Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report

from the blink-twice-if-you're-being-forced-to-say-this dept

After basically all the big tech companies have come out with strong and clear denials, Yahoo this morning released a silly mealy mouthed non-denial denial, written by a PR firm, that took almost 24 hours to craft:
Good morning –

We are reaching out on behalf of Yahoo regarding yesterday’s Reuters article. Yahoo said in a statement:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

Best,

The Joele Frank Team
Of course, people are parsing every word of that and noting some... remaining questions. The article is misleading? Okay, how? Which parts? What did it get wrong? You narrowly interpret every government request? Great. So explain what was found here, or explain the specifics of what Yahoo is doing. "Does not exist on our systems"? Did it ever? Does it exist on someone else's system? Does a different mail scanning system exist? Lots of people would like to know.

More importantly, note that they say they want to minimize disclosures. But that's not the key issue here, as Chris Soghoian points out. The Reuters report was on the searching of all emails, not the disclosure bit. Yes, sure, it seems clear that after searching everyone's email, Yahoo likely only "disclosed" a small number to the NSA, but that's not really the point, is it?

I mean, I guess this statement is better than Yahoo's original: "Yahoo is a law abiding company, and complies with the laws of the United States" statement. But, it's not very reassuring. Much more important is what Yahoo could have said, but didn't.
But that's not happening. Yahoo has said that it "can't comment further" which either means it doesn't want to comment further or, potentially, that it feels it is legally barred from commenting any further -- which is certainly a possibility (though a disturbing one).

The NSA or the Director of National Intelligence could help clear this up, but so far they're going all Glomar on any questions:
And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 5 Oct 2016 @ 10:54am

    Considering..

    Considering the news that hit today about the BoozAllen contractor that has been held since August regarding theft of NSA secrets, I'm sure Yahoo doesn't want to say much of anything right now.

    http://www.cnn.com/2016/10/05/politics/intelligence-contractor-arrested-stealing-secrets/index.html

    h ttp://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Oct 2016 @ 12:44pm

      Re: Considering..

      Would you mind elaborating on this connection?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 5 Oct 2016 @ 3:03pm

        Re: Re: Considering..

        No connection whatsoever (that I know of, at least). However, if you could get your company off the front page by letting another, juicier, NSA story become the headline, would you do so? Or would you jump up and down, wave your arms and scream, 'Hey! We did questionable stuff FOR the NSA!! Why aren't you over here sticking microphones in our faces!?!?'

        reply to this | link to this | view in chronology ]

  • icon
    JoeCool (profile), 5 Oct 2016 @ 11:00am

    Confirmed!

    Considering the NSA swears back and forth in strong language almost instantly to deny things, not doing so now means it's confirmed.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Oct 2016 @ 11:13am

    Yes, sure, it seems clear that after searching everyone's email, Yahoo likely only "disclosed" a small number to the NSA, but that's not really the point, is it?


    Well, it's better than the alternative of letting the NSA search it, because at least this way the NSA doesn't have everyone's emails.

    reply to this | link to this | view in chronology ]

    • identicon
      NSA, 5 Oct 2016 @ 11:16am

      Re:

      "the NSA doesn't have everyone's emails."
      Sorry cupcake, we do.

      reply to this | link to this | view in chronology ]

    • icon
      Chryss (profile), 5 Oct 2016 @ 11:23am

      Re:

      It is a sad day indeed when we are reduced to considering better degrees of awful when it comes to violation of our most basic constitutional rights.

      Maybe Hills and The Don can cover this at the next debate while we consider better degrees of awful candidates.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Oct 2016 @ 2:18pm

      Re:

      They don't need everyone's, just the dissidents and whistleblowers and rival drug manufacturers/money launderers/distributors and arms dealers.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Oct 2016 @ 5:09pm

      Re:

      "Well, it's better than the alternative of letting the NSA search it, because at least this way the NSA doesn't have everyone's emails."

      Is that the only alternative you can see? How about the government not having warrantless access to anyone's emails?

      reply to this | link to this | view in chronology ]

    • identicon
      Whutevah, 6 Oct 2016 @ 7:08am

      Re:

      "Well, it's better than the alternative of letting the NSA search it, because at least this way the NSA doesn't have everyone's emails."

      It's better than killing and eating babies, so that makes it OK!

      reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 5 Oct 2016 @ 11:18am

    Narrow Interpretation

    Yahoo narrowly interpreted the request to mean only users who use email on Yahoo's systems, and not on any of its competitors' systems.

    Further, the request was narrowed to only search emails from the present to the past, and excluding all future emails to be sent once the ongoing search operations cease.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Oct 2016 @ 11:32am

    They're lying through thier teeth, Mike, and you know it.

    "After basically all the big tech companies have come out with strong and clear denials,..."

    Which mean absolutely NOTHING given their LONG CONCRETELY ESTABLISHED HISTORY OF LYING.

    reply to this | link to this | view in chronology ]

    • identicon
      DigDuggery, 5 Oct 2016 @ 11:37am

      Re: They're lying through thier teeth, Mike, and you know it.

      Hah, caught ya.

      You know damned well that no one can lie through Thier's teeth, as Thier hasn't had any teeth for at least a decade.

      reply to this | link to this | view in chronology ]

    • icon
      James Burkhardt (profile), 5 Oct 2016 @ 11:52am

      Re: They're lying through thier teeth, Mike, and you know it.

      Could you perhaps give an example? and not a teleco? Because from what i remember details later proved that any specific denials relating to government survailence were accurate.

      reply to this | link to this | view in chronology ]

      • icon
        Mike Masnick (profile), 5 Oct 2016 @ 11:46pm

        Re: Re: They're lying through thier teeth, Mike, and you know it.

        Could you perhaps give an example? and not a teleco? Because from what i remember details later proved that any specific denials relating to government survailence were accurate.

        They can't. People want to insist that the tech companies are lying, but there's been *zero* evidence to support this. The telcos, yes, but not the internet companies.

        reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 5 Oct 2016 @ 11:40am

    This reminds of earlier news that law enforcement went after Signal with overly broad subpoenas and Signal could provide exactly nothing because their stuff are end-to-end encrypted and they keep minimal info. Sure law enforcement can request targeted monitoring of available information such as size of the traffic and metadata but they will be forced to do their investigative jobs. Other companies should take note.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Oct 2016 @ 12:24pm

    Given that almost every article on yahoo requires clicking twice (for full story) and the worsening of their sports page - I cant recall the last time I even visited yahoo. Also glad I never used my real phone to create an account.

    reply to this | link to this | view in chronology ]

  • identicon
    coward (anon), 5 Oct 2016 @ 12:36pm

    As always

    should you or any of your I.M. Force be caught or killed, the Secretary will disavow any knowledge of your actions.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Oct 2016 @ 12:45pm

    Good thing Facebook and Google pay their employees enough to keep them quiet.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 5 Oct 2016 @ 12:48pm

    "What we do is legal" and "Our policy is to do X" are standard boilerplate responses.

    This is to say they haven't really said anything except what is normally authorized for a low level representative to say.

    This means that, yes, they're remaining silent for now, which can be interpreted Yahoo is guilty as fuck, but they don't know yet if they can cover this up and if not, who to can as a scapegoat. Also, if incidental, who is actually responsible.

    If Yahoo doesn't change their statement soon, it's going to default to we don't give two shits for our end users. All we care about is short-term dividends and executive paychecks.

    So...stay tuned!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Oct 2016 @ 1:22pm

    Of course Yahoo is lying

    What's left of Yahoo is just miserable. I have the unfortunate "pleasure" of dealing with their email operation on a regular basis, and -- as far as I can tell -- it's staffed by crack monkeys. Outages happen regularly. Messages are accepted for delivery and disappear. Messages are refused for no reason and then accepted later. Attempts to report any of the massive spam coming FROM Yahoo are ignored or dismissed or....well, I can't even classify some of the responses because they're a word salad of nonsense. They deployed DKIM because reasons, breaking every mailing list in the world. (See IETF archives.) Their "Yahoo Groups" operation returns erratic results apparently depending on phase of the moon and is designed to hold users' data captive. (Just try asking them for a full export. Really. Just try.)

    And so on. Frankly, I doubt that they had the technical competence to execute this task correctly, a speculation substantiated by the resignation of their security guy and his statement that this implementation compromised user accounts.

    Gee. You don't think that had anything to do with 500M+ accounts we found about last week, do you?

    The best thing that could happen for the Internet at this point is (1) the export of all remaining useful data from Yahoo and (2) its immediate shutdown.

    reply to this | link to this | view in chronology ]

  • identicon
    Digitari, 5 Oct 2016 @ 3:04pm

    RE:

    I started on yahoo back in 2000, when webcams and voice chat was "the" new thing, I left in 2006, when the chat rooms changed. They have been going downhill ever since. ( back then, everyone was dressed on webcam )

    reply to this | link to this | view in chronology ]

  • icon
    MrTroy (profile), 5 Oct 2016 @ 10:20pm

    Fight?

    And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

    I'm curious how a random tech company would be able to fight?

    I guess a good answer is to spend a bunch of money to implement end-to-end encryption (and then even more, to do it properly)... but that doesn't work for email, or message boards, or a bunch of other situations.

    But even then, how does a random tech company fight back against demands from the government to open a back door?

    The only options I can see end up being to be to fight it in court (Apple), or to fold the company and liquidate the equipment (Lavabit). Both are horrifically expensive, and either way the cost is ultimately borne by the customer.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 5 Oct 2016 @ 11:17pm

      Fighting in court / Folding and liquidating

      The advantage to both of these options is in the long term. Companies willing to fight the surveillance state in court develop the reputation of standing up to the surveillance state, which drives business to them.

      For companies not big enough to fight, when they instead fold in protection of their customers, that reputation of integrity goes with them to their next line of work. It shows they're solid and willing to suffer a terrible setback to uphold the privacy and security of their customers.

      That's the impetus (other than sleeping soundly) of Alex Stamos quitting Yahoo when he discovered his superiors circumvented him in adding their (vulnerability-laden) spy code.

      Stamos did the right thing, and he may well be chosen for a hire based on that very action.

      reply to this | link to this | view in chronology ]

      • icon
        MrTroy (profile), 6 Oct 2016 @ 12:20am

        Re: Fighting in court / Folding and liquidating

        I agree with that on the extremes, but I think it still falls down in the middle:

        Massive companies can afford to go to court, hoping that the PR boost from fighting for their customers comes back to their bottom line.

        Individual employees, or tiny companies like Lavabit can afford to fold up operations, because those people are making the decision for themself.

        What if you're the owner of a company with a dozen employees? A hundred? A thousand, across multiple countries? You may be able to get work again quickly on the back of a reputation of "standing up to the man"... but how long until you can afford to re-hire all of those employees again? Will they be able to hold out for long enough?

        Plus, as one of your customers, how do I know that your new product is going to be around for long enough to get use out of it? Especially if you're offering a service, what happens when the government targets your new service in six months time? At what point does "have backup providers ready" become "just use a different provider"?

        It's not just tech companies either; tax accountants, builders and tradespeople (we need you to install a bug while you're doing this job)... I don't know if lawyers are on this list; would client-attorney privilege trump an NSL? And that's probably the best solution for the people - reverse the third party doctrine, and give client-attorney-like privilege to ALL dealings between customers and their providers/contractors! Good luck with that, though.

        reply to this | link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 6 Oct 2016 @ 5:58pm

          Would client / attorney privilege trump an NSL?

          That's an excellent question. The most terrifying answer (and probably the accurate one) is that it depends on the judge, and once you take it to court, you can also be charged with violating the gag order, if filing to challenge require publication of what you're trying to challenge.

          I suspect there's a way to do it legally with a string of lawyers, but I am completely unqualified even to speculate.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2016 @ 9:00am

    I had one Yahoo email address (for maybe 12 years now) that was ONLY used to register yahoo groups. Those groups have dwindled from maybe 5 to just one job club. When the club showed no indication of leaving Yahoo I dropped the club and deleted my one remaining Yahoo account.

    Good Riddance I know you shouldn't attribute to malice what can be adequately explained by incompetence but with Yahoo the bar is flat on the ground.

    reply to this | link to this | view in chronology ]

  • identicon
    John Mayor, 7 Oct 2016 @ 12:04am

    THE LAISSEZ FAIRE CARTE BLANCHE BEFORE THE HORSE

    There is a reason why National Constitutions are PARAMOUNT LAW in respective countries!... AND, THAT IS, CONSTITUTIONS F-R-A-M-E P-A-R-A-M-O-U-N-T P-R-O-V-I-S-I-O-N-S! And that is why a country's National Constitution is more important -- for example!-- than it's Criminal Code! And... because!... a failure to adhere to Constitutional provisions, may very well lead to reactions by citizens (I.E., "CIVIL UNREST"!), that-- in turn!-- may lead to criminal acts! Then... where does one lay blame for the reactions of country's citizens to violations of citizens' Constitutional protections?:... the failure of country's citizens to kowtow to breaches of citizens' (and a country's!) Paramount Law?... or, the failure of a country's authorities to ensure that such Constitutional protections A-R-E-N-'-T V-I-O-L-A-T-E-D?
    .
    These commissions and omissions by Yahoo, NSA and others are not merely "inadvertent mishaps" requiring belated apologies from the perps!... but, rather, premeditated breaches of the most important sanctions that a country can bestow on its citizens!... A-N-D W-H-I-C-H T-R-A-N-S-C-E-N-D M-E-R-E C-R-I-M-I-N-A-L A-C-T-S C-O-M-M-I-T-T-E-D B-Y W-H-O-M-E-V-E-R! Such commissions and omissions strike at the very core/ heart of who and what we are!... A-N-D T-H-U-S, T-H-I-S I-S W-H-Y S-U-C-H B-R-E-A-C-H-E-S A-R-E D-E-S-E-R-V-I-N-G O-F O-U-R H-A-R-S-H-E-S-T O-F P-E-N-A-L-T-I-E-S!
    .
    Please!... no emails!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.