
Judge Orders Yahoo to Explain How It Recovered ‘Deleted’ Emails in Drugs Case - alternize
http://motherboard.vice.com/read/judge-orders-yahoo-to-explain-how-it-recovered-deleted-emails-in-drugs-case
======
codemogul
Relevant and coincidental personal anecdote: 10 years ago I caught my x-wife
in an affair as she was using this same method the communicate with her lover.
Her choice of email address for the shared account raised alarms on my
firewall, so it was a simple matter to track to her machine. While she had
gone to the similar trouble to delete all records on Yahoo (coincidentally),
she had been browsing with IE which, due to some off-line setting, was
cacheing locally all of the pages she had written. It was simply a matter of
laying hands on her laptop and downloading all of that cache to expose the
ruse.

I cannot find the article, but I believe this method of sharing access to one
e-mail account to many parties was one of the comms methods employed by the
9/11 terrorists, pioneered by Columbian drug lords.

~~~
brunoqc
> Her choice of email address for the shared account raised alarms on my
> firewall

What does that even mean?

~~~
satysin
I would assume he means it wasn't one of the big players such as Gmail or
Outlook so when he saw traffic to mail.ru or whatever service it was it looked
suspicious to his normal traffic profile.

------
pliny
Here's a thought: what if 'Yahoo gives FBI snapshots' is actually parallel
construction, but Yahoo are not allowed (under PATRIOT or whatever) to admit
the extent of their cooperation with three letter agencies (for instance, that
they hand over everything they see without requests being made). Do they have
to refuse to comply with the court?

~~~
anonymousab
There is likely leeway for them, or the government, to address the judge in
private and get this all dismissed.

Or perhaps some immunity to any results.

~~~
tobylane
In that case I'm surprised the judges are permitted to ask this sort of
question in public, it creates a warrant canary.

------
resoluteteeth
The idea that Yahoo is covering for a government surveillance program is
entertaining, but it hardly seems difficult to believe that they aren't
actually deleting what they say they are deleting. Of course, keeping copies
of everything forever in violation of their own policy is not exactly going to
make law enforcement unhappy.

I suspect that yahoo and other companies haven't yet taken the issue of
failing to delete data that should be deleted as seriously as that of losing
data that shouldn't be deleted, but this has the potential to become a
significant privacy issue.

------
HarryHirsch
Data retention is negotiated and spelled out in detail in NDAs for contract
research organizations. It's easy to delete data from servers once a project
is done, but the backup tapes also have copies. You can't throw the tapes out,
because the company needs them, hence there are agreements what happens to the
data and tapes, and nowadays these are standard practice.

This is a solved problem in the real world, but some companies would have us
think it's the Wild West, when in fact it isn't.

~~~
greenyoda
But an NDA can't prevent a company from turning over their backup data to the
authorities when presented with a legitimate warrant from a court.

~~~
HarryHirsch
At least you know what documents are retained, and in what form, and for how
long, and you can plan around that. With all these free services you can only
assume the worst.

------
falcolas
I'm curious if there will be blowback on Internet email companies if it turns
out the emails were not deleted, just archived away from user's access.

~~~
gaius
If you ever see an auto-complete feature on a website, it's probable that that
website is logging every keystroke. If you type "thermal detonators" into
Google, but never actually click the button, it's still flagged up aboard the
Imperial Command Ship.

~~~
Kenji
I once read an article about facebook even reporting back to the mothership
messages that you typed out but did not actually send because you changed your
mind. Never forget: The website owns the window you're operating in (if
there's JavaScript), not just requests you send by clicking <a> links.

------
IgorPartola
Aren't backups basically a guarantee that you can never ever delete anything
from anyone's server? Even if you hit delete on an email/post/photo/etc. if
they made a backup before then, your data will now forever live on in some
vault or maybe just Amazon Glacier. I can't imagine that Yahoo would go and
retroactively remove your email from their backup tapes/optical discs/offline
hard drives/clay tablets that they use.

~~~
scoot
The nearest thing to a "standard" for retention of operational backups is
30-60 days. For organisations retaining backups as part of some ill-conceived
archive, 7 years is typical; for organisations retaining backups under legal
hold, or whose backup process is out of control, indefinite retention is not
unheard of.

So while it's possible that backups mean you can never be entirely certain
your deleted data will stay deleted, it's most certainly not guaranteed.

In Europe, the recently enacted General Data Protection Regulations "GDPR"
which will come into force in 2018 will in theory require organisations to
ensure that personal information is removed in an appropriate timeframe - this
would include disposing of backups, or where data is comingled, ensuring at a
granular level that data is blacklisted for restore.

It remains to be seen how practical that will be, so moving to retentions
appropriate for operational restore may be the more sensible solution.

------
lox
I could imagine drafts have much less diligent deletion policies vs sent
emails. Auto-save mechanisms typically keep a long history of diffs, or whole
versions.

------
catfood
UPDATE email SET deleted = 1 WHERE uuid = '3b431dc020cc404b8bbea290e91b9865';

------
geggam
Farm model replicated across regions backed by filers taking snapshots of the
entire farm.

* my speculation _

------
perseusprime11
Is anything ever deleted?

~~~
satysin
If it is on a third-parties servers then _hell no_.

