Superhuman is Spying on You

Over the past 25 years, email has weaved itself into the daily fabric of life. Our inboxes contain everything from very personal letters, to work correspondence, to unsolicited inbound sales pitches. In many ways, they are an extension of our homes: private places where we are free to deal with what life throws at us in whatever way we see fit. Have an inbox zero policy? That’s up to you. Let your inbox build into the thousands and only deal with what you can stay on top of? That’s your business too.

It is disappointing then that one of the most hyped new email clients, Superhuman, has decided to embed hidden tracking pixels inside of the emails its customers send out. Superhuman calls this feature “Read Receipts” and turns it on by default for its customers, without the consent of its recipients. You’ve heard the term “Read Receipts” before, so you have most likely been conditioned to believe it’s a simple “Read/Unread” status that people can opt out of. With Superhuman, it is not. If I send you an email using Superhuman (no matter what email client you use), and you open it 9 times, this is what I see:

That’s right. A running log of every single time you have opened my email, including your location when you opened it. Before we continue, ask yourself if you expect this information to be collected on you and relayed back to your parent, your child, your spouse, your co-worker, a salesperson, an ex, a random stranger, or a stalker every time you read an email. Although some one-to-many email blasting software has used similar technologies to track open rates, the answer is no; most people don’t expect this. People reasonably expect that when — and especially where — they read their email is their own business.

When I initially tweeted about this last week, the tweet was faved by a wide variety of people, including current and former employees and CEOs of companies ranging from Facebook, to Apple, to Twitter:

It was also met critically by several Superhuman users, as well as some Superhuman investors (who never disclosed that they were investors, even in past, private conversations with me). I want to talk about this issue because I think it’s instructive to how we build products and companies with a sense of ethics and responsibility. I think what Superhuman is doing here demonstrates a lack of regard for both.

First, a few caveats:

I was invited into the Superhuman service several months ago. I began their onboarding process, was excited to try using it as my primary email client, and bailed out the moment I found out about this spyware functionality. Nothing in this post evaluates other things about the Superhuman service. I’m not here to tell you it isn’t fast, isn’t good looking, or doesn’t save you time. I suspect it is all of those things, in fact. So if your response to this post is “BUT I LIKE IT!”, I believe you that there are things to like about it. That is not the subject of this post. I know people whom I consider to be ethical people who use workplace software that embeds tracking pixels in emails.

Second, I want to talk about why this particular issue is so important. Not why privacy is important; we are all already learning that the hard way. Rather, why making ethical decisions at the earliest stages of your company is important.

When a company first forms, there are no norms or principles guiding how its people should make decisions. It’s basically just what’s in the founders’ heads. With each decision a company makes, its “decision genome” is established and subsequently hardened. You’ve decided in your first month that you’re only going to hire engineers from Top 10 engineering schools? That’s now part of your genome and will determine the composition of your company. You’ve decided to forgo extra profits by keeping your prices low for consumers? That’s now part of your genome. You’ve decided to employ a single dark pattern to trick users into adding more things to their shopping cart? Part of your genome.

The reason this matters is that what may seem like small decisions early on become the basis for many more decisions down the road. These decisions affect your ethical trajectory as a company. Let’s use the dark pattern example. Maybe the shopping cart thing was pretty minor and you were able to rationalize it internally in a variety of ways, including the fact that the extra item in the user’s cart was inexpensive and provided value (like a product warranty, for instance). Down the road, when employees want to employ more dark patterns, here is how the conversation would go:

Greg: “Hey, we aren’t getting enough people to opt-into our mailing list when they sign up. Can we try maybe unchecking that box by default but using language such that leaving it unchecked opts people in?”

Desi: “Wouldn’t we be intentionally deceiving users if we did that?”

Greg: “Uhhhh, we already add things to your shopping cart that you don’t even ask for!”

Desi: “True. This seems like less of a big deal than that. I guess I’m OK with it.”

If you’ve never worked at a tech company before, this is how things go. When faced with making a product decision that is even mildly uncomfortable, employees often first look towards expressed company principles like “Always put the customer first”, but the next thing they look for is precedent. What other decisions have we made that look like this one? Designers do this. Engineers do this. Product managers do this. Executives do this. It’s an easy way to inform your current decision, and it’s also an easy way to cover your ass. Imagine the above decision was made by a product manager, and later on the company was called out publicly on it. The CEO or Head of Product marches over to the product manager and says “what were you thinking here?!?” The product manager needs only to point to the shopping cart behavior in order to let him or herself off the hook.

The point here is that companies decide early on what sort of companies they will end up being. The company they may want to be is often written in things like “core values” that are displayed in lunch rooms and employee handbooks, but the company they will be is a product of the actual decisions they make — especially the tough decisions.

So back to Superhuman. Here we have a company that professes to create a better email experience mainly through better design and engineering. So far so good! Those who know me know that I would be among the first people to sign up for something like this and also among the most vocal to evangelize it. Heck, I love a certain showerhead so much that I:

Have bought one for every shower in every place I’ve lived for the past several years. Bought one for every member of my leadership team at Twitter for Christmas. Used to keep a brand new spare one in my trunk to give away to friends every time the subject came up. Turned the damn showerhead emoji on Twitter into a Flipside. Actually, my team did this, but as an homage to my love for it.

In other words, when I see great design, I proactively try to spread it as far and wide as possible.

What I see in Superhuman though is a company that has mistaken taking advantage of people for good design. They’ve identified a feature that provides value to some of their customers (i.e. seeing if someone has opened your email yet) and they’ve trampled the privacy of every single person they send email to in order to achieve that. Superhuman never asks the person on the other end if they are OK with sending a read receipt (complete with timestamp and geolocation). Superhuman never offers a way to opt out. Just as troublingly, Superhuman teaches its user to surveil by default. I imagine many users sign up for this, see the feature, and say to themselves “Cool! Read receipts! I guess that’s one of the things my $30 a month buys me.”

When products are introduced into the market with behaviors like this, customers are trained to think they are not just legal but also ethical. They don’t always take the next step and ask themselves “wait, should I be doing this?” It’s kind of like if you walked by someone’s window at night and saw them naked. You could do one of two things: a) look away and get out of there, realizing you saw something that person wouldn’t want you to see, or b) keep staring, because if they really didn’t want anyone to see them, they should have closed their blinds. It’s two ways of looking at the world, and Superhuman is not just allowing for option B but actively causing it to happen. It’s almost as if Superhuman is aiming a motion-sensitive camera outside people’s windows and sending alerts when there is motion. It’s automated and designed to capture info when your family, your friend, your co-worker, or your victim is not aware. You may think “victim” is too harsh of a word to use here, but remember, we aren’t talking about you. We are talking about anyone who might use Superhuman.

Even though most of the feedback I’ve gotten about raising this issue has been supportive, here is a collection of replies I’ve gotten on Twitter, so we can address them all in one place:

“Email clients have done this for years. Even Apple does this with iMessage.” — Multiple People. This argument is naive at best and disingenuous at worst. Superhuman’s competitors are Apple Mail, Gmail, and Outlook. Exactly zero of those companies insert a tracking pixel into their emails. Furthermore, both Outlook and iMessage use Read Receipts that are turned off by default and controlled completely by the receiving user. In other words, when you buy a new iPhone or start using Outlook, no one requesting an Outlook or iMessage read receipt can receive one without your explicit permission. Furthermore, even if you do turn those on, it’s a simple one-time receipt… not a log of times and geolocations every time the recipient views the message. Both Microsoft and Apple — as well as other messaging platforms like Twitter, LinkedIn, and Signal — have designed their read receipts in an ethical way. Superhuman has not. Also ask yourself what the backlash would be if a company somehow retrofit these spying capabilities on top of iMessage. What if every single time you viewed someone’s text message, your phone sent a timestamp and location to back to the sender, creating a map of your movements? There’s a reason Apple doesn’t allow this. “Other tools like MailChimp, PersistIQ, SendGrid, and MailTrack do this.” — Multiple People. Superhuman is an e-mail client, much like Gmail, Outlook, and Apple Mail. It is not mail automation software. Mass mailing companies, for the most part, use that technology to track open rates and also to *stop* sending out emails to people who haven’t opened them in months. There are indeed some sales-enablement companies that use this technology to track individual opens, and I find that just as creepy. The main point here is: just because technology is being used unethically by others does not mean you should use it unethically yourself. Harmful pesticides have also been around for years. That doesn’t mean you should use them yourself. Where to start with this one from Gary Sheynkman. You, the sender, do not get to decide how I, the receiver, respond to you. Not returning your email right away is not passive-aggressive. It’s often just being busy or prioritizing. As pointed out by Erica, being “left on read” can send unintended hurtful messages. Furthermore, in the workplace, this can be used as a tool to monitor or coerce around-the-clock work. This is from Nick Abouzeid, a Superhuman investor (who did not disclose that, but I got it by going to his website) from the aptly named “Shrug Capital”. This comment gets to the crux of the ethics question we are talking about here. When you are making software, you can either say “lets exploit everything in the world that can act to our benefit” or you can say “lets build something that’s great for the world”. This person looks at all people who use email as potential people to exploit. How many people use email? 2 billion or so? How many of those have images turned off? Probably a tiny percentage. And how many are expecting that every time they open an email from a friend, their friend gets notified with their geolocation? I would guess almost zero. So what this person is essentially saying is that since most people leave their curtains open at night, it’s ethical for the company he funds to film what goes on inside. Furthermore, Superhuman doesn’t even let its own customers turn images off. So merely by using Superhuman, you are vulnerable to the exact same spying that Superhuman enables you to do to others. He is right about one thing though: because of spyware-foisting companies like Superhuman, you should unfortunately turn off all image loading in your email client.

When you start to think about all of the ways Superhuman can be used to violate privacy, you really wonder why The New York Times spent 1,200 words on a tongue-bath that doesn’t even talk meaningfully about privacy issues at all. We don’t need journalism to tell us where venture capitalists are putting other people’s money. We need it to examine the ramifications of the technology we are pushing into the world and in what ways it might shift the Overton Window for Ethics in either helpful or hurtful ways.

There are some bad people out there, so what are some bad things that people can do with technology like this? Here are just a few:

An ex-boyfriend is a Superhuman user who pens a desperate email. Subject: “I’ve been thinking about us”. He sends it to his former partner. She reads it when she gets to work in Downtown Los Angeles at 9am. She reads it again before dinner with friends in Pasadena at 7pm. She reads it again at home in Santa Monica at 1am. Over the weekend, she takes a trip to New York and reads it again. Twice. She decides not to answer the email, because her ex has stalked her in the past and she doesn’t want to communicate any further. But because of the tracking pixel, her email is always communicating, and it’s sharing info she does not want to send and doesn’t even know she is sending. She didn’t reply, but her ex still knows she read his email five times, including most likely in her bed. And he knows she took a trip to New York.

A pedophile uses Superhuman to send your child an email. Subject: “Ten Tips to Get Great at Minecraft”. Your child keeps the email in their inbox and refers back to it often over the course of a year. Sometimes when they are at home in Vermont. Sometimes when they are at school in New Hampshire. Sometimes when they are with their grandparents in Massachusetts. Every time your child opens the email, that person knows generally where they are (or specifically, if they have other info to triangulate against).

Superhuman decides they can make more money by supplementing their subscription fees with data licensing agreements. Maybe they decide to leave out data from paying Superhuman customers but they include location history from every single person you’ve ever emailed, because they have no contract with those people. Location maps with timestamps, other insights about things like working hours and locations, device types, and whatever else they collect. That data is then used to target those people in a variety of ways. If Superhuman is truly willing to commit to never license any data to anyone for any reason, they should be able to clearly say so right now. But they probably won’t, because they want to keep their options open.

I understand wanting to cover a new product, but an outfit as respected as the Times needs to go deeper on this stuff. Heck, I’m already at 4000 words — on a single subject — and I just wrote this on a whim over the weekend.

Even though I wish companies didn’t make the sorts of product decisions Superhuman has made, I’m glad they are at least showing their cards early (and appear to stand by them) so I can avoid their service. Not just on principle but because I have no reason to trust them with any of my data. Remember that they require full access to your Gmail in order to do their thing. Fast forward a year or two and I can see them licensing location data either from their own customers or their non-customers to a third-party for any number of distasteful purposes. They say they have a privacy policy that forbids this, but I don’t read their policy that way at all. It allows and even specifies all sorts of things they can do. Here’s an excerpt (emphasis mine):

HOW WE USE TRACKING TECHNOLOGY TO COLLECT INFORMATION We automatically collect usage information when you visit our Website or use the Service through the use of tracking technologies, including tracking pixels and similar technology (collectively, “Tracking Technologies”). We may use the data collected through Tracking Technologies to: (a) remember information so that you will not have to re-enter it the next time you visit the Website or use the Service; (b) provide and monitor the effectiveness of our Service; (c) provide functionality of the Service including read receipts; (d) monitor and collect analytics data using third-party tools like Google Analytics in order to help measure traffic and usage trends for the Service; (e) diagnose or fix technology problems; and (f) otherwise to plan for and enhance our Service.

The form of this paragraph is very familiar to lawyers. Specify some stuff that sounds mundane and then leave yourself all sorts of escape routes. Item F is essentially a universal license to do whatever they want (i.e. “We’ve ‘enhanced’ our service by using your location data in a new way!”). Now, I’m not saying this privacy policy is out of the ordinary at all. I’m just saying there is nothing about Superhuman’s Terms of Service that prevent them from making further decisions that violate your privacy in the future. Not to mention, companies can change their policy at any time. When you use a product, you need to trust the people who are building it — not the documents their attorneys create. And finally, once again, because of this spyware pixel, most of the people they are collecting information on aren’t even Superhuman customers and never even signed up for this policy.

So what would I do if I were Rahul Vohra, Superhuman’s CEO?

The first thing I’d do is apologize and remove this functionality for everyone. You don’t need to take out a front page ad in the Times. Just own the mistake and disable the feature unless and until you can design it in an ethical way. Don’t keep it up for a year while you work on it. Take it down. This would show responsibility and regard for doing the right thing. A sign of an honorable company is when it is willing to learn, take responsibility, and improve.

Next I would recalibrate how important it is to even offer Read Receipts. Superhuman seems to be doing just fine in terms of customer satisfaction. I know some people like this functionality but does the success of Superhuman’s business depend on it? I would guess not.

Third, if Superhuman really cared about protecting the privacy of its users, they would actually provide the exact opposite of this feature. Protect all Superhuman users from emails loaded with surveillance pixels, do it by default, and never embed them in their own outbound emails. There are a few browser extensions that do this decently while keeping most benign images turned on, but this would be a great feature to have baked into an email client. Use this moment as a turning point to honor all of the other work going on at the company and turn this negative into a positive.

Finally, if I still didn’t agree that tracking the geolocations and reading behavior of unwitting people was deceptive, I’d wear it on my sleeve:

A good ethics test for investors, employees & users of Superhuman. If you use SH’s default spyware behavior, you should be willing to change your signature to this: – Sent via Superhuman. Every time you open this email, the time and your location are sent to me. Who’s first? — Mike Davidson (@mikeindustries) June 27, 2019

A lot of Superhuman’s customers — and I assume most of its employees and execs — use the “Sent with Superhuman” signature already. If you are so sure that automatically receiving a recipient’s geolocation every time they read one of your emails is OK, you should be OK with telling them that when you send them an email. In fact, since it’s a feature you are proud of, you should be more than happy to market it so clearly, right? (In case you’re wondering, exactly zero people stepped up to do this. Not Rahul Vohra, no employees, no investors, and no customers.)

Before I close, I want to talk about blame.

I don’t automatically blame Superhuman designers for this, because I don’t know if they fought for it or against it. Likewise, I don’t blame Superhuman engineers, product managers, or anyone else, for the same reason. For all I know, this was something the team pushed back strenuously on and lost. If so, thanks for fighting the good fight, and you should have your equity grant doubled for trying to do the right thing. If not, this whole article also applies to you. The only person I know for sure shares some or all of the responsibility for this is Superhuman’s CEO, Rahul Vohra. He is the only employee I’ve seen actively defend it (although perhaps others have), and it’s safe to say he was intimately involved in its development.

This is also important: I do not know Rahul. I don’t know if he’s nice, mean, a good person, a bad person, likes his steak medium rare or well-done with ketchup, or anything else about him. I make no value judgements about him as a human, and as with most other humans, I try to assume the best about him. This article is about a very specific decision of his that I find to be dangerous and wrong. Whenever I see something like this, I always give the benefit of the doubt and assume the person simply doesn’t realize the downside consequences of their decision. I brought this up several months ago and the company did nothing to address it. I brought it up again last week and still nothing. In light of that, and in light of some of the responses from investors defending Superhuman’s surveillance behavior, I felt justified writing a proper piece about it.

Finally, if you are a user wanting to protect yourself against automatically having your email behavior and geolocation sent to people who use Superhuman and other surveillance tools, you need to do both of these things:

Don’t use Superhuman yourself. As mentioned earlier, Superhuman leaves you unprotected from spying because they don’t allow you to block these spyware pixels. It also turns you into an unwitting information collection machine, aggregating info on every single person you send email to. Possibly including your parents, children, partners, and friends. Turn off remote image loading in whatever email client you use. Almost every client these days allows you to do this, with the strange exception of Gmail for iOS. If you are a Gmail user, I recommend switching to something like Outlook on your iPhone. It’s free and allows you to use your existing Gmail account. No migration necessary. Apple Mail is fine too.

So to sum up — whether you are an email provider or an email user — don’t surveil, and don’t allow yourself to be surveilled. I hope Superhuman does the right thing and decides to help stop this problem instead of trying to normalize it.