Popular email apps harvest user data and sell it on to third parties

Email apps are collecting personal data from their users’ inboxes and selling it on to third parties for a profit, according to reports.

Free email apps offered by Edison, Cleanfox and Slice make money by scraping personal information out of emails, according to a JP Morgan document obtained and reported on by Motherboard.

In particular, transaction data in inboxes including receipts and shipping emails help third-party travel, finance and e-commerce companies monitor user behaviour.

Third parties can buy and use the data to make better investment decisions, the report says.

The Edison email app is in the top 100 productivity apps on the Apple app store and has millions of users worldwide. 

‘They could definitely be a bit more upfront about their commercial intents,’ Seb Insua, an Edison user, told Motherboard.

‘Their website is all like “No Ads” and “Privacy First”.’

‘I did not know they were doing that,’ another Edison user said.

‘They’ve introduced new features that I really enjoyed like package tracking, price tracking and such, but it makes sense now why they built those out – if it was to just gather data on their users.’

In response to the claims, Edison said in a blog post: ‘Edison puts privacy first in everything we do as a company and that includes making our users aware of how we use their data in our products.

‘To keep our Edison Mail app free, and to protect your privacy by rejecting an advertising-based business model, our company Edison Software measures e-commerce through a technology that automatically recognises commercial emails and extracts anonymous purchase information from them.’

The company added that it allows its users to opt out of data-sharing.

The JP Morgan document says Edison provides ‘consumer purchase metrics including brand loyalty, wallet share, purchase preferences’. 

The document adds that the ‘source’ of the data is the ‘Edison Email App’. 

A report by the Wall Street Journal in 2018 revealed that Edison employees read users’ emails in order to improve a smart-replies feature of the app.

Edison says on its website that it can provide clients with ‘detailed behaviour patterns to improve your customers’ experience and business results’. 

Edison says on its website that it can provide clients with ‘detailed behaviour patterns to improve your customers’ experience and business results’

Meanwhile, Cleanfox, which clears out clutter from users’ inboxes for free, has clients including PayPal and consulting firms Bain & Company and McKinsey & Company.

Foxintelligence, Cleanfox’s parent company, told Motherboard that it considers user data as ‘transformational’ for both companies and consumers.

‘From a higher perspective, we believe crowd-sourced transaction data has a transformational power both for consumers and for companies and that a marketplace where value can be created for both sides without making any compromise on privacy is possible,’ Foxintelligence Chief Operating Officer Florian Cleyet-Merle told Motherboard.

In a statement to MailOnline, Cleyet-Merle strongly denied the claims of the report, saying ‘we do not sell the personal data of our users’ mailboxes to third parties or to anyone’. 

‘This is contrary to the terms of our product Cleanfox, to ethics, to our values and to the statutes of our company,’ Cleyet-Merle said. 

‘Personal data, that we collect from our users to realise the service of Cleanfox – only transaction receipts and newsletters – has been totally transformed into aggregated information, out of which no personal data can be retrieved by anyone, in conformity with our terms and conditions and GDPR.’

Rakuten Slice, a startup whose Slice app lets users track packages and price drops of retail items, last month created a page on its website allowing users to opt out of data sharing. 

Slice, the free mobile and online app indispensable to smart online shoppers, is still working to meet privacy standards set by the General Data Protection Regulation (GDPR) in May 2018

Rakuten Slice has not been available to EU residents since May 2018 due to General Data Protection Regulation (GDPR) rules.

‘While we fully support and are working diligently toward meeting all GDPR requirements, we have determined that we will not complete this effort by the regulation’s start date later this month,’ the app’s homepage reads.

‘For our customers in the EU or in the European Economic Area, the Slice team is committed to re-introducing our service as quickly as possible so please stay tuned for updates.’

A spreadsheet containing data from Slice obtained by Motherboard revealed items bought, what they paid and a unique identification number for each buyer.  

Edison and Slice are yet to respond to MailOnline’s request for comment regarding the report.

WHAT IS THE EU’S GENERAL DATA PROTECTION REGULATION?

The European Union’s General Data Protection Regulation (GDPR) is a new data protection law that entered into force on May 25, 2018.

It aims to strengthen and unify data protection for all individuals within the European Union (EU).

This means cracking down on how companies like Google and Facebook use and sell the data they collect on their users.

The law will mark the biggest overhaul of personal data privacy rules since the birth of the internet.

Under GDPR, companies are required to report data breaches within 72 hours, as well as to allow customers to export their data and delete it.

The European Union’s General Data Protection Regulation (GDPR) is a new data protection law that entered into force on May 25

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. 

Further, the controller must provide a copy of the personal data, free of charge, in an electronic format.

This change is a dramatic shift to data transparency and empowerment of data subjects.

Under the right to be forgotten, also known as Data Erasure, are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. 

The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing their consent. 

This right requires controllers to compare the subjects’ rights to ‘the public interest in the availability of the data’ when considering such requests.