In Defense of the Email Ecosystem

Email apps and privacy are front and center again, thanks to this somewhat misleading WSJ article by Doug MacMillan that published today.

At Boomerang, we make tools that help millions of people be more productive. That’s what we’re passionate about, not about mining data for marketing firms and hedge funds. We weren’t part of the article, despite several conversations with Doug about this topic, because we don’t sell your data, and we never have. We don’t have people reading your emails, and we never have.

Even though we’re not part of the story directly, email privacy, what companies do with email data, and who reads emails are worth investigating. And here’s the thing — a more nuanced article like this would be a service to the industry. We make email apps, and we’re competing with free apps like Edison, which makes its money by selling your data. And people should know that when they sign up for a free email app, their data is the product, instead of leaving us a one star review because Boomerang isn’t free. So yeah, I’m pissed off about email data privacy too.

I went on the record with Doug on a phone call, plus a handful of email back-and-forths, because how we as an industry handle customer data is important. I shared with Doug how California residents can take advantage of a law called the Shine the Light law to find out who apps are sharing your data with. I explained that we charge money for our product so we don’t have to monetize your data at all.

I’ve spent the last eight years in the ecosystem of third-party email developers, and I’m deeply disappointed that this article implies a disrespect for privacy and cavalier treatment of customer data among us as a whole.

In reality, there are some bad actors, but a lot of us are incredibly concerned about how customer data gets handled, even as we compete with the companies that offer similar features for free, monetized by selling your data.

Our experiences directly contradict a number of the article’s assertions, so I want to set the record straight. Especially since we were specifically mentioned in Doug’s tweets about the article, which claimed there are “comments from” us, when our perspective was nowhere to be found in the article.

First off, we keep our business running by asking customers to pay for our services, not with shady data deals. Boomerang doesn’t sell any data about your email to anybody, and we never have. Neither do most of the founders I talk with in the email world.

Instead, we operate our business based on revenue from customers. Customers who find our services valuable pay us, every month, for the productivity features we provide. We have never sold any data to anyone. Period.

No humans have ever read any customer emails through any of our systems — as I explained, on the record, to Doug, when we need human-processed training data, we use publicly available data sets. We use public mailing list data gathered by this tool, or public data sets from (gulp) Hillary Clinton and Jeb Bush. None of our employees, nor anyone else we’ve partnered with or done business with, has ever used our systems to provide humans access to emails to generate training data.

Giving your emails to people to read and burying that in the fine print is revolting, not “reality,” no matter what the former CTO of a company that’s in the business of selling data says.

We work in the email space, so we believe serving our customers fairly means that we should be above reproach in how we handle data. That’s not to say we’re perfect, but we really, really try. And so do most of the founders of email companies I know. Most of us are in it to help people solve productivity problems, not to make a quick buck from surreptitiously mining and selling their data. The perspective of those companies, like us, are nowhere to be found in the article.

Second, the article makes it sound like the platforms just don’t care, and they don’t monitor the ecosystem at all. That’s just not true.

Here’s a screenshot of an email we got from Google, asking us to explain why we needed one of the permissions we ask for. We showed them how the features that needed mail access worked, and we explained how we couldn’t provide those features without the access and what we do with the data other than to provide those features (nothing). Google looked at our logs, validated that our access pattern matched up with our explanations, and approved our continued use. They’re watching. They care.

Our experience working with Microsoft is even more reassuring. Because we were a launch partner with Microsoft for a new set of APIs, we were subject to a level of scrutiny that’s completely inconsistent with what the article implies. Microsoft reviewed our architecture, reviewed how we would access data, reviewed our security policies, reviewed our plans for monetization, and reviewed our agreements with third parties (like AWS, where we store some of our data, encrypted) to make sure that every step of the way, we were putting user privacy front and center.

We had to review legal documents that made my eyes cross, and we had so many meetings that it made my head spin. For our fellow launch partners, Uber, Evernote, and Paypal, this was probably par for the course. For us, it was an incredibly serious obligation, and one that took an enormous amount of effort to follow through with, contrary to the article’s assertion that email platforms do “little” to ensure compliance.

Doug knew all of this, because I talked with him about it, on the record. I’m disappointed that he chose to ignore that evidence because it didn’t line up with a narrative that would drive more outrage and clicks.

Google and Microsoft could absolutely do more, but they are paying attention to what 3rd party developers are doing with their data access and taking some steps to ensure that we comply with our own privacy policies and the policies for their APIs. It was irresponsible to only quote one source which sensationalized the story, when he knew there was evidence that contradicts it.

I hope Google, Microsoft and Oath will make disclosure about what companies do with data more explicit as part of their sign-up flows. When I talked with Doug, I’d hoped that the article would provide a window into how the platforms protect data today, where they can do more, and distinguish between companies that sneak data out the back door and those of us that don’t. Instead, it feels like a polemic against the entire ecosystem.

The 3rd party email ecosystem provides a lot of cool, useful stuff. If you’ve ever wanted to have email arrive in your Inbox on a schedule, or send messages at a time they’re likely to be opened, or include a cross-platform read receipt, or make sure an email you’re writing is likely to get a response, without Boomerang, you can’t. And if you’ve ever snoozed an email, even if you do it through Google or Outlook directly, if we hadn’t invented it back in 2010, you wouldn’t have that option either.

We’re proud of the work we do every day. We’ve helped the scientists who discovered evidence of gravitational waves focus on their research. We’ve helped dozens of Fortune 500 divisions run more efficiently. And we’ve helped thousands of high school teachers respond to students while maintaining a schedule that works for them. Every single day, millions of people benefit from what we build. And we’ve done it while taking our customers’ privacy seriously, making sure we handle their data exactly the same way we’d want our own data handled. We think that’s a story worth telling too.