What is it about?

We created 150 fresh accounts on today’s most-downloaded websites and mobile apps, opted out of marketing during sign-up, and then quietly watched every message that landed in those inboxes for a full year. In total we logged 4,847 emails. None came from shady, unknown spammers, but the companies themselves (or their authorized email vendors) still sent a steady stream of promotional and “CRM” messages even after we’d said “no thanks.” Our study maps who is really sending those messages, how often they arrive, and which third-party services (Salesforce, Mailgun, SendGrid, etc.) do the heavy lifting behind the scenes.


Why is it important?

Cuts through the hype. People often assume their address is instantly bought and sold. We show that simple opt-outs largely stop unknown spam, but not the relentless in-house marketing that clutters inboxes.

First “inbox-side” audit at scale. Prior work focused on single brands or public breach data; our 12-month, 150-service audit gives regulators and consumers a panoramic view of post-GDPR/CCPA practices.

Actionable framework. The catch-all inbox plus automatic SPF/DKIM checks can be reused to monitor new apps in real time, flagging future leaks or policy violations early.

Policy leverage. Because 63% of all messages flowed through just ten email vendors, regulators can focus on a small number of infrastructure providers rather than thousands of brands.
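As an added example (not code from the paper or its authors), here is a small Python auditor in the spirit of the catch-all inbox framework described above. It parses messages from the audit inbox, reads the SPF/DKIM verdicts the receiving mail server recorded in the Authentication-Results header, attributes each message to a third-party vendor by its bounce or signing domain, and flags messages that fail authentication or that reach a sign-up alias from a domain that alias was never given to. The alias registry, vendor domain suffixes and sample messages are constructed assumptions for illustration, not the paper's data.

```python
"""Attribute catch-all inbox traffic to sending vendors and flag anomalies.

Added example for this summary; not code from the paper or its authors.
Assumes: each service received its own alias at sign-up, messages are
available as RFC 5322 text, and the receiving MX already appended an
Authentication-Results header. Registry, vendor suffixes and samples are
constructed for illustration.
"""
import re
from collections import Counter
from email import message_from_string, policy

# Hypothetical alias registry: alias handed to each service at sign-up and the
# domain that service is expected to mail from.
ALIAS_REGISTRY = {
    "signup-brand-a@catchall.example": "brand-a.example",
    "signup-brand-b@catchall.example": "brand-b.example",
}

# Hypothetical vendor map: bounce/signing domains of third-party e-mail
# vendors. These suffixes are assumptions, not the paper's list.
VENDOR_DOMAINS = {
    "sendgrid.net": "SendGrid",
    "mailgun.org": "Mailgun",
    "exacttarget.com": "Salesforce Marketing Cloud",
}

AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)")
MAILFROM = re.compile(r"smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)")


def same_org(domain: str, org: str) -> bool:
    """True if domain equals org or is a subdomain of it."""
    domain, org = domain.lower(), org.lower()
    return domain == org or domain.endswith("." + org)


def vendor_for(domain: str) -> str:
    """Map a bounce or DKIM signing domain to a known vendor, else ''."""
    for suffix, name in VENDOR_DOMAINS.items():
        if domain and same_org(domain, suffix):
            return name
    return ""


def classify(raw: str) -> dict:
    """Extract sender attribution and anomaly flags from one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(AUTH_VERDICT.findall(auth))  # e.g. {'spf': 'pass', 'dkim': 'pass'}
    m = DKIM_DOMAIN.search(auth)
    dkim_domain = m.group(1) if m else ""
    m = MAILFROM.search(auth)
    mailfrom_domain = m.group(1) if m else ""
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    to_hdr = msg["To"]
    alias = to_hdr.addresses[0].addr_spec.lower() if to_hdr and to_hdr.addresses else ""
    expected_org = ALIAS_REGISTRY.get(alias)

    flags = []
    if verdicts.get("spf") != "pass" and verdicts.get("dkim") != "pass":
        flags.append("auth_failed")           # neither mechanism vouches for the sender
    if expected_org is None:
        flags.append("unregistered_alias")    # mail to an alias we never handed out
    elif not same_org(from_domain, expected_org):
        flags.append("unexpected_sender")     # alias reached a party it was not given to

    # Attribute by the bounce domain first (ESP infrastructure), then by the DKIM
    # signing domain; anything else is treated as sent in-house.
    vendor = vendor_for(mailfrom_domain) or vendor_for(dkim_domain) or "in-house/unknown"
    return {"alias": alias, "from_domain": from_domain, "dkim_domain": dkim_domain,
            "mailfrom_domain": mailfrom_domain, "vendor": vendor, "flags": flags}


def audit(raws):
    """Classify every message; return records, per-vendor counts, flagged ones."""
    records = [classify(r) for r in raws]
    by_vendor = Counter(r["vendor"] for r in records)
    flagged = [r for r in records if r["flags"]]
    return records, by_vendor, flagged


# Constructed sample messages (not real traffic); selectors are placeholders.
SAMPLES = [
    "Authentication-Results: mx.catchall.example;\n"
    " spf=pass smtp.mailfrom=bounces+1@em.sendgrid.net;\n"
    " dkim=pass header.d=brand-a.example header.s=s1; dmarc=pass\n"
    "From: Brand A <news@brand-a.example>\n"
    "To: signup-brand-a@catchall.example\n"
    "Subject: This week's offers\n\nHi there\n",
    "Authentication-Results: mx.catchall.example;\n"
    " spf=pass smtp.mailfrom=promo@brand-b.example;\n"
    " dkim=pass header.d=brand-b.example header.s=mail; dmarc=pass\n"
    "From: promo@brand-b.example\n"
    "To: signup-brand-b@catchall.example\n"
    "Subject: New arrivals\n\nHello\n",
    "Authentication-Results: mx.catchall.example;\n"
    " spf=pass smtp.mailfrom=bounce+2@mailgun.org;\n"
    " dkim=pass header.d=other-shop.example header.s=k1\n"
    "From: Other Shop <deals@other-shop.example>\n"
    "To: signup-brand-a@catchall.example\n"
    "Subject: Welcome\n\nHi\n",
    "Authentication-Results: mx.catchall.example;\n"
    " spf=fail smtp.mailfrom=promo@brand-b.example; dkim=none\n"
    "From: promo@brand-b.example\n"
    "To: signup-brand-b@catchall.example\n"
    "Subject: Account notice\n\nHi\n",
]

if __name__ == "__main__":
    records, by_vendor, flagged = audit(SAMPLES)
    print("messages per vendor:", dict(by_vendor))
    for r in flagged:
        print("FLAG", r["flags"], r["alias"], "<-", r["from_domain"], "via", r["vendor"])
```

One design point worth noting: the script trusts the Authentication-Results header, so it only makes sense on an inbox whose own MX adds that header and strips any copies arriving from upstream (the authserv-id at the start of the header identifies which server wrote it). A production auditor would also verify DKIM signatures itself and, because ESPs frequently sign with a customer subdomain rather than their own domain, would supplement the domain map with the sending IP ranges or Received-chain hostnames of each vendor.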

Perspectives

Watching the inbox fill up day after day was eye-opening. I expected to uncover a shadowy spam ring, yet the bigger problem was respectable brands that kept sending promotions after a clear opt-out. That experience undermined my confidence in email as a channel where user consent truly matters. The protocol still puts senders in control, and patches like SPF, DKIM, and DMARC do little to protect privacy or limit profiling. I now believe sensitive communication belongs on platforms built around end-to-end encryption, explicit consent flows, and data minimisation from the start. Until those alternatives are mainstream, our measurement framework and open dataset give users and watchdogs a concrete way to hold companies accountable.

Scott Seidenberger
University of Oklahoma

Read the Original

This page is a summary of: Why You've Got Mail: Evaluating Inbox Privacy Implications of Email Marketing Practices in Online Apps and Services, June 2024, ACM (Association for Computing Machinery),
DOI: 10.1145/3714393.3726516.
You can read the full text via the DOI above.
