
Yahoo scanned customer emails for US intelligence - tshtf
http://news.trust.org/item/20161004170601-99f8c
======
DubiousPusher
I think the attitude here that most tech companies are rolling over and just
complying without a single ethical consideration is misplaced.

The government has been doing an excellent job of basically extorting these
companies into compliance. They threaten the full weight of the US
government's wrath and then tie every order up with classifications and gag
orders.

You aren't legally allowed to talk to other companies in the same position.
Most of your legal team probably doesn't get to know what's going on. You can't
take your case to the public without being held in contempt.

I'm not giving these companies a complete pass for being complicit in the
erosion of individuals' civil liberties but treating this as if the decision
is easy is vastly unfair.

~~~
rdl
I wonder what the actual personal consequences are for someone going public
that there is an NSL requested. I seriously doubt they'd destroy a major
public company with lots of employees/voters/users; fines, maybe, and going
after execs, but the Government loses most of its power to threaten things
once the act is done and everything is public.

I think you win in the court of public opinion if it's a broad program like
this (and IMO clearly unconstitutional). If it's an NSL about, say, an order
to specifically target UBL, you probably hang in public opinion. If it's an
NSL about, say, finding Snowden, you might be ok. This is an interesting check
and balance vs. government overreach.

I'd be a lot more comfortable with someone going public in a live press
conference in DC (maybe releasing a key to a file which is pre-distributed),
than someone running off to Russia or doing it anonymously, though.

~~~
mikestew
It's an experiment that I would personally be willing to try were I a high-
visibility C-level exec. Been to jail, not that bad, mostly just boring; and
certainly the jail that CEO me goes to would likely be better than the jail
the real me has been a guest of. But the kind of person willing to tweak the
nose of the government doesn't usually get to be C-anything.

As you point out, best to wisely pick your battle as you'll want public
opinion behind you. And remember that as popular as she is, Martha Stewart
still went to jail.

~~~
compiler-guy
Chelsea Manning, who is imprisoned over something similar to this case, may
have a different opinion on how nice jail is than you.

~~~
envy2
Chelsea Manning was imprisoned over something very different: she was a US
soldier, not a private citizen, and she made public internal government
documents, not a letter explicitly addressed to her.

Different standards do (and, IMO, should) apply to leakers who are government
employees or members of the armed forces with a security clearance and to
private citizens who are not 'leaking' something but rather sharing something
they did not explicitly and voluntarily (through a contract or NDA) _agree_
not to disclose.

~~~
wfo
And yet the non-military CJ system can be brutal and harsh. I'd imagine it's
certainly possible the first person to disobey a NSL might be made an example
of, especially depending on who is in charge of the executive branch at the
time. You could be locked in solitary for years until you lose your mind. You
could be assigned to prisons in such a way the authorities ensure you would be
repeatedly beaten and raped. You could be indefinitely detained without trial
or attorney -- the crime is national security related, after all. There is a
horde of horribly nasty things that could be done to you even if you aren't
military or security clearance. It's worse for the military, but it's bad
enough for the rest of us.

Perhaps unlikely, but certainly very scary.

------
cJ0th
Anyone remember this?

> Barack Obama: NSA is not rifling through ordinary people's emails. US
> president is confident intelligence services have 'struck appropriate
> balance', he tells journalists in Berlin

edit: link fixed [https://www.theguardian.com/world/2013/jun/19/barack-obama-n...](https://www.theguardian.com/world/2013/jun/19/barack-obama-nsa-people-emails)

~~~
mtgx
Yup. So that's a complete lie now (not that I actually believed him when he
said it then). When you're searching through everyone's emails, then you're
invading everyone's privacy.

~~~
Magnets
I guess they are using the same justification as GCHQ; they use tools to scan
everything and a human doesn't actually read ("rifle through") the majority of
material.

Is it still an invasion of privacy if a machine reads my emails? Google read
my emails to check for spam.

~~~
maxymoos
To me, the main difference is that you know about Google's automatic parsing
of your emails upfront and it can therefore be a factor in your
subscribing/unsubscribing decision.

------
rdl
I was honestly a bit unhappy when Stamos left Yahoo in the middle of a bunch
of (what seemed like) cool projects for users -- seemed like he was just
jumping ship from an objectively pretty crappy company to a continuing-to-
accelerate rocketship, presumably for career reasons.

However, if it went down like this -- he did probably the least destructive
thing possible. I probably would have gone public or done something stupider,
but at the very least not being a party to ongoing abuse of users' trust is
necessary.

I'd like to see what other senior execs at Yahoo! were aware of the program
and supported or at least tolerated it, so I can avoid ever working with any
of them.

~~~
zmanian
This should forever taint Marissa Mayer's reputation. Failure to save Yahoo is
understandable. Disregard for user privacy and safety at this scale is
unforgivable.

~~~
utefan001
Don't forget this story.

Qwest CEO Joseph Nacchio who <edit> claims to have </edit> resisted NSA spying
is out of prison (2013)

[https://www.washingtonpost.com/news/the-switch/wp/2013/09/30...](https://www.washingtonpost.com/news/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/)

~~~
tptacek
Nacchio is no hero. He ran a $50MM pump-and-dump scam that personally netted
him millions of dollars in profits at the expense of common shareholders, and
he was indicted in a wave of similar prosecutions in the wake of the Enron
fiasco. His offenses are there in black and white: with full knowledge that
his company faced materially adverse changes unknown to his investors, he not
only promoted the company but privately (and illegally) sold his own shares.

You do people like Stamos a huge disservice by drawing this comparison. People
like Nacchio are exploiting the good work real privacy advocates do, for their
own personal enrichment.

~~~
kafkaesq
_People like Nacchio are exploiting the good work real privacy advocates do,
for their own personal enrichment._

Or it's possible for people to be dual-natured: capable both of flagrant
chicanery and abuse, as well as acts of conviction and principled defiance.

~~~
tptacek
The entangling of the FISA order and the insider trading scandal actually
makes things worse. His most significant trades came just months after he
refused the FISA order --- after which he claims NSA arranged to have DoD
contracts with Qwest terminated. He did something with an obvious material
impact on his shareholders, and secretly profited from it.

The reality, though, is that his tenure at Qwest appears broadly similar to
the kinds of bullshit that was rife in corporate America at the time:
accounting scandals, entirely unrelated to Qwest's government contracts, that
boosted apparent growth and drove share prices higher than the fundamentals of
the business could possibly justify.

Google, for instance, [qwest kmc telecom].

~~~
hackuser
If you know, what was his defense against the fraud case? It could have been
retribution (yes, that's completely speculative).

~~~
tptacek
His claims included:

* That he was simply very optimistic about the business he was running and that he believed there would be an uptick in the stock long term after the company weathered the downturn he knew to be coming.

* That he was "set up" by NSA: yes, he sold at a high price anticipating a sector-wide downturn, but he did so because he'd been assured that Qwest would be part of a multi-billion NSA modernization program called "Groundbreaker", led by CSC, which contract would surely rescue Qwest's stock and even out his sale.

* That his board had demanded that he sell his stock, and that such sales were routine at Qwest.

* That he was distraught over the suicide of his son and sold the stock as part of an effort to immediately disentangle himself from the CEO position which he hoped to leave.

Against that, you have the black-and-white record of his trades and the
testimony of numerous high-level Qwest executives all saying they'd been
urgently warning him to revise Qwest's targets downwards. He not only
maintained the unrealistic targets, and participated in channel-stuffing-style
schemes to fake up earnings numbers, but profited personally by trading
against those bogus numbers.

------
kefka
Let's take it a different way:

You're knowingly sending your data to a 3rd party. You're not encrypting. It's
not through the USPS (special protections).

It seems bloody evident that, of course, your email provider can read your
emails! Unless you're encrypting with GPG, then they can (and they can still
read the signing keys).

Yahoo, Google, and friends all scan, dedup, and all sorts of tricks to
determine marketing and quality content (spamming). If you're worried, run
your own mailserver. It's what I do, along with using gmail. But I know that,
at any time, people/scripts/ai are reading everything sent and received.

edit: I'd much prefer to hear commentary/how wrong/how right/how crazy I am,
rather than -1's. I'd like to hear a discussion about the "Secrecy of text
written on postcards"....

~~~
peterkelly
I've upvoted you, despite disagreeing with you, because I believe it's worth
us all discussing the reasoning behind our opinions.

What you've just said is the email equivalent to "she deserved to be raped,
because she was dressed like a slut".

Yes, we should take precautions to protect ourselves. But that in no way
justifies the privacy intrusions that happened here.

~~~
Redoubts
I think it's closer to "you deserved your message to be read, since you put it
on the back of a postcard". But ok.

~~~
morganvachon
This. Email messages are digital postcards. When it leaves your computer
(house) and goes to your ISP (local post office), anyone at that place can
pick it up and read it before sending it on its way to the recipient's mail
handler. While it's in transit, it's not sealed, it's not obscured or
encrypted, it is plain text.

Now, that doesn't change the fact that Yahoo rolled over like a puppy when the
government came calling, which is reprehensible for any tech company to do.
They should have fought it and asked for a warrant for the specific persons of
interest, rather than happily fucking over every single Yahoo email
subscriber.

~~~
roywiggins
Don't a lot of the big providers pass emails between each other encrypted with
TLS? And emails internal to Yahoo's email system wouldn't be visible to your
ISP or anyone outside of Yahoo.

[https://www.google.com/transparencyreport/saferemail/](https://www.google.com/transparencyreport/saferemail/)

~~~
morganvachon
They might pass the email around via TLS but they store their copy unencrypted
on their servers[1]. Even if they do one day decide to encrypt their local
copy, they hold the keys, you don't. According to the Ars article on this
subject[2], Google has officially said "We haven't been subpoenaed and if we
were we'd say 'no'", but that stance could change in the next few years.

[1]
[https://www.google.com/transparencyreport/saferemail/faq/#wh...](https://www.google.com/transparencyreport/saferemail/faq/#what_do_you_mean_by)

[2] [http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-...](http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-nsa-ordered-yahoo-to-build-secret-e-mail-search-tool/)

------
smsm42
Most illustrative part: "Yahoo President Marissa Mayer and the company's legal
team kept the order secret from the company's security team."

If you have to hide things from your own security team, it's pretty clear
you're doing something very bad and you know it.

And my imaginary hat off to Stamos for resigning when he found his boss
betrayed user privacy and undermined security. If everybody had such level of
integrity, doing shady stuff would be much harder.

------
jonknee
It sounds like Yahoo will fit right in at Verizon... It also sounds like
another leak designed to damage Marissa Mayer:

> According to the two former employees, Yahoo Chief Executive Marissa Mayer's
> decision to obey the directive roiled some senior executives and led to the
> June 2015 departure of Chief Information Security Officer Alex Stamos, who
> now holds the top security job at Facebook Inc.

~~~
mtgx
Sounds like she was a pretty terrible CEO all-around. But as a user, I would
never use a service run by Marissa Mayer again. She lost that trust for good.

~~~
duaneb
> But as a user, I would never use a service run by Marissa Mayer again. She
> lost that trust for good.

Realistically, this is every American company. Why trust anyone?

~~~
chc
It is impossible to live functionally in society without trusting someone on
some level.

~~~
duaneb
Yea--I'm just saying this is a product of being a business, not Mayer. One can
fight it and still give information over. You can't take the sign of struggle
as a sign your data is safe.

~~~
chc
It's not a sign that your data is safe, but I think the point here is the
opposite: You can take easy capitulation as a sure sign that your data is
compromised.

Similarly, the lock on my door doesn't make me safe against everyone who might
want to commit any crime against me, but all else being equal, a locked door
is still preferable from a security standpoint, and it's _very_ preferable to
keeping your valuables in an unlocked room with a known thief.

------
yladiz
While it is damning that Mayer didn't go to Stamos about this and went
straight to the email team, it's hard to say whether she felt it was necessary
to tell him, or was even allowed to, since we don't see the court orders and
what they entail. It's really easy to be against this and play armchair
preacher but this is something she probably had no choice in, in many ways.

Also, I'm wondering if this story is bigger because people love to hate on
Mayer. I am certain this kind of thing happened/happens at Facebook, Google,
Twitter, WhatsApp, etc., so it's confusing why this is so newsworthy. It's not
really newsworthy that data from an email provider is sent to NSA under secret
court orders and NSA can search the full text of it. Is the newsworthy part
that she asked the team to do it without consulting the security team? My
question would be, why wouldn't a manager from the email team consult the
security team if they had the power to?

~~~
lmm
> It's not really newsworthy that data from an email provider is sent to NSA
> under secret court orders and NSA can search the full text of it.

It absolutely is newsworthy. We may have suspected it beforehand, we may
suspect it happens at other providers, but we have specific proof about Yahoo
now. This is new and important and we should be making a fuss. If we play the
jaded cynic we are joining the enemies of democracy.

~~~
yladiz
No, we had proof back when Snowden released documents about the search engine
that NSA has from data siphoned from providers. I'm not being cynical, I'm
being realistic in that this isn't newsworthy now because it was extremely
newsworthy when it first came to light a few years ago.

I would rather this be newsworthy because it gets people interested in
fighting FISC orders again, not against Yahoo and Mayer.

~~~
losvedir
What Snowden revelation are you talking about? I remember when everyone was up
in arms about PRISM, but that's just a pretty interface on more focused
requests of data for specific users.

This is the first instance, to my knowledge, of the government requesting
carte blanche realtime search of _all_ incoming and outgoing email for _all_
users.

~~~
nickpsecurity
No 2 and No 8 on this cover Yahoo directly:

[http://mashable.com/2014/06/05/edward-snowden-revelations/](http://mashable.com/2014/06/05/edward-snowden-revelations/)

That's them searching for what they want plus seeing everything without
notification. There was also a $250,000 a day fine for non-compliance with
court orders. That adds up. I can't find the link but they made it grow
exponentially over time in another report.

~~~
tedunangst
#8 is a weird thing to bring up. Yahoo was going to be fined for not letting
the NSA secretly tap their cables? They didn't even know the tapping was being
done! How could they be non compliant?

~~~
nickpsecurity
Yeah, that might not totally fit in the point I was making on compliance side.
It does fit into overall picture of answering losvedir in how they'd be
collecting and searching everything in real-time. The next order might force a
tap on the cables on the inside. Much like the "pen register" Lavabit was
going to have to add.

------
boren_ave11
Friendly reminder: the FBI and NSA are part of the executive branch of
government and report to the President of the United States. Make no mistake
-- there absolutely _is_ someone who could stop this. The fact that this
clearly unconstitutional activity not only continued after being exposed, but
actually appears to have expanded in its scope, leaves us with but one
conclusion: the President supports this activity and wants it to continue.

~~~
j1vms
> (...) are part of the executive branch of government and report to the
> President of the United States.

It's very likely, from what we have observed over the past sixty to seventy
years, that the Executive Branch does not operate this way in practice. The
actual bureaucratic system has probably morphed to allow for deniability and
other measures that offer structural protection against political or legal
attacks.

~~~
boren_ave11
But we know that he knows about it. Because he has talked about it. He once
gave a speech specifically about government spying. Not only was the illegal
activity not stopped, it expanded. There simply is no deniability left.

------
suprgeek
The scariest part of the whole piece answers this question: Why are back doors
with secret keys a BAD idea?

"... he had been left out of a decision that hurt users' security, the sources
said. Due to a programming flaw, he told them hackers could have accessed the
stored emails...."

The CEO of Yahoo must have known that this kind of scanning and storage puts
their users at risk. She chose to do it anyway as being the path of least
resistance against a more powerful adversary (US govt.). Bad judgement
compounded by zero spine... Verizon looks like the perfect fit.

------
josh2600
I mean, think about the threats from .gov, right?

$250k per day doubling every week that can come with a gag order sounds like
the sort of thing that could damage a business to the point of extinction, no?

[https://www.theguardian.com/world/2014/sep/11/yahoo-nsa-laws...](https://www.theguardian.com/world/2014/sep/11/yahoo-nsa-lawsuit-documents-fine-user-data-refusal)

------
zmanian
Secret URL for deleting your Yahoo account.

[https://edit.yahoo.com/config/delete_user](https://edit.yahoo.com/config/delete_user)

~~~
awqrre
Do you seriously think that it is better elsewhere? I think that the NSA and
the FBI are out of control...

~~~
faktorialas
Of course it's better elsewhere. Many companies are not under US authority.
Many provide better security features. Many are not known for having terrible
security, or the biggest breach of user data ever.

IIRC, Yahoo has always provided more data not even because they shared it, but
because they were so lax with security.

------
JustSomeNobody
Let's see a show of hands for those who think Yahoo was the only one?

------
taivare
This reminds me of what happened to my grandfather in the early 30's. He was
employed by a small glassworks in PA, a factory town that owned his home, the
town store, post office everything. They opened his mail and fired him for
trying to start a union. Three kids under five and a wife thrown out on the
street. Seems like the Oligarchs are still reading the spues mail all of these
years later.

------
lasermike026
Distribute, encrypt, and anonymize. The only way forward doesn't include them.

Congress is up for grabs. You can really change who is in congress this round.
If you don't like the guy you have, vote in another. Vote for people that want
to cut surveillance programs and agencies that request them. We could save or
reallocate mountains of money.

------
pkaeding
Yahoo was attributing its recently announced data breach to state-sponsored
attackers.... Maybe that wasn't so far off the mark after all.

------
Floegipoky
Ignoring fiduciary responsibility for a minute, what would happen if a
publicly-traded company refused to comply with such a court order until they
were required to release a financial statement? Wouldn't they be legally
required to disclose that multi-million dollar fine?

How would a company under such a gag order announce bankruptcy? "Sorry, we
lost all the money and we can't tell you why"?

------
Esau
The lesson from this is to not trust corporations with our privacy. Sadly, it
seems many of us are not learning it.

~~~
zzzcpan
Would it even be possible to make similar, but privacy centered products
without corporations?

~~~
dredmorbius
That's what Free Software is about. And it does.

The problems are of establishing protocols and standards, and seeing that
others adopt them, and of creating self-contained systems that are bulletproof
to set up and operate.

There are projects working on this, but the hurdle for having Joe Random User
operate their own server is fairly high.

I'd much rather see a highly, but _not entirely_ distributed system, with
pervasive security, and very strong legal protections. I don't know if that
can happen.

------
zby
The interesting part of the news is this:

""" The sources said the program was discovered by Yahoo's security team in
May 2015, within weeks of its installation. The security team initially
thought hackers had broken in. """

this is from Reuters: [http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSK](http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSK)

I can imagine being in that security team :) But there is also something more
profound in this about secrecy in our times.

------
ChicagoDave
I find this hilarious since the only thing I use my yahoo address for is
retailer sign-ups and things I know will land me a boat load of junk mail. It
is my email landfill.

~~~
rdiddly
Likewise, although I refer to it as my spam storage.

------
AnimalMuppet
From the article: "Some surveillance experts said this represents the first
case to surface of a U.S. Internet company agreeing to a spy agency's demand
by searching all arriving messages, as opposed to examining stored messages or
scanning a small number of accounts in real time."

The first case _to surface_. Anybody else could have been doing it for just as
long, but we don't know yet.

------
vermontdevil
Now gotta wonder if Google has succumbed to government pressure to do the
same.

I'm really hoping and trusting they haven't.

~~~
aab0
I wouldn't bet a bent penny on it:

"Experts said it was likely that the NSA or FBI had approached other Internet
companies with the same demand, since they evidently did not know what email
accounts were being used by the target. The NSA usually makes requests for
domestic surveillance through the FBI, so it is hard to know which agency is
seeking the information.

Reuters was unable to confirm whether the 2015 demand went to other companies,
or if any complied.

Alphabet Inc's Google and Microsoft Corp, two major U.S. email service
providers, did not respond to requests for comment."

It's not a hard question to answer. You either are or are not searching all
emails in realtime at the behest of the NSA.

~~~
generj
They later responded. Quoting from Arstechnica's 5:11 ET update:

A spokeswoman for Microsoft, Kim Kurseman, e-mailed Ars this statement, and
also declined further questions: “We have never engaged in the secret scanning
of email traffic like what has been reported today about Yahoo.”

For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed:
"We've never received such a request, but if we did, our response would be
simple: 'no way.'"

[http://arstechnica.com/tech-policy/2016/10/fbi-demands-signa...](http://arstechnica.com/tech-policy/2016/10/fbi-demands-signal-user-data-but-theres-not-much-to-hand-over/)

~~~
CaptSpify
Don't the NSL's typically have a section saying that they have to deny they
ever received one?

------
markpapadakis
I imagine Yahoo! Mail engineers being royally pissed about this. Well, I
suppose that includes all Yahoo! folks who are still putting real effort into
improving Y!'s services. Every odd day something surfaces about Y!'s execs'
questionable practices and decisions, every even day problems, leaks, bad
press. Morale must have hit rock bottom.

Maybe the Yahoo! Board should have surveyed the startups scene, looking for
founders who bootstrapped successfully and proven their worth, and recruit the
best they could get. I am not very familiar with management of people and
aspects of running a business, but I believe there is a lot more to it than
being a smart person with computers.

~~~
matt4077
You may have missed the part where Yahoo engineers implemented this scheme,
they are to blame as much as management here, possibly more because they
could've walked away and gotten a different job without much trouble, but
management had a responsibility to the whole organization.

Contrast with the rumors that Apple engineers were prepared to refuse & resign
if ordered to share the iPhone's encryption keys.

~~~
codedokode
Why should they lose their job and salary to defend someone else? Yahoo users
can go to court themselves if they feel that their rights were violated.

~~~
generj
Yahoo users can't go to court if they can't prove their rights were violated.
Even with this news story there is no court-admissible evidence of collusion
with the government.

Also, from the perspective of a civil suit against Yahoo, this program is
likely somewhat legal unless it was specifically against their privacy policy
and terms of use.

That doesn't mean the engineers knew they were performing unethical behavior.
A better question is: why should anyone hire someone who aided unethical
behavior?

~~~
codedokode
Their behaviour might be not very ethical in relation to customers but they
were loyal to the company. This is a good point for an employer. I doubt a
company would like to hire a Snowden type person that puts public interest
over company's.

------
_audakel
If she had wanted this to get out, I wonder if she could have ordered the
email team to go ahead and build out the sniffer so she is not in contempt of
the court, but let her security team openly blog about it, without informing
her, when they found it - which could lead to an inadvertent release of the
info? If the sec team was not under the gag order maybe they would not have
gotten in trouble.

Or take her to a super boss level, she could have used whisper to talk to
guccifer and let him know about some vuln that would allow access to the legal
directory.... which would have to gag order. #wikileakitup

~~~
generj
The security or email team could also blog about how to "hypothetically"
implement real-time scan of email for keywords, and then stay mum about if
they ever actually implemented something like their proposed program.

Totally protected speech.

------
zmanian
This is substantially worse than PRISM which operates on individual targeted
persons and the upstream Verizon, AT&T program which collects plaintext over
the public Internet.

This involved bulk search of data past the decryption layer.

------
tkinom
Since all these companies (Yahoo, Google, FB, MSFT, etc) all operate and with
users in other countries, what happens when other countries/governments demand
the same "search/access" of info?

~~~
CobrastanJorji
Well, if you're Google in 2010, the answer was "stop putting any servers in
China, and accept getting blocked by China."

------
En_gr_Student
It was part of carnivore and AT&T also supported that. I'm pretty sure all
major vendors had hooks into their systems for carnivore.

------
0xmohit

      Yahoo Inc last year secretly built a custom software program to
      search all of its customers' incoming emails for specific
      information provided by U.S. intelligence officials, according
      to people familiar with the matter.
    

Wonder how much of the 4.8 billion can be attributed to this _custom software
program_?

------
turc1656
This shit needs to stop. Immediately.

Like most people, I have no problem with the government using probable cause
to get warrants that are in search of something specific (none of these grab-
all bullshit orders). If you have a legitimate reason to be looking at
someone, then there should be no problem getting a warrant.

These secret FISA court orders are a serious violation to the rights of
Americans in many cases. At minimum, if we really do need these secret courts
to prevent people from finding out they are the subject of surveillance, then
there needs to be an expiration on those gag orders. This crap about never
being able to mention it FOREVER has to go. There should be a limit, say 5
years, which is well beyond the length of time most investigations take. At
that time, those orders should expire so that these government actions can be
brought to light if there is any question of wrong-doing on the part of our
overzealous law enforcement.

"Former NSA General Counsel Stewart Baker said email providers 'have the power
to encrypt it all, and with that comes added responsibility to do some of the
work that had been done by the intelligence agencies.'" Sorry, but no. That's
not how it works. There is no obligation to do the work of government unless
it is actually written into law (i.e. record-keeping laws). And it currently
is not. This is precisely why everyone should be encrypting all communications
on the CLIENT side themselves. It should never leave your device (PC, phone,
whatever) unencrypted. That way, if the government wants to go on a fishing
expedition or has an actual legitimate reason to look at you, they will have
to get a warrant for the device itself, which will at least give you a heads
up that they are trying to put you in the clink with a bunkmate named Bubba.

The NSA, and the government in general, has completely blown any goodwill they
once had with the public. Under no circumstance will I ever advocate for
anything that makes their job easier. And it is for no other reason than
simply because they have proven time and again they cannot be trusted.

Honestly, I'm still not even clear why every employee of project PRISM isn't
rotting in a jail cell right now after Snowden shed some light on the program for
the rest of us peasants. Every single employee of that program had to know the
clear violations of the constitution they were helping to partake in. Keep in
mind the constitution protects against unreasonable SEIZURE as well as search.
Gobbling up communications in the manner they did clearly counts as seizure
because they would not have had them otherwise - whether or not they actually
search the records is immaterial.

I'm not an Apple fan, but when they told the government to go pound sand
regarding that terrorist phone encryption case, that was the first time that I
can recall I actually approved of Apple's political position on something.

------
Zigurd
Some people here laud some companies for being good about user privacy and
security. This shows they have not yet reached table stakes for privacy and
security.

This is why no provider can be trusted. Every routine communication should be
e2e encrypted. Otherwise this WILL happen.

~~~
josho
This is where I remind everyone about S/MIME. A bit awkward to set up for the
first time, but with good email clients it is a pretty transparent experience
once you have it set up.

~~~
Zigurd
That's good, but the correct response from the big internet services/portals
should be to make it impossible to comply with such a request without an
obvious and public withdrawal of service. And, beyond that, to use their
resources to make key exchange and management simple and secure (they do that
in _some_ real time communications products) for storage and email. They have
your social graph, they can implement web-of-trust features. They can make it
both simple to use and exceedingly difficult to subvert. They can provide
secure, open endpoint software. They can effectively end dragnet surveillance
by providing a refuge from it, AND make burdensome and credibility-destroying
requests/orders impossible to implement. And all these years after Snowden,
they have not.

------
hackuser
Note the attitude toward encryption:

 _Former NSA General Counsel Stewart Baker said email providers "have the
power to encrypt it all, and with that comes added responsibility to do some
of the work that had been done by the intelligence agencies."_

------
feefie
Is this the best solution?
[https://emailselfdefense.fsf.org/en/](https://emailselfdefense.fsf.org/en/)

Getting anyone else I know to do this seems like a long shot. Is there
something simpler?

~~~
dredmorbius
Setting up and using PGP _personally_ isn't all that hard, though it's got a
few twists. Above and beyond any learning-curve issues:

1\. It doesn't protect metadata. _Who you communicate with_, and when, and
what subject you specify, are all available to any system which can read the
packets. Unless you _only_ accept and transmit TLS (secured-session) transport
(HTTPS), this means that your communications _patterns_ are in the clear. If
your receiving party are fetching messages via a cleartext protocol (IMAP or
POP, say, and in some cases HTTP, rather than the secured variants IMAPS,
POPS, and HTTPS), then the headers _and possibly mail body_ will be clear.

Cryptography has to be end-to-end to be effective, though attack surfaces
exist at many levels. Ultimately the viewing device itself may be compromised,
but that's a rather unscalable attack.

2\. If you're using PGP _but nobody else you're communicating with is_ then
you're not gaining much. Keep in mind, I've been yelled at and/or chided by
highly technical people _with strong security backgrounds_ over sending PGP-
encrypted emails. Including senior Google technical staff and Gene Spafford,
of recent memory.

Much of that is due to a wide range of email clients not playing well with
PGP, which gets again to vendor issues.

I recently posted a long critique of email on HN, and ultimately it's the lack
of privacy, security, encryption, authentication, and reputation which make me
think it's time to scrap it and start over, _although learning from it and
taking the best bits along_.

[https://news.ycombinator.com/item?id=12620997](https://news.ycombinator.com/item?id=12620997)
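
Added example (not part of the comment above, and not code from any project named in the thread): a sketch of the metadata point, showing what a mail server or mailbox provider can read from a stored PGP/MIME (RFC 3156) message without holding any key. The addresses, subject and armored payload are constructed placeholders, and `provider_view` is a hypothetical helper name.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME (RFC 3156) message as a relay or mailbox
# provider stores it. Addresses and the armored payload are placeholders.
RAW = """\
From: alice@example.org
To: bob@example.net
Date: Tue, 04 Oct 2016 17:06:01 +0000
Subject: meeting notes for thursday
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

METADATA = ("From", "To", "Cc", "Date", "Subject", "Message-ID")

def provider_view(raw):
    """Return what a party handling the stored message can read without any key."""
    msg = message_from_string(raw, policy=default)
    visible = {h: str(msg[h]) for h in METADATA if msg[h] is not None}
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    # Any text/* part is readable body content; in PGP/MIME there should be none.
    readable = [p.get_content().strip() for p in msg.walk()
                if p.get_content_maintype() == "text"]
    return {"headers": visible, "pgp_mime": encrypted, "readable_body": readable}

if __name__ == "__main__":
    for key, value in provider_view(RAW).items():
        print(key, "=", value)
```

The body comes back empty while sender, recipient, time and subject are all readable, which is the communication pattern the comment describes as left in the clear.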

------
Taek
Another reason for users and enterprises alike to avoid US companies and
services. And another reason for entrepreneurs to start companies outside the
US - escape the stigma, escape the potential clash with secret courts.

------
cornchips
Any large company should openly defy such an order.

What will they do??? Fine, court, shut down the company? If that happened
would the public not outcry?

------
ArkyBeagle
So you really think that a free email service will "protect your privacy?" Any
of them?

Why would you think that?

FWIW, SIGINT is a major part of the present festivities in the Woah on Terruh.
It's simply unrealistic to expect anything transmitted through ordinary means
to be remotely private.

------
jameshart
Any chance that this, and the recently announced historical account breach,
are coming out as artifacts of Verizon's due diligence?

------
honyock
This is not at all surprising! BTW, I don't know a single person that has an
email account with yahoo, who is not older than 60!

------
jokoon
To be frank, the more I hear about those stories, the less I'm shocked.

There is nothing to be shocked about. Unless nobody else than intelligence
officials are getting access to this, and if the investigations are legit,
then what?

News like this is trying to ride the whole Snowden train, but that's not what
Snowden was whistle blowing about. Snowden was trying to warn about the abuse
of those tools.

Now people moan and yell each time agencies try to do their job.

~~~
Tepix
This is not just another case of surveillance. This is a company betraying its
own security chief and programming a backdoor to spy on its own customers on
behalf of a bunch of agencies. It is unprecedented, overreaching and must not
be tolerated.

------
awt
That the usg attempted this is a sign of deeply seated incompetence at a
philosophical level.

------
jmadsen
I'm sorry, but have you _used_ Yahoo Mail?

I don't believe they are capable of writing the "siphon" they are accused of.
To be honest, I don't think they actually have engineers. I think they just
use summer interns.

------
pseingatl
They moved heaven and earth to try to find Snowden.

------
aszantu
having my yahoo as spammailaccount for registrations, they probably scanned
gigabytes of all sorts of stuff xD

------
lifeisstillgood
And it did not find any :-) !!!

------
ezoe
So, when do Americans exercise the right of the Second and liberate from this
totalitarian government?

------
VOYD
Took them long enough ;)

------
exabrial
Thanks Obama!

------
trendia
In China and Russia, it is well known that _all_ oligarchs are corrupt.

However, not all of them will go to prison -- only those who cross the
politicians will ever be tried and convicted.

~~~
dEnigma
Which reminds me of this great passage in _Atlas Shrugged_ :

 _“Did you really think we want those laws observed?" said Dr. Ferris. "We
want them to be broken. You'd better get it straight that it's not a bunch of
boy scouts you're up against... We're after power and we mean it... There's no
way to rule innocent men. The only power any government has is the power to
crack down on criminals. Well, when there aren't enough criminals one makes
them. One declares so many things to be a crime that it becomes impossible for
men to live without breaking laws. Who wants a nation of law-abiding citizens?
What's there in that for anyone? But just pass the kind of laws that can
neither be observed nor enforced or objectively interpreted – and you create a
nation of law-breakers – and then you cash in on guilt. Now that's the system,
Mr. Rearden, that's the game, and once you understand it, you'll be much
easier to deal with.”_

― Ayn Rand, Atlas Shrugged

~~~
CodeMage
_"There are two novels that can change a bookish fourteen-year old's life:
The Lord of the Rings and Atlas Shrugged. One is a childish fantasy that often
engenders a lifelong obsession with its unbelievable heroes, leading to an
emotionally stunted, socially crippled adulthood, unable to deal with the real
world. The other, of course, involves orcs."_

\-- John Rogers

~~~
crdb
Responding with an ad hominem - whether at the author of the quote or the
poster of it by association - is both an ineffective response (the appeal to
emotion signals an inability to argue rationally) and lowers the quality of
discussion (by taking it away from the point, into emotional territory).

Constant appeals to emotion and resorting to a wide array of fallacies allows
for strongmen to build tribes which follow them blindly (no need to bother
forming policy) and is how we end up with Trump vs Clinton in 2016 (see [1]
for the impact on the legislative process). Reducing the quality of debate is
therefore a harmful thing with real consequences.

One line of argument might be to criticise the paranoid nature of the quote:
it is entirely possible that a mess of laws arises naturally from a mix of
special interests doing some lobbying to preserve small advantages for
themselves, and bad laws arising as a form of horse trading necessary to get
policy enacted. Only then does this mess present an opportunity to
manipulators.

[1] [http://imgur.com/a/Wmoex](http://imgur.com/a/Wmoex) \- "Voting
Relationships between Senators in the 101st through 113th Congresses"

~~~
coldtea
> _Responding with an ad hominem - whether at the author of the quote or the
> poster of it by association - is both an ineffective response (the appeal to
> emotion signals an inability to argue rationally) and lowers the quality of
> discussion (by taking it away from the point, into emotional territory)._

Thankfully, that was not an ad hominem. It was a quote against a particular
BOOK.

> _Constant appeals to emotion and resorting to a wide array of fallacies
> allows for strongmen to build tribes which follow them blindly_

So, kind of like Ayn Rand, which had a known history of blind following
entourage?

~~~
woodman
> So, kind of like Ayn Rand, which had a known history of blind following
> entourage?

Without any sort of quantification, that is a very hollow argument. All
systems of ideas, and originators of such systems, have a history of "blind
following".

Saying that Objectivists are less critical of their own and competing ideas
strikes me as pretty laughable, especially when compared to the more popular
ideas - like Marxism. Maybe Ayn just doesn't look as good on a T-shirt as
Che...

------
cheeze
Can we merge
[https://news.ycombinator.com/item?id=12637302](https://news.ycombinator.com/item?id=12637302)
into this? Same exact headline

------
johansch
So, is this correct, in this context?

Pass: Apple, Google

Fail: Microsoft, Yahoo

Unknown: Facebook, Twitter

~~~
zzzcpan
Google is definitely in cahoots with the government and probably way deeper
than Yahoo. Why would you even assume otherwise, given how much ties to the
government they expose to the public these days?

~~~
johansch
As a European I have to assume all major US companies in this area are
either infiltrated or willingly participating in pervasive surveillance.

It's still interesting to know which companies have been actually exposed for
this kind of abuse of their customers' trust.

~~~
M2Ys4U
Quite - and the European Court of Justice basically agrees with you too. Hence
why Safe Harbor was annulled.

------
gjolund
Good riddance. I don't understand what is worth scavenging from the carcass.

------
ChoHag
But continue to find themselves stumped?

------
thwee
It should read "...Yahoo Chief Executive Marissa Mayer's decision to indulge
the directive..." indulge, not obey.

------
singularity2001
Google overtly scans your emails for anything.

~~~
panarky
> Google overtly scans your emails for anything

This is a common argument here.

"Company A secretly collaborates with government agency to subvert their
users' security."

"Yes, but Company B collects user data for their own commercial purposes,
fully disclosed to the user. Same thing."

Not the same thing.

