What Will The Next Yahoo Revelation Be?

As if things weren’t bad enough for Marissa Mayer and Yahoo after the announcement of losing 500 million user records and the very negative article in the NY Times last week about how they treated security, now there is a new revelation.  Supposedly, Yahoo wrote custom software to search all emails in real time for specific search terms and feed that data to the NSA.

When the government came to Yahoo, unlike the very public fight that Apple fought with the FBI, Yahoo – specifically Mayer – decided to agree to do that.  She did not tell her head of security, who discovered the software within a couple of weeks of it being installed and quit over the incident.  He is currently working for Facebook.

It is likely that Yahoo was served with a secret FISA court order compelling them to do that, but as with the Apple case, Yahoo could have fought it.  Whether they would have been successful or not is unclear.  Courts have sided both for and against Apple in their battles with the feds.  Yahoo has only said that they are a law-abiding US company and comply with US laws.  I would read between the lines to say that they were served with a FISA order and prohibited from telling anyone about it.

Both Google and Microsoft have said that they have never been served with a similar warrant.  Whether this is true or not is unclear.

What appears to have really riled some folks up at Yahoo was that Mayer didn’t fight.  She just rolled over.

Based on an earlier New York Times article it doesn’t appear that Mayer had much concern about security or privacy, so she may have decided that it wasn’t worth spending the money to fight.

What is clear is that right now, on the eve of selling the company to Verizon, this is one more headache that Yahoo does not need.  Of course, Verizon could say that this is the way it is – after all, they were outed as having fed all of their call records to the NSA for years.  However, it could cause more customers to flee from Yahoo, making the property worth even less.  It is unlikely that Verizon could have a clause in the purchase agreement that says that if it is discovered that Yahoo complied with legal US court orders, we can change the terms of the deal, but losing customers is certainly not something that Verizon wants to happen.

This is not even something that you could reasonably say could or should be discovered during due diligence.  You could ask certain negative questions, like “Is it accurate that you have never been served with a FISA warrant for x?”, but even answering that is dicey, and it seems like most people at Yahoo would not have known about it, so they might have answered the question incorrectly.  Dealing with the blowback from FISA warrants might give some buyers pause if they thought the facts might come out after the purchase.

From a user’s standpoint, this is just one more nail in the coffin of the expectation of privacy.  For users using cloud based services, it is clear that you should not expect your data to be private – either from law enforcement or vendor employees.  You also should not expect to be told when your information is viewed by or given to third parties.

If that is a concern, then the only workable option is to encrypt the data yourself in a way where only you or your company control the encryption keys.  Some of the large cloud providers such as Amazon offer such services for enterprises.  For other users, there may be add-on products that allow you to do that.  For example, BoxCryptor is an add-on for Dropbox and other cloud file sharing services that allows you to encrypt your data before it is stored in Dropbox or the other services.  It is your responsibility to manage and distribute the encryption keys for products like this.  Security.  Convenience.  Pick one.

May you live in interesting times.  Yes we do.

Information for this post came from Reuters.
