Yahoo and Privacy

By mike_danhofmike_danhof (1261366944|%a, %b %e at %I:%M%p)

In an interesting development, Yahoo has ordered a website to take down its detailed listing of spying services it provides to law enforcement officials.

wired_logo.gif

Background and Synopsis

yahoo_logo.jpg

The WIRED magazine article from December 4th (which can be read here) talks about how Yahoo filed a request to block a Freedom of Information Act inquiry about its pricing policies for information and what kind of records it keeps of its users. The owner of the website Cryptome, John Young, however, was able to post a copy of the report that was leaked by someone (likely a Yahoo employee, IMO). In an even more interesting move, though, Yahoo's legal team has filed a DMCA take down notice (DMCA being the Digital Millennium Copyright Act) ordering Young to remove the report, as Yahoo says it is copyrighted. They also claim that Cryptome has exposed Yahoo's trade and business secrets, and that by publishing it, criminals would know how to avoid surveillance. Yahoo also published a Compliance Guide, which gives some insight into what kind of information Yahoo tracks and keeps on file:

The guide also reveals that the company retains the IP addresses from which a user logs in for just one year. But the company’s logs of IP addresses used to register new accounts for the first time go back to 1999. The contents of accounts on Flickr, which Yahoo also owns, are purged as soon as a user deactivates the account.

Chats conducted through the company’s Web Messenger service may be saved on Yahoo’s server if one of the parties in the correspondence set up their account to archive chats. This pertains to the web-based version of the chat service, however. Yahoo does not have the content of chats for consumers who use the downloadable Web Messenger client on their computer.

Instant message logs are retained 45 to 60 days and includes an account holder’s friends list, and the date and times the user communicated with them.

This is pretty intense, and there is probably even more that they keep track of (if you are interested, the entire disclosure document in .pdf form can be read here).

Yahoo responded to the FOIA request by saying that the person who requested it (which went to all Department of Justice agencies) that the user could use this information to "shame" Yahoo and other companies (like Verizon, SBC, Comcast, and more) and "shock" customers about their practices. Also, Yahoo said that by keeping this information public:

“…Yahoo!’s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies,”

However, Verizon, who also objected to the FOIA request, took a different approach. They said that the release would confuse customers, thinking that anyone could get this information, and not just law enforcement officials, and would cause a flood of calls asking for their data. Kind of a cop-out a approach, but fairly rational too. I don't know if it would actually cause a "flood" of calls though.

Just to give an idea of what prices are like:

  • Cox Communications charges $2,500 to fulfill a pen register/trap-and-trace order for 60 days
  • Comcast charges at least $1,000 for the first month of a wiretap, and $750 per month thereafter
  • Yahoo charges the government about $30 to $40 for the contents, including e-mail, of a subscriber’s account. It charges $40 to $80 for the contents of a Yahoo group.

Implications

Privacy has always been one very sticky issue on the internet. On the one hand, people should be entitled to know what kind of information is being kept about them on company's servers. It is information about themselves and what their web habits are like, and even conversations that they may be having with friends or co-workers. On the other hand, the internet is a breeding ground for crime, and even terror. One can always hear stories about how terrorist cells used an internet group to plan and organize training, funding, and even attacks all over the world. So in this case, it seems like it would be wise for companies like Yahoo to keep track of activity and allow the DOJ to obtain it, for a price. So the tradeoff is, once again, privacy versus safety. How safe do you want to be? Do you feel that giving up some anonymity on the internet will lead to a safer society? However, for what purposes is the DOJ using this information?

Final Thoughts

I have never been quite sure what to think about my privacy on the internet. In all honesty, I rarely think about it. Most of the time, I do what I want on the internet (all of it legal, of course), and leave it be. I personally have nothing to hide. However, it is rather disconcerting to know that companies like Yahoo and Comcast are keeping detailed information about me on their servers, without my knowledge or consent. I'm sure much of this is covered in things like the Patriot Act and other legislation that gets passed without much fanfare or debate. I am not opposed to having some of my data stored and being available for government officials to see, but I don't want them to be able to see everything, just on principle. It will be interesting to see what kind of implications this will have for Yahoo and other companies, such as greater disclosure about what they track, opt-in and opt-out options, and more.

Further Reading

Yahoo's Objection Letter
Verizon's Objection Letter
First WIRED article

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License