Several email services—most notably the top email apps Edison, Cleanfox and Slice—have been found to be scraping through the inboxes of their users to find data for resale, a J.P. Morgan document obtained by Vice’s Motherboard revealed. The third parties involved include finance and e-commerce companies, which purchase the information as data products.
The companies to which the top email apps sell data—one of which is Wall Street banking giant J.P. Morgan—reportedly make use of the information they buy to improve their investment decisions.
The Edison email app is one of the top email apps globally and among the top 100 productivity apps on the Apple app store, with millions of active users worldwide.
The recent allegation is not the first time in which Edison has become embroiled in a privacy scandal. In July 2018, the Wall Street Journal uncovered that user emails were being read by Edison employees in order to improve the app’s smart reply feature.
Data products built on transaction records
The top email apps implicated by the report seem to be concerned primarily with tracking the transaction data of their users, such as receipts, bookings and shipping emails. By using this information, companies are able to make informed decisions about the consumer behaviour of the individuals who’d had their emails scraped.
Aside from J.P. Morgan, several of these third-party companies in question include Paypal, Bain & Company, and McKinsey & Company—all of which receive data products from top email apps.
According to the Vice report, most users are wholly unaware that such practices are even occurring in the first place, and likely would not consent to their transaction data being scraped and sold as data products to third-parties.
The practice of obtaining user information as data products is widely defended by the companies involved. According to Florian Cleyet-Merle, COO of French information firm and Cleanfox’s parent company, Foxintellegence, “crowd-sourced transaction data has a transformational power both for consumers and for companies and that a marketplace where value can be created for both sides without making any compromise on privacy is possible.”
For the top email apps involved, however, what happens to such transaction data is made out to be considerably less clear. The Vice report points out that Edison’s privacy policy claims that it “accesses and processes” the emails of its users, and top email apps Cleanfox and Slice give similar disclaimers in their privacy policies.
However, the companies do not make it clear what precisely they consider as being ‘processing,’ and they also do not allude to the fact that they use the term to include the scraping of user inboxes for receipts and other transaction data for use as data products.
The top email apps implicated in Vice’s report all claim that the data they collect is anonymized or pseudonymized by the time it is resold to third-parties. However, doubts have been cast as to whether or not anonymity and pseudonymization do indeed occur in practice.
According to computer science research from Harvard John A. Paulson School of Engineering and Applied Sciences, data leaks and anonymized data products do, in fact, “pose greater risks than most people realize.” What’s more, similar investigations—such as those undertaken by the New York Times—reveal that anonymous data which had been stolen in breaches can be relatively effortlessly traced back to specific individuals with a high degree of certainty.
Top email apps offering varied responses
Edison responded to the allegations in a blog post on 10 February, in which it claims that it “puts privacy first” and makes users “aware of how we use their data in our products.”
However, the company nevertheless points out that in order to keep their app free, Edison “measures e-commerce through a technology that automatically recognises commercial emails and extracts anonymous purchase information from them.”
In essence, this amounts to a public confirmation that the company makes use of software to identify transactional emails and extract information from them for use as data products.
Cleanfox, on the other hand, denies all wrongdoing on its part and claims that its privacy practices stand in full compliance with the General Data Protection Regulation (GDPR). The company asserted in a statement to Techradar that they “strongly reject the recent accusations that Cleanfox sells user data to third-party companies” and claim that such claims are “false and defamatory.”
The third company, Slice, offered perhaps the most proactive response, adapting its settings in January (before the report broke) to allow users to opt-out of their emails being used as data products.
“For our customers in the EU or in the European Economic Area,” the apps homepage says, “the Slice team is committed to re-introducing our service as quickly as possible so please stay tuned for updates.”