
Why We Should All Dump Yahoo - dredmorbius
http://www.dumpyahoo.com
======
wila
While I agree with the sentiment.

Here's why you should not delete your yahoo account.

Once you delete your account, yahoo will make it available again to everyone.

This means that if you have not unlinked everything it can be used by others
to reset accounts on services you forgot that you linked to your yahoo
account.

Instead of deleting it, forward it all to another account and stop using it.

Do not forget to log in every 12 months to keep it active.

~~~
Silhouette
This is an excellent argument for setting up e-mail using your own domain
name, though, and for using that for all new accounts and transitioning
existing accounts to your new e-mail address as soon as possible.

The Internet works just fine when it's decentralised, but particularly with
e-mail, relying on the big service providers (or an ISP-provided address, for
that matter) immediately locks you into someone else's systems for no
particularly good reason.

Registering your own domain and setting up mail forwarding can be done with
any number of services and costs less for a year than many people pay for a
week of their cell phone service, and crucially, the domain is registered by
some specialist service but is your domain and can be transferred to another
service any time you want.

Unfortunately it can be a scary-looking process for non-technical users, but
for those with enough confidence to arrange it, I highly recommend it.

~~~
dredmorbius
Although that also introduces risks. Losing control over your domain would be
problematic. It happens.

The argument for individual domains suggests itself, or an equivalent follows-
the-person mechanism.

~~~
sk5t
Yes! Reducing the risk of losing control of the domain is a great reason to
prefer gmail.com, outlook.com, or another similarly theft-hard mail domain.
Otherwise, if an attacker can trick the registrar or nameserver, it's game-
over for all accounts that use mail or mail-dependent factors for
authentication.

~~~
Silhouette
_Otherwise, if an attacker can trick the registrar or nameserver_

That's a mighty big "if", though. For any of the TLDs I'm familiar with, there
are significant protections against unintended domain transfers, and that has
been the case for a long time for the major ones.

------
phantom_oracle
"...I care about my own privacy and security..." and yet your website has no
encryption. Thus, when I enter my details on your form, it is being passed
over the same internet in plaintext, thereby violating the exact "privacy and
security" this "protest" aims to create.

~~~
codemac
Well, I think the concept here is to publicly pledge to dump yahoo, in order
to convince & pressure others to do the same. Saying you care about your
privacy and security doesn't mean you remove yourself from all forms of public
expression. It's the most basic form of free speech.

If you want to privately pledge, just write it down on a sticky note, and put
it on your monitor.

~~~
bbcbasic
Still. I think it's a bit absurd.

~~~
CobrastanJorji
This is a site collecting information for a public petition. By definition
your GOAL is to share your information publicly. How is it absurd to do so in
the open?

~~~
bbcbasic
What if I decide I don't want to share publicly? By then the contents of the
page as I have viewed have been sent unencrypted.

~~~
johnmaguire2013
Your headers would still be unencrypted -- including the domain and URL you
accessed.

~~~
alexbecker
The domain is unencrypted over HTTPS, but the path is encrypted.

~~~
palunon
So the difference is "you accessed www.dumpyahoo.com" vs "you accessed
www.dumpyahoo.com asking for / "...

~~~
alexbecker
I agree in this case it isn't very helpful.

------
donretag
Yahoo is simply the first company that we publicly know of that scans incoming
emails. If the government can force Yahoo, they will force all of them.

Yahoo has more disgruntled former employees to reveal secrets than Google,
Microsoft, etc...

~~~
crystalmeph
To be fair, according to this article, Google, Microsoft, Apple, and others
have explicitly denied allowing government officials direct access to their
servers.

However, due to the secrecy requirements of the law, we cannot know if they
did allow the government some other form of access that was functionally
equivalent to a rootkit on the server in terms of what the government could
access.

Pure speculation on my part: Yahoo probably got the court order and made the
decision that the government was going to get what they wanted anyway in the
end, and resistance was going to be futile, and they probably figured that
since no-one was going to be able to hear about them fighting against this
order, it wouldn't even do their reputation any good to fight it. Of course,
if I'm right, they miscalculated a little bit on that last part, since they
obviously didn't count on a leak of the fact that they did roll over, which
now has damaged their reputation.

~~~
jwtadvice
> To be fair, according to this article, Google, Microsoft, Apple, and others
> have explicitly denied allowing government officials direct access to their
> servers.

Right, but the statements were very carefully crafted PR statements that only
implied that there were no similar feeds while leaving open the possibility
that there may be.

Having watched the industry for some time (Skype's PR denials come to mind as
well as all the companies implicated in the Snowden disclosures) I have no
confidence that those PR releases mean anything of significance besides a
recognition from the companies that their users might not like certain
activities by their customers.

~~~
CobrastanJorji
Bruce Schneier agrees with you, which lends your argument some credence to me,
but I thought "We’ve never received a request like this, and were we to
receive it we’d challenge it in a court" was about as broad and clear a
statement as could reasonably be made about this. What would you need them to
say?

~~~
jwtadvice
Something like "We do not have _any_ programs or agreements whatsoever with
law enforcement to share any user data or metadata or summaries or analysis of
said information. We screen our employees for infiltration from intelligence
community members, putting them only in positions where they can not influence
our systems without significant risk of discovery and where they can not
influence our systems without involving a large number of other people who we
empower to contact the public and the media if they see anything suspicious.
Furthermore, we have no shareholders or executives with business, security or
personal relationships with federal police / national security personnel.
Finally, we've designed our product such that the very most minimal set of
information and meta information is ever available to us, even if we try, and
so the amount of abuse that we could perpetrate is at the very most X, where X
can be understood by someone who carefully looks at our design. In addition to
this, I and significant parts of our company leadership will step down from
our roles if any information contradicting any of this ever comes out."

Though I wouldn't hold my breath.

The wiggle room in "request like this", for example, is huge. That's not
something that I'm being particularly pedantic about - it's something we've
seen repeated evidence for.

Basically, I've lost trust in the public relations portions of these
businesses - which are not empowered to know the truth about what goes on at
their organizations to begin with. The only technologies I feel confident
placing trust in are ones that don't require placing a trust (forever) in one
of these corporations (as well as all future employees and shareholders).

(Twitter is a good example of a company that has held out for a very long
time, but has eventually given way to pressure.)

~~~
CobrastanJorji
Your proposed requests would include responding to legal warrants, which all
of those companies already admit to doing.

Could I suggest "We do not ever voluntarily comply with any requests for user
data or metadata or summaries or analysis, we resist involuntarily, legally
mandated compliance as much as legally allowable, and we publish as much
information about information we give away in as much detail as we legally
can."?

------
oridecon
Just be careful about "deleting" your Yahoo account.

> Register a previously used ID

> A deleted Yahoo account ID may become available for future use, and you’re
> welcome to try to register it. However, Yahoo can't specify how long until a
> deleted ID may become available, and we can't guarantee that it will become
> available.

[https://help.yahoo.com/kb/SLN3060.html](https://help.yahoo.com/kb/SLN3060.html)

And make sure it doesn't get removed for inactivity:

> If you rarely use your account, it will go into an inactive state and then
> be deleted. You can prevent this by signing in to your account using any
> device at least once every 12 months.

------
joesmo
The Yahoo fiasco is horrible, but it shouldn't come as a surprise to anyone
who has heard of Snowden and his leaks. He talks about programs like this,
though I don't remember the program's name. So, in other words, shouldn't we
all have dumped Yahoo (and everyone else) in 2013? Also, it's rather
irrelevant if you communicate mostly with other Yahoo, Gmail, etc. users
because, unless you encrypt (good luck with getting your friends and family to
encrypt) all messages, you still can't keep it private. So let's not pretend
like this is a surprise or it's only Yahoo doing it. That last claim would be
the most ridiculous.

~~~
etjossem
You are probably thinking of the PRISM program, which demands information from
technology companies based on warrants from the secret FISA court [1], and the
MUSCULAR program which sniffs internal Google/Yahoo cloud traffic from servers
based in foreign countries. MUSCULAR is completely warrantless because the
information is collected outside of the United States [2].

[1]
[https://en.wikipedia.org/wiki/PRISM_(surveillance_program)](https://en.wikipedia.org/wiki/PRISM_\(surveillance_program\))

[2]
[https://en.wikipedia.org/wiki/MUSCULAR_(surveillance_program...](https://en.wikipedia.org/wiki/MUSCULAR_\(surveillance_program\))

~~~
moosey
While these programs are horrible, I'd like to mention how great the naming of
the programs has been. One of my favorites was FIRSTDATE then BADDECISION
leading to SECONDDATE.

Again, not condoning behavior, I just wish I could be so creative when naming
systems.

------
bad_user
Right, because if I care about my privacy, I really want to leave my name,
email and zip-code on some random form on the Internets.

~~~
JamesUtah07
I don't care if people have my email address, I care about people reading my
emails.

------
akerro
Should I drop dropbox, google, apple, MS, Cloudflare, LinkedIn, Ebay + paypal,
amazon, MasterCard and Visa for the same reasons?

~~~
eatbitseveryday
Doing so is just so increasingly limiting on our lives. What might be a more
ideal scenario is to change the government's priorities, and enact strict(er)
privacy laws that prevent these and other companies from sharing our data, or
to be able to speak out when a hidden government department asks them to keep
it under wraps.

~~~
akerro
From the listed above I have only amazon, linkedin and MasterCard anyway, so
not that limiting.

------
lightedman
If we wanted to show that we weren't letting them do this without consequence,
we'd be suing Yahoo and the Gov't like real Americans. We'd be suing for such
an egregious amount that our national debt would look like a bit of pocket
change. We would threaten the very life and livelihood of this country if we
TRULY cared about our rights and privacy.

But no, instead you want us to sign a petition.

Give me a break.

~~~
ilyanep
Okay, so go find a lawyer willing to make it a class-action and start the
suit. Find a list of damages and try to justify the large cost, then file.

Or is angrily commenting on Hacker News easier?

Give me a break.

~~~
lightedman
You don't need money. If you've ever bothered to read the paperwork to file a
suit, you'd notice a spot that says "I cannot afford the fees for attorney nor
filing. Waive them."

Then you prove that, make it a class-action suit, and you watch as lawyers
scramble to make their name representing you and the class.

This is how America works. If you haven't figured this out, I hope you do very
soon, as it will be the only way you can defend yourself in eventuality.

------
at-fates-hands
This is useless really.

Those people who are security minded have already switched to a secure email
provider, or run their own email servers. Those who are not so security minded
don't care, won't care and have no desire to stop using Yahoo. If you
didn't know or think the NSA does this, then you've been living in a cave for
the past decade.

While I appreciate the outrage, it seems most people have become fatigued by
this constant barrage of evil corporations getting buddy:buddy with the NSA
and have either done something about it, or have just accepted it.

------
finishingmove
Unfortunately, even though I would very much like to abandon mine (even though
it's used only for some spammy registrations), email forwarding is not
possible unless you pay them, which is obviously out of question.

So basically, the best I can do is start changing my associated email address
at the services I care about that are still using my yahoo email address.
After a while, my yahoo inbox will be 100% spam (as opposed to 90% spam now),
so I'd be able to move on.

~~~
emcrazyone
Some email services will allow you to "fetch" mail from another service. For
example, I think it's possible with gmail to configure it to log in
periodically to your yahoo account and fetch the email.

I run a hosting business and our email stack supports this feature. We use a
combination of open source technologies to transfer email like imapsync for
the initial transfer and then use a glorified version of fetchmail in a cron
job.

------
awinter-py
how is yahoo's action different from a court-ordered pen register?

I respect the lavabit guy for his decision to implode, but you can't expect a
large public company to behave that way.

~~~
michaelmrose
Presumably in that traditionally an actual normal court that is accountable to
the public would have to based on evidence approve a warrant naming
particularly the individuals and why and for a finite duration of time.

This is fundamentally different from building a tool that would allow them to
access any or all of your customers' communications forever with no further
oversight forever based on a secret court's request or in fact sometimes
nothing more than administrative request or even breaking in.

------
pwenzel
Well dang it, I only keep my Yahoo account around so I can log in to Flickr,
which is something I've been using long before Yahoo's acquisition of that
service.

------
emanueld
This is a great way to sign people up to your mailing list.

~~~
dredmorbius
This is actually one line of discussion I'd hoped to spark in posting the
item.

There are a few dynamics here:

1. Goodwill for a company with repeated security breaches.

2. Goodwill for a company which rolls over in the face of government
surveillance.

3. Privacy expectations in the face of third-party hosted services. Frankly,
Yahoo's actions should send stone-cold shivers through anyone using such
systems.

4. The whole question of online petitions and such.

------
synaesthesisx
I thought this was going to be directed toward Yahoo stock (YHOO). While I
agree with the sentiment I would probably dump Yahoo stock too...

------
GoToRO
"I want to make it clear to the government, to Yahoo and to other internet
companies that they cannot compromise my security, privacy and safety without
consequence."

Well... then you should dump your phone too because the government has direct
access to all telecom networks. By law! No spying necessary.

------
rdiddly
It takes longer to sign the "pledge to delete" than to just delete your
account.

------
gamesbrainiac
I just use yahoo for fake emails. I think it serves that purpose wonderfully.

~~~
wtetzner
I just use Mailinator[1] for that.

[1] [https://www.mailinator.com/](https://www.mailinator.com/)

~~~
dredmorbius
That's inbound only though, correct?

You need another provider for sending.

~~~
kzisme
If it's for something to sign up to get a free bonus or coupon I use "10
Minute Email"
[https://10minutemail.com/10MinuteMail/index.html?dswid=-8354](https://10minutemail.com/10MinuteMail/index.html?dswid=-8354)

~~~
dredmorbius
Oh, I'm quite familiar with mailinator on that end.

------
grhmc
> Yahoo was recently sold to Verizon for 4.8 billion dollars.

Yahoo has not been purchased yet.

------
automatwon
This article is a great way to build up confidence to short Yahoo stock

------
gaius
Think we have flattened this site...

------
kyriakos
the only thing I ever liked about yahoo is flickr.. I'll miss it if it's gone.

~~~
dingaling
Yahoo Groups has some useful groups of which I've been a member for many
years. I'd prefer that they'd just move to Majordomo-ish mailing lists but
short of that they're preferable to Facebook Groups.

There is a mail icon in the top-right of my Yahoo Groups screen which I've
never clicked. Hovering over it says 'we're unable to preview your mail'. I'm
half-scared of _why_ that is.

