The popular Edison email app, which is in the top 100 productivity apps on the Apple app store, scrapes users' email inboxes and sells products based off that information to clients in the finance, travel, and e-Commerce sectors. The contents of Edison users' inboxes are of particular interest to companies who can buy the data to make better investment decisions, according to a J.P. Morgan document obtained by Motherboard.
On its website Edison says that it does "process" users' emails, but some users did not know that when using the Edison app the company scrapes their inbox for profit. Motherboard has also obtained documentation that provides more specifics about how two other popular apps—Cleanfox and Slice—sell products based on users' emails to corporate clients.
"They could definitely be a bit more upfront about their commercial intents," Seb Insua, a Edison user who said they were unaware of the data selling, told Motherboard. "Their website is all like 'No Ads' and 'Privacy First'," he added (the company's website says "Edison Trends practices privacy by design.")
"I did not know they were doing that. They've introduced new features that I really enjoyed like package tracking, price tracking and such, but it makes sense now why they built those out—if it was to just gather data on their users," Ronnie Johnson, another Edison user, said. A third user also said they weren't aware of the data selling.
Do you know about any other companies selling data? Do you have documents related to this? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Some of the companies listed in the J.P. Morgan document sell data sourced from "personal inboxes," the document adds. A spokesperson for J.P. Morgan Research, the part of the company that created the document, told Motherboard that the research "is intended for institutional clients."
That document describes Edison as providing "consumer purchase metrics including brand loyalty, wallet share, purchase preferences, etc." The document adds that the "source" of the data is the "Edison Email App."
On the product section of its website, Edison offers "Edison Trends" and "Trends Direct." The company says it can provide "Detailed behavior patterns to improve your customers' experience and business results."
Edison is just one of several companies that offer free email apps which then sell anonymized or pseudonymised data derived from users' inboxes. Another company that mines inboxes called Foxintelligence has data that comes from users of the Cleanfox app, which tidies up users' inboxes.
"From a higher perspective, we believe crowd-sourced transaction data has a transformational power both for consumers and for companies and that a marketplace where value can be created for both sides without making any compromise on privacy is possible," Foxintelligence Chief Operating Officer Florian Cleyet-Merle told Motherboard in an email.
A confidential Foxintelligence presentation obtained by Motherboard lists what it claims are "examples of clients." They include PayPal, consulting giants Bain & Company, and McKinsey & Company. Most of the companies did not respond to a request for comment, but European ridesharing app Bolt, which was also listed as a client under its previous name Txfy, told Motherboard in an email "We've used Foxintelligence in the past for anonymised market share data for ride-hailing services in France. We have not used them outside of this limited purpose and are no longer a client." Cleyet-Merle added that "not all the brands in your screenshot are currently clients of Foxintelligence" but did not elaborate further.
A dataset obtained by Motherboard shows what some of the information pulled from free email app users' inboxes looks like. A spreadsheet containing data from Rakuten's Slice, an app that scrapes a user's inbox so they can better track packages or get their money back once a product goes down in price, contains the item that an app user bought from a specific brand, what they paid, and an unique identification code for each buyer. Last month the company created a page on its website telling users how to opt-out from the sale of their data. Rakuten told Motherboard in an email this was introduced to comply with the California Consumer Privacy Act (CCPA).
"I did not know they were doing that."
Rakuten did not dispute the titles of columns of the data when Motherboard provided a list. An email obtained by Motherboard appeared to show the price for access to Rakuten data for one product category as over $100,000. Rakuten told Motherboard that, "We do not publicly disclose our pricing or terms—these are confidential to our customers."
Insua, one of the Edison users, said they didn't have an issue with the data collection itself, but thinks Edison could be clearer on what they're really doing with collected email data.
"'Create research' makes it seem like they are academics or sharing this with the public institutions for non-commercial reasons or something," Insua said.
He added, "They could be like 'we anonymise the purchase data within your emails and sell this research.'"
Subscribe to our cybersecurity podcast, CYBER.