Update: Added response from Rahul Vohra, CEO of Superhuman.
Last week, in a blog post, Mike Davidson, the former VP of design at Twitter and founder of Newsvine, questioned the ethics and responsibility of Superhuman, one of Silicon Valley’s most talked-about email apps. He called the app a “surveillance tool” that embeds tracking pixels inside emails sent by its customers.
Superhuman is an email surveillance app that encourages its users to spy on friends and co-workers without their consent. Why the ethics of this matter and what it says about Superhuman as a company. New post on Mike Industries: https://t.co/97LPwhWI7Z
— Mike Davidson (@mikeindustries) July 2, 2019
Superhuman was founded in 2017 by Rahul Vohra with the aim of reinventing the email experience. It is an invitation-only service that costs $30/month and is mainly targeted at business users. Last month, the startup raised a $33 million investment round led by Mr. Andreessen’s firm, Andreessen Horowitz, and it is now valued at $260 million.
Read more here: https://t.co/JMLUweaXes
— Superhuman (@Superhuman) June 27, 2019
“Superhuman teaches its users to surveil by default”
The email app bundles many modern features like snoozing, scheduling, undo send, insights from social networks, and more. The feature that Davidson talked about was “Read Receipts”, a common opt-in feature in many messaging and email clients that indicates the read/unread status.
Davidson highlights that Superhuman gives you this read/unread status in a very detailed way. It allows sending and receiving emails embedded with a tracking pixel, which is a small, hidden image in an email. When the recipient clicks on the email, the image reports back, producing a running log of every single time the recipient has opened the mail, including their location, regardless of the email client the recipient is using. The worst part is that it is on by default, and many users do not bother to change the default settings.
Here’s a log that Davidson shared in his post:
Source: Mike Davidson’s blog post
What do people think of this feature?
Many people felt that sharing the number of times an email was read, the geolocation of the recipient, and other information is intrusive and violates user privacy. In his post, Davidson talked about several “bad things” people can do using this technology that the developers might not even have intended. Some users agreed with this and pointed out that sharing such personal information can prove to be very dangerous for the recipients.
In addition to the application for stalkers & predators, it also violates another online safety rule: don't announce to the public (or strangers) that you're away from home. https://t.co/9F21ut9wg3
— (((Liora))) (@liora_) July 2, 2019
Others gave the rationale that many email clients are doing the same thing including Gmail, Apple Mail, and Outlook. Embedding tracking pixels in an email is also very commonly used by email marketing platforms.
There are literally hundreds of email open tracking applications. Mailchimp, Mailjet, Sendgrid for enterprise, Mixmax, Salesloft, Mailtracker for consumers.
I’d guess 50% of the emails you receive already have them. Probably more.
— Nick Abouzeid (@nickabouzeid) June 27, 2019
Practically every marketing email you’ve received has this too.
— ben.js (@bentruyman) July 2, 2019
If I may: it’s not just Superhuman, or marketing & sales emails—it’s every spam, scam, phishing hook, malware, and bad actor in the world. In short, if you leave “load remote images” turned on in your email client, you’re very naive and Superhuman the least of your concerns.
— Cʜʀɪsᴛᴏᴘʜᴇʀ Gʀᴀʏsᴏɴ (@chrisgrayson) July 3, 2019
As a response to this, Davidson rightly said, “The main point here is: just because technology is being used unethically by others does not mean you should use it unethically yourself. Harmful pesticides have also been around for years. That doesn’t mean you should use them yourself.”
Davidson further explained what making such unethical decisions means for a company in the long run. In the early days of a company, there are no set principles for its people to make decisions by. It is basically what the founders think is right for the company. At that time, every decision that you make, whether it is good or bad, becomes part of the foundation of what Davidson calls the “decision genome”. He adds, “With each decision a company makes, its “decision genome” is established and subsequently hardened.”
He says the decisions that seem small in the beginning actually become the basis of many other big decisions you will make in the future. This will ultimately affect your company’s ethical trajectory. “The point here is that companies decide early on what sort of companies they will end up being. The company they may want to be is often written in things like “core values” that are displayed in lunch rooms and employee handbooks, but the company they will be is a product of the actual decisions they make — especially the tough decisions,” he adds.
Many agreed with the point Davidson makes here, and think that it is not limited to a single company but in fact applies to the entire ecosystem. David Heinemeier Hansson, the creator of Ruby on Rails, believes that Silicon Valley especially is in serious need of recalibration.
"Davidson’s point about the ethical trajectory of a company is spot on. But it goes even further than the single company. There’s an ethical trajectory of a whole ecosystem, and the one in Silicon Valley is in need of some serious recalibration", https://t.co/BIHhp4i4hX
— DHH (@dhh) July 3, 2019
What can be some possible solutions
One workaround can be disabling images in email by default since the tracking pixels are sent as images. However, Superhuman does not even allow that. “Superhuman doesn’t even let its own customers turn images off. So merely by using Superhuman, you are vulnerable to the exact same spying that Superhuman enables you to do to others,” Davidson mentions.
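The workaround described above, sketched as an added example (it is not code from Davidson's post or from Superhuman): a mail client or filter drops every remote `<img>` before rendering, so no request ever reaches the sender's server. The 1x1/hidden check is only a labelling heuristic, since a full-size remote image can record opens just as well; the sample message, its addresses and its image URLs are constructed.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message: the addresses and image URLs are made up.
SAMPLE_EMAIL = """\
From: sender@example.com
Subject: Quick question
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Did you get a chance to look at the proposal?</p>
<img src="cid:logo123" width="120" height="40" alt="logo">
<img src="https://tracker.example/open/abc123.gif" width="1" height="1" alt="">
<img src="https://cdn.example/banner.png" width="600" height="80">
</body></html>
"""

REMOTE = re.compile(r"^(https?:)?//", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class ImageBlocker(HTMLParser):
    """Re-emits tags and text, dropping every remote <img> (and comments/doctype)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if tag == "img" and REMOTE.match(src):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.blocked.append((src, tiny or bool(HIDDEN.search(a.get("style", "")))))
            return  # tag is not emitted, so the client never fetches the URL
        self.out.append(self.get_starttag_text())
    handle_startendtag = handle_starttag  # treat <img .../> like <img ...>
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def block_remote_images(raw_email):
    """Return (sanitised_html, [(url, looks_like_tracking_pixel), ...])."""
    msg = message_from_string(raw_email, policy=default)
    part = msg.get_body(preferencelist=("html",))
    blocker = ImageBlocker()
    blocker.feed(part.get_content() if part else "")
    blocker.close()
    return "".join(blocker.out), blocker.blocked
```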
The next step for Superhuman, Davidson suggests, is to apologize and remove this feature. He further recommends that Superhuman should, in fact, protect its users from emails that have tracking pixels. Another mitigation he suggests is to add a “Sent via Superhuman” signature so that the receiver is aware that their data will be sent to the sender.
A good ethics test for investors, employees & users of Superhuman. If you use SH’s default spyware behavior, you should be willing to change your signature to this:
– Sent via Superhuman. Every time you open this email, the time and your location are sent to me.
— Mike Davidson (@mikeindustries) June 27, 2019
If these do not suffice, Davidson gave a harsh suggestion: publicly posting surveilled emails on Twitter or other websites:
Imagine if every time you tried to violate someone's privacy by sending them a surveilled email via Superhuman, your email was automatically published publicly to Twitter or another website. Could script this easily. Probably too harsh, but interesting to think about.
— Mike Davidson (@mikeindustries) June 27, 2019
How Superhuman has responded to this criticism
Yesterday, Rahul Vohra, the CEO of Superhuman, responded that the company understands the severity of sharing such personal information, especially the state or country level location. He further shared what steps the company is taking to address the concerns raised against the feature.
He listed the following changes:
- We have stopped logging location information for new email, effective immediately.
- We are releasing new app versions today that no longer show location information.
- We are deleting all historical location data from our apps.
- We are keeping the read status feature, but turning it off by default. Users who want it will have to explicitly turn it on.
- We are prioritizing building an option to disable remote image loading.
Many Twitter users appreciated Vohra’s quick response:
Good response from @rahulvohra here. Some feedback.
Your blog recommends (and links to) certain Google Chrome extensions like PixelBlock.
I'd suggest NOT linking to Chrome extensions unless you are personally vouching for them. The Chrome ecosystem is rife with bad actors. 1/ https://t.co/WxlBHEctWR
— Chad Loder ✸ (@chadloder) July 3, 2019
As usual showing what a true inspired CEO you are. Your reaction to the difficult public criticism you were somewhat unfairly dealt (not in terms of content and depth of thinking – but forum) is exemplary. Go @Superhuman.
— Yuval Brisker (@yuvalb) July 3, 2019
A thoughtful response to a very complicated, nuanced, and difficult problem to solve! I can only imagine the all-hands-on-deck situation this caused internally and the amount of thought/effort put into this response by the whole team. Well done! 👏👏👏
— Kenny Mendes (@kmendes) July 3, 2019
Read Davidson’s post for more details.