back to article $30/month email upstart Superhuman brought low with a blast of privacy Kryptonite

Superhuman, an email startup betting people who deal with a lot of messages will pay $30 a month for a more organized inbox, has come under fire for not providing privacy by default. "Superhuman is a surveillance tool that intentionally violates privacy by notifying senders every time their emails have been viewed by …

  1. Dan 55 Silver badge

    Those who don't understand e-mail are condemned to reinvent it poorly

    Apple and Microsoft, not to mention LinkedIn, Signal and Twitter, he argues, have designed read receipts in an ethical way.

    These are built-in to e-mail too, the sender's client can be configured to send the Return-Receipt-To and Disposition-Notification-To headers an the receiver's mail server (delivery report) and client (read report) can be configured whether or not to reply to them.

    1. sabroni Silver badge

      Re: These are built-in to e-mail too

      Another reason why using a tracking pixel for read receipts is, at best, ignorant.

  2. Anonymous Coward
    Anonymous Coward

    $30 ? A *month* ????? Fuck that.

    A decade maybe.

    But $30 a month to have an ad-free, sponsor-free search engine with a decent grasp of language - now you are talking. Shame it doesn't exist.

    1. Yet Another Anonymous coward Silver badge

      Re: $30 ? A *month* ????? Fuck that.

      Their average customer spends 3-4hour/day on email

      Multiply that by the hourly cost of a CEO / Hedge fund manager / startup founder

      We pay a lot more for optical simulation software when we could just use excel and the back of an envelope - it's just that engineer's time isnt free

      1. Anonymous Coward
        Anonymous Coward

        Re: $30 ? A *month* ????? Fuck that.

        You'd have to offer insanely unique, never before seen options to justify that price, not just some API scrapers and "cloud" storage. Realistically, those options don't exist (and don't need to), but then again, a fool with their money.

      2. Oliver Mayes

        Re: $30 ? A *month* ????? Fuck that.

        People at that level don't read their own email, they pay an assistant to summarise it and only show them the important stuff.

    2. adnim

      Re: $30 ? A *month* ????? Fuck that.

      "But $30 a month to have an ad-free, sponsor-free search engine with a decent grasp of language - now you are talking. Shame it doesn't exist."

      I have thought about this, I think it is a good business objective... Being totally fucking honest.

      I know this can work, I have tried it... One earns loyalty but does not get rich.

      Now if one can find some venture capitalists who are not greedy and are looking to earn a comfortable living with financial returns that they could actually spend in a lifetime.... And are prepared to wait a couple of years for a return.

      Get in touch via the register here... The totally honest, no track, don't take the piss, don't sell customer data can be applied to any online business, not just email. I believe it is possible to earn a good living using the honesty method.

      Perhaps after a few years, by being honest, one can only afford only one yacht or holiday home? How many do you fucking need?

  3. Anonymous Coward
    Anonymous Coward

    Tracking Pixel

    Capital One does this too if you choose the paperless option for statements etc.

    I use an email client with remote content disabled and text only, after a while they tried to revert me back to getting paper communications as they said (We see you haven't opened your email notifications from us).

    Hmmm, thanks for letting me know you're trying to spy on me.

    I'd have thought this would be prohibited under GDPR now, I certainly never knowingly gave them permission to try to track me.

    1. John Jennings

      Re: Tracking Pixel

      They are prohibited under GDPR - unless you opt in - but the ICO has a 'target rich environment' - to say the least!

    2. iron Silver badge

      Re: Tracking Pixel

      I wondered why they always moan that I haven't opened my statements when actually I have.

      Thanks Firefox & my tracker blocking extensions, protecting me from privacy violations I didn't even know were there. :)

    3. TimeMaster T
      Black Helicopters

      Re: Tracking Pixel

      Similar story for me as well.

      After 10+ years as a member of a local Aquarium/ocean research institution and always reading their emails about upcoming events and the latest happenings I was floored when I got a "we notice you haven't been opening your emails" a few months back. Checked the emails source and found the tracking image.

      I let me subscription expire last month. Kind of sad really, I liked the place and supported the research they do but if they can't respect my privacy they don't get my support.

  4. Anonymous Coward
    Anonymous Coward

    I would object to any mail service that messes with my message contents without my consent.

    Even just to add one pixel.

    Anyway, "read receipts" without legal value are of little use - and they are already supported by the mail standards as an opt-in feature.

    Here in Italy we have "electronic certified mail" which has both delivery and read receipts with full legal value - but you usually get a separate inbox which you use only when you need it (when you would need certified/registered mail, or go in person) - and it doesn't mess with message contents, it encrypts and sign the original message, and then wraps it into one with transmission data. It costs me about €9/yr for 1GB.

    1. phuzz Silver badge

      Re: I would object to any mail service that messes with my message contents without my consent.

      Presumably when you fork over the $30/mo you also have to click through a 'customer agreement' that allows them to do this, as well as giving them dibs on your first-born etc.

      1. Graham 32

        Re: I would object to any mail service that messes with my message contents without my consent.

        I assume it's the point of the service. They do extra tracking of emails you send and then you get to see the data of when it was opened, how many times, etc.

        People who send marketing spam love this stuff. For example, there's a lot of analysis about when to send emails so they are read. Apparently getting an email into someone's inbox at 9am is best so it's at the top as they start work. The top emails are read in detail. The user loses patience as they get lower down the list and is more likely to delete it without reading.

  5. Blockchain commentard
    Facepalm

    Stupidhuman more like!!!!!

  6. Steve K

    Same as it ever was...

    the tech industry's inability to regulate itself. Silicon Valley's answer to pretty much everything has been "Can we do it?" regardless of the ethical implications.

    Who remembers Scott McNealy’s dismissive “You have zero privacy anyway, get over it” from 20 (!!) years ago.....

    1. Pascal Monett Silver badge

      I will never forget that.

    2. Anonymous Coward
      Anonymous Coward

      Re: Same as it ever was...

      If you've got a while, The Beers With Talos podcast has an excellent episode on privacy: https://blog.talosintelligence.com/2019/02/beers-with-talos-ep-47-privacy.html

      And this is coming from a company owned by Cisco. Despite being security conscious, it's also pro privacy

    3. Teiwaz

      Re: Same as it ever was...

      Scott who?

  7. A Non e-mouse Silver badge

    Paid for email

    If you want an email email service which respects your privacy and support by humans, I can recommend Fastmail. Yes, it costs, but the basic tier is only $3 per month.

    Disclaimer: I'm a satisfied customer. I receive no kick-backs for promoting them.

  8. Ramlen

    Sales droids love this kind of service, despite the fact that the mailing lists they buy almost always contain a few honeytrap addresses and so get us on various SBLs

    "I sent 50,000 emails this week and I have 30 read receipts to show they have been read - that's worth at least XXXXX $£"

    Wankers the lot of 'em

    1. DontFeedTheTrolls
      Boffin

      I had a discussion with our Marketing Manager about 20 years ago about a paper mail shot we were sending out, and she stated at the time that the marketing industry expectations of a response of 2% was good.

      I'm guessing the number will be even less for targeted email. Anyone with Marketing connections know the figure for spam?

  9. Anonymous Coward
    Anonymous Coward

    The nuclear option

    I think I'll set up a new email rule.

    If my server detects a tracking pixel, reply to sender with 10,000 read receipts with various passages from Watership Down.

    After all, its their responsibility to block spam from their inbox, no?

    If they send a mail to me, they're part of the platform and have made their bed - they should expect a response.

    1. Anonymous Coward
      Anonymous Coward

      Re: The nuclear option

      10K might be deemed an abuse. Just send the following every 5 minutes while your email client is open:

      "Dear Sir, Thank-you for your recent email that contained a tracking pixel. Since you clearly have an interest in knowing precisely when and where I read email, please be informed that my email client is currently open and that I am sitting on the loo. I may or may not have time to read your email during this session but you will continue to be notified as necessary."

      1. Danny Boyd
        Go

        Re: The nuclear option

        And receive back a receipt for each of these mails, each receipt unleashing a flurry of new mails? Sounds like fun.

        1. J. Cook Silver badge
          Mushroom

          Re: The nuclear option

          Oh, and piss off the mail admins for both sides? SIGN ME UP, I LOVE NUKING ACCOUNTS THAT DO STUPID SHIT LIKE THIS.

  10. Mr Dogshit

    Zak Kukoff

    There's someone called "Zak Kukoff"?

    1. TimMaher Silver badge

      Re: Zak Kukoff

      Yo @dog. I think it is an anagram for Kak Zukoff.

      Might have scatological erotic connotations?

      Might be wrong?

  11. Anonymous Coward
    Anonymous Coward

    consumers will always trade privacy for "advancements in tech"

    while I find him and his lot repulsive, looking at people, in general, I'm afraid he's got it right.

    1. Richocet

      Re: consumers will always trade privacy for "advancements in tech"

      Not sure there is any advancement in tech here. However please alert me when hoverboards are available and I'll *consider* giving up some precious privacy.

  12. Anonymous Coward
    Anonymous Coward

    Hang on a second ....

    if they can insert tracking pixels *into* a message then they have access to the plaintext ?

    What sort of moron pays $30 a month to an outfit to handle email and doesn't encrypt it before sending ? And more importantly why don't I ever meet them when I'm flogging stuff ?

    1. 's water music

      Re: Hang on a second ....

      if they can insert tracking pixels *into* a message then they have access to the plaintext ?

      Teh article doesn't make it clear but this service is a gmail plugin that tarts the experience up a bit and tries to add a bit of value by making it simpler to carry out repetitive tasks. The privacy moan was about privacy of people you are sending mail to as it implements tracking pixels in your outgoing mail by default rather than defaulting to off and using the actual standards based read receipt headers (maybe because most sane mail servers either ignore them or allow the recipient to control them)

    2. adnim
      Mushroom

      Re: Hang on a second ....

      Anyone that own/admins a server that any kind of data passes through or lands upon has access to everything that lands on or passes through it.

  13. Alan Sharkey

    Your article misses the point

    It's not read receipt per se that are the issue, but the fact that the app can track WHERE you read the email - and where you re-read it. So, it's tracking you without your consent - which is against GDPR, I think

    Alan

  14. Rich 2 Silver badge

    Eh?

    I'm lost - Why would anyone use this "service"?

    There are a million other email services about that "just work". Without any crap. And they're a lot cheaper than $30/month

    As for an "undo" feature for email, everyone knows this doesn't (and can't) work. It's bollox

    1. Woodnag

      Undo

      Undo can be implemented completely by pausing the send until the undo window has passed. Or, implemented on the same server system, in the sense that the sent copies can be retrospectively deleted... but before that nothing stops a recipient keeping a copy by forwarding it, printing to PDF etc.

    2. DontFeedTheTrolls
      Unhappy

      Re: Eh?

      Why would anyone use this "service"?

      Can't answer for all the features, but for the tracking service I have a psycho stalker friend who uses a pixel tracking service to see when men she's dated have opened and read the emails she's sent them.

      Despite demonstrating how easy it is to defeat she continues to obsess over when her emails are being read and for how long they were open. "He's opened the email but why hasn't he replied immediately, he must be seeing other women", having been on only one date. I just hope none of them own a rabbit.

  15. Elgreppo
    Mushroom

    Half-assed nuclear option

    I think I'll set up a new email rule.

    If my server detects a tracking pixel, reply to sender with 10,000 read receipts with various passages from Watership Down.

    After all, its their responsibility to block spam from their inbox, no?

    If they send a mail to me, they're part of the platform and have made their bed - they should expect a response.

  16. Anonymous Coward
    Anonymous Coward

    Web Bugs and RootKits

    I had sent several emails to the abuse department of a large web anonymizing service that showed up in WHOIS when trying to track down the source of malicious ads that were serving up rootkits.

    This company never responded to my multiple emails but I am sure they received my complaints because their automated service tried to send me a "Web Bug" like this:

    "[REDACTED]_facebookhermes/images/web.p=

    ng"><span style=3D"font-size:12.0pt">&nbsp;&nbsp;"

    Pro Tip: If you're gonna pretend you never received an abuse complaint you should disable your automated spyware

  17. DropBear

    ...so you're basically saying it is a surveillance too. Well, I agree.

  18. Paul Hovnanian Silver badge
    Paris Hilton

    Spend time on a waiting list

    Sounds like an old marketing trick: Merchant couldn't move his junk so he puts up a sign "Limit: Two to a customer" and he sells out.

    And make them pay for something that most give away for free.

    1. Anonymous Coward
      Anonymous Coward

      Re: Spend time on a waiting list

      And make them pay for something that most give away for free.

      --------------------------------------

      "free" is almost always a red flag warning.

      That's why I pay for good connection provider independent email at a small local ISP.

  19. Sinick

    FTFY

    "fed up with the tech industry's inability to regulate itself"

    s/inability/deliberate refusal/

  20. IGotOut Silver badge

    Maybe I'm wrong

    But don't most web email platforms block trackers by default anyway?

    You normally have to click on some sort of banner saying "enable content"

  21. upsidedowncreature

    cf Whatsapp

    I can understand the privacy concern, but how is this different to Whatsapp, which indicates when a message has been read?

    1. DontFeedTheTrolls
      Boffin

      Re: cf Whatsapp

      WhatsApp makes it clear to everyone that the status of messages is being tracked. This service is attempting to track covertly. Not defending WhatsApp, just answering the question.

  22. NibsNiven

    Article should tell the whole truth

    I don't know why the article's author failed to disclose the most important parts of this story:

    1) The 1 pixel image is used to disclose to the sender not just the fact that the recipient received the email, but also when and where (via IP geolocation) the recipient is every time it's opened.

    2) Users of Superhuman are not allowed to opt out of downloading images in emails so cannot avoid being tracked themselves by Superhuman.

    Recipients who don't block image downloads end up having lists generated of when and where they were every time they open that email, yet they are not told this by the sender. Great for stalkers, nosy bosses and other creeps, not so great for the unwitting recipient.

    The (mostly marketers) who use Superhuman are providing all kinds of useful information on themselves and their customers, all of which Superhuman can legally sell according to the user agreement. Although I haven't confirmed this personally, users have said that they must provide their Gmail password to Superhuman as part of a "live training session" they undergo as a condition of joining Superhuman's service. Creeped out yet? How about this: apparently there's a waiting list to join Superhuman's service!

  23. Milton

    International quality standard

    Perhaps there is a case for drawing up an internationally agreed minimum standard for quality and especially privacy—a kind of gold seal for data protection, robustness, security, privacy, which can be awarded to products and services which have been verified as meeting high standards, not collecting personal data, offering clear and transparent opt-outs and so on.

    If you set up yet Another Email Service—presumably one which will be paid for along honest commercial lines, instead of supposedly "free"—you may apply to be audited for this certification. If the bar is high enough, then businesses can charge a justifiable sum for a service which potential customers will know has been properly tested.

    It might help to encourage a move away from "free", where the customer is really a user, and victim, to the more balanced model of paying directly for value recived. The customer gets rights far beyond that of the "free" user.

  24. pmb00cs

    What we need now ....

    I've seen in the comments a few possible responses to this sort of behaviour:

    - Spam people who send emails with tracking pixels

    - block images from loading (what I actually do)

    But what I reckon is needed is a server that can have the tracking pixels' URLs loaded into it, so that it can send requests over TOR (or some other anonymising network) for them every few minutes. Make the tracking data useless by filling it with junk data.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like