Superhuman’s Superficial Privacy Fixes Do Not Prevent It From Spying on You

Last week was a good week for privacy. Or was it?

It took an article I almost didn’t publish and tens of thousands of people saying they were creeped out, but Superhuman admitted they were wrong and reduced the danger that their surveillance pixels introduce. Good on Rahul Vohra and team for that.

I will say, however, that I’m a little surprised how quickly some people are rolling over and giving Superhuman credit for fixing a problem that they didn’t actually fix. From tech press articles implying that the company quickly closed all of its privacy issues, to friends sending me nice notes, I don’t think people are paying close enough attention here. This is not “Mission Accomplished” for ethical product design or privacy — at all.

I noticed two people — Walt Mossberg and Josh Constine — who spoke out immediately with the exact thoughts I had in my head.

1/ This is a good *first* step. Better than doing nothing. But it’s not enough. I read the full blog post. It makes no mention of disabling tracking how *often* the recipient opens the email. It’s also full of the rationalization that secret tracking is ok in “business” software. https://t.co/c0PbCRLgdp — Walt Mossberg (@waltmossberg) July 3, 2019

I appreciate Superhuman’s changes, but the problem is recipients don’t know they’re tracked, and it’s still not going to warn them https://t.co/GPfUYVkBMs — Josh Constine (@JoshConstine) July 3, 2019

Let’s take a look at how Superhuman explains their changes. Rahul correctly lays out four of the criticisms leveled at Superhuman’s read receipts:

“Location data could be used in nefarious ways.” “Read statuses are on by default.” “Recipients of emails cannot opt out.” “Superhuman users cannot disable remote image loading.”

However, he also omits the core criticism: Recipients of Superhuman emails do not know their actions are being tracked or sent back to senders.

Rahul then details the five ways they plan to address those concerns:

“We have stopped logging location information for new email, effective immediately.” “We are releasing new app versions today that no longer show location information.” “We are deleting all historical location data from our apps.” “We are keeping the read status feature, but turning it off by default. Users who want it will have to explicitly turn it on.” “We are prioritizing building an option to disable remote image loading.”

The first three apply only to the first criticism about location, but fine. All good moves. Bravo.

The fourth addresses the concern about teaching customers to surveil by default but also establishes that Superhuman is keeping the feature working almost exactly as-is, with the exception of not collecting or displaying actual locations. I’ve spoken with several people about how they interpreted Rahul’s post on this particular detail. Some believed the whole log of timestamped read events was going away and were happy about that. Others read it the way Walt, Josh, and I did: you can still see exactly when and how many times someone has opened your email, complete with multiple timestamps — you just can’t see the location anymore. That, to me, is not sufficient. “A little less creepy” is still creepy.

Also worth noting, “turning receipts off by default” does nothing to educate customers about the undisclosed surveillance they are enabling if they flip that switch. If they’ve used read receipts at all in the past, they will probably assume it works just like Outlook. At the very least, Superhuman should display a message when you flip that switch saying something like “by turning on Read Receipts, you are monitoring your recipients’ actions without their knowledge or permission. Are you sure you want to do this?”

Rahul’s fifth and final fix is also good in that they now realize pixel spying is a threat that they need to protect their own users from. This introduces a moral paradox, however: if the technology you are using on others is something you need to protect your own users from, then why are you using it on others in the first place? These are all questions I’ve asked Rahul publicly in this series of tweets, which I’m still waiting for a response on, four days later:

Thanks for responding, @rahulvohra. I appreciate that you apologized and not in a “sorry *if* you were offended” sort of way. Before I respond, I have a few questions though. #1: I couldn’t tell from the post if you are still collecting and reporting a log of timestamped (more) https://t.co/oQG5UH8uOE — Mike Davidson (@mikeindustries) July 3, 2019

Ask yourself, even under this new system, whether you would ever not feel creeped out by someone saying:

“I’ve noticed you’ve opened my email four times, including last night, and even five minutes ago… and you haven’t responded yet.”

What if someone in your family said that? What if your ex said that? What if someone who had threatened you in the past said that? How about someone you didn’t even know? How about your boss?

It would be creepy enough for someone to actually say that to you, but even if they kept their mouth shut, they still know when you are looking at their email, and you don’t even know that they know. All because of these tracking pixels, which Superhuman has decided to continue using.

The message that sender-controlled read receipts send is “I’m watching you, I’ve been watching you, and you didn’t even know it”. Can you imagine ever saying that to someone, in any context, and having it go well?

I cannot. And the reason is that it communicates not only that you don’t trust me, but that I (the recipient) can’t trust you. It also implies that I’m doing something wrong by not emailing you back. As Ray Ozzie says, mess with people’s expectations at your own risk:

As early as Fernando Flores's Coordinator, we learned to view email as the distributed implementation of a very specific set of social contracts. Once any social tool is ubiquitously-embraced, breach those contracts at your peril & the community's peril.https://t.co/dyV1oyLbFm — ray ozzie (@rozzie) July 3, 2019

“I’m always watching you” is exactly the expectation that sender-controlled read receipts set. It’s how they work. And it’s the reason people don’t (and likely won’t) disclose that they’re using them.

Above all else, I want to know if people feel safe with this implementation. It doesn’t matter if I feel safe or if Rahul feels safe. Do women feel safe? Do people who have been creeped on over work email feel safe? Do people who have been harassed by salespeople feel safe? These are questions I would love for Rahul and team to investigate. You can probably start with someone like Cindy Southworth (hat tip: @amac) or many of the women, like Tracy Chou, who chimed in on the thread:

my summary of this is essentially: wow, fuck this flagrant violation of my privacy. https://t.co/VL10ySzotS — Tracy Chou 👩🏻‍💻 (@triketora) July 2, 2019

To Superhuman’s tremendous credit, they appear to have a pretty diverse team. Out of 30 people, I count 10 women and a variety of ethnicities. In Bay Area tech, that usually takes intentionality. Well done on that. It’s hard to believe, then, that not a single person — employee or customer — ever brought up how creepy the display of timestamps and read statuses are. Maybe someone internally did but the culture was not psychologically safe enough to bring it up and advocate against it. I’m just speculating. I don’t actually know. As Derek Powazek said:

In all those funders, engineers, designers, coders … NO ONE ever expressed surprise that the sender of an email could see a location every time a recipient opened it? When they were implementing it, no one said anything? Ever? I just don’t believe it. — Derek Powazek 🌱 (@fraying) July 4, 2019

Turns out, there seems to have been plenty of feedback, at least as far back as October 2018. Here is a Tweet from Elies Campo, formerly of WhatsApp and now working at Telegram (both known for their attention to privacy):

Last October I barely made it past @Superhuman’s onboarding & cancelled shortly after. I was shocked about their tracking & privacy values. I sent them feedback about the tracking features. They replied that they where considering a “stealth mode” 🤦🏻‍♂️. https://t.co/JzwijG5VYd pic.twitter.com/Qtak7t3k3d — Elies Campo (@elies) July 5, 2019

Read the words from Superhuman “Delight Team” employee Cameron Wiese. He says explicitly says “I agree” and says he thinks Superhuman should turn images off to avoid triggering read receipts and “having your privacy violated”.

Cameron is no longer at the company. I have no reason to believe that is related to this, but it’s proof that Superhuman’s own very small team knew about this a long time ago and decided to do nothing about it.

I began to wonder why, so I started reading up on Rahul. I haven’t followed his career so I wanted to read some things he’d written or said to get a better picture of how he thinks about products. The first thing I came across was this article entitled How Superhuman Built an Engine to Find Product/Market Fit. It’s really well-written and full of a lot of great wisdom from Rahul that can help other entrepreneurs. Stuff I have never thought about for sure. In particular, the bit about zeroing in on the question “how disappointed would you be if you could no longer use this product” is great. It’s kind of an inverse NPS. Really good stuff. There’s one part of the article that may, however, reveal what led to this situation Superhuman now finds itself in: Rahul talks about how he explicitly ignores feedback from people who don’t already love his product. You can read it yourself inside that article or listen to it from his own voice in this interview at the 17:50 mark. Please get the full context from the material provided, but here’s the quote:

“You take the users who most love your product and turn those into an HXC (high-expectation customer), and you use those to narrow the market. And what I mean by that is, deliberately ignore the responses from customers who don’t fit that archetype of people who love your product.”

Bingo.

There is already a huge survivorship bias problem whenever you survey existing customers (which is why people like Elies and me aren’t even represented in these surveys), but doing things the way Rahul describes is like some sort of “devotional bias” on top of the existing survivorship bias.

I will say this: if you were skeptical of Superhuman’s commitment to privacy and safety after reading the last article, you should probably be even more skeptical after these changes. The company’s efforts demonstrate a desire to tamp down liability and damage to their brand, but they do not show an understanding of the core problem: you should not build software that surreptitiously collects data on people in a way that would surprise and frighten them. Superhuman needs to realize that the people their customers send emails to aren’t “externalities”. They are people. And they deserve not to be spied on by software they don’t even know about and never signed up to use. This was an opportunity for Superhuman to internalize what it means to respect privacy, and model behavior for the next generation of companies by doing just that. Instead, they have done little more than the minimum.

I want to quickly detour into a few other issues unearthed by the conversation last week, and then we’ll get back to Superhuman.

First and foremost, it’s important to understand how dissatisfying it is that I happen to be the one who was able to break through on this issue. I am not the internet’s ombudsman or a beacon of morality. For that, I would turn to someone like danah boyd or Anil Dash, who are always a step ahead in thinking about unintended consequences of technology. Second, to my knowledge, I have never been stalked or abused. I am not a victim speaking out. I’m just another white guy of moderately impeachable character who got on my privileged soapbox and said something.

There are several reasons I was able to do this:

Because of my background and the way I look, I don’t have to worry about getting discredited or blackballed.

Despite tweeting stuff like this, I have a decent size following on Twitter.

I got extremely lucky twice in tech, so I’m secure enough financially and career-wise to where I don’t have to give a shit what the technology and venture capital world think of me.

I haven’t personally wielded the sort of granular tracking technology I am railing against.

I took the time to write a proper argument in long-form, litigating issues and not people.

Without all five of those things aligning, I think this whole thing wouldn’t have registered a blip. Furthermore, the first four of those things are about who I am and not what I wrote. Think about how frustrating this is for all of the people in the world who have something important they want to bring to light but are only able to do number five. This happens every day, and we miss a lot of it.

Conversely, I will also say that there are a lot of people in the world who have either all or some of the first four taken care of and instead take the easy route by tweeting out some thought-terminating-cliches (hat tip: Kristy Tillman), and then moving on to the next thing they feel like tweeting. If you have an argument to make, put in the work.

Along these lines, it’s been interesting to see who has reacted (and how) to my original article. If you search for who has linked to it on Twitter, you have to scroll through more than 50 posts before you find a single detractor. I didn’t research any further, and I could be biased by how Twitter displays search results, but my gut is that this is at least a 95%/5% situation, if not higher. To anyone who thinks “everyone knows this stuff is going on”, this is a death blow to that theory. “Everyone” in ad tech might know about email surveillance, but the great majority of people in the world do not… and those are the people you are either signing up to be honest with or signing up to deceive. As Upton Sinclair said:

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

In this case, the statement refers to getting people who surreptitiously track others to understand that those being tracked do not know they are being tracked nor want to be tracked and that it is a violation of their privacy.

It’s also been interesting to see who has not weighed in. That includes a lot of people on both sides of this issue, including most of Superhuman’s VCs and 120 well-placed angel investors. I have, however, gotten DMs from some very prominent people in the investment community expressing solidarity but unwilling to say anything publicly. I’ve also gotten similar messages from people involved in the creation of Outlook and other tools that have had to wrangle these sorts of issues. I’ve also heard from entrepreneurs who have been specifically told by investors not to engage in discussions like these because it may limit their ability to fundraise in the future.

To those who have spoken out publicly or messaged me privately, thank you!

Conversely, there are also probably people on the other side of the issue who haven’t spoken up because they don’t want to look like jerks. This issue can really make you look like a jerk quite easily, so it’s sometimes easier to just let everyone else tell on themselves instead, like this guy from Founders Fund:

Exactly the caring, benevolent way the venture capital world would love to be represented, I’m sure.

While we’re on the topic of Twitter, I should mention that I’m generally not a fan of having public, free-for-all debates about heated subjects on the platform. I think the format often turns us into the worst versions of ourselves, expelling incomplete thoughts in such staccato bursts that we are often talking past each other and to the larger audience we are trying to impress. Twitter at its best exposes us to wonderful things we’ve never seen before. But Twitter at its worst is just bad performance art. I feel bad that Rahul and team had to absorb the tens of thousands of Tweets directed at them last week. But at the same time, I also feel like they had advance warning several months ago from myself and surely others that what Superhuman is doing is not right.

Being on the inside of this whole clandestine web of intrigue for a few days has made me think twice about this tech ecosystem of ours and what sorts of behaviors we are enabling with it. How many VCs and powerful people hate what Superhuman is doing with people’s privacy but won’t say anything because they aren’t sure if another company in their portfolio does something similarly sketchy with data? How many won’t say anything because they are concerned about their relationship with Andreessen Horowitz?

This episode has also made me take stock of whether there’s anything in my own life which is collecting data it doesn’t need to collect. Someone on Twitter brought up the fact that I use Mailchimp to send out newsletters. That’s a good place to start. A few years ago, I enlisted Mailchimp to automate newsletter creation for me. I wanted to give people an easy way receive an email every time I wrote a new post. That’s about two or three times a year. Mailchimp makes this so easy that since installing it, I’ve never once logged into the service. I didn’t even know what, if any, data they were collecting aside from the number of subscribers I had. Turns out, they can collect a lot more data than I am comfortable with. Thankfully you can disable substantially all of it, which I have done. It bothers me that these services are choosing to collect all of this data for people who don’t even need it or want it. It turns people into “unwitting data collectors”.

It reminds me of the early days of Android when developers immediately asked for every single permission they could get from you. Now the conventional wisdom is to only ask for what you need, when you need it. It makes things slightly better that people are at least opting into these newsletters, but to use my same test from the original post, there is no way they know how much data is being collected on them. That said, I’m generally not moved by straw man arguments that attempt to paint bulk newsletter analytics with the same brush as email surveillance. News organizations are well within their rights to employ the former while criticizing the latter.

The second thing someone asked me on Twitter is whether the company I work for uses tracking pixels anywhere. I’m not in sales or I.T. so I have to look into how different people use analytics over here, but I imagine there are a variety of ways. I’m going to be proposing an explicit policy against the sort of thing described in this article this week and I don’t expect that will be controversial.

Ok, so back to Superhuman.

We are left now in a better state than we were last week. The threat level has decreased. But I am still left wondering, why is Superhuman taking this feature — which clearly creeps people out — and doing barely more than the minimum to make it less creepy? Rahul said exactly why in his post:

“If one of us creates something new, and that innovation becomes popular, then market dynamics will pull us all in that direction. This is how we ended up with location tracking inside of Superhuman, Mixmax, Yesware, Streak, and many others.”

Rahul is not wrong. But that is not how the greatest innovators think. The reason Slack is now an $18b company whose software is loved by millions of customers is that Stewart Butterfield created a new workplace communications tool based on how he thinks workplace communications should work. Stewart and team looked at what tools people were currently using, invented a new service full of things that seemed good, and left out everything that seemed bad. Are there any deceptive, creepy, or harmful features that exist in Slack because they already exist in other products? Not that I can think of. Someone please tell me if I’m wrong. Heck, Slack doesn’t even have read receipts! And it would be easy to design them ethically within Slack if they wanted to.

Either Rahul thinks email apps should be able to spy on recipients’ behavior without their knowledge or permission, or he doesn’t think they should — but he’s doing it anyway because other bad actors do. Neither of these represents the standard we should hold our entrepreneurs to… especially those we point to as models for great design and great leadership.

The other thing that’s been bugging me is that Superhuman’s other co-founder, Vivek Sodera, has openly compared Superhuman to Apple. See this thread:

Notwithstanding the fact that I believe Google could extinguish Superhuman’s entire existence with the flip of an API access switch, it strains credulity to see how the decision to surreptitiously collect behavioral data on unsuspecting users is Apple-like at all. Vivek is talking here about whether they will license their data out in the future, but still… if you are going to say you are like Apple, then you should at least try and act like Apple. Do I think Apple would ever insert invisible tracking pixels into emails so senders could monitor the actions of recipients without their knowledge or permission? Not in a million years. Do you?

To test my assumptions about how Apple, and in particular Steve Jobs, might approach a problem like this, I asked the only person I know who has worked directly for Jobs, across several decades: Mike Slade. Mike is the founder of ESPN.com, the original product manager of Excel, and worked directly alongside Jobs at both NeXT and Apple. Here’s what Mike said to me:

“Steve was the most consumer-first person I’ve ever worked with. If he didn’t like what the consumer was going to experience, he changed it. This functionality would’ve definitely creeped him out and he would’ve never implemented something as creepy as this.” — Mike Slade

Sadly, we’ll never know for sure, but this makes sense. Jobs used to talk a lot about the importance of taste in product development. That is exactly the concept that is missing here.

You just raised $36m so you could build a product for the long term. You think tracking pixels in emails are even going to be around in a few years? Differentiate yourselves from your competitors by giving a shit about privacy. Think Different.

To show you how this might work, I’ve taken the liberty of redesigning your sales pitch for you. Here is how you currently describe Read Receipts on your front page:

Now here’s how it would look if you decided to take a stand on privacy and protect people from both tracking and being tracked:

I feel like I am doing an unusual amount of free work here. THIS is the sort of morality I want to see in enterprise software. It’s funny, one of the things people like to talk about is how the iPhone kicked off “the consumerization of enterprise software”. Meaning, because the iPhone set the bar so high for how consumers experience digital products, all enterprise software eventually rose to meet this bar. If we can now expect our enterprise apps to look and feel as nice as our consumer apps, why can’t we also expect them to behave as nice?

To harken back again to the tao of Steve: “Design is how it works.”

Alright, that’s all I have on the subject of Superhuman specifically. Take my advice or leave it. It’s your company.

A couple of more things before I go. One of the valid criticisms of my article from last week is that I didn’t call out any of the various other companies that enable email spying. This is fair. I frankly didn’t know about most of them, since I don’t use email tracking myself. For instance, I had heard of Mixmax but thought it was just an extension which let people book time on your calendar (it does this too). I am more than happy to name the names of every company who does this. From Rahul’s post, that looks like Mixmax, Yesware, Streak, Mailtrack, and HubSpot (whose founder is a Superhuman investor). There are probably others too. To all of you: what you are enabling is bad and you should feel bad about enabling it. None of you pitch yourself as a well-designed email client so you avoided attention in my first post, but isn’t there a way for you to operate your business without enabling your customers to spy on their customers? Mixmax, you have that useful calendar thing. Is that not enough? HubSpot, Streak, and Yesware, you offer a bunch of services that are unrelated to this. Mailtrack, welp… this seems like pretty much all you do from what I can tell.

Is this stuff even useful in a material way? If you send someone an email and they don’t respond, you can either let it go or reach out again. Does knowing whether someone read it really change what you’re going to do? On top of that, aren’t we already in a world where you’re getting false positives and false negatives from that data? If I have images off (which, for the love of god, everyone should at this point), you’re seeing that I haven’t read email, when maybe I have. If Gmail or something else is proxying my email images, you might be seeing that I have read email, when maybe I haven’t. The data may be “usually right” because most normals don’t pay attention to this stuff, but how can you be sure? You can’t. This seems like a case of very low value data being collected and distributed in a potentially very harmful way.

To wrap things up, I want to address the final issue brought up from the first article: what are the big three mail platforms (Apple, Microsoft, and Google) doing to protect us? The answer seems to be “some, but not enough”. All three allow users to disable images, but none make that a default. I could make the argument that email should be text-only by default, but I don’t think that’s realistic given the sorts of emails people subscribe to these days (real estate listings, deals of the day, etc). Accepting this, it seems like email providers should use the same sort of filtering they use to keep us safe from malware. If an email with a Mailtrack pixel comes in, for instance, strip it. You’d have to maintain a growing list of these things as they mutate across IP addresses, but it would send a strong signal to the industry that this sort of stuff is on the outs.

Google and possibly also Microsoft could also stop this stuff from the other side: disallow extensions which provide this functionality. You don’t have to kill most of these companies’ entire businesses. Just specifically disallow this behavior.

Because neither of these solutions stops companies from using large, visible, legit images in their emails to provide the same tracking abilities, the big three should also proxy and cache remote images in email whenever they can. I believe Google already does some sort of this, but it’s unclear to me exactly how obfuscatory it is. I don’t believe either Microsoft or Apple does any of this yet.

This is almost certainly a case of “if you think the solution is easy, you don’t understand the problem”, so I recognize there’s a lot of implementation complexity I’m missing here. I guess I would just like to see all of these companies do everything they can to protect the majority of the world, who — unless they were paying attention last week — still doesn’t know they are naked with their curtains open for all people using spyware pixels to see.

Perhaps if the big platforms aren’t able to sufficiently protect people, the last resort is the law. I’m not a COPPA or GDPR expert, but it seems crazy that collecting information via a website about someone under 13 without parental consent is illegal, but providing software that can automatically track that child’s movements when they open an email is not.

This whole thing may already be advancing through the legal system, as just a few days ago, the British Information Commissioner’s Office issued guidelines requiring consent and transparency for email tracking pixels. If ethics can’t keep companies from doing these sorts of things, maybe fines can.

It seems to me we’ve still got a lot of work to do here to keep people safe. Until that work is done, the best way to stay safe is to follow the same two pieces of advice from my previous article:

Don’t use Superhuman yourself. They have not given a date for when they will protect you from other people’s tracking pixels and they have not shown a proper appreciation for privacy. Remember, when Superhuman says “you can turn it off”, that only means you can stop sending your own tracking pixels out. Turn off remote image loading in whatever email client you use. You may also want to consider using an always-on VPN to keep your location from ever being revealed.

Thank you for reading this. Stay safe out there.