Yahoo Secret Email Scanning (@josephmenn, @nickywoolf)
From Nicky Woolf at The Guardian, “Yahoo ‘secretly monitored emails on behalf of the US government’” (and originally reported by Joseph Menn at Reuters):
Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said. They were also upset that [chairman Marissa] Mayer and Yahoo general counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
That Yahoo allowed this is certainly troubling. How Yahoo handled this internally is also troubling. Also of concern is a bug that could have allowed hackers to access all Yahoo emails:
When [Alex] Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, sources said. Due to a programming flaw, he told them, hackers could have accessed the stored emails.
But the larger issue, that of government access to our data on all the major email services, hasn’t changed. Read how carefully worded the denials are by some of Yahoo’s competitors:
Google, whose Gmail is the world’s largest email service, said on Tuesday that it hadn’t received a similar spying request from the US government. If it had, Google said, its response would be: “No way.”
Microsoft, whose email service also is larger than Yahoo, also said it has “never engaged in the secret scanning of email traffic.”
Twitter, which doesn’t provide email service but does allow users to exchange direct messages, likewise said it has never received such a request and would challenge it in court if it did.
A Facebook spokesperson said: “Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it.”
These statements all deny an effort like Yahoo’s, which scanned every incoming email for some targeted text. But none of these statements indicates that our data is protected with any type of encryption, which is the only way these providers could keep this data private, or that these companies never hand emails over to the government when requested. And some egregious practices continue, and are possible, only because our data is not encrypted. For example, recall how Google scans all of our emails to target us with ads, a different but still troubling privacy concern.
As for Apple, the one major tech company that has very publicly opposed some types of government efforts to get our data, they said this:
“We have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.”
In a further statement, Apple said “We have never received a request of this type. If we were to receive one, we would oppose it in court.”
Apple should get kudos for things like iMessage and device encryption, but it has never stated that it would not turn over, or has never turned over, email data when requested, and its issues with how it stores iMessage metadata should also be a concern.
The only way to truly keep our information secure is to encrypt it, both end-to-end and while stored. None of these services do that. Remember that before you slam Yahoo about this exclusively.