New Report Shows That Your Email App Could Be Spying on You for Profit

Mail Iphone Credit: MichaelJayBerlin / Shutterstock

The limitations in Apple’s own Mail app over the years have led to a plethora of third-party options that offer many advanced and useful features, but it seems that with many of them you may be paying a price, trading off your own personal privacy for the convenience of even something as simple as receiving push notifications.

In a new privacy investigation, Motherboard found that many companies that make third-party email apps for both iOS and Mac are actually scraping data from users’ inboxes and selling that data to advertising and marketing companies.

The report cites “multiple confidential documents” obtained by Motherboard showing that several developers are not only failing to be nearly as transparent as they should be about these practices, but in some cases are using deceptive marketing language that would lead users to believe the companies are protecting their privacy in ways that they clearly are not.

Cited as one of the most egregious offenders was the popular email app Edison, which “scrapes users’ email inboxes and sells products based off that information to clients in the finance, travel, and e-Commerce sectors.” According to a J.P. Morgan document obtained by Motherboard, the contents of Edison users’ mailboxes are “of particular interest to companies who can buy the data to make better investment decisions.”

While Edison does acknowledge that it “processes” users’ emails, most users are unaware that the company is actually scraping through their inbox for profit. Several Edison users that Motherboard spoke with said that they had no idea that their mail app was actually doing this.

“They could definitely be a bit more upfront about their commercial intents. Their website is all like ‘No Ads’ and ‘Privacy First’,” he added.

Seb Insua, an Edison user, in comments to Motherboard

Additional documentation obtained by Motherboard shows that at least two other popular mail apps, Cleanfox and Slice, also sell products based on users’ emails to corporate clients, but there could easily be many more.

Ironically, even Google, widely considered one of the most privacy-invasive companies out there, stopped scraping the content of emails from personal Gmail users for marketing purposes over two years ago. Google has never done this kind of scraping for users of its “G Suite” business, government, education, and non-profit services.

A product page on Edison’s website clearly shows that the company’s real business is not in providing a free email client, but rather in selling the data that it can obtain from the users of its email app. Edison points out that it can “provide detailed behaviour patterns to improve your customers’ experience and business results.”

In the J.P. Morgan document obtained by Motherboard, Edison is described as “providing consumer purchase metrics including brand loyalty, wallet share, purchase preferences, etc.” with the “source” of the data explicitly listed as the “Edison Email App.”

Another “free” email app, Cleanfox, is also clearly just a means for its parent company, Foxintelligence, to gather more consumer data. Motherboard obtained a confidential presentation from the company that lists clients such as PayPal and European ride-sharing company Bolt, along with consulting giants Bain & Company and McKinsey & Company.

The third app implicated in the Motherboard investigation was Rakuten’s Slice, which is an app designed to scrape a user’s inbox to provide services such as package tracking information and rebate deals. Data obtained by Motherboard showed it was collecting detailed information on each item a given person had bought from a specific brand and what they paid, based on email receipts and purchase confirmations from their email inbox. According to an email obtained as part of the investigation, Rakuten can charge upward of $100,000 for access to a single product category from this dataset.

How This Happens

Unlike Apple’s own built-in Mail app, many of these modern “free” email apps for iOS and Mac don’t make a direct connection to your email provider. Instead, they connect to the company’s own cloud servers, which store your credentials and then log into your mailbox on your behalf.

There are legitimate reasons for these third-party mail apps to do so, since they often provide push notifications for mail services that don’t otherwise offer native push on iOS, and can even provide more advanced features like automatically sorting and categorizing mail using the resources of more powerful servers in the cloud to ensure that spam is filtered and messages are organized and categorized before they land on your iPhone or iPad.

The problem, of course, is that when companies are doing this, they essentially have carte blanche access to everything that’s in your mailbox. If they can read your emails to deliver push notifications to your iPhone, or identify package tracking numbers, flight confirmations, and so forth, then they can read all of your emails for any reason they like. Essentially, when you log into your email account using one of these apps, you’re giving them your password and full access to your mailbox: everything in it, and everything that comes into it in the future.

What You Can Do About It

From the Motherboard report, it would appear that most of these companies are collecting this data relatively anonymously. In other words, they don’t really care what you are doing as a person, but they want your data so that they can combine it with other data to come up with trends, such as knowing how many people bought products from a certain brand over a specified time period. Your data is only valuable to them as part of an aggregate.

The bottom line, however, is that these companies aren’t being nearly as transparent as they should be, and the lack of transparency raises obvious questions about how this data is being stored, collected, and used, and whether you should even trust them to handle your personal email data properly.

If you’ve been using one of these apps and don’t like the idea of them scraping your data, then you might be able to opt out, depending on the company involved. Rakuten, for example, has a page on its website where users can opt out of having their data included for sale, but this assumes that you trust the company to actually exclude your data properly.

If you don’t like the idea of companies having access to your email messages at all, the only surefire way to avoid this entirely is to stop using the app and change your email password in order to block any potential future access from these third-party services.

While the Motherboard report named three apps specifically, keep in mind that just about any third-party iOS app that offers immediate push notifications for new messages has to log into your mailbox on your behalf in order to provide this service, since their servers need to keep an active connection to your mailbox in order to scan for new mail as soon as it comes in and then send the notifications to your device. Once you’ve granted that app’s servers that kind of access to your mailbox, you can’t be sure that sending you notifications is the only thing they’re doing with your email messages.

Note that there’s a difference between apps that send you “push” notifications of new email and those that simply notify you when a new message arrives on your iPhone or iPad. If you get a notification immediately when a new message arrives in your mailbox on the server, then that’s a “push notification.” However, many apps — like Apple’s own Mail app — periodically check for new messages on a scheduled basis, and will simply notify you once the message arrives on your device. These notifications are sent from the app on your iPhone once it downloads new messages, rather than directly from the mail server.

Apple’s own Mail app does support push notifications for iCloud, of course, as well as accounts on Microsoft Exchange servers. Some mail providers like FastMail have also implemented support for the same push notifications used by iCloud, and of course apps like Gmail and Yahoo support push notifications from their own email services. In all of these cases, however, you’re getting the notifications sent to you directly from the same company that stores your email in the first place.

Third-party apps have to use their own servers to log into your mailbox in order to send notifications to your device, so about the only mail apps that you can truly be certain will guarantee the privacy between you and your mail provider are Apple’s own Mail app and first-party email provider apps such as Gmail and Yahoo.
