Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report

from the blink-twice-if-you're-being-forced-to-say-this dept

After basically all the big tech companies have come out with strong and clear denials, Yahoo this morning released a silly, mealy-mouthed non-denial denial, written by a PR firm, that took almost 24 hours to craft:

Good morning,

We are reaching out on behalf of Yahoo regarding yesterday’s Reuters article. Yahoo said in a statement:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

Best,

The Joele Frank Team

Of course, people are parsing every word of that and noting some… remaining questions. The article is misleading? Okay, how? Which parts? What did it get wrong? You narrowly interpret every government request? Great. So explain what was found here, or explain the specifics of what Yahoo is doing. “Does not exist on our systems”? Did it ever? Does it exist on someone else’s system? Does a different mail scanning system exist? Lots of people would like to know.

More importantly, note that they say they want to minimize disclosures. But that’s not the key issue here, as Chris Soghoian points out. The Reuters report was on the searching of all emails, not the disclosure bit. Yes, sure, it seems clear that after searching everyone’s email, Yahoo likely only “disclosed” a small number to the NSA, but that’s not really the point, is it?

I mean, I guess this statement is better than Yahoo’s original: “Yahoo is a law abiding company, and complies with the laws of the United States” statement. But, it’s not very reassuring. Much more important is what Yahoo could have said, but didn’t.

But that’s not happening. Yahoo has said that it “can’t comment further” which either means it doesn’t want to comment further or, potentially, that it feels it is legally barred from commenting any further — which is certainly a possibility (though a disturbing one).

The NSA or the Director of National Intelligence could help clear this up, but so far they’re going all Glomar on any questions:

And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

Companies: yahoo


Comments on “Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report”

32 Comments
Anonymous Coward says:

Considering..

Considering the news that hit today about the BoozAllen contractor that has been held since August regarding theft of NSA secrets, I’m sure Yahoo doesn’t want to say much of anything right now.

http://www.cnn.com/2016/10/05/politics/intelligence-contractor-arrested-stealing-secrets/index.html

http://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html

Anonymous Coward says:

Re: Re: Considering..

No connection whatsoever (that I know of, at least). However, if you could get your company off the front page by letting another, juicier, NSA story become the headline, would you do so? Or would you jump up and down, wave your arms and scream, ‘Hey! We did questionable stuff FOR the NSA!! Why aren’t you over here sticking microphones in our faces!?!?’

Mike Masnick (profile) says:

Re: Re: They're lying through their teeth, Mike, and you know it.

Could you perhaps give an example? and not a telco? Because from what I remember details later proved that any specific denials relating to government surveillance were accurate.

They can’t. People want to insist that the tech companies are lying, but there’s been zero evidence to support this. The telcos, yes, but not the internet companies.

Ninja (profile) says:

This reminds me of earlier news that law enforcement went after Signal with overly broad subpoenas and Signal could provide exactly nothing because their stuff is end-to-end encrypted and they keep minimal info. Sure law enforcement can request targeted monitoring of available information such as size of the traffic and metadata but they will be forced to do their investigative jobs. Other companies should take note.

Uriel-238 (profile) says:

"What we do is legal" and "Our policy is to do X" are standard boilerplate responses.

This is to say they haven’t really said anything except what is normally authorized for a low level representative to say.

This means that, yes, they’re remaining silent for now, which can be interpreted as Yahoo is guilty as fuck, but they don’t know yet if they can cover this up and if not, who to can as a scapegoat. Also, if incidental, who is actually responsible.

If Yahoo doesn’t change their statement soon, it’s going to default to we don’t give two shits for our end users. All we care about is short-term dividends and executive paychecks.

So…stay tuned!

Anonymous Coward says:

Of course Yahoo is lying

What’s left of Yahoo is just miserable. I have the unfortunate “pleasure” of dealing with their email operation on a regular basis, and — as far as I can tell — it’s staffed by crack monkeys. Outages happen regularly. Messages are accepted for delivery and disappear. Messages are refused for no reason and then accepted later. Attempts to report any of the massive spam coming FROM Yahoo are ignored or dismissed or….well, I can’t even classify some of the responses because they’re a word salad of nonsense. They deployed DKIM because reasons, breaking every mailing list in the world. (See IETF archives.) Their “Yahoo Groups” operation returns erratic results apparently depending on phase of the moon and is designed to hold users’ data captive. (Just try asking them for a full export. Really. Just try.)

And so on. Frankly, I doubt that they had the technical competence to execute this task correctly, a speculation substantiated by the resignation of their security guy and his statement that this implementation compromised user accounts.

Gee. You don’t think that had anything to do with 500M+ accounts we found out about last week, do you?

The best thing that could happen for the Internet at this point is (1) the export of all remaining useful data from Yahoo and (2) its immediate shutdown.

MrTroy (profile) says:

Fight?

And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

I’m curious how a random tech company would be able to fight?

I guess a good answer is to spend a bunch of money to implement end-to-end encryption (and then even more, to do it properly)… but that doesn’t work for email, or message boards, or a bunch of other situations.

But even then, how does a random tech company fight back against demands from the government to open a back door?

The only options I can see end up being to fight it in court (Apple), or to fold the company and liquidate the equipment (Lavabit). Both are horrifically expensive, and either way the cost is ultimately borne by the customer.

Uriel-238 (profile) says:

Re: Fighting in court / Folding and liquidating

The advantage to both of these options is in the long term. Companies willing to fight the surveillance state in court develop the reputation of standing up to the surveillance state, which drives business to them.

For companies not big enough to fight, when they instead fold in protection of their customers, that reputation of integrity goes with them to their next line of work. It shows they’re solid and willing to suffer a terrible setback to uphold the privacy and security of their customers.

That’s the impetus (other than sleeping soundly) of Alex Stamos quitting Yahoo when he discovered his superiors circumvented him in adding their (vulnerability-laden) spy code.

Stamos did the right thing, and he may well be chosen for a hire based on that very action.

MrTroy (profile) says:

Re: Re: Fighting in court / Folding and liquidating

I agree with that on the extremes, but I think it still falls down in the middle:

Massive companies can afford to go to court, hoping that the PR boost from fighting for their customers comes back to their bottom line.

Individual employees, or tiny companies like Lavabit, can afford to fold up operations, because those people are making the decision for themselves.

What if you’re the owner of a company with a dozen employees? A hundred? A thousand, across multiple countries? You may be able to get work again quickly on the back of a reputation of “standing up to the man”… but how long until you can afford to re-hire all of those employees again? Will they be able to hold out for long enough?

Plus, as one of your customers, how do I know that your new product is going to be around for long enough to get use out of it? Especially if you’re offering a service, what happens when the government targets your new service in six months’ time? At what point does “have backup providers ready” become “just use a different provider”?

It’s not just tech companies either; tax accountants, builders and tradespeople (we need you to install a bug while you’re doing this job)… I don’t know if lawyers are on this list; would client-attorney privilege trump an NSL? And that’s probably the best solution for the people – reverse the third party doctrine, and give client-attorney-like privilege to ALL dealings between customers and their providers/contractors! Good luck with that, though.

Uriel-238 (profile) says:

Re: Re: Re: Would client / attorney privilege trump an NSL?

That’s an excellent question. The most terrifying answer (and probably the accurate one) is that it depends on the judge, and once you take it to court, you can also be charged with violating the gag order, if filing to challenge requires publication of what you’re trying to challenge.

I suspect there’s a way to do it legally with a string of lawyers, but I am completely unqualified even to speculate.

Anonymous Coward says:

I had one Yahoo email address (for maybe 12 years now) that was ONLY used to register yahoo groups. Those groups have dwindled from maybe 5 to just one job club. When the club showed no indication of leaving Yahoo I dropped the club and deleted my one remaining Yahoo account.

Good riddance. I know you shouldn’t attribute to malice what can be adequately explained by incompetence, but with Yahoo the bar is flat on the ground.

John Mayor says:

THE LAISSEZ FAIRE CARTE BLANCHE BEFORE THE HORSE

There is a reason why National Constitutions are PARAMOUNT LAW in respective countries!… AND, THAT IS, CONSTITUTIONS F-R-A-M-E P-A-R-A-M-O-U-N-T P-R-O-V-I-S-I-O-N-S! And that is why a country’s National Constitution is more important — for example!– than its Criminal Code! And… because!… a failure to adhere to Constitutional provisions, may very well lead to reactions by citizens (I.E., “CIVIL UNREST”!), that– in turn!– may lead to criminal acts! Then… where does one lay blame for the reactions of country’s citizens to violations of citizens’ Constitutional protections?:… the failure of country’s citizens to kowtow to breaches of citizens’ (and a country’s!) Paramount Law?… or, the failure of a country’s authorities to ensure that such Constitutional protections A-R-E-N-‘-T V-I-O-L-A-T-E-D?
.
These commissions and omissions by Yahoo, NSA and others are not merely “inadvertent mishaps” requiring belated apologies from the perps!… but, rather, premeditated breaches of the most important sanctions that a country can bestow on its citizens!… A-N-D W-H-I-C-H T-R-A-N-S-C-E-N-D M-E-R-E C-R-I-M-I-N-A-L A-C-T-S C-O-M-M-I-T-T-E-D B-Y W-H-O-M-E-V-E-R! Such commissions and omissions strike at the very core/ heart of who and what we are!… A-N-D T-H-U-S, T-H-I-S I-S W-H-Y S-U-C-H B-R-E-A-C-H-E-S A-R-E D-E-S-E-R-V-I-N-G O-F O-U-R H-A-R-S-H-E-S-T O-F P-E-N-A-L-T-I-E-S!
.
Please!… no emails!
