Major Data Selling Scandal (2017)

The Uber Data Selling Scandal

• Unroll.Me secretly sold users' email data to Uber for millions of dollars to help Uber spy on competitor Lyft

• Collected Lyft receipts from users' inboxes and sold "anonymized" data to Uber for competitive intelligence

• Millions of users' private emails scanned and sold without clear consent

• CEO Jojo Hedaya showed no remorse, stating he didn't "feel bad" about selling user data

Federal Class Action Lawsuit (2017)

Electronic Communications Privacy Act Violation

• Case: Jason Cooper v. Slice Technologies Inc. et al., Case No. 3:17-cv-02340

• Court: U.S. District Court for the Northern District of California

• Allegations: Violating Electronic Communications Privacy Act and Stored Communications Act

• Seeking: $1,000 per affected user in damages

Deceptive Business Practices

False Marketing Claims

• Marketed as a simple email unsubscribe service while secretly operating as a data mining business

• Under the disguise of being a “consumer-friendly email management service”, UnrollMe was able to mislead millions of consumers

• Privacy policy buried data selling permissions in fine print that users never read

• Users believed they were only getting help with email management, not participating in data harvesting

Misleading Privacy Claims

• Company, claiming "we never, ever release personal data about you," sold detailed purchase and behavior data to third parties for profit

• Sold detailed purchase and behavior data to third parties for profit

• Used legal loopholes around "anonymized" data while data could still be re-identified

Corporate Ownership & Structure Issues

Parent Company Problems

• Current Owner: Nielsen Consumer LLC (NIQ Group) via the Rakuten acquisition

• Previous Owner: Slice Intelligence (acquired by Rakuten) uses a complex corporate structure to obscure responsibility

• Uses complex corporate structure to obscure responsibility

• Parent company Rakuten has filed multiple data breach notifications with state regulators

Technical Security Concerns

Poor Data Security Practices

• Former web developer claimed Unroll.me secured customer emails poorly

• Other companies declined to acquire Unroll.me partly due to concerns over executives' honesty

• Company requires full email account access, creating broad attack surface

Current Privacy Policy Issues

Ongoing Data Sharing Practices

• Still shares data with "corporate affiliates" and "business partners"

• Continues to disclose personal information to "advertising, measurement, and analytics providers"

• Privacy policy uses broad terms that allow extensive data sharing

• Limited user control over how data is shared with third parties

Connection to Uber's Legal Problems

Uber's Related Violations

• Uber paid $20 million to FTC partly related to data practices involving Unroll.me data

• Uber's use of purchased data contributed to broader pattern of privacy violations

• Data selling arrangement drew attention from federal regulators