Yahoo Starts Scanning Emails (jottit.com)
42 points by Sami_Lehtinen on June 2, 2013 | 56 comments



I've had GC (general counsel) after GC tell me, both in company-wide announcements, as well as during all-hands, to never send anything in email that you wouldn't be comfortable seeing on the front page of the New York Times. Indeed, I've had at least one colleague who sent something a little "off color" to our internal lawyer (where you would think it would be protected) at Netscape, actually land up in the New York Times - so this isn't just a theoretical perspective.

In general, I consider email to be a public forum - It's probably been at least 15 years since I wrote down anything that I wouldn't be completely comfortable being published in public newspapers.

So, Yahoo (and google) are free to scan my email at will - I long ago gave up any thought of it being secure.


There is a gulf of difference between company email and personal email. Company email is provided by the company and others may need to read someone else's for many reasons.

Personal email has an expectation of privacy. You can argue from the point of view of cynicism and that's fine but it doesn't change my expectation.


I think the point I was trying to get across, is that unlike a personal conversation, either on the phone, or, ideally, in person - I've personally been trained to believe that email has the potential to be in a public forum. I'm not suggesting others are wrong to believe otherwise, I'm just saying that, when I type email to anyone - friend, mother, lover, or colleague - I do so with the expectation that the contents will be published.

If I want to communicate something personal, secret, embarrassing, or private for any reason, I do so in a conversation or phone call.

BTW, maybe my personal life is just boring - but this has very little impact on interpersonal communication, but a drastic impact on business communications, where I frequently find that I'm self-censoring, and asking myself, "Do I really want to commit that to email?"

Now, if my phone calls start getting published in the NYT, then I'm going to be very irate.


FYI With the advent of smart phones, phone call recording is very easy.

Possibly time to update that personal training of yours?

disclaimer: I agree, I believe everything online has potential to be public domain. I do, however, leave the tinfoil at home and realise not many people care what porn I watch or what the latest trite shit I post to my facebook wall is.


There's a difference between US and UK law that's interesting. In the UK, article 8 of the human rights act states that "Everyone has the right to respect for his private and family life, his home and his correspondence." A strict interpretation of this is that a company that monitors emails and intercepts an email between a husband and wife on a work email account violates article 8 [1].

In the US, I believe the government employees have more privacy rights with regard to email and communication than private employees, since private employers are not subject to the same constitutional restrictions - instead they're bound by contract law.

I do agree with you, however. Instead of the front page of the New York Times, however, my personal test is whether I'd be ok with it being projected in a congressional hearing, which actually happened to someone I know. It amounts to the same thing, however.

[1] It's mentioned in an appendix to "Unauthorised Access: Physical Penetration Testing For IT Security Teams," which is an interesting read. There's a particularly good story about an RSA SecurID key fob and a webcam...


never send anything in email that you wouldn't be comfortable seeing on the front page of the New York Times

This was the standard advice -- in exactly those words -- given to students receiving computing accounts at my university at least 20 years ago. I always wondered where it came from; did someone a few decades ago send an email which ended up on the front page of the New York Times?


Email that people thought would be private, has been appearing every year on the front page of the NYT, ever since lawyers realized that it was discoverable, and it was admitted into evidence.

My earliest recollection was 1997, when Eric Bradley, my colleague in Desktop Support, sent a ranting email to one of our top lawyers, pissed off that Microsoft's Browsers were screwing around with Netscape's configuration without asking the user.

http://query.nytimes.com/search/sitesearch/#/lessig+microsof...


Reminds me of this: https://www.jottit.com/v5wux/


How then does one handle matters that are commercially sensitive?


Phone calls, in person meetings. The contracts are usually privileged, so those can be shuffled around in email (the contents are still discoverable, but things like pricing are usually redacted.)

At least two of the very largest deals in one company I worked for were never discussed in email, and all parties met in person, and paper (!) notes were taken. It was only once all the essential details were agreed to (Memorandum of Understanding) and hammered out, that the final details were locked down by attorneys via standard electronic means.

Note, this is particularly important, if you are discussing things that might be coming close to (if not actually crossing) the lines of legality.

See: http://community.seattletimes.nwsource.com/archive/?date=199... for details of one such meeting.


Of course, that is only a workaround, not a fix.


Encrypted email (PGP) has been really easy to set up and use for about a decade now, particularly Enigmail.


PGP would not be a good choice for this. The mail archives are still discoverable, and I imagine the decryption keys would be as well.

Something closer to OTR would be a better choice. Deniability and forward secrecy are the important properties here.


2 things: 1) gmail has been doing this for years, and 2) yahoo mail has become the spam inbox of the internet. I basically only use it because some websites have wised up to mailinator.com. So the only thing Yahoo is going to learn about me from my inbox is that I get a ton of Cialis emails, and I have a lot of relatives dying in Nigeria leaving me lots of cash.

GMail, on the other hand, is where the problem lies. Too bad not that many people care.


I don't understand this. You put your junk emails in Yahoo!, and the ones you care about with Gmail (correct me if I'm wrong). You have a problem with Gmail, even though that they do this has been public for years and you chose them for certain Emails. Surely the people who care about this just don't use Gmail?


I have gmail, yahoo and hotmail (outlook?) accounts. I use gmail for main account and like you I used to use the other two for filtering spam. I have recently logged in to my yahoo and hotmail account to see if anything changed or new happening. From my limited first hand few minutes experience I felt that both of them looked better and loaded faster than gmail has.

I have not spent enough time with them to see if they provide all the granulated and edge case features I have come to enjoy on gmail, but they have definitely come a long way and I would say in some cases even better than gmail.

Gmail is starting to look old and has been really slow for me.


As a childish basic test, I timed loading gmail and yahoo mail. Chrome browser, FWIW. Browser open, and I just clicked the related bookmarks. How scientific of me!!!! Anyway....

5 secs for gmail. (used for junk, lots of mail)

2 secs for yahoo mail. (main email)

1 sec, almost instant for outlook. (empty)

So, I think we can forget the outlook speed. But I was surprised at the difference between gmail and yahoo. The cynical brain cells are also shocked that gmail isn't somehow accelerated in chrome.


On average gmail takes me 10-15 seconds to load. My inbox is almost always empty.


I always assumed this was the case. Not that I use it but seems pretty obvious.

As long as you do not see your email as exactly the same as your ordinary mail: i.e. "your letters" you will not understand what it means that they are "kept" by someone different from you.

Yes, this is a problem (no one has a private mail server out there except a couple of people). But that is reality.

"Oh, my letters, aunt Anna keeps them after I read them and the ones I send, she keeps a copy".

But Brutus is an honest man, as Mark Antony says.


Start? Doesn't Yahoo already have a virus filter? Or a spam filter? Or flags phishing attempts? All of those require scanning and analyzing all emails.

The only new thing seems to be that the same automated procedures that protect the user against spam, viruses and phishing will now also provide targeted advertising.


I think the difference here is use. They're using your personal data for their own gain versus a virus scanner which in theory serves to protect and work for only you.


Wait, just like Google have been doing for 8 years?


That's exactly why I don't ever use Google for anything which isn't 100% public and I won't allow publicly to be archived forever. For rest of stuff, I run my own servers, where I control my own privacy policies. Whenever I communicate with Yahoo or Gmail users, I simply send HTTPS links, which also require password before the content can be accessed. Yes I know, I should also use PGP, which I do with advanced users, but with others HTTPS & password is enough, when things are simply private and not secrets.


That's all a little too extreme for me. I'd rather just let Google read my mail.


That is a privilege which I'm sure you can understand why not everyone enjoys.


People like you piss me off :) (I'm sure I'll go to negative karma over this)


Haha why people like me piss you off? Interested in knowing :p


Because your apathy (well, not yours in particular, but of all the people behaving/feeling like you do) has an effect on everyone. Imagine if most people would be active in demanding their privacy be respected instead of just a minority.

I find your rhetoric of relaxed indifference "I don't care much about X reading my mail" very similar to the "I've got nothing to hide" rhetoric. It pisses me off because a couple years back when everyone was grilling me about not wanting a facebook account and me mentioning all the privacy implications, their response was: "oh, I have nothing to hide!" but at the same time they didn't feel like sharing with me their computer password.

Finally, in 2008 when I was looking to buy an apartment I had to pay the inflated price just like everyone else. It didn't matter that I paid cash. Why was the price inflated? Well, because people didn't bother to care much for the price of the apartment as long as they could get the loan from the bank. I had a friend that wanted to buy a house and all he could think about was what to do to be able to take the highest loan he could get. Never mind how he was going to pay for it later. Fast forward a couple years and now all those who bought apartments with the bank's money are looking for my sympathy because it's so hard for them to pay their mortgage and the bank might take their home.

I wish there was a country for people who cared. I'd move there.


truth, better ad targeting


We need default secure email, and we need it yesterday. It is long past the days where email was treated as private communication, as if it was a mailed letter going through the post office.

Default encryption is not that hard. In the earlier days, key management was seen as the major hindrance to ubiquitous encryption but in 2013 that is not as big an issue anymore. There are workable solutions, be that through extending what's in DNS, exchanging QR codes between smartphones, BTNS or even the mess of using the centralized systems of CAs.

Mail servers can have certificates. Domain names can have DNSSEC. DNS can even have keys for mail addresses (RFC 4398). So how hard would it really be for mail relays to automatically retrieve a key and encrypt the email before sending it forward to its destination?


"It is long past the days where email was treated as private communication, as if it was a mailed letter going through the post office."

Was email ever 'secure' in the way you're describing? As far as I'm aware, email gets sent in the clear. The analogy to the postal system would be sending postcards (as opposed to sealed letters).

Edit: fwiw I'm thinking about mail servers, online identity and DNSSEC with a view to pulling together a product in this space.


There has been a shift in privacy with cloud storage. When everyone was using POP3 to get email with a 2MB quota on the mail server email didn't stick around on the ISP's computers for long - it was generally stored on a device owned by the recipient, and searching that required all the usual fourth amendment protections.

The Stored Communications Act [1] makes a distinction between unread mail stored on a server for more than 180 days, and does not require a warrant to access such email. It appears that read email still does require a warrant, however, as it is considered a "Remote Computing Service." I didn't know that until just now, and am not sure how the legal requirements for accessing that differ from a hard drive sitting on my desk at home.

A secure email product would be interesting. I'd be interested to know where deniability (i.e. OTR) would fit into your plans.

[1] http://en.wikipedia.org/wiki/Stored_Communications_Act


Kim Dotcom is working on a secure, easy to use email [1]. And until then, if you're interested in security, it's probably best to use a secure messaging app like TextSecure.

[1] http://www.itnews.com.au/News/342446,kim-dotcoms-mega-workin...


Email has never, ever, been private. Email has never, ever, been reliable.

Some companies have been good enough to provide email that appears to be private and reliable, and some people have made the mistake of thinking that email is now private and reliable.

Changing terms at a provider aren't much fun, but people should have been assuming that their email was being scanned anyway.


The Yahoo inbox has been broken for years. It's one of the main reasons I switched over to google. Honestly I'm impartial to the idea of them using it for targeted advertising, the majority of sites I visit have a retargeting system or something else.... plus, I'm a facebook user.

This new email targeting change is making me believe more and more that the purchase of tumblr was in fact related to yahoo's shift towards improving revenues from advertising.


How is it broken?

I have used yahoo mail for something like 15 years. Mail comes in, mail goes out. It is stored, and very easily manageable. On top of that, I have never ever been let down by it.

So, what are you talking about? How is it broken?

And you switched to gmail? I have one of those too. Can't stand it. Yeah, it works perfectly well, but I personally can't get on with its design and interface at all.


Seems like a subtle advertisement for StartMail, honestly. Google has been doing this for years. I see the op has a previous submission for StartMail, too.

Any reason for that or is it just an attractive application/service to you? I mean, if it's something we should have a better look at, let us know.


Exactly -- if the general public really cared about this, Outlook.com would be more popular and Gmail would be in the basement.


You think MS don't scan emails? Then how are the naked pictures my next girlfriend sends me as attachments automatically sorted in the quick views named pictures?


uhmmm.. because there is something called 'file extension' that will sort pictures from say .docx?


which once again means the mail has been scooped while received since these are unread mails (I use outlook as a backup mail for gmail)


it doesn't mean your email has been scooped, it only means a computer algo sorted it automatically


I never used yahoo mail because I thought they were not scanning emails. I use it because it works, and has done for me for 15 odd years, pain free.

All I see here is them belatedly catching up with all the other privacy abuses by larger internet companies. Given that is how they make money to run and exist, and it is perfectly legal, sadly, yahoo would be stupid not to. I'm too tight to pay for a service and appreciate that it is free, so right there I give up my right to complain about how they finance their service.

Good to know, sure, but I don't see anything to get especially concerned about over and above everything else large internet companies get up to. It's not like I'm going to get better privacy easily elsewhere.


So are there any decent services out there that'll provide a yahoo/gmail-like experience but without the content scanning? I just want mobile, a fast web interface, and a basic feature set.

I'll pay. I'd upgrade to Yahoo pro if it'd get rid of the scanning.

And incidentally, I still don't understand the gmail preference. Yahoo's interface works flawlessly, is fast, and much better than gmail for the basics.


Yes, it's called postfix & roundcube.


Does anyone know if Google Apps emails are already read by Google? I know they do it for Gmail.


Do Google Apps filter spam? If so, they are "read by Google".


I'm really new to this email security stuff, and I feel like I know nothing... Would using third party end-to-end encryption service be a good idea? Something like a free service like penango.com?


Targeted ads don't concern me nearly as much as "abuse protection"


Spam, virus, phishing all fall under "abuse". Targeted advertising is the only new thing here.


It depends how ads are targeted. I personally think that even spam protection is a very big privacy issue. Because things like Bayesian filters collect extensive information about your messages. If I get your spam-filter rules, I know a lot about you, even if I don't get the actual messages. Actually spam filter info is perfect data for profiling, it's a condensed form of your communication. Especially the words which indicate ham content. Which for sure will include any professional terms & project names you're working on, primary contacts etc.
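
The point in the comment above about Bayesian filter data, as an added example (not part of the thread and not any commenter's code): a per-user token table is trained on constructed mail, then read back without the messages to show which tokens it marks as ham. Every name, project and message in it is invented for the illustration.

```python
import math
import re
from collections import Counter

# Constructed sample mail: all people, projects and organisations are invented.
HAM = [
    "Bluefin migration status: staging cutover moved to Friday, ping Marta",
    "Marta, the Bluefin invoice from Northgate Clinic is attached",
    "Northgate Clinic asked for the Bluefin audit report by Monday",
]
SPAM = [
    "Cheap pills, best price, order now",
    "You inherited cash, reply now to claim the transfer",
    "Best price on pills, claim your free order",
]

def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def train(ham, spam):
    """Build the per-user token table a Bayesian filter keeps on disk."""
    table = {"ham": Counter(), "spam": Counter(),
             "n_ham": len(ham), "n_spam": len(spam)}
    for msg in ham:
        table["ham"].update(set(tokens(msg)))    # messages containing the token
    for msg in spam:
        table["spam"].update(set(tokens(msg)))
    return table

def ham_indicators(table, top=4):
    """Rank tokens by ham log-odds using only the stored table, no mail bodies."""
    vocab = set(table["ham"]) | set(table["spam"])
    scored = []
    for tok in vocab:
        # Laplace-smoothed P(token | class)
        p_ham = (table["ham"][tok] + 1) / (table["n_ham"] + 2)
        p_spam = (table["spam"][tok] + 1) / (table["n_spam"] + 2)
        scored.append((math.log(p_ham / p_spam), tok))
    scored.sort(key=lambda s: (-s[0], s[1]))     # strongest ham signal first
    return [tok for _, tok in scored[:top]]

if __name__ == "__main__":
    db = train(HAM, SPAM)
    # The table alone surfaces the project name, the contact and the client.
    print(ham_indicators(db))
```

The practical consequence is that a filter's token database deserves the same access controls and retention limits as the mailbox it was trained on.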


You do realize email travels in plain text, right?


Email between large providers rarely does; almost every major SMTP server supports STARTTLS.


Yahoo doesn't use SSL/TLS.


So the exact same thing as gmail? Considering that Yahoo handed off dissents to the Chinese government years ago it's small beans.


Marissa Mayer in the heezy fo sheezy bringin some o that G-Funk bounce to this...



