Last week, Mike Davidson wrote a viral blog post on how Superhuman, the email startup, is spying on its users through a default, built-in email open tracking feature that also shares the recipient's location.
Mike’s post is a really good example of how one feature can be a cool gimmick for some, but super creepy for others. It is also an interesting study on how the changing legal landscape within the tech sector is forcing people to rethink their products and ethics.
On the same day that Mike’s blog post took over my Twitter feed, the British data authorities (ICO) released an updated guide on cookie tracking that classified the type of email tracking Mike criticized Superhuman for as illegal in its current form.
British DPA ICO has published new cookie consent guidance. Says fingerprinting is equivalent to cookie (not surprising). Consent & transparency applies also to e-mail tracking with pixel trackers! #GDPR #ePrivacy https://t.co/CQMEs0wKtQ pic.twitter.com/ENJC038ygE — Lukasz Olejnik (@lukOlejnik) 3 July 2019
I started tweeting about this situation, and a few of the responses argued that we are used to doing email tracking in this way, so why should it be illegal? “Other companies do it, so why give a fuck?”
I don't get it, read receipts have been around in Nylas and Polymail for years. I thought this was quite normal in modern email clients. — Simon Lind (@simonlind) July 3, 2019
Even cool investors, like Christoph Janz, can’t see what all the fuss is about:
My current email signature is:
Not sent from my iPhone. Please excuse brevity nonetheless.
Considering changing it to:
Not sent via Superhuman. So take your time, I’m not getting read receipts.
— Christoph Janz 🅿️9️⃣ (@chrija) 4 July 2019
The thing is that the internet has been a lawless wild west since its inception. Nobody in government, and only a very few tech people, predicted the impact that it would have on our society today. It was fine to have no rules, for a time.
Today, however, the internet is the main communication channel for most people in the West. It’s where the data about all of us lives, from our public social profiles to the most intimate details about you, me and everybody else. That's a completely different beast than the internet back in the mid-90s and, as the internet changes, our laws and ethics must adapt as well.
We, as makers of the modern internet, must step up and actively fight for building products that act in accordance with their impact. We should not always choose to make the cool feature just because the technology enables us to do so. Instead, we should step back more often and think about what impact these features will have on our users' privacy and on our society.
It’s already too late when we are Facebook. We need to have this kind of introspection in our DNA. We need to think of user privacy in the same way we think of UX and design—as something that benefits our users and lets us run a great company.
We have been so slow to adopt proper data ethics that many of us have been overtaken by lawmakers. Just look at the massive impact of GDPR on the tech industry. Yes, there are stupid parts of GDPR, but the core of the law is absolutely needed: Users own their data; users can get data deleted; and you should not send data off to a lot of strangers without the user's consent and without a valid purpose.
Does any of this really sound so bad?
If you think so, then it’s time to reset your moral compass.