It was kind of odd seeing (or hearing) security podcast Security In Five recommend Unroll.Me, which is a service that helps users easily unsubscribe from subscription-based emails.
It’s a great idea, but Unroll.Me’s business model is essentially selling data about its users.
For years they did this and lied about it, claiming that they didn’t sell such data. In late 2019, they reached a settlement with the US Federal Trade Commission.
The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.
In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.
As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.
So today, Unroll.Me is upfront about its data usage, but the way it collects and uses data is concerning. According to its How We Use Your Data page (you know, the one the FTC had to force them create),
Unroll.Me is owned by Rakuten Intelligence, an e-commerce measurement business that provides companies with insights into industry trends, corporate performance, and the competitive landscape. Unless otherwise restricted by your email provider, when you sign up for Unroll.Me, we share your transactional emails with Rakuten Intelligence, who helps us de-identify and combine your information with that of millions of users, including Rakuten Intelligence’s shopping panel.
Honestly, I get why a lot of people would blow that off and figure “who cares”, but I am surprised that someone in computer security would given a company like this access to their data.