Yahoo and Customer Protection: A Lesson in What Not to Do

Blog 5


By Nicholas Van Zandt

On October 4, Reuters released a story stating that Yahoo has been allowing US intelligence agencies to scan the emails of hundreds of millions of Yahoo Mail accounts.  According to the report, Yahoo complied with a government request not only by allowing the National Security Agency to have access to their users' personal emails, but also by tasking their own engineers and developers with creating the program that would facilitate the scanning and data collection.  This allowed real-time scanning of emails, so that every time a Yahoo email user sent an email they were under surveillance.

When Yahoo’s CEO Marissa Mayer agreed in 2015 to obey the government directive, the decision apparently was not a consensus opinion among the company's senior leadership.  This led to the voluntary resignation of their CISO in June of last year.

Yahoo issued a statement in response to this story stating that “Yahoo is a law abiding company, and complies with the laws of the United States.”  However, when other tech companies were given similar directives they fought back for their users’ privacy rights.  In early 2016, Apple was given a very similar directive by the FBI to create a program that would allow the government to hack into iPhones.  Their response was a very public refusal.  Google, while acknowledging that they did not receive such a request, stated that their response would be very simple, “no way.”

This news comes on the back of reporting that Yahoo had suffered a massive cyber attack where over 500 million of their users’ email credentials were compromised over a period of two years.  According to sources inside Yahoo, while all other major tech companies were investing millions in security and hiring hundreds of security engineers, Yahoo was regularly denying the requests of their small security staff to increase funding to improve their defenses.

The security team, which was seeking to raise the alarm, was referred to as “the paranoids” by Yahoo leadership and was frequently ignored.  Other companies, such as Dropbox, Facebook, Google, and Apple, were instead highly impressed with the passion and efforts of Yahoo’s security team, and many of the most qualified were hired away.

While these reports have all been released in the past few weeks, these were issues that were years in the making.  Yahoo has clearly shown a willful neglect in protecting their email users’ privacy, whether from surveillance by US intelligence agencies or from foreign hackers.  While this author realized Yahoo was a weak technology worth replacing with a Google account over ten years ago, the best advice can be put in the words of The Intercept: “Delete your Yahoo account.”

Sources:

Arjun Kharpal, “Apple vs FBI: All you Need to Know,” CNBC, March 29, 2016, Available at: http://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html.

Jeff John Roberts, “Google and Microsoft not Part of NSA Email Scanning Tied to Yahoo,” Fortune, October 4, 2016, Available at: http://fortune.com/2016/10/04/google-microsoft-nsa-email-yahoo/.

Nicole Perlroth, “Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say,” New York Times, September 28, 2016, Available at: http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0.

Sam Biddle, “Delete your Yahoo Account,” The Intercept, October 4, 2016, Available at: https://theintercept.com/2016/10/04/delete-your-yahoo-account/.

“Yahoo has Reportedly been Spying on Hundreds of Millions of its Mail Users,” Reuters, October 4, 2016, Available at: http://fortune.com/2016/10/04/yahoo-mail-spying-software/.
