Yahoo Email Scanning May Sink EU Privacy Shield Agreement

from the nsa-fucking-things-up-again dept

After the US/EU "safe harbor" on data protection was tossed out thanks to NSA spying being incompatible with EU rights, everyone had tried to patch things up with the so-called "Privacy Shield." As we noted at the time, as long as the NSA's mass surveillance remained in place, the Privacy Shield agreement would fail as well. This wasn't that difficult to predict.

And there are already some challenges to the Privacy Shield underway, including by Max Schrems, who brought the original challenge that invalidated the old safe harbor. But things may have accelerated a bit this week with the story of Yahoo scanning all emails. This news has woken up a bunch of EU politicians and data protection officials, leading to some serious questions about whether it violates the Privacy Shield agreement.
Johannes Kleis, a spokesman with BEUC, an umbrella group for European consumer organisations, called on other EU data protection authorities to investigate Yahoo.

Fabio de Masi, a German member of the European parliament with the leftist Die Linke party called on the EU high representative for external affairs Federica Mogherini to seek clarification from US authorities about the treatment of EU data.
And elsewhere as well:
"It goes far beyond what is acceptable," said Johannes Caspar, Commissioner for Data Protection and Freedom of Information in Hamburg, Germany.
Over in the European Parliament, Dutch MEP Sophie in 't Veld has asked the EU Commission to investigate:
While some keep arguing that the whole idea of a safe harbor or privacy shield is a problem, that's not really true. Enabling more easy data flows between countries on a borderless internet is really important for keeping the internet really global. This is a serious issue. The problem is the NSA's surveillance activities undermining all of this, and continually (rightfully) freaking out people in other countries about what happens to data that flows into the US. The answer is not to dump agreements that enable the free flow of data, but to stop mass surveillance activities.

Once again, it appears that overly aggressive mass surveillance by the US intelligence community is creating massive headaches for American internet companies.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data flows, data protection, eu, mass surveillance, nsa, privacy shield, us
Companies: yahoo


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Adrian Cochrane (profile), 6 Oct 2016 @ 2:19pm

    I so wish the EU would tell us developers to Nerd Harder on stopping mass surveillance, alongside protecting privacy otherwise. But I'm guessing they have their own intelligence companies who want technology to let them through.

    link to this | view in chronology ]

  • icon
    Padpaw (profile), 6 Oct 2016 @ 2:30pm

    The US alphabet agencies clearly do not care about the rights of their citizens, why would they care about foreign countries citizen rights.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2016 @ 3:00pm

    Why do I get the feeling that this will become a fight between politicians about who gets to spy on which citizens.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2016 @ 3:19pm

      Re:

      Who gets the direct feed you mean. They all can now spy on everyone's citizens, its really just a matter of having fresh data along with mountains of prior data to sift through once targets have been identified. Remember everyone, three hops includes delivery pizza places as well as 911 calls or even 411 itself.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2016 @ 3:39pm

    The eventual solution

    will be to continue to allow this to continue with a "we won't abuse it, honest!" promise (wink wink, nudge nudge), as long as they avoid "politically sensitive" targets.

    link to this | view in chronology ]

  • identicon
    Personanongrata, 6 Oct 2016 @ 6:00pm

    Cognitive Dissonance and Glass Houses

    Yahoo Email Scanning May Sink EU Privacy Shield Agreement

    Some of the countries that comprise the EU are heavily involved with NSA and GCHQ mass surveillance schemes.

    Highlighted paragraph below excerpted from theguardian.com report titled GCHQ and European spy agencies worked together on mass surveillance

    The German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain's GCHQ eavesdropping agency.

    https://www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance-sn owden

    link to this | view in chronology ]

    • icon
      Wendy Cockcroft (profile), 10 Oct 2016 @ 5:36am

      Re: Cognitive Dissonance and Glass Houses

      Then what we're seeing from the EU is outrage theatre: shouting about it in public while quietly doing business as usual behind our backs — with our data.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Oct 2016 @ 6:50am

        Re: Re: Cognitive Dissonance and Glass Houses

        Then what we're seeing from the EU is outrage theatre: shouting about it in public while quietly doing business as usual behind our backs — with our data.

        Yep.

        link to this | view in chronology ]

  • identicon
    Screaming is all I can do, 6 Oct 2016 @ 10:10pm

    Upstream action is where its at

    Yahoo never even claimed to encrypt anything as google(dubiously)did so there upstream tap was always in the clear, same with outlook and all other MS domains, so whatever all of these people are not only collaborating, making up 40% of GDP they ARE the state.

    lets not even talk about what they are doing they are the NSA, CIA , FBI CBP anyone you want to name. Google is looking for reasons to send a SWAT team to your house, definitely.

    link to this | view in chronology ]

  • identicon
    David, 7 Oct 2016 @ 1:05am

    It's Snowden's fault


    Once again, it appears that overly aggressive mass surveillance by the US intelligence community is creating massive headaches for American internet companies.

    No, this would never have been a problem if nobody had ratted them out.

    This really calls for a drone strike on Snowden in order to send a message that it's inacceptable to endanger the relations of the U.S. government to other nations and its own people by indiscriminately pulling the rug out from over them. There is a reason for the rug, and everybody is aware of what is swept under it.

    It's like bakeries. Every single one has roaches and mice (mice are around anyway, and roach eggs are distributed under the boxes and containers of bakery suppliers and mills, so even a newly built bakery is populated within months). The bakers cope by keeping dough covered and making sure that anything ending up in sales is reasonably safe from access.

    But that's not the story for the customer. Blow the whistle on one bakery and people go elsewhere, shuddering in disgust. Never mind that the stuff running near the food is completely beside the point compared to meat production where the awful bits actually make up your food.

    So yes, the messengers are certainly to blame here. You can't expect people to have realistic expectations, not with what they see in TV (particularly reality TV). People have a right not to have to worry about things they are powerless to change. That's the sole point of civilization.

    Still with me? Creepy.

    link to this | view in chronology ]

    • icon
      nomadgroa (profile), 29 Oct 2016 @ 4:42pm

      Re: It's Snowden's fault

      Guess I'm a creeper cuz I read your entire comment, David. I learned how to read quite awhile back, so I'm not going to lose my mind if you take more than a paragraph to properly express your ideas. 

      Alas, I can't agree Snowden's to blame for the NSA’s wildly illegal behavior. Nor can I agree with your bakery analogy/apology explaining why espionage agencies should be allowed to lie and deceive and sweep highly questionable behavior under rugs so we don’t see the weevils propagating in the…sorry, dude. Can I drop your metaphor? Cuz I’m not sure there’s much difference between the icky bugs that unfriendly foreign powers place in our bread and the maggots the NSA installs there.

      People have a right not to worry about things they are powerless to change? That’s a rather odd statement, my friend. Personally, I'm still clinging to this idea called "democracy" and a country whose government represents the will of the people and not the questionable actions of an unelected intelligence community that claims it can only function if it's accountable to NO ONE AT ALL. Not even a congressional oversight committee. We are NOT powerless to change the tyrannical, belligerent behavior of an espionage community that exploits the very people it claims it’s protecting.

      The sole point of civilization is not to live as sheeple, herded this way and that by lying government douchebags. You may choose that for yourself. Most do. I do not. I'm still a life, liberty and the pursuit of happiness kind of girl. Call me naïve—I’m expecting it, so no worries—but you don't make the world safe for democracy by usurping it.

      You seem to be arguing that in exchange for the illusion of security--because that's the very best ANY intelligence agency can offer--we should allow our country's spies to create whatever havoc they please, at home or abroad, free of skepticism, criticism, or oversight from anyone. You know, like Wall Street bankers. With respect, hell’s no. That’s just wacked. As long as the NSA continues to rape American citizens of their constitutional rights, shit all over the rule of law, perjure itself during congressional investigations, and demand the right to do so with impunity, then we have no choice but to rely on whistleblowers like Edward Snowden. Who, btw, has stacked up quite a list of humanitarian awards from pretty much everyone but the US. And don’t be thinking about dissing Sweden, cuz that’ll just make you look like some sort of imperialist throwback.

      It's James Clapper's fault. Aided by John Kerry, King of the Message Killers.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Oct 2016 @ 1:09am

    The answer is end to end encryption for the masses

    The answer is not to dump agreements that enable the free flow of data, but to stop mass surveillance activities.


    The answer is not to stop mass surveillance. That ship is out of the bag, that cat has sailed.

    The answer is to encrypt all data from everyone all the time.

    This protocol shows how it can be done: http://eccentric-authentication.org

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Oct 2016 @ 4:22am

      Re: The answer is end to end encryption for the masses

      On first glance, this sounds overly optimistic.
      1. DPI will still see the initial handshake and exchange of keys, so it will still be possible to decrypt traffic with a MITM.
      2. They don't mention a key expiration or revoke system, which is always a good thing. Without that a single compromise could last indefinitely.
      3. Storage of PKI keys for every site will cause issues for end users. Simply send a user to a link with links to thousands of other sites and you could DoS the users computer by negotiating so many encrypted connections and possibly overload their HD storage.

      Could be many more, but I just glanced quickly through his front page.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Oct 2016 @ 5:40am

        Re: Re: The answer is end to end encryption for the masses

        1) You obviously have no idea how D-H secure key exchange works. Even if there is a MitM on the key exchange, the compute power needed to derive the key would exhaust the heat energy of the entire universe.

        2) You are confusing host authentication with public/private keys. They are NOT the same thing.

        3) Storage of all public keys is NOT needed. That is why there is a secure exchange of keys AFTER a host has been authenticated.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Oct 2016 @ 6:44am

          Re: Re: Re: The answer is end to end encryption for the masses

          1. So A10 doesn't decrypt SSL traffic?
          https://www.a10networks.com/products/thunder-series/ssl-decryption-encryption-and-inspection -ssl-insight You only need session data usually to decrypt.

          2. It didn't state who is the private key holder. I assumed it was like SSL where the site has the private key, and the user uses the public key. It it's like PGP, than even more so would revocation be necessary, as a lost computer or phone could lead to identity theft.

          3. I'm totally confused on this last part:
          "You can write one of these pseudonyms on a business card and everyone can retrieve the correct keys. People can look up the key that belongs to the name and use that to write encrypted messages. Safe against disclosure and tampering. This forms the basis for secure email, without any difficulties."

          So how do they not have a CA to verify, (think SKS, MIT for PGP) but yet have a public key infrastructure that you can look up and identify the end-user?

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 7 Oct 2016 @ 6:54am

            Re: Re: Re: Re: The answer is end to end encryption for the masses

            Yes, A10 does SSL interception. So does Blue Coat. So does F5. So does.....

            The way A10 et al do SSL interception is that it is placed on a choke point in the network, a self signed certificate is put on the A10, GPO pushes policy to all of the clients on the domain so the self signed cert is trusted, and then it can do SSL interception by "lying" to the client.

            That is NOT how SSL interception works on the open net.

            PKI is designed - for the most part - for a single network of group of networks. It was never intended to be an infrastructure used globally.

            I work on this stuff all day, every day. Get a clue.

            link to this | view in chronology ]

            • identicon
              Anonymous Coward, 7 Oct 2016 @ 8:44am

              Re: Re: Re: Re: Re: The answer is end to end encryption for the masses

              SSLStrip MITM: https://moxie.org/software/sslstrip/
              use -f for a lock fav icon, and most will think they are talking through SSL to the server.
              InfoSec has a good explanation, better than I can probably:
              https://www.youtube.com/watch?v=gNhyjPxuy5w

              Answer is, hope that the server uses HSTS to ensure that you can't fall back to HTTP.

              link to this | view in chronology ]

            • icon
              BobKerns (profile), 7 Oct 2016 @ 10:07am

              Re: Re: Re: Re: Re: The answer is end to end encryption for the masses

              Re: "It (PKI) was never intended to be an infrastructure used globally."

              I'm unclear on what you mean here. Certainly global infrastructure was envisioned even back in the day of the original Diffie-Hellman and Rivest-Shamir-Adelman papers, and the whole Certificate Authority thing has been a global infrastructure from the start.

              There are certainly inadequacies.....

              Be that as it may... I don't do this every day all day, but I've done it on and off for 35 years or so, and I fully endorse your main points here. The whole point of Diffie-Hellman key exchange is to allow keys to be created such that only the two parties know what the keys are, because the keys themselves were never sent, and can't be recreated without some information that each party holds secret.

              This is basic stuff that anyone setting up a secure web server should know at least the what and why, if not the how.

              I just wanted to give you a chance to clarify your point about PKI.

              Your eccentric-authentication link looks interesting. Definitely going in the right direction. I do have some concerns about mischief a clever corrupt CA could pull. I think using blockchain technology could prevent those, though. (It still compares favorably with the current situation, where we've experienced both corrupt and stupid CAs, and the damage is then widespread and hard to contain). That would also allow for robust revocation (a complicated topic, unfortunately).

              But aside from security, my big complaint with the current CA system is that its idea of "identity" can be wildly at variance with what is needed. I ran into difficulty getting a cert for a domain name I own, in the name of a character I own in a MMO. A well-established publicly-known entity that is distinct from my RL identity and to protect other people's privacy I'd like to keep separate.

              There's a role for strong and deep verification of identity, but it needs to be layered on top of a more robust model of basic unique identity. "We have verified that the identity xxxx is associated with Chase Bank's online banking services web site, as attested by VP of Operations Jane Opmanager on 9/12/2020, and back this certification with a $10,000 USD warranty of accuracy, insured by YYY Underwriters, Inc.", all of which can be independently cross-checked. Instead, we have a system where each cert in the chain is a potential point of compromise, and a compromised CA root cert is a global disaster in the making.

              link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Oct 2016 @ 2:26am

      Re: The answer is end to end encryption for the masses

      That website is not even encrypted. Fail.

      link to this | view in chronology ]

  • identicon
    John Mayor, 7 Oct 2016 @ 5:26am

    BEAUTIES AND THE BEAST

    Your last line... I suggest!... is an UNDERSTATEMENT! And!... in numerous senses!... I could care less what "headaches" many of these companies are experiencing!... as many of these companies have their own commissions and omissions to defend against!
    .
    Please!... no emails!

    link to this | view in chronology ]

    • icon
      The Wanderer (profile), 9 Oct 2016 @ 6:47am

      Re: BEAUTIES AND THE BEAST

      Why do you keep saying "Please!... no emails!" in comments in which you do not provide any E-mail address, and so no one reading the comment would be able to send you E-mail in any case?

      link to this | view in chronology ]

      • icon
        Wendy Cockcroft (profile), 10 Oct 2016 @ 5:38am

        Re: Re: BEAUTIES AND THE BEAST

        Not to mention that since reading his horribly formatted comments gives us headaches, nobody would actually want to.

        link to this | view in chronology ]

        • icon
          The Wanderer (profile), 14 Oct 2016 @ 9:40am

          Re: Re: Re: BEAUTIES AND THE BEAST

          I've begun habitually flagging any post of his in which he includes that tagline and omits an E-mail address (which works out to about 99% of his posts). I think I even did that with a post which I also voted insightful, once.

          link to this | view in chronology ]

  • icon
    BentFranklin (profile), 7 Oct 2016 @ 6:21am

    In other news...

    Verizon is asking for a $1B discount on its Yahoo deal.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Oct 2016 @ 9:10am

    EU is more pissed off that yahoo refuse to scan emails for them as well for the same price the NSA was paying.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Oct 2016 @ 12:46pm

    It's good that it sinks because "Privacy Shield" isn't about privacy.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.