Yahoo scanned customer emails for US intelligence

I think the attitude here that most tech companies are rolling over and just complying without a single ethical consideration is misplaced.<p>The government has been doing an excellent job of basically extorting these companies into compliance. They threaten the full weight of the US government&#x27;s wraith and then tie every order up with classifications and gag orders.<p>You aren&#x27;t legally allowed to talk to other companies in the same position. Most your legal team probably doesn&#x27;t get to know what&#x27;s going on. You can&#x27;t take your case to the public without being held in contempt.<p>I&#x27;m not giving these companies a complete pass for being complicit in the erosion of individual&#x27;s civil liberties but treating this as if the decision is easy is vastly unfair.

Anyone remembers this?<p>&gt; Barack Obama: NSA is not rifling through ordinary people&#x27;s emails. US president is confident intelligence services have &#x27;struck appropriate balance&#x27;, he tells journalists in Berlin<p>edit: link fixed <a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;world&#x2F;2013&#x2F;jun&#x2F;19&#x2F;barack-obama-nsa-people-emails" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;world&#x2F;2013&#x2F;jun&#x2F;19&#x2F;barack-obama-n...</a>

I was honestly a bit unhappy when Stamos left Yahoo in the middle of a bunch of (what seemed like) cool projects for users -- seemed like he was just jumping ship from an objectively pretty crappy company to a continuing-to-accelerate rocketship, presumably for career reasons.<p>However, if it went down like this -- he did probably the least destructive thing possible. I probably would have gone public or done something stupider, but at the very least not being a party to ongoing abuse of users&#x27; trust is necessary.<p>I&#x27;d like to see what other senior execs at Yahoo! were aware of the program and supported or at least tolerated it, so I can avoid ever working with any of them.

Lets take it a different way:<p>You&#x27;re knowingly sending your data to a 3rd party. You&#x27;re not encrypting. It&#x27;s not through the USPS (special protections).<p>It seems bloody evident that, of course, your email provider can read your emails! Unless you&#x27;re encrypting with GPG, then they can (and they can still read the signing keys).<p>Yahoo, Google, and friends all scan, dedup, and all sorts of tricks to determine marketing and quality content (spamming). If you&#x27;re worried, run your own mailserver. It&#x27;s what I do, along with using gmail. But I know that, at any time, people&#x2F;scripts&#x2F;ai are reading everything sent and received.<p>edit: I&#x27;d much prefer to hear commentary&#x2F;how wrong&#x2F;how right&#x2F;how crazy I am, rather than -1&#x27;s.I&#x27;d like to hear a discussion about the &quot;Secrecy of text written on postcards&quot;....

Most illustrative part: &quot;Yahoo President Marissa Mayer and the company&#x27;s legal team kept the order secret from the company&#x27;s security team.&quot;<p>If you have to hide things from your own security team, it&#x27;s pretty clear you&#x27;re doing something very bad and you know it.<p>And my imaginary hat off to Stamos for resigning when he found his boss betrayed user privacy and undermined security. If everybody had such level of integrity, doing shady stuff would be much harder.

It sounds like Yahoo will fit right in at Verizon... It also sounds like another leak designed to damage Marissa Mayer:<p>&gt; According to the two former employees, Yahoo Chief Executive Marissa Mayer&#x27;s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

While it is damning that Mayer didn&#x27;t go to Stamos about this and went straight to the email team, it&#x27;s hard to say whether she felt it was necessary to tell him, or was even allowed to, since we don&#x27;t see the court orders and what they entail. It&#x27;s really easy to be against this and play armchair preacher but this is something she probably had no choice in, in many ways.<p>Also, I&#x27;m wondering if this story is bigger because people love to hate on Mayer. I am certain this kind of thing happened&#x2F;happens at Facebook, Google, Twitter, WhatsApp, etc., so it&#x27;s confusing why this is so newsworthy. It&#x27;s not really newsworthy that data from an email provider is sent to NSA under secret court orders and NSA can search the full text of it. Is the newsworthy part that she asked the team to do it without consulting the security team? My question would be, why wouldn&#x27;t a manager from the email team consult the security team if they had the power to?

Friendly reminder: the FBI and NSA are part of the executive branch of government and report to the President of the United States. Make no mistake -- there absolutely <i>is</i> someone who could stop this. The fact that this clearly unconstitutional activity not only continued after being exposed, but actually appears to has expanded in its scope, leaves us with but one conclusion: the President supports this activity and wants it to continue.

The scariest part of the whole piece answers this question: Why are back doors with secret keys a BAD idea?<p>&quot;... he had been left out of a decision that hurt users&#x27; security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails....&quot;<p>The CEO of Yahoo must have known that this kind of scanning and storage puts their users at risk. She choose to do it anyway as being the path of least resistance against a more powerful adversary (US govt.). Bad judgement compounded by zero spine... Verizon looks like the perfect fit.

I mean, think about the threats from .gov, right?<p>$250k per day doubling every week that can come with a gag order sounds like the sort of thing that could damage a business to the point of extinction, no?<p><a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;world&#x2F;2014&#x2F;sep&#x2F;11&#x2F;yahoo-nsa-lawsuit-documents-fine-user-data-refusal" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;world&#x2F;2014&#x2F;sep&#x2F;11&#x2F;yahoo-nsa-laws...</a>

Secret URL for deleting your Yahoo account.<p><a href="https:&#x2F;&#x2F;edit.yahoo.com&#x2F;config&#x2F;delete_user" rel="nofollow">https:&#x2F;&#x2F;edit.yahoo.com&#x2F;config&#x2F;delete_user</a>

Let&#x27;s see a show of hands for those who think Yahoo was the only one?

This reminds me of what happened to my grandfather in the early 30&#x27;s. He was employed by a small glassworks in PA, a factory town that owned his home, the town store, post office everything. They opened his mail and fired him for trying to start a union. Three kids under five and a wife thrown out on the street. Seems like the Oligarchs are still reading the spues mail all of these years later.

Distribute, encrypt, and anonymize. The only way forward doesn&#x27;t include them.<p>Congress is up for grabs. You can really change who is in congress this round. If you don&#x27;t like the guy you have vote in another. Vote for people that want to cut surveillance programs and agencies that request them. We could save or reallocate mountains of money.

Yahoo was attributing its recently announced data breach to state-sponsored attackers.... Maybe that wasn&#x27;t so far off the mark after all.

Ignoring fiduciary responsibility for a minute, what would happen if a publicly-traded company refused to comply with such a court order until they were required to release a financial statement? Wouldn&#x27;t they be legally required to disclose that multi-million dollar fine?<p>How would a company under such a gag order announce bankruptcy? &quot;Sorry, we lost all the money and we can&#x27;t tell you why&quot;?

The lesson from this is to not trust corporations with out privacy. Sadly, it seems many of us are not learning it.

The interesting part of the news is this:<p>&quot;&quot;&quot; The sources said the program was discovered by Yahoo&#x27;s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in. &quot;&quot;&quot;<p>this is from Reuters: <a href="http:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;us-yahoo-nsa-exclusive-idUSK" rel="nofollow">http:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;us-yahoo-nsa-exclusive-idUSK</a><p>I can imagine being in that security team :) But there is also something more profound in this about secrecy in our times.

I find this hilarious since the only thing I use my yahoo address for is retailer sign-ups and things I know will land me a boat load of junk mail. It is my email landfill.

From the article: &quot;Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency&#x27;s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.&quot;<p>The first case <i>to surface</i>. Anybody else could have been doing it for just as long, but we don&#x27;t know yet.

Now gotta wonder if Google has succumbed to government pressure to do the same.<p>I&#x27;m really hoping and trusting they haven&#x27;t.

I imagine Yahoo! Mail engineers being royally pissed about this. Well, I suppose that includes all Yahoo! folks who are still putting real effort into improving Y!&#x27;s services. Every odd day something surfaces about Y!&#x27;s execs questionable practices and decisions, every even day problems, leaks, bad press. Moral must have hit rock bottom.<p>Maybe the Yahoo! Board should have surveyed the startups scene, looking for founders who bootstrapped successfully and proven their worth, and recruit the best they could get. I am not very familiar with management of people and aspects of running a business, but I believe there is a lot more to it than being a smart person with computers.

If she had wanted to this to get out, I wonder if she could have ordered the email team to go ahead and build out the sniffer so she is not in contempt of the court, but let her security team openly blog about it, without informing her, when they found it - which could lead to an inadvertent release of the info? If the sec team was not under the gag order maybe they would not have gotten in trouble.<p>Or take her to a super boss level, she could have used whisper to talk to guccifer and let him know about some vuln that would allow access to the legal directory.... which would have to gag order. #wikileakitup

This is substantially worse than PRISM which operates on individual targeted persons and the upstream Verizon, AT&amp;T program which collects plaintext over the public Internet.<p>This involved bulk search of data past the decryption layer.

Since all these companies (Yahoo, Google, FB, MSFT, etc) all operate and with users in other countries, what happen when other countries&#x2F;governments demand the same &quot;search&#x2F;access&quot; of info?

It was part of carnivore and AT&amp;T also supported that. I&#x27;m pretty sure all major vendors had hooks into their systems for carnivore.

<p><pre><code> Yahoo Inc last year secretly built a custom software program to search all of its customers&#x27; incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter. </code></pre> Wonder how much of the 4.8 billion can be attributed this <i>custom software program</i>?

This shit needs to stop. Immediately.<p>Like most people, I have no problem with the government using probable cause to get warrants that are in search of something specific (none of these grab-all bullshit orders). If you have a legitimate reason to be looking at someone, then there should be no problem getting a warrant.<p>These secret FISA court orders are a serious violation to the rights of Americans in many cases. At minimum, if we really do need these secret courts to prevent people from finding out they are the subject of surveillance, then there needs to be an expiration on those gag orders. This crap about never being able to mention it FOREVER has to go. There should be a limit, say 5 years, which is well beyond the length of time most investigations take. At that time, those orders should expire so that these government actions can be brought to light if there is any question of wrong-doing on the part of our overzealous law enforcement.<p>&quot;Former NSA General Counsel Stewart Baker said email providers &#x27;have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.&#x27;&quot; Sorry, but no. That&#x27;s not how it works. There is no obligation to do the work of government unless it is actually written into law (i.e. record-keeping laws). And it currently is not. This is precisely why everyone should be encrypting all communications on the CLIENT side themselves. It should never leave your device (PC, phone, whatever) unencrypted. That way, if the government wants to go on a fishing expedition or has an actual legitimate reason to look at you, they will have to get a warrant for the device itself, which will at least give you a head&#x27;s up that they are trying to put you in the clink with a bunkmate named Bubba.<p>The NSA, and the government in general, has completely blown any goodwill they once had with the public. Under no circumstance will I ever advocate for anything that makes their job easier. And it is for no other reason than simply because they have proven time and again they cannot be trusted.<p>Honestly, I&#x27;m still not even clear why every employee of project PRISM isn&#x27;t rotting a jail cell right now after Snowden shed some light on the program for the rest of us peasants. Every single employee of that program had to know the clear violations of the constitution they were helping to partake in. Keep in mind the constitution protects against unreasonable SEIZURE as well as search. Gobbling up communications in the manner they did clearly counts as seizure because they would not have had them otherwise - whether or not they actually search the records is immaterial.<p>I&#x27;m not an Apple fan, but when they told the government to go pound sand regarding that terrorist phone encryption case, that was the first time that I can recall I actually approved of Apple&#x27;s political position on something.

Some people here laud some companies for being good about user privacy and security. This shows they have not yet reached table stakes for privacy and security.<p>This is why no provider can be trusted. Every routine communication should be e2e encrypted. Otherwise this WILL happen.

Note the attitude toward encryption:<p><i>Former NSA General Counsel Stewart Baker said email providers &quot;have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.&quot;</i>

Is this is the best solution? <a href="https:&#x2F;&#x2F;emailselfdefense.fsf.org&#x2F;en&#x2F;" rel="nofollow">https:&#x2F;&#x2F;emailselfdefense.fsf.org&#x2F;en&#x2F;</a><p>Getting anyone else I know to do this seems like a long shot. Is there something simpler?

Another reason for users and enterprises alike to avoid US companies and services. And another reason for entrepreneurs to start companies outside the US - escape the stigma, escape the potential clash with secret courts.

Any large company should openly defy such an order.<p>What will they do??? Fine, court, shut down the company? If that happened would the public not outcry?

So you really think that a free email service will &quot;protect your privacy?&quot; Any of them?<p>Why would you think that?<p>FWIW, SIGINT is a major part of the present festivities in the Woah on Terruh. It&#x27;s simply unrealistic to expect anything transmitted through ordinary means to be remotely private.

Any chance that this, and the recently announced historical account breach, are coming out as artifacts of Verizon&#x27;s due diligence?

This is not at all surprising! BTW, I don&#x27;t know a single person that has an email account with yahoo, who is not older than 60!

To be frank, the more I hear about those stories, the less I&#x27;m shocked.<p>There is nothing to be shocked about. Unless nobody else than intelligence officials are getting access to this, and if the investigations are legit, then what?<p>News like this are trying to ride the whole Snowden train, but that&#x27;s not what Snowden what whistle blowing about. Snowden was trying to warn about the abuse of those tools.<p>Now people moan and yell each time agencies try to do their job.

That the usg attempted this is a sign of deeply seated incompetence at a philosophical level.

I&#x27;m sorry, but have you <i>used</i> Yahoo Mail?<p>I don&#x27;t believe they are capable of writing the &quot;siphon&quot; they are accused of. To be honest, I don&#x27;t think they actually have engineers. I think they just use summer interns.

They moved heaven and earth to try to find Snowden.

having my yahoo as spammailaccount for registrations, they probably scanned gigabytes of all sorts of stuff xD

And it did not find any :-) !!!

So, when do Americans exercise the right of the Second and liberate from this totalitarian government?

Took them long enough ;)

Thanks Obama!

In China and Russia, it is well known that <i>all</i> oligarchs are corrupt.<p>However, not all of them will go to prison -- only those who cross the politicians will ever be tried and convicted.

Can we merge <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=12637302" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=12637302</a> into this? Same exact headline

So, is this correct, in this context?<p>Pass: Apple, Google<p>Fail: Microsoft, Yahoo<p>Unknown: Facebook, Twitter

Good riddance. I don&#x27;t understand what is worth scavanging from the carcas.

But continue to find themselves stumped?

It should read &quot;...Yahoo Chief Executive Marissa Mayer&#x27;s decision to indulge the directive...&quot; indulge, not obey.

Google overtly scans your emails for anything.