Latest Uber controversy sheds light on how companies use your emails

Your email is watching you.

The recent revelation in a New York Times interview that the ride-share service Uber pays for data culled from unsuspecting users’ emails sheds light on an industry that capitalizes on the widespread collection of information obtained by tracking users’ online activity. Some of the most widely used email programs and add-ons note in theirs terms of service that they aggregate data on what users do with the service and elsewhere on the internet. As long as the data is stripped of personally identifying information, such as names and email addresses, selling and sharing this information is generally legal. 

In the case of Uber, the company’s CEO, Travis Kalanick, acknowledged in the Times interview that it pays a company called Slice Intelligence for data it gathers using an email digest service named Unroll.me. Slice collects and analyzes data from emailed receipts, including receipts for Uber’s biggest competitor, Lyft. 

Slice’s principal analyst, Ken Cassar, said in a webinar posted to the company’s website that Slice keeps anonymous data from its now 4.7 million users for two years, and is “able to see who bought, what they bought, where they bought it, when they bought it, and how much they paid.” 

slice.png

A slide from a Slice Intelligence webinar posted to the company’s website

In an interview with CBS News Tuesday, Jaimee Minney, vice president of marketing and public relations for Slice, acknowledged that the company collects data on purchases across a wide spectrum of industries, including another in which Uber is competitive.

“We measure everything from shampoo to UberEats, the whole gamut. And we have clients across all industries,” Minney said, noting that the company does not share any information about individual users.

But companies with access to large datasets about aren’t completely powerless to identify individuals, said Victoria Petrock, principal analyst for the market research company eMarketer.

“Anonymized telecommunications data on its own might be anonymous. But when, for example, people apply artificial intelligence to datasets, the machine might start to find links that start to identify individual customers,” Petrock said. “I think that’s the concern about this, because companies have been doing this [tracking] for years and years.”

One study found that data from as few as three purchases was enough to identify individuals.

Peter Swire, senior counsel with the law firm Alston & Bird’s privacy & data security team, said identifying individuals from data has become its own competitive industry.

“There’s big research program in how to re-identify data. So companies should be careful when they say something is de-identified, and it isn’t,” Swire said.

Beyond individual websites and apps, few have access more information than the data-mining behemoth: Google. It’s looking at your information right now. 

Last year, the company changed longstanding policy in order to combine information from users’ email accounts with their browsing habits, as a way of serving up more personalized ads. (Two privacy groups filed a complaint with the FTC in response to the change.) The company also allows advertisers to target users based on a list of email addresses, using a tool called Customer Match.

“We’ve long known that Gmail scans the content of emails for targeted marketing purposes. There’s lots of reporting on that over the years,” Swire said. 

But for services like Slice’s Unroll.me and other popular Gmail add-ons — such as the grammar checker Grammarly, and Boomerang, an email scheduling service that does not sell its data — many customers remain unaware of the data being collected, even though its acknowledged in their terms and conditions. Slice’s Minney said the company will soon change its website to make its data collection practices more clear.

“We underestimated how much people know about the data that are collected about them,” Minney said.

It turns out the average person knows very little about what’s collected about them, according to a 2015 study by professors at the Universities of Pennsylvania and New Hampshire. 

The study found “that large percentages of Americans often don’t have the basic knowledge to make informed cost-benefit choices about ways marketers use their information.”

“Sixty-five percent do not know that the statement ‘When a website has a privacy policy, it means the site will not share my information with other websites and companies without my permission’ is false,” the researchers wrote.