Mailbox tools are a security risk

On Sunday the NYTimes published an article about Uber’s CEO. One of the pieces of information that came out of that article is services like unroll.me sell information they scrape out of emails sent to their users.

Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. […]
Slice confirmed it sells anonymized data (meaning that customers’ names are not attached) based on ride receipts from Uber and Lyft, but declined to disclose who buys the information.

Unroll.me is a service that takes user’s commercial email and “rolls it up” into an easy to digest email. Basically users give unroll.me access to their mailboxes, and the company digs through the mail you’ve received in order to organize it. I wrote about them back in 2015 because they were mishandling unsubscribe requests. The issue then was they were not sending unsubscribe requests if the List-Unsubscribe header was a mailto: link. They noticed and then flooded ESPs with requests all at once, causing many people to question if these were legitimate unsubscribes.
What I didn’t realize at the time is that using unroll.me means you are granting a 3rd party application access to your entire mailbox. Their FAQ claims you’re agreeing to “limited access.”

The signup process is quick and easy. Here’s how it works: Click on the “Signup” button on the homepage. Type in your email address. Unroll.me will ask for limited access to your email address using OAuth for Gmail or username/password for all of the other services. After granting limited access, Unroll.me scans your inbox and compiles a list of your email subscriptions.This can take a few moments. Once the scanning process is complete, a list of your email subscriptions will be presented to you. You’ll be able to edit them right away. That’s it! Once you’re done, begin enjoying the Unroll.me experience!

What does that “limited” access look like? This is how Google describes the access unroll.me wants:

Unroll me has unrestricted access to read, send delete and manage your email. What Google doesn’t know or say is that you are also giving unroll.me permission to sell information and data about your commercial and transactional emails (as defined in CAN SPAM).

We may collect, use, transfer, sell, and disclose non-personal information for any purpose. […] we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts. […]
We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; […] all personal information contained in such messages will be removed prior to any such disclosure. […]
We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners.

Unroll.me isn’t the only provider to access your inbox and sell the data. Boxbe, owned by eDataSource, and Otherinbox, owned by Return Path both access mailboxes to collect user data. That is the “panel data” so many of my readers use to measure deliverability.
The biggest problems with these services is that an email address is more than simply a mailbox. Email addresses are the keys to our online identity. Giving companies like unroll.me, or Return Path or eDataSource access to your mailbox allows those companies access to private data and other online services associated with that email account.
Make a purchase from an online retailer? That receipt is a commercial electronic message. Register an account for an online service? The email with your registration information is a commercial electronic message. Give an app an email address? Any email from that app is a commercial electronic message. Receive bank statements? That email is a commercial electronic message. Use your email account to make an appointment at your doctor’s office? The confirmation email is a commercial electronic message. Reset your password on your iCloud account? The reset email is a commercial electronic message.
Just because a message is commercial does not make it non-personal. Some very personal emails come through commercial services. Emails a lot of people might not want to be public, even aggregated and anonymized.
But it’s not just the commercial messages that are an issue. The services have access to the email account. I looked through all 3 services to figure out if they are looking at all the mail and just taking data from commercial mail, or if they’re just looking at commercial mail. Best I can tell is that they’re reading all mail coming into the account, but only saving data from commercial mail. Or so they say.
For instance, unroll.me claims they do not keep copies of any emails sent to their users. But according to a post on yCombinator, unroll.me is keeping copies of every mail sent to and sent from accounts associated with unroll.me.

I worked for a company that nearly acquired unroll.me. At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets. A large part of Slice buying unroll.me was for access to those email archives. Specifically, they wanted to look for keyword trends and for receipts from online purchases. karlkatzke

If this is true, there are major issues here. Why are they saving outbound mail? This has nothing to do with incoming commercial mail and tracking trends. There’s no reason to save the outbound messages as it has nothing to do with what commercial email companies are sending. How secure are these S3 buckets?
Notice, too, that the services never discuss how they are identifying commercial messages. They just say they’re only monitoring commercial messages. But what criteria identifies a message as commercial vs. one that identifies a message as personal? I can think of a couple ways to ID commercial messages, but all of them are fraught with false negatives and false positives. Of course, the services fall back on “commercial” and rely on users believing that the service has a magic way to avoid identifying personal email as commercial.
The main takeaway from this is that if you give a third-party access to your mailbox you’re giving them the keys to the kingdom. If you care about your privacy or the security of your personal information you need to be aware of what their actual business model is – that it’s “selling data based on the email you receive” not “cleaning up your mailbox”, for instance. You also need to convince yourself that you completely trust the third party with your data – not just their stated use of it, but also their operational competence and dedication to data security.
Note: Return Path has commented with a statement on how they inform users about info collection and what they do to protect user privacy.

Related Posts

January 2017: The Month in Email

Between client work and our national political climate, it’s been a very busy month around here and blogging has been light. Things show no sign of slowing down in February, so we’d love to hear from you with questions and suggestions of what you’d most like to see us focus on in our limited blogging time this month. We got a great question about how senders can access their Google Postmaster tools, and I wrote up a guide that you might find useful.

We’re also revisiting some older posts on often-requested topics, such as spamtraps, so feel free to comment below if there are topics you’d like us to address or update. One topic that comes up frequently, both on the blog and in our consulting practice, is about what to do when you’re on a blocklist. I revisited an old-but-still-relevant post on that topic as well.
On the Best Practices front, I wrote about how brands can use multiple channels to connect with customers and prospective customers to promote and enhance email delivery. I also took a moment to look back over 2016 and forward to 2017 in the realm of email security.
I continue to be annoyed by B2B spam, and have started responding to those “requests” for my time directly. Steve also wrote a long post about B2B spam, focusing on how these spammers are using Google and Amazon to try to work around reputation issues.
In case you missed it, I contributed some thoughts to a discussion on 2017 email trends over at Freshmail with my exhortation to “Make 2017 the year you turn deliverability into a KPI.”
I’m also still in the process of completing my 2017 speaking schedule, so I’m looking for any can’t-miss conferences and events you’d recommend. Thanks for keeping in touch!

Read More

Security, safety and the cavalry

In some ways it’s been really hard to focus on email for the last few months. There are so many more important issues in the world. Terrorism, Brexit, the US elections compromised by a foreign government, nuclear threats from multiple countries, the repeal of ACA, mass deportations and ICE raids here in the US.  I find myself thinking about what to blog. Then I glance at the news and wonder if there’s any value in another blog post about deliverability.
Generally I’ve tried to keep politics and world events mostly off the blog. But sometimes events are such that I need to talk about them.
Last October I had the chance to speak at the Email Innovations Summit in London. Steve and I took the chance to spend some time doing tourist things in London – including a photo walk along the Thames.

As an American I’m always a little surprised by the security in London. I grew up a few miles outside of DC. I could talk about prohibited airspace and security measures before I was 10. London is so much more open than even the DC of my youth. The surprise there is that London has been a much bigger target and attacked more than any city in the US.
The last few times we were in London I noticed a bit more visible security. In 2013 it was armed security walking through Tube stations. Last year it was Underground trains that were one long car. They were a bit weird and visually disconcerting. The part that really made me think, though, was this was a way to stop people hiding explosives between cars and to facilitate evacuations if something happened.
Last night Steve and I were talking and I mentioned the attack in London didn’t seem like terrorism to me. And it didn’t, not really. He then pointed out that explosives and guns are difficult to come by in the UK and this was classic terrorism. Oh. Sometimes our cultural differences come out in the strangest places.
Thinking about bigger issues like this make it hard to focus on email. There’s a regularly shared joke in deliverability, “There’s no such thing as a deliverability emergency.” And there isn’t, not really. Yes, even if a whole range of IPs is listed on Spamhaus, it’s still not an emergency and there’s no fast response team to deal with it.
There are abuse issues that are higher stakes than getting to the inbox. Child abuse materials. Harassment. Privacy issues. Terror threats. Every online services company, particularly the social media companies, have to deal with these kinds of things. Many of them are dealing poorly. Others have employees who are doing their best, but lack the tools, support, and training to do it well. Many companies don’t understand why they need to police their customer base.
The reality is, though, that abuse on the net (as opposed to abuse of the net) is a huge issue that needs to be dealt with. These are not small issues. The Internet is global and there’s no internet police. Law enforcement in different jurisdictions have to work together with technology experts to address crime and harassment on the internet.
It may surprise you to hear that the people who create spam filters and try and protect your inbox are the same people who fight crime on the internet. Spam and email are a vital part of online crime, so it falls on the abuse team to work with and educate law enforcement about tracing the source of email. The people you never see in ops, and abuse and support are vital to protecting folks online.
During the closing talk at MAAWG the chair was discussing how we can protect our online spaces. He stated “There is no cavalry; no second wave. It’s us or no one.” That’s a huge thing. My friends and colleagues are the people who stand protecting users online. It feels like a huge burden, but it’s something we can do to make the world a better and safer place.
 
 

Read More

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
DataSecurity_Illustration
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More