HEY pulls feature which could expose email threads without participants’ knowledge

A new service called HEY claims to have a fresh take on email.

It’s a redo, a rethink, a simplified, potent reintroduction of email. A fresh start, the way it should be.

And watching a tour of their product you certainly get the feeling that they’re living up to their promise, tackling some of the problems many of us face with an overloaded email inbox.

The product has got plenty of attention, partly because people really like the look of what they’ve seen, and partly because Apple and HEY’s developers Basecamp got into a very public ding-dong about whether their iOS app was breaking the App Store’s rules or not.

It looks like that kerfuffle is now getting resolved, and – frankly – it’s probably helped drive even more interest in HEY, and encouraged more people to sign up to the waiting list to give HEY a try.

But creating an email service from scratch isn’t simple, and designing one which attempts to take a different look at how we manage our email inbox is perhaps even more complicated.

One sign of that came to light yesterday on Twitter, when HEY user Kylie Stewart, a software engineer at Formidable Labs, tweeted a link to an email thread she had exchanged with her colleague Jon Reynolds.

Yes, you read that correctly. Kylie posted a link that allowed anybody to see her email conversation with Jon. But Jon hadn’t approved it.

HEY gave Kylie, and any other user of the new email service, an easy way of sharing a public link to an email thread.

[Screenshot: HEY’s “Get a public link” option]

And yes, HEY did display a clear message that sharing the link would allow anyone in the world to access it. But what it didn’t do is seek the permission of anyone else on that email thread.

Furthermore, HEY’s public link didn’t just expose all messages in the thread up until that point. All subsequent messages on that thread were publicly exposed as well.


Email should be private by default. If personal emails are going to be shared then it should be with the explicit permission of all participants.

And yes, it’s easy to screenshot an email thread or forward an email message. No-one’s denying that it’s easy to break a confidence, but HEY’s “Get a public link” functionality sits uncomfortably alongside other features which promote its desire for greater inbox privacy.

Fortunately, HEY seems to agree. Within hours of Kylie’s message on Twitter, Basecamp’s founder David Heinemeier Hansson said that the “public link” feature was being withdrawn while his team went away and thought about things a bit more.

All in all, a sensible and speedy response from HEY that helps prevent them making headlines for the wrong reasons.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.