Unknown hackers are breaking into the accounts of people who have AT&T email addresses, and using that access to then hack into the victim’s cryptocurrency exchange’s accounts and steal their crypto, TechCrunch has learned.
At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals have found a way to hack into the email addresses of anyone who has an att.net, sbcglobal.net, bellsouth.net, and other AT&T email addresses.
According to the tipster, the hackers are able to do that because they have access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.
With a target’s mail key, the hackers can use an email app to log into the target’s account and start resetting passwords for more lucrative services, such as cryptocurrency exchanges. At that point it’s game over for the victim, as the hackers can then reset the victim’s Coinbase or Gemini account password via email.
The tipster provided a list of alleged victims. Two of the victims replied, confirming that they have been hacked.
AT&T spokesperson Jim Kimberly said that the company “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”
“We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts,” the spokesperson said.
AT&T declined to say how many people have been hit in this wave of hacks. But the company, “as a precaution,” has locked some email accounts, forcing their owners to reset their passwords.
“This process wiped out any secure mail keys that had been created,” the spokesperson added.
One victim told TechCrunch that hackers stole $134,000 dollars from his Coinbase account. The second victim said that “it has been happening repeatedly since November 2022 — probably 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly login to my [AT&T] site and delete their key and create a new one.”
“Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these outlook login keys,” the victim added.
Also, several people with AT&T and other related email addresses said on Reddit that they have been hacked.
“Hello, my email was compromised back in March of this year and I have done everything I can to reset password, security questions, etc but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote. “They would even delete the email notification so I don’t see it but I recently changed to another email for profile updates so they don’t have access. This sounds like someone still has access to my account but how?”
Another person wrote: “I’ve had the same issue for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created somehow.”
The tipster claims that the hackers can”’reset any” AT&T email account, and that they have made between $15 and $20 million in stolen crypto. (TechCrunch could not independently verify the tipster’s claim.)
TechCrunch has seen a screenshot apparently coming from a Telegram group chat, where one of the hackers claims that the gand “have the entire AT&T employee database,” which allows them to access an internal AT&T portal for employees called OPUS.
“Only thing we are missing is a certificate, which is the last key to accessing the [AT&T] VPN servers,” the hacker wrote in the Telegram channel, according to the screenshot
The tipster said that the gang now has access to AT&T’s internal VPN.
Kimberly, the AT&T’s spokesperson, denied that the hackers had any access to internal company systems. “There was no intrusion into any system for this exploit. The bad actors used an API access.”
Do you have more information about these hacks against AT&T email users? Or other similar hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email email@example.com. You can also contact TechCrunch via SecureDrop.
Hackers are breaking into AT&T email accounts to steal cryptocurrency by Lorenzo Franceschi-Bicchierai originally published on TechCrunch
Email inboxes are tricky tools because over time they become hard to manage and users have to spend a lot of time searching for what they are trying to find. And if you have been using one email address everywhere, it’s also painful to change that at a later stage. Email tools often fail to identify different kinds of emails and group them properly. India-based startup Flash is attempting to solve it by creating a solution (read email ID) that you can use for all e-commerce needs — and it will even reward you to use the service.
Flash — which is available on both iOS and Android — lets you create an email ID (with @flash.co domain) that you can use on all shopping platforms, and in return, earn rewards such as coupons and cashback. Once you download the app from the Play Store or the App Store, you can sign up with a new email ID and use it across all platforms to shop for things. After placing an order, you can also track multiple shipments from within the app.
The inbox is divided into two parts: Handpicked and Others. The Handpicked inbox has important emails such as order delivery updates and sign-up verifications while the Other section carries promotional emails. In my usage in the last few weeks, I noticed that some sign-up/verification emails ended up in the Other inbox. The startup said it is still ironing out its filtering algorithm to avoid that.
Flash’s email inbox is rudimentary at this moment. You can only forward or reply to emails. Flash said that next month, users will have features like archive, auto-forward, and flags.
Apart from creating a new inbox for e-commerce, the app also lets you connect with your Gmail inbox. This allows the app to build a summary of your orders in the last 12 months and show a report of your e-commerce expenses. Plus, the app also fetches orders for shipment tracking from your Gmail account.
Almost all e-commerce and payment services in India have offered some kind of reward to users to boost engagement and retention. Flash has a couple of types of rewards up its sleeve, too. First, it provides cashback on its own for completing certain orders or signing up for some services with a @flash.co email address.
It also has special coupons through brand collaborations with Walmart-owned Myntra, Puma, pharmacy platform Pharmeasy, and Warburg Pincus-backed electronics brand Boat. Discount coupons are standard practice in the Indian e-commerce market. Google Pay, Paytm, and Tiger Global-backed Cred offer a ton of these coupons in different shapes and forms. But often they have a lot of caveats attached to them.
Flash is also providing rewards for certain “streaks” — shopping several times through a certain brand or placing orders across a particular category in a defined time period. This will let users earn a mix of rewards from Flash and brands both. The startup provides 1 Flash coin to 1 rupee conversion for rewards. Users can deposit money directly into their bank accounts by linking their UPI (Unified Payment Infercae) IDs — which is India’s indigenous payment network.
Flash was founded by Ranjith Boyanapalli, a former Flipkart executive, in April last year. The company raised $5.8 million in seed funding in November from a bunch of investors including Global Founders Capital (GFC), White Venture Capital, and Zinal Growth with participation from the likes of Flipkart founder Binny Bansal, Cred’s Kunal Shah, Udaan’s Sujeet Kumar and Groww’s Lalit Keshre.
Before starting Flash Boyanapalli was a senior VP at Walmart-owned Flipkart and managed the company’s fintech and payment verticals there. In a call with TechCrunch, he said there’s a huge value in leveraging the data of online shoppers by making use of it to provide value to consumers. Flash’s idea is rooted in taking advantage of cross-merchant data intelligence through a single email ID, he said.
“We are targeting around 25 million power shoppers in India who shop from multiple merchants every year and have a major contribution in terms of market spend in the country’s e-commerce market,” Boyanapalli said.
One of the challenges these shoppers face is excessive spamming of inboxes by different merchants, he said. Plus, it’s hard to track orders through emails. Notably, Gmail has rolled out order tracking capabilities, but it’s limited to certain geographies for now. For brands, it’s harder to engage customers as they are bombarded with coupons, which results in lower conversion rates. Boyanapalli said Flash is trying to solve all these problems through one app.
There are plenty of e-commerce apps in both India and the US that offer either order tracking or rewards including Shopify’s Shop app, Groupon, and Cashkaro. But Flash believes that it has an advantage because it brings all of these functions together in one app.
India’s e-commerce market is set to double in size to over $130 billion by 2025, according to Bernstein, and the startup is trying to target people who will contribute most to those figures. But the vast majority of those people make purchases through Amazon India and Flipkart, services that currently are not playing ball with Flash for any rewards program.
After this launch, Flash is focused on rolling out features such as monthly reports, inbox search, email labeling, archiving, and auto-forwarding in the next few months. The company is also building its own “Login with Flash” authentication mechanism that e-commerce partners can integrate into their service.
Apart from feature rollouts, the startup is also thinking about category expansion by tuning its product for travel and OTT (Over the air) services purchases. So in the future, the app could let you manage all your tickets and subscriptions. Flash is also gearing up to launch its offerings in the US this year, where the e-commerce market is much bigger than that of India — both in terms of high-value shoppers and gross revenue.
Ex-Flipkart exec’s Flash app wants to be an inbox for your e-commerce needs by Ivan Mehta originally published on TechCrunch
Last year, a bunch of Google executives launched an email app called Shortwave, which aimed to fill in the gap left by the search giant’s Inbox app. Now, the company has introduced an AI-powered summary feature so you don’t have to read long emails or threads to get the gist.
The feature — powered by OpenAI’s GPT-3 — is available on all platforms in beta for free. The company says the summary also works well when translating emails from other languages. Shortwave has tested the feature on different kinds of use cases ranging from skimming over a newsletter to looking at a large number of emails in a short time.
What’s more, the company says that users can include a summary of a previous message while forwarding an email. Others can read this summary to get the context of the conversation quickly even if they don’t use Shortwave.
The startup plans to introduce more AI-powered functions in the future including more summarization methods and smart composing. It also wants to introduce a semantic search that allows users to search for phrases like “What time does my flight take off next Tuesday?”.
“The new capabilities of large language models have swung the door wide open for new ways to interact with your inbox. At Shortwave, we aim to pave the way towards an AI-enabled email future, starting with Smart Summaries, launching today in beta,” it said in a blog post.
Shortwave said that going forward free users will have some amount of access to these AI-powered features. However, the company is still evaluating its pricing strategy during the summary feature’s test phase.
While Shortwave is free for basic usage, it offers a subscription for $9 per month for power users and custom plans for teams as well. Apart from AI-powered features, Shortwave offers better categorization than Gmail, email grouping based on time, mentioning teammates, pinned emails, and support for emoji and GIF responses. The app treats emails as items in a to-do list, so you can snooze them or mark them as done.
Generating summaries for different kinds of media formats is a big use case for large language models. Last month, transcription company Otter launched a bot that automatically summarizes a meeting. Microsoft’s new AI-powered products like Bing and Edge can also summarize pages and documents. There are also other tools that provide a synopsis from links to YouTube videos and Slack threads to Resumes.
Shortwave email app introduces AI-powered summaries by Ivan Mehta originally published on TechCrunch
Malicious hackers are getting ever more creative with the techniques they use to break into networks to steal data and wreak havoc, but their primary route for opening that door has remained pretty consistent. Email is by far the most popular entry point for setting up and executing phishing, ransomware and other attack vectors, leading to some $2.4 billion in damages in 2021 across business email interactions in the U.S. alone, according a report last year from the FBI.
Today a startup called Sublime Security is emerging from stealth with a novel, collective approach for tackling that problem: it has built a platform, and domain-specific language (DSL), for researchers and security operations people — those defending networks — to write, run and share rules with each other for detecting and blocking the wide range of threats most (and least) commonly delivered via email.
The Washington, DC-based startup has been operating in private beta for over one year, and in that time it’s picked up a number of large multinational customers ranging from government organizations through to companies like Spotify — along with a waiting list of 2,500 others. Now, as it moves into general availability it’s also announcing funding of $9.8 million.
Decibel is leading the round, with Slow Ventures and a number of individuals in the world of cybersecurity participating, including Sounil Yu (the Cyber Defense Matrix and DIE Triad creator); Snort and Sourcefire creator Martin Roesch; veteran CISOs Jerry Perullo and Michael Sutton; Demisto founders Rishi Bhargava and Slavik Markovich; Lookout founder Kevin Patrick Mahaffey; and Phantom Cyber and Pangea founder Oliver Friedrichs.
Sublime covers vectors like malware, ransomware, credential phishing, VIP impersonation and callback phishing. Its code can be applied to Microsoft 365 and Google Workspace enterprise mail systems, as well as run on individual accounts via IMAP. And in addition to its most basic use — inbound email security — Sublime can be used to gather and analyse trends in threats to an organization, block entire domains, run security exercises for compliance and training, and more.
Joshua Kamdjou, who co-founded Sublime with Ian Thiel, said in an interview that he first got the idea for the startup based on work he was doing for the Department of Defense, where he started working as a ‘white hat’ hacker when he was still in high school.
There, he got closely acquainted with the techniques that malicious hackers were using with phishing emails.
“Attackers are constantly coming up with new ways of bypassing defenses,” he said, the problem being that most of those defenses are based around security parameters set up by single security vendors, a “black box” approach in his words. When new techniques were applied by hackers, the onus was upon vendors to issue patches and updates to their systems to account for those.
But then new techniques would come up, and so on and so forth, creating lags and gaps in protection. “The vendor is the bottleneck,” he said. In his own testing, Kamdjou would apply a phishing technique one month, and then return a month later, “and the problem would still be there.”
Kamdjou saw an opportunity to build a solution by tapping into the collective knowledge and working practices of developers. Coming from the world of hacking and coding, using services like GitHub to track and contribute to projects was in his DNA. He applied that crowdsourced model to how Sublime would track and grow its own database of threat vectors and approaches.
To be clear, Sublime is not “open source” and Thiel and Kamdjou said they were still deliberating what aspects, if any, they might potentially make open source down the line. But it does borrow from some of that ethos. The Sublime team has written around two-thirds of the rules in Sublime’s database, with one-third contributed by the community, Thiel said.
Individual organizations subsequently make their own calls about how to customize their own email security, which of these rules to apply and which to leave to the side, putting significantly more power into the hands of customers. That’s been of its selling points so far.
“Sublime gives detection teams the chance to take back control of the email inbox,” Dan Nguyen-Huu, a partner at Decibel, said in an interview. “The community-powered DSL means all of its customers are speaking the same language, sharing rules and being able to remediate better,” he said. “It means they can unite to fight the common enemy.” The approach it takes is unique in the market, he added.
“Defenders know their networks better than anyone, but we weren’t arming them as a community,” Kamdjou said. It’s also how many other security products not associated with email work. YARA for binaries, Sigma/EQL for logs, Snort/Suricata for networks, osquery/EDR for endpoint, Semgrep for static analysis are some of the examples Kamdjou cited.
Interestingly, the number of contributors so far has been only a small fraction of the total number of users that Sublime currently has.
“It’s kind of like Twitter,” Kamdjou said. “Most don’t Tweet, just read, and it looks like our model will be similar with only a small number writing rules and the rest finding those useful.”
Twitter is an apt analogy for another reason: Thiel said that Sublime has largely growth by word of mouth, and a lot of those words have been exchanged on that particular social platform. “Infosec lives on Twitter,” he said.
With new tools like generative AI representing potential ways to increase the volume of more sophisticated and convincing emails, you can see why and where it would make sense to speed up how end users themselves might be able to identify and respond to these threats. That might lead to more contributors, and more Sublime use, over time; what will be interesting to watch is how and if AI models start to get applied to the generation of more defenses, too.
Years ago, Will Allred and William Ballance were developing a tech platform, Sorter, to apply personality and communication psychology to marketing campaigns. Just as Sorter was heading to market, the pandemic hit — and marketing budgets froze. With a week of funding left, Allred and Ballance pivoted, repackaging their tech to work in Gmail in what they thought would be a brief detour to Sorter’s launch.
But users liked the repackaged product — and so did investors. So Sorter became Lavender, an AI-powered sale email coaching platform.
Lavender integrates with email providers to serve up context on a sales prospect and suggest ways to optimize the message to get a reply. Showing that there’s money in the idea, the company today announced that it raised $13.2 million across a Series A round led Norwest Venture Partners with participation from Signia Venture Partners and a seed round led by Signia with contributions from CapitalX, Position Ventures and various angel investors.
“By combining deep learning on email data with communication and behavioral psychology, Lavender’s AI writing assistant identifies and implements ways to increase reply rates,” Ballance told TechCrunch in an email interview. “In today’s climate, teams have to do more with less. While sales team sizes shrink due to layoffs, teams use Lavender to make each rep more effective and efficient.”
Lavender’s product is made up of three different components: a sales email coach, a “personalization assistant” and an email intelligence and coaching portal. The email tools provide research material (e.g. news and updates, funding stats, job listings, events, tweets and more) on recipients and can automatically create drafts from that research (à la ChatGPT), or simply generate a few bullet points to work within a preexisting email thread. As an email’s written, Lavender scores it in real time, suggesting improvements in specific areas.
“Writing a ‘better email’ is a four-step process — research, create, edit and learn — and our product helps across all four,” Ballance said. “Instead of automating, we help users write effective personalized emails faster. The AI works alongside them, but doesn’t replace them.”
Lavender’s aforementioned learning portal, meanwhile, aggregates and analyzes email activity, highlighting areas in need of improvement. Managers using Lavender can see which email templates are working versus which aren’t for instance, as well as metrics like individual email scores, open rates, reply rates and writing time.
Lavender also detects “at-risk” reps that may need additional support or coaching to meet certain goals. That’s not a feature likely to thrill every rep, particularly those who value their own processes and privacy. But Ballance makes the case that it’s a net good where an organization’s sales are at stake.
“Sales teams have become too focused on optimizing for efficiency and automation. This forced optimization has left buyers with a bad impression of sellers, because they feel as if they’re just a number,” he said. “Sales needs to go back to building real relationships — not automation and spam. Lavender makes real personalized emails faster for our users.”
While Lavender isn’t the only firm applying automation to the marketing and sales outreach segment, it’s certainly benefiting from the general boom time. According to a 2022 report from Ascend2 and Research Partners, 69% of marketers say that their overall customer journey is partially or mostly automated while 9% say that theirs is fully automated. The same report found that nearly a third — 31% — of marketing professionals planned to purchase a marketing automation solution in the next 12 months.
Lavender’s rivals include Sellscale, which similarly uses generative AI to write marketing emails, and marketing automation startup Klaviyo, which received a large investment from Shopify last August. (Ballance sees Jasper and Regie as competitors, too; both leverage text-generating AI for marketing copy drafting.) Lavender has a respectable customer base, though, totaling around 11,000 sellers at organizations including Twilio, Segment, Sendoso, Sharebite and Clari.
“We built for nearly two more years before raising venture capital,” Ballance said, declining to answer a question about recurring revenue. “Lavender is well-capitalized to continue building in the current market.
Lavender’s team recently grew to 16 employees, up from six in Q4 2022. Ballance says that the startup — which has raised $14.2 million in total to date — will continue to expand and fill “key roles” throughout the rest of the year.
Lavender lands $13.2M for its AI-powered email marketing engine by Kyle Wiggers originally published on TechCrunch
It’s a long weekend here in the United States, meaning office workers, at least, get a three-day break from the dreaded meeting. We wanted to take this time to offer up an impassioned defense of … email.
Hear us out. It’s conventional wisdom that meetings are killers of productivity and morale and happy work environments. So why not write an email?
We know email has its drawbacks, too — it’s hard to manage and riddled with spam. But as work moves ever more online, it’s superior to meetings. Two inbox zeroers and one Chaos Muppet drowning in notifications — see if you can guess who’s who! — tell you why.
Ram Iyer: Do you love meetings, or do you just hate writing?
Back when I used to smoke, I also used to work at a publication that had frequent and immensely unproductive meetings. Most of our team of over 20 people would just sit by quietly for an hour while someone droned on about something.
If you’re counting the person-hours wasted, each of those meetings wasted an average of 20 hours that could have been spent doing actual work. They were unnecessarily stressful, too: I found myself desperately wanting to smoke after every single meeting, and I wasn’t alone.
Thankfully, that hasn’t always been the case. I’ve been fortunate to mostly have worked in companies that fostered a culture of just communicating via email or messaging. But in hearing my friends and ex-colleagues complain about work over the past couple of years, I noticed a trend: As the pandemic sent everyone home, meetings became ever more frequent to the point that people found them getting in the way of their work.
I’ve asked this question often over the past couple of years: If it can be an email, why isn’t it? Why are people so driven to speak when they could write an email and save everyone’s time?
I think I finally have a theory.
OneSignal, a platform that powers notifications for mobile apps and more, today announced that it raised $50 million in a Series C round led by BAM Elevate with participation from SignalFire and other existing investors. The infusion brings OneSignal’s total raised to $80 million and will be used to make investments in machine learning, geographic expansion, and growing OneSignal’s team (from 140 employees to 170) by the end of the year.
Beginning as a mobile game studio, OneSignal pivoted to customer engagement when co-founder and CEO George Deglin saw an opportunity to address a perennial challenge in app development: creating an effective push notification pipeline.
“There is a huge shift happening in the mobile app industry. Technology and regulatory changes have made advertising less effective and more expensive by making it harder to target ads on platforms like Facebook. As a result, companies are shifting their focus from paid advertising channels like Facebook Ads to ‘owned channels’ like push notifications, emails, and in-app messages,” Deglin told TechCrunch via email. “Despite this recent shift, most of the technology that’s available to help brands engage with users on owned channels was not built for a mobile-centric world.”
By contrast, Deglin asserts, OneSignal is mobile-centric, with tools designed to let businesses automate the delivery of messages across channels, including SMS, email, and app notifications and in-app messages. OneSignal customers can centralize user communications within the platform, customizing their campaigns based on metrics to improve open rates.
There’s truth to the notion that customized, personalized messages can move product. According to a 2021 McKinsey survey, 76% of consumers said that receiving personalized communications was a key factor in prompting their consideration of a brand, while 78% said such content made them more likely to repurchase.
“OneSignal was founded by Long Vo and I in 2015. Long and I were running a Y Combinator-backed game studio but pivoted it into a push notification platform [and then a customer engagement solution] after discovering how hard it was for developers to communicate with their users,” Deglin said. “Prior to their meeting, I was the co-founder and CTO of Uversity, a student engagement platform. Long Vo was co-founder and art director of Gaia Online, an anime-themed social network. We were introduced through a mutual friend who thought we would be great co-founders for each other.”
OneSignal competes with Braze, CleverTap, and Xtremepush, among others. Braze is a publicly traded company, having raised around $175 million when private, while CleverTap most recently bagged $105 million in funding at a $775 million valuation. But Deglin argues that OneSignal differentiates itself by focusing on “intelligent delivery,” or analyzing the time and day users engage with an app and automatically scheduling “re-engagement” campaigns to be delivered based on the historical trends.
“By providing these types of automatic personalizations, OneSignal enables its customers to focus on building great apps and saves them time and guesswork that they would otherwise spend trying to determine the best time or frequency to send their messages,” Deglin added. “Just as smartphones are getting better at making recommendations based on how people use them, OneSignal sees an opportunity to democratize technology for all app developers to optimize their messaging campaigns to provide more personalized experiences to their users.”
Indeed, OneSignal has grown quite large, with over 1.7 million developers and marketers on the platform and roughly 6,000 paying customers. One accelerant has been OneSignal’s freemium plan, Deglin says, which limits certain features but doesn’t cap the number of users or messages that customers can send push notifications to.
“OneSignal has rapidly grown during the pandemic as more businesses recognized the importance of keeping their customers engaged, and increasing retention, with push notifications and emails … The company has also benefited from changes in the advertising ecosystem that have made it more costly to acquire users and, therefore, even more important to maximize user retention,” Deglin said. “OneSignal was well prepared for economic headwinds and has continued to grow quickly while not overspending. This round allows OneSignal to reach profitability while maintaining rapid growth … Efficiency has been a focus for the business and gross margins are over 90%.”
BAM Elevate’s Jamie McGurk, who’s joining OnSignal’s board of directors, told TechCrunch in a statement: “Today’s users expect hyper-personalized, relevant, and timely communication across every touchpoint. Creating a multichannel communication strategy is a must and OneSignal allows you to do this quickly and easily. It’s an honor to join the OneSignal team and I’m looking forward to working with George and the rest of the leadership team to continue on the great progress the company has made.”
Ah, email. Why did you send my friend’s birthday party invite to my spam folder? Why do you make it so easy to archive an email when I don’t even know what that means? Why are you … blue now … Gmail?
Email is a necessary evil. So whenever I hear about startups looking to innovate on the decades-old communication tech, I’m instantly intrigued considering the huge number of potential areas of improvement. Plus, talk about a large TAM!
Startups have taken note. Boomerang launched its email productivity software in 2010, Superhuman has raised $108 million to help users get through their inbox faster since its 2014 launch. Trying to build a better email mousetrap isn’t exactly a novel concept, but could be big business.
I recently received pitches from two new upstarts, both of which launched their email innovations in the last year, that really piqued my interest. Let’s meet them.
Google is facing a fresh privacy complaint in Europe over ads it inserts into its Gmail email service in the guise of emails.
Privacy advocacy group, noyb, has filed the complaint with France’s data protection watchdog, the CNIL, claiming the adtech giant has breached the European Union’s ePrivacy Directive rules on direct marketing by failing to gain consent from Gmail users for the ads it displays inside their inboxes, alongside promotional emails they have actually signed up for.
noyb’s complaint cites a ruling by the EU’s top court last year, in a separate case related to the use of email for direct marketing, which it argues makes it plain that ads which are displayed inside a user’s inbox constitutes “a use of electronic mail for the purposes of direct marketing” — which, under ePrivacy rules, requires user consent. (The Gmail advertising emails only distinguish themselves from genuine emails users have signed up for by the inclusion of an ‘ad’ label and the lack of a date-stamp.)
The complaint asserts that Gmail users did not consent to being spammed with Google’s ads — noting that, under ePrivacy, consent would have needed to be obtained prior to the ads being displayed in their inboxes.
noyb also argues that exceptions set out in relevant EU law do not apply here because Google’s ad emails are not used for the direct marketing of similar products for which consent was previously obtained.
“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” added Romain Robert, lawyer at noyb, in a statement.
Google was contacted for comment on the complaint.
France’s CNIL has been an active regulator of Google on privacy issues, making use of the competency it can exert under ePrivacy — which, unlike the General Data Protection Regulation, does not require cross-border complaints to be funnelled through a lead DPA (in Google’s case, Ireland’s Data Protection Commission) — avoiding the GDPR bottleneck that has slowed down privacy enforcement against Big Tech.
Back in December 2020, the CNIL fined Google $120M for dropping tracking cookies without consent — after finding it had breached ePrivacy rules. It followed that up with another beefy fine — $170M — this January for dark patterns it found Google deploying in cookie consent flows.
Those French ePrivacy enforcements soon led to Google announcing an updated cookie consent banner in Europe which finally offered users a top-level option to refuse all its tracking — suggesting muscular enforcement of laws defending web users rights and freedoms can face down the power of Big Tech.
The CNIL also managed to slap Google with an early GDPR enforcement, back in 2019, prior to a legal switch which brought the company’s EU users under the jurisdiction of its Irish subsidiary (instead of its US parent) — thereby ensuring that subsequent GDPR complaints against Google have been routed through Ireland.
Hence the majority of GDPR enforcement on major complaints against Google — such as over the legality of its adtech (a formal investigation was opened in May 2019); or its location tracking practices (under probe in Ireland since February 2020) — remain in limbo as the Irish regulator’s painstaking procedures grind on. But decisions must flow eventually — within months or years.
It will be interesting to see which arrives first: A decision from France’s CNIL on this fresh noyb complaint against Google’s Gmail ad spam (filed August 2022) — or a final decision from Ireland on Google’s adtech or location tracking.
In the meanwhile, noyb has been pressing another series of strategic complaints against Big Tech by targeting b2b users of Google Analytics and Facebook Connect across the EU — which has led to a number of breach findings and warnings from DPAs against use of Google’s analytics software, with France’s watchdog putting out guidance in June that warns users of the tool of the need to apply additional safeguards to ensure their implementation complies with GDPR requirements on data transfers outside the bloc or else switch to a compliant (non-Google) alternative.
Facebook also has a major decision hanging over it related to a long-standing complaint about its EU data exports which was originally filed by noyb’s chairman — long before he founded the privacy advocacy group.