Superhuman’s email surveillance and the big data question
Last month Superhuman, the invite-only email client, was at the centre of the latest data privacy scandal.
The criticisms of the Silicon Valley company centred around its use of “spyware” in their client. These tracking capabilities enabled the email sender to see extensive information, including:
- Read receipts, unbeknown to the recipient of the email.
- The time, location, and the number of times the email was opened.
- Additionally, recipients of the emails could not opt-out of having their data tracked.
The above pose a variety of issues around privacy; read receipts are already extensively used within popular applications such as Whatsapp, but both the sender and receiver of the message are aware of its existence and can opt-out with ease, this is different with Superhuman.
You could be the recipient of an unsolicited email from someone you do not know who is using the Superhuman client. Upon opening the email the sender then knows your location, time of opening and how many times you have opened the email. All without any knowledge or consent.
Rahul Vohra, CEO, and founder at Superhuman has since responded to the criticism and have promised to make amendments. Vohra’s response is summarised as so:
- We have stopped logging location information for new email, effective immediately.
- We are releasing new app versions today that no longer show location information.
- We are deleting all historical location data from our apps.
- We are keeping the read status feature, but turning it off by default. Users who want it will have to explicitly turn it on.
- We are prioritizing building an option to disable remote image loading.”
[This is taken directly from Vohra’s response that can be found here: https://blog.superhuman.com/read-statuses-bdf0cc34b6a5]
Vohra and Superhuman have been credited with the majority of their response, however, crucial criticisms have remained with the ability for the user to turn on their read receipts.
The European Perspective
This will likely rumble on for some time, as a can of worms has been opened in the US with regards to emails and privacy as a consequence. It could also be considered that had this been operating within the EU, Superhuman’s actions would be considered a breach of GDPR.
According to Article 4 of the GDPR regulations, a personal data breach is identified as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
This includes the processing of personal information such as IP addresses. Email marketers have for a long time used similar tracking devices in campaign monitoring, seeing how many recipients open their emails, click unsubscribe, etc. to improve their success rate.
Post-GDPR this has been circumnavigated by ensuring that all recipients of campaign emails have opted-in and agreed to have their emails tracked by accepting the privacy policy, and ensuring that the ability to opt-out is easy and ever-present.
It is not by chance that many of the biggest organisations in the world, i.e. Google and Facebook, have established themselves as a consequence of their huge datasets, with data fast becoming the world’s hottest commodity. The recent Netflix documentary The Great Hack looks into the misuse of this data by the now infamous Cambridge Analytica, who have since become defunct.
Moving Forward
The theme here appears to be that organisations across the world are pushing the limits of data, with ever more opportunities to use and misuse data are becoming apparent. The problem is, is that the laws to govern data are often brought in retrospectively, only after we see how damaging the misuse could possibly be.
We are still in the infancy of this particular revolution, and it is a journey that will be fraught with mistakes. It is becoming more and more apparent that we should all take the time out to understand how our data is being used, to educate one another about how we understand data to be used, and come to a common understanding about where our red lines are. This is far from over.
