Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report
from the blink-twice-if-you're-being-forced-to-say-this dept
After basically all the big tech companies have come out with strong and clear denials, Yahoo this morning released a silly mealy-mouthed non-denial denial, written by a PR firm, that took almost 24 hours to craft:
Good morning,
We are reaching out on behalf of Yahoo regarding yesterday’s Reuters article. Yahoo said in a statement:
“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”
Best,
The Joele Frank Team
Media to Yahoo: Did you eat all the cookies?
Yahoo *with crumbs and smeared chocolate around mouth*: We do not have any cookies.
— Christopher Soghoian (@csoghoian) October 5, 2016
Of course, people are parsing every word of that and noting some… remaining questions. The article is misleading? Okay, how? Which parts? What did it get wrong? You narrowly interpret every government request? Great. So explain what was found here, or explain the specifics of what Yahoo is doing. “Does not exist on our systems”? Did it ever? Does it exist on someone else’s system? Does a different mail scanning system exist? Lots of people would like to know.
More importantly, note that they say they want to minimize disclosures. But that’s not the key issue here, as Chris Soghoian points out. The Reuters report was on the searching of all emails, not the disclosure bit. Yes, sure, it seems clear that after searching everyone’s email, Yahoo likely only “disclosed” a small number to the NSA, but that’s not really the point, is it?
I mean, I guess this statement is better than Yahoo’s original: “Yahoo is a law abiding company, and complies with the laws of the United States” statement. But, it’s not very reassuring. Much more important is what Yahoo could have said, but didn’t.
What Yahoo could have easily said but didn't: “We have not conducted such scanning. We produce content only about specific accounts.”
— Julian Sanchez (@normative) October 5, 2016
But that’s not happening. Yahoo has said that it “can’t comment further” which either means it doesn’t want to comment further or, potentially, that it feels it is legally barred from commenting any further — which is certainly a possibility (though a disturbing one).
The NSA or the Director of National Intelligence could help clear this up, but so far they’re going all Glomar on any questions:
NSA's Rogers neither confirmed nor denied Yahoo story. #cambridgecyber
— Ken Dilanian (@KenDilanianNBC) October 5, 2016
And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.
Filed Under: email, mass surveillance, non-denial denial, nsa, scanning, section 702
Companies: yahoo
Comments on “Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report”
Considering..
Considering the news that hit today about the BoozAllen contractor that has been held since August regarding theft of NSA secrets, I’m sure Yahoo doesn’t want to say much of anything right now.
http://www.cnn.com/2016/10/05/politics/intelligence-contractor-arrested-stealing-secrets/index.html
http://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html
Re: Considering..
Would you mind elaborating on this connection?
Re: Re: Considering..
No connection whatsoever (that I know of, at least). However, if you could get your company off the front page by letting another, juicier, NSA story become the headline, would you do so? Or would you jump up and down, wave your arms and scream, ‘Hey! We did questionable stuff FOR the NSA!! Why aren’t you over here sticking microphones in our faces!?!?’
Confirmed!
Considering the NSA swears back and forth in strong language almost instantly to deny things, not doing so now means it’s confirmed.
Well, it’s better than the alternative of letting the NSA search it, because at least this way the NSA doesn’t have everyone’s emails.
Re: Re:
“the NSA doesn’t have everyone’s emails.”
Sorry cupcake, we do.
Re: Re:
It is a sad day indeed when we are reduced to considering better degrees of awful when it comes to violation of our most basic constitutional rights.
Maybe Hills and The Don can cover this at the next debate while we consider better degrees of awful candidates.
Re: Re: Re:
Feel free to ask them; they’re soliciting debate questions over at https://presidentialopenquestions.com/ .
Re: Re:
They don’t need everyone’s, just the dissidents and whistleblowers and rival drug manufacturers/money launderers/distributors and arms dealers.
Re: Re:
“Well, it’s better than the alternative of letting the NSA search it, because at least this way the NSA doesn’t have everyone’s emails.”
Is that the only alternative you can see? How about the government not having warrantless access to anyone’s emails?
Re: Re:
“Well, it’s better than the alternative of letting the NSA search it, because at least this way the NSA doesn’t have everyone’s emails.”
It’s better than killing and eating babies, so that makes it OK!
Narrow Interpretation
Yahoo narrowly interpreted the request to mean only users who use email on Yahoo’s systems, and not on any of its competitors’ systems.
Further, the request was narrowed to only search emails from the present to the past, and excluding all future emails to be sent once the ongoing search operations cease.
They're lying through thier teeth, Mike, and you know it.
“After basically all the big tech companies have come out with strong and clear denials,…”
Which mean absolutely NOTHING given their LONG CONCRETELY ESTABLISHED HISTORY OF LYING.
Re: They're lying through thier teeth, Mike, and you know it.
Hah, caught ya.
You know damned well that no one can lie through Thier’s teeth, as Thier hasn’t had any teeth for at least a decade.
Re: They're lying through thier teeth, Mike, and you know it.
Could you perhaps give an example? And not a telco? Because from what I remember, details later proved that any specific denials relating to government surveillance were accurate.
Re: Re: They're lying through thier teeth, Mike, and you know it.
Could you perhaps give an example? And not a telco? Because from what I remember, details later proved that any specific denials relating to government surveillance were accurate.
They can’t. People want to insist that the tech companies are lying, but there’s been zero evidence to support this. The telcos, yes, but not the internet companies.
This reminds me of earlier news that law enforcement went after Signal with overly broad subpoenas and Signal could provide exactly nothing because their stuff is end-to-end encrypted and they keep minimal info. Sure, law enforcement can request targeted monitoring of available information such as size of the traffic and metadata, but they will be forced to do their investigative jobs. Other companies should take note.
Given that almost every article on Yahoo requires clicking twice (for full story) and the worsening of their sports page – I can’t recall the last time I even visited Yahoo. Also glad I never used my real phone to create an account.
Re: Re:
I definitely recall the last time I visited Yahoo: it was last week, to change my password.
As always
should you or any of your I.M. Force be caught or killed, the Secretary will disavow any knowledge of your actions.
Good thing Facebook and Google pay their employees enough to keep them quiet.
"What we do is legal" and "Our policy is to do X" are standard boilerplate responses.
This is to say they haven’t really said anything except what is normally authorized for a low level representative to say.
This means that, yes, they’re remaining silent for now, which can be interpreted as Yahoo is guilty as fuck, but they don’t know yet if they can cover this up and if not, who to can as a scapegoat. Also, if incidental, who is actually responsible.
If Yahoo doesn’t change their statement soon, it’s going to default to we don’t give two shits for our end users. All we care about is short-term dividends and executive paychecks.
So…stay tuned!
Re: "What we do is legal" and "Our policy is to do X" are standard boilerplate responses.
Remember, Yahoo only has to hold out long enough for Verizon’s check to clear.
Re: Re: That's right Yahoo is now a Verizon thing.
And rolling over for US Agencies is standard Verizon policy.
Of course Yahoo is lying
What’s left of Yahoo is just miserable. I have the unfortunate “pleasure” of dealing with their email operation on a regular basis, and — as far as I can tell — it’s staffed by crack monkeys. Outages happen regularly. Messages are accepted for delivery and disappear. Messages are refused for no reason and then accepted later. Attempts to report any of the massive spam coming FROM Yahoo are ignored or dismissed or….well, I can’t even classify some of the responses because they’re a word salad of nonsense. They deployed DKIM because reasons, breaking every mailing list in the world. (See IETF archives.) Their “Yahoo Groups” operation returns erratic results apparently depending on phase of the moon and is designed to hold users’ data captive. (Just try asking them for a full export. Really. Just try.)
And so on. Frankly, I doubt that they had the technical competence to execute this task correctly, a speculation substantiated by the resignation of their security guy and his statement that this implementation compromised user accounts.
Gee. You don’t think that had anything to do with 500M+ accounts we found out about last week, do you?
The best thing that could happen for the Internet at this point is (1) the export of all remaining useful data from Yahoo and (2) its immediate shutdown.
RE:
I started on Yahoo back in 2000, when webcams and voice chat were “the” new thing. I left in 2006, when the chat rooms changed. They have been going downhill ever since. (Back then, everyone was dressed on webcam.)
Fight?
I’m curious how a random tech company would be able to fight?
I guess a good answer is to spend a bunch of money to implement end-to-end encryption (and then even more, to do it properly)… but that doesn’t work for email, or message boards, or a bunch of other situations.
But even then, how does a random tech company fight back against demands from the government to open a back door?
The only options I can see end up being to fight it in court (Apple), or to fold the company and liquidate the equipment (Lavabit). Both are horrifically expensive, and either way the cost is ultimately borne by the customer.
Re: Fighting in court / Folding and liquidating
The advantage to both of these options is in the long term. Companies willing to fight the surveillance state in court develop the reputation of standing up to the surveillance state, which drives business to them.
For companies not big enough to fight, when they instead fold in protection of their customers, that reputation of integrity goes with them to their next line of work. It shows they’re solid and willing to suffer a terrible setback to uphold the privacy and security of their customers.
That’s the impetus (other than sleeping soundly) of Alex Stamos quitting Yahoo when he discovered his superiors circumvented him in adding their (vulnerability-laden) spy code.
Stamos did the right thing, and he may well be chosen for a hire based on that very action.
Re: Re: Fighting in court / Folding and liquidating
I agree with that on the extremes, but I think it still falls down in the middle:
Massive companies can afford to go to court, hoping that the PR boost from fighting for their customers comes back to their bottom line.
Individual employees, or tiny companies like Lavabit, can afford to fold up operations, because those people are making the decision for themselves.
What if you’re the owner of a company with a dozen employees? A hundred? A thousand, across multiple countries? You may be able to get work again quickly on the back of a reputation of “standing up to the man”… but how long until you can afford to re-hire all of those employees again? Will they be able to hold out for long enough?
Plus, as one of your customers, how do I know that your new product is going to be around for long enough to get use out of it? Especially if you’re offering a service, what happens when the government targets your new service in six months time? At what point does “have backup providers ready” become “just use a different provider”?
It’s not just tech companies either; tax accountants, builders and tradespeople (we need you to install a bug while you’re doing this job)… I don’t know if lawyers are on this list; would client-attorney privilege trump an NSL? And that’s probably the best solution for the people – reverse the third party doctrine, and give client-attorney-like privilege to ALL dealings between customers and their providers/contractors! Good luck with that, though.
Re: Re: Re: Would client / attorney privilege trump an NSL?
That’s an excellent question. The most terrifying answer (and probably the accurate one) is that it depends on the judge, and once you take it to court, you can also be charged with violating the gag order, if filing to challenge requires publication of what you’re trying to challenge.
I suspect there’s a way to do it legally with a string of lawyers, but I am completely unqualified even to speculate.
I had one Yahoo email address (for maybe 12 years now) that was ONLY used to register yahoo groups. Those groups have dwindled from maybe 5 to just one job club. When the club showed no indication of leaving Yahoo I dropped the club and deleted my one remaining Yahoo account.
Good riddance. I know you shouldn’t attribute to malice what can be adequately explained by incompetence, but with Yahoo the bar is flat on the ground.
THE LAISSEZ FAIRE CARTE BLANCHE BEFORE THE HORSE
There is a reason why National Constitutions are PARAMOUNT LAW in respective countries!… AND, THAT IS, CONSTITUTIONS F-R-A-M-E P-A-R-A-M-O-U-N-T P-R-O-V-I-S-I-O-N-S! And that is why a country’s National Constitution is more important — for example!– than its Criminal Code! And… because!… a failure to adhere to Constitutional provisions, may very well lead to reactions by citizens (I.E., “CIVIL UNREST”!), that– in turn!– may lead to criminal acts! Then… where does one lay blame for the reactions of country’s citizens to violations of citizens’ Constitutional protections?:… the failure of country’s citizens to kowtow to breaches of citizens’ (and a country’s!) Paramount Law?… or, the failure of a country’s authorities to ensure that such Constitutional protections A-R-E-N-‘-T V-I-O-L-A-T-E-D?
.
These commissions and omissions by Yahoo, NSA and others are not merely “inadvertent mishaps” requiring belated apologies from the perps!… but, rather, premeditated breaches of the most important sanctions that a country can bestow on its citizens!… A-N-D W-H-I-C-H T-R-A-N-S-C-E-N-D M-E-R-E C-R-I-M-I-N-A-L A-C-T-S C-O-M-M-I-T-T-E-D B-Y W-H-O-M-E-V-E-R! Such commissions and omissions strike at the very core/ heart of who and what we are!… A-N-D T-H-U-S, T-H-I-S I-S W-H-Y S-U-C-H B-R-E-A-C-H-E-S A-R-E D-E-S-E-R-V-I-N-G O-F O-U-R H-A-R-S-H-E-S-T O-F P-E-N-A-L-T-I-E-S!
.
Please!… no emails!