How secure is your email account? joffi

This week, Unroll.Me found itself in an unfriendly spotlight.

Unroll.Me is a free service that bundles subscription emails into a daily digest and helps you weed out other junk that clogs up your inbox. To make money, the company sells anonymized information scraped from its users’ email accounts. The practice came to many people’s attention earlier this week through a New York Times report on Uber chief executive Travis Kalanick; that article mentioned that Slice Intelligence, which owns Unroll.Me, sold information to Uber about rival company Lyft, based on emailed Lyft ride receipts. The act sounds nefarious, but it’s legal and it happens more than you might expect.

“I think the reason that a lot of people were very surprised by this behavior, is that if you go to the main homepage of Unroll.Me, it says this ‘is a free service,'” says Jason Hong, an associate professor of computer science at Carnegie Mellon University and an expert on privacy. What it doesn’t say, Hong points out, is how they monetize the service, and what they do with your data. For that, of course, you need to read the privacy policy—and who actually does that?

“Allowing companies to access your email, in general, is incredibly risky,” he adds.

So what’s a privacy-minded internet-user to do? Here are three strategies.

Think about how the app is going to make money off of you

There’s an internet adage: “If you’re not paying for the product, then the product is you.” And that applies to Unroll.Me. “You weren’t paying for it directly, but they were figuring out how to monetize your data in some way,” says Hong.

When you do pay for a service, on the other hand, it’s easier to understand how the company’s model works.

Alexander Obenauer, who started a paid service called Throttle that has a similar function to Unroll.Me, says that his company does not sell customer data in any way—not even anonymized. Instead, they make money by charging for their product.

“When a product is free, so often that comes with baggage,” Obenauer says.

And Boomerang, an email management service that offers features like letting people schedule a Gmail message to be sent later, maintains that they do not sell data, and that’s because they charge for it, too. “At Boomerang, we make our money from paid subscription upgrades,” Alex Moore, CEO of Boomerang, said in an email via a PR representative. “We don’t sell any data, and never have.”

Try to read that privacy policy

It’s obvious that reading the privacy policy is a pain, and according to Professor Hong, it’s rational not to read it: It takes forever, and it’s confusing, so there’s no payoff to the task. An eagle-eyed reader of Unroll.Me’s privacy policy would notice that it does say that it might “collect, use, transfer, sell, and disclose non-personal information for any purpose.” (Unroll.Me has responded to the blowback in a blog item on their website.)

“They intentionally use certain kinds of vague language,” Hong says, pointing out that Unroll.Me is not alone. “Almost every privacy policy and terms and conditions is like that.” Hong’s team is actually working on a service that will help surface key phrases that consumers should be aware of in terms and conditions statements—for example, language that pertains to financial charges a customer might face.

A similar project, Terms of Service; Didn’t Read, evaluates companies’ terms of service statements and puts them into classes, like “Class A” (at the good end) or “Class E” (the bad end).

Android users can visit PrivacyGrade, which is run by Hong’s team and assigns a letter grade to apps based on their use of something called a third-party library—code written by someone other than the app developers themselves (for example, advertisement-related software, or even just a library to help integrate Facebook into an app) that might give the researchers a clue as to what happens with customer data.

In general, think critically about what permissions an app or service is asking for when you install it. “Be very conservative about installing all these apps,” Hong says, “because, the challenge today is that it’s so easy for your data to flow outwards.”

Screenshot from Unroll.Me

Do a check-up

This is a great time to see what apps you may have already connected to your email account, and revoke their access if need be.

For Google users, under My Account, find the Sign-in & Security card, then click on “Connected apps & sites,” then find “manage apps.” There, you’ll see a list of apps that have access to your account, as well as an option to remove them. (Unroll.Me will likely be there if you’ve been using it.)

On Facebook, check what apps you’ve connected by clicking on the triangle at the far right-hand side of the site on a desktop browser, then Settings, then the Apps tab from the column at right.

For iOS users, looking in Settings, then Privacy, then Location Services will reveal which apps have permission to use your location and when, and which have used it recently.

Ultimately, people’s expectations of how an app or service uses their data matter, Hong says. If people understand that ads are supporting a service, or their money is, or even that Google’s computers are scanning their Gmail for words, they are generally okay with that.

“As we saw with Unroll.Me,” Hong says, “it’s when people get nasty surprises, that’s when people have a really negative reaction to privacy.”

Slice Intelligence and Unroll.Me have learned a lesson from the experience, Jaimee Minney, who heads up marketing and public relations for Slice, said on Wednesday, explaining that they plan to update their website to be more transparent about the connection between Slice and Unroll.Me, and how they glean marketing data from customers’ inboxes. The service focuses on looking at e-receipts, Minney explains, for purchases like Uber and Lyft rides or Apple Watch sales, and they don’t pass along any information that can identify a user to their clients.

“We did see people unsubscribe,” she says, explaining that the uproar was worse than the actual fallout. “We also saw a lot of people sign up.”

Part of the issue, she says, beyond the company being more transparent, is consumer education. “If you are using something that’s free,” she says, “there’s a high likelihood that your data’s being used somehow, and you should be aware of that.”

“As much as we care about your inbox,” she adds, “it wasn’t a humanitarian mission for us to start Unroll.Me, so hopefully we can help people understand, and make them feel like it’s fair, that we’re getting something out of it, and they’re getting something out of it too.”

This article has been updated to include comments from a spokesperson for Unroll.Me and Slice Intelligence.