We’ve discussed this a few times before here. Here’s what I’ve noted: apps like Edison and Spark and Newton Mail scrape your info, try to de-identify and anonymize it, then resell the metadata. Edison even has the following scary commerce page in which they crow about being able scrape emails to offer travel booking behavior, info on items sold by companies and their final prices, what groceries, stores, brands are involved, and “research with deep geographic resolution and compete at a granular level”
Apple doesn’t do any of that (although if you’re using another email provider, like Gmail, Google has that info already).
Spark and Edison claim they de-identify and aggregate your email data, but I still find it unacceptable, which is why I use my me.com or my Gsuite (which unlike Gmail doesn’t track and use data from emails) for my purchase receipts, and why I don’t sync my contacts with facebook, gmail or Yahoomail,
Different people have differing comfort levels for how much of their lives they’re willing to open up in exchange for services. Yours might be more accepting. But allowing mail providers to scan and harvest info from my email is just not acceptable to me. For hundreds of millions of Gmail users it’s acceptable (assuming they even realize it’s happening) but I don’t like it, and I don’t particularly have confidence in Readdle’s ability to have sufficient security to protect my mail coursing through their servers.
• sends statistical data to several services known for bad privacy policies (Google, Facebook) to which there’s no way to opt out. (“We use third party services, such as Google Analytics, Facebook Analytics and Amplitude, to collect and analyze how you use Spark.”)
• automatically creates an account with the first address entered, and subscribes you to their newsletter. (“The first email you add to Spark is used as your username. We might use that email address to reach out to you periodically”)
• stores credentials for your email accounts on their servers.
• stores your emails on their servers to push them to your devices. (“We then use the authorization provided to download your emails to our virtual servers and push to your device.”)
In a 2015 blog post entitled “How we handle your account information in Spark” they wrote, “Some people raised a question about why do we store access tokens even if you have decided not to use Push Notifications. It’s a valid question and, in the next update of Spark, we will change this behaviour.” Does it currently still storing the tokens even if you don’t use Push notifications - I don’t know.
They also use Amplitude to track how you use the app. Personal data is used (without explanation) “to improve the Product”.
Their security? An “appropriate level” of protective measures.
Whatever that means.
Even if in this case deanonymization cannot be teased out of large data sets (as it most certainly does in web browsing and other online spheres) via field matching or weak data masking, the fact that they want to use my data to package and sell is sufficient for me to never ever use them. YMMV.
"We only obtain information necessary to provide you
with our services…Some of the data of our users is
aggregated for statistical purposes and processed in the
legitimate interests as stated in section 2 above"
Indeed: they’re admitting that they scrape your data and sell it as their business model. They say “we” don’t market to you, but your data is indeed scraped and promised to be anonymized when sold.
Finally, some opting out is only possible on a browser-by-browser basis via cookie, and if you have a policy of deleting cookies regularly (I have an app which does this every 45 minutes ) then even this doesn’t help me.
There’s money to be made in seeing what people buy, and when, and at what prices, and what newsletters they subscribe to, and where they’re located, and what their political affiliations are. I’d rather use mail that doesn’t let anyone get that insight if I can help it. Disgraced Andy Rubin, formerly of Google and then Essential Phone, recently bought CloudMagic and is resurrecting Newton Mail, with an eye to doing the same data harvesting as Google, Edison and Readdle. He’s certainly not doing it out of the goodness of his heart. But again, if you’re okay with your data presumably being anonymized (although we’ve found time and again that reidentification can be parsed out in other anonymized instances) and if you’re willing to trust the provider’s ability to have hardened security day after day going forward, then go for it.
I’m a huge fan of all of Readdle’s apps and I use them multiple times a day. But those are apps I paid for and which don’t glean information about me. I’m less sanguine about the Ukranian company’s service related security, or their new ‘free’ business model for my email.
Based on rumors for Apple’s update to its mail app, I look forward to more privacy-oriented advancements.