Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report

from the blink-twice-if-you're-being-forced-to-say-this dept

Wed, Oct 5th 2016 10:42am — Mike Masnick

After basically all the big tech companies have come out with strong and clear denials, Yahoo this morning released a silly mealy mouthed non-denial denial, written by a PR firm, that took almost 24 hours to craft:

Good morning –

We are reaching out on behalf of Yahoo regarding yesterday’s Reuters article. Yahoo said in a statement:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

Best,

The Joele Frank Team

Media to Yahoo: Did you eat all the cookies?
Yahoo *with crumbs and smeared chocolate around mouth*: We do not have any cookies.
— Christopher Soghoian (@csoghoian) October 5, 2016

Of course, people are parsing every word of that and noting some... remaining questions. The article is misleading? Okay, how? Which parts? What did it get wrong? You narrowly interpret every government request? Great. So explain what was found here, or explain the specifics of what Yahoo is doing. "Does not exist on our systems"? Did it ever? Does it exist on someone else's system? Does a different mail scanning system exist? Lots of people would like to know.

More importantly, note that they say they want to minimize disclosures. But that's not the key issue here, as Chris Soghoian points out. The Reuters report was on the searching of all emails, not the disclosure bit. Yes, sure, it seems clear that after searching everyone's email, Yahoo likely only "disclosed" a small number to the NSA, but that's not really the point, is it?

I mean, I guess this statement is better than Yahoo's original: "Yahoo is a law abiding company, and complies with the laws of the United States" statement. But, it's not very reassuring. Much more important is what Yahoo could have said, but didn't.

What Yahoo could have easily said but didn't: “We have not conducted such scanning. We produce content only about specific accounts."
— Julian Sanchez (@normative) October 5, 2016

But that's not happening. Yahoo has said that it "can't comment further" which either means it doesn't want to comment further or, potentially, that it feels it is legally barred from commenting any further -- which is certainly a possibility (though a disturbing one).

The NSA or the Director of National Intelligence could help clear this up, but so far they're going all Glomar on any questions:

NSA's Rogers neither confirmed nor denied Yahoo story. #cambridgecyber
— Ken Dilanian (@KenDilanianNBC) October 5, 2016

And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: email, mass surveillance, non-denial denial, nsa, scanning, section 702
Companies: yahoo

32 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 5 Oct 2016 @ 10:54am

Considering..
Considering the news that hit today about the BoozAllen contractor that has been held since August regarding theft of NSA secrets, I'm sure Yahoo doesn't want to say much of anything right now.

http://www.cnn.com/2016/10/05/politics/intelligence-contractor-arrested-stealing-secrets/index.html

h ttp://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html
[ link to this | view in chronology ]
- Anonymous Coward, 5 Oct 2016 @ 12:44pm
  
  Re: Considering..
  Would you mind elaborating on this connection?
  [ link to this | view in chronology ]
  - Anonymous Coward, 5 Oct 2016 @ 3:03pm
    
    Re: Re: Considering..
    No connection whatsoever (that I know of, at least). However, if you could get your company off the front page by letting another, juicier, NSA story become the headline, would you do so? Or would you jump up and down, wave your arms and scream, 'Hey! We did questionable stuff FOR the NSA!! Why aren't you over here sticking microphones in our faces!?!?'
    [ link to this | view in chronology ]
JoeCool (profile), 5 Oct 2016 @ 11:00am

Confirmed!
Considering the NSA swears back and forth in strong language almost instantly to deny things, not doing so now means it's confirmed.
[ link to this | view in chronology ]
Anonymous Coward, 5 Oct 2016 @ 11:13am

Yes, sure, it seems clear that after searching everyone's email, Yahoo likely only "disclosed" a small number to the NSA, but that's not really the point, is it?

Well, it's better than the alternative of letting the NSA search it, because at least this way the NSA doesn't have everyone's emails.
[ link to this | view in chronology ]
- NSA, 5 Oct 2016 @ 11:16am
  
  Re:
  "the NSA doesn't have everyone's emails."
  Sorry cupcake, we do.
  [ link to this | view in chronology ]
- Chryss (profile), 5 Oct 2016 @ 11:23am
  
  Re:
  It is a sad day indeed when we are reduced to considering better degrees of awful when it comes to violation of our most basic constitutional rights.
  
  Maybe Hills and The Don can cover this at the next debate while we consider better degrees of awful candidates.
  [ link to this | view in chronology ]
  - Thad, 5 Oct 2016 @ 2:23pm
    
    Re: Re:
    Feel free to ask them; they're soliciting debate questions over at https://presidentialopenquestions.com/ .
    [ link to this | view in chronology ]
- Anonymous Coward, 5 Oct 2016 @ 2:18pm
  
  Re:
  They don't need everyone's, just the dissidents and whistleblowers and rival drug manufacturers/money launderers/distributors and arms dealers.
  [ link to this | view in chronology ]
- Anonymous Coward, 5 Oct 2016 @ 5:09pm
  
  Re:
  "Well, it's better than the alternative of letting the NSA search it, because at least this way the NSA doesn't have everyone's emails."
  
  Is that the only alternative you can see? How about the government not having warrantless access to anyone's emails?
  [ link to this | view in chronology ]
- Whutevah, 6 Oct 2016 @ 7:08am
  
  Re:
  "Well, it's better than the alternative of letting the NSA search it, because at least this way the NSA doesn't have everyone's emails."
  
  It's better than killing and eating babies, so that makes it OK!
  [ link to this | view in chronology ]
DannyB (profile), 5 Oct 2016 @ 11:18am

Narrow Interpretation
Yahoo narrowly interpreted the request to mean only users who use email on Yahoo's systems, and not on any of its competitors' systems.

Further, the request was narrowed to only search emails from the present to the past, and excluding all future emails to be sent once the ongoing search operations cease.
[ link to this | view in chronology ]
Anonymous Coward, 5 Oct 2016 @ 11:32am

They're lying through thier teeth, Mike, and you know it.
"After basically all the big tech companies have come out with strong and clear denials,..."

Which mean absolutely NOTHING given their LONG CONCRETELY ESTABLISHED HISTORY OF LYING.
[ link to this | view in chronology ]
- DigDuggery, 5 Oct 2016 @ 11:37am
  
  Re: They're lying through thier teeth, Mike, and you know it.
  Hah, caught ya.
  
  You know damned well that no one can lie through Thier's teeth, as Thier hasn't had any teeth for at least a decade.
  [ link to this | view in chronology ]
- James Burkhardt (profile), 5 Oct 2016 @ 11:52am
  
  Re: They're lying through thier teeth, Mike, and you know it.
  Could you perhaps give an example? and not a teleco? Because from what i remember details later proved that any specific denials relating to government survailence were accurate.
  [ link to this | view in chronology ]
  - Mike Masnick (profile), 5 Oct 2016 @ 11:46pm
    
    Re: Re: They're lying through thier teeth, Mike, and you know it.
    Could you perhaps give an example? and not a teleco? Because from what i remember details later proved that any specific denials relating to government survailence were accurate.
    
    They can't. People want to insist that the tech companies are lying, but there's been *zero* evidence to support this. The telcos, yes, but not the internet companies.
    [ link to this | view in chronology ]
Ninja (profile), 5 Oct 2016 @ 11:40am

This reminds of earlier news that law enforcement went after Signal with overly broad subpoenas and Signal could provide exactly nothing because their stuff are end-to-end encrypted and they keep minimal info. Sure law enforcement can request targeted monitoring of available information such as size of the traffic and metadata but they will be forced to do their investigative jobs. Other companies should take note.
[ link to this | view in chronology ]
Anonymous Coward, 5 Oct 2016 @ 12:24pm

Given that almost every article on yahoo requires clicking twice (for full story) and the worsening of their sports page - I cant recall the last time I even visited yahoo. Also glad I never used my real phone to create an account.
[ link to this | view in chronology ]
- Thad, 5 Oct 2016 @ 2:25pm
  
  Re:
  I definitely recall the last time I visited Yahoo: it was last week, to change my password.
  [ link to this | view in chronology ]
coward (anon), 5 Oct 2016 @ 12:36pm

As always
should you or any of your I.M. Force be caught or killed, the Secretary will disavow any knowledge of your actions.
[ link to this | view in chronology ]
Anonymous Coward, 5 Oct 2016 @ 12:45pm

Good thing Facebook and Google pay their employees enough to keep them quiet.
[ link to this | view in chronology ]
Uriel-238 (profile), 5 Oct 2016 @ 12:48pm

"What we do is legal" and "Our policy is to do X" are standard boilerplate responses.
This is to say they haven't really said anything except what is normally authorized for a low level representative to say.

This means that, yes, they're remaining silent for now, which can be interpreted Yahoo is guilty as fuck, but they don't know yet if they can cover this up and if not, who to can as a scapegoat. Also, if incidental, who is actually responsible.

If Yahoo doesn't change their statement soon, it's going to default to we don't give two shits for our end users. All we care about is short-term dividends and executive paychecks.

So...stay tuned!
[ link to this | view in chronology ]
- sigalrm (profile), 5 Oct 2016 @ 12:56pm
  
  Re: "What we do is legal" and "Our policy is to do X" are standard boilerplate responses.
  Remember, Yahoo only has to hold out long enough for Verizon's check to clear.
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 5 Oct 2016 @ 1:30pm
    
    That's right Yahoo is now a Verizon thing.
    And rolling over for US Agencies is standard Verizon policy.
    [ link to this | view in chronology ]
Anonymous Coward, 5 Oct 2016 @ 1:22pm

Of course Yahoo is lying
What's left of Yahoo is just miserable. I have the unfortunate "pleasure" of dealing with their email operation on a regular basis, and -- as far as I can tell -- it's staffed by crack monkeys. Outages happen regularly. Messages are accepted for delivery and disappear. Messages are refused for no reason and then accepted later. Attempts to report any of the massive spam coming FROM Yahoo are ignored or dismissed or....well, I can't even classify some of the responses because they're a word salad of nonsense. They deployed DKIM because reasons, breaking every mailing list in the world. (See IETF archives.) Their "Yahoo Groups" operation returns erratic results apparently depending on phase of the moon and is designed to hold users' data captive. (Just try asking them for a full export. Really. Just try.)

And so on. Frankly, I doubt that they had the technical competence to execute this task correctly, a speculation substantiated by the resignation of their security guy and his statement that this implementation compromised user accounts.

Gee. You don't think that had anything to do with 500M+ accounts we found about last week, do you?

The best thing that could happen for the Internet at this point is (1) the export of all remaining useful data from Yahoo and (2) its immediate shutdown.
[ link to this | view in chronology ]
Digitari, 5 Oct 2016 @ 3:04pm

RE:
I started on yahoo back in 2000, when webcams and voice chat was "the" new thing, I left in 2006, when the chat rooms changed. They have been going downhill ever since. ( back then, everyone was dressed on webcam )
[ link to this | view in chronology ]
MrTroy (profile), 5 Oct 2016 @ 10:20pm

Fight?
And that alone should be a giant warning sign to any tech company that decides not to fight these kinds of demands: when it inevitably leaks to the public (and it will), the intelligence community will let you hang out to dry all by yourself.

I'm curious how a random tech company would be able to fight?

I guess a good answer is to spend a bunch of money to implement end-to-end encryption (and then even more, to do it properly)... but that doesn't work for email, or message boards, or a bunch of other situations.

But even then, how does a random tech company fight back against demands from the government to open a back door?

The only options I can see end up being to be to fight it in court (Apple), or to fold the company and liquidate the equipment (Lavabit). Both are horrifically expensive, and either way the cost is ultimately borne by the customer.
[ link to this | view in chronology ]
- Uriel-238 (profile), 5 Oct 2016 @ 11:17pm
  
  Fighting in court / Folding and liquidating
  The advantage to both of these options is in the long term. Companies willing to fight the surveillance state in court develop the reputation of standing up to the surveillance state, which drives business to them.
  
  For companies not big enough to fight, when they instead fold in protection of their customers, that reputation of integrity goes with them to their next line of work. It shows they're solid and willing to suffer a terrible setback to uphold the privacy and security of their customers.
  
  That's the impetus (other than sleeping soundly) of Alex Stamos quitting Yahoo when he discovered his superiors circumvented him in adding their (vulnerability-laden) spy code.
  
  Stamos did the right thing, and he may well be chosen for a hire based on that very action.
  [ link to this | view in chronology ]
  - MrTroy (profile), 6 Oct 2016 @ 12:20am
    
    Re: Fighting in court / Folding and liquidating
    I agree with that on the extremes, but I think it still falls down in the middle:
    
    Massive companies can afford to go to court, hoping that the PR boost from fighting for their customers comes back to their bottom line.
    
    Individual employees, or tiny companies like Lavabit can afford to fold up operations, because those people are making the decision for themself.
    
    What if you're the owner of a company with a dozen employees? A hundred? A thousand, across multiple countries? You may be able to get work again quickly on the back of a reputation of "standing up to the man"... but how long until you can afford to re-hire all of those employees again? Will they be able to hold out for long enough?
    
    Plus, as one of your customers, how do I know that your new product is going to be around for long enough to get use out of it? Especially if you're offering a service, what happens when the government targets your new service in six months time? At what point does "have backup providers ready" become "just use a different provider"?
    
    It's not just tech companies either; tax accountants, builders and tradespeople (we need you to install a bug while you're doing this job)... I don't know if lawyers are on this list; would client-attorney privilege trump an NSL? And that's probably the best solution for the people - reverse the third party doctrine, and give client-attorney-like privilege to ALL dealings between customers and their providers/contractors! Good luck with that, though.
    [ link to this | view in chronology ]
    - Uriel-238 (profile), 6 Oct 2016 @ 5:58pm
      
      Would client / attorney privilege trump an NSL?
      That's an excellent question. The most terrifying answer (and probably the accurate one) is that it depends on the judge, and once you take it to court, you can also be charged with violating the gag order, if filing to challenge require publication of what you're trying to challenge.
      
      I suspect there's a way to do it legally with a string of lawyers, but I am completely unqualified even to speculate.
      [ link to this | view in chronology ]
Anonymous Coward, 6 Oct 2016 @ 9:00am

I had one Yahoo email address (for maybe 12 years now) that was ONLY used to register yahoo groups. Those groups have dwindled from maybe 5 to just one job club. When the club showed no indication of leaving Yahoo I dropped the club and deleted my one remaining Yahoo account.

Good Riddance I know you shouldn't attribute to malice what can be adequately explained by incompetence but with Yahoo the bar is flat on the ground.
[ link to this | view in chronology ]
John Mayor, 7 Oct 2016 @ 12:04am

THE LAISSEZ FAIRE CARTE BLANCHE BEFORE THE HORSE
There is a reason why National Constitutions are PARAMOUNT LAW in respective countries!... AND, THAT IS, CONSTITUTIONS F-R-A-M-E P-A-R-A-M-O-U-N-T P-R-O-V-I-S-I-O-N-S! And that is why a country's National Constitution is more important -- for example!-- than it's Criminal Code! And... because!... a failure to adhere to Constitutional provisions, may very well lead to reactions by citizens (I.E., "CIVIL UNREST"!), that-- in turn!-- may lead to criminal acts! Then... where does one lay blame for the reactions of country's citizens to violations of citizens' Constitutional protections?:... the failure of country's citizens to kowtow to breaches of citizens' (and a country's!) Paramount Law?... or, the failure of a country's authorities to ensure that such Constitutional protections A-R-E-N-'-T V-I-O-L-A-T-E-D?
.
These commissions and omissions by Yahoo, NSA and others are not merely "inadvertent mishaps" requiring belated apologies from the perps!... but, rather, premeditated breaches of the most important sanctions that a country can bestow on its citizens!... A-N-D W-H-I-C-H T-R-A-N-S-C-E-N-D M-E-R-E C-R-I-M-I-N-A-L A-C-T-S C-O-M-M-I-T-T-E-D B-Y W-H-O-M-E-V-E-R! Such commissions and omissions strike at the very core/ heart of who and what we are!... A-N-D T-H-U-S, T-H-I-S I-S W-H-Y S-U-C-H B-R-E-A-C-H-E-S A-R-E D-E-S-E-R-V-I-N-G O-F O-U-R H-A-R-S-H-E-S-T O-F P-E-N-A-L-T-I-E-S!
.
Please!... no emails!
[ link to this | view in chronology ]