Yahoo’s Email Spying Nightmare

Just when you’re thinking that the situation couldn’t get worse for once-venerable Yahoo — the company has been sold at fire sale prices, they’ve announced historically enormous user account security breaches, and so on — comes word that Yahoo may have permitted mass scanning of users’ email contents by unnamed federal intelligence agencies.

Unattributed, unsourced stories — particularly dramatic ones like this — must be viewed with extreme skepticism. Very often these days some nobody throws out a baseless rumor, it’s mirrored around the Web in minutes, and sometimes is even picked up by mainstream news sources without any sort of realistic fact checking. If every individual or firm subjected to this sort of abuse responded formally to every such unfounded attack, they often wouldn’t have time to do much else.

This Yahoo story is notably different, however.

First, it actually originated with a reputable wire service — Reuters — and a reporter — Joseph Menn — who also is highly respected.

And Yahoo actually responded to these accusations by calling the story “misleading” in a very carefully worded, rather strange press release that leaves even more questions unanswered, including with the statement that: “the mail scanning described in the article does not exist on our systems.”

Hmm. Not precisely described? Not on their current systems at this time? 

What about closely described? What about on their systems in the past? What about data provided to some other entity for scanning?

Who (other than Yahoo) knows what they meant?

What they clearly didn’t do was issue a straightforward denial that such mass content scanning ever took place.

Google, Microsoft, and other firms quickly issued statements saying that they had not received similar requests for scanning. Google said specifically that if they ever received such a request their response would be “No way.” (Indeed, knowing Googlers as I do, there’s no way in hell that they’d assent to such a request.)

This is a very big deal. Because if the accusations regarding Yahoo are true, this would be the first mass scanning incident of this kind, at least that we’ve ever learned about.

And it’s very important to keep in mind how this would differ from other surveillance situations here in the USA.

It’s one thing when a court gives permission to an agency to demand the records and other materials associated with specific users. While this kind of authority can be and has been abused, there are times when it can be justified.

The situation gets more problematic when we move into the realm of mass (as opposed to targeted to specific persons) collection of metadata — like phone numbers or message headers. Courts have ruled in different ways regarding the privacy protections due these classes of data, leading to the controversies over the NSA’s mass phone number collection efforts, for example.

But there’s no such confusion over the actual contents of communications, like what’s actually said in phone calls or written in the body of email messages.  

Communications contents are at the highest level of privacy protections, and mass, untargeted scanning of email messages’ contents would represent an egregious and (again, as far as we know) unprecedented violation of the individual privacy rights of innocent persons.

Frankly, I’m sincerely hoping that Reuters got this story wrong somehow, that the actual facts are not as dire as their report suggests.

But this is definitely not the time for Yahoo to be playing word games in their press releases, using language that leaves gaping holes obvious to all observers.

It’s possible that Yahoo is still under some sort of government order that prevents them from explaining precisely what went on — yet Yahoo’s current “non-denial” denial does not well serve Yahoo, its users, or the community at large.

We need to know the truth about what did or did not happen to users’ emails at Yahoo.

And we need to know now.

– – –


= = =


“Yahoo was ordered last year to search incoming emails for the digital “signature” of a communications method used by a state-sponsored, foreign terrorist organization, according to a government official familiar with the matter.

The Justice Department obtained the order from a judge of the Foreign Intelligence Surveillance Court.

To comply, Yahoo used a modified version of its existing systems that were scanning all incoming email traffic for spam, malware and images of child pornography. The system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature.

Yahoo was forbidden from disclosing the order and the collection is no longer taking place, the official said Wednesday.”

 = = =

If this additional information is correct, it represents an enormously dangerous slippery slope. The inclusion of arbitrary “signatures” at the behest of the government into malware/spam/cporn (“PhotoDNA”) scanning systems is a dramatic departure from firms cooperating with each other, into the realm of secret government mandates.

– – –

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.