Yahoo spying on users and the future of US-hosted IT services

I am sure this piece of news passed through your newsfeed: Yahoo spied on its users on behalf of a US gov agency, reading incoming emails in real time.
Knowing that Yahoo isn't the only IT service provider based in the US that is spied upon by US gov agencies, how do you think these revelations would impact US-based IT service providers? The rest of the world must have taken a notice by now...
Yahoo Email Spying Scandal — Here's Everything that has Happened So Far

Find more posts tagged with

Comments

stryder144

It's not just the NSA/CIA/FBI in the US, it is also the GCHQ, MI5, FSB, etc in other countries doing it. I think that if there is a will, there is a way. No country's security apparatus can really be trusted.

networker050184

Does anyone really think it's different in any other country? You'd have to be extremely naive to think so in my opinion.

Lexluethar

It's a crazy world. You are right other government agencies are doing the same but it doesn't make it any more just.

the_Grinch

US law allows the government to issue a subpoena and been given information from any third party company that has it. Why this is news or shocking to anyone is beyond me. I especially liked Apple's answer because when you read it, it merely stated they took user privacy seriously. Of course it didn't say they didn't comply with government requests for information.

In the end, what did they do? They created a tool that allowed Yahoo staff to read emails in real time. They are already doing that (where do the ads you see come from?) and they created something that allowed them to comply with legal requests more quickly. Without having seen the cases it was used for, I can only say that more than likely it amounts to the same sort of request a law enforcement agency would make of a cell phone provider during an emergency when realtime cell location data is needed.

Now don't take this as me saying that privacy isn't important, it is. But at the same time privacy has been dead for a very long time. The minute we decided that convenience was more important was the day we said goodbye to privacy. Read those terms and conditions, acceptable use policies, and privacy policies. In the immortal words of Willy Wonka, "It's all there! Black and white, clear as crystal".

varelg

the_Grinch wrote: »

US law allows the government to issue a subpoena and been given information from any third party company that has it. Why this is news or shocking to anyone is beyond me...

Notice the title of the topic, "Yahoo spying on users...", it's not NSA spying on users, it's Yahoo. It should be shocking. This puts US-based IT service providers on the spot. If they are willing to spy on you on behalf of the government, and you aren't involved in anything illegal, you wouldn't consider them further for anything beyond providing casual chat room with aquaintances.
Substitute "you" with a business looking to expand into US but has trade secrets that allows "you" competitive advantage. After this story, would "you" consider US-based IT provider to handle the IT side of your business?
And no, there's no other gov in the world that is putting this amount of resources into mass surveillance.

UnixGuy

I read the article, the title is misleading, Yahoo wasn't spying on users; it was a legal filter installed by court order to filter for child pr0n and spam...I don't see the problem really? kudos to them for trying to catch bad guys.

Also, if I have my email hosted by a free service on the Internet (Yahoo or elsewhere) sure I expect them to have access to my inbox?

Again, I don't see the problem.

the_Grinch

No other government in the world spends as much as the US in mass surveillance? You're kidding right? It's a bigger story because the US is suppose to be the bastion of freedom, but believe me every country is doing it and on the same scale (if not on a worse scale than the US). China, Russia, Syria, UK, Australia, Germany, France, etc all have programs like this. Some not as bad, some much worse. Ever been to London? Most watched city in the world. Look up Singapore and their big data movement. They collect so much data on their citizens they were able to pinpoint the handful of people who brought a flu like virus into the country from the airport. (The Social Laboratory | Foreign Policy)

It's not shocking at all. You are literally handing all of your data to someone else and are shocked they look at it? Like I said, where do you think targeting advertisements come from? It's not from them not reading your email. You can say it's an algorithm with machine learning, but when push comes to shove it was tested by someone on a subset of real user data and they saw what was in there.

You want off the radar? Get rid of all your electronic devices because there is no getting away from it. Even then, they'll still be able to find you. Might take awhile, but in the end they will track you. In the name of convenience we decided privacy was optional. The old "I didn't do anything wrong they can go ahead and read it". Yahoo, Amazon, Google, Apple, Comcast, Verizon, Sprint, T-Mobile and any other tech company (and non-technical companies) are all collecting and looking at your data. Most of them are doing (and have been doing it for years) with the mere "trust us" mentality.

The time to be up in arms about it was before it happen or right as it happened. Not 30 years later when it has become so ingrained in the population and in the government that it will never be changed. You know before San Bernardino that Apple complied with every government request? Snowden leaked some info (most of which were programs that had been shutdown for awhile, with new ones in their place) and the public cared for about all of a month. Apple gets some good press, the world forgets, and it's back to business as usual.

You acknowledge, consent and agree that Yahoo may access, preserve and disclose your account information and Content if required to do so by law or in a good faith belief that such access preservation or disclosure is reasonably necessary to: (i) comply with legal process; (ii) enforce the TOS; (iii) respond to claims that any Content violates the rights of third parties; (iv) respond to your requests for customer service; or (v) protect the rights, property or personal safety of Yahoo, its users and the public. <---this is from Yahoo's Terms of Service.

Yahoo analyzes and stores all communications content, including email content from incoming and outgoing email. <---From their Privacy Policy

We provide the information to trusted partners who work on behalf of or with Yahoo under confidentiality agreements. These companies may use your personal information to help Yahoo communicate with you about offers from Yahoo and our marketing partners. However, these companies do not have any independent right to share this information.

We have a parent's permission to share the information if the user is a child under age 13. See Children's Privacy & Family Accounts for more information about our privacy practices for children under 13 .

We respond to subpoenas, court orders, or legal process (such as law enforcement requests), or to establish or exercise our legal rights or defend against legal claims.

We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo's terms of use, or as otherwise required by law.
We transfer information about you if Yahoo is acquired by or merged with another company. In this event, Yahoo will notify you before information about you is transferred and becomes subject to a different privacy policy.

All of the above is also from Yahoo's Privacy Policy.

Thus Yahoo users got exactly what they signed up for and agreed to.

Now do I agree with all that these companies do? No. But I am an informed user who knows they are doing it and who is choosing not to setup my own email server with a company that records no logs.

fredrikjj

networker050184 wrote: »

Does anyone really think it's different in any other country? You'd have to be extremely naive to think so in my opinion.

Yes I think it's different in some other countries in the sense that it's not possible to legally force tech companies to install back doors AND also demand secrecy from the company in question. If things like this went on in Sweden for example, it would rely on co-operation by individuals and companies that could reveal the scheme at any point.

varelg

@the_Grinch >>No other government in the world spends as much as the US in mass surveillance? You're kidding right?<< No grinch, I am not kidding. No other country on this planet spends on mass surveillance as much as the US gov. Despite what corporate bullhorns, pardon- media coverage tells you. I know you'll stop reading here, but I'll continue.
I'll point to the title of this topic: I am not discussing legalities here but the impact these revelations will have on businesses that have the IT part of their work handled here in the US by US-based IT services.
Let's say you as a business compete for a valuable contract from potential customer against a US-gov contractor. The customer has no ties to US gov. Your business has a competitive advantage over the US gov's contractor in the form of a trade secret/design/formula you developed after years of R&D. That advantage (or hints of it) is stored with a US-based cloud provider. What do you think, how long will it take for the US-gov contractor to pull its strings in DC and have your cloud provider cornered with some vague FISA letter that allows US gov read your cloud storage and telegraph it to its contractor? Resulting in you loosing your competitive advantage and the valuable contract despite years of hard work in R&D?

alias454

Seems like it would be less trouble to find some sys admin and bribe them. As far as privacy and using third party providers, you have to make a decision based on what you value most. If you want free there will be strings attached. Granted, if we are minding our own business, we should have an expectation of privacy but that only goes so far in today's world.

the_Grinch

Your making a leap from intelligence related work to corporate espionage by the government and if you can't supply any evidence other then "I think it's happening or could happen" then it isn't an argument. As the old adage goes, if my grandfather was a woman he'd be my grandmother. I'll concede that your argument isn't on the legality of what might have been done, but is on the sheer fact that it was done. But at the same time anonymous sources saying "this is what they said it did, but it could have done anything" isn't exactly inspiring. It could have been taken everything that came it, it could have done nothing, or it could have done exactly what it said it did.

Clearly we aren't going to be changing each other's mind on our stances, but healthy debate is always a good thing in my mind.

Chinook

@The_Grinch

I can remember a time when there were Hollywood movies about people escaping their country to come to America because their government spied on them & listened to their phone calls. The United States is like the "Nike" of spying on it's citizens. It's the whipping boy because it's so high profile but other nations spy on their citizens & on other countries.

Personally I think the bigger issue is organizations like the NSA hiding vulnerabilities in software. The concept of the NSA is to protect American interests not exploit flaws in their software for their own espionage.

beads

More ironic are the people who complain about Yahoo's privacy practices on Facebook.

Smart, very smart!

- b/eads

the_Grinch

It's very much a "the US is the bastion of freedom, yet look at what they do" type of thing. We get half the story and then have only our imaginations to make up the rest. varelg could 100% be on the money with what is happening. varelg could also be 100% wrong, just as I could be 100% wrong. Until such time that we get to see the order we can only hypothesize about what was loaded and what it did/could do. Initial story says Yahoo engineers wrote the program and that it was related to child pr0n and spam. Then the story becomes Yahoo engineers wrote the program, but it was to search for keywords (provided by the government) in real time and the data given to the government. Then the story becomes Yahoo engineers didn't write the program, merely installed a kernel module provided to them, and that engineers felt it was buggy and that it might allow for more then what it said it was suppose to do. What truly happened? We may never know.

Does the government do things that are not in the privacy interests of it's citizens? Certainly. They'll provide any number of reasons for it (typically "security") and talk all about the limitations to it, but ultimately it's all nonsense. Fact is we live in a 1984 society. Many always thought it would be via government systems, but it was corporations that built the systems that ultimately observe us. We brought into them and now we deal with that buy in. Plenty of non-government groups out there stealing trade secrets, just as there are state sponsored agents stealing trade secrets. Would you put your company's servers in a Chinese or Russian data center? Want me to buy the argument that our government is in the business of stealing trade secrets? Ok, but so is every other government on the planet. Probably should just unplug and live in a cave.

alias454

We can't live in a cave, how are we going to see season 3 of Mr Robot

the_Grinch

alias454 wrote: »

We can't live in a cave, how are we going to see season 3 of Mr Robot

Exactly! Phase 2 is upon us!