There has been a lot of talk about Yahoo being “the anti-Apple” when it comes to consumer privacy following last week’s news about a government order granting access to Yahoo Mail. Regardless of what happened there — and it is far from clear — recent reports underscore the need for more consumer awareness about best privacy practices.
It’s definitely been a bad news month for Yahoo starting with the revelation, on September 22, that 500 million Yahoo users had been compromised in 2015, in what was purported to be a Russia-sponsored attack. The news came as Yahoo was entering into final negotiations to be bought by Verizon, and there were reports that the latter subsequently tried to knock a billion dollars off the $4.8 billion offer.
So the pump was primed, as it were, when a second Yahoo news story broke. Without getting lost in the specifics, Reuters reported that Yahoo had rolled over on a government request for data, citing three anonymous sources with zero access to crucial details, such as court documents. According to Reuters, Yahoo combed through all incoming Yahoo Mail searching for a specific digital imprint at the behest of the NSA — piggy-backing on an existing scanning system used by the company to identify spam, child pornography, and malware.
Outrage ran riot. There were voices of reason, but the majority of commentary was a mix of righteous indignation and rudderless speculation. Most commentators assumed the worst about Marissa Mayer and Yahoo.
But was there actually a failure to meet the challenges of privacy and security at this juncture in history when mega breaches — state-sponsored and/or more purely criminal — are a fact of life?
Throw a rock and you’ll hit someone eager to tell you how bad things are at Marissa Mayer’s Yahoo. To be fair, there are those who defended Mayer and pointed out the sexist undertones of the critics’ attempted take-downs.
Then there are others, like Fortune’s Jeffrey Sonnenfeld, who pointed out that Mayer — the company’s ninth CEO in two decades — has done an admirable job, noting that with “600 million unique monthly visitors, and 225 million email users, Yahoo’s resurgence has been noteworthy. In fact, revenues were up 8 percent over last year to roughly $5 billion, with $1.5 billion in its mobile business — up from near zero — and $1 billion in profit.”
What we know about the FISA order is not sufficient to pass judgment. We know a court order was issued and that it granted government access to incoming mail that included a discrete digital marker. We do not know if Yahoo fought it, if there was a gag order, or why they chose to modify an existing system (if that’s what they did) to meet the government’s needs rather than create custom software as was requested from Apple. The reporting was thin and contradictory.
When I reached out to Yahoo about the Reuters report, their only comment was as follows: “The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”
While getting into the weeds on Fourth Amendment issues would be of great interest here if we had access to the whole story, what we have so far is insufficient. So until we have something more, my best advice is that consumers should stick to what they can do to protect themselves.
There are no guarantees, first of all. No protocol or checklist of actions and settings will truly protect us from the third certainty in life — that our privacy will be compromised by a hacker and/or data breach.
There’s email encryption, but it’s not yet as easy as it would need to be to go mainstream.
There are, of course, messaging apps like Signal, WhatsApp and iMessage (iOS only) that provide more protection than email, but as of yet they have not replaced email among mainstream users.
The best course of action, after doing the obvious things like setting long and strong passwords and using multi-factor authentication when available, is to be careful about how you use email. Never store sensitive documents on your email server, and always try to think about what you communicate and how you communicate it. Is it too sensitive to risk being exposed by a hacker? In this new world you must assume that everything you communicate by way of email could end up as the equivalent of skywriting. Perhaps that communication is best saved for a phone call or via an encrypted messaging app — though bear in mind that the latter produces transcripts that also need to be protected.
In the underworld of spies, bad guys and fallible protections only one thing is certain — that you can’t know anything for sure. The Yahoo news certainly leaves room for speculation about other government requests, but we don’t know for sure what happened. What you can know is how to intelligently use these embattled communication tools, always being mindful of the risks even when you use best practices.