In today’s links post, I blogged about Yahoo’s compliance with a federal “security directive.” If true, their act would not only be despicable, but would be technologically unprecedented. They reportedly not only rolled over without a fight, but actually built new software at the behest of the fedgov to spy in real time on their users’ incoming and outgoing mail.
There are obviously still a lot of questions here, including some extremely basic ones. Did Yahoo really do this? Was the request made by the NSA or the FBI? What were the specific terms the company was “directed” to scan for? What other companies received similar requests and how did they respond?
Not to mention the larger questions like what the hell is a security directive? How does it differ from a warrant or a subpoena? Why was it used instead of a subpoena when this was apparently part of a criminal investigation? What gives some random federal agency the authority to issue one? And what law or principle requires any private company to submit to a non-warrant/non-subpoena piece of paper from the fedgov? (When I did a search on “what is a security directive,” the first two pages of results contained a lot of articles like this one, discussing specific directives by the TSA or explaining specific types of directives the president can issue. But I found not a mention of the basic legal or (un)constitutional principles.)
And — not that it matters, these days — but if the directive was issued under the Foreign Intelligence Surveillance Act, why was every single Yahoo user everywhere investigated as a criminal?
The Intercept has more. They’re very good at this kind of work and I expect we’ll be hearing more from them soon.
We do know, at least, that Yahoo’s director of security quit rather than go along with the directive. Good for him. Then he went to F*c*b**k. OMG. At least his departure confirms that this business really happened even if details are still vague.
Given this plus the recent news that Yahoo allowed between 500 million and a billion user accounts to be breached two years ago — and apparently didn’t even notice — it’s time to delete Yahoo. And more.
I never used Yahoo email, but I did have an account that allowed me to participate in three Yahoo-based email groups. It was no big deal for me to delete my Yahoo account. Which I did today. But that’s not enough.
It is time for all people who give a damn about their security — and the security of those who correspond with them — to stop patronizing this ghastly company. And, for that matter, to stop patronizing all other companies known to bend over for every federally ordered betrayal of their users. Or known to perform datamining on both users and their friends.
Years ago, when the first companies invited people to sign up for “free” email in exchange for allowing their correspondence (and their correspondents’ correspondence!) to be scanned for marketing purposes, my first response was to vow I’d simply never exchange messages with anyone who used those services.
Then so many people rushed to sign up to be data-mined that I couldn’t keep my promise to myself.
This morning I decided to take a second look at Yahoo with the idea of blacklisting all *.yahoo.com email addresses. I found that, over the last 10 years, I’ve sent 898 emails to yahoo.com addresses and that even now, several people who are very important to me use Yahoo email. So, still, I can’t “delete Yahoo” (or Gmail or Hotmail or similar abominations) from my personal correspondence even though I’ve deleted my Yahoo account.
We’re all in this together. So all I can do is gently suggest that if you rely on Yahoo or any similarly weak-kneed company, you switch. Switch now. Switch even though it’s a hassle. Switch for your own sake and the sake of everybody you correspond with. Switch for the sake of freedom, privacy and real security.
Either get a paid mail service that uses good security practices, or if you must use free mail, sign up with something like ProtonMail, which has both free and paid services. ProtonMail is far from perfect but at least isn’t in the business of data-mining its customers or (you’ll pardon my French) spreading its cheeks and breaking out the Vaseline every time some member of the U.S. uber-government is in the mood for rape.
Please do not trade your and your friends’ security for the “convenience” of companies whose loyalty is neither to you nor to freedom.