A report this week accuses email apps of selling user data—or, at least, data derived from your email. One such app company, Edison, says there’s no news here, because it’s always been transparent about this.
But users say they’re surprised to learn their data is for sale. It certainly looks like a lack of informed consent.
And then there are the other app pushers. In this week’s Security Blogwatch, the party’s over.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Concorde eclipsed.
Opaque “transparency”
What’s the craic? Joseph Cox reports—How Big Companies Spy on Your Email:
Confidential documents … show the sort of companies that want to buy data derived from scraping the contents of your email inbox. … The popular Edison email app, which is in the top 100 productivity apps on the Apple app store, scrapes users' email inboxes and sells products based off that information … to companies who can buy the data to make better investment decisions.
…
Edison is just one of several companies that offer free email apps which then sell anonymized or pseudonymised data derived from users' inboxes. … "Consumer purchase metrics including brand loyalty, wallet share, purchase preferences, etc." … sourced from "personal inboxes," the document adds.
That sucks. William Gallagher adds—More email apps caught 'processing' and selling user data:
The best-known of these is Edison Mail, which is an email client for both Mac and iOS. … Edison Mail prompts users with complete and appropriate canned responses.
Edison Mail's developers have been clear that this is achieved by parsing users' email to build these lists. … However, it has not said that it then…sells products to finance, travel and e-commerce customers that is derived by scraping users' email.
Edison's website explicitly states that data is collected from users, and it extensively details all the use that users' agree to by signing up to the service. At no point, however, does it say that it will sell this data.
That really sucks. Michael Potuck is struck by this angle:
While the developer says on its website that it does “process” its users’ email, Edison customers … said they didn’t realize what was happening. … Edison having phrases like “privacy by design” and “privacy first” on its website can feel misleading after learning about how they scrape and sell personal data.
As you might imagine, there’s trouble at Edison’s PR mill—A Reminder of How We Use Data:
To keep our Edison Mail app free, and to protect your privacy … Edison Software measures e-commerce through a technology that automatically recognizes commercial email and extracts anonymous purchase information from them. Our technology is designed to ignore personal and work email, which does not help us measure market trends.
…
You have complete control over how your information is used and we allow you to opt-out of data sharing. … Our Edison Trends e-commerce research product … provides insights about shopping trends from aggregated and anonymized transaction data extracted with permission from our Edison Mail app users.
Wait. Pause. How is it “with permission” if it’s “opt out”? And how is it “a reminder” if we didn’t already know? Jarrad Young—@DrnkJarrad—is one of countless Edison Mail users who were, uhh, “surprised” by the lack of transparency:
Didn’t know y’all were selling my data to line your pockets. Deleting the app today and instructing [people] I know to do the same.
Shame on y’all.
My my my. Tysonmoth metamorphs a monochrome metaphor: [You’re fired—Ed.]
[It’s] like going to church and having your pastor say "trust me, I am a man of God" as he asks for all of your banking user account information. … A pastor should know far better than to ask for bank passwords.
Similarly, Edison should know far better than to traffic in private user email and simultaneously claim that they are about privacy. They say "privacy is important" and "transparency is important," but they never reveal their actual business model: "Use the … app for free by selling us your personal email."
Who is using these cringe-worthy apps? Yoni Heisler warns—email apps might be spying on you:
While I can certainly understand the desire to use a more fleshed out email [app], you’d be well-advised to do some research before downloading certain email clients. … There are a number of … apps that collect user data in questionable ways.
…
Privacy-minded users should be a bit more cognizant of the third-party email apps they choose to use.
But tennisproha blames Cupertino:
I wish Apple would fix it’s Mail app so that it’s remotely useful for anything other than junk mail. It’s definitely not usable for business.
Anyway, why should you care? nikosdion suggestifies thuswise:
All these funky new "mail apps" are a … nightmare. Not for the companies operating them … but for their users.
Imagine you're a professional who uses these apps to retrieve work-related email where your clients may share personally identifiable information (PII). … Unless you explicitly state in your privacy policy that the email app company and its clients may get access to it you are violating the GDPR which carries a fine up to 20 million Euros or 4% of your annual global income, whichever is higher.
…
Using such an app [should be] a fireable offense. Actually, considering the contracts my subcontractors have signed post-GDPR, it is a fireable offense and perpetually keeps them on the hook for any legal repercussions.
Think about this next time you're about to use a "mail app" for anything but your strictly personal email.
Meanwhile, @Rob_Rainbolt speaks directly to the companies’ employees:
Leeches like Edison will wither and die as users reclaim their privacy. Hope all of you are keeping your resumes up to date.
The moral of the story?
What are your users’ installed apps doing with your company’s data? It’s a Wild West of apps out there, so what’s your MDM strategy?
And finally
Chasing the a total eclipse at 1,100 mph
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Airman First Class Zachary Hada (US Air Force)
Keep learning
Understand the newest privacy laws with this Webcast: California’s own GDPR? It’s not alone.
Take a deep dive into the new privacy laws with TechBeacon's Guide to GDPR and CCPA.
- Get up to speed on cloud security and privacy and selecting the right encryption and key management with TechBeacon's Guide.
