Companies that Scrape Your Email

Motherboard has a long article on apps — Edison, Slice, and Cleanfox — that spy on your email by scraping your screen, and then sell that information to others:

Some of the companies listed in the J.P. Morgan document sell data sourced from “personal inboxes,” the document adds. A spokesperson for J.P. Morgan Research, the part of the company that created the document, told Motherboard that the research “is intended for institutional clients.”

That document describes Edison as providing “consumer purchase metrics including brand loyalty, wallet share, purchase preferences, etc.” The document adds that the “source” of the data is the “Edison Email App.”

[…]

A dataset obtained by Motherboard shows what some of the information pulled from free email app users’ inboxes looks like. A spreadsheet containing data from Rakuten’s Slice, an app that scrapes a user’s inbox so they can better track packages or get their money back once a product goes down in price, contains the item that an app user bought from a specific brand, what they paid, and a unique identification code for each buyer.

Posted on February 12, 2020 at 10:26 AM • 19 Comments

Comments

mark February 12, 2020 11:41 AM

This is different from gmail exactly how?

Why, no, they’re not scraping mine…since I pay for hosting, my email is to my domain, and I pop-3 everything… (though I should do something about the years of email sent via hosting provider email when I was working).

Robert February 12, 2020 12:33 PM

@mark : the only thing they aren’t scraping is your emails to yourself, to other entities who self-host, and encrypted emails. Every email you send to and receive from people using gmail and similar is getting scraped — it’s out of your hands. You might just be spending your own time and money to feel better about it.

Ben February 12, 2020 12:56 PM

I’ve encountered a lot of comments re: Spark (Readdle), however I’m unsure if the information is merely to fetch the emails or to scrape them to themselves or some third party. Has there been any confirmed case/proof against them?

1&1~=Umm February 12, 2020 1:19 PM

Hmmm,

These companies have an odd idea about what they think is private and what they can scrape and sell.

The simple fact that they take information about your interaction with other entities. Even if that interaction is only with commercial entities it is still actually a breach of your privacy.

But worse the data they take has to go back to one of their servers. So all the intermediary network nodes between your device with the app on it and their server knows that the device that corresponds to the IP address and Port number your device is assigned has such an app on it.

Even if that data is encrypted the likelihood is it will reveal information about the number of interactions and the time they occur and possibly where you were at the time. All of which can be used not just by the app company but by any snooping “third party” sitting on the upstream node from the app company servers.

Has nothing been learnt since the Carrier IQ debacle at the end of 2011?

lurker February 12, 2020 4:50 PM

“Companies that Scrape Your Email”

So am I dimwitted when I assume this means apps that are not email apps, or that I have not already under some other scheme permitted access to my email? But then I’m not the target demographic. I’ve always been suspicious of those clickable tracking links, 99% of them belong to neither the vendor, nor the carrier, and I have no inkling of the contract if any between those parties. I only need to track something if it doesn’t turn up, and both times it was a vendor putting a wrong label on the consignment. Gmail was always a bogeyman from day one. Sure they waved a white cloth and made the rabbit disappear, but we all know the rabbit is alive and well, up their trouser leg.

What really irritates me is the Big Name Stores who contract out their tracking and promotion to Mr. A or Mr. G or their lackeys, who send me emails that “based on my experience, I might be interested in …” two days after I have purchased said item, obviously triggered by the purchase. That is just dumb, boneheaded, and stupid, but you’d need a Whitehouse lawyer to prove it to them in terms of their contract.

Antistone February 12, 2020 5:04 PM

I’m confused about the technical details.

Have users explicitly given these apps access to their email? (If so, why do they need to look at your screen rather than the raw data?)

Do smartphones ordinarily allow third-party apps to read your screen when they are backgrounded? (Why in the nine hells would they ever do that?)

Is this all based on exploiting some technical security flaw on the phones? (Wouldn’t that make it flatly illegal?)

lurker February 13, 2020 12:21 AM

@Antistone

Have users explicitly given these apps access to their email?

No, and yes.

Do smartphones ordinarily allow third-party apps to read your screen when they are backgrounded?

Conditionally. What happens on install is the app pops up a dialog listing every which way it can siphon your data away, and the hapless user is expected to scroll down that list clicking No, No, No, Maybe… What happens is Joe Sixpack will click Mkay, and Bob’s your Aunty.

Is this all based on exploiting some technical security flaw on the phones?

Nope, it’s based on exploiting a security flaw in the user. The apps listed in the article are either “free” email apps, where your email is truly liberated; or are auto-reminder type apps that save you the bother of logging in and clicking buttons yourself.

RealFakeNews February 13, 2020 3:22 AM

In summary: free app compromises your privacy.

Show me a free app that doesn’t?

Presumably if they’re not exploiting a security flaw (I seem to recall Apple patched such a flaw some time ago, and I think Android too), why then is it possible?

Did Apple fold and provide an API?

Alejandro February 13, 2020 6:47 AM

I think a big issue is email service providers collect your, falsely presumed private, communications secretively and covertly but avoid being labeled as fully secret spyware by covering their tracks with lawyer double-talk.

Basically, they are copying, collecting, recording and storing every keystroke and data point available, then slicing and dicing it to give an appearance of propriety.

I suppose the main takeaway for normal people who might care about this is, be aware your every keystroke is being sold or shared to anyone with the right price or connections.

Unfortunately most people don’t care about these egregious assaults on our private communications. They have been literally brainwashed by the likes of FB propagandists and government agents to not care.

A slightly different perspective though is, to my knowledge, very few people use email for personal communications anymore. Let’s tell it like it is, if your spouse wants you to pick up the kids at school, they use text messaging, and if they are using Apple iOS are presumably afforded a fairly robust degree of privacy.

Email has become a venue almost entirely for commercial purposes such as ads, tracking and payment confirmation taking place of US Mail.

I would like to think anyone who really cares about their email privacy and security would find and use a paid encrypted email service to handle their business communications.

I have doubts there is any truly reliable, secure system on the market, however.

DBF February 13, 2020 7:39 AM

The whole concept of these “data trading economies” that are based on selling and reselling people’s personally identifiable info and then some, has made me want to move to a cave in Bolivia or Peru, or… or… or… but then it became clear to me as to why IPv6 IP Addressing is being pushed; “no cave left behind” or “every cave should have one”. Right now it might sound stupid but you just wait…

1&1~=Umm February 13, 2020 11:52 AM

@DBF:

“but then it became clear to me as to why IPv6 IP Addressing is being pushed; “no cave left behind” or “every cave should have one””

I think ‘cave’ is not fine enough, there’s a little under 2^33 people in the world so,

2^128/2^33 = 2^95 ~= 3.96×10^28

or,

39,614,081,258,000,000,000,000,000,000

An “average, 70kg” person has about 7×10^27 atoms… Which is a little under 5 and 2/3rds of the above.

Or to put it another way, about the same as that number of atoms in an “average” family with pets and a bit to spare…

1&1~=Umm February 13, 2020 12:36 PM

@Alejandro:

“Basically, they are copying, collecting, recording and storing every keystroke and data point available, then slicing and dicing it to give an appearance of propriety.”

Which is exactly what ‘Carrier IQ’! did that so incensed a politician he was caused to splutter at the press in indignation.

Now nearly a decade later, ‘naugh who cares’…

! As I mentioned further up this thread it was back at the end of 2011,

https://www.wired.com/2011/12/carrier-iq-franken/

And as we later found out they were being ‘quite economical with the truth’.

Humdee February 13, 2020 5:11 PM

@Robert

Exactly. This is also the problem with photographs. It doesn’t matter if I don’t post my picture to the web. In order to be anonymous I would have to not allow my picture to be taken anywhere, by anyone…that is just not realistic because people can take my picture and I won’t even know about it.

So unless you never communicate by email, ever, your data is being scraped.

Clive Robinson February 14, 2020 10:25 AM

@ Humdee,

So unless you never communicate by email, ever, your data is being scraped.

I stopped using Email outside of a “controlled environment” a number of years ago now (you will find people moaning about it on this blog 😉)

And to be honest I really do not miss it in the slightest, as I’d found it had turned into a massive “time sink-hole”.

Even in the controlled environment I don’t accept anything other than plain 7bit ASCII with all and I do mean all attachments blocked. Others in the environment found the bounces annoying but then I’m not the one a hired pen-tester got at with a malware loaded picture…

I’m not saying I’m any more secure, but that day, the low hanging fruit the pen-tester went for was “apples” and that day by chance I was hanging in the “pear” tree and not out of Windows…

Mr. Peed Off February 14, 2020 4:40 PM

I have for quite some time believed email to be less secure than the common postcard. The other day I checked my email for the first time in over 3 months. Nothing there but the usual marketing trash. Anyone wishing to communicate with me should use the postal service.

RealFakeNews February 15, 2020 12:04 AM

A much overlooked part of e-mail are whitelists.

Forget all the other spam filtering methods – I never saw anything get past my contact list filter.

I never communicate with anyone I haven’t met via e-mail, but intriguingly the moment I started writing to certain major e-mail providers, I started to get spam.
