416 comments

[ 5.1 ms ] story [ 301 ms ] thread
It sounds like Yahoo will fit right in at Verizon... It also sounds like another leak designed to damage Marissa Mayer:

> According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

Sounds like she was a pretty terrible CEO all-around. But as a user, I would never use a service run by Marissa Mayer again. She lost that trust for good.
> But as a user, I would never use a service run by Marissa Mayer again. She lost that trust for good.

Realistically, this is every American company. Why trust anyone?

Microsoft and Apple have both been in court during the last 12 months to block US government over-reach. Yahoo joins Amazon in ethusiastically facilitating it. Your assertion isn't realistic, it's nonsense.
I'm curious, when has Amazon facilitated US government over-reach? I couldn't think of anything off the top of my head, and googling only provided a bunch of documentation for AWS's cloud offerings to government agencies.
Amazon chose to boot WikiLeaks immediately after a US senator expressed displeasure with WL's original high-profile tranche of leaks.
I'll be honest, that doesn't really bother me, assuming AWS wasn't forced or coerced into dropping WikiLeaks. I happen to disagree with a lot of WL's actions, and understand why AWS may not want to host stolen classified documents. I understand that you don't share that opinion, and that my opinion may not be the most popular one on HN.

Any other examples?

I must have missed something, can someone elaborate on how Amazon has enthusiastically facilitated government overreach into citizens' privacy?
Sure, as far as we know, MS and Apple have been in the public eye as being against government overreach. I suspect it's less about protecting customers from the government and more about protecting themselves, though.

But one needs their hands and toes to count the other areas in which Microsoft and Apple have conducted themselves... poorly?

Apple in the poaching employees lawsuit. Spurious lawsuits over "design" (ie rounded corners on rectangles) trademarks. Colluding with music execs to push customers to their streaming music service (instead of ad supported "free" streaming on labels sites). Since this is about a CEO hate, Steve Jobs was a complete asshole by a number of accounts. Horribly abusive.

Microsoft... well their track record should be well established. The absolute worst of which was releasing a mass market OS that was egregiously insecure by default (yet, around here, the conversation often is "I wish MS tested like they did back in the day." when webcams break, but I digress). Again, the CEO thing, Ballmer was borderline incompetent, Gates was involved in a number of shady market capture schemes.

But you know, because in this one context of government over-reach, they did a bit better than Yahoo!, the parents position that they're all untrustable is complete nonsense.

The only thing "wrong" Marissa did was not make a shit ton of money for Yahoo! No one would give this story another thought if Yahoo!'s stock was worth $100 more than it was when she started.

That's about all MS and Apple have done "right". That end justified the means.

Court isn't likely to solve this. Only a wholesale rejection of terrorism as a realistic threat to, well, anything but our political process is going to do it.

I assume the FBI is reading my email. You should, too, or you will be unhappy when you find out they are.

Because people don't honestly care, they just like to pretend to care.

Convenience trumps privacy, every time.

It is impossible to live functionally in society without trusting someone on some level.
For sure. But it's prudent to understand and mitigate risk.
Yea--I'm just saying this is a product of being a business, not Meyer. One can fight it and still give information over. You can't take the sign of struggle as a sign your data is safe.
It's not a sign that your data is safe, but I think the point here is the opposite: You can take easy capitulation as a sure sign that your data is compromised.

Similarly, the lock on my door doesn't make me safe against everyone who might want to commit any crime against me, but all else being equal, a locked door is still preferable from a security standpoint, and it's very preferable to keeping your valuables in an unlocked room with a known thief.

Yes, but they said every _American_ company, not every company in general.
You can trust Google/MS/Yahoo!/etc. with your pizza orders and mortgage payments, while switching to self-hosted, GPG email from a RYF-certified machine for organising your secret mattress-tag-removing guerrilla.
Let's take this one proof of company cooperation with NSA at a time.
This is an instance of a specific executive, specific betrayal of user interests, and a specific mode of betrayal.

Meyer is toast.

I'll agree that the general level of trust evinced by corporate America is low, but there is considerable variance within that domain.

I'm not a fan of Mayer's, but sounds like she didn't want to fight the order since that hadn't worked in the past:

"Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo's challenge was unsuccessful."

Her real mistake was going directly to the e-mail team to implement the backdoor without telling the security chief about it:

"They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails."

Not winning on specific account searches is very different than not even fighting global access. Orders of magnitude different.
Good on Stamos for leaving.
Sure, but it's not like they had a non-terrible CEO in... ever? I'm not sure actually.
> I would never use a service run by Marissa Mayer again.

Surprisingly, stacks of $100 bills make great mattresses. She won't lose a night of sleep.

I'm not remotely rich, but I feel like after a certain amount of wealth, personal and professional reputation (and the success of things you control) matters much more to your overall happiness and well-being than your net worth.

I suspect she's not had a good year, from her perspective and for the people around her.

She might make anywhere from $55M to $122M from the Verizon acquisition. Please, sign me up for such a bad year.
I'd personally much prefer being known as a good CEO with a net worth of $5M than a bad CEO with a net worth of $500M.
Now gotta wonder if Google has succumbed to government pressure to do the same.

I'm really hoping and trusting they haven't.

Considering the amount of access they have to the White House: why would you assume that they haven't?
The white house is above the NSA and FBI, so wouldn't access to their bosses preclude them being coerced?
On the org chart it may be, but when the three letter mafia is blackmailing you what can you do, even as the president?
You can fire them, have them arrested, and/or have them disappear to anywhere you like. Presidents are pretty powerful.
If you actually wanted to do something, call them out on it. Blackmail is highly illegal, and if it actually goes anywhere, your VP can always pardon you.
I wouldn't bet a bent penny on it:

"Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied.

Alphabet Inc's Google and Microsoft Corp, two major U.S. email service providers, did not respond to requests for comment."

It's not a hard question to answer. You either are or are not searching all emails in realtime at the behest of the NSA.

"It's not a hard question to answer. You either are or are not searching all emails in realtime at the behest of the NSA."

It's easy to answer if you're not. If you are, you can't answer (at least not truthfully).

How much trouble would someone like Google be in if they gave a "warrant canary" style answer? "I'm sorry, we are unable to answer your question" would speak volumes without actually saying anything.

But I suppose that the order forbids "disclosure", and that statement is arguably disclosure...

The article says:

"Alphabet Inc's Google and Microsoft Corp, two major U.S. email service providers, did not respond to requests for comment."

Isn't that pretty much saying "I'm sorry, we are unable to answer your question"? If they weren't doing the same thing as Yahoo, they could say so.

They might be doing something different, that they still can't speak about.
No, it means Microsoft and Alphabet are not commenting on evidence implicating Yahoo!'s surveillance with the NSA.

It's basic PR for big brands to avoid getting quoted in the messes their competitor gets into.

They later responded. Quoting from Arstechnica's 5:11 ET update:

A spokeswoman for Microsoft, Kim Kurseman, e-mailed Ars this statement, and also declined further questions: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”

For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"

http://arstechnica.com/tech-policy/2016/10/fbi-demands-signa...

Don't the NSL's typically have a section saying that they have to deny they ever received one?
It's not just pressure, it's an order by government. Court orders aren't really optional.

And as much as you might think this is a huge problem, it's a bigger problem with companies aren't restrained by government orders. Imagine if Exceleon politely declined to allow nuclear inspections.

At this point, it's save to assume that NSA/FBI/CIA/Pentagon has front door access to Google.

That cheap-oil-for-your-private-planes deal with Pentagon is one small evidence [1]. The other is Matt Cutts working for (on a temporary basis) the Defense Department's branch of USDS [2]

[1]: http://www.wsj.com/articles/SB100014241278873238646045790697...

[2]: http://fedscoop.com/former-google-spam-chief-heads-to-usds

As for Microsoft, well, no debate there.

> That cheap-oil-for-your-private-planes deal with Pentagon is one small evidence

a perk they apparently shouldn't have been getting and was cut off by the pentagon is evidence the pentagon has front door access to Google?

> The other is Matt Cutts working for (on a temporary basis) the Defense Department's branch of USDS

What, do you think he really needed a job so the web search spam guy gave access to user accounts in exchange for getting to work in government contracting?

Really need to work on your circumstantial evidence.

I think the attitude here that most tech companies are rolling over and just complying without a single ethical consideration is misplaced.

The government has been doing an excellent job of basically extorting these companies into compliance. They threaten the full weight of the US government's wraith and then tie every order up with classifications and gag orders.

You aren't legally allowed to talk to other companies in the same position. Most your legal team probably doesn't get to know what's going on. You can't take your case to the public without being held in contempt.

I'm not giving these companies a complete pass for being complicit in the erosion of individual's civil liberties but treating this as if the decision is easy is vastly unfair.

The most damning part of this story is that Mayer decided to comply without telling her chief security officer. That really does make it look like Yahoo rolled over without a fight.
Since it had a gag order, she likely wouldn't have been allowed to tell him. The government doesn't care about the security implications of these backdoors, they just want the data.

Also, Yahoo spent many years fighting similar requests (I think before anyone else did) and won nothing.

She also was obviously being advised by Ron Bell, the GC. If she didn't tell Stamos, it was probably based on the guidance of Mr. Bell. I'm not sure we can fault Mayer much on this one.

She's the CEO, she gets paid to be responsible for everything at the company. Of course she is at fault.
Knowing Stamos' background, it's possible that she was specifically required not to tell him.
How do you slip something like this past a corporate security team? Stamos and @bcrypt never struck me as individuals that were "asleep at the wheel".

Surely there was evidence somewhere? If Stamos wasn't briefed as to the situation and a security engineer found the rootkit on their own how could they be bound by the terms of an NSL / gag order?

I don't know any more about this than you do; I'm learning about it from the same Reuters story. But according to the story, the decision to implant the backdoor wasn't discovered by Yahoo security; rather, the backdoor itself was discovered, weeks after it was deployed.
So is the speculation that Stamos' departure was related to this? The timing would seem suspicious otherwise.

If so, one wonders if he would take a similar principled stance a second time at Facebook. Much harder to jump ship for greener pastures while already riding the biggest rocketship in town.

I do not believe Stamos would remain at Facebook after something like this.

But we're not much more than acquaintances (we both worked at NCC, and were prior to that former business rivals or whatever you call two people with similar roles at competing firms). I like him.

I just want to be clear that I'm not speculating about Stamos's motives.

(comment deleted)
(comment deleted)
In a large pipelined, distributed architecture, there's probably dozens of consumers of the databases that all look rather similar: they do some queries and pack up some reports for internal consumption. Marketing, ab testing, user experience, etc. Yet another consumer sharing 99% of the same code might not stand out.
At the risk of being downvoted for possibly being pedantic...

Knowing Yahoo's mail architecture very intimately, your analogy here isn't very accurate unless you get very abstract with your usage of the words "database" and "queries".

This seems like the more interesting question.

Whether Mayer went around him willingly or by legal requirement is basically unanswerable, except to note that the email team chose to do the same. There's not much to say when we can't tell collusion from compulsion.

The question of accidental discovery, by contrast, is a fascinating one. A gag order couldn't possibly compel someone who made the discovery on their own (for the simple reason that they wouldn't know about it to be compelled). So circumventing the security team, instead of simply including them in the NSL, raises an interesting discussion about the nature of the NSL and why the matter was kept from Stamos' team.

> A gag order couldn't possibly compel someone who made the discovery on their own (for the simple reason that they wouldn't know about it to be compelled).

If the company was gagged, I don't see how it would matter whether company employees knew about it in advance or found it by accident. Either way, the company is still gagged.

Also, while your comment makes common sense, national security restrictions don't have to make sense to be legal. For example there is information that is "born classified," meaning that even if it is independently developed, totally separate from the defense apparatus, it's still considered classified!

That particular employee may not be. Obvious solution is to have a page ran by some reasonably trustworthy organisation where people can report these breaches before passing them on to their superiors.
Add it to the spam filter? The security team probably reviews the spam filter code, but perhaps not the particular weights and measures it uses on a daily basis. So you set up a parallel filter for "arabic spam" that generally looks like regular filter, just tuned a little differently.
The feds had an API that allowed them to download the mail caught in the "Arabic spam filter". How do you hide that?
Perhaps the ssh connection running 'tail -f spamlog' is what tipped off the security team.
(comment deleted)
> Yahoo execs deliberately bypassed review from the security team when installing the backdoor. In fact, when members of the security team found it within weeks of its installation, they immediately assumed it had been installed by malicious hackers, rather than Yahoo’s own mail team. (This says something about what the backdoor code may have looked like.)

https://diracdeltas.github.io/blog/surveillance/

Had Mayer specifically told him, he'd have been compelled to remain silent as she was...

I wonder if she knew the security team would find it if they weren't consulted, making not telling them the legal way to tell them.

Yahoo is a public company, it has to follow SOX which requires a security policy to be followed.
Weren't high level officials communicating over Yahoo! mail?

Was Yahoo given a contract, or otherwise compensated?

Isn't this the same as the Snowden revelations?
No. This is from last year. Snowden came out in 2013.
I wonder what the actual personal consequences are for someone going public that there is an NSL requested. I seriously doubt they'd destroy a major public company with lots of employees/voters/users; fines, maybe, and going after execs, but the Government loses most of its power to threaten things once the act is done and everything is public.

I think you win in the court of public opinion if it's a broad program like this (and IMO clearly unconstitutional). If it's an NSL about, say, an order to specifically target UBL, you probably hang in public opinion. If it's an NSL about, say, finding Snowden, you might be ok. This is an interesting check and balance vs. government overreach.

I'd be a lot more comfortable with someone going public in a live press conference in DC (maybe releasing a key to a file which is pre-distributed), than someone running off to Russia or doing it anonymously, though.

It's an experiment that I would personally be willing to try were I a high-visibility C-level exec. Been to jail, not that bad, mostly just boring; and certainly the jail that CEO me goes to would likely be better than the jail the real me has been a guest of. But the kind of person willing to tweak the nose of the government doesn't usually get to be C-anything.

As you point out, best to wisely pick your battle as you'll want public opinion behind you. And remember that as popular as she is, Martha Stewart still went to jail.

Chelsea Manning, who is imprisoned over something similar to this case, may have a different opinion on how nice jail is than you.
Chelsea Manning was imprisoned over something very different: she was a US soldier, not a private citizen, and she made public internal government documents, not a letter explicitly addressed to her.

Different standards do (and, IMO, should) apply to leakers who are government employees or members of the armed forces with a security clearance and to private citizens who are not 'leaking' something but rather sharing something they did not explicitly and voluntarily (through a contract or NDA) agree not to disclose.

Also, if you disclose that you received a NSL, that probably means you at least read the thing you're leaking before leaking it.
And yet the non-military CJ system can be brutal and harsh. I'd imagine it's certainly possible the first person to disobey a NSL might be made an example of, especially depending on who is in charge of the executive branch at the time. You could be locked in solitary for years until you lose your mind. You could be assigned to prisons in such a way the authorities ensure you would be repeatedly beaten and raped. You could be indefinitely detained without trial or attorney -- the crime is national security related, after all. There is a horde of horribly nasty things that could be done to you even if you aren't military or security clearance. It's worse for the military, but it's bad enough for the rest of us.

Perhaps unlikely, but certainly very scary.

For one, it depends where you come from. If you earn in the neighborhood of $25M a year it's likely you will find jail less comfortable than your home.

Secondly, breaking the law or even challenging NFLs carries a personal risk of going to jail, while silently complying carries almost zero personal risk, and a small risk of damaging the company's reputation if/when someone finds out. If you're not very strongly principled, the choice is really easy to make.

(comment deleted)
I've been wondering about this myself.

Apple got a mixed response when they pushed back on the FBI, but certainly not a clearly negative one. Lavabit's rather alarming case earned them substantial respect in the tech circles that learned about the matter.

Certainly whistleblowers have faced immense consequences, but they've been government or military employees engaged in major disclosures. To jail a 'captain of industry' for reporting that the government handed her a sheet of paper would be spectacularly bad optics, attacking a respected private citizen over an intuitively absurd legal mandate.

I suppose the details of the account in question would become important. If the public can be persuaded that you blew up an important investigation, you probably lose all support; we've certainly seen the government disclose a surprising amount of formerly-secret material to turn public opinion against whistleblowers. Even there, though, you could test the gag order by disclosing the fact of an NSL without the content.

If they can't show overwhelming importance, though? If it's just a cartel bust or a leaker or something similarly non-terrorist-y? I'm trying to picture the government bringing the hammer down on Cook or Mayer for going up on stage at a conference and unashamedly violating an NSL. It doesn't seem like a good fight to pick.

Also committing to a "fuck NSLs, we'll just go public and take it all the way legally" stance upfront might deter NSLs in the first place.
The fact no-one has done this means the consequences must be absolutely devastating. Probably jail time for executives and potential financial collapse.

Probably the only time an executive would go to jail for breaking the law in the US...

I remain unclear on the consequences. I don't think they're tested. 18 USC 2709(c) is what the government cites when they invoke nondisclosure. You win a prize if you find the consequences for violating that statute. Also, NSLs can be upgraded to court orders if the recipient is noncompliant. 18 USC 3511 discusses that:

> the Attorney General may invoke the aid of any district court of the United States within the jurisdiction in which the investigation is carried on or the person or entity resides, carries on business, or may be found, to compel compliance with the request. The court may issue an order requiring the person or entity to comply with the request. Any failure to obey the order of the court may be punished by the court as contempt thereof.

So they can upgrade to a court order and then hold you in contempt if you do not fulfill the terms of the court order. I am not clear if that includes the nondisclosure term. This is the closest I've ever come to identifying "what would legally happen if someone published an NSL?" Honestly, and I'm not extremely comfortable saying this and please do not get ideas, after a lot of research I don't think there is a federal punishment defined in legislation for doing it.

Usually laws have a punishment immediately after them. As in, section A is what's illegal, section B is how to punish violations of section A. 18 USC 2709 and 18 USC 3511 don't have that, so I honestly have no idea what would happen, and I half wonder if the federal government doesn't either.

(IANAL, etc)

It's entirely possible a highly-paid legal counsel like Apple or Google has finds out the emperor is wearing no clothes and NSL's are unenforceable.

The question is: who is willing to find out? There's all kinds of nasty stuff the gov can do to you personally for trying to fight an NSL - loss of gov contracts, detention at custom and border control, no-fly list, etc.

People with success tend to be afraid of losing it. They know it's mostly all luck and lightening probably won't strike twice.
NSLs are likely not the case here with Yahoo (and in fact are not the most significant privacy threat, IMHO). An NSL is a demand from the FBI, not a court order. NSLs also have unique First Amendment vulnerabilities that would help a company choosing to publicize receiving one.

A FISA court order, which can force you to do much more than NSLs, is the more significant operational threat to Internet companies. These court orders typically have "do not disclose" provisions. Willfully violating that court order will almost certainly result in contempt charges.

What if you had all your mail scanned or OCRed to remove certain phrases such as "do not disclose" and then the resulting message was delivered to you.

The key here being that you will never have any knowledge of such requirements and therefore cannot act with intent to violate such requirements. Basically, can you eliminate mens rea as an element of the crime of contempt?

The burden is on the deliverer to make sure you receive, open, read and acknowledge the entire message instead of a partial message.

> What if you had all your mail scanned or OCRed to remove certain phrases such as "do not disclose" and then the resulting message was delivered to you.

Willful blindness is (as one might expect) evidence of willfulness of an act, rather than a way of displaying an absence of willfulness.

Is it possible that the board would simply remove the CEO in time for the government to have its way with the company, in hope of averting financial Armageddon?
>I wonder what the actual personal consequences are for someone going public that there is an NSL requested.

Under the Patriot Act its 5 years in federal prison for any individual who violates a gag order.

(comment deleted)
>You can't take your case to the public without being held in contempt.

I don't know about that, Yahoo has a pretty big platform they could use against the government.

Not that I'd really expect anyone to pick up that fight, but Yahoo is far from powerless here.

Yes. It's worth noting that the former CEO of now-defunct telco Qwest claims that he spent 4 years in prison because he refused to comply with illegal NSA demands. [0]

[0] https://www.popularresistance.org/former-qwest-ceo-says-refu...

If only he had taken the high road and not dumped millions of dollars in stock shortly before it tanked, we wouldn't have to wonder about why he's in prison.
Yeah, that's what I said. It seems so many of these leakers or government examples would almost perfectly illustrate the point of activists if they just didn't do something incredibly illegal, naive, or debatable on top of the solid contributions. Then, we have to wonder why whatever happened to them really happened. Would the connection still be there if they just did the one or two good things? Can't prove it to skeptics.

I always encourage those in the future resisting police states to make sure whatever they do is beyond doubt A Good Thing. Even Constitutionalists on pro-surveillance side should pause to reconsider their views. They won't if they think person got canned for being a traitor or running financial schemes. (sighs)

> I always encourage those in the future resisting police states to make sure whatever they do is beyond doubt A Good Thing

But A Good Thing would easily be destroyed by simply fabricating a case against the enemy, wouldn't it? Like rape, child porn, the usual.

It's possible. So far, they're just using what's already there.
Right, they didn't make up this case. Everyone who has worked in a publicaly traded company knows you can't trade until a few days after the earnings release. It's double so for the CEO! How could he have not known that? I am sympathetic to the possibility that the govt my go after someone that didn't work with them, but he committed a separate illegal act, selling that stock. They didn't go after Martha Stewart for talking about the cia.
I don't buy this argue...Open Whisper Systems managed to not roll over and they are only less than half a dozen people...
Devils advocate: They have less to lose.
Advocate for reality: they don't mean shit in bigger scheme of things since virtually nobody uses them. So secret groups put less effort into them. Yahoo, Gmail, Lavabit, various IM's... all were in the Snowden leaks as SIGINT-enabled through taps, black bags, or "FBI coercion." If Whisper got that important, I think we'd see bad stuff happen to the company or Moxie.

So, enjoy the added protection from nation states of low uptake if you're using it. :)

It's easy to say with confidence "These 6 people that I know well and represent are OK losing their jobs when you fine my company out of existence".

It's much harder to say "I will defy you and in the process cost 10k+ people their jobs without them having any say or knowledge of this".

> I will defy you and in the process cost 10k+ people their jobs without them having any say or knowledge of this

There's no way the govt. would do anything more than skewer (or attempt to) a few sacrificial lambs for violating a gag order. There's no political win otherwise.

https://www.theguardian.com/world/2014/sep/11/yahoo-nsa-laws...

"The US government threatened to fine Yahoo $250,000 a day if it refused to hand over user data to the National Security Agency, according to court documents unsealed on Thursday."

"The size of the daily fine was set to double every week that Yahoo refused to comply, the documents show."

Two years ago

Such a fine can be challenged in open court, no? Or is there an order by a secret court preventing Yahoo challenging the fine in a regular court?

How do you defend yourself from secret orders issued by secret courts that forbid defending yourself? What is this, mafia or the government ?

Yahoo challenged it in FISA court, not open court.

"Yahoo took its case to the foreign intelligence surveillance court, also known as the Fisa court, which oversees requests for surveillance orders in national security investigations. The secretive Fisa court provides the legal authorities that underpin the US government’s controversial surveillance programmes. Yahoo lost its case, and an appeal."

isn't the whole premise that the Big Companies actually control the government? "They threaten the full weight of the US government's wraith and then tie every order up with classifications and gag orders."

full weight? You mean like a small fine ? That's what happened to Wells Fargo. The govt . seems really angry about it, but what can they really do to a corp that is considered an entity?

Maximizing shareholder value is like a death grip that squeezes any public corporation into not making financial gambles on ethical grounds.

It's so important that these leaks go public for two critical reasons:

1) with that type of financial regulatory environment for public companies, the only way to create incentives for that type of consumer protection play is when it has monetary consequences if they do nothing (customers shutting down their accounts)

2) court docs from an earlier Yahoo trial in a secret court were already released when the NSA requested a huge trove of emails and Yahoo challenged it. I read the judges ruling and the TLDR is that the judge said the customers will never know their email is being read so how can you claim that a privacy violation has occurred?

The twisted logic here is that there's no damage to the customer/company as long as the intrusion is conducted in total secrecy.

So that's why Yahoo is so willing to fold here. This is what they are dealing with.

Side note: Imagine the same logic was applied to police a search warrant that allowed police to enter hundreds of houses, a type of warrant that could never be challenged by these homeowners defence attorneys. "They'll never know police broke into their house and went through all of their drawers and personal belongings. They'll come home the next day and everything will seem exactly. the same. So what claim to privacy violation could do they have?"

The need for secrecy in FISA courts goes well beyond protecting state secrets like NSA tech. This type of judicial rationalization would never withstand scrutiny in open courts which is why total secrecy is the key.

>I read the judges ruling and the TLDR is that the judge said the customers will never know their email is being read so how can you claim that a privacy violation has occurred?

What?! That's like saying my home wasn't actually burgled until I arrive home to see that it was, absolutely ridiculous

> Maximizing shareholder value is like a death grip that squeezes any public corporation into not making financial gambles on ethical grounds.

Will this meme never die on HN? There is an obvious counter-example: Apple, a public corporation who publicly fought a similar request.

The idea that "maximizing shareholder value" is some sort of inescapable Faustian bargain is just not supported by the facts. People who run corporations might choose to act unethically, in order to maximize a certain outcome, but they are not forced to do so by the mere fact of running a for-profit corporation.

To the extent there is a structural problem in public corporations, it is one of executive incentive, not shareholder obligation.

> Apple, a public corporation who publicly fought a similar request.

The FBI went public with the case, not Apple... and the warrant was signed by a public criminal courts judge not a FISA court. That's a critical difference. There are no examples of successful challenges to NSLs, don't downplay the seriousness of doing so.

"Going public" is not really an option for the stuff we're talking about (as the Yahoo case I mentioned made clear, the whole warrant is predicated on secrecy ). If they do they could face serious financial penalties or face their CEOs going to jail where yes shareholder value will take a hit. The markets are very sensitive to large lawsuit liability and CEO changes.

So I don't see how you could challenge these laws as a public corporation without knowing full well you will damage the share value.

Their obligation to maintaining the stock value is only part of the issue here. You're expecting these businesses to be heroic martyrs when the state has stacked the chips extremely high against them. There's no question who is responsible for this mess.

Yet the US is on track to vote in another president whose primary national security strategy on her website is to expand NSA power and increase domestic and foreign intelligence gathering.

Four more years!

> Yet the US is on track to vote in another president whose primary national security strategy on her website is to expand NSA power and increase domestic and foreign intelligence gathering.

Scary indeed

Apple is also the most profitable company in the history of the world. So, they have more ability than most to fight something like that.
> > Maximizing shareholder value is like a death grip that squeezes any public corporation into not making financial gambles on ethical grounds.

> Will this meme never die on HN? There is an obvious counter-example: Apple, a public corporation who publicly fought a similar request.

This is a poor example to use to disprove the claim; Apple used the FBI encounter to prove to customers that they were tough on security, a component of their value proposition to a segment of the customer base.

"Maximizing shareholder value" has become like a Rorschach test, or a "just-so" story that people try to use to retroactively explain everything.

Why didn't Yahoo fight their order? Maximizing shareholder value.

Why did Apple fight their order? Maximizing shareholder value.

An explanation that applies to all outcomes does not actually explain anything.

Regardless of the merit of your claim, it remains the case that the provided example is ineffective.

There were many earlier this year that said standing up to the FBI improved their perception in foreign markets.

> the TLDR is that the judge said the customers will never know their email is being read so how can you claim that a privacy violation has occurred?

Really? A judge really said that? So if I place a camera in my neighbors' bathroom, and they never find out about it, everything's okay? Does it work with other crimes? If I steal millions from a company, but they never figure it out because their accounting department is sub-par, then I'm fine??

Running a huge legal risk is not consonant with maximizing shareholder value.
> full weight? You mean like a small fine ?

The amount of leverage NSA/FISA have is rather different than what the CFPB has at its disposal.

aka treason and the death penalty
The bar for treason is a little higher than refusing to secretly forward some emails.
Power isn't uniform or absolute.

Centralised powers have capabilities, but also weaknesses and vulnerabilities, and Yahoo in particular is an exceptionally vulnerable technology company.

Companies can influence specific laws, and sometimes work in concert to achieve specific aims (see the totalitarian plutonomic pact, a/k/a TPP, backed by virtually every major infotech and comms company: Amazon, Apple, AT&T, Cisco, Facebook, Google, Intel, Microsoft, and Verizon, among others). But they're also vulnerable to specific legal threats, investigations, and withdrawals of contracts.

Where corporations influence governments most effectively is where the collective interests of political and industrial leaders is furthered. Where corporations successfully oppose governments is where the corporations have some level of political leverage, often through influence on key elements of local economy. Where government has influence over corporations is where there's little financial upside, and often only a vague and long-term benefit to the company, and where national security or mass popular interest plays strongly against the companies.

Yahoo had no leverage and considerable downside in trying to stand up against this order. The long-term downside to compliance is what's emerged here: disclosure of the project and a possible scuttling of Yahoo's announced purchase by Verizon. The best case for Yahoo without the Verizon takeover is that it's dead. With the takeover, some of the investors and executives recoup a small amount of the long-term loss of value in the company.

Yahoo had little to gain by fighting (it would have been executively decapitated and entered immediately into a likely fatal legal fight with the US Government), and something to gain by playing along.

Mayer took the easy, and unprincipled, decision to play along.

>treating this as if the decision is easy is vastly unfair.

Especially for Yahoo, given their tough financial and market situation. It was far easier For Apple and Google.

Well, they've already "made an example" of the only company to truly stand in their way. Look at Qwest - you talk to the average citizen and their takeaway was that justice was served | A corrupt CEO ran the company into the ground and went to prison. Hurrah!

Don't pay attention to the fact he denied installing what he considered unconstitutional wire taps for the NSA resulting in the government pulling almost a billion dollars worth of contracts from the company. That example alone proved that the government can tell any narrative they want; they own the media, they'll own private companies too.

The Joseph Nacchio story is very complicated and not the best example of the point you are making, sadly. Qwest was undeniably naughty with the books on his watch and they had a case. I agree it sucks, just saying he's not the best example.
Which isn't to say that government organizations only ask companies with unquestionably above board accounting to engage in legally dubious initiatives.

Plainly, there's no reason to take a company's compliance as a sign that they 'have nothing to hide'. Likelier, it was in part because they did that they complied.

No, it just means, if you're going to dig in and take on the government make sure your house is clean. That's all it means. That applies to dealing with anyone with power, really, not just the government.

I'm not sure why I'm being downvoted. They had a case, and while the conclusion I was responding to is extreme, Qwest's accounting fraud ran into the billions and they had a pretty strong case that Nacchio profited from that. I'm not saying whether I agree or disagree nor am I saying I don't think Nacchio is notable for taking on the feds, just that Qwest is not a good example of what happens when you do because the government had a legitimate gripe with the books.

Lots of other companies, especially lots of other investor-driven telcos in the late 1990s and early 2000s, were guilty of the same and worse, and were never charged.

The proliferation of fake crimes like insider trading gives the state discretion to imprison anyone for basically political reasons. Any executive who owns financial instruments that refer to the firm that employs her can be found guilty of insider trading, if federal prosecutors wish.

Being clean is not an adequate defense. First off, no one is perfectly clean. If you were by some freak of nature actually clean, they would just throw a bucket of mud in your face before accusing you of being dirty.

The way the experts play is by mutually assured destruction. You get enough blackmail material on someone to assure their cooperation, and you leak just enough to them for them to think they have some leverage over you.

That's why fraternity initiation rituals are usually at least embarrassing, sometimes humiliating, and maybe even illegal. Rather than ensuring cooperation using intimidation by strength and the constant threat of swift and certain retribution, as with organized crime's code of silence, that mutual blackmail ensures that whomever it is that acts against the group first loses most. The renegade can be dogpiled, discredited, and disavowed, and the damage to the group is minimized, because no one person can know all the dirty secrets.

If you want to take on the government, you have to be as clean as possible, while also knowing where a few of the bodies are buried. But in that case, it may be easier for the government to recruit you to switching to their side. So you also need the moral fortitude to put principles over huge, heaping piles of money. And in that case, how did you get to be CxO of a big company, again?

Thats the entire point he is making. Blackmail and other forms of influence and control are their modus operandi, they used knowledge of his illegality (which they had most likely got unconstitutionally) to try to bend him their way, and the prosecution was vengeance for defiance.

If anyone wants to have a serious discussion of the control structure, lets start with Milners Kindergarten and the round table groups. Even the NSA has a shadowboss.

The media is mostly controlled and distributed by private companies that collude with the government for their own benefit, Google and Yahoo are exactly such companies.
if by collude you mean do so under threat of legal action and possible end of your business, then perhaps you are right.

for a site like this I am always amazed at how many people think it is easy to stand up to the full brunt of the government. the US government not only has the capability to do any business and person on US soil what it wants, it has people within it who relish in that power and who won't bat an eye to use it. if there is a legal issue the laws can simply updated "for the people".

this is not to say its any different elsewhere, the government controls the laws, the weapons, and through those can end your ability to do business if not simply through confiscation.

Well, since most media is advertising dependent, they're dependent on access to information to give you something of value, to in turn sell ads. If investigating or reporting on something shady means, a press operative can no longer be allowed access to an election campaign, or means their correspondents get snubbed at press conferences. They'll cooperate or not report on something, or follow the delivered narrative in lieu of their long term business interests.
It's much simpler when you stop trying to pretend the people who run these companies are benevolent angels out to do good in a scary scary world. These companies are run by the same class of people that run the government, they have the same interests and they collude in order to further their interests. Very simple.
The Palantir witchhunt against Peter Thiel is another example -- threatening to invalidate government contracts because of some imagined discrimination due to Thiel's political views.
Curious -- where was it reported the govt wanted to invalidate Palantir contracts?
If that were the case, then Apple would've caved in, too.

Mayer was probably too new and too scared to deal with this, especially when she had to think about her new baby.

My point is it has less to do with "Yahoo being scared about being destroyed by the US government" and more with Mayer's own personal fear of the US government, and easily caving to such threats, whether it was because of her baby, because of weak character, or because she was inexperienced as CEO didn't know how to handle this.

EDIT: Also Yahoo's response to the story is such bullshit:

> “Yahoo is a law abiding company, and complies with the laws of the United States.”

What's the law you're abiding with that says you need to implement such a backdoor? Name it. Even the FBI named the law or laws it thought would help it force Apple to put a backdoor in its phones.

So if Yahoo can't even name the law, then that law or the gag order saying they can't name it are unconstitutional. Period. It also proves once again how easily Yahoo caved.

> Mayer was probably too new and too scared to deal with this, especially when she had to think about her new baby.

OK, I normally think misogyny claims are over-blown and people are way too sensitive.

But your comment positively reeks of misogyny.

Rather than go for a down-vote, because you're able to edit your comment, I think you should reconsider the phrasing and delete the misogyny. If your comment doesn't stand without it, I believe deleting it would add to rather than subtract from, the discussion.

> > Mayer was probably too new and too scared to deal with this, especially when she had to think about her new baby.

> OK, I normally think misogyny claims are over-blown and people are way too sensitive. But your comment positively reeks of misogyny. Rather than go for a down-vote, because you're able to edit your comment, I think you should reconsider the phrasing and delete the misogyny.

Having newborn twins at home could certainly be a factor in any CEO's willingness to make an ideological stand in the face of jail time, regardless of the CEO's gender. Plus there's a wealth of feminist writing about the potential for gender disagreement when it comes to this very question, going back to Kohlberg, Gilligan, and an imaginary guy named Heinz.[1]

FWIW, I do agree that any privileged group should be conscientious when discussing others who might sometimes feel like or be seen as outsiders, and that this applies to guys in tech. But your comment seems a bit over the top and risks shutting down discussion about an important topic... whether the government took advantage of the fact that Mayer had newborns at home when they pressured her to comply.

[1] https://en.m.wikipedia.org/wiki/Lawrence_Kohlberg%27s_stages...

Men can also have new babies. I'm chuckling rather heavily at the fact that you are the person who brought the sexism to the discussion in an attempt to white knight a bit.
"What's the law you're abiding with that says you need to implement such a backdoor? Name it. Even the FBI named the law or laws it thought would help it force Apple to put a backdoor in its phones."

A court order to enable warrantless wiretapping per FISA provisions. That's what they were doing with others per the leaks. The Sentry Eagle leaks, highest classification they had, indicated the FBI "compelled" domestic firms to "SIGINT-enable" their stuff with FISA mentioned repeatedly. It didn't define the methods they used to compel companies.

So, they have some way of leaning on them with the Patriot and FISA Acts as legal support. It shouldn't surprise you given it's happening in an active, police state with apathetic citizens who haven't forced Congress to roll back the legislation. Media has been fairly complicit, too, as they're not pushing the angles that would stir people into action. They watered down the previous debates.

Until these legislations are killed, there's secret courts, secret consequences, and gag orders that all these companies are faced with. Unlikely anybody will help them if they violate the rules that serve the state. So, it's on the citizenry to modify those rules so there's accountability. They mostly don't care. So, compliance with the court orders is rational choice by a company with no rational alternatives unless it intends to shutdown and make everyone jobless. Which will likely just shift business to competitors that secretly cooperate with the State. Like with Lavabit.

Note: Apple got to be lucky exception since FBI publicized the case and tried to fight in court of public opinion on top of an actual court. Terrible thing is we still don't know if they backdoored stuff for them with that being a show. Especially that HSM. It's illegal to know in the U.S..

> I'm not giving these companies a complete pass for being complicit in the erosion of individual's civil liberties but treating this as if the decision is easy is vastly unfair.

Actually you are giving them a pass because your comment contains nothing but apologetics for these companies. Whether their decision to spy on their customers and invade their privacy was easy is irrelevant and all of your apologetics are worthless speculations based on nothing whatsoever.

I'm not saying they made the right decision. I'm saying that people treating this as if it were an easy place to be are likely over simplifying the situation.
> I'm not saying they made the right decision.

You're also not saying they made the wrong decision.

> I'm saying that people treating this as if it were an easy place to be are likely over simplifying the situation.

Nobody is treating it as if it were an easy place to be because nobody gives a shit. It's irrelevant to whether what they did was right or wrong.

I agree. I'll go further to hold the U.S. citizens responsible for the apathy in dealing with rampant deceit and abuses of power by intelligence companies. One set of those were what led up to secret courts, mass surveillances, etc. Any number of leaks showing they were full of crap wasn't enough for citizens to take action. They took action on many inconsequential matters, though.

So, if citizens continuously allow or even create (surveillance supporters) a police state, then the companies operating in it are under no ethical obligation to take risk to protect them from that police state's activities. Those companies would actually be putting in more effort and taking more risk than most of the citizens themselves. That's an unreasonable expectation.

U.S. citizens need to get their shit straight in this country. Interestingly, the vast majority are pushing for the two most corrupt candidates imaginable for this election who have each mocked the Constitution and support the police state apparatus. Trying to protect them is a lost cause. Better to invest that effort into a different democracy whose people actually give a shit vs this one.

See, the thing is, if the company had a way to encrypt all communications so that they couldn't read it, they wouldn't be in this position :\",
With SAAS, a server-side code tweak could resurrect surveillance capabilities.
Public companies have no real ethical consideration other than the warped perception of fiduciary responsibility to shareholders. Some companies may be managed by good people, but people are ephemeral, tomorrow anything can happen.

You have to criticize and a spew abuse at these companies, whether or not they are secretly resisting these orders, because their resistance is secret. Only by damaging entities responsible for implementing government policy can you affect change.

I used to work for a govt contractor. The only chance freedom has is for people to say shit like this to signal some of the bs I witnessed under those circumstances. Nuff said.
Very few people would put the blame mainly on companies like Yahoo or Google as they are forced by their government to do this.

But it still makes using their services dangerous to you and your company or the company you are working for.

I would even go so far and require any politician running for any office to not have used any foreign email, messenger or social network in the last X years except for reaching out to voters.

There's a high risk that they could be blackmailed with their private communication being in the hands of foreign governments and I don't want compromised people like that anywhere near public office.

>You can't take your case to the public without being held in contempt.

1. Report the letter stolen.

2. Publish it anonymously from a public hotspot with a throwaway phone.

It's not even particularly risky.

I know you are not supporting the companies here.

But let us just do a thought experiment. Suppose your bank suddenly locks up your money tomorrow, and when you ask for it back, they say: "Well, there was an unexpected event in some sector of the economy which happened behind the scenes which we cannot tell you about. However, what we can tell you is that we were sufficiently pressurized by the government that it was for the good of the entire economy to not give money back to the depositors. Also, you should know that we didn't take this decision lightly but spent many many hours agonizing over it. Please come back in a year. And you might have to take a little haircut on your money as well."

Would you say, "Oh, I didn't realize you gave it so much thought. Besides, its all for the good of the economy. Tell you what, why don't you just keep the money?"

Does the fact that the decision was actually genuinely hard, or even possibly justifiable in some sense, make you any less likely to get mad? Your justification of the hardness of the decision is a poor excuse, because many of these companies are trustees of a lot of money from the public who have some expectations about how their data should be managed and secured (not explicitly, sure. But they wouldn't agree to random strangers searching through their email if told beforehand, either). To borrow a cliche, great power comes with great responsibility. In the field of software unfortunately the only thing which comes with great power is a tendency to turn a blind eye and simply try and acquire even more power.

I have no objection to anger or even conclusions that the CEO made the wrong decision.

My objection was entirely to how the first commenters in this topic treated the situation as obvious and the CEO as the clear moral antagonist of this story.

One of my life mottos is seek first to understand. Another is that very few things in life are as simple as they appear.

I will forever object to vilification and simplification.

They're US corporations. They literally run the country.

They definitely have a lot more power than the little voter people.

Does anyone ever take responsibility for anything they do over there?

Google overtly scans your emails for anything.
> Google overtly scans your emails for anything

This is a common argument here.

"Company A secretly collaborates with government agency to subvert their users' security."

"Yes, but Company B collects user data for their own commercial purposes, fully disclosed to the user. Same thing."

Not the same thing.

Lets take it a different way:

You're knowingly sending your data to a 3rd party. You're not encrypting. It's not through the USPS (special protections).

It seems bloody evident that, of course, your email provider can read your emails! Unless you're encrypting with GPG, then they can (and they can still read the signing keys).

Yahoo, Google, and friends all scan, dedup, and all sorts of tricks to determine marketing and quality content (spamming). If you're worried, run your own mailserver. It's what I do, along with using gmail. But I know that, at any time, people/scripts/ai are reading everything sent and received.

edit: I'd much prefer to hear commentary/how wrong/how right/how crazy I am, rather than -1's.I'd like to hear a discussion about the "Secrecy of text written on postcards"....

Yes, but there's a huge difference between a computer "seeing" your email and a human being searching for keywords within your email to decide whether or not to follow you around and/or arrest you.

This report isn't complaining about unencrypted emails. It's about them giving an intelligence agency the equivalent of a `grep "terrorism" | tail -f` for all their users' email. Without a warrant. (Not that a warrant could even be granted for something so broad, anyway.)

You're right, that US govt bulk-scanning is terrifying, especially without warrants. But what happens when Facebook scans your private chats and reports your illegal doings to the police? ( http://www.infowars.com/facebook-monitors-your-private-messa... )

What data restrictions do we have that would prevent $dataCompany from sharing data with other actors? I'm sure a "privacy policy" can do something, but in the end, not really. The FTC doesn't require a privacy policy; they can only enforce one and apply lowball fines for bad behavior.

For example, what laws would prevent me from running a "* As a Service", scanning everything, ranging from copyright violations, spammers, criminal enterprises, and today's bugagboo of terrorism; and forwarding each of those things to the relevant authorities? Can a law protect criminal behavior in cases it is illegal? What responsibilities do you have if you know of criminality?

And specifically talking of emails, unless they are encrypted, they are akin to postcards with the content all in the clear.

(And for your example, I get your sentiment, but I'm guessing they'd have a neural net that triggers on examples of terrorism discussion. And they'd run all messages through it. Not saying I agree with it without a warrant...)

The system you are referring to is called Behavioral Retargeting, with the only difference being that retargeting is for profit not policing.
thats why i like using google allo - end-to-end encryption and expiring chats

https://allo.google.com/

It's hard to tell if this is sarcasm. You are aware that Allo has been widely criticized for its deep message inspection when outside of "incognito" mode right?
For secure messaging, I trust QTox and properly vetted Onion-aware applications.

Pretty much, if a for-profit company offers it, I can only assume it will be used to the fullest extent for their profitability. And they will, depending on popularity within... certain sectors... heavily leaned on by the US government to provide secret access to their database.

Technologically speaking, that's why I have more innate trust for things like Tox and Tor. It also makes me a very interesting target for "lists". But, whatever. I've done nothing wrong (and not like you can prove otherwise :) .

Yes, it's a frightening precedent. What Facebook's doing is essentially just as bad. Common carriers of communications (Facebook chat, Yahoo mail, etc.) should not be scanning mail. I think I'd grant an exception for the child pornography searching that most providers already do, since it's just comparing image hashes against a specific blacklist of hash and can never reveal private information about non-applicable images or communications.
Why do you believe that child porn should be given a legal carve-out? Once the system to scan is in place, it matters not what's actually being scanned.

And there's the fact that CP is strict statutory. Meaning, I can get your email, and send you via a remixing network, a few dozen CP images. And you're now guilty.

If anything, adding in mens rea requirement would be the best choice. Or remove it as law, because it's evidence of a crime.

And the FBI does it, why can't I? /anger

> But what happens when Facebook scans your private chats and reports your illegal doings to the police? ( http://www.infowars.com/facebook-monitors-your-private-messa.... )

That's a very different situation. With Facebook you learn about it and chose to continue using it or not. With government bulk scanning you no longer have any choice or even knowledge about it.

I've upvoted you, despite disagreeing with you, because I believe it's worth us all discussing the reasoning behind our opinions.

What you've just said is the email equivalent to "she deserved to be raped, because she was dressed like a slut".

Yes, we should take precautions to protect ourselves. But that in no way justifies the privacy intrusions that happened here.

I think it's closer to "you deserved your message to be read, since you put it on the back of a postcard". But ok.
This. Email messages are digital postcards. When it leaves your computer (house) and goes to your ISP (local post office), anyone at that place can pick it up and read it before sending it on its way to the recipient's mail handler. While it's in transit, it's not sealed, it's not obscured or encrypted, it is plain text.

Now, that doesn't change the fact that Yahoo rolled over like a puppy when the government came calling, which is reprehensible for any tech company to do. They should have fought it and asked for a warrant for the specific persons of interest, rather than happily fucking over every single Yahoo email subscriber.

Don't a lot of the big providers pass emails between each other encrypted with TLS? And emails internal to Yahoo's email system wouldn't be visible to your ISP or anyone outside of Yahoo.

https://www.google.com/transparencyreport/saferemail/

They might pass the email around via TLS but they store their copy unencrypted on their servers[1]. Even if they do one day decide to encrypt their local copy, they hold the keys, you don't. According to the Ars article on this subject[2], Google has officially said "We haven't been subpoenaed and if we were we'd say 'no'", but that stance could change in the next few years.

[1] https://www.google.com/transparencyreport/saferemail/faq/#wh...

[2] http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-...

The fact that email is a digital postcard doesn't mean it must be.

SMTP was designed with no privacy, security, reputation, or authentication capabilities. Even the add-ons which provide some of these (e.g., PGP -- and I'm looking for the comment on this thread mentioning that) doesn't address what's almost always more useful than full-text search: metadata.

It's the systematic failure of tech industry leadership to come up with an open and viable alternative to email that's landed us in this position, and that's a lack of action that's increasingly utterly indefensible.

Or maybe "you deserved your postcard along with millions of other postcards to get systemically OCR'd and entered into a government database" ?

Concepts of scale and intent are rather central to this discussion.

This isn't about a postal employee glancing at your postcard and thinking you must be having a nice vacation.

I don't quite follow that analogy.

My underlying thoughts are as follows. Yahoo is the target in this story, so I'll use Yahoo as the placeholder for any company that deals with user data in that capacity.

When you send an email, it shows up at a destination. You send it from your mail provider, "magic happens", and it shows up at the destination. By definition, the text that you send it what is received.

By sending your text with who you want it to go to, you are relinquishing control over your data. Now, Yahoo can read it. And any mailserver in between. And the destination mailserver can as well. You also give up a form of copyright- because the basis of this transmission means that the same message may appear multiple places.

With the USPS, we pay postage to send data and packages. And there are stringent safeguards in place for the USPS. We have no such data safeguard laws in the US. European Union is different (I don't know the laws there). But whatever data I send to some private org, can be used and reused in whatever ways that are bound by their privacy policy (which they write), and whatever contracts they abide by (PCI DSS, HIPAA, FERPA, etc).

Even though this part isn't logical, whenever I don't pay for a service, I automatically assume that I'm paying with my data. I guess when you're cash-poor, it's a good trade-off.

The "paying-with-my-data-I-am-the-product" cliche doesn't really work here because Yahoo didn't do this for money. You are also not giving up "some form of copyright" beyond the narrow definition of the license yahoo may require to show it to someone else. Otherwise there'd probably be a few bestsellers owned by google et al. – I'm sure quite a few Harry Potter manuscripts went through their network.

There's a certain expectation of the relationship between a service like yahoo's and the customer. Those expectations go beyond what may be the bare minimum that is legally required. Considering that there is healthy competition even in the free tier of email services, consumers are not powerless in the "negotiation" that defines this relationship.

The bare minimum of any such relationship must be a truthful and specific description of any access the provider has to my data. Indeed that is a legal requirement in many jurisdictions.

But how can I trust them? It depends on the organization. I'm 100% certain that Apple doesn't sell the content of my e-mails because it'd be stupid... They'd be risking a triple-digit-revenue business on what could amount to a few million/year tops. Their and my interest are aligned.

Regarding the analogy you weren't following: placing yourself in a position of vulnerability is simply never an excuse for anybody, either legally or morally, to exploit that vulnerability. If I accidentally leave my bike unlocked doesn't change the thieve's legal or moral standing at all.

I don't see how there's anything to agree or disagree with. Nowhere is the question of "deserving" or justice raised explicitly, for example. It's just a fact: your shit is being read and analyzed at all times and at all levels. If in doubt, the safer course of action is likely to be based on assuming this rather than assuming otherwise. Encryption is a way to make sure. Though even that won't stop somebody who has already pwned your system.
I'd like to hear a discussion about the "Secrecy of text written on postcards"....

In a nutshell, there's a near-consensus (if I'm not mistaken) among judicial experts that in fact, email has the same expectations of privacy as regular, sealed postal mail (i.e. not postcards). So that's where the postcard analogy breaks down.

I wholeheartedly agree with you, pragmatically. But you also have to take into account why there are special protections on the USPS.

Privacy is a quality people generally expect to have. The USPS protections were created after the long social feedback cycle it took for people to realize what they were missing. We're going through another one of those cycles now, where people are finally realizing how surveilled-by-design modern technology is.

I'm unsure what will be quicker - groupwise societal understanding leading to legal privacy protection, or individual adoption of specific better technology. Given that social protections only work for those in "average" society, I personally hope it's the latter. But the two viewpoints are not conflicting, and are actually complementary - privacy preserving tools educate society as to what is possible, and a person has to value privacy before they can seek out tools to preserve it,

Please, I am absolutely for protections of data privacy even more stringent than what the USPS does with parcels.

I would be for something akin to "Swiss Banking requirements for Data" - where companies are NOT allowed to share data unless given exception in writing/cryptographically. I'm sure we can expound on these ideas collectively.

I'd also be OK with services that DO treat data as a semipermeable membrane. Think of what Google has done with all their free services. They make neural models that they (and others they choose to release) can exploit to great effect. In cases like this, there needs to be a simple chart; think of something like this https://tldrlegal.com/license/apache-license-2.0-(apache-2.0... . I also think of these services as bringing technology to me when I could not afford it... And yes, it has been a wonderful boon for me, and I'm sure as for Google as well.

I also want to be able to request all the data on my account, sent to me in a reasonable format (multiple of: Zip, ftp, file share, mailed DVDs for reasonable price). European Union already has that law, to great effect. I should also be able to legally command a company to remove my content. If copyright is so great, I should be able to revoke their rights to it as well due to copyright.

______________________________

I get privacy. I get how networks work, and how the Internet works. I know how mailservers work, as well as file deduplication. And I see a glaring hole in the technology that allows an action, a-ethical companies that will do anything to get ahead, and a government hell-bent on dismantling privacy and data security all to stop today's big bad monster, terrorism.

I'm also guaranteed on watch lists. I'm a minor Tor developer, and greatly utilizes Tor in many ways. In fact, my network resides in Tor-Space. I've figured out how to get Linux to resolve .onion addresses seamlessly, and have .onion endpoints on all my Linux machines. I also work with IPFS and Zeronet, both technologies that have some very... interesting content as well.

It's my little corner of the Net... And if I help others with my tech, awesome. If enough of us do this, then we can start stemming the tide of data insecurity. But I also remember, parts of these issues are with the Political system, and not of technology. Until these older, technologically ignorant politicians die or retire, and Millenials come in, we're stuck. At least we've grown up with it.

Well, your original comment lacks the ethical understanding that you clearly do have.

My own island of autonomy is tinc/unison. Less scalable namespaces, but more straightforward for now.

The only point I disagree on is your last bit. I don't think waiting out the politicians will suffice. Millenial politicians will still be politicians, still desire power in order to "do good", and still pander to the easily-spooked herd. Modern democracy is a centralized beast, just with everybody encouraged to think as a mini-dictator. True freedom isn't merely protecting the average person from surveillance, but also the social outcasts whom the herd would otherwise persecute. That core of that problem really is technological - our communication patterns need to support individual autonomy.

Hmm.. I thought I included my project. https://hackaday.io/project/12985-multisite-homeofficehacker... . Look further down on Tor configuration, and I include seamless .onion resolution.

I do agree that a technological solution(s) are needed. I see things like Zero-knowledge Proofs, Homomorphic encryption, plausibility networks, and other types of software are essential for freedom.... But I think this is also a governmental and societal issue as well. Of course, there's no reason to attack both fronts :)

And I'm also very much interested in Government as a Service, ala what Estonia is doing. The US in antiquated... I don't see it thriving much longer, as it's not staying ahead with technology in government. The spying on citizens however.....

  Yahoo Inc last year secretly built a custom software program to
  search all of its customers' incoming emails for specific
  information provided by U.S. intelligence officials, according
  to people familiar with the matter.
Wonder how much of the 4.8 billion can be attributed this custom software program?
From the article: "Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency's demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time."

The first case to surface. Anybody else could have been doing it for just as long, but we don't know yet.

I was honestly a bit unhappy when Stamos left Yahoo in the middle of a bunch of (what seemed like) cool projects for users -- seemed like he was just jumping ship from an objectively pretty crappy company to a continuing-to-accelerate rocketship, presumably for career reasons.

However, if it went down like this -- he did probably the least destructive thing possible. I probably would have gone public or done something stupider, but at the very least not being a party to ongoing abuse of users' trust is necessary.

I'd like to see what other senior execs at Yahoo! were aware of the program and supported or at least tolerated it, so I can avoid ever working with any of them.

This should forever taint Marissa Meyer's reputation. Failure to save Yahoo is understandable. Disregard for user privacy and safety at this scale is unforgivable.
Don't forget this story.

Qwest CEO Joseph Nacchio who <edit> claims to have </edit> resisted NSA spying is out of prison (2013)

https://www.washingtonpost.com/news/the-switch/wp/2013/09/30...

Nacchio is no hero. He ran a $50MM pump-and-dump scam that personally netted him millions of dollars in profits at the expense of common shareholders, and he was indicted in a wave of similar prosecutions in the wake of the Enron fiasco. His offenses are there in black and white: with full knowledge that his company faced materially adverse changes unknown to his investors, he not only promoted the company but privately (and illegally) sold his own shares.

You do people like Stamos a huge disservice by drawing this comparison. People like Nacchio are exploiting the good work real privacy advocates do, for their own personal enrichment.

People like Nacchio are exploiting the good work real privacy advocates do, for their own personal enrichment.

Or it's possible for people to be dual-natured: capable both of flagrant chicanery and abuse, as well as acts of conviction and principled defiance.

The entangling of the FISA order and the insider trading scandal actually makes things worse. His most significant trades came just months after he refused the FISA order --- after which he claims NSA arranged to have DoD contracts with Qwest terminated. He did something with an obvious material impact on his shareholders, and secretly profited from it.

The reality, though, is that his tenure at Qwest appears broadly similar to the kinds of bullshit that was rife in corporate America at the time: accounting scandals, entirely unrelated to Qwest's government contracts, that boosted apparent growth and drove share prices higher than the fundamentals of the business could possibly justify.

Google, for instance, [qwest kmc telecom].

If you know, what was his defense against the fraud case? It could have been retribution (yes, that's completely speculative).
His claims included:

* That he was simply very optimistic about the business he was running that that he believed there would be an uptick in the stock long term after the company weathered the downturn he knew to be coming.

* That he was "set up" by NSA: yes, he sold at a high price anticipating a sector-wide downturn, but he did so because he'd been assured that Qwest would be part of a multi-billion NSA modernization program called "Groundbreaker", led by CSC, which contract would surely rescue Qwest's stock and even out his sale.

* That his board had demanded that he sell his stock, and that such sales were routine at Qwest.

* That he was distraught over the suicide of his son and sold the stock as part of an effort to immediately disentangle himself from the CEO position which he hoped to leave.

Against that, you have the black-and-white record of his trades and the testimony of numerous high-level Qwest executives all saying they'd been urgently warning him to revise Qwest's targets downwards. He not only maintained the unrealistic targets, and participated in channel-stuffing-style schemes to fake up earnings numbers, but profited personally by trading against those bogus numbers.

Psychologists have measured this! The capacity to stop yourself from doing bad things is different from the tendency to do good things (someone, go make an improved D&D alignment system out of that...).
This misses the point of the Nacchio story. There is nothing to suggest that Qwest's refusal to cave in to NSA demands was motivated by Nacchio's desire for personal enrichment instead of a principled stance. At worst, Qwest was motivated by the risk of fines of up to $130,000 per violation per day for breaching Section 222 of the Communications Act, according to Qwest legal [1]. We would do well to stop focusing on Nacchio and more on the response of Qwest as a whole. The NSA retaliated at Qwest for their non-cooperation by cancelling secret government contracts [2].

[1] http://usatoday30.usatoday.com/news/washington/2006-05-10-ns... [2] https://www.schneier.com/blog/archives/2013/08/more_on_the_n...

I don't understand your point. I was responding to this:

Qwest CEO Joseph Nacchio who resisted NSA spying is out of prison

Nacchio's imprisonment has nothing to do with NSA spying; it has to do with his efforts to bilk Qwest shareholders out of their money. Those efforts are well-documented.

He never said Nacchio was a hero like you wrote.

Further.. where is the motive?? So they guy scams everyone and their dog out of 50MM and doesn't care about shareholders and is evil to the core.. but yet disagrees to play along with some government agency that would put a spy trap in his servers?

If anything this could probably somehow helped him along the lines of some secret plea bargain.

I'm not sure what motive you're asking about. His motive for running a pump-and-dump scam with Qwest's stock was almost certainly straightforward: to enrich himself and his family.
The implication, as I'm sure you've heard, is that the stock drop was due in part to the canceled government contracts, and/or that Nacchio was investigated and prosecuted for somewhat common behavior because of Qwest's refusal to spy.
As the saying, attributed to Burke (but whose precise origins are unknown) goes:

"All that is necessary for the triumph of evil is that good [men and women] do nothing."

Both Meyer and Stamos made their choices, on this issue.

How did Stamos' action help the cause?

He did better than Meyer but I fail to see how his move bettered the world. It helped him not longer being part of something nefarious. But he left all users he had responsibility for in the unclear.

At least he managed to say, if only privately, "I'm not going to be a party to this" (most likely leaving a significant pile of cash and/or equity on the table in doing so). Which is way more than many CIOs/CSOs do in similar situations.

Of course you or I might like to believe we would have taken a more overtly defiant stand (by going public for example). But then again, we weren't there, in his shoes - now were we?

Did they really have a choice? It's pretty much a given now that 3-letter agencies get firehose access to any data they want.
If they did, they wouldn't be issuing these court orders.
They probably start with the court orders.
The person I'd question the most, after Marissa, is Yahoo!'s general counsel Ron S. Bell (https://www.linkedin.com/in/ronsbell).
CA hasn't adopted the ABA Model Rules. However:

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&gr...

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&gr...

"It is the duty of an attorney to do all of the following: ... To employ, for the purpose of maintaining the causes confided to him or her those means only as are consistent with truth ..."

"Every attorney is guilty of a misdemeanor who either: (a) Is guilty of any deceit or collusion, or consents to any deceit or collusion, with intent to deceive the court or any party."

> users' trust

"Promises only bind those who believe in them" - Henri Queuille

Booooo
Please comment civilly and substantively on HN or not at all.
Let's see a show of hands for those who think Yahoo was the only one?
But continue to find themselves stumped?
So, is this correct, in this context?

Pass: Apple, Google

Fail: Microsoft, Yahoo

Unknown: Facebook, Twitter

Google is definitely in cahoots with the government and probably way deeper than Yahoo. Why would you even assume otherwise, given how much ties to the government they expose to the public these days?
Why would you assume they are? Do you have any proof to backup your theory? And try to provide actual proof.
> Why would you assume they are?

Because the odds of Yahoo being exceptionally bad and anyone else being exceptionally good about this are extremely low. The intelligence agency doing this wants 100% coverage - it would be absurd not to. Everyone has been told to do this.

Just like I thought - you have no proof. Come back when you have actual proof to substantiate your bullshit.
As a European I have to I assume all major US companies in this area are either infiltrated or willingly participating in pervasive surveillance.

It's still interesting to know which companies have been actually exposed for this kind abuse of their customers' trust.

(comment deleted)
I’ve said the same a few times before, sadly, I usually get downvoted for it.

It’s impossible to trust Google (Search, Chrome, DNS, Fi, Voice, Android, etc) or other big US companies at all regarding this, so we need open source solutions.

The US government is openly hostile to citizen of other countries, on the internet and in the real world, so relying on them not sending an NSL to Google to fuck you over is quite dumb.

Personally, I built my own cloud for everything I need, and I run Firefox on Arch Linux.

Quite - and the European Court of Justice basically agrees with you too. Hence why Safe Harbor was anulled.
Google denied they have a similar program:

For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"[0]

I wonder if Google could even run a program like this while keeping it secret. Yahoo had their program discovered within weeks, and public within a year. Stamos could easily have immediately gone public in a way which would have prevented him from being prosecuted - say posting a blog post about how hypothetically Yahoo would implement such a system at the governments request, forwarding this on to Bruce Scheiner, and then refusing to comment if such a "hypothetical" program actually existed.

[0] http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-...

Well, you know, it would be insane for any company to admit something like this.
But it also would be insane to make a provably false statement, leaving you open to lawsuits and probably enraging any would be whistle blowers. It would be even more insane to make your false statement more false than it needs to be.
They could always reply something like what Microsoft did.

“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,”

Everybody else declined having received the request, Microsoft just declined doing exactly what the report said yahoo were doing. Seems a lot more "safe".

The lesson from this is to not trust corporations with out privacy. Sadly, it seems many of us are not learning it.
Would it even be possible to make similar, but privacy centered products without corporations?
(comment deleted)
That's what Free Software is about. And it does.

The problems are of establishing protocols and standards, and seeing that others adopt them, and of creating self-contained systems that are bulletproof to set up and operate.

There are projects working on this, but the hurdle for having Joe Random User operate their own server is fairly high.

I'd much rather see a highly, but not entirely distributed system, with pervasive security, and very strong legal protections. I don't know if that can happen.

Yes, it's totally the fault of tech companies that the US Federal government forces them to give up access to any information they want, and a non-profit email org would immune US intelligence agencies. /s
Well, Sigaint is rather immune to this, no? The US government arguably doesn't know where its servers are located, or who operates them.
Non-profit is not the opposite of corporation. In fact, most non-profits are corporations.

The message is obviously to control your own security to the maximum extent practicable. Esau didn't assign fault in their comment. You might disagree with their assertion, but your comment is attacking a straw man, rather than the claim posted.

That's the problem with responding to people who don't actually make complete arguments.
So who do we trust? Governments?

Whatever you can say about Yahoo, they're not the one holding the gun.

> So who do we trust? Governments?

Yourself? The idea that you have to either trust governments or corporations is very much a false dichotomy.

GPG, running your own mail server, etc. may not be for you (they aren't for me), but let's not pretend cloud-hosted mail is the only option, or that encryption is impossible.

The lesson from this is to not trust corporations with out privacy.

I'm as upset about this as anybody, but realistically speaking... they had a gun to their heads. The real problem here isn't Yahoo! (or the other corporations), it's the government.

The thing you quoted doesn't assign blame. It simple says you can't trust that corporations will/can protect your privacy.
It's referring to cause of the symptom. Paraphrased differently: If the government can hold a gun to any organization or individuals' head for information, then the privacy distrust doesn't stop with just corporations.
True, the government can compel me to turn over all my data, but if I'm managing it myself, I'll know this has happened[0].

Additionally, if I'm managing the data myself, they'll only get access because they thought I was a worthwhile target. If I'm using Yahoo!, I get caught in a dragnet. In general, the larger the service, the better a position they are to fight these orders, but also the more likely the government is to bother dragneting it.

I'm not worth my own NSL, but this one's a freebie: the marginal effort the government has to put into spying on my Yahoo! account is zero, because they've already got access.

[0] Well, I might know. They can also do it surreptitiously unless I'm very competent and very diligent, but if I receive an NSL, I'll know.

Do you think a small start-up will be in a better position to stand up against its government?
Maybe not to trust the government? Yahoo is not your personal lawyer to defend you from NSA.
I find this hilarious since the only thing I use my yahoo address for is retailer sign-ups and things I know will land me a boat load of junk mail. It is my email landfill.
Likewise, although I refer to it as my spam storage.
Some people here laud some companies for being good about user privacy and security. This shows they have not yet reached table stakes for privacy and security.

This is why no provider can be trusted. Every routine communication should be e2e encrypted. Otherwise this WILL happen.

This is where I remind everyone about S/MIME. A bit awkward to setup for the first time, but with good email clients it is a pretty transparent experience once you have it setup.
That's good, but the correct response from the big internet services/portals should be to make it impossible to comply with such a request without an obvious and public withdrawal of service. And, beyond that, to use their resources to make key exchange and management simple and secure (they do that in some real time communications products) for storage and email. They have your social graph, they can implement web-of-trust features. They can made it both simple to use and exceedingly difficult to subvert. They can provide secure, open endpoint software. They can effectively end dragnet surveillance by providing a refuge from it, AND make burdensome and credibility-destroying requests/orders impossible to implement. And all these years after Snowden, they have not.
Yahoo was attributing its recently announced data breach to state-sponsored attackers.... Maybe that wasn't so far off the mark after all.
This is substantially worse than PRISM which operates on individual targeted persons and the upstream Verizon, AT&T program which collects plaintext over the public Internet.

This involved bulk search of data past the decryption layer.

The scariest part of the whole piece answers this question: Why are back doors with secret keys a BAD idea?

"... he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails...."

The CEO of Yahoo must have known that this kind of scanning and storage puts their users at risk. She choose to do it anyway as being the path of least resistance against a more powerful adversary (US govt.). Bad judgement compounded by zero spine... Verizon looks like the perfect fit.

I imagine Yahoo! Mail engineers being royally pissed about this. Well, I suppose that includes all Yahoo! folks who are still putting real effort into improving Y!'s services. Every odd day something surfaces about Y!'s execs questionable practices and decisions, every even day problems, leaks, bad press. Moral must have hit rock bottom.

Maybe the Yahoo! Board should have surveyed the startups scene, looking for founders who bootstrapped successfully and proven their worth, and recruit the best they could get. I am not very familiar with management of people and aspects of running a business, but I believe there is a lot more to it than being a smart person with computers.

You may have missed the part where Yahoo engineers implemented this scheme, they are to blame as much as management here, possibly more because they could've walked away and gotten a different job without much trouble, but management had a responsibility to the whole organization.

Contrast with the rumors that Apple engineers were prepared to refuse & resign if ordered to share the iPhone's encryption keys.

Why should they lose their job and salary to defend someone else? Yahoo users can go to court themselves if they feel that their rights were violated.
Yahoo users can't go to court if they can't prove their rights were violated. Even with this news story there is no court-admissible evidence of collusion with the government.

Also, from the perspective of a civil suit against Yahoo, this program is likely somewhat legal unless it was specifically against their privacy policy and terms of use.

That doesn't mean the engineers knew they were performing unethical behavior. A better question is: why should anyone hire someone who aided unethical behavior?

Their behaviour might be not very ethical in relation to a customers but they were loyal to the company. This is a good point for an employer. I doubt a company would like to hire a Snowden type person that puts public interest over company's.
Secret URL for deleting your Yahoo account.

https://edit.yahoo.com/config/delete_user

Do you seriously think that it is better elsewhere? I think that the NSA and the FBI are out of control...
Of course it's better elsewhere. Many companies are not under US authority. Many provide better security features. Many are not known for having terrible security, or the biggest breach of user data ever.

IIRC, Yahoo has always provided more data not even because they shared it, but because they were so lax with security.

Consider setting up your own mail server. Decentralization is the most effective way of fighting this.

Rent a cheap, dedicated server (a VPS provides poor privacy protection), encrypt the root partition and install sovereign (https://github.com/sovereign/sovereign).

And (sadly) watch as all your outgoing mail is refused from most mail providers.
I have been running my own mail server for more than a decade now and haven't had that problem. If you rent a new server check its IP against the RBLs to see if its burned. If it's bad, request a new IP from your ISP. Other than that, adhere to industry best practices and you're good.
This is not at all surprising! BTW, I don't know a single person that has an email account with yahoo, who is not older than 60!
It was part of carnivore and AT&T also supported that. I'm pretty sure all major vendors had hooks into their systems for carnivore.
It should read "...Yahoo Chief Executive Marissa Mayer's decision to indulge the directive..." indulge, not obey.