience and how they prefer to communicate.
We also had a presidential election this month, one that made much of issues related to email, and it will be interesting to see how the candidates and parties use the email data they collected going forward.
In industry and security news, we saw over a million Google accounts breached by Android malware. We also saw some of the ramifications of a wildcard DNS entry from a domain name expiration — it’s an interesting “how things work” post if you’re curious. In other “how things work” news, we noted some of the recent changes AOL made to its FBL.
I answered an Ask Laura question about dedicated IP pools, and I have a few more queued up as well. As always, we want to know what questions are on the minds of our readers, so please feel free to send them over!


OTA joins the ISOC

The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella.
“The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.
